[lamps] CAA Simplification draft

Jacob Hoffman-Andrews <jsha@eff.org> Wed, 13 September 2017 00:24 UTC

To: SPASM <spasm@ietf.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <02d4e149-b777-5b5c-1cd0-a2c2aae49311@eff.org>
Date: Tue, 12 Sep 2017 17:23:51 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QkL2PKWUadWpXBZULetCbk-9ViU>
Subject: [lamps] CAA Simplification draft

Hi all,

This is a revision to RFC6844 as discussed previously on the list and at
IETF 99. In particular, RFC6844 specifies that CAs should implement
"tree climbing" not only on the original FQDN, but also on any
intermediate CNAMEs discovered during primary lookup. As discussed
on-list, this disallows certain deployment scenarios, and can produce
surprising results in common CNAME-based hosting scenarios.

Additionally, because RFC6844 re-specified parts of CNAME lookup, some
details were ambiguous. This draft updates RFC6844 to eliminate tree
climbing on CNAME targets, and to reference RFC 1034 for the standard
DNS lookup algorithm, including CNAME resolution.

Because all of this draft is the same as RFC6884 except for the
"Certification Authority Processing" section, I've retained the original
two authors and added my own name. Please let me know if IETF etiquette
indicates a different approach.

I'd like to propose this draft for adoption by the WG.

https://www.ietf.org/id/draft-hoffman-andrews-caa-simplification-00.txt

Thanks,
Jacob
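The difference between the two lookup rules described in the message, shown as an added example that is not part of the post or of the draft itself. The zone contents below are constructed for illustration (a hosted name that is a CNAME into a provider whose apex carries its own CAA record); DNAME aliases and the TLD boundary details of RFC 6844 are simplified.

```python
# Constructed in-memory zone: name -> {"CNAME": target} or {"CAA": [rdata, ...]}.
# www.example.com is hosted at a provider; only the customer apex and the
# provider apex publish CAA records.
ZONE = {
    "www.example.com": {"CNAME": "host.provider.net"},
    "example.com":     {"CAA": ['0 issue "customer-ca"']},
    "provider.net":    {"CAA": ['0 issue "provider-ca"']},
}


def parent(name):
    """Return the parent domain, or None once we run out of labels."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def lookup_caa(name):
    """Standard RFC 1034 resolution: follow CNAMEs at the queried name,
    then return the CAA RRset at the final target (possibly empty)."""
    seen = set()
    while "CNAME" in ZONE.get(name, {}):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = ZONE[name]["CNAME"]
    return ZONE.get(name, {}).get("CAA", [])


def relevant_rfc6844(name):
    """RFC 6844 section 4 rule: CAA(X); else R(A(X)) for an alias target
    (which climbs the tree on the target); else R(P(X))."""
    if name is None:
        return []
    record = ZONE.get(name, {})
    if "CAA" in record:
        return record["CAA"]
    if "CNAME" in record:
        via_alias = relevant_rfc6844(record["CNAME"])  # tree climbing on the alias
        if via_alias:
            return via_alias
    return relevant_rfc6844(parent(name))


def relevant_simplified(name):
    """Draft rule: climb only the ancestors of the original FQDN; each
    step is one ordinary lookup, so CNAMEs are followed but never climbed."""
    while name is not None:
        rrset = lookup_caa(name)
        if rrset:
            return rrset
        name = parent(name)
    return []
```

Under the RFC 6844 rule the hosting provider's apex record ends up governing issuance for www.example.com, while the simplified rule returns the customer's own record at example.com.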