Re: [lamps] New draft: rfc6844bis

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 05 June 2018 10:02 UTC

Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2099130F4D for <spasm@ietfa.amsl.com>; Tue, 5 Jun 2018 03:02:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00cyMsh48PZf for <spasm@ietfa.amsl.com>; Tue, 5 Jun 2018 03:02:45 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (homie-sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6523E130F30 for <spasm@ietf.org>; Tue, 5 Jun 2018 03:02:45 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTP id 30D2F14004028 for <spasm@ietf.org>; Tue, 5 Jun 2018 03:02:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=aH0y7VSuK0kCfPNMMqmTGKQv56E=; b= izQ2yvMbq3nQlPXW4TU0RRc/IMLgZMjtdm9FBjTIHPvo+00fYIXoNn0eGmohHEj9 JNudf81oa4YoeOP6tgHbwccaK0jOGXZDUm5YvAlhWkUqPk0HSc2oHleuOL8sEZN+ HwcfIT30DTkaHFVBqn0DAkym3f6MhWJKppiTY5lAdyE=
Received: from mail-it0-f45.google.com (mail-it0-f45.google.com [209.85.214.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTPSA id 1C8BE14004011 for <spasm@ietf.org>; Tue, 5 Jun 2018 03:02:44 -0700 (PDT)
Received: by mail-it0-f45.google.com with SMTP id k17-v6so14058521ita.0 for <spasm@ietf.org>; Tue, 05 Jun 2018 03:02:44 -0700 (PDT)
X-Gm-Message-State: APt69E0Sb9sszZ0mtf+ADcp+8hIu74627+lqG3lCVpWGNydJS/2R06oU 7nEmCtTzUcPZMAsF9A4mrs8Qz18bGepWg4R6xz8=
X-Google-Smtp-Source: ADUXVKI3eORWZ8EsYPD9DiBdb/5jnP7oCzWR0fBKOsSUMUjC1Q4+y5FV5Ut+e6ZGBlPLRQDEASihBAiXGOtPd+r4m6M=
X-Received: by 2002:a24:684d:: with SMTP id v74-v6mr7960248itb.88.1528192963512; Tue, 05 Jun 2018 03:02:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:986a:0:0:0:0:0 with HTTP; Tue, 5 Jun 2018 03:02:42 -0700 (PDT)
In-Reply-To: <98CFF920-80A3-420C-BD15-104140FAD48B@net.in.tum.de>
References: <d25080b7-d21c-219e-8d99-7c19afb5b30f@eff.org> <98CFF920-80A3-420C-BD15-104140FAD48B@net.in.tum.de>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 05 Jun 2018 06:02:42 -0400
X-Gmail-Original-Message-ID: <CAErg=HHwHpWeMB3BZQT3dRHU03tu5MYcqp3JMuHpWRdun3_O5Q@mail.gmail.com>
Message-ID: <CAErg=HHwHpWeMB3BZQT3dRHU03tu5MYcqp3JMuHpWRdun3_O5Q@mail.gmail.com>
To: Quirin Scheitle <scheitle@net.in.tum.de>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bd13ce056de22618"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LJ2oYg2KJ6D8zXXd-wHwTm5-P-4>
Subject: Re: [lamps] New draft: rfc6844bis
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2018 10:02:47 -0000

On Tue, Jun 5, 2018 at 3:49 AM, Quirin Scheitle <scheitle@net.in.tum.de>
wrote:

> 3) Validation Type   ######################
>
> We suggest a tag (i.e., not a parameter) to permit domain-level control of
> permitted/restricted validation methods. E.g., an entry such as
>
>   tum.de 0 CAA 128 dcv "dns-cname"
>   tum.de 0 CAA 128 dcv "domain-contact-postal"
>
> would permit dns-cname and domain-contact-postal methods. An entry such as
>
>   tum.de 0 CAA 128 nodcv "tls-sni”
>
> would restrict the tls-sni method, but permit all others.
> A mapping of BR/ACME defined methods to usable names would have to be
> conceived.
> This could have helped in the TLS-SNI problem a couple of months ago.


> 4) Validation Level    ######################
>
> We suggest a tag to define a minimum validation level. E.g.,
>         tum.de 0 CAA 128 vlevel "ov"
> In this example, the validation level tag vlevel would specify
> that for tum.de, only OV or EV certificates may be issued.
> This could, e.g. be used by domain name holders that exclusively
> obtain EV certificates, such as financial institutions,
> to proactively close the attack surface of DV methods.
>

I am not supportive of either of these as part of 6844-bis.

Both of these concepts are specific to a particular industry and set of
policies (namely, the commercial Web PKI and the CA/Browser Forum
documents), and as such, do not have normative references and are not
standards themselves that can be referenced.

I am supportive of the former, to be defined in the CA/Browser Forum. While
this document might countenance syntax of such an expression, the semantics
of such an expression is inherently tied to the CA/Browser Forum's
validation requirements, and thus exclusively should be viewed in that lens.

I am not supportive of the latter, even in the CA/Browser Forum, as they're
unnecessary expressions of syntax for what can already be achieved via
policy. That is, by restricting the set of CAs that can issue, one can
already restrict the type and nature of certificates issued. For nominal
views of 'high' security, this is the only defensible position - as shown
by the ample OV and EV misissuance of CAs.