[Spasm] CAA erratum 4515
Jacob Hoffman-Andrews <jsha@eff.org> Thu, 09 March 2017 20:05 UTC
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A69F129463 for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 12:05:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.742
X-Spam-Level:
X-Spam-Status: No, score=-6.742 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihZRRej4PrOm for <spasm@ietfa.amsl.com>; Thu, 9 Mar 2017 12:05:25 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E7412944C for <spasm@ietf.org>; Thu, 9 Mar 2017 12:05:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:MIME-Version:Date:Message-ID:To:Subject:From; bh=QR2+inWsHvFm1VOqXl8otlAI1HPV7GvB9yxJZdYF3Vg=; b=J4Ky9TElwjdYfj8WrFgwMOWORzAZDg95HFaEQZVrp7LaaBJdWQZMb2jLaqt0BCGWViAJXgrH5vMGpDx5rmYRQWvpAS+R2TCdrcFO7X5re9kCi5R1vyiq0XVDGPGyndesdxWb6YjY3nMIVraSWeYnR47OBZrv+lxrub20XsL7cXI=;
Received: ; Thu, 09 Mar 2017 12:05:23 -0800
From: Jacob Hoffman-Andrews <jsha@eff.org>
To: SPASM <spasm@ietf.org>, Ryan Sleevi <rsleevi@chromium.org>, Phillip Hallam-Baker <philliph@comodo.com>, Patrick Donahue <pat@cloudflare.com>, Peter Bowen <pzb@amzn.com>, Gervase Markham <gerv@mozilla.org>, Rob Stradling <rob.stradling@comodo.com>
Message-ID: <79cf5707-693e-abf0-9e35-5dcc94a3e877@eff.org>
Date: Thu, 09 Mar 2017 12:05:20 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------78C1DD85B7A24005A28EE38A"
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vHL260X6Zb2C0VSwDwa8VZC1Kw0>
Subject: [Spasm] CAA erratum 4515
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 20:05:28 -0000
Good news! The CA/Browser forum made CAA checking mandatory, effective 8 September 2017 <https://cabforum.org/pipermail/public/2017-February/009722.html>. As part of the process, we had a very interesting conversation (see bottom for specific email links) about the processing algorithm specified in RFC 6844 <https://tools.ietf.org/html/rfc6844#section-4>section 4 <https://tools.ietf.org/html/rfc6844#section-4> and how to handle CNAMEs. Specifically, if there exists a set of records like so: www.staffie.dog. CNAME staffie.terrier.dog. staffie.terrier.dog. A 192.0.2.1 terrier.dog. CAA 0 issue "happy-hacker-fake-ca.net" Should issuance for www.staffie.dog require a CAA query for terrier.dog? Or should it only require CAA queries for www.staffie.dog and staffie.terrier.dog? It looks like we're not the first to be confused by this. In October 2015, Tom Clegg filed erratum 4515 <https://www.rfc-editor.org/errata_search.php?rfc=6844&eid=4515>, changing the behavior. My position is that his approach is better, and we should formally adopt it. I'd like to define some terms so we can speak clearly: - Recursion: What a recursive resolver does: finding and querying authoritative resolvers, and chasing CNAMEs. - Tree climbing: Looking up records for parent domains sequentially, e.g. "www.staffie.dog", "staffie.dog", "dog". The current RFC says that CA software should recurse, then tree climb on any CNAME results, then tree climb on the original name, and repeat. *The argument from naturalness* I think the most natural way to think of CNAMEs is analogous to symlinks. If you `dig A www.staffie.dog` from a recursive resolver, you get back an IP address and don't need to care about the chain of intervening CNAMEs. The CAA RFC asks CA software to "peek inside" the CNAME chain for further processing, which is a significant difference from how other resource record types are handled. *The argument from ease of implementation *Right now, recursive resolvers take care of all CNAME chasing, including loop detection. To implement CAA as it is defined today, CA software needs to implement some moderately complex code to tree climb not only the original name, but also CNAME results. This means the CA software needs to implement its own loop detection as well. I think we're likely to see inconsistent and buggy results. On the other hand, erratum 4515 allows CA software to make three simple, predictable requests to its recursive resolver: CAA www.staffie.dog. CAA staffie.dog. CAA dog. ** *The argument from you don't need that* As I understand it, the argument for the current algorithm is that it makes it easier for CDNs to deploy CAA records. For instance, if terrier.dog is a CDN serving the terrier community, and they only request certificates from Happy Hacker Fake CA, they can easily express that policy by putting a CAA record on terrier.dog. I would argue that it's just as easy for terrier.dog to configure their authoritative resolver to return a CAA record for *.terrier.dog. *The argument from CDNs don't want to do that* Cloudflare helpfully chimed in on the original thread saying that they wouldn't actually want to deploy a blanket CAA record for all their customers, even though Cloudflare uses a well-defined set of CAs. That's because doing so would prevent customers from getting their own certificates from other CAs for non-HTTPS uses, or for subdomains like party.www.staffie.dog. Even though the customers could override this by setting their own CAA resource records, this is a hassle that Cloudflare doesn't want to impose. Other CDNs are likely to feel similarly. *Hole punching and the includeSubDomains problem* Part of the debate is informed by deployment difficulties with HPKP includeSubDomains. For instance, in a previous job I deployed HTTPS at Twitter. We configured HPKP preloading with includeSubDomains on twitter.com, including all of the CAs that any of our CDNs used. Sometimes, for example, the marketing department, would hire a contractor to build a quickie website like superbowl2017.twitter.com. The contractor would have their own relationship with a hosting provider or CDN, who might use a CA not on the list. It would have been nice to be able to define hole punching, so superbowl2017.twitter.com could have its own definition of which CA keys are allowed. That's not possible with HPKP, but it is possible with CAA, intentionally. However, it's the tree climbing that gets us the hole punching property, not the alternating tree climb / recursion currently specified in RFC 6844. So adopting erratum 4515 would not break the hole punching property. *Previous conversation* * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009803.html> /philliph at comodo.com/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009804.html> /Peter Bowen/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009810.html> /philliph at comodo.com/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009811.html> /Peter Bowen/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009814.html> /Peter Bowen/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009815.html> /Ryan Sleevi/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009816.html> /Peter Bowen/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009817.html> /Ryan Sleevi/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009819.html> /philliph at comodo.com/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009836.html> /Jacob Hoffman-Andrews/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009837.html> /Ryan Sleevi/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009838.html> /Jacob Hoffman-Andrews/ * [cabfpub] Ballot 187 - Make CAA Checking Mandatory <https://cabforum.org/pipermail/public/2017-February/009839.html> /Phillip Hallam-Baker/ /(whole thread: /https://cabforum.org/pipermail/public/2017-February/thread.html)
- [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Patrick Donahue
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Viktor Dukhovni
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Salz, Rich
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Rob Stradling
- Re: [Spasm] CAA erratum 4515 Ryan Sleevi
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews
- Re: [Spasm] CAA erratum 4515 Phillip Hallam-Baker
- Re: [Spasm] CAA erratum 4515 Jacob Hoffman-Andrews