Re: [lamps] CAA tags

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 18 December 2017 20:45 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA tags
Date: Mon, 18 Dec 2017 20:45:45 +0000
Message-ID: <DM5PR14MB1289520C260D1634FBF5C1E4830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com> <0ab8efa3-378c-ece7-4fa3-913308f81c22@eff.org> <DM5PR14MB12895320D99FC570E797373F830E0@DM5PR14MB1289.namprd14.prod.outlook.com> <CAErg=HGMOVmvEoD=hy3rnTb=J1uQeu-SHrTn1JEeRnQuXzqg-Q@mail.gmail.com>
In-Reply-To: <CAErg=HGMOVmvEoD=hy3rnTb=J1uQeu-SHrTn1JEeRnQuXzqg-Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dtuLx90qMf9CzmB_6R5G9_IxWf8>
Subject: Re: [lamps] CAA tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 20:45:51 -0000

Pre-spec for discussion.  Its current status is “I sat down for an hour, reviewed meeting minutes and read some stuff, and circulated some notes”.

-Tim

From: Ryan Sleevi [mailto:ryan-ietf@sleevi.com]
Sent: Monday, December 18, 2017 1:42 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>; spasm@ietf.org
Subject: Re: [lamps] CAA tags

On Mon, Dec 18, 2017 at 3:10 PM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:



> > readable text labels, like Validation=Phone?
>
> My issue with validation=phone is that it is not precise enough; there's one
> version of validation by phone defined in the BRs today, but what if that
> changes significantly? One could solve this by defining a versioned validation
> method, e.g. validation=phone-01, with an IANA registry to register new ones
> as requirements change.

The lack of precision bothered me a bit too when I was proposing it,
especially since some people have discussed breaking up some of the
larger catch-all ones.  I like the version number, but I think we have to be
a bit careful.  Is the version just a minimum version?  If I have CAA set to
validation=phone-01, do I have to update my CAA record every time the
BR validation methods are changed?  How big of a change requires revving
the version number of the validation method?


Should the BR version number be used instead?  E.g. validation=phone-1.5.4?
This might make more sense as the BR version number does get bumped on
every validation rev (and non-validation rev ...).

> However, there does seem to be some interest in embedding information
> about validation methods in certificates. It would be nice if there was a
> correspondence between the namespace used in CAA and the one used in
> certificates.

That would be nice.  Maybe an IANA registry for validation methods might
make sense, but I'm unfamiliar with how easy/difficult that is to set up/modify.

It'd be great if there was a spec writeup for discussion - or is this a pre-spec seeds of thoughts?

I think Jacob's suggestion of OIDs is not at all unreasonable, and avoids the ambiguities you raise and allows them to be addressed by policy in the Forum.

> It's easy to define a URI mapping for an existing account identifier.
> For instance, if customers have a numeric id 123456, the CA can specify that
> the corresponding account-uri is https://ca.example.net/accounts/123456.
> There's no requirement that account-uris are fetchable.

I get that, but a URI is longer and more complicated.  Quirin's research
shows that a significant fraction of CAA users CANNOT SPELL THEIR CA'S
NAME.  I shudder to think how they will manage to mangle a URI ...

I also agree with Jacob's suggestion here, and prefer a single, canonical representation.
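An added example, not part of this thread or any CA's code, of how a CA could enforce the tags discussed above: it parses an `issue` value in the RFC 6844 `domain [; tag=value ...]` syntax and checks the `account-uri` mapping (numeric id to https://ca.example.net/accounts/ID) and the versioned `validation` parameter (e.g. `phone-01`). The CA domain, the account-uri prefix, and the comma-separated list form for `validation` are assumptions.

```python
# Added example (not from the thread). Parameter names "validation" and
# "account-uri" and the versioned method form "phone-01" come from the
# discussion; the CA identity, the account-uri prefix and the comma-separated
# list form for "validation" are constructed assumptions.
import re

CA_DOMAIN = "ca.example.net"                          # assumed CA identity
ACCOUNT_PREFIX = "https://ca.example.net/accounts/"   # assumed account-uri mapping

PARAM_RE = re.compile(r"^([A-Za-z0-9_-]+)=(.*)$")     # RFC 6844: parameter = tag "=" value


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer domain, {tag: value})."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params = {}
    for raw in parts[1:]:
        if not raw:
            continue
        m = PARAM_RE.match(raw)
        if not m:
            raise ValueError("malformed parameter: %r" % raw)
        tag, val = m.group(1).lower(), m.group(2)
        if tag in params:
            raise ValueError("duplicate parameter: %s" % tag)
        params[tag] = val
    return domain, params


def account_uri_for(account_id):
    """Map a numeric customer id to its canonical account-uri (assumed scheme)."""
    return ACCOUNT_PREFIX + str(account_id)


def issuance_permitted(value, account_id, method):
    """Return (permitted, reason) for this CA, the requesting account and the
    validation method the CA intends to use for this request."""
    try:
        domain, params = parse_issue_value(value)
    except ValueError as e:
        return False, str(e)
    if domain == "":
        return False, "empty issuer domain: no CA may issue"
    if domain != CA_DOMAIN:
        return False, "issuer %r does not name this CA" % domain
    if "account-uri" in params and params["account-uri"] != account_uri_for(account_id):
        return False, "account-uri does not match the requesting account"
    if "validation" in params:
        allowed = {m.strip() for m in params["validation"].split(",")}  # assumed list form
        if method not in allowed:
            return False, "method %s not in allowed set %s" % (method, sorted(allowed))
    return True, "ok"
```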