IETF Logo Mail Archive

Re: [Spasm] CAA erratum 4515

Patrick Donahue <pat@cloudflare.com> Thu, 09 March 2017 21:45 UTC

Return-Path: <pat@cloudflare.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D613F1294FB for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 13:45:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EV_3Ofc7MDVg for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 13:45:28 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16929129498 for <spasm@ietf.org>; Thu, 9 Mar 2017 13:45:28 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id 1so140990550qkl.3 for <spasm@ietf.org>; Thu, 09 Mar 2017 13:45:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Hw2wzzldfF0UF8kcZZ9ZqVHwAATq1GQ6h1i19z4Hx4U=; b=dMClh/oy71PWT8IuZGbp9+HD1hveaYY9QWaou4z2WfyQhdizGtkqg3I77hIU+/l0pf uFkz1UPopMNP1GFqNDcyzy6IlSl9IW6yYqIiJP1DoKaNolrUjAtglfN6G5ChBfBYeucC KFy3UYxvDNILQtZhWZGFyrunq54VuuTH1uZyU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Hw2wzzldfF0UF8kcZZ9ZqVHwAATq1GQ6h1i19z4Hx4U=; b=cAORqrfY5reyjdZqrO9Ae60OR+IB3nOlLGL468u+T9RUAqgCoj18Hm6pJXpH1m0y1Q eh4pPw6BDmnowiFhMK4gAvG9xf4m1sl3XHX0Jb4m+fnM7UJ8raYW254kHMPrqA8JGQ84 seFR4/6zRZnRt/kYzPTjQV0AyjtxgVvjA1NobB7Cpc778V+ospPkRoaENP5s3miKVO9c uxeRNAbp5DFhDXN+DgzE/MtnvC5h4RLHCSAgIg7wJxPHEBKBlc5wJ4k3D8AW0ObLE1/l K7VzVthICh1tl4XOy7oOQy2tNuTL1PW2+3F9ya9h2WG63TP5/c/Ik4wwTiYKN3Q2zScV CbJQ==
X-Gm-Message-State: AMke39lUTh/LvQ2Mfv8U55EGmXmUgKmEMBM10suutWN4YKFNM0mxo/J0x8OFC2guaFmOqZgWy7Prf5CjulWr5bhX
X-Received: by 10.55.64.139 with SMTP id n133mr15732231qka.38.1489095927076; Thu, 09 Mar 2017 13:45:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.94.48 with HTTP; Thu, 9 Mar 2017 13:45:26 -0800 (PST)
In-Reply-To: <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org>
From: Patrick Donahue <pat@cloudflare.com>
Date: Thu, 09 Mar 2017 13:45:26 -0800
Message-ID: <CACh0qCKPXvbmxJE=26xoRmc-h=YV8B3_dU5Y2jdLcznz4dA4hQ@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a114897b4c5319d054a53290e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/FxCfUqQWtueDlTojDEylV-Y-tU8>
Cc: Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 21:45:30 -0000

I've previously shared my thoughts on this topic here:
https://cabforum.org/pipermail/public/2017-February/009850.html.

With respect to Jacob's initial tee-up:

www.staffie.dog.        CNAME staffie.terrier.dog.
staffie.terrier.dog.    A 192.0.2.1
terrier.dog.            CAA 0 issue "happy-hacker-fake-ca.net"


Should issuance for www.staffie.dog require a CAA query for terrier.dog? Or
> should it only require CAA queries for www.staffie.dog and
> staffie.terrier.dog?


I'm a bit confused here as I would say "no" to the first question and I
would say that staffie.terrier.dog is irrelevant in the second part of the
question (but a CA may need to check staffie.dog if nothing set at
www.staffie.dog).

Can someone explain why the issuance check would need to do anything other
than:

   1. Look up CAA record for www.staffie.dog.
   1. If present
         1. Pass/fail based on contents.
      2. Else (i.e., if not present)
         1. Look up CAA record for staffie.dog.
            1. If present, pass/fail based on contents.
            2. If not present, pass.


If you control where www.staffie.dog points, you can do anything you want
with it content-wise. Why are we proposing tying certificate issuance to
the underlying (hosting provider/CDN/whatever) implementation?

If CAs are required to look up intermediate hostnames that are part of the
CNAME chain, we—as a large managed DNS provider—will be far less likely to
encourage CAA adoption and build tools to facilitate it. Otherwise we risk
not being able to issue certificates for our non-authoritative DNS
customers and, as a result, provide a poorer user experience while
simultaneously increasing our support costs.

For example, I've had calls the past couple of weeks with SaaS customers
that provide their app to hundreds of thousands of their end-customers on a
"vanity" hostname, e.g., app.saas-customer.com (rather than a non-"vanity"
hostname such as saas-customer.cloudflare-customer.com)

During onboarding, our customer instructs their end-customer to CNAME the
subdomain "app" (or whatever) to customers.cloudflare-customer.com, which
is reverse proxied through our network and thus facilitates doing HTTP DCV
at /.well-known/pki. Why should cloudflare-customer.com's CA preferences
for their own domain affect what certificates their end-customer can
receive?

On Thu, Mar 9, 2017 at 1:07 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 03/09/2017 12:35 PM, Ryan Sleevi wrote:
>
> I want to be careful here restricting it to the notion of "CDNs",
>
> I'm using CDN as a shorthand for "hosting provider or CDN." In the Twitter
> example, the other stakeholders are the marketing department and the
> contractor who develops the web content, neither of whom have CNAMEs in the
> mix. Is there another entity type I'm missing?
>
> *Hole punching and the includeSubDomains problem*
>>
> As you noted elsewhere, to effectively get this scenario, the operator of
> superbowl2017.twitter.com (which we'll call example.com) would need to
> set up the destination of CNAME in such a way as to be able to
> appropriately express the per-customer policy (if Twitter handles
> certificate provisioning) - that is, superbowl2017.twitter.example.com -
>  or, as you noted, would need to effectively set the CAA record as a
> 'wildcard' / for every customer.
>
> I don't understand why example.com would need to set a per-customer
> policy. If terrier.dog handles certificates for their customers, they would
> do so with a limited set of CAs, and could set that as policy on their
> domain names. If a specified customer like www.staffie.dog needs a
> different policy, they can set it on their own hostname:
>
> www.staffie.dog.        CAA 0 issue "sad-hacker-totally-real-ca.net"
>
>
> I don't think trampolining is necessary to make this work.
>
> If terrier.dog doesn't handle certificates, e.g., if they expect customers
> to bring their own cert from any CA, then they can't reasonably set a
> blanket policy for all their customers. In that situation, I think it would
> similarly be up to the customer to set a CAA policy on their own hostname
> if they wanted one, since the customer is the one with the CA relationship.
>
>


-- 
Patrick R. Donahue
pat@cloudflare.com

PGP Fingerprint: 2E8D 5A38 682E EC00 C0F3  E7F2 D9BE 68D2 ABF3 6B24

v2.23.0 | Report a Bug | By Email