Re: [lamps] CAA Simplification draft

Jacob Hoffman-Andrews <jsha@eff.org> Wed, 13 September 2017 05:28 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6F0132031 for <spasm@ietfa.amsl.com>; Tue, 12 Sep 2017 22:28:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xJk6-E3ZwB6D for <spasm@ietfa.amsl.com>; Tue, 12 Sep 2017 22:28:32 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADFB1133077 for <spasm@ietf.org>; Tue, 12 Sep 2017 22:28:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=KHfxPg0AxO5uFxQeFbad4sV3d+N/hBGAv6ih53e2z2k=; b=ywimDOtWwJ/JZZUrv24+LiayWEWgK8FyvPb0NkfLeG3pQt+bQ8JyDVJgVOvJHOrEGnqSUFIfgG8DJt3hUp4YGzQkZdD2tq1NEVwZyQF+EEJ5aD5ne7jdVGzNBS59JAxz0QzZAjj4Wt/RJIB2c5efjZU081qDUxex6APdDEN14wk=;
Received: ; Tue, 12 Sep 2017 22:28:29 -0700
To: Roland Bracewell Shoemaker <roland@letsencrypt.org>, spasm@ietf.org
References: <02d4e149-b777-5b5c-1cd0-a2c2aae49311@eff.org> <91ee5ecc-9b4f-1e7c-c9eb-e7248426e63f@letsencrypt.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <08389c8a-b9f4-c950-4c3a-2df118a1c638@eff.org>
Date: Tue, 12 Sep 2017 22:28:30 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <91ee5ecc-9b4f-1e7c-c9eb-e7248426e63f@letsencrypt.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_FgL1fFduNKRajSbRU2moKXJR8Q>
Subject: Re: [lamps] CAA Simplification draft
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 05:28:34 -0000

Thanks Roland! I've incorporated this feedback into a new draft:
https://www.ietf.org/id/draft-hoffman-andrews-caa-simplification-01.txt.

If anyone else would like to propose edits or make PRs, I have a copy
available on GitHub: https://github.com/jsha/caa-simplification.

On 09/12/2017 06:28 PM, Roland Bracewell Shoemaker wrote:
> While this removes the ambiguities with regard to CNAME and DNAME alias
> handling, I think the definition of the algorithm is still unnecessarily
> hard to read. Also, references to 'CNAME' should be replaced with
> 'aliases' since 1034 section 4.3.2 as updated by 6672 also handles
> DNAMEs (although to be honest I think any references to specific 1034
> 4.3.2 behavior can just be removed since they are incorporated simply by
> referencing that algorithm).
>
> I'd suggest that Section 4 paragraphs 3-9 be replaced with the following
> cleaned up definition using pseudocode and a better explanation of the
> steps the algorithm uses in the example:
>
> https://github.com/jsha/caa-simplification/compare/master...rolandshoemaker:alg-cleanup?expand=1
>
> I'd also recommend this RFC be pared down to only section 4 since that
> is all that is being changed and make it an 'Updates' instead of
> 'Obsoletes' style RFC that just redefines the lookup algorithm.
>
> Thanks for doing the work on this! I think taking this approach, of
> simplifying the algorithm definition, is better, as completely
> re-designing the algorithm and using a different record style,
> especially given that this is what CABF has already adopted, without a
> well-defined reason is just asking for more problems down the line.
>
> On 09/12/2017 05:23 PM, Jacob Hoffman-Andrews wrote:
>> Hi all,
>>
>> This is a revision to RFC6844 as discussed previously on the list and at
>> IETF 99. In particular, RFC6844 specifies that CAs should implement
>> "tree climbing" not only on the original FQDN, but also on any
>> intermediate CNAMEs discovered during primary lookup. As discussed
>> on-list, this disallows certain deployment scenarios, and can produce
>> surprising results in common CNAME-based hosting scenarios.
>>
>> Additionally, because RFC6844 re-specified parts of CNAME lookup, some
>> details were ambiguous. This draft updates RFC6844 to eliminate tree
>> climbing on CNAME targets, and to reference RFC 1034 for the standard
>> DNS lookup algorithm, including CNAME resolution.
>>
>> Because all of this draft is the same as RFC6844 except for the
>> "Certification Authority Processing" section, I've retained the original
>> two authors and added my own name. Please let me know if IETF etiquette
>> indicates a different approach.
>>
>> I'd like to propose this draft for adoption by the WG.
>>
>> https://www.ietf.org/id/draft-hoffman-andrews-caa-simplification-00.txt
>>
>> Thanks,
>> Jacob
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
>
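The difference the thread is about, as an added illustration that is not part of the draft, the thread, or any CA's code: the RFC 6844 relevant-record-set algorithm R(X) restarts tree climbing from a CNAME target, while the simplified draft climbs only the original FQDN's ancestors and treats each step as a plain RFC 1034 query (aliases followed, but never climbed). The zone data, the names, the CA identifiers, the `MAX_ALIAS_DEPTH` bound and the `permitted_issuers` helper are all constructed for this example; the helper handles only the `issue` property.

```python
"""CAA relevant-record-set lookup: RFC 6844 section 4 versus the simplified
draft, run over a constructed in-memory zone set."""
from typing import Dict, List, Optional

Zone = Dict[str, dict]  # owner name -> {"CNAME": target} or {"CAA": [rdata, ...]}

# Constructed sample data (not from the draft): a customer whose www host is a
# CNAME into a hosting provider that publishes its own CAA policy.
EXAMPLE_ZONE: Zone = {
    "example.com.":     {"CAA": ['0 issue "customer-ca.example"']},
    "www.example.com.": {"CNAME": "customer1.hosting.example."},
    "hosting.example.": {"CAA": ['0 issue "hoster-ca.example"']},
    # customer1.hosting.example. exists (it would carry A/AAAA) but has no CAA.
}

MAX_ALIAS_DEPTH = 8  # assumption: bound on CNAME chain length (loop protection)


def parent(name: str) -> Optional[str]:
    """P(X): drop the leftmost label. Returns None for a TLD, where both
    algorithms stop; the root is never queried."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def caa_at(zone: Zone, name: str) -> List[str]:
    """CAA records owned directly by `name` (no alias following, no climbing)."""
    return list(zone.get(name, {}).get("CAA", []))


def alias_of(zone: Zone, name: str) -> Optional[str]:
    return zone.get(name, {}).get("CNAME")


def standard_lookup(zone: Zone, name: str) -> List[str]:
    """RFC 1034 section 4.3.2 query for CAA at `name`: follow the alias chain
    and return whatever CAA records sit at the final canonical name.
    Never climbs; raises on a loop or an over-long chain."""
    seen = set()
    while True:
        if name in seen or len(seen) >= MAX_ALIAS_DEPTH:
            raise ValueError(f"alias loop or chain too long at {name}")
        seen.add(name)
        target = alias_of(zone, name)
        if target is None:
            return caa_at(zone, name)
        name = target


def rfc6844_relevant_set(zone: Zone, name: str) -> List[str]:
    """R(X) as RFC 6844 section 4 defines it: CAA(X) if non-empty; else if X is
    an alias, R(target), i.e. tree climbing restarts from the alias target;
    else if X is not a TLD, R(P(X)); else empty."""
    seen = set()
    x: Optional[str] = name
    while x is not None:
        if x in seen:  # only aliases can revisit a name; parents strictly shorten
            raise ValueError(f"alias loop at {x}")
        seen.add(x)
        recs = caa_at(zone, x)
        if recs:
            return recs
        target = alias_of(zone, x)
        x = target if target is not None else parent(x)
    return []


def simplified_relevant_set(zone: Zone, name: str) -> List[str]:
    """The draft's algorithm: walk P(0)=FQDN up to P(n)=TLD; at each step do a
    standard lookup (aliases followed, but the alias target's ancestors are
    never climbed). The first non-empty CAA set wins."""
    x: Optional[str] = name
    while x is not None:
        recs = standard_lookup(zone, x)
        if recs:
            return recs
        x = parent(x)
    return []


def permitted_issuers(records: List[str]) -> Optional[set]:
    """Domains named in `issue` properties, or None when no issue property is
    present (CAA then places no restriction on non-wildcard issuance).
    Parameters after ';' are ignored; a bare ';' value authorises no CA."""
    issuers: Optional[set] = None
    for rdata in records:
        _flags, tag, value = rdata.split(None, 2)
        if tag.lower() != "issue":
            continue
        issuers = set() if issuers is None else issuers
        domain = value.strip('"').split(";", 1)[0].strip()
        if domain:
            issuers.add(domain)
    return issuers


def compare(zone: Zone, name: str) -> Dict[str, List[str]]:
    return {"rfc6844": rfc6844_relevant_set(zone, name),
            "simplified": simplified_relevant_set(zone, name)}


if __name__ == "__main__":
    for alg, recs in compare(EXAMPLE_ZONE, "www.example.com.").items():
        print(f"{alg:10s} {recs} -> issuers {permitted_issuers(recs)}")
```

For www.example.com. the RFC 6844 walk finds nothing at the name, follows the CNAME, finds nothing at customer1.hosting.example., and then climbs to hosting.example., so the hoster's CAA governs and the customer's own policy at example.com. is never consulted. The simplified walk performs a standard query for www.example.com. (empty, after following the alias), then climbs to example.com. and returns the customer's record.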