Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 21:07 UTC

To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org>
Date: Thu, 09 Mar 2017 13:07:53 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Fsk1_M2UhuA69sA8lrJzO-HwM3k>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515

On 03/09/2017 12:35 PM, Ryan Sleevi wrote:
> I want to be careful here restricting it to the notion of "CDNs",
I'm using CDN as a shorthand for "hosting provider or CDN." In the
Twitter example, the other stakeholders are the marketing department and
the contractor who develops the web content, neither of whom has CNAMEs
in the mix. Is there another entity type I'm missing?

>     *Hole punching and the includeSubDomains problem*
>
> As you noted elsewhere, to effectively get this scenario, the operator
> of superbowl2017.twitter.com (which we'll call example.com) would need
> to set up the destination of CNAME in such a way as to be able to
> appropriately express the per-customer policy (if Twitter handles
> certificate provisioning) - that is, superbowl2017.twitter.example.com
> - or, as you noted, would need to effectively set the CAA record as a
> 'wildcard' / for every customer.
I don't understand why example.com would need to set a per-customer
policy. If terrier.dog handles certificates for their customers, they
would do so with a limited set of CAs, and could set that as policy on
their domain names. If a specified customer like www.staffie.dog needs a
different policy, they can set it on their own hostname:

www.staffie.dog.        CAA 0 issue "sad-hacker-totally-real-ca.net"
I don't think trampolining is necessary to make this work.

If terrier.dog doesn't handle certificates, e.g., if they expect
customers to bring their own cert from any CA, then they can't
reasonably set a blanket policy for all their customers. In that
situation, I think it would similarly be up to the customer to set a CAA
policy on their own hostname if they wanted one, since the customer is
the one with the CA relationship.
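The precedence this message relies on (a customer's own CAA record wins; otherwise the hosting provider's policy reached through the CNAME applies; with no record anywhere, issuance is unrestricted) can be traced through the RFC 6844 section 4 lookup. This is an added example, not code from the thread: the zone data is constructed, with terrier.dog, www.staffie.dog and the CA name taken from the message and the remaining names invented.

```python
"""Model of the RFC 6844 section 4 CAA lookup over constructed zone data.

Added example for the hosting scenario discussed in the thread: customer
hostnames are CNAMEd into terrier.dog, terrier.dog publishes a provider-wide
policy, and one customer overrides it on its own hostname.
"""

# Constructed zone data. Names are fully qualified (trailing dot).
CNAME = {
    "www.staffie.dog.": "staffie.terrier.dog.",   # customer with its own CAA
    "www.pug.dog.": "pug.terrier.dog.",           # customer relying on the provider
    "www.corgi.dog.": "corgi.byo-host.example.",  # bring-your-own-cert host, no CAA anywhere
}
CAA = {
    "terrier.dog.": ['0 issue "hosting-ca.example"'],
    "www.staffie.dog.": ['0 issue "sad-hacker-totally-real-ca.net"'],
}
TLDS = {"dog.", "example."}  # where the upward climb stops


def parent(name):
    """P(X): the label immediately above X."""
    return name.split(".", 1)[1]


def relevant_caa(name):
    """R(X) per RFC 6844 section 4: X's own CAA set if non-empty, else the
    alias target's R(), else the parent's R(); empty at a top-level domain."""
    if CAA.get(name):
        return CAA[name]
    alias = CNAME.get(name)
    if alias is not None:
        via_alias = relevant_caa(alias)
        if via_alias:
            return via_alias
    if name not in TLDS:
        return relevant_caa(parent(name))
    return []


def issuer_allowed(name, ca):
    """True if 'ca' may issue for 'name': no relevant CAA means unrestricted,
    otherwise some 'issue' property must name it (issuewild ignored here)."""
    records = relevant_caa(name)
    if not records:
        return True
    issuers = {r.split('"')[1] for r in records if " issue " in r}
    return ca in issuers
```

A real resolver answers a CAA query for an aliased name with the alias target's records, so CAA(X) and R(A(X)) are entangled in practice; the model keeps them separate so the precedence is visible.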