Re: [lamps] Benjamin Kaduk's No Objection on draft-ietf-lamps-rfc6844bis-06: (with COMMENT)
Jacob Hoffman-Andrews <jsha@eff.org> Fri, 31 May 2019 00:04 UTC
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F125120113; Thu, 30 May 2019 17:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.425
X-Spam-Level:
X-Spam-Status: No, score=-7.425 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.415, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4P1MUuRcMud; Thu, 30 May 2019 17:04:26 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5F8E120048; Thu, 30 May 2019 17:04:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ihtDTCuFyQIMAxcR9rxpUMIGlYAFcvEm1uKONrEqqIw=; b=0BT6HLItHdvUgCzu2bzFjb46RE qIvBfybDJ7YiSn4ViJ8Tr/mMnr5zlWB4Xq9seiMla7Gxr/hnKD/xw0gcAVd2Ep6pBNI/q/5oRQtSb mzKfRifbQkG9MOmFk6kYn6xWCd8Y1B6DnjhYV4Nb4eZ5zme2B4iS47m3keboKgiahV7g=;
Received: ; Thu, 30 May 2019 17:04:22 -0700
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: spasm@ietf.org, housley@vigilsec.com, draft-ietf-lamps-rfc6844bis@ietf.org, lamps-chairs@ietf.org
References: <155899913320.574.15070810245199939271.idtracker@ietfa.amsl.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <66414968-6973-6e07-d3c4-1e03e7692c06@eff.org>
Date: Thu, 30 May 2019 17:04:22 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <155899913320.574.15070810245199939271.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VZ_kMfUxiWK6Md01zZ4A-uukXl8>
Subject: Re: [lamps] Benjamin Kaduk's No Objection on draft-ietf-lamps-rfc6844bis-06: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 00:04:28 -0000
> I'm not entirely sure why we're going "backwards" from referencing STD13 > to referencing RFCs 1034 and 1035 individually (in the definition of > "Domain Name System"). I'm not actually sure which is preferred here. For instance RFC 5280 cites RFC 1034: https://tools.ietf.org/html/rfc5280#section-11.1 > Section 3 > > RelevantCAASet(domain): > for domain is not ".": > if CAA(domain) is not Empty: > return CAA(domain) > domain = Parent(domain) > return Empty > > It would be nice to get an explicit note about whether this is intended > to be pseudocode, Python code, etc.. Specifically, the "for domain is > not '.'" syntax seems like it might be a more natural fit for a "while" > construct. Updated to mention it's pseudocode. > > Section 4.3 > > issuewild properties MUST be ignored when processing a request for a > Domain Name (that is, not a Wildcard Domain Name). > > I don't wish to revisit well-trodden ground (as I suspect this is), but > note that the provided defitinions in Section 2.2 don't seem to exclude > Wildcard Domain Names from being Domain Names, so that "that is" in the > quoted text is not accurate. (In particular, note that the Wildcard > Domain Name definition says that it is "a Domain Name consisting of > [...]".) You're right that this is well-trodden ground, but looking at this a second time, I realized I had this wrong. A Wildcard Domain Name *is* a Fully-Qualified Domain Name, since an asterisk is a valid DNS label (it's just not in Preferred Name Syntax per RFC 1034). > Section 4.5 > > The critical flag is intended to permit future versions of CAA to > introduce new semantics that MUST be understood for correct > processing of the record, preventing conforming CAs that do not > recognize the new semantics from issuing certificates for the > indicated Domain Names. > > It's not clear to me that the normative "MUST" is best, here. (Is > anyone's behavior being constrained by this statement?) The intent here is to express that future versions would be specifying a "MUST" here. Open to suggestions about how to better say that. > Section 5.1 > > An Issuer MUST NOT issue certificates if doing so would > conflict with the Relevant RRSet, irrespective of whether the > corresponding DNS records are signed. > > I recognize that this is already the security considerations section, > but this requirement introduces its own security considerations, namely > that in cases where CAA responses received by the Issuer can be spoofed, > there is an opportunity for denial of service. Section 5.4 does not > seem to address this additional consideration relating to spoofing. > Section 5.5 perhaps touches on it, but merely talks about "introduction" > of a CAA RR, which may or may not imply the possibility of spoofing to > an arbitrary reader. Added to 5.5 some language about spoofing. > > Use of DNSSEC allows an Issuer to acquire and archive a proof that > they were authorized to issue certificates for the Domain Name. > Verification of such archives MAY be an audit requirement to verify > CAA record processing compliance. Publication of such archives MAY > be a transparency requirement to verify CAA record processing > compliance. > > Neither of these "MAY"s seem to be constraining the parties involved in > this specification, which makes me wonder if they are more appropriate > as ordinary "may"s. Done > > Section 5.4 > > Data cached by third parties MUST NOT be relied on but MAY > be used to support additional anti-spoofing or anti-suppression > controls. > > Is "relied on" meant to imply "relied on as the sole source of DNS CAA > information"? Done > > Section 8 > > Should the registration of the 'CAA' RRtype also be updated to refer to > [this document]? Done
- [lamps] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [lamps] Benjamin Kaduk's No Objection on draf… Jacob Hoffman-Andrews
- Re: [lamps] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk