IETF Logo Mail Archive

Re: [lamps] CAA processing for email addresses

Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 04 January 2023 22:08 UTC

Return-Path: <Corey.Bonnell@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49F8EC151558 for <spasm@ietfa.amsl.com>; Wed, 4 Jan 2023 14:08:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fH5_I2x-436J for <spasm@ietfa.amsl.com>; Wed, 4 Jan 2023 14:08:37 -0800 (PST)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2120.outbound.protection.outlook.com [40.107.93.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F91C151555 for <spasm@ietf.org>; Wed, 4 Jan 2023 14:08:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ifO1AxerO/VEbkL4CFr0Eg9scLyt5VUuAulLgS0617adPO2zAaMjy5SYHakb4+y2MSRRbv/DXcYTh5s1H0wEFgP1mIkDqEvldmSDdL7u2w773WWd/sKyYnKdT0SmhqjJJ6l1Ym6pFp4rUmw/1qDxn7m9t6sp4SaoGls+W8J9UF4fkxT+pqlJ9D9kGHt5KggXk7cNIuvFPXV7Af8rQJXBXZTRVUes8KiqlzMByqXWljFTJwQeXz0JoDMZFXOBJUqoVNr2MeLYNoRa9j4JSBqECVsM3Nc1/HskfuTPwW0aQGEhE1lNpE4LI8ay7SVGElATeQOSvZ+oZwB6Vf9oxv/L/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=i0tIIfVTHBC5ypm/4OzJ9znvcOIUVxJdJu3GDVHxfHA=; b=awYFJIyFHzzlFjjfNO4T07fD9q45gTaU5P2p7nXdevXFP1ELxngCO1n4M/xWgbCwDlfK2ex4qW2pDEWcyQfklj9Rc+vBNBgvkES896YPQNciaRAk8KvbYYKnOF46oWf+i/VfTplIlLGLUxh98vFHIvAXh0DPaBrS2JD1xEnnQ7010y6MFDzJ38Cj+e1zkYT8g+WIzMHJ8hCHEbuXBVFszheSS/1FUhST3/lLjIJuw7aoo+aSZq/fk0dd7HFwnP39/8UE94Ff/l36EASqM5BW9gMEGPhx7335PzMcy7iJqYc4M9PEogzTR6swGd8iVMAn5zAM55AAXpYii0NSDEHLDQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i0tIIfVTHBC5ypm/4OzJ9znvcOIUVxJdJu3GDVHxfHA=; b=P6damL6iv2iXaK4dyZ0IxQSUFvIJA2b0KImMJGqvebdA7Ygdk///n2gV9wss/WJB3dRkFU2iGSElT2dngC+aGqKDADTHlK4y/C0XwL3h29BmPH7Bzab1kWvDBpq2qKd4NTSiZLN0aqdGVmES/Xn7q84wzgqCMghsir8uspdC7eDchVHna7GHWUXKsd2zk8496pMwOPmfAzpp5tLfiACCnZ38L3fQL1BIxE4pxEM6eiiupm3wzXXIlvbziPVYy0gYwwnbEwwU9CLTgYe90uzsqvvp9r2vH4I8KTzlISR5/IgJ679x/Z7kQ8E/7cvsMzsay+utAsPqMFhqIZg+D6waHg==
Received: from DM6PR14MB2186.namprd14.prod.outlook.com (2603:10b6:5:b6::16) by IA1PR14MB6318.namprd14.prod.outlook.com (2603:10b6:208:425::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.9; Wed, 4 Jan 2023 22:08:33 +0000
