Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 20 December 2017 17:28 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Corey Bonnell <CBonnell@trustwave.com>, Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 20 Dec 2017 17:28:14 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yUzf_e7xpW6UFJ4ovXa1DPGMY6E>
Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

This looks good to me.  I could get behind this.

-Tim

> -----Original Message-----
> From: Corey Bonnell [mailto:CBonnell@trustwave.com]
> Sent: Wednesday, December 20, 2017 9:04 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Jacob Hoffman-Andrews
> <jsha@eff.org>; spasm@ietf.org
> Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)
> 
> After thinking about this further, I’m in favor of using semicolons to delimit
> parameters, as Tim mentioned that we likely need to continue using the
> semicolon to delimit the identifying domain name from the parameter list due
> to its current ubiquity. It would be inconsistent to use a semicolon to delimit
> the identifying domain name from the parameter list but also mandate that
> parameter name/value pairs be delimited using whitespace. That being said, I
> like the idea that non-significant whitespace can be used in records to
> improve human readability.
> 
> Given that RFC 5234 prohibits the use of implicit “linear white space” in
> section 3.1 (http://www.rfcreader.com/#rfc5234_line204), RFC 6844 must
> explicitly state in the production rules that non-significant whitespace is
> supported. With that in mind, I believe that the ABNF production rules in
> RFC 6844 section 5.1 (http://www.rfcreader.com/#rfc6844_line447) for
> “issuevalue” should be modified to something similar to this:
> 
> issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP]
> parameters = (parameter *WSP ";" *WSP parameters) / parameter
> parameter = tag "=" value
> tag = 1*(ALPHA / DIGIT)
> value = *(%x21-3A / %x3C-7E)
> 
> (The “parameter” and “tag” production rules are unchanged but I listed them
> here to list the relevant rules in one place.)
> 
> Note that I removed the “space” production rule, as RFC 5234 provides us
> with a nearly identical (differing only in the number of allowed repetitions, but
> the character class is the same) “WSP” rule in its core module
> (http://www.rfcreader.com/#rfc5234_line520). Also note that I modified the
> “value” rule, as we need to exclude the semicolon (ASCII code 0x3B) from the
> set of allowed characters in parameter values.
> 
> Thanks,
> Corey
> 
> Corey Bonnell
> Senior Software Engineer
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
> 
> 2017 Best Managed Security Service Winner – SC Media
> 
> On 12/18/17, 9:41 AM, "Spasm on behalf of Tim Hollebeek"
> <spasm-bounces@ietf.org on behalf of tim.hollebeek@digicert.com> wrote:
> 
>     As pointed out on the cabf_validation list, the original text isn't just
>     ambiguous, the RFC contradicts itself.  I don't feel too strongly either
>     way, as long as it gets resolved soon, as property tags are about to become
>     commonly deployed (there were several proposed uses discussed at the Taipei
>     face-to-face meeting of the CA/Browser forum).
> 
>     I do however have a slight preference for only having a single separator
>     (whitespace), not two in order to avoid confusion about what to do about
>     whitespace after semicolons and around = signs.
> 
>     The semicolon doesn't really serve a useful purpose, though we do have to
>     keep one since there are existing CAA records out there that use it.  I'd
>     like the grammar to essentially be:
> 
>         domain ; [name = value]+
> 
>     with the clarification that whitespace is ignored.
> 
>     So my personal preference is the first style you mentioned, in line with the
>     submitted errata:
> 
>         example.com IN CAA 0 issue "example.net; foo=bar bar=qux"
> 
>     It's the style I used in my proposal for industry standard property tag
>     names on cabf_validation last week.
> 
>     -Tim
> 
>     > -----Original Message-----
>     > From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Jacob Hoffman-Andrews
>     > Sent: Friday, December 15, 2017 9:06 PM
>     > To: spasm@ietf.org
>     > Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)
>     >
>     > On 12/08/2017 10:16 AM, Russ Housley wrote:
>     > > http://www.rfc-editor.org/errata/eid5200
>     >
>     > The question here is whether CAA records with property tags should look
>     > like:
>     >
>     > example.com IN CAA 0 issue "example.net; foo=bar bar=qux"
>     >
>     > or:
>     >
>     > example.com IN CAA 0 issue "example.net; foo=bar; bar=qux"
>     >
>     > (note the second semicolon)
>     >
>     > I think the original text is ambiguous on the point, and since property
>     > tags are not yet widely deployed this is a somewhat free choice. I think
>     > the version where property tags are separated by semicolons makes more
>     > sense and is less error prone. It also happens to be what Hugo Landau's
>     > draft for CAA Record Extensions uses:
>     > https://tools.ietf.org/html/draft-ietf-acme-caa-03#page-9
>     >
>     > And what was briefly implemented in Let's Encrypt's Boulder (since rolled
>     > back due to a bug):
>     >
>     > https://github.com/letsencrypt/boulder/pull/3145/files#diff-3efab53f2bcc543ac2e771ec882c57c1L310
>     >
>     > So my feeling is we should reject this erratum and clarify in the other
>     > direction, requiring semicolons between property tags. Thoughts?
>     >
>
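
The grammar Corey Bonnell proposes in the quoted message, turned into a strict validator and run against the two record styles the thread compares. This is an added example, not code from the thread or from any CA: the `domain` and `label` rules are taken from RFC 6844 because the message does not restate them, and the names `parse_issuevalue` and `is_valid` are hypothetical.

```python
"""Validator for the proposed CAA issuevalue grammar (added example)."""
import re

# Building blocks, one per ABNF rule in the quoted proposal.
WSP = r"[ \t]*"                              # *WSP: SP / HTAB (RFC 5234 core rule)
LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"     # label, as in RFC 6844 (assumption)
DOMAIN = rf"{LABEL}(?:\.{LABEL})*"           # domain = label *("." label)
TAG = r"[A-Za-z0-9]+"                        # tag = 1*(ALPHA / DIGIT)
VALUE = r"[\x21-\x3A\x3C-\x7E]*"             # value: visible ASCII minus ";" (0x3B)
PARAM = rf"{TAG}={VALUE}"                    # parameter = tag "=" value
PARAMS = rf"{PARAM}(?:{WSP};{WSP}{PARAM})*"  # parameters, ";"-delimited

# issuevalue = *WSP [domain] *WSP [";" *WSP [parameters] *WSP]
ISSUEVALUE = re.compile(
    rf"{WSP}(?P<domain>{DOMAIN})?{WSP}(?:;{WSP}(?P<params>{PARAMS})?{WSP})?"
)


def parse_issuevalue(text):
    """Return (domain, [(tag, value), ...]) or raise ValueError.

    The whole string must match the grammar. Rejecting instead of guessing
    means a restriction the domain owner wrote is never silently dropped.
    """
    match = ISSUEVALUE.fullmatch(text)
    if match is None:
        raise ValueError(f"not a valid issuevalue: {text!r}")
    params = []
    if match.group("params"):
        # Values cannot contain ";" under this grammar, so splitting is safe.
        for item in match.group("params").split(";"):
            tag, _, value = item.strip(" \t").partition("=")
            params.append((tag, value))
    return match.group("domain"), params


def is_valid(text):
    """True if text is accepted by parse_issuevalue."""
    try:
        parse_issuevalue(text)
    except ValueError:
        return False
    return True


# Constructed samples: the two styles from the thread plus edge cases.
SAMPLES = [
    "example.net; foo=bar; bar=qux",      # semicolon-delimited parameters
    "example.net; foo=bar bar=qux",       # whitespace-delimited (erratum style)
    "  example.net ;foo=bar ;\tbar=qux ",  # non-significant whitespace
    "example.net; foo = bar",             # whitespace around "=" is not allowed
    "example.net; foo=bar;",              # trailing ";" has no parameter after it
    ";",                                  # no domain and no parameters
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(f"{sample!r:40} -> {parse_issuevalue(sample)}")
        except ValueError as exc:
            print(f"{sample!r:40} -> REJECTED ({exc})")
```

Under this grammar the whitespace-delimited record is rejected outright rather than parsed as a single parameter `foo=bar` with trailing junk, which is the behaviour a CA would want before relying on any parameter as a restriction.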