IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 01 December 2022 18:46 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A82E5C1524C9 for <spasm@ietfa.amsl.com>; Thu, 1 Dec 2022 10:46:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXEVssD-Siab for <spasm@ietfa.amsl.com>; Thu, 1 Dec 2022 10:46:47 -0800 (PST)
Received: from mail-oi1-f181.google.com (mail-oi1-f181.google.com [209.85.167.181]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8739FC14CE27 for <spasm@ietf.org>; Thu, 1 Dec 2022 10:46:47 -0800 (PST)
Received: by mail-oi1-f181.google.com with SMTP id h132so2995473oif.2 for <spasm@ietf.org>; Thu, 01 Dec 2022 10:46:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oSybXvz2TP4qoKiSzPha5orzn1We/Alex5PNuf3weac=; b=TA/zKSrgMGk6CXQU1RhtuudSY9oLLSUOVns4+q6oxvujWGPS/OId2Ix61M8xtth9bE RN6SPyEBlYYJWcXpKfPLVmkZ29QT2T07FXfg8kOGwRHEaCla0/8IJNRugJ6uEUM5Xaaf QOP4rwNMffzwMzGe+cLFc9Q4tGSyxc8ow0a6ThNgB0ogh/1MwIa9SzsTzQjB6HBhRMq8 A8pCGoJCQ6/uWl8q2qq7rmmJjrb4vDJX5BamtFua0xF/OQozKbw8jtEPKGO+Y9Z3UqXK IVlrZy2jdFCKRorJ1xLSt+iaG1FzOcCAUV6zgjUkm/UxjULMsZCcBusyUm5xEq3hxvKm tGlQ==
X-Gm-Message-State: ANoB5pkKfYvpmiXXMUH88xSTEso0EBWsrcfr3GF4UH9MYFnt6KYlLya8 wpJE9+nXHMfSMLS2+pxKp2JUzQy4dWBv9XtZNxQ=
X-Google-Smtp-Source: AA0mqf6QLq5HxBfS8L+JsoM7EeAhStt7YSrniv7zGxhldCg5nqnJYI2/eJgYngHcz9FOpsURve5Jc1r0C/ur978eCjM=
X-Received: by 2002:a05:6808:8d3:b0:353:c96f:5e2f with SMTP id k19-20020a05680808d300b00353c96f5e2fmr31538589oij.244.1669920406411; Thu, 01 Dec 2022 10:46:46 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com> <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com> <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 01 Dec 2022 13:46:35 -0500
Message-ID: <CAMm+LwiXQzN4O=efFg6e7U1C2oW7YFPbx51ZjLhMDL5Z0s87rg@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Corey Bonnell <Corey.Bonnell@digicert.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a09df105eec8a47e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BKoVysHKPp8TeME7-YB_-vRicLc>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 18:46:48 -0000

I support adoption of this draft.

The use of DNS for email is broken as far as serving individuals goes and
that isn't something S/MIME can fix. If your email address is
alice@example.com and you don't own example.com, you don't have control of
that email unless you control example.com.

This is not what we want for the case where example.com is a mail service
provider offering public mail service. But that is the architecture of SMTP
which was built on the assumption that institutions connected to the
Internet, not individuals. Trying to change that architecture post facto is
not going to work.

So the best approach for S/MIME is to make it work for institutions. Which
means the owner of example.com can decide whether to issue S/MIME certs or
not. That will mean that a public service mail provider can prevent
customers getting S/MIME certs but that really isn't their biggest problem
as the service provider can shut them down completely.

Email users of such a service provider can still make use of other PKIs to
validate their keys. I might have issues trying to use CAA records with
OpenPGP for that reason.


The only thing I would add is that I think the current approach to S/MIME
cert issue is broken as a business model and if people want S/MIME to
really succeed, the way to make it work is make it align with the WebPKI
model where organizations buy one cert rather than one cert per email user.

So I would like to see any CAA mechanism for S/MIME to distinguish between
delegating the ability to issue end entity certs and cert signing certs.


On Thu, Dec 1, 2022 at 10:25 AM Mike Ounsworth <Mike.Ounsworth=
40entrust.com@dmarc.ietf.org> wrote:

