IETF Logo Mail Archive

Re: [lamps] CAA tags

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 19 December 2017 14:25 UTC

Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7891270A7 for <spasm@ietfa.amsl.com>; Tue, 19 Dec 2017 06:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.246
X-Spam-Level:
X-Spam-Status: No, score=0.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L3=0.918, TRACKER_ID=1.306, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjCgNLqoHiHH for <spasm@ietfa.amsl.com>; Tue, 19 Dec 2017 06:25:57 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13D27126CD8 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:57 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 74576C009F58 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=KAKHOZgoDndl9r8zM3QFmaWbC9M=; b= kH2Rhvze5/U7Xc+qxRpV1y7JkTXZMxWh5wBQJ1xKT+qRFTrNA7an+eauo43gv4w+ /LbqRcSEy6qniaMH6T6kUMJxiRpyjgtzvSajcew2JG3pY7UW4uoFoi2GZt0Tj5dt eZad5/5f37ppjO25yEfsZg8Ik/b5Zm5KYpq/yLDwuYA=
Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id 4B225C009F53 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
Received: by mail-io0-f172.google.com with SMTP id x129so13775584iod.13 for <spasm@ietf.org>; Tue, 19 Dec 2017 06:25:56 -0800 (PST)
X-Gm-Message-State: AKGB3mK80kUMO4E8FFA0JnVnIl7ma0nwLzJe0jUrlCcZ7/d8ZoGdgwUz HAzmjB9bdulf8PgCCxXralar+WDth21G6E8mX+o=
X-Google-Smtp-Source: ACJfBovdw0Ha1NXQIxCTMuAtsj2CeNvoLz6M7gNV5hbA3JE2ApG0d0O13EK6ZRm7ytAIUT8d0sNvXZ5IhuvSMFlIEb4=
X-Received: by 10.107.46.169 with SMTP id u41mr4115727iou.303.1513693555308; Tue, 19 Dec 2017 06:25:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.78.70 with HTTP; Tue, 19 Dec 2017 06:25:54 -0800 (PST)
In-Reply-To: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 19 Dec 2017 09:25:54 -0500
X-Gmail-Original-Message-ID: <CAErg=HEL93NpPjEZnAFQD3Epk5dHW41qmXJGOPA_7wvKvmsGJA@mail.gmail.com>
Message-ID: <CAErg=HEL93NpPjEZnAFQD3Epk5dHW41qmXJGOPA_7wvKvmsGJA@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c146eea9c1120560b23e05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/S4AZd2LXAjza6rpwuSgx7ywEY3w>
Subject: Re: [lamps] CAA tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 14:25:59 -0000

Tim,

>From a design consideration, if/as you look to write this up, it would be
useful to understand why you pursued the route of issuer-specific
parameters, rather than as new properties.

That is, why is the set of policy not

CAA issue 0 "example.com"
CAA issue 0 "example.net"
CAA validation 128 "type=EV method=1,2,3,4"

Which limits issuance to example.com and example.net, iff the validation
method of domain control employs methods 1, 2, 3, or 4, and the resultant
process uses the EV process? [*]

This obviously precludes the notion of 'account' - but I think that's
illustrative of the point; something like 'account' is inherently
CA-specific, while the validation methods or types are CA agnostic.

The benefit of this, for a Subscriber, is they might omit the publication
of an issue tag, thus not constraining per-CA, but still scoping the
validation methods.

Understandably, this design could also be accounted for with the CABForum
declaring some pseudo-domain to express such CA-agnostic properties, such
as:

CAA issue 0 "example.com; type=DV,EV method=1,2,3,4"        # If example.com
is issuing, support for both DV and EV, using methods 1-4
CAA issue 0 "validation.cabforum.org; type=EV method=1,2,3" # Otherwise,
support for EV only using methods 1-3

There are both strengths and weaknesses of both proposals, so it'd be great
to see a discussion about the problem statement and desired workflows.

[*] I provide these for simplicity of typing - but I think any restriction
of both 'type' and 'method' needs to be versioned, as the CABF documents do
change

On Mon, Dec 18, 2017 at 12:41 PM, Tim Hollebeek <tim.hollebeek@digicert.com>
wrote:

> Here is my tags proposal, in case others want to comment on it on this
> list.
>
>
>
> Note that it has been privately pointed out to me that one possible
> solution to the criticality problem and the scaling problem is to use
> top-level tags that are independent of the issue records:
>
>
>
> Something like:
>
>
>
> CAA 0 issue “a.example.com”
>
> CAA 0 issue “b.example.com”
>
> CAA 128 validation “Phone”
>
>
>
> -Tim
>
>
>
> ------------------------------------------------------------
> ------------------------------------------------------------
> -------------------------------
> Introduction and Motivation
>
>
>
> In addition to being able to specify which CA or CAs are allowed to issue
> certificates for a given domain, RFC 6844 allows additional parameters,
> such as the account number, that the CA can consume for a variety of uses.
> RFC 6844 defines the format, but otherwise leaves the kinds of properties
> and their meanings up to the issuer.
>
> While this is appropriate for a technical standard, standardizing the
> names and meanings of CAA properties across the CA industry has the
> following benefits:
>
>    1. Reduce user confusion when the same or similar property is used by
>    different CAs with different names and semantics
>    2. Make it simpler to migrate from one CA to another while preserving
>    the CAA configuration
>    3. Simplifying configuration and expression of CAA policies that allow
>    issuance from multiple CAs
>    4. Allow CAA record creation tools to support creating CAA records
>    that contain properties that have been standardized
>
> History
>
>
>
> CAA property tags have been discussed at several CA/B Forum meetings, most
> recently at the October meeting in Taipei.  Four were suggested: Acceptable
> validation methods, an account identifier, certificate types (DV/OV/EV),
> and ability to specify a brand.
>
>
> Method of Adoption
>
>
>
> Since these CAA properties are just a voluntary industry standard that any
> CA could implement, they don’t necessarily have to exist in a standards
> document.  However, it seems like it would be helpful if the names and
> semantics were agreed upon by the industry as a whole, so it is probably
> best to include them in the Baseline Requirements as an optional feature
> CAs MAY implement.
>
> On the other hand, it might be desirable to reserve the names, and require
> that if these particular property names are used, the semantics MUST be the
> semantics specified in the Baseline Requirements.
>
>
> Brands
>
>
>
> I’m starting with this one because I’m going to argue it isn’t necessary.
> CAs can and do have multiple names that they accept in CAA records.  It is
> hard to imagine a brand existing without the associated domain and website
> also existing.  I’d suggest that CAs that maintain multiple brands simply
> use a different domain name for each brand, e.g.
>
> certs.example.com               CAA 0 issue “megaca.com”
>
> catlover.example.com         CAA 0 issue “certsforcats.com”    #
> certsforcats is a brand owned by MegaCA.
>
> CAAs can also publicize examples of CAA records that allow for issuance by
> all of their brands.
> Acceptable Validation Methods
>
>
>
> A list of acceptable validation methods can be specified using the
> “validation” tag.
>
> There are two challenges here, that have been discussed elsewhere in
> relation to keeping records of which validation method was used for a
> particular certificate.  The first is that validation methods can change
> over time.  This seems to be less of a concern for issuance than it is for
> historical validations, as a CAA record can and should be interpreted as
> always requiring the version of the method that is enforced by the BRs at
> issuance time.  However, this can cause the exact meaning of a CAA record
> to change over time as the BRs evolve.  I don’t think this is a big
> problem, but wanted to note it.
>
> The second issue is that it is possible that the numbering of the BR
> validation methods could potentially change over time.  For that reason, I
> think it might be reasonable to standardize on a label for each validation
> method, that can be used in addition to the section number:
>
> *BR Section (BR v. 1.5.4)*
>
> *Short Section*
>
> *Validation method label*
>
> 3.2.2.4.1
>
> 1
>
> DomainContact
>
> 3.2.2.4.2
>
> 2
>
> EmailOrSimilar
>
> 3.2.2.4.3
>
> 3
>
> Phone
>
> 3.2.2.4.4
>
> 4
>
> ConstructedEmail
>
> 3.2.2.4.5
>
> 5
>
> DomainAuthorizationDocument
>
> 3.2.2.4.6
>
> 6
>
> WebsiteChange
>
> 3.2.2.4.7
>
> 7
>
> DNSChange
>
> 3.2.2.4.8
>
> 8
>
> IPAddressLookup
>
> 3.2.2.4.9
>
> 9
>
> TestCertificate
>
> 3.2.2.4.10
>
> 10
>
> RandomValueInCertificate
>
>
>
> Examples:
>
> CAA 0 issue “ca.example.net; validation=3”                      # Call me
> about all certificates
>
> CAA 0 issue “ca.example.net; validation=Phone”             # Same as
> previous example
>
> CAA 0 issue “ca.example.net; validation=1,2,3,4,7,8,9,10”   # I don’t
> like DADs and website changes
>
> CAA 0 issue “ca.example.net; validation=!5,6”                 # Same as
> previous example.  Worth the trouble?
> Account Identifier
>
>
>
> This one is relatively straightforward, as the identifier is going to be
> CA-specific anyway.  Use the “account” keyword:
>
> CAA 0 issue “ca.example.net; account=8675309”
>
> The format and values of the account specifier is up to the individual CA.
> Acceptable Certificate Types
>
>
>
> This one also seems to be relatively straightforward.  I’ve chosen to make
> the categories disjoint, so if you’re ok with more than one type, you have
> to specify more than one.  Use the “type” keyword.
>
> CAA 0 issue “ca.example.net; type=EV”                         # EV only
>
> CAA 0 issue “ca.example.net; type=DV”                         # DV only
>
> CAA 0 issue “ca.example.net; type=OV,EV”                   # No DV
> Lack of Property Tag Value Criticality
>
>
>
> Supporting the various properties is optional.  Unlike the CAA “issue”
> property, these properties do not have to be ubiquitously supported to have
> value, because Domain holders can restrict their issue records to only
> include CAs that have publicly stated that they support the desired
> property tags.
>
> For example, if CAs A, B, and C support the “type=EV” tag, then the
> following will prevent non-EV issuance:
>
> CAA issue 0 “A.com; type=EV”
>
> CAA issue 0 “B.com; type=EV”
>
> CAA issue 0 “C.com; type=EV”
>
> Unfortunately, this does scale poorly with a large number of CAs.
>
> The problem is that RFC 6844 supports “Critical” for property tags (like
> “issue”), but there is no way to mark a parameter tag is “Critical”.  I
> intend to bring this up with the IETF WG.
>
> Any easy solution is to use reserved bit #1 for property tag criticality:
> CAA issue 64 “A.com; type=EV”            # type=EV tag must be respected;
>                                                                     #
> cannot issue if you don’t understand or enforce it.
>
>
> Multiple Tags
>
>
>
> Just for completeness, these individual features can also be used together:
>
> CAA issue 0 “ca.example.com; type=EV validation=Phone account=8675309”
>
>
>
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>
>

v2.23.0 | Report a Bug | By Email