Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 30 November 2022 23:43 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 30 Nov 2022 23:43:42 +0000
Message-ID: <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie>
In-Reply-To: <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CY0DT2g5QW6aE3fiKXJBS4Q0yMM>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

I just skimmed too.


> how many email providers/operators have been involved in developing this approach and how many of those have experience deploying smime or other applications that call for certs containing email addresses?

The gmails and yahoos don't do S/MIME, right? So they are probably out of scope here. It's probably the @<gov-dept>.gov's or @<massivecorp>.com's who have robust enough S/MIME deployments to care about restricting which PKI can issue for them.

@Corey Bonnell can you expand on why CA/B wants a CAA `issuemail` separate from the CAA `issue`?


I notice that CAA `issuevmc` was registered [1], [2] to specify which CA can issue VMCs for you, so it seems to be following the pattern to allow CAA to specify different CAs for different purposes.


[1]: https://bimigroup.org/resources/VMC_Requirements_latest.pdf
[2]: https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xml

---
Mike Ounsworth
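The per-purpose tag question above is easiest to see in code. The following is an added example, not code from the draft, from CA/B Forum or from anyone in this thread: it applies the RFC 8659 CAA lookup (climb from the name toward the root, the closest name with a non-empty CAA RRset is the Relevant Resource Record Set) to the domain part of a mailbox and then evaluates one property tag at a time. The tag names `issuemail` and `issuevmc` are taken from the draft and the IANA registry cited above; that their evaluation rule matches the RFC 8659 rule for `issue` (no record of that tag means unrestricted, a record present means only a named CA may issue, `;` means nobody) is an assumption. The zone data, CA names and the `mailbox_domain` splitting rule are all constructed for the example.

```python
"""
Added example (not the draft's or the thread's code): CAA evaluation for an
email address. RFC 8659 tree-climbing lookup on the domain part of the
mailbox, then per-purpose property tags: issue (TLS), issuemail (S/MIME),
issuevmc (VMC). All DNS data is constructed in-memory; CA names are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 0 (value 128) is the Issuer Critical flag (RFC 8659 section 4.1)
    tag: str
    value: str


CRITICAL = 0x80
# Tags this (hypothetical) CA understands; any other tag marked critical blocks issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail", "issuevmc"}

# Constructed zone data: owner name -> CAA RRset. Not real DNS.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "tls-ca.example"),        # only this CA may issue TLS certs
        CAA(0, "issuemail", "smime-ca.example"),  # only this CA may issue S/MIME certs
        CAA(0, "issuevmc", "vmc-ca.example"),     # only this CA may issue VMCs
    ],
    "mail.example.com.": [CAA(0, "issuemail", ";")],        # nobody may issue S/MIME certs
    "example.net.": [CAA(0, "issue", "tls-ca.example")],     # TLS restricted, email unrestricted
    "strict.example.org.": [CAA(CRITICAL, "futuretag", "x")],  # critical flag on an unknown tag
}


def relevant_rrset(domain: str, zone=ZONE) -> tuple[Optional[str], list[CAA]]:
    """RFC 8659 section 3: walk from the name toward the root; the closest
    owner name with a non-empty CAA RRset supplies the relevant RRset."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """issue-value is '<issuer-domain-name> [; parameters]'; an empty
    issuer-domain-name (the value ';') authorises no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def authorized(tag: str, domain: str, ca: str, zone=ZONE) -> bool:
    """May `ca` issue for `domain` under property `tag`?
    RFC 8659 section 4.2 semantics for `issue`, assumed to apply unchanged to
    issuemail/issuevmc: no record with this tag -> unrestricted; records
    present -> permitted only if one of them names this CA."""
    _, rrset = relevant_rrset(domain, zone)
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # RFC 8659 section 4.1: an unknown critical property forbids issuance
    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:
        return True
    return any(issuer_domain(r.value) == ca.lower() for r in props)


def mailbox_domain(addr: str) -> str:
    """Domain part of a mailbox. Simplification for the example: split at the
    last '@'; address literals and non-ASCII domains are rejected, not handled."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or domain.startswith("[") or not domain.isascii():
        raise ValueError(f"unsupported mailbox: {addr!r}")
    return domain.lower()


def smime_issuance_allowed(addr: str, ca: str, zone=ZONE) -> bool:
    """S/MIME certificate for `addr` by `ca`: only the issuemail tag is
    consulted; an `issue` record for the same domain neither permits nor forbids it."""
    return authorized("issuemail", mailbox_domain(addr), ca, zone)


if __name__ == "__main__":
    for addr, ca in [("alice@example.com", "smime-ca.example"),
                     ("alice@example.com", "tls-ca.example"),
                     ("bob@mail.example.com", "smime-ca.example"),
                     ("dave@example.net", "any-ca.example")]:
        print(f"{ca:>16} -> {addr}: {smime_issuance_allowed(addr, ca)}")
```

The second and fourth cases are the ones the `issuemail` question turns on: at example.com the TLS CA named in `issue` is not authorised for S/MIME because a separate `issuemail` record exists, while at example.net an `issue` record alone leaves S/MIME issuance unrestricted. With a single shared tag, a domain could not express either outcome.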

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Stephen Farrell
Sent: November 30, 2022 5:19 PM
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] CAA processing for email addresses

Hiya,

On 30/11/2022 23:12, Stephen Farrell wrote:
> I guess I should go and read the draft now:-)

Just did that - it's nice and short:-)

I'm not liking the idea tbh. But I have a question: how many email providers/operators have been involved in developing this approach and how many of those have experience deploying smime or other applications that call for certs containing email addresses?

As you might guess from the question I think such involvement is kinda needed as there are so many odd corner cases in email services as they've grown up over the last half century.

Thanks,
S.