On Fri, Dec 2, 2022 at 9:56 AM Paul Wouters <[email protected]> wrote:

> On Fri, 2 Dec 2022, 'Kurt Seifried' via [email protected] wrote:
>
> > I read it briefly but it seems to me like there's a significant
> > failure/abuse scenario:
> > ISP controls an IP block that it portions out to customers. ISP has a
> > web server and puts in the IP/IPv6 CAA records.
> >
> > Customers that use delegated IP space from the ISP can now only use
> > those CAAs as well if they want to use this standard, correct?
> >
> > If this is correct, and I was a CA and read this I'd be building a
> > PowerPoint deck for my sales team on how ISPs can partner with us to
> > get a 20-50% commission on sales of certificates by doing this one
> > simple thing...
>
> No,
>
> As Antonios wrote:
>
> a CAA record in 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over
> one in 0.c.d.3.d.0.a.2.ip6.arpa .
>
> Paul

Right, sorry, got it backwards. Couldn't the ISP also declare a CAA record at a lower level, assuming they control the IP space....

> > On Fri, Dec 2, 2022 at 9:23 AM Antonios Chariton <[email protected]> wrote:
> >
> > > Hello everyone,
> > >
> > > I have submitted the following Internet Draft to the IETF LAMPS Working Group for
> > > consideration: https://datatracker.ietf.org/doc/draft-chariton-ipcaa/
> > >
> > > You can read the mailing list thread here:
> > > https://mailarchive.ietf.org/arch/msg/spasm/dQLF1fQQPNX9A59YV4imXRz9ABw/
> > >
> > > This proposes the creation of a new CAA record property, on top of the
> > > existing ones, e.g. “issuewild”, that will allow an entity controlling an
> > > IP address to benefit from the power of CAA records.
> > >
> > > The idea is to add CAA records to the “reverse DNS” zones, ip6.arpa and
> > > in-addr.arpa, that support the hierarchical nature of DNS: a CAA record in
> > > 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one in
> > > 0.c.d.3.d.0.a.2.ip6.arpa .
> > >
> > > As this is relevant to the WebPKI, I am sending this e-mail here to
> > > solicit your feedback on the idea, any potential improvements, etc.
> > >
> > > Thanks,
> > > Antonis
> > >
> > > GitHub Repo: https://github.com/daknob/draft-chariton-ipcaa
> > > HTML: https://daknob.github.io/draft-chariton-ipcaa/
> > > TXT: https://daknob.github.io/draft-chariton-ipcaa/draft.txt
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "[email protected]" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/788376DF-8D67-48E0-AEE1-52085183217D%40gmail.com
> >
> > --
> > Kurt Seifried (He/Him)
> > [email protected]

--
Kurt Seifried (He/Him)
[email protected]
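The precedence rule Paul and Antonios point to (a CAA record at 2.0.0.c.d.3.d.0.a.2.ip6.arpa wins over one at 0.c.d.3.d.0.a.2.ip6.arpa) worked through as an added example, not code from the draft, the thread or the daknob repository: a most-specific-first walk over the reverse-DNS names of an address, which is also what makes Kurt's "lower level" question meaningful, since whichever party publishes at the longer name is the one consulted first. The zone contents and issuer names are constructed, the standard "issue" tag stands in for the draft's new property (its name is not given in the thread), and the walk is my own illustration of the stated precedence, not the draft's specified lookup algorithm.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone data (not from the draft or the thread): a map from
# reverse-DNS owner names to the CAA records published there, each record
# being (flags, tag, value).  The draft's new property name is not on the
# page, so the standard "issue" tag is used here as a stand-in.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    # The ISP's record at the /32 it operates (the thread's less specific label).
    "0.c.d.3.d.0.a.2.ip6.arpa": [(0, "issue", "isp-ca.example")],
    # A customer's record at a /40 delegated out of that block (the more specific label).
    "2.0.0.c.d.3.d.0.a.2.ip6.arpa": [(0, "issue", "customer-ca.example")],
    # A constructed IPv4 example at 192.0.2.0/24 in in-addr.arpa.
    "2.0.192.in-addr.arpa": [(0, "issue", "v4-ca.example")],
}


def candidate_names(ip: str) -> List[str]:
    """Reverse-DNS names to consult for an address, most specific first.

    The first candidate is the full reverse pointer of the address; each
    later one drops a leading label, so the walk climbs towards ip6.arpa or
    in-addr.arpa.  The bare suffix ("ip6.arpa" / "in-addr.arpa") is not
    consulted on its own.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. "...c.d.3.d.0.a.2.ip6.arpa"
    labels = rev.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2)]


def lookup_caa(
    ip: str, zone: Dict[str, List[Tuple[int, str, str]]] = ZONE
) -> Optional[Tuple[str, List[Tuple[int, str, str]]]]:
    """Return (owner name, record set) of the CAA records governing `ip`.

    The first name on the way up the tree that has CAA records wins, which is
    how a record at 2.0.0.c.d.3.d.0.a.2.ip6.arpa takes precedence over one at
    0.c.d.3.d.0.a.2.ip6.arpa for addresses under the longer name.  Returns
    None when no name up the tree carries CAA records.
    """
    for name in candidate_names(ip):
        if name in zone:
            return name, zone[name]
    return None


def permitted_issuers(ip: str, zone: Dict[str, List[Tuple[int, str, str]]] = ZONE) -> List[str]:
    """Issuer domains named by the governing record set (empty list if none)."""
    found = lookup_caa(ip, zone)
    if found is None:
        return []
    return [value for _flags, tag, value in found[1] if tag == "issue"]


if __name__ == "__main__":
    # Two addresses under the ISP's /32: one inside the customer's /40, one outside it.
    for addr in ("2a0d:3dc0:200::1", "2a0d:3dc0:100::1", "192.0.2.10", "2001:db8::1"):
        print(addr, "->", lookup_caa(addr))
```

Running the block shows the /40 holder's record governing 2a0d:3dc0:200::1 while 2a0d:3dc0:100::1 falls back to the /32 record, and an address with no CAA anywhere up its reverse tree yields None.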
