Re: [Spasm] CAA erratum 4515
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 10 March 2017 21:18 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61E8712946A for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 13:18:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKYRefgFMpRt for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 13:18:43 -0800 (PST)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60082129408 for <spasm@ietf.org>; Fri, 10 Mar 2017 13:18:43 -0800 (PST)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id E1232A00400E for <spasm@ietf.org>; Fri, 10 Mar 2017 13:18:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=gMbWMqMc6vOZ4cg8IeCuFYmbaaY=; b= qOgMtM9W/yT59SesWqj1FpgY+uWWokYm3S0BNB0gEmNlPAHvRGYxcgFL8+HKW2tQ j5/Q+nSyMV61t6X8VkY4IhJns1sFfIfNu08A7JujXSEF6u+c3QtyvH43+kFIyTeM GpDrzhFHbW5ZiiLHUo55EFa43Qc7lyMh6mDGpgcRKW0=
Received: from mail-lf0-f43.google.com (mail-lf0-f43.google.com [209.85.215.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 81B7AA000107 for <spasm@ietf.org>; Fri, 10 Mar 2017 13:18:42 -0800 (PST)
Received: by mail-lf0-f43.google.com with SMTP id y193so45684021lfd.3 for <spasm@ietf.org>; Fri, 10 Mar 2017 13:18:42 -0800 (PST)
X-Gm-Message-State: AFeK/H0VGXsj7Ppqu1FOXondvykHTrH00oPwkZZcVhtmjAtrmrvPi14uz+4U/CDg3WTCzWL4oXGqZ2r2myOGaQ==
X-Received: by 10.46.22.85 with SMTP id 21mr562848ljw.113.1489180720790; Fri, 10 Mar 2017 13:18:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Fri, 10 Mar 2017 13:18:40 -0800 (PST)
In-Reply-To: <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org> <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com> <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 10 Mar 2017 16:18:40 -0500
X-Gmail-Original-Message-ID: <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com>
Message-ID: <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="f403045fc1a0de88ab054a66e73c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PAzivNhA72DjLso9LkWpCdGTRFA>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 21:18:44 -0000
On Fri, Mar 10, 2017 at 3:22 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote: > On 03/10/2017 11:43 AM, Ryan Sleevi wrote: > > Agreed. To aid understanding, could you re-explain in your own words why > your examples show the CDN setting CAA records in the Self-managed case? I > copied that into my own examples for consistency, by I had to guess at the > reasons. > Which example? Are you talking about "example.net CAA 0 issue " evil-ca.example.org" ? That's because the site operator should be able to set their own policy for their own domains. This is why I dislike the "CDN" example, because it comes with it the implication that somehow "example.net" is reserved only for CDN customers, whereas I think the marketing site example, a more common scenario, has the marketing company providing services at their own domain (e.g. "www.example.net") and co-hosts one or more customer domains (" terrier.example.net"). The point here is that it's rare for a single domain tree to be limited to a single (self-hosted/externally-hosted) policy. > These configurations are a little confusing, since you don't define goals. > I assume the goals in this example are: > (a) Every domain and subdomain in the example is covered by a CAA policy, > and > > Can you confirm whether this is an implicit goal in your examples? > I'm not sure I would suggest it like that, but again, I think we may simply be agreeing but talking past eachother :) I see "example.com" and " example.net" as two independent organizations with their own policies, for which they wish to express as efficiently and simply as possible. > The "reduced examples" are simply the regular examples with those common > entries removed. > Right, but I think the understanding of these policies - and that these policies are in play - are key to making progress and discussion :) The fact that it involves remembering whether or not a policy is set (implicitly) is exactly why I tried to explicitly indicate in all of the examples what I mentioned above - different domains have different policies. > My goal here was to give trampoline and non-trampoline examples their own > distinct names, so we can compare them side-by-side in each world. The > conclusion I come to is that there is not a significant difference. > Right, and the conclusion I've come to is that the level of operational burden shifts, subtlely, and while I think both offer a degree of flexibility to allow the use cases, the burden for how that configuration is made and managed is sufficient enough to prefer one over the other - this is the subjective portion that I was leading to, by first making sure we had a consistent objective measure. > Maybe we can come at this from a different angle: I think you are saying > that in the non-tree-climbing world, CDNs would need to use the trampoline > to make it possible (or convenient?) to express a certain CAA policy. > If domain operators wish to operate with their own policy, but support customers with another policy, the trampoline is necessary or the customer has an additional configuration step. If domain operators wish to operate with their own policy, and support customers with the same policy (on the domains the domain operator operates), while allowing their customers to operate with their own policy on the customer domains, the trampoline is necessary. - Are you arguing that trampolines make a certain policy possible, or just > more convenient? > - In the non-tree-climbing world, are you arguing that trampolines are > necessary for Self-managed, Externally-managed, or both? > I think both of these questions misunderstands what I was trying to present. I think you're seeing it as a discussion about whether or not trampolines are required - I was attempting to discuss how the configuration looks when trampolines are used, and when they're not, and compare the operational difficulties that arise in supporting both self-managed and externally-managed issuance policies in both tree-walking and non-tree-walking scenarios.
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews