Re: [lamps] CAA processing for email addresses

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 30 November 2022 23:12 UTC

Message-ID: <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie>
Date: Wed, 30 Nov 2022 23:12:07 +0000
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>, Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oqAwMQMMjm6aFEK6XSZXGci7pBs>

Hiya,

On 30/11/2022 20:47, Corey Bonnell wrote:
> Fundamentally, CAA is a mechanism for domains to express the allowed
> set of CAs that may issue certificates. Given that the mailbox
> provider owns/controls the domain name in question, I believe it is
> entirely acceptable for such a mailbox provider to limit the set of
> CAs that can issue S/MIME certificates for the provider’s domain.
I don't think the last part of the above is reasonable.

CAA is reasonable for a certificate for the domain (name)
itself, but not for a certificate for an individual email
address, where the service (e.g. smime) does not affect
the entire domain.

I guess I should go and read the draft now:-)

S.
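As an added illustration (not code from this thread, the draft under discussion, or any CA), here is the RFC 8659 CAA relevant-record-set lookup applied to the domain part of a mailbox address, run over a constructed in-memory zone. It shows the point both sides are arguing about: a CAA "issue" record sits at the domain, so if it is consulted for S/MIME it governs every mailbox in that domain. Zone names and CA identifiers below are made up.

```python
"""Added example: RFC 8659 CAA lookup for the domain part of an email address.
The zone is a constructed dict, not live DNS."""

# Constructed DNS data: name -> list of (flags, tag, value) CAA records.
# Names with no entry have no CAA RRset, so the lookup climbs to the parent.
CONSTRUCTED_ZONE = {
    "example.com": [(0, "issue", "ca-a.example")],   # only ca-a may issue
    "mail.example.org": [(0, "issue", ";")],         # no CA may issue at all
}


def relevant_caa_rrset(fqdn, zone):
    """RFC 8659 s.3: climb from fqdn towards the root and return the first
    non-empty CAA RRset together with the name it was found at.
    CNAME/DNAME following is omitted because the zone is a plain dict."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []


def ca_may_issue(ca_id, fqdn, zone):
    """RFC 8659 s.4.2 'issue' semantics: no CAA RRset (or no 'issue'
    property) means any CA may issue; an 'issue' value whose issuer-domain
    part is empty (e.g. ';') forbids every CA; otherwise the issuer-domain
    part must match the CA's identifier."""
    _, rrset = relevant_caa_rrset(fqdn, zone)
    issue_values = [v for _, tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True
    return any(v.split(";", 1)[0].strip().lower() == ca_id.lower()
               for v in issue_values)


def ca_may_issue_smime(ca_id, email, zone):
    """Apply the domain's CAA policy to an S/MIME request for one mailbox:
    the check key is the domain part, so one record covers all mailboxes."""
    domain = email.rsplit("@", 1)[1]
    return ca_may_issue(ca_id, domain, zone)
```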