IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses

Nicolas Lidzborski <nlidz+ietf@google.com> Mon, 05 December 2022 23:16 UTC

Return-Path: <nlidz@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2993C1522D2 for <spasm@ietfa.amsl.com>; Mon, 5 Dec 2022 15:16:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.096
X-Spam-Level:
X-Spam-Status: No, score=-17.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RqVp6w6GDVg for <spasm@ietfa.amsl.com>; Mon, 5 Dec 2022 15:16:41 -0800 (PST)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ACCEC14F73A for <spasm@ietf.org>; Mon, 5 Dec 2022 15:16:41 -0800 (PST)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-3b5d9050e48so134865687b3.2 for <spasm@ietf.org>; Mon, 05 Dec 2022 15:16:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9CCfQ2iNTfhI7jfYmNnAtlY0YOI1khTfbMkT0VtOdh4=; b=UQrllC74wgITVSDO2t3TgycONcG0mp+8vi69JO2X1eYXs3K/sZUn5b3M+Sdtnnpr3L iGMzhTcCoANYAPjCUwWPkeVhXP2aG5Tmjt9/wVI9uWkedadcr5/sH6zBLdfm04LSNuZJ UVCsBEv/0OWfocPYkB26MPtXpZ/BBugjFgSE7umiBWoNF7EKYh0T8o1PHY4p4h52pMLl VACyc77DbzBIuP3z0XPwxMT7SHYbZLfS9jKC+BbX3DsPbJUKq5Z3/m2EZhrBErQWcEzr cMFEUafug4ompnqIUzwwcko0RAKzrgPmc0ZhmQCNJKuDdj1hR2dXmR0kRQLWv/d0EIiB zTtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9CCfQ2iNTfhI7jfYmNnAtlY0YOI1khTfbMkT0VtOdh4=; b=beJvHtNS70ESyJRy00d7pKbkF1+vAG+cOzXyChfGbcTACqrSKBCZqNgZifoT7yLcaX h8MbdiXyQudeZoLjcCyOZPIfpwk4EHxYeZkhOOTywIOapf6OfteASVbuSXMMsOgtvIYI pp9tE6Uj3v2nk7JTNVtoZVgmX8Fbzshn5WYVajB+uoh/Ov1o0przt+4xiJJo3WT29z4/ rQM3YsBy5JHPnq+UIePM7qq3TUEHSIzzGp5q/jxwKGIcZTOiXl8xZchJcuxGEUS7hr5p Eq8JxGRrWUB9gq6VqJKSE5vvbzwNO6Wfm+g4aCxbd+lTVFeg9RMLcJ4T3qs9jl/APDcA U4kA==
X-Gm-Message-State: ANoB5pk3FXOPBmL2hgIqAcOOL+fewtGJvehroAL627x7ep9tmOT2JXwh zvbpjJYHqEea9KKDTBosmYYS5EtkrseRFi3WywyKpzvhK7XSjg==
X-Google-Smtp-Source: AA0mqf55RX1svu4rlmKtR3V1q+TNhSVredxfhuLabSSmvsGWgEiWoYUF+1i5c5MWhPsTEhCPRRLxqaCY4f3ko6LmP04=
X-Received: by 2002:a81:554a:0:b0:3c3:8b8e:13ee with SMTP id j71-20020a81554a000000b003c38b8e13eemr38902071ywb.77.1670282199741; Mon, 05 Dec 2022 15:16:39 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com> <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com> <3c5ce299-8647-c481-57d8-ca604a655e0c@cs.tcd.ie> <daba6e40-227e-6229-173d-c9085902af91@cs.tcd.ie> <CH0PR11MB5739CDF4AC9F496DA341DA249F159@CH0PR11MB5739.namprd11.prod.outlook.com> <87bfb6bc-24d0-fafc-d0b9-546640bda7c3@cs.tcd.ie> <CH0PR11MB57394997AEBA7EF1FA81C4D69F149@CH0PR11MB5739.namprd11.prod.outlook.com> <DM6PR14MB2186AC61073AA34BC230CE2B92149@DM6PR14MB2186.namprd14.prod.outlook.com> <CH0PR11MB5739C121E1D96CE28382B4D49F149@CH0PR11MB5739.namprd11.prod.outlook.com> <CAMm+LwiXQzN4O=efFg6e7U1C2oW7YFPbx51ZjLhMDL5Z0s87rg@mail.gmail.com> <876b96f2-4a51-df07-a31a-4fe6caafcb73@cs.tcd.ie> <CAMm+Lwh++P3uZA3VETyAODhAGVFh4_sQhRBX63_KesLKNc04+w@mail.gmail.com> <BEDF0316-E072-427A-B050-12EBB2068281@gmail.com> <DM6PR14MB218602CDD14762D46D72E72492189@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <DM6PR14MB218602CDD14762D46D72E72492189@DM6PR14MB2186.namprd14.prod.outlook.com>
From: Nicolas Lidzborski <nlidz+ietf@google.com>
Date: Mon, 05 Dec 2022 15:16:12 -0800
Message-ID: <CAAYYu_uKgbz_kwqv+Cf+NrHQ7WmnJX0nL-L9tFt6XksuYd40CQ@mail.gmail.com>
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Cc: Antonios Chariton <daknob.mac@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000031470505ef1ce104"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rv0BjD0xjYbSw1scBqwpnkNV6tQ>
Subject: Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 23:16:45 -0000

