Re: [Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Fri, 10 March 2017 23:47 UTC
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71CBA12948A for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 15:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KC9c1LgJaYmJ for <spasm@ietfa.amsl.com>; Fri, 10 Mar 2017 15:47:50 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E1C61289C4 for <spasm@ietf.org>; Fri, 10 Mar 2017 15:47:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject; bh=nANXCFECHFPpdXvaTGXMLlhwF3asr7E9JvGBSpZ/ZzU=; b=QlP3+QzHVhh8ataGh2SPAIkKovS/Mt4JCjmim5Uz//X1ffvtErxh8Trq4YgcjsswHoDRJJYCa9ENHxOppLMKLB7WJTJn36+CKdX42PlDG4SW06UqjSLyCz36y7Q4V/71vR6BvDHCph+ooC3uJMrmQ5gf9+HsrbAGzzV9pMelHlY=;
Received: ; Fri, 10 Mar 2017 15:47:51 -0800
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org> <CAErg=HFtk0EKASTpWwNVhcT4zk2+ei-KPv=cMYDQej2oGJi=rw@mail.gmail.com> <9c55abf5-b81b-d9cb-c88c-7ea5bc6390c8@eff.org> <CAErg=HGT7FyDKgm8cAUojhGDOzLUkn=bw1Xdghbqnxw-79zQiw@mail.gmail.com> <8f216ae1-d236-79c1-5baf-44cf7bfa619b@eff.org> <CAErg=HFeAMLF4vY59oTBh=OpeChyG8SpJ406cE=CpjouA9fq8w@mail.gmail.com> <7f9c38ad-aa39-c403-0320-7300619b9986@eff.org> <CAErg=HE34vYrrtCe1jGgaO0mAdGqiYaGMEpJaXJDf4Pp19WN-Q@mail.gmail.com> <e00e0b36-b3f4-d544-0f85-5af10641d310@eff.org> <CAErg=HEURahEODsz9bPyS+B0NYsAioh6P5HeZsXmQUoJhC-9JQ@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <a57addb3-d297-8d60-8f40-c7e802921561@eff.org>
Date: Fri, 10 Mar 2017 15:47:48 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAErg=HEURahEODsz9bPyS+B0NYsAioh6P5HeZsXmQUoJhC-9JQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F1ABC4BB6CE4B5614E5101D9"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/q57rkzlSGlnrDvQxvgvlo4bn4GA>
Cc: Patrick Donahue <pat@cloudflare.com>, Gervase Markham <gerv@mozilla.org>, Phillip Hallam-Baker <philliph@comodo.com>, Peter Bowen <pzb@amzn.com>, SPASM <spasm@ietf.org>, Rob Stradling <rob.stradling@comodo.com>
Subject: Re: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2017 23:47:52 -0000
Cool, sounds like we are now on the same page, and can start talking in more subjective terms. On 03/10/2017 02:51 PM, Ryan Sleevi wrote: > > 1. Policy set by user-facing domain owner for their own hostnames. > 2. Blanket policy set by CDN for hostnames they operate on their > customers' behalf. > 3. Policy set by CDN for their own hostnames, which share the same > base domain as the CNAME targets used in (2). > I think (1) is easily handled by both tree-climbing and non-tree-climbing implementations. Both (2) and (3) are handled by both tree-climbing and non-tree-climbing implementations with deployment of two CAA records. If the policies happen to be the same, tree climbing allows the CDN to economize on CAA records by deploying just one, on their base domain. However, I think the policies are not likely to be the same. The feedback we've gotten so far from Patrick is that Cloudflare is unlikely to implement (2) because, like most CDNs and hosting providers, they are effectively a Mixed-management setup. So, what if a CDN wants to implement (3), but specifically avoid (2)? This is very easy in the non-tree-climbing world: they set a single CAA record on their base domain. In the tree-climbing world, it's very hard. The CDN would need to specify a restrictive CAA record on their base domain, and then another CAA record that specifies "Nevermind, everything is allowed again" on their CNAME target, in order to block tree-climbing to their root domain. As far as I can see, RFC 6844 doesn't define a "Nevermind, everything is allowed" CAA record. I think you could achieve the effect by creating a CAA record containing a random tag that is not otherwise used, and setting the critical bit to 0. But this is pretty hacky. Do you see a better way to implement "(3) but not (2)" in the tree-climbing world? >> If domain operators wish to operate with their own policy, and >> support customers with the same policy (on the domains the domain >> operator operates), while allowing their customers to operate >> with their own policy on the customer domains, the trampoline is >> necessary. > I don't think this case is significantly different than the above. > One policy gets set on the CDN's base domain, while the other > policy gets set on the CNAME target. If those policies happen to > be the same, that's fine. > > > Fair point here as well. The complexity then comes from whether this > reflects current deployment, or whether it reflects a point of > deployment which would have to change to support. I think this is what > you've identified in (2). Is the question here whether CNAME targets are generally subdomains or base domains? In my experience, almost always subdomains.
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews