IETF Logo Mail Archive

Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Fri, 10 March 2017 21:50 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8888F1294AA for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 13:50:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fwCnXF_fOygz for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 13:50:53 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862BC129452 for <spasm@ietf.org>; Fri, 10 Mar 2017 13:50:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject; bh=WGQ+tCxAg5jZ9SzGQ+UxzgdXINP/a/4luaiC4LukRGQ=; b=iHoeJrmtgTx3bGE8Qa0Ks06ZinhvudwEKw501Ljn7eH35ZgAhsUtPxW66Thu7GW5Jj5OjPt+yZdOJJAa+v/DPXHSW9cj12FhYcZEA2mjU7OcmTnH4oKES+2LCeQrXipXH6rWt+hayeE0R8T7u/7GwGi0qbymIXdV58sp1cBQVfY=;
Received: ; Fri, 10 Mar 2017 13:50:54 -0800
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org> <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com> <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org> <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <e00e0b36-b3f4-d544-0f85-5af10641d310@eff.org>
Date: Fri, 10 Mar 2017 13:50:51 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------EF636348A49E62651C6696DE"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_x4dcXVr4YLF2PXy7xlGf7HcgbU>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 21:50:55 -0000

On 03/10/2017 01:18 PM, Ryan Sleevi wrote:
> Which example? Are you talking about "example.net <http://example.net>
>           CAA 0 issue "evil-ca.example.org <http://evil-ca.example.org>" ?
Yep.
>
> That's because the site operator should be able to set their own
> policy for their own domains. This is why I dislike the "CDN" example,
> because it comes with it the implication that somehow "example.net
> <http://example.net>" is reserved only for CDN customers, whereas I
> think the marketing site example, a more common scenario, has the
> marketing company providing services at their own domain (e.g.
> "www.example.net <http://www.example.net>") and co-hosts one or more
> customer domains ("terrier.example.net <http://terrier.example.net>").
> The point here is that it's rare for a single domain tree to be
> limited to a single (self-hosted/externally-hosted) policy.
Great, looks like we're in agreement here. Personally I was taking it
for granted that CDNs (or hosting providers) often have a mix of
subdomains serving both their own sites and their customer sites, so
this didn't feel confusing, but I appreciate you clarifying it.
>
>  
>
>>     These configurations are a little confusing, since you don't
>>     define goals. I assume the goals in this example are:
>>      (a) Every domain and subdomain in the example is covered by a
>>     CAA policy, and
>     Can you confirm whether this is an implicit goal in your examples?
>
>
> I'm not sure I would suggest it like that, but again, I think we may
> simply be agreeing but talking past eachother :) I see "example.com
> <http://example.com>" and "example.net <http://example.net>" as two
> independent organizations with their own policies, for which they wish
> to express as efficiently and simply as possible.
Yep, that makes sense. One thing that might help is to detail that there
are actually three policies in play, that we've tended to squash into two:

1. Policy set by user-facing domain owner for their own hostnames.
2. Blanket policy set by CDN for hostnames they operate on their
customers' behalf.
3. Policy set by CDN for their own hostnames, which share the same base
domain as the CNAME targets used in (2).

The goal is that these can be set as three independent policies, without
unintended interactions.

Also, one thing I want to clarify: To what extent are you trying to
incentivize (2) and make it easy to do? I've been assuming that's a core
goal for you, but I may be misunderstanding that.
> If domain operators wish to operate with their own policy, but support
> customers with another policy, the trampoline is necessary or the
> customer has an additional configuration step.
This depends. Are the CDNs trying to support unique policies on a
per-customer basis, or a blanket policy as in (2) above? If it's a
blanket policy, no trampoline is needed. The CDN does need to have a
CNAME target that is not a base domain, but that target doesn't need to
be unique per-customer: i.e., not a trampoline.
> If domain operators wish to operate with their own policy, and support
> customers with the same policy (on the domains the domain operator
> operates), while allowing their customers to operate with their own
> policy on the customer domains, the trampoline is necessary.
I don't think this case is significantly different than the above. One
policy gets set on the CDN's base domain, while the other policy gets
set on the CNAME target. If those policies happen to be the same, that's
fine.

v2.23.0 | Report a Bug | By Email