Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags

Tim Hollebeek <tim.hollebeek@digicert.com> Sat, 03 February 2018 00:55 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, Corey Bonnell <CBonnell@trustwave.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Sat, 3 Feb 2018 00:55:22 +0000
Message-ID: <MWHPR14MB1376EA5AE22B99B956BB6B5683F80@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <878C91A0-6875-47A4-872F-F5D1F7F7AE7E@trustwave.com> <CAErg=HFibyNDfzo5RC7D06dhzw_Y7KLmsgpden7rHxnx2tEcag@mail.gmail.com>
In-Reply-To: <CAErg=HFibyNDfzo5RC7D06dhzw_Y7KLmsgpden7rHxnx2tEcag@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dRhuagkI8X9Y3hrXUGqCDFnoGPY>
Subject: Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags

> It's not clear to me that "relevant" is not defined by the RFC, given the following:


I agree, and in my response I made it clear that “relevant” clearly indicates the record set retrieved via the described algorithm.  The wording isn’t the best, but I think that part is clear.


> Means that subdomain1.subdomain2.example.com. is unrestricted by issuance (i.e. the parent's restrictions do not apply) because the relevant record set does not contain an issue field.


Unfortunately, I do not believe this is clear, despite it being clear that this was the intent.  There’s explicit text that says that if no record set is returned, issuance is allowed.


There is also text that states that if an issue record includes the CA, issuance is allowed.


An overly literal reading of the text would indicate that in the absence of either of those two conditions (the record set is non-empty and there is no issue tag that allows issuance), then issuance is not allowed.  As I pointed out in my analysis, this reading of the text is inconsistent with text elsewhere in the RFC, and your analysis correctly identifies what the RFC *intended* to say.


Therefore I support Corey’s errata to make it clear that the RFC says what we all seem to agree it was intended to say.  Just to avoid any unnecessary compliance silliness.


-Tim
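The two readings discussed in this message, as an added illustration that is not part of the thread or of RFC 6844 itself: a minimal relevant-record-set lookup (tree climbing only; CNAME/DNAME following is not modelled) over a constructed zone table, with the intended interpretation and the overly literal one side by side on the exact subdomain1.subdomain2.example.com case.

```python
# Constructed zone data (not real DNS): domain -> list of (tag, value) CAA records.
ZONE = {
    "example.com.": [("issue", "ca-a.example")],
    "subdomain2.example.com.": [("iodef", "mailto:security@example.com")],
    # subdomain1.subdomain2.example.com. has no CAA records of its own
}

def relevant_record_set(domain, zone=ZONE):
    """RFC 6844 section 4: the relevant set is the CAA RRset at the domain
    itself or, failing that, at the closest ancestor that has one.
    Simplified: CNAME/DNAME handling is omitted; 'zone' is a lookup table."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
    return None, []

def issue_values(rrset):
    # CA-identifying part of each "issue" value, parameters after ';' stripped.
    # An "issue" record whose value is just ";" yields "" and so matches no CA.
    return [v.split(";", 1)[0].strip().lower() for t, v in rrset if t == "issue"]

def may_issue_intended(domain, ca, zone=ZONE):
    """Reading the thread agrees was intended: no relevant set, or a relevant
    set with no 'issue' property at all, leaves issuance unrestricted;
    otherwise some 'issue' value must name the CA."""
    _, rrset = relevant_record_set(domain, zone)
    cas = issue_values(rrset)
    if not cas:
        return True
    return ca.lower() in cas

def may_issue_literal(domain, ca, zone=ZONE):
    """Overly literal reading described in the mail: issuance is allowed only
    when no record set is returned at all, or an 'issue' record names the CA.
    A non-empty set carrying only 'iodef' therefore blocks every CA."""
    _, rrset = relevant_record_set(domain, zone)
    if not rrset:
        return True
    return ca.lower() in issue_values(rrset)
```

Under the literal reading the iodef-only record set at subdomain2.example.com. would forbid issuance to every CA, which is the outcome the message describes as unintended.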