IETF Logo Mail Archive

[Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 20:05 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A69F129463 for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 12:05:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.742
X-Spam-Level:
X-Spam-Status: No, score=-6.742 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihZRRej4PrOm for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 12:05:25 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E7412944C for <spasm@ietf.org>; Thu, 9 Mar 2017 12:05:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:MIME-Version:Date:Message-ID:To:Subject:From; bh=QR2+inWsHvFm1VOqXl8otlAI1HPV7GvB9yxJZdYF3Vg=; b=J4Ky9TElwjdYfj8WrFgwMOWORzAZDg95HFaEQZVrp7LaaBJdWQZMb2jLaqt0BCGWViAJXgrH5vMGpDx5rmYRQWvpAS+R2TCdrcFO7X5re9kCi5R1vyiq0XVDGPGyndesdxWb6YjY3nMIVraSWeYnR47OBZrv+lxrub20XsL7cXI=;
Received: ; Thu, 09 Mar 2017 12:05:23 -0800
From: Jacob Hoffman-Andrews <jsha@eff.org>
To: SPASM <spasm@ietf.org>, Ryan Sleevi <rsleevi@chromium.org>, Phillip Hallam-Baker <philliph@comodo.com>, Patrick Donahue <pat@cloudflare.com>, Peter Bowen <pzb@amzn.com>, Gervase Markham <gerv@mozilla.org>, Rob Stradling <rob.stradling@comodo.com>
Message-ID: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org>
Date: Thu, 09 Mar 2017 12:05:20 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------78C1DD85B7A24005A28EE38A"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vHL260X6Zb2C0VSwDwa8VZC1Kw0>
Subject: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 20:05:28 -0000

Good news! The CA/Browser forum made CAA checking mandatory, effective 8
September 2017
<https://cabforum.org/pipermail/public/2017-February/009722.html>. As
part of the process, we had a very interesting conversation (see bottom
for specific email links) about the processing algorithm specified in
RFC 6844 <https://tools.ietf.org/html/rfc6844#section-4>section 4
<https://tools.ietf.org/html/rfc6844#section-4> and how to handle
CNAMEs. Specifically, if there exists a set of records like so:

www.staffie.dog.        CNAME staffie.terrier.dog.

staffie.terrier.dog.    A 192.0.2.1

terrier.dog.            CAA 0 issue "happy-hacker-fake-ca.net"


Should issuance for www.staffie.dog require a CAA query for terrier.dog?
Or should it only require CAA queries for www.staffie.dog and
staffie.terrier.dog? It looks like we're not the first to be confused by
this. In October 2015, Tom Clegg filed erratum 4515
<https://www.rfc-editor.org/errata_search.php?rfc=6844&eid=4515>,
changing the behavior. My position is that his approach is better, and
we should formally adopt it.

I'd like to define some terms so we can speak clearly:

 - Recursion: What a recursive resolver does: finding and querying
authoritative resolvers, and chasing CNAMEs.

 - Tree climbing: Looking up records for parent domains sequentially,
e.g. "www.staffie.dog", "staffie.dog", "dog".

The current RFC says that CA software should recurse, then tree climb on
any CNAME results, then tree climb on the original name, and repeat.

*The argument from naturalness*

I think the most natural way to think of CNAMEs is analogous to
symlinks. If you `dig A www.staffie.dog` from a recursive resolver, you
get back an IP address and don't need to care about the chain of
intervening CNAMEs. The CAA RFC asks CA software to "peek inside" the
CNAME chain for further processing, which is a significant difference
from how other resource record types are handled.

*The argument from ease of implementation

*Right now, recursive resolvers take care of all CNAME chasing,
including loop detection. To implement CAA as it is defined today, CA
software needs to implement some moderately complex code to tree climb
not only the original name, but also CNAME results. This means the CA
software needs to implement its own loop detection as well. I think
we're likely to see inconsistent and buggy results. On the other hand,
erratum 4515 allows CA software to make three simple, predictable
requests to its recursive resolver:

CAA www.staffie.dog.
CAA staffie.dog.
CAA dog.
**
*The argument from you don't need that*

As I understand it, the argument for the current algorithm is that it
makes it easier for CDNs to deploy CAA records. For instance, if
terrier.dog is a CDN serving the terrier community, and they only
request certificates from Happy Hacker Fake CA, they can easily express
that policy by putting a CAA record on terrier.dog. I would argue that
it's just as easy for terrier.dog to configure their authoritative
resolver to return a CAA record for *.terrier.dog.

*The argument from CDNs don't want to do that*

Cloudflare helpfully chimed in on the original thread saying that they
wouldn't actually want to deploy a blanket CAA record for all their
customers, even though Cloudflare uses a well-defined set of CAs. That's
because doing so would prevent customers from getting their own
certificates from other CAs for non-HTTPS uses, or for subdomains like
party.www.staffie.dog. Even though the customers could override this by
setting their own CAA resource records, this is a hassle that Cloudflare
doesn't want to impose. Other CDNs are likely to feel similarly.

*Hole punching and the includeSubDomains problem*

Part of the debate is informed by deployment difficulties with HPKP
includeSubDomains. For instance, in a previous job I deployed HTTPS at
Twitter. We configured HPKP preloading with includeSubDomains on
twitter.com, including all of the CAs that any of our CDNs used.

Sometimes, for example, the marketing department, would hire a
contractor to build a quickie website like superbowl2017.twitter.com.
The contractor would have their own relationship with a hosting provider
or CDN, who might use a CA not on the list. It would have been nice to
be able to define hole punching, so superbowl2017.twitter.com could have
its own definition of which CA keys are allowed. That's not possible
with HPKP, but it is possible with CAA, intentionally.

However, it's the tree climbing that gets us the hole punching property,
not the alternating tree climb / recursion currently specified in RFC
6844. So adopting erratum 4515 would not break the hole punching property.


*Previous conversation*

  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009803.html>  /philliph
    at comodo.com/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009804.html>  /Peter
    Bowen/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009810.html>  /philliph
    at comodo.com/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009811.html>  /Peter
    Bowen/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009814.html>  /Peter
    Bowen/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009815.html>  /Ryan
    Sleevi/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009816.html>  /Peter
    Bowen/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009817.html>  /Ryan
    Sleevi/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009819.html>  /philliph
    at comodo.com/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009836.html>  /Jacob
    Hoffman-Andrews/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009837.html>  /Ryan
    Sleevi/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009838.html>  /Jacob
    Hoffman-Andrews/
  * [cabfpub] Ballot 187 - Make CAA Checking Mandatory 
    <https://cabforum.org/pipermail/public/2017-February/009839.html>  /Phillip
    Hallam-Baker/

/(whole thread:
/https://cabforum.org/pipermail/public/2017-February/thread.html)

v2.23.0 | Report a Bug | By Email