Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS)
Paul Wouters <paul.wouters@aiven.io> Thu, 10 August 2023 13:05 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF20C15153F for <spasm@ietfa.amsl.com>; Thu, 10 Aug 2023 06:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HEldPbi3P1as for <spasm@ietfa.amsl.com>; Thu, 10 Aug 2023 06:05:49 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB1B1C13AE5B for <spasm@ietf.org>; Thu, 10 Aug 2023 06:05:49 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id 2adb3069b0e04-4fe8c16c1b4so1267486e87.2 for <spasm@ietf.org>; Thu, 10 Aug 2023 06:05:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1691672748; x=1692277548; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oABdg4dfKdy6sQ+lV8jdKvK/n9OmpxIKynh8oNNQVqM=; b=ZSLYXXijs+RiM0o9aV/JDa+KRUoPfYHivv33IVSRABsptC5VgXuu2Lje6i4V8r7nDW kySgEYUbk5M8uE0U5XzcxvTmQxQM+4hVZLfzYADtifHW3Z6IOoTUQYDl5kVf+z7sTQCC OS/eiBKAHHuWfaxM3HEtIImriGSiJ8rvshgMw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691672748; x=1692277548; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oABdg4dfKdy6sQ+lV8jdKvK/n9OmpxIKynh8oNNQVqM=; b=k4my3bXEnyzvpSh3B2AMPsXxf6WmpAXHxM6PQeu4lBM+erHA6RBM72WqHQFCK78gAn BtCfDyOtQ1gMXOPE2H7OY04V9HuePkWvq726pu5uzfzCuTeQ6Y/DtUtaW3nHbwMEGhQO 2KMqdMhwBA9Sj56CBD4TpTblRqk24hewWXac31J0f82c2K4sESl9pDL/KZhVS34UmNq1 P4ABpqWxCqXj34zKhQxa3oFpcA79JcvW2iWpJGp0tudTBeWHbH42s7ebdK18RqICuYxe FKGrhD/IznwFPCU7qXPVhFdYw8SR0A1X0kNGiZJyJLh6mUS5EL9dqYyGhkyM7L5Wcwug 40zw==
X-Gm-Message-State: AOJu0YznfkwIcGPOnpoLizrtin0O+ldaGcXwi/vqKDLUjAg4iYaEhhiw NLqgqwV7JoDCU0grmlxv5yycJze+j+OzzB4svlzEOA==
X-Google-Smtp-Source: AGHT+IG2y395u9kuZyS28cNJmZ+zUzj9X6+wppgHt8fXQBL9ywxbqU5Lp/pLfhSMNxS6QRjUNwcoCNuBX7/payhOhhM=
X-Received: by 2002:a2e:3e14:0:b0:2b9:cdbf:5c15 with SMTP id l20-20020a2e3e14000000b002b9cdbf5c15mr1793506lja.51.1691672747546; Thu, 10 Aug 2023 06:05:47 -0700 (PDT)
MIME-Version: 1.0
References: <169154482350.52645.261962838818876269@ietfa.amsl.com> <DM6PR14MB2186C081260DE77CCE56C1319212A@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <DM6PR14MB2186C081260DE77CCE56C1319212A@DM6PR14MB2186.namprd14.prod.outlook.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Thu, 10 Aug 2023 09:05:36 -0400
Message-ID: <CAGL5yWa-=4KMJwQDZ4mOAAve5hqBP+nM7qQWhSgwO+yJSF+0dA@mail.gmail.com>
To: Corey Bonnell <Corey.Bonnell@digicert.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-lamps-caa-issuemail@ietf.org" <draft-ietf-lamps-caa-issuemail@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="0000000000003202d706029141c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/u4o7_AkGYcIkyIDav55ZbQlAQJI>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with DISCUSS)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 13:05:54 -0000
Corey, Thanks for answering my DISCUSS questions. I've updated my ballot to Yes. Paul On Wed, Aug 9, 2023 at 9:07 AM Corey Bonnell <Corey.Bonnell@digicert.com> wrote: > Hi Paul, > Thank you for your review and your comments. Replies inline. > > > is it the desired behaviour that toronto.nohats.ca can override the > > nohats.ca > policy and issues certs for paul@toronto.nohats.ca? This also brings into > question whether Public Suffix List (PSL) type restrains matter. > > My understanding is that this behavior is intended and desired based on > the > discussions surrounding the tree-climbing algorithm as defined in RFC 6844 > and > later amended in 8659. Phillip provides an excellent description of this > design choice here [1]. Additionally, the use of Public Delegation > Points/PSL > was removed in later drafts of RFC 6844 [2] and replaced with a simpler > algorithm that merely walks up each label to the DNS root. > > > Section 5.4 contains an example of conflicting records, and the text then > describes a process of "failing open". From a security point of view, I > would argue this should "fail close" and not allow issuance. Was this > discussed > in the WG? What is the rationale behind this "more vulnerable to mistakes" > interpretation? > > I don't believe this specific point was discussed in the context of this > draft, but this behavior is the same as defined in RFC 6844. I believe > this is > a feature and not a bug, as the "failing closed" behavior in the face of > conflicting records would prevent domains from using multiple CA providers. > > Thanks, > Corey > > [1] > https://mailarchive.ietf.org/arch/msg/pkix/CvkHdFP6gdXRCTmq5TXjvMlGOV0/ > [2] > https://mailarchive.ietf.org/arch/msg/pkix/87NqhuFaKCVQO--8pSD3NhjQd2U/ > > > -----Original Message----- > From: Paul Wouters via Datatracker <noreply@ietf.org> > Sent: Tuesday, August 8, 2023 9:34 PM > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-lamps-caa-issuemail@ietf.org; lamps-chairs@ietf.org; > spasm@ietf.org; housley@vigilsec.com; housley@vigilsec.com > Subject: Paul Wouters' Discuss on draft-ietf-lamps-caa-issuemail-06: (with > DISCUSS) > > Paul Wouters has entered the following ballot position for > draft-ietf-lamps-caa-issuemail-06: Discuss > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this > introductory > paragraph, however.) > > > Please refer to > > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-issuemail/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > > Issue #1 > > The discovery of such a Relevant RRSet MUST be performed using the > algorithm specified in section 3 of [RFC8659]. The input domain to > the > discovery algorithm SHALL be the domain "part" ([RFC5322]) of the > email > address that is being certified. > > And RFC 8659 states: > > The search for a CAA RRset climbs the DNS name tree from the > specified label up to, but not including, the DNS root "." until > a CAA RRset is found. > > > While this algorithm makes sense for a CAA to restrict issuing, I'm not > sure > it > makes sense for email addresses where the permission might be granted by a > parent. > > eg ig there is a CAA record saying "no email certs" at nohats.ca, > and there is a CAA record saying "sure, issue stuff" at toronto.nohats.ca, > > is it the desired behaviour that toronto.nohats.ca can override the > nohats.ca > policy and issues certs for paul@toronto.nohats.ca? This also brings into > question whether Public Suffix List (PSL) type restrains matter. > > It might very well be the intent, but then perhaps it should be made a > little > more > explicit ? (and then I have to rethink about what I think about subdomains > overriding > their parents) > > > Issue #2: > > Section 5.4 contains an example of conflicting records, and the text then > describes a process of "failing open". From a security point of view, I > would argue this should "fail close" and not allow issuance. Was this > discussed > in the WG? What is the rationale behind this "more vulnerable to mistakes" > interpretation? > > > > > >
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Corey Bonnell
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters