Re: [lamps] CAA tags

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 19 December 2017 14:47 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Tue, 19 Dec 2017 14:47:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2vtZaEW6kW8oeW3loIrevWNm2k8>

If you don't want to use these tags, you don't have to.  They're purely optional and completely backwards compatible.  They simply transmit additional information to the CA about the desired certificate.

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Tuesday, December 19, 2017 5:13 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>
> Cc: spasm@ietf.org
> Subject: Re: [lamps] CAA tags
> 
> 
> Hiya,
> 
> I've not been following this closely but since you
> said:
> 
> On 18/12/17 20:45, Tim Hollebeek wrote:
> > Pre-spec for discussion.  Its current status is “I sat down for an
> > hour, reviewed meeting minutes and read some stuff, and circulated
> > some notes”.
> I guess it may be ok to throw in a requirement to keep an aspect of the status
> quo:
> 
> I'd like to ensure it remains possible for a whole bunch of DNS domains to use
> the same CAA RR value and for that to continue to make sense. I've no
> problem if optional things can be added that are domain-specific so long as I
> don't have to create custom CAA values for every domain.
> 
> My reason for wanting that is that I deal with sets of domains who can all
> currently sensibly use the same CAA value and that's easy to handle. If I had to
> go changing the value for each, esp if that had to be re-done regularly, or even
> worse, sporadically, that'd be a PITA.
> 
> Apologies for the interruption if this is already taken as a given, but I wasn't
> sure based on the recent mails about phone numbers etc.
> 
> Thanks,
> S.
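To make the two points in this exchange concrete (optional tags stay backwards compatible; one CAA value can serve many names), here is an added example of a CA-side CAA check in Python. It is my illustration, not code from the thread, DigiCert or any CA: it applies the RFC 6844 tree-climbing lookup over a constructed zone, splits an issue value into issuer domain plus `tag=value` parameters using the RFC 8659 parameter grammar, refuses on an unknown critical property, and simply parses past parameters it does not implement. The zone names and CA domains are constructed.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # "issuer critical" flag bit, RFC 6844 section 5.1


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # property tag: "issue", "issuewild", "iodef", ...
    value: str  # property value exactly as published in the RR


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer_domain, {tag: value}).
    Grammar as in RFC 8659: issuer [";" tag=value [";" tag=value ...]]."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        name, sep, val = p.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed CAA parameter: {p!r}")
        params[name.strip().lower()] = val.strip()
    return issuer, params


def relevant_caa_rrset(zone, fqdn):
    """Tree climbing (RFC 6844 section 4): nearest non-empty CAA RRset at or
    above fqdn, so every name under an apex inherits the one record there."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """CA-side decision. Parameters are parsed but this CA implements none,
    so unknown tags are ignored; an unknown critical property blocks issuance."""
    rrset = relevant_caa_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance not restricted
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    tag = "issuewild" if wildcard and any(r.tag.lower() == "issuewild" for r in rrset) else "issue"
    candidates = [r for r in rrset if r.tag.lower() == tag]
    if not candidates:
        return True  # only issue/issuewild restrict; nothing to match against
    return any(parse_issue_value(r.value)[0] == ca_domain.lower() for r in candidates)


# Constructed sample zone: the single example.com record serves every name below it.
SAMPLE_ZONE = {
    "example.com": [CAARecord(0, "issue", "ca.example.net; accounturi=https://ca.example.net/acct/123"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAARecord(0, "issue", ";")],            # empty issuer: nobody may issue
    "strict.example.com": [CAARecord(128, "future-tag", "x")],    # unknown critical property
    "wild.example.com": [CAARecord(0, "issuewild", "ca.example.net")],
}
```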