That's shifting the goalposts in order to argue against a strawman.

The minimum necessary for CAA for email is to restrict the domain access.

Might some people desire more feature-rich syntax? Perhaps. Is that a
necessary requirement? No.

On Tue, May 15, 2018 at 12:22 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> They certainly do share a common namespace.  The trouble is that the email
> address has more than just that common namespace.
>
> If CAA is proposed for email certificates, I should be able to define a CAA
> policy that prevents any CA from issuing for
> particular.maligned.user.undeserving.of.email.secur...@mydomain.com while
> allowing the following CAs to issue for any email address over the same
> domain.
>
> On Tue, May 15, 2018 at 11:15 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
> > Both types share a common namespace. The domain name space.
> >
> > On Tue, May 15, 2018 at 12:10 PM, Matthew Hardeman via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> >> Agreed.  My point was to query the position of the administration of a
> >> large generic email service as to their understanding of the implications
> >> of CAA on their domains.
> >>
> >> Certificates have different types of SANs for good cause: the nuances of
> >> the name space differ.
> >>
> >> For example, SAN rfc822Names versus SAN dnsNames.  The X.509 certificate
> >> distinguishes these names as belonging to separate name spaces.  CAA does
> >> not presently have this concept.  Yet the proposal here would have us
> >> relying upon the more simplistic DNS names expressed in CAA records.
> >>
> >> On Tue, May 15, 2018 at 10:57 AM, Neil Dunbar via dev-security-policy <
> >> dev-security-policy@lists.mozilla.org> wrote:
> >>
> >> >
> >> > > On 15 May 2018, at 07:59, Matthew Hardeman <mharde...@gmail.com> wrote:
> >> > >
> >> > > For that matter, can whoever is in charge of gmail.com <http://gmail.com/>
> >> > > speak to their intent as to CAA for S/MIME?
> >> > >
> >> > > I've certainly held certificates which include my personal gmail address
> >> > > before.  At no point did I need or seek Google's blessing to do so.  I can
> >> > > not imagine that was an uncommon case.  (At least, not uncommon relative to
> >> > > the universe of issued S/MIME certificates.)
> >> >
> >> > Well, I don’t see a CAA record for gmail.com <http://gmail.com/>, thus
> >> > even if CAA issue tags were reinterpreted, as suggested, to cover S/MIME,
> >> > such issuance would not be prohibited (unlike, say, google.com
> >> > <http://google.com/>, which does have a CAA record).
> >> >
> >> > In other words, those certificates that you were issued hitherto could not
> >> > have violated CAA policy, since there was no such expression of policy.
> >> >
> >> > Regards,
> >> >
> >> > Neil
> >> > _______________________________________________
> >> > dev-security-policy mailing list
> >> > dev-security-policy@lists.mozilla.org
> >> > https://lists.mozilla.org/listinfo/dev-security-policy
> >> >
> >>
> >
> >
>
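The lookup the thread is arguing about, as an added example that is not code from the thread, Mozilla, or any CA: an RFC 8659-style relevant-RRset walk applied to the domain part of an rfc822Name, run over constructed CAA data (the owner names, ca-one.example and ca-two.example are all hypothetical; no DNS is queried). It makes Ryan's and Matthew's points concrete at once: the check restricts issuance per domain, and because the local part is discarded before the lookup, two mailboxes at the same domain necessarily get the same answer.

```python
# Added example, not code from the thread. Constructed CAA data; no DNS is queried.
from typing import Dict, List, Optional, Tuple

# Hypothetical zone contents: owner name -> CAA RRset as (flags, tag, value).
# An owner absent from the map has no CAA RRset, so the walk continues upward.
CAA_RECORDS: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.":      [(0, "issue", "ca-one.example"),
                          (0, "issue", "ca-two.example")],
    "mail.example.com.": [(0, "issue", "ca-two.example")],
    "locked.example.":   [(0, "issue", ";")],   # names no issuer: nobody may issue
}


def relevant_rrset(fqdn: str) -> Optional[List[Tuple[int, str, str]]]:
    """RFC 8659 section 3: walk from the name toward the root and return the
    first non-empty CAA RRset, or None if no ancestor has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = CAA_RECORDS.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None


def issuance_permitted(email: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue a certificate naming this mailbox.
    Only the domain part of the address is consulted; the local part is
    discarded, which is exactly the granularity limit discussed above.
    issuewild is ignored because an rfc822Name is never a wildcard."""
    _, _, domain = email.rpartition("@")
    rrset = relevant_rrset(domain)
    if rrset is None:
        return True, f"{domain}: no CAA RRset, so no policy is expressed"
    issue_props = [v for _, tag, v in rrset if tag == "issue"]
    if not issue_props:
        return True, f"{domain}: CAA present but no issue property"
    # The issuer domain name is the part before any ";"-separated parameters.
    issuers = {v.split(";")[0].strip().lower() for v in issue_props}
    issuers.discard("")          # "issue ;" authorizes no CA at all
    if ca_domain.lower() in issuers:
        return True, f"{domain}: {ca_domain} is in the issue set {sorted(issuers)}"
    return False, f"{domain}: {ca_domain} is not in the issue set {sorted(issuers)}"
```

Swapping the local part of an address changes nothing about the result, which is the limitation the thread is debating; a per-mailbox carve-out of the kind Matthew describes cannot be expressed with this record set.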