Re: [Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Fri, 10 March 2017 19:22 UTC
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E0551296EA for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 11:22:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mwFQRvvLZ9Hb for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 11:22:41 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDA2F1297A8 for <spasm@ietf.org>; Fri, 10 Mar 2017 11:22:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject; bh=5IgTvTH1ski/sw7WbJdiAt5IFiNFOKAFmifaI2UlS1c=; b=tqwIQLS+I8pHKW2F1gBDHClyUEwohq3dI5Fm2TOoC5JCQoAJ/jyeUSUEH79ZujY7tE16depfDr1BQSg4oiU027Nf5K3bg+aoM9ExeNO5JCErREncmzW0388EzOIP6xqgu/eCuQN04CslnPJJMYrHdia2cKNhgn0Jr0H9xftrl+g=;
Received: ; Fri, 10 Mar 2017 11:22:41 -0800
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org>
Date: Fri, 10 Mar 2017 11:22:38 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------021AD533BD46CD5B1241D834"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Lj4sPtydZ3dBY_23f4jaCWKRaFM>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 19:22:44 -0000
On 03/10/2017 09:02 AM, Ryan Sleevi wrote:
> I'm also trying to stick to using domains reserved for purpose, rather
> than use staffie.dog and terrier.dog.
I chose these advisedly. Example.{com,net,org} are actively harmful for
reading comprehension, because their distinguishing parts are small and
come at the end rather than the beginning. Since this is a conversation,
not a normative document, I believe there's no requirement to use the
reserved domains. Do you disagree?
> - Self-Managed = The domain operator of example.com
> <http://example.com> handles certificate acquisition for
> www.example.com <http://www.example.com>
> - Externally-Managed = The domain operator of example.net
> <http://example.net> handles certificate acquisition for
> www.example.com <http://www.example.com>
Good terms, agreed.
> - Recursive = As currently specified
> - Non-Recursive = As Erratum 4515 proposes
Since we both care about terminology, I'm going to recommend we instead
use the RFC 6844 terms I used in my previous email: tree climbing vs
non-tree climbing. Recursive already has a technical meaning in RFC 1035
which differs from this one.
> - Trampoline = example.com <http://example.com> points their CNAME to
> a host at example.net <http://example.net> that is dedicated 'for
> them' (the 'staffie.example.net <http://staffie.example.net>' case)
+1.
> We end up with the following configurations:
These configurations are a little confusing, since you don't define
goals. I assume the goals in this example are:
(a) Every domain and subdomain in the example is covered by a CAA
policy, and
(b) Those CAA records are compatible with these policies:
(1) the owner of the user-facing domain will only buy certs from a
certain CA
(2) the owner of the CDN domain will only buy certs from another,
different CA.
Is that accurate? I'll adopt the CA names "user-facing.ca." and
"enterprise.ca", since both our example CA names implied goodness or
badness, which is not relevant to the discussion.
I'm going to introduce one more assumption: the CDN issues certificates
for their own internal subdomains, and wants a CAA policy for those.
This is necessary to explain why the CDN sets any CAA records at all in
the Self-managed case. And I think this is what's implied by your
examples - right?
I think it makes the most sense to start with two baseline configs:
trampoline'd and non-trampoline'd, and from there define what
*additional* CAA records are necessary in the various worlds of
Self-managed vs Externally managed, and tree climbing vs non-.
Trampoline'd config:
www.staffie.dog. CNAME staffie.terrier.dog.
staffie.terrier.dog. A 192.0.2.1
Non-trampoline'd config (all customers CNAME to the same www subdomain):
www.beagle.dog. CNAME www.hound.dog.
www.hound.dog. A 192.0.2.2
Self-managed, tree-climbing:
www.staffie.dog. CAA 0 issue "user-facing.ca"
staffie.dog. CAA 0 issue "user-facing.ca"
www.beagle.dog. CAA 0 issue "user-facing.ca"
beagle.dog. CAA 0 issue "user-facing.ca"
terrier.dog. CAA 0 issue "enterprise.ca"
hound.dog. CAA 0 issue "enterprise.ca"
Self-managed, non-tree-climbing:
staffie.dog. CAA 0 issue "user-facing.ca"
beagle.dog. CAA 0 issue "user-facing.ca"
terrier.dog. CAA 0 issue "enterprise.ca"
hound.dog. CAA 0 issue "enterprise.ca"
Externally-managed, tree-climbing:
staffie.dog. CAA 0 issue "user-facing.ca"
beagle.dog. CAA 0 issue "user-facing.ca"
terrier.dog. CAA 0 issue "enterprise.ca"
hound.dog. CAA 0 issue "enterprise.ca"
Externally-managed, non-tree-climbing:
staffie.dog. CAA 0 issue "user-facing.ca"
beagle.dog. CAA 0 issue "user-facing.ca"
staffie.terrier.dog. CAA 0 issue "enterprise.ca"
terrier.dog. CAA 0 issue "enterprise.ca"
www.hound.dog. CAA 0 issue "enterprise.ca"
hound.dog. CAA 0 issue "enterprise.ca"
Now, if we like, we can factor out the CAA records that appear in every
example: those for the base domains staffie.dog, beagle.dog,
terrier.dog, and hound.dog. That allows us to look at the differences
between the worlds more closely, and see what CAA records are required
beyond those:
*Reduced examples*
Self-managed, tree-climbing:
www.staffie.dog. CAA 0 issue "user-facing.ca"
www.beagle.dog. CAA 0 issue "user-facing.ca"
Self-managed, non-tree-climbing:
none
Externally-managed, tree-climbing:
none
Externally-managed, non-tree-climbing:
staffie.terrier.dog. CAA 0 issue "enterprise.ca"
www.hound.dog. CAA 0 issue "enterprise.ca"
*Mixed-management*
Complicating things further, we additionally need to consider
"Mixed-management," the use case that Patrick described, where CDN
certificates are externally managed, but owners of user-facing domains
also buy their own certificates for domains that are CDN-managed. I
think in practice, all "Externally-managed" arrangements are actually
"Mixed-management." Under the assumption that most owners of user-facing
domains are unwilling or unable to deploy their own CAA records
overriding CDN CAA records, this may make deployment of blanket CAA
policies by CDNs impractical, regardless of tree-climbing or
non-tree-climbing.
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews