Re: [lamps] CAA tags

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 18 December 2017 20:10 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA tags
Thread-Index: AdN4J3TZ60fppeKgRNaOHREkYP39nwADzsgAAAD5epA=
Date: Mon, 18 Dec 2017 20:10:53 +0000
Message-ID: <DM5PR14MB12895320D99FC570E797373F830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com> <0ab8efa3-378c-ece7-4fa3-913308f81c22@eff.org>
In-Reply-To: <0ab8efa3-378c-ece7-4fa3-913308f81c22@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VKoEi7jhvlseF5J2FB2ieKYtEr4>
Subject: Re: [lamps] CAA tags


> > readable text labels, like Validation=Phone?
> 
> My issue with validation=phone is that it is not precise enough; there's one
> version of validation by phone defined in the BRs today, but what if that
> changes significantly? One could solve this by defining a versioned validation
> method, e.g. validation=phone-01, with an IANA registry to register new ones
> as requirements change.

The lack of precision bothered me a bit too when I was proposing it,
especially since some people have discussed breaking up some of the
larger catch-all ones.  I like the version number, but I think we have to be
a bit careful.  Is the version just a minimum version?  If I have CAA set to
validation=phone-01, do I have to update my CAA record every time the
BR validation methods are changed?  How big of a change requires revving
the version number of the validation method?

Should the BR version number be used instead?  E.g. validation=phone-1.5.4?
This might make more sense as the BR version number does get bumped on
every validation rev (and non-validation rev ...).

> However, there does seem to be some interest in embedding information
> about validation methods in certificates. It would be nice if there was a
> correspondence between the namespace used in CAA and the one used in
> certificates.

That would be nice.  Maybe an IANA registry for validation methods might
make sense, but I'm unfamiliar with how easy/difficult that is to set up/
modify.

> It's easy to define a URI mapping for an existing account identifier.
> For instance, if customers have a numeric id 123456, the CA can specify that
> the corresponding account-uri is https://ca.example.net/accounts/123456.
> There's no requirement that account-uris are fetchable.

I get that, but a URI is longer and more complicated.  Quirin's research
shows that a significant fraction of CAA users CANNOT SPELL THEIR CA'S
NAME.  I shudder to think how they will manage to mangle a URI ...

-Tim
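The thread above is about what goes into the parameter part of a CAA issue value (a versioned validation tag, an account-uri) and about how often domain owners get even the issuer name wrong. The following is an added example, written for this archive page and not code from the thread participants or from any CA: a small parser for the issue/issuewild value grammar of RFC 6844 (as revised in RFC 8659), plus an audit that flags an issuer-domain-name that matches no known CA and suggests the closest spelling. The allow list of issuer names is constructed for the example; the `validation` and `account-uri` tags are the forms used in the discussion above, not standardized names (the later RFC 8657 registers `validationmethods` and `accounturi` instead).

```python
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass, field

# Grammar for the value of a CAA "issue" / "issuewild" property
# (RFC 6844 section 5.2, as revised in RFC 8659 section 4.2):
#   issuevalue = *WSP [issuer-domain-name *WSP] [";" *WSP [parameters *WSP]]
#   parameter  = tag *WSP "=" *WSP value      (value may not contain ';')
LABEL_RE = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
DOMAIN_RE = re.compile(rf"^{LABEL_RE}(?:\.{LABEL_RE})*$")
TAG_RE = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
PARAM_RE = re.compile(rf"^({TAG_RE})[ \t]*=[ \t]*([\x21-\x3a\x3c-\x7e]*)$")

# Constructed allow list for this example only: the issuer-domain-names a CA
# publishes for CAA matching come from that CA's CP/CPS, not from this set.
KNOWN_CA_ISSUERS = {"digicert.com", "letsencrypt.org", "ca.example.net"}


@dataclass
class IssueValue:
    issuer: str                      # "" means "no CA may issue" (the bare ";" form)
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> IssueValue:
    """Split a CAA issue/issuewild value into issuer-domain-name and tag=value parameters."""
    head, sep, tail = value.partition(";")
    issuer = head.strip()
    if issuer and not DOMAIN_RE.match(issuer):
        raise ValueError(f"invalid issuer-domain-name: {issuer!r}")
    params: dict = {}
    if sep:
        for raw in tail.split(";"):
            raw = raw.strip()
            if not raw:
                continue  # tolerate a trailing ';' or a doubled separator
            m = PARAM_RE.match(raw)
            if not m:
                raise ValueError(f"invalid parameter: {raw!r}")
            tag, val = m.group(1).lower(), m.group(2)
            if tag in params:
                raise ValueError(f"duplicate parameter tag: {tag!r}")
            params[tag] = val
    return IssueValue(issuer, params)


def audit_issue_value(value: str, known_issuers=KNOWN_CA_ISSUERS) -> list[str]:
    """Return findings for one issue value; an empty list means nothing looked wrong."""
    findings: list[str] = []
    try:
        iv = parse_issue_value(value)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    if iv.issuer == "":
        return ["policy: no CA is authorised to issue for this name"]
    issuer = iv.issuer.lower()
    if issuer not in known_issuers:
        # The misspelled-CA case from the thread: a typo matches no CA, so every
        # CA that honours CAA will refuse to issue. Suggest the nearest known name.
        hint = difflib.get_close_matches(issuer, sorted(known_issuers), n=1, cutoff=0.75)
        msg = f"issuer: {iv.issuer!r} matches no known CA issuer-domain-name"
        if hint:
            msg += f" (did you mean {hint[0]!r}?)"
        findings.append(msg)
    for tag, val in iv.params.items():
        if tag == "validation":
            # Accept both forms floated in the thread: phone-01 and phone-1.5.4
            if not re.fullmatch(r"[a-z]+-\d+(?:\.\d+)*", val):
                findings.append(f"param: validation={val!r} is not <method>-<version>")
        elif tag == "account-uri":
            if not re.fullmatch(r"https?://[\x21-\x3a\x3c-\x7e]+", val):
                findings.append(f"param: account-uri={val!r} is not an http(s) URI")
        else:
            findings.append(f"param: unrecognised tag {tag!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample records illustrating the cases discussed in the thread.
    for rdata in ("digicert.com; validation=phone-01",
                  "digicrt.com",
                  "ca.example.net; account-uri=https://ca.example.net/accounts/123456",
                  ";"):
        print(f"{rdata!r}: {audit_issue_value(rdata) or 'ok'}")
```

The audit reports, it does not decide: whether a parameter a CA does not understand should block issuance is exactly the policy question the thread is circling, so the code only surfaces unrecognised tags and leaves the decision to the operator.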