Re: [Spasm] CAA erratum 4515
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 10 March 2017 19:43 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197501299A3 for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 11:43:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DVKHCjQDCZlu for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 11:43:40 -0800 (PST)
Received: from homiemail-a63.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7B7C129998 for <spasm@ietf.org>; Fri, 10 Mar 2017 11:43:36 -0800 (PST)
Received: from homiemail-a63.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTP id 342D36000505 for <spasm@ietf.org>; Fri, 10 Mar 2017 11:43:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=XIr+F8xVLHQWCwhGILXJFlCompU=; b= Lm6ZiIbHm2F/Wg58g9gh6xM94Wjwo1MBLW8qR8eyI1kMAvbjzSVeVpfxfb4BboGO Zg+sPKh2jnOt8CgSFD3lGJhy0lmleSrCt8aFe1nJtMQYs6tQXlk1WsWLIcakpz2K TKn/oH2+8hw5k2d8TQFMofrGWmrNV/nYp3XsnCSP8s0=
Received: from mail-lf0-f54.google.com (mail-lf0-f54.google.com [209.85.215.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTPSA id C74C86000502 for <spasm@ietf.org>; Fri, 10 Mar 2017 11:43:35 -0800 (PST)
Received: by mail-lf0-f54.google.com with SMTP id z15so22880777lfd.1 for <spasm@ietf.org>; Fri, 10 Mar 2017 11:43:35 -0800 (PST)
X-Gm-Message-State: AMke39mqv9ewBJlOfRsB5c1Qj6Qr/GNiR+gxe/inViEng36gG8vt46GWXxcdpE+Ptc+311wq0OKoQONM16+Q1Q==
X-Received: by 10.25.157.65 with SMTP id g62mr5555391lfe.29.1489175013876; Fri, 10 Mar 2017 11:43:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Fri, 10 Mar 2017 11:43:33 -0800 (PST)
In-Reply-To: <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 10 Mar 2017 14:43:33 -0500
X-Gmail-Original-Message-ID: <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com>
Message-ID: <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a11411ca2b5f0f3054a659394"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aWPQW1RbYhLfcrnzruSiLdQu4IU>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 19:43:42 -0000
On Fri, Mar 10, 2017 at 2:22 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote: > I chose these advisedly. Example.{com,net,org} are actively harmful for > reading comprehension, because their distinguishing parts are small and > come at the end rather than the beginning. Since this is a conversation, > not a normative document, I believe there's no requirement to use the > reserved domains. Do you disagree? > Considering how many 'discussion' examples I've seen get implemented in code as part of tests (often incorrectly), I try to err on the side of "Do no harm". Especially with countless email and spam filters that are going to start poking the domains to see if they should block the emails. > Since we both care about terminology, I'm going to recommend we instead > use the RFC 6844 terms I used in my previous email: tree climbing vs > non-tree climbing. Recursive already has a technical meaning in RFC 1035 > which differs from this one. > Fair point > These configurations are a little confusing, since you don't define goals. > I assume the goals in this example are: > (a) Every domain and subdomain in the example is covered by a CAA policy, > and > (b) Those CAA records are compatible with these policies: > (1) the owner of the user-facing domain will only buy certs from a > certain CA > (2) the owner of the CDN domain will only buy certs from another, > different CA. > > Is that accurate? I'll adopt the CA names "user-facing.ca." and " > enterprise.ca", since both our example CA names implied goodness or > badness, which is not relevant to the discussion. > I'm not sure user-facing and enterprise brings the level of clarity you hoped for, because it also implies a degree of policy that is different from the self-managed/externally managed case. But I think we're in agreement that we're talking "Foo" and "Bar" and never the twain shall meet. > I'm going to introduce one more assumption: the CDN issues certificates > for their own internal subdomains, and wants a CAA policy for those. This > is necessary to explain why the CDN sets any CAA records at all in the > Self-managed case. And I think this is what's implied by your examples - > right? > I think "internal subdomains" introduces an unnecessary degree of ambiguity, especially with your example of "enterprise.ca". I'm not sure if this is indicative that we're talking past each other or not. Both organizations want to set their own CAA policy as appropriate. I think that should be uncontroversial and without complication. > I think it makes the most sense to start with two baseline configs: > trampoline'd and non-trampoline'd, and from there define what *additional* > CAA records are necessary in the various worlds of Self-managed vs > Externally managed, and tree climbing vs non-. > > Trampoline'd config: > > www.staffie.dog. CNAME staffie.terrier.dog. > staffie.terrier.dog. A 192.0.2.1 > > > Non-trampoline'd config (all customers CNAME to the same www subdomain): > > www.beagle.dog. CNAME www.hound.dog.www.hound.dog. A 192.0.2.2 > > > Self-managed, tree-climbing: > > www.staffie.dog. CAA 0 issue "user-facing.ca"staffie.dog. CAA 0 issue "user-facing.ca"www.beagle.dog. CAA 0 issue "user-facing.ca"beagle.dog. CAA 0 issue "user-facing.ca" > terrier.dog. CAA 0 issue "enterprise.ca" > hound.dog. CAA 0 issue "enterprise.ca" > > I personally find this structure much harder to follow, so I may have missed things - if only because you're describing the permutations for trampoline and non-trampoline in the same configuration, and I think that makes it harder to compare the implications of these two configurations - which was very much my objective in providing further discussion. > Now, if we like, we can factor out the CAA records that appear in every > example: those for the base domains staffie.dog, beagle.dog, terrier.dog, > and hound.dog. That allows us to look at the differences between the worlds > more closely, and see what CAA records are required beyond those: > I'm sorry. At this point, I'm no longer able to follow your logic, despite having read this several times.
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews