Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS)
Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 09 August 2023 13:07 UTC
Return-Path: <Corey.Bonnell@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CE5C151532; Wed, 9 Aug 2023 06:07:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaX4p2iD9tUZ; Wed, 9 Aug 2023 06:07:18 -0700 (PDT)
Received: from NAM04-BN8-obe.outbound.protection.outlook.com (mail-bn8nam04on2131.outbound.protection.outlook.com [40.107.100.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D546C14CE46; Wed, 9 Aug 2023 06:07:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bXw5hHbXBNTVMXXX9GAkA8SYgOlU+XoXz+V3w5681h8sESNkzZGu1JSIL36OlGxYAsgrGxW7GxbGIBkaA0OWFYKgvsYbqAF/i+fqeNI8btc0Yhfsi7Iepub22al/9cd0Jfu3EQW8xrcVGLvePIBSMCum11Dz1E4rZu0Cs/mlfoCf6HJ8SafSJx3Q8vS9dYBAWDc/JG61Qpu7M49aRcSR3a+Xs0KLp+5hy/6Qo8DsKVHu3wVkXN87Dd9epW5VUJrwm/mX6n3vHKZhSW1uk0ZOoFugNE9jyNE/gcX+fafBKp4NCrEGsJXM3SqPwz9+aYg55qPKyRYLarIjDPbEE33qlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NLL60vZP//D6RaCuRk8n+XsCVzWOr+QFRNndpDZV+Yo=; b=hVmCxBxG0lD1YZgXf1OzgUXZMryvfOJYpc5WEpg6xO/cbU9Z+j3rTNbf8ooW8jDKADDgL7AQSt2iBD0i7SeBzOldG4wldVurBkxUW7jNVt3V/tXy195kRWmXT0rzU62GOewsk5QDFCHlM86AGi+6wNvo177a3+iFu/AZA1crTiGpNzMEjOPkWVHJu9l/keCvwMd5it+JEOprw7jcfoVUtWiR1IuvOq6n6vLvj5fqnSMkjy5zS95r0tWTDdQU9nf4cq/7J2+iltKqI7DFWntKZkXNyYg9FFKJucM6hJFcXEpBho7LP/ON896Q0pgnXUsLJAPuSjJzQff/r1SDqdfBRA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NLL60vZP//D6RaCuRk8n+XsCVzWOr+QFRNndpDZV+Yo=; b=14YRW9ZDkwnig8OoZTlpMy5PO0HMG5sIrkK0FYFjAdYtUTk2Elm235PGXiOCZfAYUzkn7A897P9NW75ZPMb64esquGkylDTeYCt4kkfK/8RquvicCrx9kTPBc25X5jZyP/ba4tjEGwKYqJ7NV0N91MDvnBdJFqCoEelWM5VrbNkRBYPMoo5n0q9otF1u4kxTMR50jwz6s7utjcqSXv0kzWLKFgJGB8edyOvDY19XA5QAWKkqtULoa4P606k0ojUxWUghxi2N/2iB5y4h8W2ie2y0qwwO1Y4Sy/A7bbcYXdA5g776ijv7HAYBCDX3ZfsnlLiUxQzSTOnUaAw4AwAYAA==
Received: from DM6PR14MB2186.namprd14.prod.outlook.com (2603:10b6:5:b6::16) by IA0PR14MB6571.namprd14.prod.outlook.com (2603:10b6:208:401::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6652.27; Wed, 9 Aug 2023 13:07:13 +0000
Received: from DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::8c48:2f88:b55b:cb1c]) by DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::8c48:2f88:b55b:cb1c%7]) with mapi id 15.20.6652.026; Wed, 9 Aug 2023 13:07:12 +0000
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-caa-issuemail@ietf.org" <draft-ietf-lamps-caa-issuemail@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS)
Thread-Index: AQHZymGSonXsr9oZC0GEYMuyIHwMT6/h4Afg
Date: Wed, 09 Aug 2023 13:07:12 +0000
Message-ID: <DM6PR14MB2186C081260DE77CCE56C1319212A@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <169154482350.52645.261962838818876269@ietfa.amsl.com>
In-Reply-To: <169154482350.52645.261962838818876269@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR14MB2186:EE_|IA0PR14MB6571:EE_
x-ms-office365-filtering-correlation-id: 5d0f3753-d677-4b71-c969-08db98d98bee
