Re: [lamps] CAA for IP Address Certificates
Antonios Chariton <daknob.mac@gmail.com> Fri, 02 December 2022 15:32 UTC
Return-Path: <daknob.mac@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875E8C14F745 for <spasm@ietfa.amsl.com>; Fri, 2 Dec 2022 07:32:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jh0qEyWrggZW for <spasm@ietfa.amsl.com>; Fri, 2 Dec 2022 07:32:53 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B9C4C14F747 for <spasm@ietf.org>; Fri, 2 Dec 2022 07:32:53 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id e13so6902929edj.7 for <spasm@ietf.org>; Fri, 02 Dec 2022 07:32:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :from:to:cc:subject:date:message-id:reply-to; bh=NWdb7rvzV144Z/QGd2stsGF+DZFHmXDNM32KxSuo83E=; b=XW+pgkuHk3ui6w0yN63ZJYMcqchA4Lw4BqkIxUogTJ7nuRk3nfZk6cdSHvl/45SAVF Z2/81N0Breezwc36OmHxe2xzcJSLOr1ZRwkjr2BAK69AoIdIR08rFga2YAtjUHPPp8SW RWu2248TtK7A/QAEVQO60zp1szUKlwp5z0bqTCVFjVAf/0bES78q8DeXYC15akQDh07p Fy+lKsK3I80RprJyP4CV+DuiJDjUDFS//ktW99D+ijsnwKRobSYpSpXwo1RffEg0+5mf famiqXBWFHh0kHYz1POYR2fuvOTbTpM0bn901gA+s2IQ5/3dE8ue+sE4qnqlv7xICRzQ 9RtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=NWdb7rvzV144Z/QGd2stsGF+DZFHmXDNM32KxSuo83E=; b=rqlHTZDRA64oVzuPgOt0gs32Iz9laURcedo3p0d9+qu9Rtxt4BhVAQ4NKBRganlp9P 7QQgZUssl6fLNMZC/QTenNgbu9Oezkxqx6Z+4cFjq0a6CaP4ya7QN0IZ8BKdgMsH8etG e+1F75rWTMp/ccTW+/0k/vlDOlzoyPK0lypYO8s6hSDMHspjxssGAXJyFcJi1UnbKMHw JCc3wALDMKonDPixVB1s39jVCdScArq3P1Gm5zcCpY2NlyWwjU2LtWsH8U25pMUWeZQ5 YHdzbQD05zD6PySAg9TMil3Mt6mt3W8RMe6iPCSXwMpV+C+1p4TMCCSYZX8+cSALlo5Q IesQ==
X-Gm-Message-State: ANoB5pkQprpj+s7TG8OL9Nxvch/9GSyVeERpXuc62D+GYuOBc2KeWXru wefZG3i5kFsvM2CXSJbIHWmBjzFBBU0=
X-Google-Smtp-Source: AA0mqf4F4mWZedV3uGvPfymk8078NA1Fzi3fRt6S6W/lw9eORtIGC8VfveT5Pc2ARgDjaw17GvReqg==
X-Received: by 2002:aa7:ca4c:0:b0:46c:24fc:ba0f with SMTP id j12-20020aa7ca4c000000b0046c24fcba0fmr3469791edt.140.1669995171278; Fri, 02 Dec 2022 07:32:51 -0800 (PST)
Received: from smtpclient.apple ([2a0d:3dc0:200:0:f8dc:5701:8f86:68a3]) by smtp.gmail.com with ESMTPSA id dk13-20020a0564021d8d00b0046b471596e6sm3059094edb.57.2022.12.02.07.32.50 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Dec 2022 07:32:50 -0800 (PST)
From: Antonios Chariton <daknob.mac@gmail.com>
X-Google-Original-From: Antonios Chariton <DaKnOb.MaC@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_83BA0CF9-4990-4A94-AA1E-0CAC192CE85C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
Date: Fri, 02 Dec 2022 16:32:39 +0100
References: <752FA1D6-8B86-40C6-9638-832F41880DCA@gmail.com>
To: LAMPS WG <spasm@ietf.org>
In-Reply-To: <752FA1D6-8B86-40C6-9638-832F41880DCA@gmail.com>
Message-Id: <1E6B1705-048E-459F-9DAE-8595714EBE80@gmail.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ntFsoVqBRrNVQHNRfA6r2Wrxgps>
Subject: Re: [lamps] CAA for IP Address Certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 15:32:57 -0000
I have uploaded the document to the Datatracker here: https://datatracker.ietf.org/doc/draft-chariton-ipcaa/ > On 30 Nov 2022, at 20:14, Antonios Chariton <DaKnOb.MaC@gmail.com> wrote: > > Hello everyone, > > I was preparing this I-D for a few months now, and it’s interesting that the publication of that coincides with the S/MIME CAA record I-D[1]. Perhaps we can exchange ideas! :) > > X.509 Certificates may include IP Addresses inside, e.g. in the Subject Alternative Names, the same way they can include domains. CAA records are only defined for domain names however, and there’s need to add support for IP addresses as well. > > For this reason, I drafted https://daknob.github.io/draft-chariton-ipcaa/ (available in TXT: https://daknob.github.io/draft-chariton-ipcaa/draft.txt). I will upload it to Datatracker and share a link here soon. > > The main idea is that CAA records are added in the “reverse DNS” zones, ip6.arpa and in-addr.arpa. Moreover, a new property is created to signal this type of CAA record. > > I have circulated this to a few people to get some early feedback, so I am including here some design decisions, explanations, and answers to