Re: [lamps] CAA tree climbing, gurrghhg

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 07 October 2017 03:17 UTC

To: John R Levine <johnl@taugh.com>
Cc: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YAR-4BEejh7wo-ZCx5viU8VJn80>

There is an interesting difference with this spec. If the spec goes through
IETF process and becomes an RFC and the folk in CABForum vote to do so,
this goes into production as a compliance requirement.

One side effect of that is that there cannot be any loose ends. PSL is a
loose end.

We debated the dbound problem at great length and then decided that it
doesn't matter. There are really only a few TLDs of any consequence and if
they did something silly, we can vote to unsilly as a special case. And
since they know that, it is unlikely folk will be silly.

Yes, VeriSign could put a CAA record in .com but I bet they won't because
even if they go mad and do, we can pass a CABForum rule with a special
exception.
On Fri, Oct 6, 2017 at 6:27 PM, John R Levine <johnl@taugh.com> wrote:

> I see that the current draft says that CAs climb up the tree a label at a
> time all the way to the TLD, looking for a CAA policy record.
>
> I think you will find a great deal of resistance to that design, because
> it runs into the dbound problem. If I register fobar.hockey, I do not want
> the .hockey TLD setting my default certificate policy.
>
> DMARC has a similar problem looking for policy records for mail
> authentication.  If there's no _dmarc record for a particular domain,
> implementations find the related "organizational domain", roughly the
> highest name under the same management, and it looks for a _dmarc record
> for the organizational domain.  Current implementations use the mozilla PSL
> or something similar; if we were able to converge in something in dbound or
> its reincarnation, they'd use that instead.
>
> I cheerfully agree that the PSL is awful, but as far as I can tell all of
> the alternatives are worse.
>
> R's,
> John
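As an added example (not code from either poster), the two lookup rules being compared above, a label-at-a-time climb all the way to the TLD versus a DMARC-style stop at the "organizational domain", simulated over a constructed in-memory zone and a constructed stand-in for the Mozilla PSL; the record names and CA identifiers are invented for the illustration:

```python
# Added example, not from the thread: simulates CAA lookup under the two
# rules under discussion, against constructed data instead of live DNS.
from typing import List, Optional, Tuple

# Constructed zone: name -> CAA "issue" values (RFC 6844 style). Includes a
# TLD (.hockey) and a registry (.com) publishing CAA, as the thread imagines.
CAA_RECORDS = {
    "hockey": ["tld-ca.example"],
    "com": ["registry-ca.example"],
    "example.com": ["corp-ca.example"],
}

# Constructed stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "org", "hockey", "co.uk"}


def parents(name: str):
    """Yield the name, then each ancestor one label at a time, up to the TLD."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def organizational_domain(name: str) -> Optional[str]:
    """Longest matching public suffix plus one label; None if name is itself a suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def caa_climb_to_tld(name: str) -> Tuple[Optional[str], List[str]]:
    """Draft rule: climb label by label to the TLD, first CAA record wins."""
    for candidate in parents(name):
        if candidate in CAA_RECORDS:
            return candidate, CAA_RECORDS[candidate]
    return None, []


def caa_bounded(name: str) -> Tuple[Optional[str], List[str]]:
    """DMARC-style rule: stop climbing once the organizational domain is checked."""
    org = organizational_domain(name)
    for candidate in parents(name):
        if candidate in CAA_RECORDS:
            return candidate, CAA_RECORDS[candidate]
        if candidate == org:
            break
    return None, []
```

Under the climbing rule a registrant of fobar.hockey inherits whatever the .hockey operator publishes; under the bounded rule the search ends at fobar.hockey and the TLD's record is never consulted.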