Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 01 December 2022 03:29 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 01 Dec 2022 03:29:02 +0000
Message-ID: <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie>
In-Reply-To: <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MaorNZFS_R9V1kFPFKOanu28xx4>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Hi Stephen,

We should really hear from the author and/or CA/B F on the driver for this, but ...

If you're running a gmail, vanity, alumni, whatever, email server and want to allow people to get their own S/MIME cert, then don't specify an issuemail CAA RR?

I'm not the world's biggest CAA expert, but I imagine the analogous issue exists if you run a web hosting service and want to allow people to subdomain and bring their own cert ... then don't specify a CAA.

---
Mike Ounsworth

________________________________
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sent: Wednesday, November 30, 2022, 6:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org <spasm@ietf.org>
Subject: Re: [EXTERNAL] Re: [lamps] CAA processing for email addresses


Hiya,

On 30/11/2022 23:43, Mike Ounsworth wrote:
> The gmails and yahoos don't do S/MIME right?, so are probably out of
> scope here.

Well, no. Not if this proposes restricting what they can
subsequently do I'd say. Same for alumni and vanity mail
providers too and probably others of the many and varied
email corner cases perhaps.

Let's not forget the bad side effects of dmarc "p=reject"
which is also a well-intentioned and partly effective thing
aimed at only a subset of email deployments, but that has
affected many others.

> It's probably the @<gov-dept>.gov's or
> @<massivecorp>.com's who have robust enough S/MIME deployments to
> care about restricting which PKI can issue for them.

Even if so (and it seems a reasonable guess), I don't
know to what extent such email deployments have seen
issues with certificate mis-issuance, which IIUC is the
main reason for any CAA RR.

Cheers,
S.

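The issuemail semantics the thread argues about, as an added example that is not part of the original messages: a small Python check of whether a CA may issue an S/MIME certificate for a mailbox, run over constructed CAA data rather than live DNS. It assumes the RFC 8659 record-set climb and the issuemail rules of the draft under discussion (later RFC 9495): no issuemail record means any CA may issue, a bare ";" means no CA may issue, and issue/issuewild records do not affect S/MIME issuance.

```python
"""Toy CAA 'issuemail' evaluation (added example; not from the thread).

Assumptions: RFC 8659 record-set climbing and the issuemail property as
described in draft-ietf-lamps-caa-issuemail / RFC 9495. The zone data is
constructed for illustration; no real DNS is queried.
"""

# Constructed CAA data: domain -> list of (tag, value). Domains absent from
# the map are treated as having no CAA records at all.
ZONE = {
    "example.com": [("issue", "web-ca.example")],        # web CAA only, no issuemail
    "massivecorp.example": [("issuemail", "corp-ca.example")],
    "alumni.example": [("issuemail", ";")],              # ";" -> no CA may issue
}


def relevant_record_set(domain):
    """RFC 8659 climb: first non-empty CAA set walking from domain toward the root."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def smime_issuance_permitted(email, ca_id):
    """True if ca_id may issue an S/MIME certificate for this mailbox address.

    Only issuemail records are consulted; issue/issuewild are ignored for S/MIME.
    """
    domain = email.rsplit("@", 1)[1]
    issuemail = [v for tag, v in relevant_record_set(domain) if tag == "issuemail"]
    if not issuemail:
        return True  # no issuemail record published -> any CA may issue
    # The issuer domain is the part before any ";" parameters; a bare ";" yields
    # an empty string, which matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issuemail}
    return ca_id.lower() in allowed
```

A mailbox at example.com is unrestricted for S/MIME despite the web "issue" record, while mail.massivecorp.example inherits its parent's issuemail restriction through the climb.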