Re: [Spasm] CAA erratum 4515

[Jacob Hoffman-Andrews <jsha@eff.org>]

On 03/10/2017 11:43 AM, Ryan Sleevi wrote:
> I'm going to introduce one more assumption: the CDN issues
> certificates for their own internal subdomains, and wants a CAA policy
> for those. This is necessary to explain why the CDN sets any CAA
> records at all in the Self-managed case. And I think this is what's
> implied by your examples - right?
>
> I think "internal subdomains" introduces an unnecessary degree of
> ambiguity, especially with your example of "enterprise.ca
> <http://enterprise.ca>". I'm not sure if this is indicative that we're
> talking past each other or not.
>
> Both organizations want to set their own CAA policy as appropriate. I
> think that should be uncontroversial and without complication.
Agreed. To aid understanding, could you re-explain in your own words why
your examples show the CDN setting CAA records in the Self-managed case?
I copied that into my own examples for consistency, by I had to guess at
the reasons.

> These configurations are a little confusing, since you don't define
> goals. I assume the goals in this example are:
>  (a) Every domain and subdomain in the example is covered by a CAA
> policy, and
Can you confirm whether this is an implicit goal in your examples?

>
>     Now, if we like, we can factor out the CAA records that appear in
>     every example: those for the base domains staffie.dog, beagle.dog,
>     terrier.dog, and hound.dog. That allows us to look at the
>     differences between the worlds more closely, and see what CAA
>     records are required beyond those:
>
>
> I'm sorry. At this point, I'm no longer able to follow your logic,
> despite having read this several times.
Sure, I'll re-explain: If you look at the examples, you'll find they all
have these four CAA entries in common:

staffie.dog.            CAA 0 issue "user-facing.ca"
beagle.dog.             CAA 0 issue "user-facing.ca"
terrier.dog.            CAA 0 issue "enterprise.ca"
hound.dog.              CAA 0 issue "enterprise.ca"

The "reduced examples" are simply the regular examples with those common
entries removed.

> I personally find this structure much harder to follow, so I may have
> missed things - if only because you're describing the permutations for
> trampoline and non-trampoline in the same configuration, and I think
> that makes it harder to compare the implications of these two
> configurations - which was very much my objective in providing further
> discussion.
My goal here was to give trampoline and non-trampoline examples their
own distinct names, so we can compare them side-by-side in each world.
The conclusion I come to is that there is not a significant difference.

Maybe we can come at this from a different angle: I think you are saying
that in the non-tree-climbing world, CDNs would need to use the
trampoline to make it possible (or convenient?) to express a certain CAA
policy.

You and I agree that forcing CDNs to use trampolines to express a
certain CAA policy is undesirable. I disagree that trampolines are
necessary in either the tree climbing or the non-tree-climbing world.
Let's try to answer some specific questions:

- Are you arguing that trampolines make a certain policy possible, or
just more convenient?
- In the non-tree-climbing world, are you arguing that trampolines are
necessary for Self-managed, Externally-managed, or both?