Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Corey Bonnell <Corey.Bonnell@digicert.com> Thu, 01 December 2022 14:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/IoNyFGH-Yp7tI1tdMizNsYZVKc4>

Hi Stephen and Mike,

Thank you for your feedback thus far. I'll address a few questions that were
raised inline.

> > The gmails and yahoos don't do S/MIME right?, so are probably out of
> > scope here.
>
> Well, no. Not if this proposes restricting what they can
> subsequently do I'd say. Same for alumni and vanity mail providers too and
> probably others of the many and varied email corner cases perhaps.

I think Mike already addressed this, but if there are no "issuemail"
properties in the Relevant RRSet, then there are no restrictions on which CA
can issue certificates for the domain. Mail providers will not see any
impact of CAs processing the "issuemail" tag unless they have explicitly
added those records to the zone.

> @Corey Bonnell can you expand on why CA/B wants a CAA `issuemail`
> separate from the CAA `issue`?

I don't speak for all of CA/B, but previous discussion in the SMIME WG and
MDSP threads that I originally referenced showed that there was rough
consensus that the existing "issue" and "issuewild" property tags are
relevant solely to the issuance of server authentication certs and do not
apply to S/MIME or other certificate types. There are two reasons for this:

1. Assuming that "issue" and "issuewild" restrict both serverauth and
S/MIME issuance, there is no way for a domain administrator to express
different restrictions for these two certificate types. In the mailbox
provider case that Stephen raised, that means it would not be possible for a
mailbox provider to restrict issuance of TLS certs for the domain while
allowing mailbox users to obtain S/MIME certs from any CA. Having separate
property tags allows administrators to express the restrictions at a
granular level that more closely mirrors their arrangements with various CAs
for the issuance of various certificate types for that domain.
2. Existing deployments in the wild assume that "issue" and "issuewild"
tags restrict TLS server cert issuance only. It would be quite surprising if
one day those tags are also used to restrict S/MIME cert issuance. If
anything, the sudden change in semantics would likely slow adoption of CAA
entirely as it will be viewed as a footgun that randomly breaks things
whenever the CA processing of existing CAA records changes.

Thanks,

Corey
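To make the two points above concrete, here is an added toy evaluator (my own code, not from this thread, the CA/B Forum, or any draft) that decides S/MIME issuance from a CAA RRSet using only the "issuemail" tag, so "issue"/"issuewild" neither permit nor restrict it; the zone data is constructed, and the climb-to-parent lookup is a simplified RFC 8659 relevant-RRSet search that ignores CNAME/DNAME.

```python
# Added example: CAA "issuemail" evaluation for an S/MIME request.
# Assumptions: records are (flags, tag, value); value ";" means "no issuer";
# the relevant RRSet is the first CAA RRSet found walking toward the root.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)
KNOWN_TAGS = ("issue", "issuewild", "issuemail", "iodef")

# Constructed sample zone data: owner name -> CAA RRSet.
SAMPLE_ZONES: Dict[str, List[CAARecord]] = {
    # TLS and S/MIME issuance delegated to different CAs.
    "example.com": [(0, "issue", "tls-ca.example"),
                    (0, "issuemail", "smime-ca.example")],
    # Only "issue" present: TLS is restricted, S/MIME is not (Corey's point).
    "mail.example.net": [(0, "issue", "tls-ca.example")],
    # Explicit "no S/MIME issuance at all".
    "locked.example": [(0, "issuemail", ";")],
    # Critical flag (bit 128) on a tag this evaluator does not understand.
    "strict.example": [(128, "futuretag", "x"),
                       (0, "issuemail", "smime-ca.example")],
}


def relevant_rrset(domain: str, zones: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Walk from the domain toward the root; return the first CAA RRSet found."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zones.get(name):
            return zones[name]
    return []


def smime_issuance_allowed(email: str, ca_identifier: str,
                           zones: Dict[str, List[CAARecord]] = SAMPLE_ZONES) -> bool:
    """True if the CA identified by ca_identifier may issue S/MIME for this mailbox."""
    domain = email.rsplit("@", 1)[1]
    rrset = relevant_rrset(domain, zones)
    # RFC 8659 s4.1: a critical record with an unknown tag forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Only "issuemail" is consulted; "issue"/"issuewild" are TLS-only semantics.
    mail_values = [value.split(";", 1)[0].strip().lower()
                   for _, tag, value in rrset if tag.lower() == "issuemail"]
    if not mail_values:
        return True  # no issuemail properties: no restriction on S/MIME CAs
    # ";" alone yields an empty issuer name, which matches no CA.
    return ca_identifier.lower() in [v for v in mail_values if v]
```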

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Wednesday, November 30, 2022 10:29 PM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Corey Bonnell
<Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan
<tjtncks@gmail.com>; spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Hi Stephen,

We should really hear from the author and/or CA/B F on the driver for this,
but ...

If you're running a gmail, vanity, alumni, whatever, email server and want
to allow people to get their own S/MIME cert, then don't specify an issuemail
CAA RR?

I'm not the world's biggest CAA expert, but I imagine the analogous issue
exists if you run a web hosting service and want to allow people to subdomain
and bring their own cert ... then don't specify a CAA.

---

Mike Ounsworth

________________________________

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sent: Wednesday, November 30, 2022, 6:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org <spasm@ietf.org>
Subject: Re: [EXTERNAL] Re: [lamps] CAA processing for email addresses

Hiya,

On 30/11/2022 23:43, Mike Ounsworth wrote:
> The gmails and yahoos don't do S/MIME right?, so are probably out of
> scope here.

Well, no. Not if this proposes restricting what they can
subsequently do I'd say. Same for alumni and vanity mail
providers too and probably others of the many and varied
email corner cases perhaps.

Let's not forget the bad side effects of dmarc "p=reject"
which is also a well-intentioned and partly effective thing
aimed at only a subset of email deployments, but that has
affected many others.

> It's probably the @<gov-dept>.gov's or
> @<massivecorp>.com's who have robust enough S/MIME deployments to
> care about restricting which PKI can issue for them.
Even if so, (and it seems a reasonable guess), I don't
know to what extent such email deployments have seen
issues with certificate mis-issuance, which IIUC is the
main reason for any CAA RR.

Cheers,
S.