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +5BJWduf8Ga8pVqJTCrMy639fTAjT3l6UX/TnM5F8NpFgxr+60dxr0GakdGwX++6cnW/2ZwlMjyJcg8qvePJO1Shy1omPHpxouE1NDL4c0rYYpyMq6eH1XEo5EYqyAtfTMbK+UKj5vePc+ECs+H25Xdc93/0ifH78Pivs3youYrjZF9cE3opG+T0GSQhNURxd8vXmeXQDv/v4WTA3A4arRzaKfBBw40h2X/ukObfbZVZFykjCdAunxz4fS7cIiQy8U6OE1MlV0/cviLmckq9zkgJ17/ukJbYifilR+UX75VUA3gTPT09Zx6iPeuNEC4dd7cLYcr66pFM9HimH8jvnLLUZts9FpiHkpTtw/dtso4amg2wv6C6pouBpL9F3bP0N925YAdIvz3LlR8kwlNfUJ84W+pJoWzcFdRhBGxCzDuNDBfH6ejrosYps6iNHvr/pKKbHQItlta9uZoOPgqgv3b2AtAhMWWkJsj5gmVdVvg2H62sJfwj2itY2nWnxidkfdHSlutx5zJ/g+9OV7u0w6bV9/W29hUpYh1ApVDP0uoUx1bauYfD7Bq25/Vmg0Uv6v5MnJfYqsmYA/7qfTXvNbeWOnfGkoiQYNdnyFVEMwg=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR14MB2186.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(376002)(346002)(366004)(136003)(396003)(39860400002)(186006)(451199021)(1800799006)(83380400001)(55016003)(7696005)(2906002)(110136005)(4326008)(64756008)(5660300002)(38070700005)(8936002)(66446008)(38100700002)(52536014)(8676002)(316002)(66556008)(76116006)(66476007)(54906003)(66946007)(86362001)(33656002)(966005)(478600001)(122000001)(9686003)(71200400001)(99936003)(41300700001)(26005)(53546011)(6506007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DQf0wWG7RnO+1kCZA8R2dm0kqiIUbAXg5pW8aBYLVYK1xAuJtrYLukpQJD2bS5YKaHbTrF48414cA+T/XSyHJYY/Cl24OaeqwLGpXbeAWZazoniOEGNeuLRVbwOQj468yQ6OL/ceCz/LUvRBCPFVDe+1xL3t9RLK0viJjtDtNDEbjx5ZvBSgzQ9ShF/kj6qf1hbWKm9dfToTmw95mJ+Wec1G8LtU+zLT3NW4L3na771xci4OYVXfZYmVXoTlC1+iT221n9ZPPcRkESsKCJoCVU2WUT2qqisWpX+gznjShLDwQMzPmrzE1TtWTQ8vX2dyyoG1LzDL2M/v0ARy8JP4vX5zQllh+a64YSiZlu/nomYjhWNcCHkceLDp0dGpMPKckRHMp/z0PK9782XuJE3nFRNKEjRCPKjtDEpkwJYQKnx7PSdp1JK3nrzJEEJbZ4RmRmelV2BZJRSbT1+5ObccV2L3ldE0ZEmi4Ytej+qbFH3GR4AnJeSfmryJmIU+DcAh3j+lyztWCmqbjT0hMUntYxyAl2qcr8K7WVEhuZM6D5r8skoqVUyU4fwVhYpjvCxPLFS+M+32pFb5KwqPBKuUi6qMG1WU5Gs3tWkdaGOsr9Mnia5mxDfijLmdG7yEZHaC9MoRe+GpEAj4cbmLgj5y9vcWF4Ay0tDHK3MPP+fKuCgP0+PWk/5ZOWbAnQtS1nHtt4hUt0gdmZsEpvw2BQFXgTDC5YvQqyaFvEGzWZuPTfWKVuIqQcIGwL5oPlg/e0HBzvchFFYAC8MZy4DCKywXonZl8BTcCZrSb58AaAEiOtzGXqgow+GiKhJQpl7QB9COrPHQ8YIDNs4EhO5DdPebIsCZEfeNZfABbmMcji/mJFkzUS+6EaSA11+Z6qCeDmhHv9NQDBW5uHayw1RM5hUEaI4BzEgvdf4s75zikbawbQSZyEpBm6K0kiUKKu09VZ3nkNVl9i11n+LsiLcNY5cmjEMJLJsJuaT/IWS4Wmv/7Cqw34r5J9eZ4uYyNlFlc3lRbC4dD0Ei2XjNZpGHqmP1JEgIp7qLmC17mTCsm6xSiGkIl8BdUGlxP1FexP9BJDeti9iBeqOAu8VlCrGhUGrsBQwJLrRDmoe/wb0D9CHWDCeVDzZe0TMvqiaAy1Mp0pYpPPIQsduEOwm3qXz8DXf/aPPWJtj+JrVuOS0kVLru5H6CzqlcH8jIUw805+e/4h/rZmO6W8/rvp3Pxl2H3Y2ocKPTLR81I7jwGkMexYA5KudVZ5AaX2Hv8btt7/lHL6GekX4rnF4F5UaS1FtjAtjcbLtw/wvaJPTnvbQZj145EUdC3lY09RPDxIqWueKl6Tr0mmMyh3fFJmjO/kM4zwyoCqy53C9iDB3x15O6M9VPXb9orUnPaxUpnrWAiLC/BVKmVpTAVb1GCyPCKknuEZVRnBwVsFvFpR7WDWF3BHWrsvy05n6mLY8W3fQ+Kg8zp2pbzb53nZ9oOEzC5YZc5wh3MnNnNeWQn7s01NEKGMpmM5Dknql12ZF4xBg7bP4lWO+ArkrR3zwKuVJX4PJ4Jqk+Iy5eIPBo2pGRE+MORCbaQ2na4bsykey3WyN0IZXAyNhp
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_00F0_01D9CAA0.DAE996E0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR14MB2186.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5d0f3753-d677-4b71-c969-08db98d98bee
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2023 13:07:12.5935 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wJdxISA9S7IZokVelUlXLFKGPE6j7Y3coy1uS77Nr5wvFR2J0Q4WMaByVibirVANrDjuKpPdYfXGG25AKl2KFGKhTm6TuBIpw/qDRGMNVA8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR14MB6571
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/FUKiQg61KFuBfg3XKk0_6ZHWmNQ>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2023 13:07:22 -0000
