Re: [Spasm] CAA erratum 4515
Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 10 March 2017 17:03 UTC
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Fri, 10 Mar 2017 12:02:57 -0500
To: Jacob Hoffman-Andrews <jsha@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kwZOZD80asmtzAD1Q9HjnLj2YSI>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
On Thu, Mar 9, 2017 at 4:07 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 03/09/2017 12:35 PM, Ryan Sleevi wrote:
> > I want to be careful here restricting it to the notion of "CDNs",
>
> I'm using CDN as a shorthand for "hosting provider or CDN." In the Twitter
> example, the other stakeholders are the marketing department and the
> contractor who develops the web content, neither of whom have CNAMEs in the
> mix. Is there another entity type I'm missing?
>
> *Hole punching and the includeSubDomains problem*
>
> > As you noted elsewhere, to effectively get this scenario, the operator of
> > superbowl2017.twitter.com (which we'll call example.com) would need to
> > set up the destination of CNAME in such a way as to be able to
> > appropriately express the per-customer policy (if Twitter handles
> > certificate provisioning) - that is, superbowl2017.twitter.example.com -
> > or, as you noted, would need to effectively set the CAA record as a
> > 'wildcard' / for every customer.
>
> I don't understand why example.com would need to set a per-customer
> policy. If terrier.dog handles certificates for their customers, they would
> do so with a limited set of CAs, and could set that as policy on their
> domain names. If a specified customer like www.staffie.dog needs a
> different policy, they can set it on their own hostname:
>
> www.staffie.dog. CAA 0 issue "sad-hacker-totally-real-ca.net"
>
> I don't think trampolining is necessary to make this work.
>
> If terrier.dog doesn't handle certificates, e.g., if they expect customers
> to bring their own cert from any CA, then they can't reasonably set a
> blanket policy for all their customers. In that situation, I think it would
> similarly be up to the customer to set a CAA policy on their own hostname
> if they wanted one, since the customer is the one with the CA relationship.

The pronouns here (re: "they") make it a bit confusing to follow your argument.

I'm also trying to stick to using domains reserved for purpose, rather than
use staffie.dog and terrier.dog. For sake of clarity, I'll rephrase it as:

From:

  www.staffie.dog. CNAME staffie.terrier.dog.
  staffie.terrier.dog. A 192.0.2.1
  terrier.dog. CAA 0 issue "happy-hacker-fake-ca.net"

To:

  www.example.com CNAME staffie.example.net
  staffie.example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

Now that we've got that basic bit out, I'm going to try to briefly cover the
permutations of configurations here, with the introduction of some
terminology:

- Self-Managed = The domain operator of example.com handles certificate
  acquisition for www.example.com
- Externally-Managed = The domain operator of example.net handles
  certificate acquisition for www.example.com

and

- Recursive = As currently specified
- Non-Recursive = As Erratum 4515 proposes

Finally, one last dimension - whether or not a 'trampoline' is involved,
where

- Trampoline = example.com points their CNAME to a host at example.net that
  is dedicated 'for them' (the 'staffie.example.net' case)

We end up with the following configurations:

- Self-Managed, Recursive, Trampoline'd

  www.example.com CNAME staffie.example.net
  www.example.com CAA 0 issue "good-ca.example.org"
  example.com CAA 0 issue "good-ca.example.org"
  staffie.example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Externally-Managed, Recursive, Trampoline'd

  www.example.com CNAME staffie.example.net
  example.com CAA 0 issue "good-ca.example.org"
  staffie.example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Self-Managed, Non-Recursive, Trampolined

  www.example.com CNAME staffie.example.net
  example.com CAA 0 issue "good-ca.example.org"
  staffie.example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Externally-Managed, Non-Recursive, Trampolined

  EITHER:

  www.example.com CNAME staffie.example.net
  example.com CAA 0 issue "good-ca.example.org"
  staffie.example.net A 192.0.2.1
  staffie.example.net CAA 0 issue "evil-ca.example.org"
  example.net CAA 0 issue "evil-ca.example.org"

  OR (and more problematically)

  www.example.com CNAME staffie.example.net
  www.example.com CAA 0 issue "evil-ca.example.org"
  example.com CAA 0 issue "good-ca.example.org"
  staffie.example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

I say problematic here, because now example.com is responsible for
'tracking' example.net's configuration, and if example.net wants to change
configuration, it needs to notify example.com.

For the non-trampoline case, the initial configuration looks something like:

  www.example.com CNAME example.net
  example.com CAA 0 issue "good-ca.example.org"
  example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

For which we end up with the following permutations:

- Self-managed, recursive

  www.example.com CNAME example.net
  www.example.com CAA 0 issue "good-ca.example.org"
  example.com CAA 0 issue "good-ca.example.org"
  example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Externally-managed, recursive

  www.example.com CNAME example.net
  example.com CAA 0 issue "good-ca.example.org"
  example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Self-managed, non-recursive

  www.example.com CNAME example.net
  www.example.com CAA 0 issue "good-ca.example.org"
  example.com CAA 0 issue "good-ca.example.org"
  example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

- Externally-managed, non-recursive

  www.example.com CNAME example.net
  example.com CAA 0 issue "good-ca.example.org"
  example.net A 192.0.2.1
  example.net CAA 0 issue "evil-ca.example.org"

Have I reasonably summarized at least what the configurations would need to
look like, under the various algorithms? I figure it's probably important to
checkpoint here, before starting the subjective portion.
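Added example, not part of the message above or of any IETF text: a small model of the two CAA lookup algorithms the thread contrasts, run over the configurations Ryan lists. "Recursive" implements RFC 6844 section 4 as published (at label X use CAA(X); otherwise, if X is an alias, use the full result R(A(X)) at the alias target, which climbs the target's own tree; otherwise move to the parent P(X)). "Non-recursive" is my reading of erratum 4515, namely that R(A(X)) becomes CAA(A(X)), so only the CAA set directly at the alias target is consulted before climbing X's own tree. The record lines are constructed from the message; the zone is an in-memory dict and nothing is queried over the network. The message's non-trampoline "recursive" and "non-recursive" variants use identical records, so they appear once each here.

```python
# Added example (not the thread's code): evaluate the message's CAA
# configurations under RFC 6844 s.4 as published ("recursive") and under
# my reading of erratum 4515 ("non-recursive": CAA(A(X)) instead of R(A(X))).
# All records are constructed from the message; no DNS queries are made.
from dataclasses import dataclass, field

MAX_STEPS = 32  # bound on alias hops + parent steps; guards against CNAME loops


@dataclass
class Zone:
    cname: dict = field(default_factory=dict)   # owner -> alias target
    caa: dict = field(default_factory=dict)     # owner -> [(tag, value), ...]

    @classmethod
    def parse(cls, lines):
        """Parse 'owner TYPE rdata' lines. A records are accepted but ignored,
        since they play no part in CAA evaluation."""
        z = cls()
        for line in lines:
            owner, rtype, *rdata = line.split()
            owner = owner.rstrip(".")
            if rtype == "CNAME":
                z.cname[owner] = rdata[0].rstrip(".")
            elif rtype == "CAA":            # rdata = [flags, tag, '"value"']
                z.caa.setdefault(owner, []).append((rdata[1], rdata[2].strip('"')))
            elif rtype != "A":
                raise ValueError(f"unsupported record: {line}")
        return z


def parent(label):
    """P(X): the label one level up, or None when X is a top-level domain."""
    return label.split(".", 1)[1] if "." in label else None


def lookup_recursive(zone, label, steps=0):
    """R(X) per RFC 6844 section 4 as published: R(A(X)) at an alias target."""
    if steps > MAX_STEPS:
        return []
    rrset = zone.caa.get(label)
    if rrset:
        return rrset
    target = zone.cname.get(label)
    if target is not None:
        via_alias = lookup_recursive(zone, target, steps + 1)
        if via_alias:
            return via_alias
    p = parent(label)
    return lookup_recursive(zone, p, steps + 1) if p is not None else []


def lookup_nonrecursive(zone, label):
    """R(X) with erratum 4515 applied: only CAA(A(X)) at the alias target."""
    x = label
    for _ in range(MAX_STEPS):
        rrset = zone.caa.get(x)
        if rrset:
            return rrset
        target = zone.cname.get(x)
        if target is not None and zone.caa.get(target):
            return zone.caa[target]
        x = parent(x)
        if x is None:
            break
    return []


def issuers(rrset):
    """Values of the 'issue' properties in an RRset, in zone order."""
    return [value for tag, value in rrset if tag == "issue"]


# The message's configurations as record lines (constructed for this example).
GOOD = 'CAA 0 issue "good-ca.example.org"'
EVIL = 'CAA 0 issue "evil-ca.example.org"'
TRAMPOLINE = ["www.example.com CNAME staffie.example.net",
              "staffie.example.net A 192.0.2.1", "example.net " + EVIL]
DIRECT = ["www.example.com CNAME example.net",
          "example.net A 192.0.2.1", "example.net " + EVIL]
CONFIGS = {
    "Self-Managed, Recursive, Trampoline'd":
        TRAMPOLINE + ["www.example.com " + GOOD, "example.com " + GOOD],
    "Externally-Managed, Recursive, Trampoline'd":
        TRAMPOLINE + ["example.com " + GOOD],
    "Self-Managed, Non-Recursive, Trampolined":
        TRAMPOLINE + ["example.com " + GOOD],
    "Externally-Managed, Non-Recursive, Trampolined (EITHER)":
        TRAMPOLINE + ["example.com " + GOOD, "staffie.example.net " + EVIL],
    "Externally-Managed, Non-Recursive, Trampolined (OR)":
        TRAMPOLINE + ["www.example.com " + EVIL, "example.com " + GOOD],
    "Self-managed, non-trampoline":
        DIRECT + ["www.example.com " + GOOD, "example.com " + GOOD],
    "Externally-managed, non-trampoline":
        DIRECT + ["example.com " + GOOD],
}


def evaluate_all(name="www.example.com"):
    """Return {config: (issuers under recursive, issuers under non-recursive)}."""
    out = {}
    for title, lines in CONFIGS.items():
        zone = Zone.parse(lines)
        out[title] = (issuers(lookup_recursive(zone, name)),
                      issuers(lookup_nonrecursive(zone, name)))
    return out


if __name__ == "__main__":
    for title, (rec, nonrec) in evaluate_all().items():
        flag = "" if rec == nonrec else "   <-- algorithms disagree"
        print(f"{title}\n  recursive:     {rec}\n  non-recursive: {nonrec}{flag}")
```

Running it shows where the two algorithms part ways: with a trampoline and no CAA at either www.example.com or staffie.example.net, the published algorithm climbs to example.net and authorises "evil-ca.example.org", while the erratum variant climbs example.com's own tree and authorises "good-ca.example.org"; the non-trampoline configurations evaluate identically under both. The toy zone does not enforce the rule that a CNAME owner may carry no other records (RFC 1034 section 3.6.2), so configurations that put a CAA beside the CNAME at www.example.com are accepted here even though a real authoritative server would reject them.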