Received: from DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::d9f9:12de:89d7:7b88]) by DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::d9f9:12de:89d7:7b88%3]) with mapi id 15.20.5986.007; Wed, 4 Jan 2023 22:08:33 +0000
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA processing for email addresses
Thread-Index: AdkE3JItxNBB7kz6RsOpvMkCMg4ICAAGdAEAAAEJlzAC/pZOgAPjAk8Q
Date: Wed, 04 Jan 2023 22:08:33 +0000
Message-ID: <DM6PR14MB21863E717FFC30AE55DDF24592F59@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <994608bc-2f31-845d-d5a7-181a0be23527@gmail.com>
In-Reply-To: <994608bc-2f31-845d-d5a7-181a0be23527@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR14MB2186:EE_|IA1PR14MB6318:EE_
x-ms-office365-filtering-correlation-id: f07353da-4554-4a2e-5e30-08daeea03887
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: T7fop0vNQ/DVgkV3bOz9yibGG/GvSACrhAgT2WtCqHuS027mZTSGPi9+CUZtP+uKykjIneEj+1pouAvTn5Lk4G2wCNE6OQVdj8VXTpRJyaR20NAT19b0x4WkAvhtiM3YUZ2VlVw3N2E0Kh1ZHgblMwwPWeT3d2tFQi7KUagGCB/plzc1U1bbo6BLYS0jAC2kX/lNHx1rYwFE+9tcMtrvg/u+fDhsf8OMndHkG8HvTxhfn3AH9ADHenl/4V2LuhPL5k/AqgGopBMRkBRV5dO6PR2tvGWBMJiFkFub4TB/QXE/JxDJuRwq1wPSiiZ6djFKdaTDitXFHqcKQ/9ksYfU2PsXjgbmpijWCS5DeYbNVnTPgJ6zLud4BTgFBLYDIRs1RD0ie6bdFqKsLa90QnuMKkUMkl955Ku4AgkjRWe5EI6Lnots/rmQvLbsa9Dg9yJkzKGZj9j+bol41BLuVUUj3ogwaBnrkVEyxvGBmBrcs8IH8HAk/2XY7OpNJsjh7rFVxVYu/Pmz1aBahYt0V/8hDf8zYtxlZlxiyq8wcFecJnWhzoHHKh6/bex0LsR17cPE1JppBxlljNpPhCZvKDlNhhl0b7VM6LKvRY0TIEYmxaLR8WfWgzs2YGarPZZa49MEPjBgCezHGfPVlJ9a2MPXLHWjl3kOU4CWNZXgElnxlXV3P/P2v9MQcBUQUa7OTz44CL3xKUpdRSCdS2/9kffz6xkB/c9M5xaS4IODwrXFTVzHOxjP0ZjSr+uhNXbPAbTI
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR14MB2186.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(366004)(346002)(376002)(396003)(136003)(39860400002)(451199015)(478600001)(83380400001)(33656002)(966005)(7696005)(186003)(9686003)(71200400001)(55016003)(86362001)(66574015)(38070700005)(166002)(122000001)(38100700002)(99936003)(26005)(66476007)(5660300002)(41300700001)(64756008)(66556008)(8676002)(21615005)(2906002)(110136005)(53546011)(52536014)(76116006)(8936002)(66946007)(316002)(6506007)(9326002)(66446008)(199583001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: