Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

Jacob Hoffman-Andrews <> Sat, 16 December 2017 04:06 UTC

On 12/08/2017 10:16 AM, Russ Housley wrote:

The question here is whether CAA records with property tags should look
like: IN CAA 0 issue "; foo=bar bar=qux"

or: IN CAA 0 issue "; foo=bar; bar=qux"

(note the second semicolon)

I think the original text is ambiguous on the point, and since property
tags are not yet widely deployed this is a somewhat free choice. I think
the version where property tags are separated by semicolons makes more
sense and is less error-prone. It also happens to be what Hugo Landau's
draft for CAA Record Extensions uses:

And what was briefly implemented in Let's Encrypt's Boulder (since
rolled back due to a bug):

So my feeling is we should reject this erratum and clarify in the other
direction, requiring semicolons between property tags. Thoughts?
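As an added example, not part of this thread and not code from Boulder or from Hugo Landau's draft, here is a small parser and issuance check for CAA `issue` values that implements the semicolon-separated parameter form argued for above (the form that RFC 8659, which later obsoleted RFC 6844, standardized). The tag and value character sets and the handling of the issuer-critical flag follow RFC 6844/8659; the sample RRset, the `ca.example` domain and the `foo=bar; bar=qux` parameters are constructed placeholders. The whitespace-separated form from the thread (`foo=bar bar=qux`) is rejected as malformed rather than silently parsed as one parameter with a space in its value.

```python
"""Parser and issuance check for CAA "issue" property values with
semicolon-separated parameters. Added example; assumes the RFC 8659
grammar for tags/values and the RFC 6844 issuer-critical flag rule."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed grammar (RFC 8659): tag = alnum with optional interior hyphens;
# value = printable ASCII excluding ';' (0x3B) and space.
_TAG_RE = re.compile(r"^[A-Za-z0-9]+(?:-+[A-Za-z0-9]+)*$")
_VALUE_RE = re.compile(r"^[\x21-\x3a\x3c-\x7e]*$")

ISSUER_CRITICAL = 128  # flag bit defined in RFC 6844 section 5.1
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass
class IssueValue:
    issuer_domain: Optional[str]                  # None means "no CA may issue"
    parameters: Dict[str, str] = field(default_factory=dict)


def parse_issue_value(text: str) -> IssueValue:
    """Parse '<issuer-domain>[; tag=value[; tag=value ...]]'.

    Parameters are separated only by ';'. A space inside a value (the
    whitespace-separated form) fails the value character check and is
    reported as an error instead of being accepted.
    """
    domain_part, sep, param_part = text.partition(";")
    domain = domain_part.strip().lower() or None
    params: Dict[str, str] = {}
    if sep:
        for chunk in param_part.split(";"):
            chunk = chunk.strip()
            if not chunk:
                continue                          # tolerate a trailing ';'
            tag, eq, value = chunk.partition("=")
            if not eq:
                raise ValueError(f"parameter without '=': {chunk!r}")
            tag, value = tag.strip().lower(), value.strip()
            if not _TAG_RE.match(tag):
                raise ValueError(f"bad parameter tag: {tag!r}")
            if not _VALUE_RE.match(value):
                raise ValueError(
                    f"bad parameter value (missing ';' between parameters?): {value!r}")
            if tag in params:
                raise ValueError(f"duplicate parameter: {tag!r}")
            params[tag] = value
    return IssueValue(domain, params)


def ca_may_issue(rrset: List[Tuple[int, str, str]],
                 ca_domain: str) -> Tuple[bool, Dict[str, str]]:
    """Decide whether `ca_domain` may issue for the name whose CAA RRset is
    given as (flags, tag, value) tuples. Returns (allowed, parameters)."""
    ca_domain = ca_domain.lower()
    issue_records = []
    for flags, tag, value in rrset:
        tag = tag.lower()
        if tag == "issue":
            issue_records.append(parse_issue_value(value))
        elif flags & ISSUER_CRITICAL and tag not in KNOWN_TAGS:
            return False, {}      # unrecognized critical property: must not issue
    if not issue_records:
        return True, {}           # no "issue" property at all: any CA may issue
    for rec in issue_records:
        if rec.issuer_domain == ca_domain:
            return True, rec.parameters
    return False, {}


# Constructed sample RRset (placeholder names, not from the thread).
SAMPLE_RRSET = [
    (0, "issue", "ca.example; foo=bar; bar=qux"),
    (0, "iodef", "mailto:caa-reports@zone.example"),
]

if __name__ == "__main__":
    print(ca_may_issue(SAMPLE_RRSET, "ca.example"))
    print(ca_may_issue(SAMPLE_RRSET, "other-ca.example"))
    try:
        parse_issue_value("ca.example; foo=bar bar=qux")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the module prints the allow decision with the parsed parameters for `ca.example`, a deny for any other CA, and the rejection of the space-separated value. Treating the space-separated form as an error, rather than guessing, is the safe default for a CA: an ambiguous parameter list should block issuance until the zone owner fixes the record.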