Re: [lamps] New draft: rfc6844bis

Corey Bonnell <CBonnell@trustwave.com> Wed, 18 July 2018 16:04 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/P7-zVrLhROLi02jJ6DDo4XjkSlE>

A bit ago, Ilari Liusvaara pointed out on the ACME WG list (https://www.ietf.org/mail-archive/web/acme/current/msg02845.html) that the grammar in 6844-bis has a minor issue in regard to multiple whitespace character sequences, as the grammar produces ambiguous parses in that case. I agree with his analysis and proposed fix to the issuevalue production rule:

issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]]

Thanks, 
Corey

On 7/17/18, 6:45 PM, "Jacob Hoffman-Andrews" <jsha@eff.org> wrote:

    On 07/10/2018 06:58 AM, Corey Bonnell wrote:
    > It looks like the updated ABNF grammar for the issue property tag is missing some line breaks, as several of the production rules are now on the same line.
    Thanks. I've fixed this in my working copy, and it will make it into the 
    next revision.
    
    > There is one more issue that we might want to tackle as part of the 6844-bis effort: changing the "SHOULD" for making CAA queries against authoritative nameservers to a "MUST" (section 6.3: For example, all portions of the DNS lookup process SHOULD be performed against the authoritative name server). This was originally mentioned in https://blog.cloudflare.com/caa-of-the-wild/ but I don't think this has been brought up on this mailing list before and thought we should at least discuss it. My opinion is that it should remain a "SHOULD" in the RFC, otherwise the RFC is dictating policy. The preferable route is to define required lookup properties in policy explicitly (eg, the Baseline Requirements would dictate that all lookups MUST be performed against an authoritative nameserver).
    Yeah, I agree we should keep this as a SHOULD. I think defining what 
    exactly it means could get messy. For instance, CAs are likely to use an 
    internal recursive resolver, which in turn contacts a series of 
    authoritative resolvers.
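The corrected issuevalue rule quoted at the top of this message, implemented as a small parser so the whitespace handling can be exercised. This is an added example, not code from the thread or from the draft; the domain, parameter, tag and value sub-rules are assumed to follow the rfc6844bis draft (labels of alphanumerics with inner hyphens, values of printable ASCII excluding ";"), and the sample inputs are constructed.

```python
import re

# Assumed lexical rules from the draft (not quoted in the message):
# WSP is space or tab; a label starts and ends with an alphanumeric.
WSP = r"[ \t]*"
LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
DOMAIN = rf"{LABEL}(?:\.{LABEL})*"
TAG = LABEL
VALUE = r"[\x21-\x3a\x3c-\x7e]*"  # printable ASCII, ";" excluded

# parameter = tag *WSP "=" *WSP value, with surrounding *WSP allowed by issuevalue
PARAM_RE = re.compile(rf"{WSP}({TAG}){WSP}={WSP}({VALUE}){WSP}")


def parse_issuevalue(text):
    """Parse per: issuevalue = *WSP [domain *WSP] [";" *WSP [parameters *WSP]]

    Returns (domain or None, {tag: value}). Raises ValueError on input the
    grammar does not accept. Runs of whitespace parse the same as single ones,
    which is the ambiguity the corrected rule removes.
    """
    head, sep, tail = text.partition(";")  # values cannot contain ";"
    head = head.strip(" \t")
    domain = None
    if head:
        if not re.fullmatch(DOMAIN, head):
            raise ValueError(f"bad domain: {head!r}")
        domain = head
    params = {}
    if sep:
        tail = tail.strip(" \t")
        if tail:  # parameters are ";"-separated; no empty or trailing entries
            for chunk in tail.split(";"):
                m = PARAM_RE.fullmatch(chunk)
                if not m:
                    raise ValueError(f"bad parameter: {chunk!r}")
                params[m.group(1)] = m.group(2)
    return domain, params


def is_valid_issuevalue(text):
    """True when the value parses under the corrected rule."""
    try:
        parse_issuevalue(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: extra whitespace around every token.
    print(parse_issuevalue("  ca.example.net   ;   account=1234  ;  policy=ev  "))
```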