IETF Logo Mail Archive

Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags

Jacob Hoffman-Andrews <jsha@eff.org> Mon, 26 March 2018 23:49 UTC

Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5803127871 for <spasm@ietfa.amsl.com>; Mon, 26 Mar 2018 16:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.01
X-Spam-Level:
X-Spam-Status: No, score=-7.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YkaeaEX1z2F for <spasm@ietfa.amsl.com>; Mon, 26 Mar 2018 16:49:41 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8158C126CD6 for <spasm@ietf.org>; Mon, 26 Mar 2018 16:49:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=sGtlYRlsBF5WcLoebzJsbjlOVdVlZfEaDI5JXMmjY8Q=; b=rNd6GSNsd8XbzuLwx05EOoQTv/ J+/G7E7ax1OKM3o6Rsg/1Kt/YjlUpG/6YZQ4GYfy2UEhvXKWwRAsjxyfSprRQleFcC7e3/K1yC9c0 eF7AuMsrH5Q41FQXMZSD2M9u4tMaled9BG0SHUt8ZivCUqzqseDuFU463SCk1suUXpgQ=;
Received: ; Mon, 26 Mar 2018 16:49:41 -0700
To: Corey Bonnell <CBonnell@trustwave.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <878C91A0-6875-47A4-872F-F5D1F7F7AE7E@trustwave.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <ed4efa8d-c82f-018e-143c-63388e540763@eff.org>
Date: Mon, 26 Mar 2018 16:49:40 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <878C91A0-6875-47A4-872F-F5D1F7F7AE7E@trustwave.com>
Content-Type: multipart/alternative; boundary="------------46281F5E719D917C4F4D38C1"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/3ShNjTcL7StOAzTjbLbnUuRjN4w>
Subject: Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 23:49:44 -0000

I've written this up as a PR:
https://github.com/jsha/caa-simplification/pull/1/files. If there are no
objections, I'll merge it in a week for the 6844bis draft.

Note that I tweaked it slightly from your erratum
(https://www.rfc-editor.org/errata/eid5244). Where you referred just to
"issue" property tags, I mention both "issue" and "issuewild."

On 01/12/2018 01:41 PM, Corey Bonnell wrote:
>
> Hello,
>
> I believe that there are several ambiguities in RFC 6844 in regard to
> processing CAA resource record sets that do not contain "issue" records.
>
>  
>
> Section 3 of RFC 6844 (http://www.rfcreader.com/#rfc6844_line196)
> defines the "issue" property tag to authorize "the holder of the
> domain name <Issuer Domain Name> or a party acting under the explicit
> authority of the holder of that domain name to issue certificates for
> the domain in which the property is published". Based on my
> interpretation, the definition given here is suggesting that CAA issue
> restriction processing is done regardless of whether or not there is
> an "issue" record(s) present to specify the set of permitted Issuer
> Domain Names. In other words, the lack of "issue" records in a CAA
> resource record set indicates that no CA may issue for that domain,
> since no CA has been authorized to issue.
>
>  
>
> However, section 5.2 (http://www.rfcreader.com/#rfc6844_line447)
> defines the "issue" property tag to "request that certificate issuers
> perform CAA issue restriction processing for the domain and to grant
> authorization to specific certificate issuers". Based on this
> definition, it sounds as if CAA issue restriction processing is
> "opt-in". In other words, the absence of "issue" records in a CAA
> record set indicate that any CA may issue for that domain (since there
> was no "opt-in" into CAA restriction processing).
>
>  
>
> Section 4 (http://www.rfcreader.com/#rfc6844_line288) states that,
> "before issuing a certificate, a compliant CA MUST check for
> publication of a relevant CAA Resource Record set." Unfortunately, the
> term "relevant" is not defined by the RFC, which, compounded with the
> ambiguity highlighted above in regard to the definition of the "issue"
> property tag in sections 3 and 5.2, leads to ambiguity in the handling
> following scenarios:
>
>  
>
> - A CAA resource record set consisting solely of unknown non-critical
> property tags (including misspellings of "issue", such as "iisue", etc.)
>
> - A CAA resource record set consisting solely of "iodef" property tags
>
> - A CAA resource record set that contains both of the above
>
>  
>
> For each of these cases above, it is unclear which of the following
> three actions a CA should take:
>
> - Fail issuance (since the CAA resource record set did not authorize
> any CA to issue, given the definition of the "issue" property tag in
> Section 3)
>
> - Continue the tree-climbing search for records (since the resource
> record sets above could conceivably be considered as "not relevant")
>
> - Allow issuance (since the resource record sets above could
> conceivably be considered as "relevant" and any CA may issue, given
> the definition of the "issue" property tag in section 5.2)
>
>  
>
> At Trustwave, we have taken the conservative approach and will not
> issue certificates if we encounter CAA resource record sets matching
> the descriptions of the three above. However, given that we may be
> overly restrictive by doing this, as well as for a desire for CAA
> record sets to be processed uniformly regardless of the CA, we would
> like to see these ambiguities resolved.
>
>  
>
> If others agree that the current wording of the RFC is ambiguous, I
> would be happy to present changes to relevant sections to clear up the
> ambiguity, but for now I wanted to send this along to see if others
> share our interpretation of the RFC.
>
>  
>
> Thanks,
>
> Corey
>
>  
>
>  
>
>  
>
> *Corey Bonnell*
>
> Senior Software Engineer
>
> t: +1 412.395.2233
>
>  
>
> *Trustwave** *| SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>  
>
> /2017 Best Managed Security Service Winner – SC Media/
>
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email