IETF Logo Mail Archive

Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Wed, 15 March 2017 17:17 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9F8131721 for <spasm@ietfa.amsl.com>; Wed, 15 Mar 2017 10:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.798
X-Spam-Level:
X-Spam-Status: No, score=-9.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-2.796, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VVLmn0rMldQ9 for <spasm@ietfa.amsl.com>; Wed, 15 Mar 2017 10:17:45 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B47C13172B for <spasm@ietf.org>; Wed, 15 Mar 2017 10:17:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject; bh=bYwBs2x6CWc/uI11vuQKdYUaLYFMOVETa7Z5Xhfm8tg=; b=DXaZoNkgrdqc58ah48N8gl4tkpPmULruGL2+h46ysFtl/oTsax2a3dCP5Xgmddh4VL8KiJc9s7Sb4D3IOEBTNvnucTAjvOrGZ+7squNZDk5unbXCRvP79P8lNBqdDFe7twvTYdQ3j2OYeJmEtYDTpIqZbj8wp39PrG1SPrHViyk=;
Received: ; Wed, 15 Mar 2017 10:17:44 -0700
To: "Salz, Rich" <rsalz@akamai.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <20170311201904.GQ7733@mournblade.imrryr.org> <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com> <389a248f-37e4-9ff7-b330-b840e7c47931@eff.org> <CAErg=HEC=YL-wWEygqtmivN0axZ_cddkM-WDc8RA+jVTJYmVgQ@mail.gmail.com> <0d7afa83-a9d7-f977-ca36-533fc13b720e@eff.org> <CAErg=HF2WnSYtxs6r_svx-zCmt8ApkVsg6R7cezaYO=3WoVKQA@mail.gmail.com> <7129a939-35f1-f55b-703b-9f39f6110520@eff.org> <CAErg=HESLRQU=vg3sOFhBoBas7bBmL-z4ZkeeXOLD+y60OU5NA@mail.gmail.com> <e3384bdd6e5f4529b3b1d8abf7b32b83@usma1ex-dag1mb1.msg.corp.akamai.com>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Peter Bowen <pzb@amzn.com>, "spasm@ietf.org" <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, Phillip Hallam-Baker <phill@hallambaker.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <e2e8e857-51d6-5138-ab66-4f3f4cff1590@eff.org>
Date: Wed, 15 Mar 2017 10:17:38 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <e3384bdd6e5f4529b3b1d8abf7b32b83@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: multipart/alternative; boundary="------------F9178EAEBC982B3F4BFE8C0F"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EHueyCOPLFDHPucFGdyAeJujCZs>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 17:17:47 -0000

On 03/15/2017 07:46 AM, Ryan Sleevi wrote:
> Agreed. I think the lack of 'client' override - and apologies for my
> own ignorance here, as I couldn't find where the exclusivity was
> stated that ONLY a CNAME record may exist - is a pretty compelling
> argument against the tree climbing.
>
> While I disagree with some of the points below, I think this is the
> key argument about why recursion-into-CNAME-and-tree-climb may not be
> desirable - because it affords less control in the default
> configuration, and makes it easier to misconfigure.
Great. So should I take it that you are now in support of revising the
RFC to specify non-tree-climbing behavior?

> As an argument, I think this is unnecessary/unrelated, right? As in,
> you can look up the existence *of* a CNAME record without transiting
> that CNAME record. Put differently, and perhaps selfishly, it's "just"
> DNS :)
Ultimately, as long as we agree, I'm not too concerned about which
argument carried the day. For me, the argument about being "intuitive"
or "similar to other DNS operations" is important for the same reason
you cite above: I think doing otherwise makes it easier to misconfigure.

> Perhaps in the DNS world, but it's SOP for the Certificate Authority
> world. Consider the act of validating using approved email addresses -
> or validating the 'registerable' domain. Both of these algorithms
> start with an FQDN and then climb the tree until they are able to
> establish an authortative link, and then everything below that tree is
> accepted as validated.
Yes, but Certificate Authorities certainly don't tree-climb on CNAME
targets, which is what this conversation is about.


On 03/15/2017 07:57 AM, Salz, Rich wrote:
>> I argue that this is less intuitive and more difficult than in the tree-climbing world. 
> Did you mean "than in the *non* tree-climbing world?
Yep, thanks for spotting that.

v2.23.0 | Report a Bug | By Email