Re: [Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 21:07 UTC
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Fsk1_M2UhuA69sA8lrJzO-HwM3k>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
On 03/09/2017 12:35 PM, Ryan Sleevi wrote:
> I want to be careful here restricting it to the notion of "CDNs",

I'm using CDN as a shorthand for "hosting provider or CDN." In the Twitter example, the other stakeholders are the marketing department and the contractor who develops the web content, neither of whom has CNAMEs in the mix. Is there another entity type I'm missing?

> *Hole punching and the includeSubDomains problem*
>
> As you noted elsewhere, to effectively get this scenario, the operator
> of superbowl2017.twitter.com (which we'll call example.com) would need
> to set up the destination of CNAME in such a way as to be able to
> appropriately express the per-customer policy (if Twitter handles
> certificate provisioning) - that is, superbowl2017.twitter.example.com
> - or, as you noted, would need to effectively set the CAA record as a
> 'wildcard' / for every customer.

I don't understand why example.com would need to set a per-customer policy. If terrier.dog handles certificates for their customers, they would do so with a limited set of CAs, and could set that as policy on their domain names. If a specified customer like www.staffie.dog needs a different policy, they can set it on their own hostname:

    www.staffie.dog. CAA 0 issue "sad-hacker-totally-real-ca.net"

I don't think trampolining is necessary to make this work.

If terrier.dog doesn't handle certificates, e.g., if they expect customers to bring their own cert from any CA, then they can't reasonably set a blanket policy for all their customers. In that situation, I think it would similarly be up to the customer to set a CAA policy on their own hostname if they wanted one, since the customer is the one with the CA relationship.
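The provider/customer split argued in the message above can be traced by running the RFC 6844 section 4 "relevant CAA record set" lookup over a small zone. This is an added example, not code from the thread or from any participant: the terrier.dog policy, the hosting-ca.example and other-ca.example CA identifiers and the blog.collie.dog CNAME are constructed; only the www.staffie.dog record comes from the message.

```python
# Constructed DNS data: name -> list of CAA (flags, tag, value) tuples.
# Only the www.staffie.dog record is taken from the message above.
CAA = {
    "terrier.dog": [(0, "issue", "hosting-ca.example")],
    "www.staffie.dog": [(0, "issue", "sad-hacker-totally-real-ca.net")],
}
# Constructed CNAME aliases: a customer name pointed at the hosting provider.
CNAME = {
    "blog.collie.dog": "collie.terrier.dog",
}


def parent(name):
    """P(X) from RFC 6844: strip the leftmost label; None once a TLD is reached."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_set(name, hops=0):
    """R(X) as defined in RFC 6844 section 4.

    CAA(X) wins if present; otherwise the relevant set reached through the
    CNAME target (and its parents); otherwise the relevant set of P(X).
    """
    if hops > 16:  # guard against alias loops in the constructed data
        return []
    own = CAA.get(name, [])
    if own:
        return own
    target = CNAME.get(name)
    if target is not None:
        via_alias = relevant_caa_set(target, hops + 1)
        if via_alias:
            return via_alias
    p = parent(name)
    return relevant_caa_set(p, hops + 1) if p is not None else []


def issuance_permitted(name, ca_domain):
    """True if the CA identified by ca_domain may issue for name.

    An empty relevant set, or one with no 'issue' records, leaves issuance
    unrestricted; 'issue ";"' denies every CA.
    """
    issue_values = [v for _, tag, v in relevant_caa_set(name) if tag == "issue"]
    if not issue_values:
        return True
    # Parameters may follow a ';' in the value; only the CA domain part matters.
    return ca_domain in {v.split(";")[0].strip() for v in issue_values}
```

The customer's own record on www.staffie.dog takes precedence, while a customer name with no CAA of its own that is aliased into terrier.dog inherits the provider's policy through the CNAME target's parent.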