Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
Nicolas Lidzborski <nlidz+ietf@google.com> Mon, 05 December 2022 23:16 UTC
Return-Path: <nlidz@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2993C1522D2 for <spasm@ietfa.amsl.com>; Mon, 5 Dec 2022 15:16:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.096
X-Spam-Level:
X-Spam-Status: No, score=-17.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RqVp6w6GDVg for <spasm@ietfa.amsl.com>; Mon, 5 Dec 2022 15:16:41 -0800 (PST)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ACCEC14F73A for <spasm@ietf.org>; Mon, 5 Dec 2022 15:16:41 -0800 (PST)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-3b5d9050e48so134865687b3.2 for <spasm@ietf.org>; Mon, 05 Dec 2022 15:16:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9CCfQ2iNTfhI7jfYmNnAtlY0YOI1khTfbMkT0VtOdh4=; b=UQrllC74wgITVSDO2t3TgycONcG0mp+8vi69JO2X1eYXs3K/sZUn5b3M+Sdtnnpr3L iGMzhTcCoANYAPjCUwWPkeVhXP2aG5Tmjt9/wVI9uWkedadcr5/sH6zBLdfm04LSNuZJ UVCsBEv/0OWfocPYkB26MPtXpZ/BBugjFgSE7umiBWoNF7EKYh0T8o1PHY4p4h52pMLl VACyc77DbzBIuP3z0XPwxMT7SHYbZLfS9jKC+BbX3DsPbJUKq5Z3/m2EZhrBErQWcEzr cMFEUafug4ompnqIUzwwcko0RAKzrgPmc0ZhmQCNJKuDdj1hR2dXmR0kRQLWv/d0EIiB zTtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9CCfQ2iNTfhI7jfYmNnAtlY0YOI1khTfbMkT0VtOdh4=; b=beJvHtNS70ESyJRy00d7pKbkF1+vAG+cOzXyChfGbcTACqrSKBCZqNgZifoT7yLcaX h8MbdiXyQudeZoLjcCyOZPIfpwk4EHxYeZkhOOTywIOapf6OfteASVbuSXMMsOgtvIYI pp9tE6Uj3v2nk7JTNVtoZVgmX8Fbzshn5WYVajB+uoh/Ov1o0przt+4xiJJo3WT29z4/ rQM3YsBy5JHPnq+UIePM7qq3TUEHSIzzGp5q/jxwKGIcZTOiXl8xZchJcuxGEUS7hr5p Eq8JxGRrWUB9gq6VqJKSE5vvbzwNO6Wfm+g4aCxbd+lTVFeg9RMLcJ4T3qs9jl/APDcA U4kA==
X-Gm-Message-State: ANoB5pk3FXOPBmL2hgIqAcOOL+fewtGJvehroAL627x7ep9tmOT2JXwh zvbpjJYHqEea9KKDTBosmYYS5EtkrseRFi3WywyKpzvhK7XSjg==
X-Google-Smtp-Source: AA0mqf55RX1svu4rlmKtR3V1q+TNhSVredxfhuLabSSmvsGWgEiWoYUF+1i5c5MWhPsTEhCPRRLxqaCY4f3ko6LmP04=
X-Received: by 2002:a81:554a:0:b0:3c3:8b8e:13ee with SMTP id j71-20020a81554a000000b003c38b8e13eemr38902071ywb.77.1670282199741; Mon, 05 Dec 2022 15:16:39 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com> <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com> <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com> <CAMm+LwiXQzN4O=efFg6e7U1C2oW7YFPbx51ZjLhMDL5Z0s87rg@mail.gmail.com> <876b96f2-4a51-df07-a31a-4fe6caafcb73@cs.tcd.ie> <CAMm+Lwh++P3uZA3VETyAODhAGVFh4_sQhRBX63_KesLKNc04+w@mail.gmail.com> <BEDF0316-E072-427A-B050-12EBB2068281@gmail.com> <DM6PR14MB218602CDD14762D46D72E72492189@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <DM6PR14MB218602CDD14762D46D72E72492189@DM6PR14MB2186.namprd14.prod.outlook.com>
From: Nicolas Lidzborski <nlidz+ietf@google.com>
Date: Mon, 05 Dec 2022 15:16:12 -0800
Message-ID: <CAAYYu_uKgbz_kwqv+Cf+NrHQ7WmnJX0nL-L9tFt6XksuYd40CQ@mail.gmail.com>
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Cc: Antonios Chariton <daknob.mac@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031470505ef1ce104"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rv0BjD0xjYbSw1scBqwpnkNV6tQ>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 23:16:45 -0000
On Sun, Dec 4, 2022 at 4:24 PM Corey Bonnell <Corey.Bonnell= 40digicert.com@dmarc.ietf.org> wrote: > Hi Antonios, > > Thanks for your comments. Responses inline. > > > > - Perhaps “mailissue” or “mail” is better (explained in the thread) or > even “smime”. This allows for “smimeentity” and “smimeserver” for example, > if there’s a future need for that. > > > > I follow your logic in your previous message and think we should settle on > a common convention in our two drafts. I’m partial to including a verb in > the property tag to disambiguate the tag from other property tags that may > be relevant to the specific certificate type but not specify any > restrictions on the set of CAs that can issue. Additionally, I think > there’s value in retaining the “verb-object” tag-naming convention > established by RFC 6844/8659 with “issuewild”. Otherwise, there will be > inconsistency in naming depending on the certificate type. > Is there a reason the tags are not tied to the Key Usage of the certs? In particular for S/MIME, you may need to consider certificates only issued for digital signature and others only for encryption. > > - I don’t know if I would make this critical > > > > I agree with you and Phillip that this tag shouldn’t be critical by > default. I’ll clarify this point in an update to the draft in the next few > days. > > - In