IETF Logo Mail Archive

Re: [Spasm] CAA erratum 4515

Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 10 March 2017 22:52 UTC

Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEC1E129410 for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 14:52:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T-mUwfVKBbJ5 for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 14:52:01 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50E751293E8 for <spasm@ietf.org>; Fri, 10 Mar 2017 14:52:01 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id C24E330005C24 for <spasm@ietf.org>; Fri, 10 Mar 2017 14:52:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=9oT03KG8ePgG96l2CvK6DQu4rFM=; b= hOAxIv6CMxtOFRmoWYoeQuiiqUKGYhaAnU/vkiesFwVMvzwMz5119dLit17aFFQx zcvtbu6sprrqOpdpCEvxZfdKZz+WAXKj1tgVnaRq79GYpBZDnp7qXnA3GwwTX+xC 3BwMCfpBls+0YBxmOuEkoTegTjeI1gRMBAWlZomkfho=
Received: from mail-lf0-f46.google.com (mail-lf0-f46.google.com [209.85.215.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPSA id 6A53F30005C20 for <spasm@ietf.org>; Fri, 10 Mar 2017 14:52:00 -0800 (PST)
Received: by mail-lf0-f46.google.com with SMTP id a6so46419272lfa.0 for <spasm@ietf.org>; Fri, 10 Mar 2017 14:52:00 -0800 (PST)
X-Gm-Message-State: AMke39lU+eNaJO1hH24QH3GHe3NfQ/H3tufHE2ovGcXUtJ+9eMYTYfUDda8/p2w+oYnjsm6ImrADn3ohufUkpA==
X-Received: by 10.25.204.9 with SMTP id c9mr4957183lfg.107.1489186318705; Fri, 10 Mar 2017 14:51:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Fri, 10 Mar 2017 14:51:58 -0800 (PST)
In-Reply-To: <e00e0b36-b3f4-d544-0f85-5af10641d310@eff.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org> <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com> <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org> <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com> <e00e0b36-b3f4-d544-0f85-5af10641d310@eff.org>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 10 Mar 2017 17:51:58 -0500
X-Gmail-Original-Message-ID: <CAErg=HEURahEODsz9bPyS+B0NYsAioh6P5HeZsXmQUoJhC-9JQ@mail.gmail.com>
Message-ID: <CAErg=HEURahEODsz9bPyS+B0NYsAioh6P5HeZsXmQUoJhC-9JQ@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="94eb2c1a1c8287eea5054a6835a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dVVDLe0ke9XQQFx9Dmxm1l9uXDE>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 22:52:03 -0000

On Fri, Mar 10, 2017 at 4:50 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> One thing that might help is to detail that there are actually three
> policies in play, that we've tended to squash into two:
>
> 1. Policy set by user-facing domain owner for their own hostnames.
> 2. Blanket policy set by CDN for hostnames they operate on their
> customers' behalf.
> 3. Policy set by CDN for their own hostnames, which share the same base
> domain as the CNAME targets used in (2).
>
> The goal is that these can be set as three independent policies, without
> unintended interactions.
>
> Also, one thing I want to clarify: To what extent are you trying to
> incentivize (2) and make it easy to do? I've been assuming that's a core
> goal for you, but I may be misunderstanding that.
>

Thanks for summarizing that, and I agree - it's really three different
things.

I don't even think I'm trying to incentivize (2), so much as try to figure
out the solution that allows the least changes to be made re: DNS records
to support the most number of variations of these policies, and to identify
where the most likely failure points are with respect to complexity.

Or, put differently, I want as many people to be able to set CAA policies
that work "out of the box" with minimal configuration. This, of course,
relies on a subjective interpretation of what the most likely scenarios
are, and I want to fully acknowledge that up-front. I think both
tree-climbing and non-tree-climbing can work, to be abundantly clear :)


> If domain operators wish to operate with their own policy, but support
> customers with another policy, the trampoline is necessary or the customer
> has an additional configuration step.
>
> This depends. Are the CDNs trying to support unique policies on a
> per-customer basis, or a blanket policy as in (2) above? If it's a blanket
> policy, no trampoline is needed. The CDN does need to have a CNAME target
> that is not a base domain, but that target doesn't need to be unique
> per-customer: i.e., not a trampoline.
>

Fair point - some indirection is necessary, but it's not necessarily
per-customer indirection.


> If domain operators wish to operate with their own policy, and support
> customers with the same policy (on the domains the domain operator
> operates), while allowing their customers to operate with their own policy
> on the customer domains, the trampoline is necessary.
>
> I don't think this case is significantly different than the above. One
> policy gets set on the CDN's base domain, while the other policy gets set
> on the CNAME target. If those policies happen to be the same, that's fine.
>

Fair point here as well. The complexity then comes from whether this
reflects current deployment, or whether it reflects a point of deployment
which would have to change to support. I think this is what you've
identified in (2).

The fewer things that need to change - and just work out of the box - the
better the deployment scenario for CAA looks. My instinct - perhaps
incorrectly - is that tree climbing allows fewer changes for the most
participants, not that tree climbing is an intrinsic necessity.

v2.23.0 | Report a Bug | By Email