Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Sun, 12 March 2017 19:48 UTC

To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <20170311201904.GQ7733@mournblade.imrryr.org> <fede5d8f9f2c43518d8a3c502c60558a@usma1ex-dag1mb1.msg.corp.akamai.com> <389a248f-37e4-9ff7-b330-b840e7c47931@eff.org> <CAErg=HEC=YL-wWEygqtmivN0axZ_cddkM-WDc8RA+jVTJYmVgQ@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <0d7afa83-a9d7-f977-ca36-533fc13b720e@eff.org>
Date: Sun, 12 Mar 2017 12:48:37 -0700
In-Reply-To: <CAErg=HEC=YL-wWEygqtmivN0axZ_cddkM-WDc8RA+jVTJYmVgQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QEqYqZbsNWrnnsac5fe4KbBlZxw>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, "Salz, Rich" <rsalz@akamai.com>, Peter Bowen <pzb@amzn.com>, "spasm@ietf.org" <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, Phillip Hallam-Baker <phill@hallambaker.com>
Subject: Re: [Spasm] CAA erratum 4515

On 03/12/2017 12:33 PM, Ryan Sleevi wrote:
> On Sun, Mar 12, 2017 at 11:06 AM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
>
>     Looking at the types of policy I described earlier:
>
>     > 1. Policy set by user-facing domain owner for their own hostnames.
>     > 2. Blanket policy set by CDN for hostnames they operate on their
>     > customers' behalf.
>     > 3. Policy set by CDN for their own hostnames, which share the same
>     > base domain as the CNAME targets used in (2).
>
>     In the tree-climbing world, given the above restriction on CNAMEs
>     coexisting, it would be impossible for a CDN to express "(3) without
>     (2)". Worse, if some CDN did express (3), it would be impossible for
>     their customers to opt out by setting CAA records on their own
>     domains. This would effectively bar CDNs from expressing (3) in the
>     tree-climbing world.
>
>
>     I think this is sufficient to say that tree climbing is undesirable.
>     What do other folks think?
>
>
> I think you're correct in that, in the absence of some form of
> trampoline - and an 'any' policy - it can't be expressed.
>
> However, am I mistaken in thinking that with those two - it could be?
Actually, thinking about it some more, all that's needed is an 'any'
policy. Even without a trampoline, the CDN only has to set the 'any'
policy on their CNAME target.

Separately: since we now realize that customers can't override CDN
policy by adding CAA records to their own zone, if a customer wants to
set their own CAA policy, the records have to be present on the CNAME
target. That is, the CDN would have to cooperate in adding that record.
Because different customers would no doubt want to express different
policies, the CDN would have to use a trampoline if they wanted to offer
per-customer CAA settings. However, this is true in both tree-climbing
and non-tree-climbing worlds. Do you agree?
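As an added illustration (not part of the original message or of the thread), the following Python model plays out the two lookup semantics under discussion on a constructed zone. The names (`example.com`, `example-cdn.net`, `cust123.cdn.example-cdn.net`) are made up; "tree-climbing" is modelled as the RFC 6844 section 4 algorithm as published, where R(A(X)) is consulted after following a CNAME, and "non-tree-climbing" as consulting only CAA(A(X)) before climbing from the original name, which is my reading of what the erratum changes. The `ANY_POLICY` record is a hypothetical marker for the 'any' policy proposed above; it is not an RFC 6844 property tag.

```python
"""Model of CAA relevant-record-set lookup, RFC 6844 section 4, under the
"tree-climbing" and "non-tree-climbing" semantics debated in this thread.
All zone data below is constructed for illustration, not real DNS."""

# Hypothetical marker for the 'any' policy discussed in the thread.
# Not an RFC 6844 property tag; it only needs to make CAA(X) non-empty.
ANY_POLICY = '0 any ""'

# Constructed zone data: name -> {"CNAME": target} or {"CAA": [records]}.
ZONES = {
    # (1) the customer's own policy, published at the customer's apex.
    "example.com.": {"CAA": ['0 issue "customer-ca"']},
    # The user-facing hostname is a CNAME to the CDN. A CNAME cannot coexist
    # with other records, so the customer cannot publish CAA at this name.
    "www.example.com.": {"CNAME": "cust123.cdn.example-cdn.net."},
    # (3) the CDN's policy for its own hostnames, at the base domain that the
    # customer CNAME targets also sit under.
    "example-cdn.net.": {"CAA": ['0 issue "cdn-ca"']},
    # The CNAME target itself carries no CAA unless a scenario adds one.
}


def caa(name, zones):
    """CAA(X): the CAA record set at X itself (empty if absent or X is a CNAME)."""
    return list(zones.get(name, {}).get("CAA", []))


def alias(name, zones):
    """A(X): the CNAME target at X, or None."""
    return zones.get(name, {}).get("CNAME")


def parent(name):
    """P(X): the label immediately above X; None once X is a top-level domain."""
    labels = name.rstrip(".").split(".")
    if len(labels) <= 1:
        return None
    return ".".join(labels[1:]) + "."


def relevant(name, zones, tree_climb_from_target):
    """R(X) per RFC 6844 section 4.

    tree_climb_from_target=True : as published, R(A(X)) is consulted, so the
                                  lookup climbs the tree above the CNAME target.
    tree_climb_from_target=False: only CAA(A(X)) is consulted (my reading of
                                  erratum 4515), then climbing resumes from X.
    """
    own = caa(name, zones)
    if own:
        return own
    target = alias(name, zones)
    if target is not None:
        via = (relevant(target, zones, True) if tree_climb_from_target
               else caa(target, zones))
        if via:
            return via
    up = parent(name)
    if up is None:
        return []
    return relevant(up, zones, tree_climb_from_target)


def scenario(cdn_target_caa):
    """Relevant record set for www.example.com under both semantics, given
    what the CDN publishes at the CNAME target (None = nothing)."""
    zones = dict(ZONES)
    if cdn_target_caa is not None:
        zones["cust123.cdn.example-cdn.net."] = {"CAA": cdn_target_caa}
    return {
        "tree_climbing": relevant("www.example.com.", zones, True),
        "non_tree_climbing": relevant("www.example.com.", zones, False),
    }


if __name__ == "__main__":
    # CDN publishes only (3): tree-climbing applies the CDN's own policy to the
    # customer, who cannot opt out from their own zone; non-tree-climbing
    # falls back to the customer's apex record (1).
    print("target has no CAA   :", scenario(None))
    # CDN publishes the 'any' marker at the target: neither semantics reaches
    # the CDN's base-domain policy, and neither consults the customer's zone.
    print("target has 'any'    :", scenario([ANY_POLICY]))
    # CDN publishes a blanket policy (2) at the target: it wins in both worlds,
    # so per-customer settings would have to live on the CNAME target.
    print("target has blanket  :", scenario(['0 issue "cdn-ca"']))
```

The first scenario is the one the quoted text objects to: with tree climbing, the CDN's (3) record at `example-cdn.net` becomes the relevant set for `www.example.com`, and the customer's own `example.com` record is never reached. The second shows the point made in the reply above: a non-empty record at the CNAME target (the hypothetical 'any') shields customers from (3) without any trampoline. The third shows why per-customer policy has to live on the CNAME target under either semantics.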