Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Antonios Chariton <daknob.mac@gmail.com> Fri, 02 December 2022 15:51 UTC


I think that CAA for S/MIME is useful, and can help enforce policies for an enterprise, and even for large e-mail providers (although probably not for their main domain gmail.com / hotmail.com / etc.). I participate here in my personal capacity and won’t speak on behalf of Gmail.

Two things I’d maybe consider, one of which is described in my thread[1] too:

- Perhaps “mailissue” or “mail” is better (explained in the thread) or even “smime”. This allows for “smimeentity” and “smimeserver” for example, if there’s a future need for that.

- I don’t know if I would make this critical

Marking this as critical will require all CAs (at least) to build support for it, otherwise its presence will block issuance of TLS certificates. My suggestion is to make this non-critical (as it is not necessary to use CAA for this domain at all), and then require parsing of CAA “mail” (or whatever) properties in the requirements that include this doc. In this case, it can be the CA/B Forum BRs. If they specify that CAs MUST follow / understand / support / conform to … RFCXXXX then you achieve the criticality in the publicly trusted space, without breaking all CAA implementations in the meantime.

I would argue that this property is not critical for a CA that does not issue S/MIME certs, and in my view the critical flag is for things necessary for all CAA uses, not just one.

In terms of adoption, I would like to see CAA for S/MIME, and this is a good and simple way to achieve it. The lack of Certificate Transparency in the space will make it more difficult to detect misissuance / non-conformity, but when detected it would make it hopefully easier to prove. Without speaking on behalf of any Root Program, I imagine this would help many stakeholders in the S/MIME ecosystem.

Antonis


1: https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/
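The criticality point made in the post above, as an added illustration that is not part of this message or of any draft: the check below applies RFC 8659 CAA evaluation to a constructed zone that carries the hypothetical "mail" property discussed in the thread (CA identifiers are also constructed), and shows that a critical "mail" record blocks TLS issuance at any CA that has not implemented the tag, whereas a non-critical one leaves such a CA unconstrained until a policy document mandates support.

```python
# Added example: RFC 8659-style CAA evaluation with a hypothetical "mail" tag.
# CA identifiers and zone records are constructed for illustration only.
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags byte

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def may_issue(records, ca_id, cert_type, supported_tags):
    """Return (allowed, reason) for a CA asked for a 'tls' or 'smime' cert.

    Simplifications: no issuewild handling, no climbing to parent labels,
    and the S/MIME tag is assumed to be named "mail" as suggested in the thread.
    """
    supported = {t.lower() for t in supported_tags}
    # RFC 8659: a critical record whose tag the CA does not understand MUST
    # block issuance, regardless of which property is being evaluated.
    for r in records:
        if r.flags & CRITICAL and r.tag.lower() not in supported:
            return False, f"critical unsupported tag {r.tag!r}"
    tag = "issue" if cert_type == "tls" else "mail"
    if tag not in supported:
        # Non-critical unknown records are ignored, so a CA that has not
        # implemented "mail" is unconstrained until the BRs mandate support.
        return True, f"CA does not process {tag!r}; records ignored"
    matching = [r for r in records if r.tag.lower() == tag]
    if not matching:
        return True, f"no {tag!r} records; any CA may issue"
    for r in matching:
        issuer = r.value.split(";", 1)[0].strip().lower()  # "ca-id; params"
        if issuer and issuer == ca_id.lower():
            return True, f"{tag!r} record authorises {ca_id}"
    return False, f"{tag!r} records present, none authorise {ca_id}"

# Constructed zone data for an example domain
ZONE_CRITICAL = [CAARecord(0, "issue", "ca-a.example"),
                 CAARecord(CRITICAL, "mail", "ca-b.example")]
ZONE_NONCRIT = [CAARecord(0, "issue", "ca-a.example"),
                CAARecord(0, "mail", "ca-b.example")]
TLS_ONLY_CA = {"issue", "issuewild"}          # a CA that has never seen "mail"
SMIME_CA = {"issue", "issuewild", "mail"}

if __name__ == "__main__":
    print(may_issue(ZONE_CRITICAL, "ca-a.example", "tls", TLS_ONLY_CA))
    print(may_issue(ZONE_NONCRIT, "ca-a.example", "smime", TLS_ONLY_CA))
```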

> On 1 Dec 2022, at 22:42, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> But this is not a proposal that would be relevant to Mail Service Operators like Gmail or Hotmail.
> 
> It is only relevant to enterprises running mail services under their own DNS name. Outsourcing that to a mail service provider would not impact the use of CAA or S/MIME in the slightest.
> 
> 
> On Thu, Dec 1, 2022 at 3:02 PM Stephen Farrell <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>> 
>> 
>> On 01/12/2022 18:46, Phillip Hallam-Baker wrote:
>> > I support adoption of this draft.
>> 
>> In the absence of mail service operators who say they want
>> this, I'm against adoption. (If this does originate in CAB
>> forum, I'm not aware folks like that are represented there.)
>> 
>> If some mail service operators wanted this, I'd consider what
>> they said.
>> 
>> S.