IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 02 December 2022 17:56 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65B4AC14F718 for <spasm@ietfa.amsl.com>; Fri, 2 Dec 2022 09:56:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.396
X-Spam-Level:
X-Spam-Status: No, score=-1.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HcSW4FlfHmv4 for <spasm@ietfa.amsl.com>; Fri, 2 Dec 2022 09:56:10 -0800 (PST)
Received: from mail-oa1-f50.google.com (mail-oa1-f50.google.com [209.85.160.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5D46C14F607 for <spasm@ietf.org>; Fri, 2 Dec 2022 09:56:10 -0800 (PST)
Received: by mail-oa1-f50.google.com with SMTP id 586e51a60fabf-1441d7d40c6so6376388fac.8 for <spasm@ietf.org>; Fri, 02 Dec 2022 09:56:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sRlrb2ELBQNuwl6ZVEBn3O4tQfTa6+ZWeUeyNIJjgQE=; b=sOkb5DyWlHvwow0MviW/o0Lrlo/iaC2zKpP6D8x/CJdkZXq7ETi5b8ChlEziR8YkjX +ifjK/JJVrejwRW874M4d6xCkdUgXEh/hh/tAcQ3/R28HGbwFnA/uzToYMRBen2ZKAdO cdNP7gWDF+c0QUaFCVs+7JwoAeIts//UfdxUsouwHZggifEqVXwIS3Wch0EGYf+5pa8b 8BXAr3o8CsIivUb/5zXchOhqn3QOLVCpW4sfowX3bJ0BY/Rs4ohj+n77HobpCtAk1efH YqvNqCsL1igyOOZqC79wxU0/HZDsQK0VZW1Zfn7LNxkHrOiCBYaXxeHkJGUIYXntof4c l70Q==
X-Gm-Message-State: ANoB5pl2gfCDpUWzLzPQbBAPeLVMNchAns/ArP/LINEYB928kHP/4Sni jp35+vxVCWSvFcKU1Y6QAF0D5B4AYB7glgWsx0zv/9JU
X-Google-Smtp-Source: AA0mqf7H0ZJhKWaUwqEVveWLMpxYpbu+kdN9ntkg8sd+YTyerU4sPzouYVLEgiSfTzY4I+5a8vRlQO4KecNOy24AXBY=
X-Received: by 2002:a05:6871:7a5:b0:141:66bf:a93e with SMTP id o37-20020a05687107a500b0014166bfa93emr44228984oap.108.1670003769802; Fri, 02 Dec 2022 09:56:09 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com> <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com> <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com> <CAMm+LwiXQzN4O=efFg6e7U1C2oW7YFPbx51ZjLhMDL5Z0s87rg@mail.gmail.com> <876b96f2-4a51-df07-a31a-4fe6caafcb73@cs.tcd.ie> <CAMm+Lwh++P3uZA3VETyAODhAGVFh4_sQhRBX63_KesLKNc04+w@mail.gmail.com> <BEDF0316-E072-427A-B050-12EBB2068281@gmail.com>
In-Reply-To: <BEDF0316-E072-427A-B050-12EBB2068281@gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 02 Dec 2022 17:55:57 +0000
Message-ID: <CAMm+Lwhbw5n_DS1FpdBioX63S3wsifwtJmSiHGD6PiYnnETQSA@mail.gmail.com>
To: Antonios Chariton <daknob.mac@gmail.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>, Corey Bonnell <Corey.Bonnell@digicert.com>
Content-Type: multipart/alternative; boundary="0000000000007903d405eedc0dc6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bhqVfAPqbQRReeNJR2elEDQ4bAo>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 17:56:11 -0000

On Fri, Dec 2, 2022 at 10:51 AM Antonios Chariton <daknob.mac@gmail.com>
wrote:

> I think that CAA for S/MIME is useful, and can help enforce policies for
> an enterprise, and even for large e-mail providers (although probably not
> for their main domain gmail.com / hotmail.com / etc.). I participate here
> on my personal capacity and won’t speak on behalf of Gmail.
>

I agree. The point I was making earlier is that participation by the likes
of GMail is not necessary for the proposal to be useful. While it would
certainly make a good deal of sense for Google's one product to offer a
full S/MIME CA capability etc. etc. and run it all on behalf of its
industry clients, that doesn't have to happen for this proposal to succeed.

Two things I’d maybe consider, one of which is described in my thread[1]
> too:
>
> - Perhaps “mailissue” or “mail” is better (explained in the thread) or
> even “smime”. This allows for “smimeentity” and “smimeserver” for example,
> if there’s a future need for that.
>
> - I don’t know if I would make this critical
>

Don't.

It really is a mystery to me why people still get the criticality bit
wrapped around their axles. It is a bad name for a necessary tool. Calling
it critical caused people to think it means 'important'. It doesn't.

The purpose of the criticality flag in PKIX, CAA included is to tell
applications processing it, 'if you see information marked with this flag
and you do not understand what the information means, don't do anything
until you do.'

The point of the criticality flag in CAA is to provide an upgrade mechanism
for introducing new features without causing legacy infrastructures to do
bad things. It is not there to say 'this is important' or 'I triple dog
dare you'.

Making a CAA extension critical should almost always be left to the
discretion of the site operator.

v2.23.0 | Report a Bug | By Email