Re: [lamps] CAA processing for email addresses

Seo Suchan <tjtncks@gmail.com> Wed, 30 November 2022 20:02 UTC

From: Seo Suchan <tjtncks@gmail.com>
To: spasm@ietf.org
Date: Thu, 01 Dec 2022 05:00:24 +0900
Subject: Re: [lamps] CAA processing for email addresses
Message-ID: <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com>
In-Reply-To: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EMpmMm_qrsjZuQsneCLcpNOV3qE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Some thoughts:

1. Marking this record critical will block TLS certificates for that 
domain unless they understand this. I think that is a footgun worth mentioning.

2. There are 'free to register' email domains. Would it be acceptable 
for them to limit clients' certificate choice?

For example, Google can set an issuemail record on gmail.com with a 
contracted CA and force users to get S/MIME from that CA.

On 2022-12-01 2:17 AM, Corey Bonnell wrote:
>
> Hello,
>
> Over the past several years, there have been discussions [1][2][3] on 
> extending CAA such that it can be used for domains to express 
> restrictions on the issuance of certificates for email addresses 
> (e.g., S/MIME certificates, etc.). With the recent passage of the 
> initial version of the CA/Browser Forum S/MIME Baseline Requirements, 
> there is a renewed interest in mandating that publicly trusted CAs 
> process CAA records prior to the issuance of S/MIME certificates in an 
> upcoming version of the requirements. In order to provide a full 
> specification for CAA processing for email addresses, I drafted an I-D 
> for a new CAA property tag: 
> https://www.ietf.org/archive/id/draft-bonnell-caa-issuemail-00.html. I 
> am hopeful that such a specification can be reviewed here such that 
> any update to the S/MIME Baseline Requirements that mandates CAA 
> processing can directly reference the specification.
>
> Given that CAA is a topic that is firmly within the scope of this WG, 
> I wanted to circulate the draft here and would appreciate feedback and 
> comments.
>
> Thanks,
>
> Corey
>
> [1] https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa9Msg
>
> [2] https://github.com/mozilla/pkipolicy/issues/135
>
> [3] 
> https://lists.cabforum.org/pipermail/smcwg-public/2020-October/000040.html
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
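Both points in the reply above (the critical-flag footgun and a freemail provider pinning S/MIME issuance to one CA) come down to how a CA evaluates the relevant CAA RRset. The following is an added example, written for this page and not taken from the thread or from draft-bonnell-caa-issuemail; it models the RFC 8659 rules (tree walk, issuer-critical flag, issue matching) over a small constructed zone. The handling of issuemail is an assumption that it restricts email-address issuance the same way issue restricts TLS issuance, keyed on the domain part of the address; consult the draft for its actual rules. All zone names and CA names (gmail.example, corp.example, contracted-ca.example, tls-ca.example, mail-ca.example) are hypothetical, nothing is queried over DNS, and CNAME/DNAME chasing and issuewild are left out.

```python
from dataclasses import dataclass

CRITICAL_FLAG = 128  # RFC 8659 issuer-critical bit in the CAA flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


# Constructed zone data (hypothetical names; nothing is queried over DNS).
# gmail.example is the point-2 scenario from the reply: a critical issuemail
# record that pins S/MIME issuance to one contracted CA, with no issue record.
ZONE = {
    "gmail.example": [CAARecord(CRITICAL_FLAG, "issuemail", "contracted-ca.example")],
    "corp.example": [
        CAARecord(0, "issue", "tls-ca.example"),
        CAARecord(0, "issuemail", "mail-ca.example"),
    ],
}

LEGACY_TAGS = frozenset({"issue", "issuewild", "iodef"})  # a CA that predates issuemail
ISSUEMAIL_AWARE_TAGS = LEGACY_TAGS | {"issuemail"}


def relevant_rrset(fqdn: str) -> list:
    """RFC 8659 section 3: walk from the FQDN toward the root and return the
    first non-empty CAA RRset (CNAME/DNAME chasing is not modelled here)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuemail value; parameters after ';' are
    dropped, and a bare ';' yields '' (no CA is authorised)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(rrset, tag, ca_domain, understood_tags):
    """Decide issuance for one property tag. Returns (allowed, reason).
    1. A critical record whose tag this CA does not understand blocks
       issuance outright (RFC 8659 section 4.2): this is the footgun.
    2. No record with `tag` present: issuance is unrestricted.
    3. Otherwise some record with `tag` must name this CA."""
    for rec in rrset:
        if rec.critical and rec.tag.lower() not in understood_tags:
            return False, f"unrecognised critical tag {rec.tag!r}"
    matching = [r for r in rrset if r.tag.lower() == tag]
    if not matching:
        return True, f"no {tag} records; issuance unrestricted"
    if any(issuer_domain(r.value) == ca_domain.lower() for r in matching):
        return True, f"{tag} names {ca_domain}"
    return False, f"{tag} records do not name {ca_domain}"


def may_issue_tls(fqdn, ca_domain, understood_tags=LEGACY_TAGS):
    """TLS issuance for a non-wildcard name (issuewild is not modelled)."""
    return may_issue(relevant_rrset(fqdn), "issue", ca_domain, understood_tags)


def may_issue_smime(email, ca_domain, understood_tags=ISSUEMAIL_AWARE_TAGS):
    """S/MIME issuance: CAA is looked up for the domain part of the address and
    only issuemail records restrict it (assumed to mirror issue semantics)."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"malformed email address: {email!r}")
    return may_issue(relevant_rrset(domain), "issuemail", ca_domain, understood_tags)


if __name__ == "__main__":
    # Point 1: a TLS CA that has never heard of issuemail is locked out of gmail.example...
    print(may_issue_tls("www.gmail.example", "tls-ca.example"))
    # ...while a CA that understands the tag issues freely, since there is no issue record.
    print(may_issue_tls("www.gmail.example", "tls-ca.example", ISSUEMAIL_AWARE_TAGS))
    # Point 2: users of gmail.example can only get S/MIME from the contracted CA.
    print(may_issue_smime("alice@gmail.example", "contracted-ca.example"))
    print(may_issue_smime("alice@gmail.example", "other-ca.example"))
```

The two TLS calls differ only in the set of tags the CA understands: with the critical bit set on issuemail, a CA that has not implemented the new tag must refuse to issue for the whole subtree even though no issue record exists, while an issuemail-aware CA sees no TLS restriction at all. Publishing the record without the critical bit avoids the lockout at the cost of the record being ignored by CAs that do not yet implement it.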