Re: [Spasm] CAA erratum 4515
Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 12 March 2017 19:30 UTC
Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F721294DD for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 12:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgZQL9CgI5a5 for <spasm@ietfa.amsl.com>; Sun, 12 Mar 2017 12:30:19 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 747EE129525 for <spasm@ietf.org>; Sun, 12 Mar 2017 12:30:10 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTP id 2E9E8A004F15 for <spasm@ietf.org>; Sun, 12 Mar 2017 12:30:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=XEJntxT3mPbWRx4YZ/cAzZw1MQA=; b= XiPRuVEauEn+rkN6FFf1MPNJcdlI3+/ShiCltoKfekT2vLQap7j0GDAKihxw9Pv+ G+F2qxxeImFOuhXkVsOhINunwAMxqpl1+GRq4/LX9RIUi9enkwzVwz5k3ZGVEDGo aKH4n0cvWCIoFGKDwzJDVv7XfK25yaO4UAe0kZ2/So0=
Received: from mail-lf0-f54.google.com (mail-lf0-f54.google.com [209.85.215.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTPSA id EDF33A004F14 for <spasm@ietf.org>; Sun, 12 Mar 2017 12:30:09 -0700 (PDT)
Received: by mail-lf0-f54.google.com with SMTP id z15so34499007lfd.1 for <spasm@ietf.org>; Sun, 12 Mar 2017 12:30:09 -0700 (PDT)
X-Gm-Message-State: AMke39nsJphVxm8A4WW37SmKDD7z7fJy81yb8S2Aqv124aWS+aNfi7h7omgqrJ+d749NrnT/k/i10N/gcyFzOg==
X-Received: by 10.46.83.29 with SMTP id h29mr8923797ljb.84.1489347008081; Sun, 12 Mar 2017 12:30:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.193.197 with HTTP; Sun, 12 Mar 2017 12:30:07 -0700 (PDT)
In-Reply-To: <CAMm+LwgKOQiJNjzFtXtxt26uhdQY8UyT344dGRPWmCs2MGS-Og@mail.gmail.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org> <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com> <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org> <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com> <e00e0b36-b3f4-d544-0f85-5af10641d310@eff.org> <CAErg=HEURahEODsz9bPyS+B0NYsAioh6P5HeZsXmQUoJhC-9JQ@mail.gmail.com> <a57addb3-d297-8d60-8f40-c7e802921561@eff.org> <CAMm+LwgKOQiJNjzFtXtxt26uhdQY8UyT344dGRPWmCs2MGS-Og@mail.gmail.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sun, 12 Mar 2017 12:30:07 -0700
X-Gmail-Original-Message-ID: <CAErg=HHUqHKNZvC7hQZGey=aXsmDUXTNS7SHu0LVXwO6dR2gfw@mail.gmail.com>
Message-ID: <CAErg=HHUqHKNZvC7hQZGey=aXsmDUXTNS7SHu0LVXwO6dR2gfw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary="94eb2c1ce7fa5d3b49054a8d9fbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/nvvjK2yE98KsYQYTElyMh_WhW8o>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Jacob Hoffman-Andrews <jsha@eff.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, Phillip Hallam-Baker <philliph@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 19:30:21 -0000
On Sun, Mar 12, 2017 at 11:43 AM, Phillip Hallam-Baker < phill@hallambaker.com> wrote: > If people want an escape hole 'anyone can issue' in CAA, I would rather do > it by defining generic domains: > > ev.cabforum.org > dv.cabforum.org > > That avoids the need to define new tags or update processing code. They > are simply domains that any WebTrust or ETSI audited CA issuing to those > requirements can issue. > I think there are several flaws with this argument: - It's only applicable to set the of CAs bound by such a profile; that is, a CA who is not WebTrust audited could just as easily issue such a certificate without 'violating' either the letter or spirit of CAA, so it's pointless to try to describe policy in that way - The idea of introducing audits into the technical description is flawed, in as much as audits are post-facto evaluations of operations. So it wouldn't be a violation - of CAA or program requirements - for a CA with an EV audit to issue such a certificate as DV if their CP/CPS dictated - it'd only be post-facto misissuance. - It still effectively limits the ability to express, for a given CA, the desired policies of issuance. One organizations 'EV' can be another organizations QCP+. Let's keep to a simple principle - of simply saying 'any' - and leave distinctions about certificate policies relevant to the set of CAs being interacted with (e.g. as tags). That's the only way that really makes a defensible - and auditable - security boundary, without relying on external evaluations (whether or not a given CA is 'trusted' for EV, whether or not a given CA is audited for EV, etc)
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews