Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)
Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 20 December 2017 17:28 UTC
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Corey Bonnell <CBonnell@trustwave.com>, Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 20 Dec 2017 17:28:14 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yUzf_e7xpW6UFJ4ovXa1DPGMY6E>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
This looks good to me.  I could get behind this.

-Tim

> -----Original Message-----
> From: Corey Bonnell [mailto:CBonnell@trustwave.com]
> Sent: Wednesday, December 20, 2017 9:04 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Jacob Hoffman-Andrews
> <jsha@eff.org>; spasm@ietf.org
> Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)
>
> After thinking about this further, I’m in favor of using semicolons to
> delimit parameters, as Tim mentioned that we likely need to continue
> using the semicolon to delimit the identifying domain name from the
> parameter list due to its current ubiquity. It would be inconsistent to
> use a semicolon to delimit the identifying domain name from the
> parameter list but also mandate that parameter name/value pairs be
> delimited using whitespace. That being said, I like the idea that
> non-significant whitespace can be used in records to improve human
> readability.
>
> Given that RFC 5234 prohibits the use of implicit “linear white space”
> in section 3.1 (http://www.rfcreader.com/#rfc5234_line204), RFC 6844
> must explicitly state in the production rules that non-significant
> whitespace is supported. With that in mind, I believe that the ABNF
> production rules in RFC 6844 section 5.1
> (http://www.rfcreader.com/#rfc6844_line447) for “issuevalue” should be
> modified to something similar to this:
>
> issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP]
> parameters = (parameter *WSP ";" *WSP parameters) / parameter
> parameter = tag "=" value
> tag = 1*(ALPHA / DIGIT)
> value = *(%x21-3A / %x3C-7E)
>
> (The “parameter” and “tag” production rules are unchanged but I listed
> them here to list the relevant rules in one place.)
>
> Note that I removed the “space” production rule, as RFC 5234 provides
> us with a nearly identical (differing only in the number of allowed
> repetitions, but the character class is the same) “WSP” rule in its
> core module (http://www.rfcreader.com/#rfc5234_line520). Also note that
> I modified the “value” rule, as we need to exclude the semicolon (ASCII
> code 0x3B) from the set of allowed characters in parameter values.
>
> Thanks,
> Corey
>
> Corey Bonnell
> Senior Software Engineer
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> 2017 Best Managed Security Service Winner – SC Media
>
> On 12/18/17, 9:41 AM, "Spasm on behalf of Tim Hollebeek"
> <spasm-bounces@ietf.org on behalf of tim.hollebeek@digicert.com> wrote:
>
>     As pointed out on the cabf_validation list, the original text isn't
>     just ambiguous, the RFC contradicts itself.  I don't feel too
>     strongly either way, as long as it gets resolved soon, as property
>     tags are about to become commonly deployed (there were several
>     proposed uses discussed at the Taipei face-to-face meeting of the
>     CA/Browser forum).
>
>     I do however have a slight preference for only having a single
>     separator (whitespace), not two in order to avoid confusion about
>     what to do about whitespace after semicolons and around = signs.
>
>     The semicolon doesn't really serve a useful purpose, though we do
>     have to keep one since there are existing CAA records out there
>     that use it.  I'd like the grammar to essentially be:
>
>     domain ; [name = value]+
>
>     with the clarification that whitespace is ignored.
>
>     So my personal preference is the first style you mentioned, in line
>     with the submitted errata:
>
>     example.com IN CAA 0 issue "example.net; foo=bar bar=qux"
>
>     It's the style I used in my proposal for industry standard property
>     tag names on cabf_validation last week.
>
>     -Tim
>
> > -----Original Message-----
> > From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Jacob
> > Hoffman-Andrews
> > Sent: Friday, December 15, 2017 9:06 PM
> > To: spasm@ietf.org
> > Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844
> > (5200)
> >
> > On 12/08/2017 10:16 AM, Russ Housley wrote:
> > > http://www.rfc-editor.org/errata/eid5200
> >
> > The question here is whether CAA records with property tags should
> > look like:
> >
> > example.com IN CAA 0 issue "example.net; foo=bar bar=qux"
> >
> > or:
> >
> > example.com IN CAA 0 issue "example.net; foo=bar; bar=qux"
> >
> > (note the second semicolon)
> >
> > I think the original text is ambiguous on the point, and since
> > property tags are not yet widely deployed this is a somewhat free
> > choice. I think the version where property tags are separated by
> > semicolons makes more sense and is less error prone. It also happens
> > to be what Hugo Landau's draft for CAA Record Extensions uses:
> > https://tools.ietf.org/html/draft-ietf-acme-caa-03#page-9
> >
> > And what was briefly implemented in Let's Encrypt's Boulder (since
> > rolled back due to a bug):
> >
> > https://github.com/letsencrypt/boulder/pull/3145/files#diff-3efab53f2bcc543ac2e771ec882c57c1L310
> >
> > So my feeling is we should reject this erratum and clarify in the
> > other direction, requiring semicolons between property tags. Thoughts?
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm
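
A strict parser for the "issuevalue" ABNF that Corey Bonnell proposes in the quoted message, run against the two record styles debated in the thread. This is an example added to the archived page, not code from the thread or from any CA; the function names are made up for it, and the "domain" pattern is an assumption because the thread does not quote that rule.

```python
import re

# WSP is SP / HTAB (RFC 5234 core rules); tag and value follow the ABNF
# proposed in the thread.
WSP = r"[ \t]*"
TAG = r"[A-Za-z0-9]+"
VALUE = r"[\x21-\x3A\x3C-\x7E]*"  # printable ASCII without SP and ";" (0x3B)
PARAMETER = rf"{TAG}={VALUE}"
PARAMETERS = rf"{PARAMETER}(?:{WSP};{WSP}{PARAMETER})*"

# Assumption: the thread does not quote the "domain" rule; this pattern uses
# dot-separated labels of letters, digits and interior hyphens.
LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
DOMAIN = rf"{LABEL}(?:\.{LABEL})*"

# issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP]
ISSUEVALUE = re.compile(
    rf"{WSP}(?P<domain>{DOMAIN})?{WSP}"
    rf"(?:;{WSP}(?P<params>{PARAMETERS})?{WSP})?"
)
# Values cannot contain ";" or whitespace, so splitting on the separator
# after a successful match cannot cut through a value.
SEPARATOR = re.compile(rf"{WSP};{WSP}")


def parse_issuevalue(text):
    """Parse a CAA issue/issuewild value under the proposed grammar.

    Returns (domain or None, [(tag, value), ...]); raises ValueError when
    the whole string does not match the grammar.
    """
    match = ISSUEVALUE.fullmatch(text)
    if match is None:
        raise ValueError(f"not a valid issuevalue: {text!r}")
    params = []
    if match.group("params"):
        for item in SEPARATOR.split(match.group("params")):
            tag, value = item.split("=", 1)  # "=" is legal inside a value
            params.append((tag, value))
    return match.group("domain"), params


def conforms(text):
    """True when text matches the proposed issuevalue grammar."""
    try:
        parse_issuevalue(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The first two values are the record styles quoted in the thread; the
    # remaining ones are constructed edge cases.
    samples = [
        "example.net; foo=bar bar=qux",    # whitespace-separated parameters
        "example.net; foo=bar; bar=qux",   # semicolon-separated parameters
        " example.net ;foo=bar\t;\tbar=qux ",
        ";",
        "example.net; foo=bar;",
    ]
    for sample in samples:
        try:
            print(repr(sample), "->", parse_issuevalue(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Under this grammar the whitespace-separated form from erratum 5200 is rejected outright rather than read as a single parameter whose value contains a space, so a checker built this way cannot silently disagree with one that splits on whitespace.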