> Thanks for the explanations Corey.
>
>
>
> I support adoption of this draft.
>
>
>
> ---
>
> *Mike* Ounsworth
>
>
>
> *From:* Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
> *Sent:* December 1, 2022 8:26 AM
> *To:* Mike Ounsworth <Mike.Ounsworth@entrust.com>; Stephen Farrell <
> stephen.farrell@cs.tcd.ie>; Corey Bonnell <Corey.Bonnell@digicert.com>;
> spasm@ietf.org
> *Subject:* RE: [lamps] [EXTERNAL] Re: CAA processing for email addresses
>
>
>
> Hi Stephen and Mike,
>
> Thank you for your feedback thus far. I’ll address a few questions that
> were raised inline.
>
>
>
>    - > The gmails and yahoos don't do S/MIME right?, so are probably out
>    of
>    - > scope here.
>    -
>    - Well, no. Not if this proposes restricting what they can
>    subsequently do I'd say. Same for alumni and vanity mail providers too and
>    probably others of the many and varied email corner cases perhaps.
>
>
>
> I think Mike already addressed this, but if there are no “issuemail”
> properties in the Relevant RRSet, then there are no restrictions on which
> CA can issue certificates for the domain. Mail providers will not see any
> impact of CAs processing the “issuemail” tag unless they have explicitly
> added those records to the zone.
>
>
>
>
>
>    - @Corey Bonnell can you expand on why CA/B wants a CAA `issuemail`
>    separate from the CAA `issue`?
>
>
>
> I don’t speak for all of CA/B, but previous discussion in the SMIME WG and
> MDSP threads that I originally referenced showed that there was rough
> consensus that the existing “issue” and “issuewild” property tags are
> relevant solely to the issuance of server authentication certs and do not
> apply to S/MIME or other certificate types. There are two reasons for this:
>
>
>
>    1. Assuming that “issue” and “issuewild” restrict both serverauth and
>    S/MIME issuance, there is no way for a domain administrator to express
>    different restrictions for these two certificate types. In the mailbox
>    provider case that Stephen raised, that means it would not be possible for
>    a mailbox provider to restrict issuance of TLS certs for the domain while
>    allowing mailbox users to obtain SMIME certs from any CA. Having separate
>    property tags allows administrators to express the restrictions at a
>    granular level that more closely mirrors their arrangements with various
>    CAs for the issuance of various certificate types for that domain.
>    2. Existing deployments in the wild assume that “issue” and
>    “issuewild” tags restrict TLS server cert issuance only. It would be quite
>    surprising if one day those tags are also used to restrict S/MIME cert
>    issuance. If anything, the sudden change in semantics would likely slow
>    adoption of CAA entirely as it will be viewed as a footgun that randomly
>    breaks things whenever the CA processing of existing CAA records changes.
>
>
>
> Thanks,
>
> Corey
>
>
>
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Mike Ounsworth
> *Sent:* Wednesday, November 30, 2022 10:29 PM
> *To:* Stephen Farrell <stephen.farrell@cs.tcd.ie>; Corey Bonnell <
> Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <
> tjtncks@gmail.com>; spasm@ietf.org
> *Subject:* Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
>
>
>
> Hi Stephen,
>
>
>
> We should really hear from the author and/or CA/B F on the driver for
> this, but ...
>
>
>
> If you're running a gmail, vanity, alumni, whatever, email server and want
> to allow people to get their own S/MIME cert, then don't specify a
> issuemail CAA RR?
>
>
>
> I'm not the world's biggest CAA expert, but I imagine the analogous issue
> exist if you run a web hosting service and want to allow people to
> subdomain and bring their own cert .. then don't specify a CAA
>
>
>
> ---
>
> Mike Ounsworth
>
>
> ------------------------------
>
> *From:* Stephen Farrell <stephen.farrell@cs.tcd.ie>
> *Sent:* Wednesday, November 30, 2022, 6:51 PM
> *To:* Mike Ounsworth <Mike.Ounsworth@entrust.com>; Corey Bonnell <
> Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <
> tjtncks@gmail.com>; spasm@ietf.org <spasm@ietf.org>
> *Subject:* Re: [EXTERNAL] Re: [lamps] CAA processing for email addresses
>
>
>
> Hiya,
>
> On 30/11/2022 23:43, Mike Ounsworth wrote:
> > The gmails and yahoos don't do S/MIME right?, so are probably out of
> > scope here.
>
> Well, no. Not if this proposes restricting what they can
> subsequently do I'd say. Same for alumni and vanity mail
> providers too and probably others of the many and varied
> email corner cases perhaps.
>
> Let's not forget the bad side effects of dmarc "p=reject"
> which is also a well-intentioned and partly effective thing
> aimed at only a subset of email deployments, but that has
> affected many others.
>
> > It's probably the @<gov-dept>.gov's or
> > @<massivecorp>.com's who have robust enough S/MIME deployments to
> > care about restricting which PKI can issue for them.
> Even if so, (and it seems a reasonable guess), I don't
> know to what extent such email deployments have seen
> issues with certificate mis-issuance, which IIUC is the
> main reason for any CAA RR.
>
> Cheers,
> S.
>
> *Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
> are addressed. If this message has been sent to you in error, you must not
> copy, distribute or disclose of the information it contains. Please notify
> Entrust immediately and delete the message from your system.*
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.46.0 | Report a Bug | By Email | System Status