Re: [lamps] CAA tags
Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 19 December 2017 14:25 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7891270A7 for <spasm@ietfa.amsl.com>; Tue, 19 Dec 2017 06:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.246
X-Spam-Level:
X-Spam-Status: No, score=0.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L3=0.918, TRACKER_ID=1.306, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjCgNLqoHiHH for <spasm@ietfa.amsl.com>; Tue, 19 Dec 2017 06:25:57 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13D27126CD8 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:57 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 74576C009F58 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=KAKHOZgoDndl9r8zM3QFmaWbC9M=; b= kH2Rhvze5/U7Xc+qxRpV1y7JkTXZMxWh5wBQJ1xKT+qRFTrNA7an+eauo43gv4w+ /LbqRcSEy6qniaMH6T6kUMJxiRpyjgtzvSajcew2JG3pY7UW4uoFoi2GZt0Tj5dt eZad5/5f37ppjO25yEfsZg8Ik/b5Zm5KYpq/yLDwuYA=
Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id 4B225C009F53 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
Received: by mail-io0-f172.google.com with SMTP id x129so13775584iod.13 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
X-Gm-Message-State: AKGB3mK80kUMO4E8FFA0JnVnIl7ma0nwLzJe0jUrlCcZ7/d8ZoGdgwUz HAzmjB9bdulf8PgCCxXralar+WDth21G6E8mX+o=
X-Google-Smtp-Source: ACJfBovdw0Ha1NXQIxCTMuAtsj2CeNvoLz6M7gNV5hbA3JE2ApG0d0O13EK6ZRm7ytAIUT8d0sNvXZ5IhuvSMFlIEb4=
X-Received: by 10.107.46.169 with SMTP id u41mr4115727iou.303.1513693555308; Tue, 19 Dec 2017 06:25:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.78.70 with HTTP; Tue, 19 Dec 2017 06:25:54 -0800 (PST)
In-Reply-To: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 19 Dec 2017 09:25:54 -0500
X-Gmail-Original-Message-ID: <CAErg=HEL93NpPjEZnAFQD3Epk5dHW41qmXJGOPA_7wvKvmsGJA@mail.gmail.com>
Message-ID: <CAErg=HEL93NpPjEZnAFQD3Epk5dHW41qmXJGOPA_7wvKvmsGJA@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c146eea9c1120560b23e05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/S4AZd2LXAjza6rpwuSgx7ywEY3w>
Subject: Re: [lamps] CAA tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 14:25:59 -0000
Tim, >From a design consideration, if/as you look to write this up, it would be useful to understand why you pursued the route of issuer-specific parameters, rather than as new properties. That is, why is the set of policy not CAA issue 0 "example.com" CAA issue 0 "example.net" CAA validation 128 "type=EV method=1,2,3,4" Which limits issuance to example.com and example.net, iff the validation method of domain control employs methods 1, 2, 3, or 4, and the resultant process uses the EV process? [*] This obviously precludes the notion of 'account' - but I think that's illustrative of the point; something like 'account' is inherently CA-specific, while the validation methods or types are CA agnostic. The benefit of this, for a Subscriber, is they might omit the publication of an issue tag, thus not constraining per-CA, but still scoping the validation methods. Understandably, this design could also be accounted for with the CABForum declaring some pseudo-domain to express such CA-agnostic properties, such as: CAA issue 0 "example.com; type=DV,EV method=1,2,3,4" # If example.com is issuing, support for both DV and EV, using methods 1-4 CAA issue 0 "validation.cabforum.org; type=EV method=1,2,3" # Otherwise, support for EV only using methods 1-3 There are both strengths and weaknesses of both proposals, so it'd be great to see a discussion about the problem statement and desired workflows. [*] I provide these for simplicity of typing - but I think any restriction of both 'type' and 'method' needs to be versioned, as the CABF documents do change On Mon, Dec 18, 2017 at 12:41 PM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote: > Here is my tags proposal, in case others want to comment on it on this > list. > > > > Note that it has been privately pointed out to me that one possible > solution to the criticality problem and the scaling problem is to use > top-level tags that are independent of the issue records: > > > > Something like: > > > > CAA 0 issue “a.example.com” > > CAA 0 issue “b.example.com” > > CAA 128 validation “Phone” > > > > -Tim > > > > ------------------------------------------------------------ > ------------------------------------------------------------ > ------------------------------- > Introduction and Motivation > > > > In addition to being able to specify which CA or CAs are allowed to issue > certificates for a given domain, RFC 6844 allows additional parameters, > such as the account number, that the CA can consume for a variety of uses. > RFC 6844 defines the format, but otherwise leaves the kinds of properties > and their meanings up to the issuer. > > While this is appropriate for a technical standard, standardizing the > names and meanings of CAA properties across the CA industry has the > following benefits: > > 1. Reduce user confusion when the same or similar property is used by > different CAs with different names and semantics > 2. Make it simpler to migrate from one CA to another while preserving > the CAA configuration > 3. Simplifying configuration and expression of CAA policies that allow > issuance from multiple CAs > 4. Allow CAA record creation tools to support creating CAA records > that contain properties that have been standardized > > History > > > > CAA property tags have been discussed at several CA/B Forum meetings, most > recently at the October meeting in Taipei. Four were suggested: Acceptable > validation methods, an account