Re: [lamps] CAA tags
Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 18 December 2017 20:42 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16AA312D851 for <spasm@ietfa.amsl.com>; Mon, 18 Dec 2017 12:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Soz4G-02gWnu for <spasm@ietfa.amsl.com>; Mon, 18 Dec 2017 12:42:07 -0800 (PST)
Received: from homiemail-a111.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E25C1200FC for <spasm@ietf.org>; Mon, 18 Dec 2017 12:42:07 -0800 (PST)
Received: from homiemail-a111.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a111.g.dreamhost.com (Postfix) with ESMTP id 05F263C001C17 for <spasm@ietf.org>; Mon, 18 Dec 2017 12:42:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=SkiWCfGo3CcseF/w6fp9l0tv4sE=; b= PgMu9ddJFt67zUop3EMFk3o/sYhDXBzJum1/lVMaNWazHi8nM9CaFGg8w/ZRrbjJ jUX70b9QhM26ArtoqZs4YI7RFe9XoDDQK+d0HY63TO6ZAoZJMa4IUGDFriJQ6Lsz oMtJmdTll7MoYYKZFL6bRZPuJxy7/UV/DexbSeXaL6M=
Received: from mail-it0-f46.google.com (mail-it0-f46.google.com [209.85.214.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a111.g.dreamhost.com (Postfix) with ESMTPSA id E02DF3C001C18 for <spasm@ietf.org>; Mon, 18 Dec 2017 12:42:06 -0800 (PST)
Received: by mail-it0-f46.google.com with SMTP id p139so240008itb.1 for <spasm@ietf.org>; Mon, 18 Dec 2017 12:42:06 -0800 (PST)
X-Gm-Message-State: AKGB3mLGCfnyFVtBOkZhMsOOMbRM/K2g0hLx8nAS2l/xw5zdJiOqS0lh +qmqeOOfk1WXGLXCtV8cHRr1CM4fORDTSp2HDzI=
X-Google-Smtp-Source: ACJfBot9+h/+72ollqG23UJ07CrSEVehg16KQgjrRGzXyE7xkOQltun1iaM0heFn/GZ2SBws/XayvtJUbPiL/xO/jYo=
X-Received: by 10.36.61.149 with SMTP id n143mr459320itn.67.1513629726159; Mon, 18 Dec 2017 12:42:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.78.70 with HTTP; Mon, 18 Dec 2017 12:42:05 -0800 (PST)
In-Reply-To: <DM5PR14MB12895320D99FC570E797373F830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com> <0ab8efa3-378c-ece7-4fa3-913308f81c22@eff.org> <DM5PR14MB12895320D99FC570E797373F830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 18 Dec 2017 15:42:05 -0500
X-Gmail-Original-Message-ID: <CAErg=HGMOVmvEoD=hy3rnTb=J1uQeu-SHrTn1JEeRnQuXzqg-Q@mail.gmail.com>
Message-ID: <CAErg=HGMOVmvEoD=hy3rnTb=J1uQeu-SHrTn1JEeRnQuXzqg-Q@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="001a1144452e2645c10560a36229"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/NcLgldGMuyTL4JTNv2avoawFsTw>
Subject: Re: [lamps] CAA tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 20:42:09 -0000
On Mon, Dec 18, 2017 at 3:10 PM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote: > > > > > readable text labels, like Validation=Phone? > > > > My issue with validation=phone is that it is not precise enough; there's > one > > version of validation by phone defined in the BRs today, but what if that > > changes significantly? One could solve this by defining a versioned > validation > > method, e.g. validation=phone-01, with an IANA registry to register new > ones > > as requirements change. > > The lack of precision bothered me a bit too when I was proposing it, > especially since some people have discussed breaking up some of the > larger catch-all ones. I like the version number, but I think we have to > be > > a bit careful. Is the version just a minimum version? If I have CAA set > to > > validation=phone-01, do I have to update my CAA record every time the > BR validation methods are changed? How big of a change requires revving > the version number of the validation method? > > Should the BR version number be used instead? E.g. validation=phone-1.5.4? > This might make more sense as the BR version number does get bumped on > every validation rev (and non-validation rev ...). > > > However, there does seem to be some interest in embedding information > > about validation methods in certificates. It would be nice if there was a > > correspondence between the namespace used in CAA and the one used in > > certificates. > > That would be nice. Maybe an IANA registry for validation methods might > make sense, but I'm unfamiliar with how easy/difficult that is to set up/ > modify. > It'd be great if there was a spec writeup for discussion - or is this a pre-spec seeds of thoughts? I think Jacob's suggestion of OIDs is not at all unreasonable, and avoids the ambiguities you raise and allows them to be addressed by policy in the Forum. > > It's easy to define a URI mapping for an existing account identifier. > > For instance, if customers have a numeric id 123456, the CA can specify > that > > the corresponding account-uri is https://ca.example.net/accounts/123456. > > There's no requirement that account-uris are fetchable. > > I get that, but a URI is longer and more complicated. Quirin's research > shows that a significant fraction of CAA users CANNOT SPELL THEIR CA'S > NAME. I shudder to think how they will manage to mangle a URI ... > I also agree with Jacob's suggestion here, and prefer a single, canonical representation.
- [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Jacob Hoffman-Andrews
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Rob Stradling
- Re: [lamps] CAA tags Phillip Hallam-Baker
- Re: [lamps] CAA tags Stephen Farrell
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Stephen Farrell
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek