Re: [Spasm] CAA erratum 4515

Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 10 March 2017 17:03 UTC

In-Reply-To: <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 10 Mar 2017 12:02:57 -0500
Message-ID: <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kwZOZD80asmtzAD1Q9HjnLj2YSI>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>

On Thu, Mar 9, 2017 at 4:07 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 03/09/2017 12:35 PM, Ryan Sleevi wrote:
>
> I want to be careful here restricting it to the notion of "CDNs",
>
> I'm using CDN as a shorthand for "hosting provider or CDN." In the Twitter
> example, the other stakeholders are the marketing department and the
> contractor who develops the web content, neither of whom has CNAMEs in the
> mix. Is there another entity type I'm missing?
>
> *Hole punching and the includeSubDomains problem*
>>
> As you noted elsewhere, to effectively get this scenario, the operator of
> superbowl2017.twitter.com (which we'll call example.com) would need to
> set up the destination of CNAME in such a way as to be able to
> appropriately express the per-customer policy (if Twitter handles
> certificate provisioning) - that is, superbowl2017.twitter.example.com -
>  or, as you noted, would need to effectively set the CAA record as a
> 'wildcard' / for every customer.
>
> I don't understand why example.com would need to set a per-customer
> policy. If terrier.dog handles certificates for their customers, they would
> do so with a limited set of CAs, and could set that as policy on their
> domain names. If a specified customer like www.staffie.dog needs a
> different policy, they can set it on their own hostname:
>
> www.staffie.dog.        CAA 0 issue "sad-hacker-totally-real-ca.net"
>
>
> I don't think trampolining is necessary to make this work.
>
> If terrier.dog doesn't handle certificates, e.g., if they expect customers
> to bring their own cert from any CA, then they can't reasonably set a
> blanket policy for all their customers. In that situation, I think it would
> similarly be up to the customer to set a CAA policy on their own hostname
> if they wanted one, since the customer is the one with the CA relationship.
>

The pronouns here (re: "they") make it a bit confusing to follow your
argument.

I'm also trying to stick to using domains reserved for purpose, rather than
use staffie.dog and terrier.dog. For sake of clarity, I'll rephrase it as:

From:
www.staffie.dog.        CNAME staffie.terrier.dog.
staffie.terrier.dog.    A 192.0.2.1
terrier.dog.            CAA 0 issue "happy-hacker-fake-ca.net"

To:
www.example.com    CNAME staffie.example.net
staffie.example.net   A 192.0.2.1
example.net             CAA 0 issue "evil-ca.example.org"


Now that we've got that basic bit out, I'm going to try to briefly cover
the permutations of configurations here, with the introduction of some
terminology:

- Self-Managed = The domain operator of example.com handles certificate
acquisition for www.example.com
- Externally-Managed = The domain operator of example.net handles
certificate acquisition for www.example.com

and
- Recursive = As currently specified
- Non-Recursive = As Erratum 4515 proposes

Finally, one last dimension - whether or not a 'trampoline' is involved,
where
- Trampoline = example.com points their CNAME to a host at example.net that
is dedicated 'for them' (the 'staffie.example.net' case)

We end up with the following configurations:

- Self-Managed, Recursive, Trampolined
www.example.com  CNAME staffie.example.net
www.example.com  CAA 0 issue "good-ca.example.org"
example.com          CAA 0 issue "good-ca.example.org"
staffie.example.net A 192.0.2.1
example.net           CAA 0 issue "evil-ca.example.org"

- Externally-Managed, Recursive, Trampolined
www.example.com  CNAME staffie.example.net
example.com          CAA 0 issue "good-ca.example.org"
staffie.example.net  A 192.0.2.1
example.net            CAA 0 issue "evil-ca.example.org"

- Self-Managed, Non-Recursive, Trampolined
www.example.com  CNAME staffie.example.net
example.com          CAA 0 issue "good-ca.example.org"
staffie.example.net A 192.0.2.1
example.net           CAA 0 issue "evil-ca.example.org"

- Externally-Managed, Non-Recursive, Trampolined
EITHER:
www.example.com  CNAME staffie.example.net
example.com          CAA 0 issue "good-ca.example.org"
staffie.example.net A 192.0.2.1
staffie.example.net CAA 0 issue "evil-ca.example.org"
example.net           CAA 0 issue "evil-ca.example.org"

OR (and more problematically)

www.example.com  CNAME staffie.example.net
www.example.com  CAA 0 issue "evil-ca.example.org"
example.com          CAA 0 issue "good-ca.example.org"
staffie.example.net A 192.0.2.1
example.net           CAA 0 issue "evil-ca.example.org"

I say problematic here, because now example.com is responsible for
'tracking' example.net's configuration, and if example.net wants to change
configuration, it needs to notify example.com.

For the non-trampoline case, the initial configuration looks something like:
www.example.com CNAME example.net
example.com         CAA 0 issue "good-ca.example.org"
example.net           A 192.0.2.1
example.net           CAA 0 issue "evil-ca.example.org"

For which we end up with the following permutations:
- Self-managed, recursive
www.example.com CNAME example.net
www.example.com CAA 0 issue "good-ca.example.org"
example.com         CAA 0 issue "good-ca.example.org"
example.net          A 192.0.2.1
example.net          CAA 0 issue "evil-ca.example.org"

- Externally-managed, recursive
www.example.com CNAME example.net
example.com         CAA 0 issue "good-ca.example.org"
example.net          A 192.0.2.1
example.net          CAA 0 issue "evil-ca.example.org"

- Self-managed, non-recursive
www.example.com CNAME example.net
www.example.com CAA 0 issue "good-ca.example.org"
example.com         CAA 0 issue "good-ca.example.org"
example.net          A 192.0.2.1
example.net          CAA 0 issue "evil-ca.example.org"

- Externally-managed, non-recursive
www.example.com CNAME example.net
example.com         CAA 0 issue "good-ca.example.org"
example.net          A 192.0.2.1
example.net          CAA 0 issue "evil-ca.example.org"


Have I reasonably summarized at least what the configurations would need to
look like, under the various algorithms? I figure it's probably important
to checkpoint here, before starting the subjective portion.
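The configurations above can be checked mechanically. The following is an added example, not code from this message, from RFC 6844 or from any CA: a toy resolver over an in-memory zone that implements the published RFC 6844 section 4 "relevant record set" rule (recursive: follow the CNAME target and climb its tree) beside the Erratum 4515 variant as the message describes it (consult only the CNAME target's own CAA set, then climb the original name's tree). The zone text is copied from the configurations in the message; the parser, the function names and the reading of the erratum are this example's own assumptions. One caveat the toy parser deliberately ignores: real DNS forbids a CNAME and any other record at the same owner name (RFC 1034 section 3.6.2), so the "www.example.com CAA" lines in the self-managed configurations could not be loaded into a real zone as written; the parser accepts them only so every listed configuration can be modelled.

```python
"""Toy CAA "relevant record set" lookup, added as an example; this is not code
from the message, from RFC 6844 or from any CA. It implements the published
RFC 6844 section 4 rule (recursive through the CNAME target's tree) and the
Erratum 4515 variant as the message describes it (only CAA(A(X)), no climbing
at the target). Zone text is copied from the configurations above; the parser
and function names are this example's own.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]        # (flags, tag, value)
Zone = Dict[str, Dict[str, object]]     # name -> {"CNAME"/"A": str, "CAA": [CAARecord]}


def parse_zone(text: str) -> Zone:
    """Parse the 'name TYPE rdata' lines used in the thread; trailing dots optional.
    Accepts CNAME plus CAA at one name (invalid in real DNS) to model the configs."""
    zone: Zone = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        name, rtype, rdata = fields[0].rstrip("."), fields[1], fields[2:]
        entry = zone.setdefault(name, {"CAA": []})
        if rtype == "CNAME":
            entry["CNAME"] = rdata[0].rstrip(".")
        elif rtype == "A":
            entry["A"] = rdata[0]
        elif rtype == "CAA":
            entry["CAA"].append((int(rdata[0]), rdata[1], " ".join(rdata[2:]).strip('"')))
        else:
            raise ValueError(f"unsupported record type {rtype!r}")
    return zone


def caa(zone: Zone, name: str) -> List[CAARecord]:
    """CAA(X): the CAA set at exactly X."""
    return list(zone.get(name, {}).get("CAA", []))


def alias_target(zone: Zone, name: str) -> Optional[str]:
    """A(X): end of the CNAME chain from X, or None if X is not an alias (loop-safe)."""
    seen, cur = set(), name
    while cur in zone and "CNAME" in zone[cur] and cur not in seen:
        seen.add(cur)
        cur = zone[cur]["CNAME"]
    return None if cur == name else cur


def parent(name: str) -> Optional[str]:
    """P(X): X minus its leftmost label; None once only one label is left."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_rfc6844(zone: Zone, name: Optional[str]) -> List[CAARecord]:
    """As published: R(X) = CAA(X); else R(A(X)) if non-empty; else R(P(X))."""
    if name is None:
        return []
    if caa(zone, name):
        return caa(zone, name)
    target = alias_target(zone, name)
    if target is not None:
        via_alias = relevant_rfc6844(zone, target)   # climbs the target's tree too
        if via_alias:
            return via_alias
    return relevant_rfc6844(zone, parent(name))


def relevant_erratum4515(zone: Zone, name: Optional[str]) -> List[CAARecord]:
    """Erratum reading: R(X) = CAA(X); else CAA(A(X)) if non-empty; else R(P(X))."""
    while name is not None:
        if caa(zone, name):
            return caa(zone, name)
        target = alias_target(zone, name)
        if target is not None and caa(zone, target):
            return caa(zone, target)                 # the target itself, no climbing
        name = parent(name)
    return []


def issuers(rrset: List[CAARecord]) -> List[str]:
    """CA identifiers the 'issue' property permits (ignores 'issuewild'/'iodef')."""
    return sorted(value for _flags, tag, value in rrset if tag == "issue")


def governing_issuers(zone_text: str, name: str = "www.example.com") -> Dict[str, List[str]]:
    """Which CAs may issue for `name` under each algorithm, from the zone text."""
    zone = parse_zone(zone_text)
    return {"rfc6844": issuers(relevant_rfc6844(zone, name)),
            "erratum4515": issuers(relevant_erratum4515(zone, name))}


# Zone texts copied from the configurations in the message above.
TRAMPOLINE = """
www.example.com     CNAME staffie.example.net
example.com         CAA 0 issue "good-ca.example.org"
staffie.example.net A 192.0.2.1
example.net         CAA 0 issue "evil-ca.example.org"
"""
TRAMPOLINE_TARGET_CAA = TRAMPOLINE + 'staffie.example.net CAA 0 issue "evil-ca.example.org"\n'
NO_TRAMPOLINE = """
www.example.com CNAME example.net
example.com     CAA 0 issue "good-ca.example.org"
example.net     A 192.0.2.1
example.net     CAA 0 issue "evil-ca.example.org"
"""

if __name__ == "__main__":
    for label, text in [("trampoline", TRAMPOLINE), ("CAA on target", TRAMPOLINE_TARGET_CAA), ("no trampoline", NO_TRAMPOLINE)]:
        print(label, governing_issuers(text))
```

Run as-is, the trampoline zone with no CAA at www.example.com is the one place the two algorithms disagree: the published rule walks staffie.example.net up to example.net and lands on evil-ca.example.org, the erratum reading stops at the (empty) target and climbs example.com instead, landing on good-ca.example.org. That is exactly why the self-managed recursive configuration in the message needs an explicit CAA at www.example.com while the self-managed non-recursive one does not, and why the externally-managed non-recursive case needs a CAA on staffie.example.net itself. Adding the www.example.com CAA line, or pointing the CNAME at the example.net apex, makes both algorithms agree.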