questions: > > The Draft specifies the “ip” property. A common question was “why not issueip”? I felt like namespacing the property values depending on the particular need. For this reason, as “issue*” was used for TLS domain certificates and their subtypes (wildcard), I felt like the “ip*” namespace can be used for TLS IP certificates. I just saw that Corey chose “issuemail” for his Draft, but perhaps “mail*” would be a better namespace for that with this logic. We can always make it “ipissue” and “mailissue” if that’s better. What do you think of that? Future needs may arise for additional types that are better not left to parameters in the value. > > Another question was why “issue” on these two DNS zones is not enough. The reason here is that I wanted to separate the two usecases, and not allow them to be mixed. Moreover, certificates for the domain name “0.16.5.193.in-addr.arpa” are valid, and we need to be able to tell whether the requestor limits issuance for this domain, or for the IP address 193.5.16.0. Note that CAA can apply to non-WebPKI CAs that are not bound by the CA/B Forum or Root Program requirements. > > I didn’t want to have to create new parameters, e.g. “@ IN CAA 0 issue “example.com <http://example.com/>; onlyIP=1” and since Corey published the S/MIME draft I think it makes more sense now why this would not easily scale or why it’s not as clean of a solution. > > To illustrate the support for multiple such usecases, in https://daknob.github.io/draft-chariton-ipcaa/#section-4-9 I added an example that includes both “issue” and “ip” properties where I explain the expected outcome. If you believe that this is not clear enough, I can rephrase it, or add additional text. > > In the Deployment Considerations I mention that for IPv6, if there’s no CAA record, the CA may need to perform 32 DNS queries. I received some comments on whether this record can only exist at the full-address level (all 16 or 4 bytes), however I believe that this renders the hierarchical nature of DNS less useful, and e.g. an ISP with an IPv6 /29 allocation would need a zone file of 10^31 bytes. Other suggestions included picking an arbitrary number, e.g. 64 bits, however this still has the same concerns. Moreover, a lot of networks that deploy IPv6 today did not follow best practices and may assign e.g. all their VPS users’ address from within the same /64 network, in blocks of e.g. /112. > > Assuming an average of ~3 DNS delegations in an ip6.arpa zone (IANA -> RIR, RIR -> LIR, Another one just in case), this would mean that up to 3 DNS servers may have to be queried in total, not 32. As some of these delegations and zones in general have high TTL values, I don’t personally expect a great rise in the number of DNS queries. Combined with the (currently) low issuance of IP Address certificates, I wouldn’t expect this to be a problem for either CAs or authoritative DNS servers. > > Much like NS records, an allocation that is not on the 4-bit boundary for IPv6 and on the 8-bit boundary for IPv4 may need more than one CAA record to cover a subnet. For example, an IPv4 /21 will require 8 CAA records minimum to cover it. > > There may be “optimizations” for resolvers depending on their use and implementation of QNAME Minimization (RFC7816) [2]. > > Having a quick look at Corey’s draft, I think that this draft is clear enough, and I did not miss any additional Security Considerations :) > > I am planning to solicit feedback from the Mozilla Dev Security Policy mailing list [3] as well, to determine whether there exist any concerns for this for use in the WebPKI. > > Happy to receive any questions, suggestions, comments, etc. and discuss them here or privately. > > Thanks, > Antonis > > > Sources > > 1: https://mailarchive.ietf.org/arch/msg/spasm/chcrIZEit6HcdGyFGNzyiL7Dg6k/# > 2: https://www.rfc-editor.org/rfc/rfc7816 > 3: https://groups.google.com/a/mozilla.org/g/dev-security-policy
- [lamps] CAA for IP Address Certificates Antonios Chariton
- Re: [lamps] CAA for IP Address Certificates Antonios Chariton