Re: [lamps] CAA records on CNAMEs
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 19 March 2019 13:05 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F4B113127F for <spasm@ietfa.amsl.com>; Tue, 19 Mar 2019 06:05:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.647
X-Spam-Level:
X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7Iv3ik2JM9I for <spasm@ietfa.amsl.com>; Tue, 19 Mar 2019 06:05:26 -0700 (PDT)
Received: from mail-ot1-f49.google.com (mail-ot1-f49.google.com [209.85.210.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE62F131277 for <spasm@ietf.org>; Tue, 19 Mar 2019 06:05:25 -0700 (PDT)
Received: by mail-ot1-f49.google.com with SMTP id c16so6208541otn.4 for <spasm@ietf.org>; Tue, 19 Mar 2019 06:05:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cOVMcxwN/GKjJo9gag5q6Q/NfdQnioNCObSLDl+saaI=; b=L6H3dt6+KiwEkbBWAsa5FHu3b32T2nDqybNFfLcZ2KK+EncrLqe+eItvj4QTOETICQ DeYuME52GXoBgT1feETE4NkWzAy8O+CQ83/+mWdZeGV2pWAk04PqGEtGrFpt3+vv1aqq nKY0LtAu7kJjyI25bd6Gu2U7VuLb/UIkDCF/6ucIstwzE6RIr5AfbjJdc60xXa0ewwza H4eQoIDjGZKvwaHRoO7i6RK7nxMhncWqRM7daGYG102guDBsYRBtUAoNXyMsZw32pcT+ EIGx/SipFHc7b8uUOEOXZdlH8CvWUjM7u8sXnPEp8HpLSgysQYzUTvxt0KSyjDswmMoK VkdA==
X-Gm-Message-State: APjAAAWQ69VNek006tf/PW/VdmsuQ2L+AzzUooaU2DBzDuMthsmwQtqm +f1Jk3yAeJSA3iQte/9QTpAEfJ8RJ8yD61Ekl28=
X-Google-Smtp-Source: APXvYqynVimAZr5wsXJlc+8aTGj6+KA4kQICO0z6ckvNxT97H5cjYQnPxiMtfoT4XaBUwwxR4kmX58H4ZVPEmqbjjTA=
X-Received: by 2002:a9d:7608:: with SMTP id k8mr1370950otl.157.1553000724733; Tue, 19 Mar 2019 06:05:24 -0700 (PDT)
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org> <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 19 Mar 2019 09:05:13 -0400
Message-ID: <CAMm+LwhgFpGsBY5gr5rJGc7MV1HhzxBR5b7TAWYQeZyNVyTiZQ@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088a4a605847228f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/doZYJq89OHZw4FBMkG-blYBE2-Q>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 13:05:30 -0000
The logic of override would be that you end up with an override version of each tag. I don't think the semantics end up as being what you want them to be either. Example.com could have hundreds of Web Service hosts, so the override scheme would end up with an enormous collection of CAA records. On Mon, Mar 18, 2019 at 12:53 PM Tim Hollebeek <tim.hollebeek@digicert.com> wrote: > The problem is the "override" proposal adds another huge level of > complexity > on top of the semantics of the issue tag and every other tag involved in > the > issuance of certificates in the future (there will be more). > > As such, I think the proposal is strictly inferior to much simpler > solutions > e.g. the ones involving prefix tags. You can even do clever things like > saying the prefix tag is only relevant for CNAME records (this avoids > having > to do an additional DNS lookup for every node just to check if the prefix > tag exists at that node). > > The prefix tag issue resurfaces every six to twelve months or so; > interested > persons should probably just concentrate on pushing that across the goal > line. Though I think it probably isn't necessary to hold up RFC6844bis for > it. We already said "no" to one other request to extend CAA that > potentially could have held up RFC6844bis. It can be its own RFC. > > -Tim > > > -----Original Message----- > > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jan Schaumann > > Sent: Monday, March 18, 2019 12:02 PM > > To: spasm@ietf.org > > Subject: Re: [lamps] CAA records on CNAMEs > > > > Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > > On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote: > > > > > > An alternative solution was suggested in the slides noted above: > > > > change the CAA resolution algorithm to first attempt a _prefix on > > > > which I can set an override (i.e., '_prefix.someapp.example.com IN > > > > CAA issue "letsencrypt.org"'). This proposal was not reflected in > > > > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, > > > > however, so I assume there was discussion that concluded this to be > > undesirable? > > > > > > That lookup happens just on the full name, right after lookup on the > > > name itself, right? I.e., not on any tree-climbed names. > > > > I'm not the author of the original proposal, but I'd think the lookup > could work > > in one of two ways: > > > > 1) only perform the lookup on the full name iff it is a CNAME > > 2) perform the lookup on any tree-climbed name > > > > (1) has the advantage of simplicity, at the cost of (some) inconsistency; > (2) has > > the advantage of consistency at the cost of complexity and performance. > > Worse is Better suggests (1). > > > > > > As for how to handle combinations with DNAMEs, I suppose under (1), the > > situation is largely unchanged: > > > > With 'example.com DNAME example.net' a lookup for a CAA record for > > someapp.example.com would yield: > > > > - per the DNAME requirement, there must not be any record for > > someapp.example.com, so we only look at someapp.example.net: > > - if someapp.example.net has a CAA record, return that; else > > - if someapp.example.net is a CNAME to someapp.example.org: > > - if _caa.someapp.example.net has a CAA record, return that; else > > - if someapp.example.org has a CAA record, return that; else > > - try example.com, which falls under the DNAME, so check example.net; if > > that has a CAA record, return; else > > - try .com > > > > > > > > A third possibility might be to add another 'override' tag to the > > > > CAA definition, e.g.: > > > > > > > > example.com CAA 0 issue "digicert.com" > > > > example.com CAA 0 override "someapp.example.com > > issue:letsencrypt.org" > > > > > And are overrides recursive or not? Based on description it looked > > > that they require exact match. > > > > For simplicity, I think it might make sense to require that an 'override' > can only > > be given for specific labels above in the tree. > > That is, no wildcards and no further recursion. > > > > In order to simplify matching of records and names, we could swap the > order, > > to the symtax might be: > > > > override "<issue|issuewild|iodef>:<value> <name>" > > > > In example, this might look like so: > > > > example.com CAA 0 iodef "mailto:security@example.com" > > example.com CAA 0 issue "digicert.com" > > example.com CAA 0 override "issue:letsencrypt.org foo.example.com" > > example.com CAA 0 override "issuewild:globalsign.com bar.example.com" > > example.com CAA 0 override "iodef:mailto:bofh@example.net > > bofh.example.com" > > > > > > I'll also note that in a parallel thread on mozilla.dev.security.policy, > it was > > noted that there may be a need for an explicit way to allow any CA to > issue (in > > contrast to not having a CAA record, and thus requiring a tree-climb > ending > > only possibly in an implicit approval of any CA): > > https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa- > > xn1VsOA/DhQk9RZmDAAJ > > > > -Jan > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://www.ietf.org/mailman/listinfo/spasm > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Russ Housley
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Ilari Liusvaara
- Re: [lamps] CAA records on CNAMEs Tim Wicinski
- Re: [lamps] CAA records on CNAMEs Salz, Rich
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Jan Schaumann
- Re: [lamps] CAA records on CNAMEs Tim Hollebeek
- Re: [lamps] CAA records on CNAMEs Phillip Hallam-Baker