Re: [lamps] WG Last Call for rfc6844bis

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 12 October 2018 21:44 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Date: Fri, 12 Oct 2018 21:44:41 +0000
Message-ID: <BN6PR14MB110629377C8A3853C624394483E20@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <CAErg=HHvTygDW3qAYdURS0wtS679kEuFhadyT3LKSjr0g9Da_Q@mail.gmail.com>
Subject: Re: [lamps] WG Last Call for rfc6844bis
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aOmZNsN2vMZ8JJuj5qHKDzPJbRk>

I actually support not holding up 6844bis and doing it as a separate draft, but people on the call wanted me to find out what the non-CABF LAMPS participants thought.

I don’t think extensions to CAA are outside the scope of the charter, or the 6844bis effort for that matter. Which is why I was willing to ask and see how the group would like to handle it.

Also, I was asked by the chair to bring it up during the WGLC, so it is inappropriate for you to try to shut down the discussion.

-Tim

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Friday, October 12, 2018 5:38 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Russ Housley <housley@vigilsec.com>; Ryan Sleevi <ryan-ietf@sleevi.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] WG Last Call for rfc6844bis

On Sat, Oct 13, 2018 at 6:16 AM Tim Hollebeek <tim.hollebeek@digicert.com> wrote:

Your characterization of what the Forum “wants” is at odds with previous discussions in London, where working with IANA was explicitly called out as a goal.

Yes, to register the appropriate strings to be associated with an Informational or CA/Browser Forum maintained document.

It also is at odds with the unanimous consensus on the last validation call, where everyone agreed that working together with IETF on this was desirable.

That’s cool and all, but that’s not how the CA/Browser Forum measures consent (via Ballot), and that’s not at odds with what I suggested. Write a draft, recognize the use cases, and if it is to be published in IETF at all, do it as Informational.

In any event, you’re talking about something not on the charter, and doing it as soon as WGLC starts - and suggesting delay - is a poor choice. Does 6844bis address what Lamps was chartered to do? Yes. Does any of your hypothetical proposal require change to those mechanisms? No. So let’s stop talking about it in WGLC, focus on the charter and the question asked, and once there’s something more to discuss, revisit charter revisions and consensus. But don’t hold up 6844bis to add features to a document designed to be independently extensible.

-Tim

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Thursday, October 11, 2018 7:13 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Russ Housley <housley@vigilsec.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] WG Last Call for rfc6844bis

On Fri, Oct 12, 2018 at 4:25 AM Tim Hollebeek <tim.hollebeek@digicert.com> wrote:

LAMPS chair hat off; CABF Validation Subcommittee (formerly, Validation
Working Group) hat on.

Recently at the CA/Browser Forum, allowing customers to use CAA to limit
the validation methods that can be used for a domain has been identified
as one of the Forum's highest priorities. I started a thread on the idea
back in December:

https://mailarchive.ietf.org/arch/msg/spasm/Jse-FslACq3wair2B2_YSwpViNs

While CAs can potentially unilaterally implement this on their own outside
the Forum with parameters (as in the acme-caa draft), uniformity throughout
the industry would be desirable. The Forum also has the ability to mandate
implementation by a specific date.

This was discussed on this morning's Validation Subcommittee call, and it
was suggested we ask the group if there is interest in including this in RFC
6844-bis, or whether it would be preferable to handle it as a separate
draft.

Handle it as a separate draft, and recharter the WG if there is consensus to adopt draft text. The charter we have does not include that effort, and there are more ways to botch it than to get it right. It’s an extension, in theory, so let it be defined as such in a separate document.

Personally, I believe such an extension would be better spec’d as Informational (thus, at odds with 6844-bis, which is Standards Track), because what the Forum “wants” is an extension whose namespace is defined and maintained by the CA/Browser Forum, not the IETF or IANA, and not designed to interoperate with other PKIs that use CPs other than the Baseline Requirements. If members of the Forum want Lamps to adopt such work, they should first work through what it is they want before asking Lamps to recharter to consider their industry-specific use case.

So no, don’t add a rechartering discussion for WGLC just because some folks had an extension they want to figure out.


-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Thursday, October 11, 2018 2:01 PM
> To: SPASM <spasm@ietf.org>
> Subject: [lamps] WG Last Call for rfc6844bis
> 
> This is the LAMPS WG Last Call for "DNS Certification Authority
> Authorization (CAA) Resource Record" <draft-ietf-lamps-rfc6844bis-01>.
> 
> Please review the document and send your comments to the list by 22
> October 2018.
> 
> If no concerns are raised, the document will be forwarded to the IESG with
> a request for publication as Proposed Standard.
> 
> Russ & Tim
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
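The mechanism the thread argues about (using CAA issue-record parameters to limit which validation methods a CA may use for a domain, as in the acme-caa draft, later published as RFC 8657) is easy to lose sight of behind the process discussion. The following is an added example written for this page, not code from any thread participant, DigiCert, or the IETF. It evaluates CAA records in zone-file presentation form, applies the RFC 6844 rules that matter here (critical-flag handling, issue vs. issuewild, the empty-issuer form), and honours a `validationmethods` parameter. The sample zone, the CA name `ca.example` and the method labels are constructed for illustration; a real CA would fetch the record set per RFC 6844's tree-climbing algorithm, which is not shown.

```python
"""Added example: CAA issue-record evaluation with a validationmethods parameter.

Record syntax follows RFC 6844 ('<flags> <tag> "<value>"'); the parameter
name 'validationmethods' follows the acme-caa draft (RFC 8657). Sample data
below is constructed, not taken from any real zone.
"""
from dataclasses import dataclass

# Tags this evaluator understands. A record carrying the critical flag (128)
# with any other tag must cause the CA to refuse issuance (RFC 6844).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse the zone-file presentation form '<flags> <tag> "<value>"'."""
    flags_s, tag, value = presentation.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags_s), tag.lower(), value)


def parse_issue_value(value: str):
    """Split 'ca.example; k1=v1; k2=v2' into (issuer_domain, {k: v}).

    An empty issuer (the record value ';') means 'no CA may issue'."""
    parts = value.split(";")
    issuer = parts[0].strip().lower()
    params = {}
    for part in parts[1:]:
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_permitted(records, ca_domain, method, wildcard=False):
    """Decide whether `ca_domain` may issue using `method`.

    Returns (permitted, reason). Follows RFC 6844 for record selection and
    the acme-caa 'validationmethods' parameter for method restriction:
    issuance is allowed if any relevant record names this CA and either has
    no validationmethods parameter or lists the method."""
    recs = [parse_caa(r) for r in records]
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in recs):
        return False, "critical flag set on a tag this CA does not understand"
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in recs if r.tag == tag]
    if wildcard and not relevant:
        # No issuewild records: wildcard requests fall back to issue records.
        relevant = [r for r in recs if r.tag == "issue"]
        tag = "issue"
    if not relevant:
        return True, "no issue/issuewild records: CAA places no restriction"
    ca_domain = ca_domain.lower()
    method = method.lower()
    for rec in relevant:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca_domain:
            continue
        allowed = params.get("validationmethods")
        if allowed is None:
            return True, f"{rec.tag} record for {issuer} without method restriction"
        methods = {m.strip().lower() for m in allowed.split(",") if m.strip()}
        if method in methods:
            return True, f"method {method} listed in validationmethods={allowed}"
    return False, f"no {tag} record authorises {ca_domain} with method {method}"


# Constructed sample zone: ca.example may issue only via dns-01, another CA
# may issue with any method, and nobody may issue wildcard certificates.
SAMPLE_ZONE = [
    '0 issue "ca.example; validationmethods=dns-01"',
    '0 issue "other-ca.example"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for ca, meth, wild in [("ca.example", "dns-01", False),
                           ("ca.example", "http-01", False),
                           ("other-ca.example", "http-01", False),
                           ("ca.example", "dns-01", True)]:
        print(ca, meth, "wildcard" if wild else "", issuance_permitted(SAMPLE_ZONE, ca, meth, wild))
```

The `validationmethods` check only narrows what an `issue` record already authorises: a CA not named in any record is refused regardless of method, and a record without the parameter keeps RFC 6844's default of permitting every method the CA's policy allows, which is the interoperability point the thread raises about method identifiers being defined outside the IETF.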