identifier, certificate types (DV/OV/EV), > and ability to specify a brand. > > > Method of Adoption > > > > Since these CAA properties are just a voluntary industry standard that any > CA could implement, they don’t necessarily have to exist in a standards > document. However, it seems like it would be helpful if the names and > semantics were agreed upon by the industry as a whole, so it is probably > best to include them in the Baseline Requirements as an optional feature > CAs MAY implement. > > On the other hand, it might be desirable to reserve the names, and require > that if these particular property names are used, the semantics MUST be the > semantics specified in the Baseline Requirements. > > > Brands > > > > I’m starting with this one because I’m going to argue it isn’t necessary. > CAs can and do have multiple names that they accept in CAA records. It is > hard to imagine a brand existing without the associated domain and website > also existing. I’d suggest that CAs that maintain multiple brands simply > use a different domain name for each brand, e.g. > > certs.example.com CAA 0 issue “megaca.com” > > catlover.example.com CAA 0 issue “certsforcats.com” # > certsforcats is a brand owned by MegaCA. > > CAAs can also publicize examples of CAA records that allow for issuance by > all of their brands. > Acceptable Validation Methods > > > > A list of acceptable validation methods can be specified using the > “validation” tag. > > There are two challenges here, that have been discussed elsewhere in > relation to keeping records of which validation method was used for a > particular certificate. The first is that validation methods can change > over time. This seems to be less of a concern for issuance than it is for > historical validations, as a CAA record can and should be interpreted as > always requiring the version of the method that is enforced by the BRs at > issuance time. However, this can cause the exact meaning of a CAA record > to change over time as the BRs evolve. I don’t think this is a big > problem, but wanted to note it. > > The second issue is that it is possible that the numbering of the BR > validation methods could potentially change over time. For that reason, I > think it might be reasonable to standardize on a label for each validation > method, that can be used in addition to the section number: > > *BR Section (BR v. 1.5.4)* > > *Short Section* > > *Validation method label* > > 3.2.2.4.1 > > 1 > > DomainContact > > 3.2.2.4.2 > > 2 > > EmailOrSimilar > > 3.2.2.4.3 > > 3 > > Phone > > 3.2.2.4.4 > > 4 > > ConstructedEmail > > 3.2.2.4.5 > > 5 > > DomainAuthorizationDocument > > 3.2.2.4.6 > > 6 > > WebsiteChange > > 3.2.2.4.7 > > 7 > > DNSChange > > 3.2.2.4.8 > > 8 > > IPAddressLookup > > 3.2.2.4.9 > > 9 > > TestCertificate > > 3.2.2.4.10 > > 10 > > RandomValueInCertificate > > > > Examples: > > CAA 0 issue “ca.example.net; validation=3” # Call me > about all certificates > > CAA 0 issue “ca.example.net; validation=Phone” # Same as > previous example > > CAA 0 issue “ca.example.net; validation=1,2,3,4,7,8,9,10” # I don’t > like DADs and website changes > > CAA 0 issue “ca.example.net; validation=!5,6” # Same as > previous example. Worth the trouble? > Account Identifier > > > > This one is relatively straightforward, as the identifier is going to be > CA-specific anyway. Use the “account” keyword: > > CAA 0 issue “ca.example.net; account=8675309” > > The format and values of the account specifier is up to the individual CA. > Acceptable Certificate Types > > > > This one also seems to be relatively straightforward. I’ve chosen to make > the categories disjoint, so if you’re ok with more than one type, you have > to specify more than one. Use the “type” keyword. > > CAA 0 issue “ca.example.net; type=EV” # EV only > > CAA 0 issue “ca.example.net; type=DV” # DV only > > CAA 0 issue “ca.example.net; type=OV,EV” # No DV > Lack of Property Tag Value Criticality > > > > Supporting the various properties is optional. Unlike the CAA “issue” > property, these properties do not have to be ubiquitously supported to have > value, because Domain holders can restrict their issue records to only > include CAs that have publicly stated that they support the desired > property tags. > > For example, if CAs A, B, and C support the “type=EV” tag, then the > following will prevent non-EV issuance: > > CAA issue 0 “A.com; type=EV” > > CAA issue 0 “B.com; type=EV” > > CAA issue 0 “C.com; type=EV” > > Unfortunately, this does scale poorly with a large number of CAs. > > The problem is that RFC 6844 supports “Critical” for property tags (like > “issue”), but there is no way to mark a parameter tag is “Critical”. I > intend to bring this up with the IETF WG. > > Any easy solution is to use reserved bit #1 for property tag criticality: > CAA issue 64 “A.com; type=EV” # type=EV tag must be respected; > # > cannot issue if you don’t understand or enforce it. > > > Multiple Tags > > > > Just for completeness, these individual features can also be used together: > > CAA issue 0 “ca.example.com; type=EV validation=Phone account=8675309” > > > > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm > >
- [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Jacob Hoffman-Andrews
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Rob Stradling
- Re: [lamps] CAA tags Phillip Hallam-Baker
- Re: [lamps] CAA tags Stephen Farrell
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Stephen Farrell
- Re: [lamps] CAA tags Tim Hollebeek
- Re: [lamps] CAA tags Ryan Sleevi
- Re: [lamps] CAA tags Tim Hollebeek