On Sun, Dec 4, 2022 at 4:24 PM Corey Bonnell <Corey.Bonnell=
40digicert.com@dmarc.ietf.org> wrote:

> Hi Antonios,
>
> Thanks for your comments. Responses inline.
>
>
>
>    - Perhaps “mailissue” or “mail” is better (explained in the thread) or
>    even “smime”. This allows for “smimeentity” and “smimeserver” for example,
>    if there’s a future need for that.
>
>
>
> I follow your logic in your previous message and think we should settle on
> a common convention in our two drafts. I’m partial to including a verb in
> the property tag to disambiguate the tag from other property tags that may
> be relevant to the specific certificate type but not specify any
> restrictions on the set of CAs that can issue. Additionally, I think
> there’s value in retaining the “verb-object” tag-naming convention
> established by RFC 6844/8659 with “issuewild”. Otherwise, there will be
> inconsistency in naming depending on the certificate type.
>

Is there a reason the tags are not tied to the Key Usage of the certs?
In particular for S/MIME, you may need to consider certificates only issued
for digital signature and others only for encryption.


>
>    - I don’t know if I would make this critical
>
>
>
> I agree with you and Phillip that this tag shouldn’t be critical by
> default. I’ll clarify this point in an update to the draft in the next few
> days.
>

>    - In terms of adoption, I would like to see CAA for S/MIME, and this
>    is a good and simple way to achieve it.
>
>
>
> I also see CAA for IP addresses as valuable for the ecosystem as well. I
> plan to give your draft a fuller read shortly and will follow up with any
> comments.
>
>
>
> Thanks,
>
> Corey
>
>
>
> *From:* Antonios Chariton <daknob.mac@gmail.com>
> *Sent:* Friday, December 2, 2022 10:51 AM
> *To:* spasm@ietf.org
> *Cc:* Corey Bonnell <Corey.Bonnell@digicert.com>
> *Subject:* Re: [lamps] [EXTERNAL] Re: CAA processing for email addresses
>
>
>
> I think that CAA for S/MIME is useful, and can help enforce policies for
> an enterprise, and even for large e-mail providers (although probably not
> for their main domain gmail.com / hotmail.com / etc.). I participate here
> on my personal capacity and won’t speak on behalf of Gmail.
>
>
>
> Two things I’d maybe consider, one of which is described in my thread[1]
> too:
>
>
>
> - Perhaps “mailissue” or “mail” is better (explained in the thread) or
> even “smime”. This allows for “smimeentity” and “smimeserver” for example,
> if there’s a future need for that.
>
>
>
> - I don’t know if I would make this critical
>
>
>
> Marking this as critical will require all CAs (at least) to build support
> for it, otherwise its presence will block issuance of TLS certificates. My
> suggestion is to make this non-critical (as it is not necessary to use CAA
> for this domain at all), and then require parsing of CAA “mail” (or
> whatever) properties in the requirements that include this doc. In this
> case, it can be the CA/B Forum BRs. If they specify that CAs MUST follow /
> understand / support / conform to … RFCXXXX then you achieve the
> criticality in the publicly trusted space, without breaking all CAA
> implementations in the meantime.
>
>
>
> I would argue that this property is not critical for a CA that does not
> issue S/MIME certs, and in my view the critical flag is for things
> necessary for all CAA uses, not just one.
>
>
>
> In terms of adoption, I would like to see CAA for S/MIME, and this is a
> good and simple way to achieve it. The lack of Certificate Transparency in
> the space will make it more difficult to detect misissuance /
> non-conformity, but when detected it would make it hopefully easier to
> prove. Without speaking on behalf of any Root Program, I imagine this would
> help many stakeholders in the S/MIME ecosystem.
>
>
>
> Antonis
>
>
>
>
>
> 1:
> https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/
>
>
>
> On 1 Dec 2022, at 22:42, Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>
>
> But this is not a proposal that would be relevant to Mail Service
> Operators like Gmail or Hotmail.
>
>
>
> It is only relevant to enterprises running mail services under their own
> DNS name. Outsourcing that to a mail service provider would not impact the
> use of CAA or S/MIMe in the slightest.
>
>
>
>
>
> On Thu, Dec 1, 2022 at 3:02 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>
>
> On 01/12/2022 18:46, Phillip Hallam-Baker wrote:
> > I support adoption of this draft.
>
> In the absence of mail service operators who say they want
> this, I'm against adoption. (If this does originate in CAB
> forum, I'm not aware folks like that are represented there.)
>
> If some mail service operators wanted this, I'd consider what
> they said.
>
> S.
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email