Hi Paul, Thank you for your review and your comments. Replies inline. > is it the desired behaviour that toronto.nohats.ca can override the > nohats.ca policy and issues certs for paul@toronto.nohats.ca? This also brings into question whether Public Suffix List (PSL) type restrains matter. My understanding is that this behavior is intended and desired based on the discussions surrounding the tree-climbing algorithm as defined in RFC 6844 and later amended in 8659. Phillip provides an excellent description of this design choice here [1]. Additionally, the use of Public Delegation Points/PSL was removed in later drafts of RFC 6844 [2] and replaced with a simpler algorithm that merely walks up each label to the DNS root. > Section 5.4 contains an example of conflicting records, and the text then describes a process of "failing open". From a security point of view, I would argue this should "fail close" and not allow issuance. Was this discussed in the WG? What is the rationale behind this "more vulnerable to mistakes" interpretation? I don't believe this specific point was discussed in the context of this draft, but this behavior is the same as defined in RFC 6844. I believe this is a feature and not a bug, as the "failing closed" behavior in the face of conflicting records would prevent domains from using multiple CA providers. Thanks, Corey [1] https://mailarchive.ietf.org/arch/msg/pkix/CvkHdFP6gdXRCTmq5TXjvMlGOV0/ [2] https://mailarchive.ietf.org/arch/msg/pkix/87NqhuFaKCVQO--8pSD3NhjQd2U/ -----Original Message----- From: Paul Wouters via Datatracker <noreply@ietf.org> Sent: Tuesday, August 8, 2023 9:34 PM To: The IESG <iesg@ietf.org> Cc: draft-ietf-lamps-caa-issuemail@ietf.org; lamps-chairs@ietf.org; spasm@ietf.org; housley@vigilsec.com; housley@vigilsec.com Subject: Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS) Paul Wouters has entered the following ballot position for draft-ietf-lamps-caa-issuemail-06: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-issuemail/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Issue #1 The discovery of such a Relevant RRSet MUST be performed using the algorithm specified in section 3 of [RFC8659]. The input domain to the discovery algorithm SHALL be the domain "part" ([RFC5322]) of the email address that is being certified. And RFC 8659 states: The search for a CAA RRset climbs the DNS name tree from the specified label up to, but not including, the DNS root "." until a CAA RRset is found. While this algorithm makes sense for a CAA to restrict issuing, I'm not sure it makes sense for email addresses where the permission might be granted by a parent. eg ig there is a CAA record saying "no email certs" at nohats.ca, and there is a CAA record saying "sure, issue stuff" at toronto.nohats.ca, is it the desired behaviour that toronto.nohats.ca can override the nohats.ca policy and issues certs for paul@toronto.nohats.ca? This also brings into question whether Public Suffix List (PSL) type restrains matter. It might very well be the intent, but then perhaps it should be made a little more explicit ? (and then I have to rethink about what I think about subdomains overriding their parents) Issue #2: Section 5.4 contains an example of conflicting records, and the text then describes a process of "failing open". From a security point of view, I would argue this should "fail close" and not allow issuance. Was this discussed in the WG? What is the rationale behind this "more vulnerable to mistakes" interpretation?
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Corey Bonnell
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters