From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 4 Jan 2023 22:08:33 +0000
Message-ID: <DM6PR14MB21863E717FFC30AE55DDF24592F59@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com>
 <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com>
 <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com>
 <994608bc-2f31-845d-d5a7-181a0be23527@gmail.com>
In-Reply-To: <994608bc-2f31-845d-d5a7-181a0be23527@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BJptTL39DdGaroXEE_dRberVEjE>
Subject: Re: [lamps] CAA processing for email addresses
List-Id: "This is a venue for discussion of doing Some Pkix And SMime (spasm) work." <spasm.ietf.org>

Hi Seo,

Thanks for further discussion on fleshing out criticality. Comments inline.

* Some extended thoughts on the critical flag: would we need a namespace for email-related records and/or reserve a bit in the CAA flags field that means critical just for mail CAs, while not breaking certs for TLS CAs?

Can you expand on the use case for a "mail-only" criticality bit? My first thought is that it's unnecessary, because either the CA understands a given critical Property and knows it can ignore it because it is not relevant to the type of certificate to be issued, or it fails to issue because it doesn't understand the critical Property. This behavior aligns with the intent of the criticality flag: it is a signal that the CA MUST understand the given Property or fail to issue.

* And CAs should understand most TLS-related CAA records (e.g. RFC 8657's ACME-related validationmethods and accounturi) but ignore them as they don't apply to them? This kinda looks asymmetrical, but we can't just ignore the critical flag because we are not a TLS CA, right?

My understanding is that parameters are relevant solely to the specified issuer-domain-name; if the CA is not identified by the issuer-domain-name in the Property, then it need not understand or process any of the parameters.

Thanks,

Corey

From: Seo Suchan <tjtncks@gmail.com>
Sent: Thursday, December 15, 2022 9:20 PM
To: Corey Bonnell <Corey.Bonnell@digicert.com>; spasm@ietf.org
Subject: Re: [lamps] CAA processing for email addresses

Some extended thoughts on the critical flag: would we need a namespace for email-related records and/or reserve a bit in the CAA flags field that means critical just for mail CAs, while not breaking certs for TLS CAs?

And CAs should understand most TLS-related CAA records (e.g. RFC 8657's ACME-related validationmethods and accounturi) but ignore them as they don't apply to them? This kinda looks asymmetrical, but we can't just ignore the critical flag because we are not a TLS CA, right?

Not sure how different types of CAs will handle CAA records that say critical on the tin but possibly are not about them.

On 2022-12-01 5:47 AM, Corey Bonnell wrote:

Hi Seo,

Comments inline.

1. Marking this record critical will block TLS certificates for that domain unless they understand this. I think that is a footgun worth mentioning.

Thanks, that's a great point. I'll make a note of this and add it to the Security Considerations in the next update.

2. There are 'free to register' email domains. Would it be acceptable for them to limit clients' certificate choice?

Fundamentally, CAA is a mechanism for domains to express the allowed set of CAs that may issue certificates. Given that the mailbox provider owns/controls the domain name in question, I believe it is entirely acceptable for such a mailbox provider to limit the set of CAs that can issue S/MIME certificates for the provider's domain.

Thanks,

Corey

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Seo Suchan
Sent: Wednesday, November 30, 2022 3:00 PM
To: spasm@ietf.org
Subject: Re: [lamps] CAA processing for email addresses

Some thoughts:

1. Marking this record critical will block TLS certificates for that domain unless they understand this. I think that is a footgun worth mentioning.

2. There are 'free to register' email domains. Would it be acceptable for them to limit clients' certificate choice?

For example, Google can set an issuemail record on gmail.com with a contracted CA and force users to get S/MIME from that CA.

On 2022-12-01 at 2:17 AM, Corey Bonnell wrote:

Hello,

Over the past several years, there have been discussions [1][2][3] on extending CAA such that it can be used for domains to express restrictions on the issuance of certificates for email addresses (e.g., S/MIME certificates, etc.). With the recent passage of the initial version of the CA/Browser Forum S/MIME Baseline Requirements, there is a renewed interest in mandating that publicly trusted CAs process CAA records prior to the issuance of S/MIME certificates in an upcoming version of the requirements. In order to provide a full specification for CAA processing for email addresses, I drafted an I-D for a new CAA property tag: https://www.ietf.org/archive/id/draft-bonnell-caa-issuemail-00.html. I am hopeful that such a specification can be reviewed here such that any update to the S/MIME Baseline Requirements that mandates CAA processing can directly reference the specification.

Given that CAA is a topic that is firmly within the scope of this WG, I wanted to circulate the draft here and would appreciate feedback and comments.

Thanks,

Corey

[1] https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa9Msg

[2] https://github.com/mozilla/pkipolicy/issues/135

[3] https://lists.cabforum.org/pipermail/smcwg-public/2020-October/000040.html

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

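The processing rules argued over in this thread, as an added example that is not part of the message, the draft, or any CA's code: a small Python model of a CA's CAA check. It takes RFC 8659's Issuer Critical flag (bit 0 of the flags octet, value 128) and the two RFC 8657 parameter names (accounturi, validationmethods) as given; everything else is an assumption labelled in the comments: that issuemail governs S/MIME issuance the way issue governs TLS issuance, that an absent issuemail property permits issuance, that a CA skips the parameters on records naming some other issuer (Corey's reading above), and that a record naming this CA with a parameter it does not recognise does not authorise issuance. The zone data, CA names and account URI are constructed for the example; issuewild and wildcard names are not modelled.

```python
"""Toy model of a CA's CAA check (added example, not the draft's or any CA's code)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # RFC 8659 flags octet: bit 0 (the MSB) is "Issuer Critical"

# Assumption: issuemail restricts S/MIME issuance the way issue restricts TLS issuance.
TAG_FOR_KIND = {"tls": "issue", "smime": "issuemail"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


@dataclass
class CA:
    name: str                    # the issuer-domain-name this CA answers to
    understood_tags: frozenset   # property tags this CA's software recognises
    account_uri: str = ""        # ACME account requesting issuance (RFC 8657 accounturi)
    validation_method: str = ""  # method used for this request (RFC 8657 validationmethods)


def parse_caa(zone_text: str) -> list:
    """Parse presentation-format CAA RRs such as '128 issuemail "mail-ca.example"'."""
    records = []
    for line in zone_text.strip().splitlines():
        flags, tag, value = line.split(maxsplit=2)
        records.append(CAARecord(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def parse_issue_value(value: str):
    """Split 'issuer-domain-name; k=v; k=v' into (issuer, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def caa_permits(ca: CA, kind: str, records: list) -> tuple:
    """Return (permitted, reason) for this CA issuing a certificate of the given kind."""
    # RFC 8659: a critical property the CA does not understand forbids issuance,
    # whatever kind of certificate is being requested. This is the footgun from the
    # thread: a critical issuemail record stops a TLS CA that has never heard of it.
    for r in records:
        if r.critical and r.tag not in ca.understood_tags:
            return False, f"unrecognised critical property {r.tag!r}"

    # Only the tag for this certificate kind restricts issuance. A CA that does
    # understand issuemail may set it aside when issuing TLS, and vice versa.
    tag = TAG_FOR_KIND[kind]
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, f"no {tag} property present"  # assumption for issuemail

    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca.name:
            continue  # parameters belong to the named issuer; this CA does not evaluate them
        authorised = True
        for key, val in params.items():
            if key == "accounturi":
                authorised &= (val == ca.account_uri)
            elif key == "validationmethods":
                authorised &= ca.validation_method in val.split(",")
            else:
                authorised = False  # assumed policy: an unrecognised parameter does not authorise
        if authorised:
            return True, f"authorised by {tag} {r.value!r}"
    return False, f"{tag} property present but none authorises {ca.name}"


# Constructed zone data: the "mailbox provider sets issuemail on its domain" scenario,
# with the mail-only property marked critical.
SAMPLE_ZONE = parse_caa('''
0 issue "tls-ca.example; accounturi=https://tls-ca.example/acct/42; validationmethods=dns-01"
128 issuemail "mail-ca.example"
''')

OLD_TLS_CA = CA("tls-ca.example", frozenset({"issue", "issuewild"}),
                "https://tls-ca.example/acct/42", "dns-01")
NEW_TLS_CA = CA("tls-ca.example", frozenset({"issue", "issuewild", "issuemail"}),
                "https://tls-ca.example/acct/42", "dns-01")
MAIL_CA = CA("mail-ca.example", frozenset({"issue", "issuewild", "issuemail"}))

if __name__ == "__main__":
    for label, ca, kind in [("old TLS CA, TLS cert", OLD_TLS_CA, "tls"),
                            ("updated TLS CA, TLS cert", NEW_TLS_CA, "tls"),
                            ("mail CA, S/MIME cert", MAIL_CA, "smime"),
                            ("mail CA, TLS cert", MAIL_CA, "tls")]:
        print(f"{label}: {caa_permits(ca, kind, SAMPLE_ZONE)}")
```

The four scenarios at the bottom reproduce the thread's two points: the TLS CA whose software predates issuemail refuses to issue at all because of the critical bit, while the updated TLS CA issues because it understands the property and knows it does not apply to TLS; the mail CA never has to evaluate the accounturi or validationmethods parameters, because the only record carrying them names a different issuer.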

that any update to the S/MIME Baseline Requirements that mandates CAA =
processing can directly reference the specification.<o:p></o:p></p><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p><p class=3DMsoNormal>Given that =
CAA is a topic that is firmly within the scope of this WG, I wanted to =
circulate the draft here and would appreciate feedback and =
comments.<o:p></o:p></p><p class=3DMsoNormal>&nbsp;<o:p></o:p></p><p =
class=3DMsoNormal>Thanks,<o:p></o:p></p><p =
class=3DMsoNormal>Corey<o:p></o:p></p><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p><p class=3DMsoNormal>[1] <a =
href=3D"https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa=
9Msg">https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa9M=
sg</a><o:p></o:p></p><p class=3DMsoNormal>[2] <a =
href=3D"https://github.com/mozilla/pkipolicy/issues/135">https://github.c=
om/mozilla/pkipolicy/issues/135</a><o:p></o:p></p><p =
class=3DMsoNormal>[3] <a =
href=3D"https://lists.cabforum.org/pipermail/smcwg-public/2020-October/00=
0040.html">https://lists.cabforum.org/pipermail/smcwg-public/2020-October=
/000040.html</a><o:p></o:p></p><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p><p =
class=3DMsoNormal><br><br><br><o:p></o:p></p><pre>_______________________=
________________________<o:p></o:p></pre><pre>Spasm mailing =
list<o:p></o:p></pre><pre><a =
href=3D"mailto:Spasm@ietf.org">Spasm@ietf.org</a><o:p></o:p></pre><pre><a=
 =
href=3D"https://www.ietf.org/mailman/listinfo/spasm">https://www.ietf.org=
/mailman/listinfo/spasm</a><o:p></o:p></pre></blockquote></blockquote></d=
iv></body></html>
------=_NextPart_001_0038_01D9205F.2C711250--

------=_NextPart_000_0037_01D9205F.2C711250
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0037_01D9205F.2C711250--
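The critical-flag footgun raised in the thread follows directly from the RFC 8659 processing rules: a CA that does not implement a property tag ignores records carrying it, unless the record's critical flag is set, in which case the CA must refuse to issue at all. The following is an added illustration written for this page; it is not code from the thread, from the draft, or from any CA. The domain, the CA identifiers (ca-tls.example, ca-mail.example, other-ca.example) and the records are constructed placeholders, and the example assumes an issuemail value is a single CA domain name, in the same shape as an issue value, which is an assumption about the draft rather than a statement of it. It covers both points from the thread: an operator-side check of how a critical issuemail record affects TLS issuance at a CA that has not implemented the tag, and how a mailbox provider's issuemail record restricts which CA may issue S/MIME certificates for its domain.

```python
"""Added illustration of RFC 8659 CAA processing and the critical-flag point
raised in the thread. Not code from the thread, the draft, or any CA; the
domain, CA identifiers and records below are constructed for the example,
and 'issuemail' is assumed to carry a single CA domain name like 'issue'."""
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 section 4.1.1: the "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def caa_permits(rrset, ca_identifier, requested_tag, understood_tags):
    """Decide whether a CA may issue, given the relevant CAA RRset.

    Returns (permitted, reason). RFC 8659 section 4 rules modelled here:
      * a property the CA does not understand is ignored, UNLESS its
        critical flag is set, in which case the CA MUST NOT issue;
      * if no record of the requested tag exists, CAA does not restrict;
      * otherwise issuance is permitted only if a record of that tag
        names this CA (a bare ";" value names nobody and forbids issuance).
    """
    relevant = []
    for rr in rrset:
        tag = rr.tag.lower()
        if tag not in understood_tags:
            if rr.flags & CRITICAL:
                return False, f"unrecognised critical property '{rr.tag}'"
            continue  # non-critical and unknown: ignore it
        if tag == requested_tag:
            relevant.append(rr)
    if not relevant:
        return True, f"no '{requested_tag}' records; CAA imposes no restriction"
    for rr in relevant:
        issuer = rr.value.split(";", 1)[0].strip().lower()
        if issuer == ca_identifier.lower():
            return True, f"'{requested_tag}' record names {ca_identifier}"
    return False, f"no '{requested_tag}' record names {ca_identifier}"


# Property tags a CA that implements only RFC 8659 recognises, versus one
# that has also implemented an 'issuemail' tag (the draft under discussion).
RFC8659_ONLY = frozenset({"issue", "issuewild", "iodef"})
SMIME_AWARE = RFC8659_ONLY | {"issuemail"}

# Constructed RRsets for a hypothetical mailbox provider's domain.
# "ca-tls.example" / "ca-mail.example" are placeholder CA identifiers.
RRSET_NONCRITICAL = (
    CAARecord(0, "issue", "ca-tls.example"),
    CAARecord(0, "issuemail", "ca-mail.example"),
)
RRSET_CRITICAL = (
    CAARecord(0, "issue", "ca-tls.example"),
    CAARecord(CRITICAL, "issuemail", "ca-mail.example"),  # the footgun
)


def demo():
    """Run the scenarios from the thread and return the decisions."""
    return {
        # TLS issuance at a CA that has never heard of issuemail: fine when
        # the record is non-critical ...
        "tls_at_legacy_ca_noncritical":
            caa_permits(RRSET_NONCRITICAL, "ca-tls.example", "issue", RFC8659_ONLY),
        # ... but blocked outright when the unknown record is marked critical.
        "tls_at_legacy_ca_critical":
            caa_permits(RRSET_CRITICAL, "ca-tls.example", "issue", RFC8659_ONLY),
        # A CA that implements issuemail is unaffected by the critical flag.
        "tls_at_smime_aware_ca_critical":
            caa_permits(RRSET_CRITICAL, "ca-tls.example", "issue", SMIME_AWARE),
        # The provider restricting S/MIME issuance to its contracted CA:
        # another CA is refused for that domain's mailboxes.
        "smime_at_other_ca":
            caa_permits(RRSET_NONCRITICAL, "other-ca.example", "issuemail", SMIME_AWARE),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:32s} {'PERMIT' if ok else 'REFUSE'}  ({why})")
```

Running the block shows the practical consequence for a domain owner: until the CAs a domain relies on for TLS have implemented the new tag, publishing the issuemail record with the critical flag clear keeps TLS issuance working, while setting the flag turns every non-implementing CA's TLS issuance into a refusal. The same evaluator, run with the issuemail tag, shows that a record naming the provider's contracted CA refuses S/MIME issuance to any other CA for mailboxes in that domain.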

