Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 01 December 2022 15:25 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Corey Bonnell <Corey.Bonnell@digicert.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 01 Dec 2022 15:25:11 +0000
Message-ID: <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com> <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Pey79R0iQ015vvtxy7dj7ZT7t7Q>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Thanks for the explanations, Corey.

I support adoption of this draft.

---
Mike Ounsworth

From: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Sent: December 1, 2022 8:26 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Stephen Farrell <stephen.farrell@cs.tcd.ie>; Corey Bonnell <Corey.Bonnell@digicert.com>; spasm@ietf.org
Subject: RE: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Hi Stephen and Mike,
Thank you for your feedback thus far. I'll address a few questions that were raised inline.


> > The gmails and yahoos don't do S/MIME right?, so are probably out of
> > scope here.
>
> Well, no. Not if this proposes restricting what they can subsequently do I'd say. Same for alumni and vanity mail providers too and probably others of the many and varied email corner cases perhaps.

I think Mike already addressed this, but if there are no "issuemail" properties in the Relevant RRSet, then there are no restrictions on which CA can issue certificates for the domain. Mail providers will not see any impact of CAs processing the "issuemail" tag unless they have explicitly added those records to the zone.

> @Corey Bonnell can you expand on why CA/B wants a CAA `issuemail` separate from the CAA `issue`?

I don't speak for all of CA/B, but previous discussion in the SMIME WG and MDSP threads that I originally referenced showed that there was rough consensus that the existing "issue" and "issuewild" property tags are relevant solely to the issuance of server authentication certs and do not apply to S/MIME or other certificate types. There are two reasons for this:


  1.  Assuming that "issue" and "issuewild" restrict both serverauth and S/MIME issuance, there is no way for a domain administrator to express different restrictions for these two certificate types. In the mailbox provider case that Stephen raised, that means it would not be possible for a mailbox provider to restrict issuance of TLS certs for the domain while allowing mailbox users to obtain S/MIME certs from any CA. Having separate property tags allows administrators to express the restrictions at a granular level that more closely mirrors their arrangements with various CAs for the issuance of various certificate types for that domain.
  2.  Existing deployments in the wild assume that "issue" and "issuewild" tags restrict TLS server cert issuance only. It would be quite surprising if one day those tags are also used to restrict S/MIME cert issuance. If anything, the sudden change in semantics would likely slow adoption of CAA entirely as it will be viewed as a footgun that randomly breaks things whenever the CA processing of existing CAA records changes.

Thanks,
Corey

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Wednesday, November 30, 2022 10:29 PM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Hi Stephen,

We should really hear from the author and/or CA/B F on the driver for this, but ...

If you're running a gmail, vanity, alumni, whatever, email server and want to allow people to get their own S/MIME cert, then don't specify an issuemail CAA RR?

I'm not the world's biggest CAA expert, but I imagine the analogous issue exists if you run a web hosting service and want to allow people to subdomain and bring their own cert ... then don't specify a CAA

---
Mike Ounsworth

________________________________
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sent: Wednesday, November 30, 2022, 6:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>; Seo Suchan <tjtncks@gmail.com>; spasm@ietf.org <spasm@ietf.org>
Subject: Re: [EXTERNAL] Re: [lamps] CAA processing for email addresses


Hiya,

On 30/11/2022 23:43, Mike Ounsworth wrote:
> The gmails and yahoos don't do S/MIME right?, so are probably out of
> scope here.

Well, no. Not if this proposes restricting what they can
subsequently do I'd say. Same for alumni and vanity mail
providers too and probably others of the many and varied
email corner cases perhaps.

Let's not forget the bad side effects of dmarc "p=reject"
which is also a well-intentioned and partly effective thing
aimed at only a subset of email deployments, but that has
affected many others.

> It's probably the @<gov-dept>.gov's or
> @<massivecorp>.com's who have robust enough S/MIME deployments to
> care about restricting which PKI can issue for them.
Even if so, (and it seems a reasonable guess), I don't
know to what extent such email deployments have seen
issues with certificate mis-issuance, which IIUC is the
main reason for any CAA RR.

Cheers,
S.
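The processing rules Corey lays out in the thread (a CA deciding S/MIME issuance looks only at the "issuemail" property, ignores "issue" and "issuewild" for that purpose, and treats a Relevant RRSet with no "issuemail" property as unrestricted) are compact enough to write down and run. The evaluator below is an added example for this archive page, not code from the draft, from the CA/B Forum or from any of the posters. It assumes RFC 8659 semantics for everything the thread does not spell out: Relevant RRSet discovery by climbing from the name towards the root and taking the first non-empty CAA RRSet (CNAME/DNAME indirection is not modelled), the value syntax `issuer-domain-name [; parameters]` with a bare `;` authorising no CA, the issuer-critical flag forbidding issuance when a CA does not recognise a critical tag, and "issuewild" taking precedence over "issue" for wildcard names. It also assumes that for a mailbox the Relevant RRSet is computed for the domain part after the `@`. The zone contents and CA names are constructed for the example.

```python
"""Toy CAA evaluator for S/MIME ("issuemail") versus TLS ("issue"/"issuewild").

Added example for this mailing-list page; not code from the draft, the CA/B
Forum or any poster. Assumptions beyond the thread are marked in comments.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)
UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data for the example (domain -> its own CAA RRSet).
# Names that are absent have no CAA records of their own.
ZONE = {
    # TLS issuance pinned to one CA, S/MIME issuance pinned to another.
    "example.com": [
        CAARecord(0, "issue", "tls-ca.example"),
        CAARecord(0, "issuemail", "smime-ca.example"),
    ],
    # A typical existing deployment: only "issue" is set. Per the thread this
    # says nothing about S/MIME, so any CA may issue S/MIME for mailboxes here.
    "locked.example": [CAARecord(0, "issue", "tls-ca.example")],
    # A bare ";" means no CA at all may issue certificates of that type.
    "nomail.example": [CAARecord(0, "issuemail", ";")],
    # "issuewild" governs wildcard names; "issue" still governs ordinary names.
    "wild.example": [
        CAARecord(0, "issue", "tls-ca.example"),
        CAARecord(0, "issuewild", "wild-ca.example"),
    ],
    # A critical property this CA does not understand: no issuance of any kind.
    "critical.example": [CAARecord(CRITICAL, "futuretag", "whatever")],
}


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3 (assumed): walk from fqdn towards the root and
    return the first non-empty CAA RRSet. CNAME/DNAME are not modelled."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return list(rrset)
    return []


def parse_issuer(value):
    """Split an issue/issuewild/issuemail value into (issuer-domain-name, params).
    An empty issuer (value ";" or "") authorises no CA."""
    head, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip().lower()] = val.strip()
    return head.strip().lower(), params


def may_issue(zone, domain, ca, cert_type, wildcard=False):
    """Decide whether CA `ca` may issue a certificate of `cert_type`
    ("tls" or "smime") covering `domain`, under the Relevant RRSet."""
    rrset = relevant_rrset(zone, domain)
    if not rrset:
        return True  # no CAA records anywhere up the tree: unrestricted
    # A critical property this CA does not recognise forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in UNDERSTOOD_TAGS for r in rrset):
        return False
    if cert_type == "smime":
        tag = "issuemail"  # "issue"/"issuewild" are ignored for S/MIME
    elif wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard names
    else:
        tag = "issue"
    selected = [r for r in rrset if r.tag.lower() == tag]
    if not selected:
        return True  # no property of this kind present: no restriction
    return any(parse_issuer(r.value)[0] == ca.lower() for r in selected)


def may_issue_smime(zone, mailbox, ca):
    """S/MIME check for a mailbox. Assumption: the Relevant RRSet is that of the
    domain part of the address (quoted local parts containing '@' not handled)."""
    _, _, domain = mailbox.rpartition("@")
    return may_issue(zone, domain, ca, "smime")


def may_issue_tls(zone, fqdn, ca):
    """TLS server-auth check; a leading '*.' selects wildcard processing."""
    wildcard = fqdn.startswith("*.")
    return may_issue(zone, fqdn[2:] if wildcard else fqdn, ca, "tls", wildcard)


if __name__ == "__main__":
    checks = [
        ("S/MIME", "alice@example.com", "smime-ca.example"),
        ("S/MIME", "alice@example.com", "tls-ca.example"),
        ("TLS", "www.example.com", "tls-ca.example"),
        ("S/MIME", "bob@locked.example", "any-ca.example"),
        ("TLS", "locked.example", "any-ca.example"),
        ("S/MIME", "carol@nomail.example", "smime-ca.example"),
        ("TLS", "*.wild.example", "wild-ca.example"),
        ("S/MIME", "dave@critical.example", "smime-ca.example"),
    ]
    for kind, name, ca in checks:
        fn = may_issue_smime if kind == "S/MIME" else may_issue_tls
        verdict = "allowed" if fn(ZONE, name, ca) else "refused"
        print(f"{kind:6} {name:24} {ca:18} -> {verdict}")
```

The `locked.example` entry is the case both Corey and Mike describe: an administrator who has only ever published "issue" records sees no change in S/MIME issuance, while a provider that wants to pin S/MIME issuance adds "issuemail" explicitly, and one that wants to forbid it publishes `issuemail ";"`.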