Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

Jacob Hoffman-Andrews <jsha@eff.org> Sat, 16 December 2017 04:06 UTC

On 12/08/2017 10:16 AM, Russ Housley wrote:
> http://www.rfc-editor.org/errata/eid5200

The question here is whether CAA records with property tags should look
like:

example.com. IN CAA 0 issue "example.net; foo=bar bar=qux"

or:

example.com. IN CAA 0 issue "example.net; foo=bar; bar=qux"

(note the second semicolon)

I think the original text is ambiguous on the point, and since property
tags are not yet widely deployed this is a somewhat free choice. I think
the version where property tags are separated by semicolons makes more
sense and is less error prone. It also happens to be what Hugo Landau's
draft for CAA Record Extensions uses:
https://tools.ietf.org/html/draft-ietf-acme-caa-03#page-9

And what was briefly implemented in Let's Encrypt's Boulder (since
rolled back due to a bug):

https://github.com/letsencrypt/boulder/pull/3145/files#diff-3efab53f2bcc543ac2e771ec882c57c1L310

So my feeling is we should reject this erratum and clarify in the other
direction, requiring semicolons between property tags. Thoughts?
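To make the difference between the two candidate syntaxes concrete from a CA's side, here is an added example (not part of the original message, and not Boulder's or the draft's code) of a parser for a CAA issue value under the semicolon-separated grammar argued for above. The function name `ParseIssueValue`, the `IssueValue` type and the sample values are assumptions made for this illustration. Because RFC 6844's `value` production excludes whitespace, the space-separated form "foo=bar bar=qux" is rejected outright rather than being misread as a single parameter `foo` with value "bar bar=qux", which is the kind of silent misinterpretation that makes a policy record fail open or fail closed unexpectedly.

```go
package main

import (
	"fmt"
	"strings"
)

// IssueValue is the parsed form of a CAA "issue" or "issuewild" property
// value. An empty IssuerDomain means no issuer is authorized.
// (Hypothetical type for this example.)
type IssueValue struct {
	IssuerDomain string
	Params       map[string]string
}

// isTagChar follows RFC 6844: tag = 1*(ALPHA / DIGIT).
func isTagChar(c rune) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// isValueChar follows RFC 6844: value = *(%x21-3A / %x3C-7E), i.e. printable
// ASCII with no whitespace and no ";".
func isValueChar(c rune) bool {
	return c >= 0x21 && c <= 0x7e && c != ';'
}

// ParseIssueValue parses "<issuer-domain>; tag=value; tag=value", the
// semicolon-separated grammar the message favours. Each parameter must be its
// own ";"-delimited field; a single trailing ";" is tolerated, an empty field
// elsewhere is not. Duplicate tags are rejected as a conservative policy
// choice (the grammar itself is silent on them).
func ParseIssueValue(v string) (IssueValue, error) {
	fields := strings.Split(v, ";")
	out := IssueValue{
		IssuerDomain: strings.TrimSpace(fields[0]),
		Params:       map[string]string{},
	}
	if strings.ContainsAny(out.IssuerDomain, " \t") {
		return IssueValue{}, fmt.Errorf("issuer domain %q contains whitespace", out.IssuerDomain)
	}
	for i, f := range fields[1:] {
		f = strings.TrimSpace(f)
		if f == "" {
			if i == len(fields)-2 { // trailing ";" such as "example.net;"
				continue
			}
			return IssueValue{}, fmt.Errorf("empty parameter at position %d", i+1)
		}
		eq := strings.IndexByte(f, '=')
		if eq <= 0 {
			return IssueValue{}, fmt.Errorf("parameter %q is not of the form tag=value", f)
		}
		tag, val := f[:eq], f[eq+1:]
		for _, c := range tag {
			if !isTagChar(c) {
				return IssueValue{}, fmt.Errorf("invalid tag %q", tag)
			}
		}
		for _, c := range val {
			// This is where "foo=bar bar=qux" fails: the value holds a space.
			if !isValueChar(c) {
				return IssueValue{}, fmt.Errorf("invalid value %q for tag %q", val, tag)
			}
		}
		if _, dup := out.Params[tag]; dup {
			return IssueValue{}, fmt.Errorf("duplicate tag %q", tag)
		}
		out.Params[tag] = val
	}
	return out, nil
}

func main() {
	// Constructed sample values: the two forms from the message plus two
	// edge cases (no issuer domain; no parameters).
	for _, v := range []string{
		"example.net; foo=bar; bar=qux",
		"example.net; foo=bar bar=qux",
		"; foo=bar",
		"example.net",
	} {
		parsed, err := ParseIssueValue(v)
		fmt.Printf("%-32q -> %+v err=%v\n", v, parsed, err)
	}
}
```

Running `main` shows the first record parsing into an issuer domain with two parameters, the second being rejected with an "invalid value" error, the third yielding an empty issuer domain (no CA authorized) with one parameter, and the fourth a bare issuer domain with no parameters.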