Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
Corey Bonnell <Corey.Bonnell@digicert.com> Thu, 01 December 2022 14:26 UTC
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: CAA processing for email addresses
Date: Thu, 01 Dec 2022 14:26:18 +0000
Message-ID: <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/IoNyFGH-Yp7tI1tdMizNsYZVKc4>
Hi Stephen and Mike,

Thank you for your feedback thus far. I'll address a few questions that were raised inline.

> > The gmails and yahoos don't do S/MIME right?, so are probably out of
> > scope here.
>
> Well, no. Not if this proposes restricting what they can subsequently do I'd say. Same for alumni and vanity mail providers too and probably others of the many and varied email corner cases perhaps.

I think Mike already addressed this, but if there are no "issuemail" properties in the Relevant RRSet, then there are no restrictions on which CA can issue certificates for the domain. Mail providers will not see any impact of CAs processing the "issuemail" tag unless they have explicitly added those records to the zone.

> @Corey Bonnell can you expand on why CA/B wants a CAA `issuemail` separate from the CAA `issue`?

I don't speak for all of CA/B, but previous discussion in the SMIME WG and MDSP threads that I originally referenced showed that there was rough consensus that the existing "issue" and "issuewild" property tags are relevant solely to the issuance of server authentication certs and do not apply to S/MIME or other certificate types. There are two reasons for this:

1. Assuming that "issue" and "issuewild" restrict both serverauth and S/MIME issuance, there is no way for a domain administrator to express different restrictions for these two certificate types. In the mailbox provider case that Stephen raised, that means it would not be possible for a mailbox provider to restrict issuance of TLS certs for the domain while allowing mailbox users to obtain SMIME certs from any CA. Having separate property tags allows administrators to express the restrictions at a granular level that more closely mirrors their arrangements with various CAs for the issuance of various certificate types for that domain.

2. Existing deployments in the wild assume that "issue" and "issuewild" tags restrict TLS server cert issuance only. It would be quite surprising if one day those tags are also used to restrict S/MIME cert issuance. If anything, the sudden change in semantics would likely slow adoption of CAA entirely as it will be viewed as a footgun that randomly breaks things whenever the CA processing of existing CAA records changes.

Thanks,
Corey

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Wednesday, November 30, 2022 10:29 PM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Hi Stephen,

We should really hear from the author and/or CA/B F on the driver for this, but ...

If you're running a gmail, vanity, alumni, whatever, email server and want to allow people to get their own S/MIME cert, then don't specify an issuemail CAA RR?

I'm not the world's biggest CAA expert, but I imagine the analogous issue exists if you run a web hosting service and want to allow people to subdomain and bring their own cert .. then don't specify a CAA

---
Mike Ounsworth

_____
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sent: Wednesday, November 30, 2022, 6:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org
Subject: Re: [EXTERNAL] Re: [lamps] CAA processing for email addresses

Hiya,

On 30/11/2022 23:43, Mike Ounsworth wrote:
> The gmails and yahoos don't do S/MIME right?, so are probably out of
> scope here.

Well, no. Not if this proposes restricting what they can subsequently do I'd say. Same for alumni and vanity mail providers too and probably others of the many and varied email corner cases perhaps.

Let's not forget the bad side effects of dmarc "p=reject" which is also a well-intentioned and partly effective thing aimed at only a subset of email deployments, but that has affected many others.

> It's probably the @<gov-dept>.gov's or
> @<massivecorp>.com's who have robust enough S/MIME deployments to
> care about restricting which PKI can issue for them.

Even if so, (and it seems a reasonable guess), I don't know to what extent such email deployments have seen issues with certificate mis-issuance, which IIUC is the main reason for any CAA RR.

Cheers,
S.

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
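The semantics Corey describes (an "issuemail" property that is consulted only for S/MIME issuance, "issue"/"issuewild" that are consulted only for TLS server certificates, and no restriction on S/MIME when the Relevant RRSet carries no "issuemail" property) can be modelled as a small CAA check. The following is an added example written for this archive page, not code from the thread, from any CA, or from the draft under discussion. The zone data, the domain names and the CA identifiers (`tls-ca.example`, `mail-ca.example`, `any-ca.example`) are constructed for the example; the tree-climbing lookup of the Relevant RRSet and the handling of the critical flag follow RFC 8659 sections 3 and 4.1, which is my assumption about how an issuemail-aware CA would combine the two.

```python
"""CAA evaluation with separate TLS ("issue"/"issuewild") and S/MIME ("issuemail") rules.

Added example for the mailing-list discussion; not the thread's or any CA's code.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 s.4.1: issuer-critical flag bit
# Property tags this checker understands; any *other* tag with the critical
# flag set forces a refusal (RFC 8659 s.4.1).
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> its CAA RRSet (all names hypothetical).
ZONE = {
    # TLS restricted to one CA, S/MIME restricted to a different CA.
    "example.com.": [
        CAA(0, "issue", "tls-ca.example"),
        CAA(0, "issuemail", "mail-ca.example"),
    ],
    # Mailbox-provider case from the thread: TLS locked down, no "issuemail"
    # property at all, so users may obtain S/MIME certs from any CA.
    "mail.example.net.": [CAA(0, "issue", "tls-ca.example")],
    # ";" alone means "no CA may issue" for that certificate type.
    "locked.example.org.": [CAA(0, "issuemail", ";")],
    # Unknown property tag with the critical flag set.
    "weird.example.org.": [CAA(CRITICAL, "futuretag", "x")],
}


def relevant_rrset(name, zone):
    """RFC 8659 s.3: walk from `name` toward the root and return the first
    non-empty CAA RRSet found (the Relevant RRSet); empty if none exists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return rrset
    return []


def _names_this_ca(value, ca):
    # Property value grammar: issuer-domain-name [";" parameters].
    # A value of just ";" yields an empty issuer name, which matches no CA.
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca.lower()


def _permitted(rrset, tags, ca):
    """Core rule: refuse on unknown critical tags; if no property with one of
    `tags` is present, issuance is unrestricted; otherwise one must name `ca`."""
    if any(rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False
    props = [rr for rr in rrset if rr.tag in tags]
    if not props:
        return True
    return any(_names_this_ca(rr.value, ca) for rr in props)


def may_issue_tls(fqdn, ca, zone=ZONE, wildcard=False):
    """TLS server certificate: only "issue"/"issuewild" are consulted.
    For a wildcard name, "issuewild" takes precedence when present (RFC 8659 s.4.3)."""
    rrset = relevant_rrset(fqdn, zone)
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        return _permitted(rrset, {"issuewild"}, ca)
    return _permitted(rrset, {"issue"}, ca)


def may_issue_smime(email, ca, zone=ZONE):
    """S/MIME certificate: only "issuemail" is consulted; "issue"/"issuewild"
    are ignored, and a Relevant RRSet without "issuemail" places no restriction."""
    domain = email.rsplit("@", 1)[1]
    rrset = relevant_rrset(domain, zone)
    return _permitted(rrset, {"issuemail"}, ca)


if __name__ == "__main__":
    print(may_issue_tls("example.com", "tls-ca.example"))          # True
    print(may_issue_smime("alice@example.com", "tls-ca.example"))  # False
    print(may_issue_smime("bob@mail.example.net", "any-ca.example"))  # True
```

The `mail.example.net` entry is the case Stephen raised: its "issue" record stops any other CA from obtaining a TLS certificate for the host, yet `may_issue_smime` returns true for every CA because no "issuemail" property exists in the Relevant RRSet. Collapsing both meanings onto "issue" would make that configuration impossible to express, which is the first of Corey's two reasons.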