terms of adoption, I would like to see CAA for S/MIME, and this > is a good and simple way to achieve it. > > > > I also see CAA for IP addresses as valuable for the ecosystem as well. I > plan to give your draft a fuller read shortly and will follow up with any > comments. > > > > Thanks, > > Corey > > > > *From:* Antonios Chariton <daknob.mac@gmail.com> > *Sent:* Friday, December 2, 2022 10:51 AM > *To:* spasm@ietf.org > *Cc:* Corey Bonnell <Corey.Bonnell@digicert.com> > *Subject:* Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses > > > > I think that CAA for S/MIME is useful, and can help enforce policies for > an enterprise, and even for large e-mail providers (although probably not > for their main domain gmail.com / hotmail.com / etc.). I participate here > on my personal capacity and won’t speak on behalf of Gmail. > > > > Two things I’d maybe consider, one of which is described in my thread[1] > too: > > > > - Perhaps “mailissue” or “mail” is better (explained in the thread) or > even “smime”. This allows for “smimeentity” and “smimeserver” for example, > if there’s a future need for that. > > > > - I don’t know if I would make this critical > > > > Marking this as critical will require all CAs (at least) to build support > for it, otherwise its presence will block issuance of TLS certificates. My > suggestion is to make this non-critical (as it is not necessary to use CAA > for this domain at all), and then require parsing of CAA “mail” (or > whatever) properties in the requirements that include this doc. In this > case, it can be the CA/B Forum BRs. If they specify that CAs MUST follow / > understand / support / conform to … RFCXXXX then you achieve the > criticality in the publicly trusted space, without breaking all CAA > implementations in the meantime. > > > > I would argue that this property is not critical for a CA that does not > issue S/MIME certs, and in my view the critical flag is for things > necessary for all CAA uses, not just one. > > > > In terms of adoption, I would like to see CAA for S/MIME, and this is a > good and simple way to achieve it. The lack of Certificate Transparency in > the space will make it more difficult to detect misissuance / > non-conformity, but when detected it would make it hopefully easier to > prove. Without speaking on behalf of any Root Program, I imagine this would > help many stakeholders in the S/MIME ecosystem. > > > > Antonis > > > > > > 1: > https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/ > > > > On 1 Dec 2022, at 22:42, Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > > > > But this is not a proposal that would be relevant to Mail Service > Operators like Gmail or Hotmail. > > > > It is only relevant to enterprises running mail services under their own > DNS name. Outsourcing that to a mail service provider would not impact the > use of CAA or S/MIMe in the slightest. > > > > > > On Thu, Dec 1, 2022 at 3:02 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > > > > On 01/12/2022 18:46, Phillip Hallam-Baker wrote: > > I support adoption of this draft. > > In the absence of mail service operators who say they want > this, I'm against adoption. (If this does originate in CAB > forum, I'm not aware folks like that are represented there.) > > If some mail service operators wanted this, I'd consider what > they said. > > S. > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- Re: [lamps] CAA processing for email addresses Russ Housley
- [lamps] CAA processing for email addresses Corey Bonnell
- Re: [lamps] CAA processing for email addresses Seo Suchan
- Re: [lamps] CAA processing for email addresses Corey Bonnell
- Re: [lamps] CAA processing for email addresses Stephen Farrell
- Re: [lamps] CAA processing for email addresses Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Corey Bonnell
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Stephen Farrell
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Antonios Chariton
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Corey Bonnell
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Nicolas Lidzborski
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Nicolas Lidzborski
- Re: [lamps] [EXTERNAL] Re: CAA processing for ema… Corey Bonnell
- Re: [lamps] CAA processing for email addresses Seo Suchan
- Re: [lamps] CAA processing for email addresses Seo Suchan
- Re: [lamps] CAA processing for email addresses Corey Bonnell