Re: [lamps] CAA tags

Phillip Hallam-Baker <> Tue, 19 December 2017 06:24 UTC

From: Phillip Hallam-Baker <>
Date: Tue, 19 Dec 2017 01:23:57 -0500
To: Rob Stradling <>
Cc: SPASM <>

We did indeed start with OIDs. But the reason I agreed to Domain Names was
that the suggestion (I seem to remember it was Paul Hoffman) was obviously
the right one.

Most of the things people want to do with tags can be done with domain
names. More importantly, it can be done outside the IETF. If you want 'any
EV' issuer, get the CABForum to approve for the purpose.

Restricting to specific validation methods is interesting and might be a
justified use for the criticality flag.

The other point to ponder is how a server that needs a cert discovers where
the cert issuing service is. The idea was that if the CAA record specifies, a server would then be able to use that information to work
out how to get a cert and automate the whole process.

Remember that at the time, there was this idea that DNS records should not
make use of prefixes and should not make use of additional parsing beyond
DNS record markers. At this point, I think we can safely ignore both
notions as broken and if I was to do it again would suggest it just be a
TXT type record. But we can't; that's water under the bridge now, sorry.

On Mon, Dec 18, 2017 at 5:02 PM, Rob Stradling <> wrote:

> On 18/12/17 20:42, Ryan Sleevi wrote:
> <snip>
>> I think Jacob's suggestion of OIDs is not at all unreasonable, and avoids
>> the ambiguities you raise and allows them to be addressed by policy in the
>> Forum.
> We had policy OIDs in early versions of the I-D [1] that later became
> RFC6844, but we had to strip this out in favour of domain names when the
> document was adopted by PKIX.  WG consensus and all that.
> I'm not sure what that decision might mean for any other proposals to use
> OIDs with CAA.
> [1]
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
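The thread above discusses CAA tags, the issuer-critical flag and restricting issuance to particular validation methods, without showing what a CA's check actually looks like. The following is an added example, not code from the original message or from any CA. It encodes and decodes the RFC 6844 wire format (flags, tag length, tag, value), looks up the relevant CAA record set by climbing from the requested name toward the root (the CNAME-following rule of RFC 6844 is omitted for brevity), refuses issuance when a record carries the critical bit with a tag the code does not understand, and honours a `validationmethods` parameter in the style later standardised in RFC 8657. The zone contents, the CA domain `ca.example.net` and the tag `futuretag` are constructed for the example.

```python
import struct

# Constructed in-memory zone: owner name -> list of (flags, tag, value).
# No real DNS lookups are performed; this stands in for the resolver.
ZONE = {
    "example.com.": [
        (0, "issue", "ca.example.net"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "restricted.example.com.": [
        # RFC 8657-style parameter: only allow the dns-01 validation method.
        (0, "issue", "ca.example.net; validationmethods=dns-01"),
    ],
    "unknown.example.com.": [
        (128, "issue", "ca.example.net"),
        (128, "futuretag", "x"),   # hypothetical tag with the critical bit set
    ],
    "nocerts.example.com.": [
        (0, "issue", ";"),         # explicitly forbids every issuer
    ],
}

CRITICAL = 0x80                    # issuer-critical flag, RFC 6844 section 5.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa(flags, tag, value):
    """RFC 6844 section 5.1 RDATA: flags(1) tag-length(1) tag value."""
    tag_b = tag.encode("ascii")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def decode_caa(rdata):
    """Parse CAA RDATA, rejecting malformed tags (empty or non-alphanumeric)."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be alphanumeric")
    return flags, tag.lower(), rdata[2 + tag_len:].decode("utf-8")


def relevant_caa_set(name):
    """Walk from name toward the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = ZONE.get(owner)
        if rrset:
            # Round-trip through the wire format so the decoder is exercised.
            return [decode_caa(encode_caa(*r)) for r in rrset]
    return []


def parse_issue_value(value):
    """Split 'issuer-domain; key=val; key=val' into (domain or None, params)."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower() or None
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return domain, params


def may_issue(name, ca_domain, wildcard=False, method=None):
    """CA-side decision: (allowed, reason) for issuing to name."""
    rrset = relevant_caa_set(name)
    if not rrset:
        return True, "no CAA records"
    # A critical record we cannot interpret forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, "critical unknown tag %r" % tag
    tag = "issuewild" if wildcard else "issue"
    records = [v for _, t, v in rrset if t == tag]
    if wildcard and not records:          # issuewild absent: issue applies
        records = [v for _, t, v in rrset if t == "issue"]
    if not records:
        return True, "no %s records" % tag
    for v in records:
        domain, params = parse_issue_value(v)
        if domain != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed and method not in allowed.split(","):
            continue
        return True, "matched %r" % v
    return False, "no matching issue record"


if __name__ == "__main__":
    for n in ("www.example.com.", "restricted.example.com.",
              "unknown.example.com.", "nocerts.example.com."):
        print(n, may_issue(n, "ca.example.net", method="dns-01"))
```

The `futuretag` case is the point the message raises about the criticality flag: a CA that does not understand a critical tag must refuse, so a domain owner who wants a new restriction enforced rather than ignored sets the flag, at the cost of being refused by every CA that has not implemented the tag.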