i+yIg5MtZ3F/A2Ml+kRJrb9PytxuLyR+jnS9Y8Vw8n7ecSqiBhLqNDliXMK10j0+fCVRX3ilBa9uT7o3ewFOL9NGNDXnsCc1tVkQN5Z/lffOK5++Mw7tAma2gZXIC/AIod0M039U9BxV4MHI/dJo+4yDkV5oYJj/YuX90jAEvyGo4PwEOa681w+4OxE3I91nyg2JjcB4+x7b56elAmbsK6D5/q0VopQawlkGp6yF4mG6/RMEGwrBG4a5YaAXeYYzbg8VGdW/5jrIzhqhx6eYrDYEVkY2DaJPbJmBeaQf09AsBiF1CJf7goGIGZeeNoNTGCio6e/LiAx0NAncKz+10gwHzBJX2fFNib2F/ENwxemgW++LCCBGsjmiyCtnRiOfqyNhD+97xcovmNO8WVnLnWWXcJX7rF/karUXlLW4ljfDF2Kvh+/jj3lQqUUlJll6Iwok6vJ//57A0fT1gku+qnDAWk8GyDz861sEt64+TRxmnuJhw6ZRz6B0E+Y/1nC5uTWyJ1mmvmVxF5OX6GvH4VA94tdhNfvENFl+W0OhZh/39Nnb51VrqkKuecKlvS55DtXpthiyKy5ZupS4qxpAGMslt9H3nZbiOo72BmZmXLIlumjantSEQf3XgklLXAVKGiqnu910LsTqKHRCW0cng25HJx/sO6/0ldpQ4CYRClwsQlITi5IIjsTvHJmx6ikjhPPpm3wtVqc7Lv0vlvLt6qniQsPPzvl8GO7e2NnYHshk18p75iLw0kd7geMZhDN9h5RmsjlQq4QYhmgrz9b8RJei4lrYb++nfV5o2ZBrZctIINXQJPZwGp1ipHjNEbuVqHpeKhNooCwEkjn6PRU8HdOoco2fXNDRyul5AS7lzcCr+Pr+42eoC3+0s5i3QT1ts6ljnESIV6pHf6Ih5zcQHPx/rPw4fH7M+vr5TdbZZIxOEvdXQ+kh71Ho6r/1NaTsHi3LkEiOZekmTx2dHc7SxI8ibKESEnyQx1w2guTXfPcouNonmZ6c/16imLBzRsBA5yV2U8NBLR3xfemXn+9TgG8mF2Pa8W26mQkUj5sktEJZDcxLWMbs9tHfWcsKg+3hllE4XVCUJMIj+8GSD8z9oXFO3QViidYdP1lQRJSbhtzamTo4OD2AdkJrkIUzMJYAACkTAicofFuKc1LDHegoWVcC1FznGmtu3qbu5nz/xbg2seiO3UVeTGId3noxPtA9pcV1GzTs7OEaNuJVVvENpnFY4FD8m8BxIUxXDvjAEK7DfP7ImVIfqaw4N1V9jS1CLlW7odILP0JUtTD6mV0liI61x7ytjbQokuC7BXMkaEQVnpCeiOIkTz6yHL43hR62LfkRUXNXzXF5LDQLoSnHxu7mKUP/SpodZSdkBGs7fYrs87+L6xoSIvDr31Ep8yByvZRmS8PDdFgDwxecGjVJpsfeYJXjz8HoiGMQIXDvcqaMm/ja3eYvVYnjreW/4vHGL7Hsz5xjdpy6QBbR5mWMJGPE9fbtPx4hOnGRU51aUFqMsMdrRSzJ+waYOr5TJb29qCvYVXUgfzK4vshfu4P2AC7Owh/+MXLU22rSfvxDKliC2jYxTXxe42Eo0fd5GrjNqXJbCBdBBaTa8xemnuQceA==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0037_01D9205F.2C711250"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR14MB2186.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f07353da-4554-4a2e-5e30-08daeea03887
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jan 2023 22:08:33.6607 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: LzVfcjSYLu/uf7cYWqMFomlgvnjx6jCmRVc+M7iWHSxu48IWRutLiY8dGSJKHLVvINQr8BlYvTr5i+VhEmR9I9ST4fnoBADxaTPHOi+yEoM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR14MB6318
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BJptTL39DdGaroXEE_dRberVEjE>
Subject: Re: [lamps] CAA processing for email addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2023 22:08:41 -0000

Hi Seo,

Thanks for further discussion on fleshing out criticality. Comments inline.

 

*	Some extended though over critical flag: would we need a namespace for email related and/or reserve a bit in CAA flag bit that mean critical just for mail CAs while not breaking cert for TLS CAs?

Can you expand on the use case for a “mail-only” criticality bit? My first thought is that it’s unnecessary, because either the CA understands a given critical Property and knows it can ignore it because it is not relevant to the type of certificate to be issued, or it fails to issue because it doesn’t understand the critical Property. This behavior aligns with the intent of the criticality flag: is it a signal that the CA MUST understand the given Property or fail to issue.

 

*	and CAs should understand most TLS-related CAA records (ex. RFC8657's acme relayed validationmethod and accounturi) but ignore it as it doesn't apply to them? this kinda looks asymmetrical, but we can't just ignore critical flag because we are not TLS CA, right?

 

My understanding is that parameters are relevant solely to the specified issuer-domain-name; if the CA is not identified by the issuer-domain-name in the Property, then it need not understand or process any of the parameters.

 

Thanks,

Corey

 

From: Seo Suchan <tjtncks@gmail.com> 
Sent: Thursday, December 15, 2022 9:20 PM
To: Corey Bonnell <Corey.Bonnell@digicert.com>; spasm@ietf.org
Subject: Re: [lamps] CAA processing for email addresses

 

Some extended though over critical flag: would we need a namespace for email related and/or reserve a bit in CAA flag bit that mean critical just for mail CAs while not breaking cert for TLS CAs?

and CAs should understand most TLS-related CAA records (ex. RFC8657's acme relayed validationmethod and accounturi) but ignore it as it doesn't apply to them? this kinda looks asymmetrical, but we can't just ignore critical flag because we are not TLS CA, right?

not sure how different types of CAs will handle CAA records that says critical on tin but possibly not about them. 

2022-12-01 5:47AM written by Corey Bonnell:

Hi Seo,

Comments inline.

 

1.	1. marking this record critical will make block TLS certificate for that domain unless they understand this. I think that is a footgun worth mention.

 

Thanks, that’s a great point. I’ll make a note of this and add it to the Security Considerations in the next update.

 

2.	2. there are 'free to register' email domains. would it be acceptable to them to limit client's certificate choice?

 

Fundamentally, CAA is a mechanism for domains to express the allowed set of CAs that may issue certificates. Given that the mailbox provider owns/controls the domain name in question, I believe it is entirely acceptable for such a mailbox provider to limit the set of CAs that can issue S/MIME certificates for the provider’s domain.

 

Thanks,

Corey

 

From: Spasm  <mailto:spasm-bounces@ietf.org> <spasm-bounces@ietf.org> On Behalf Of Seo Suchan
Sent: Wednesday, November 30, 2022 3:00 PM
To: spasm@ietf.org <mailto:spasm@ietf.org> 
Subject: Re: [lamps] CAA processing for email addresses

 

some thoughts:

1. marking this record critical will make block TLS certificate for that domain unless they understand this. I think that is a footgun worth mention.

2. there are 'free to register' email domains. would it be acceptable to them to limit client's certificate choice?

for example, Google can set a issuemail record on gmail.com with a contracted CA and force user go get s/mime from that CA.

2022-12-01 오전 2:17에 Corey Bonnell 이(가) 쓴 글:

Hello,

Over the past several years, there have been discussions [1][2][3] on extending CAA such that it can be used for domains to express restrictions on the issuance of certificates for email addresses (e.g., S/MIME certificates, etc.). With the recent passage of the initial version of the CA/Browser Forum S/MIME Baseline Requirements, there is a renewed interest in mandating that publicly trusted CAs process CAA records prior to the issuance of S/MIME certificates in an upcoming version of the requirements. In order to provide a full specification for CAA processing for email addresses, I drafted an I-D for a new CAA property tag: https://www.ietf.org/archive/id/draft-bonnell-caa-issuemail-00.html. I am hopeful that such a specification can be reviewed here such that any update to the S/MIME Baseline Requirements that mandates CAA processing can directly reference the specification.

 

Given that CAA is a topic that is firmly within the scope of this WG, I wanted to circulate the draft here and would appreciate feedback and comments.

 

Thanks,

Corey

 

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa9Msg

[2] https://github.com/mozilla/pkipolicy/issues/135

[3] https://lists.cabforum.org/pipermail/smcwg-public/2020-October/000040.html

 






_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org> 
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email