Re: [Acme] Before entering WGLC ...
> This might be easier to read, though is actually slightly longer: > Where a CAA property has an "account-uri" parameter, a CA MUST NOT > consider that property to authorize issuance in the context of a given > certificate issuance request unless the CA recognises the URI > specified as identifying the account making that request. I like this. Martin and Russ, your views? ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
> A CA MAY proceed with issuance if a CAA record is present whose value matches > the account-uri parameter of the account making the request. > If no CAA records have such a match, then the CA MUST NOT proceed with > issuance. This neglects to include the other criteria for validation of a CAA record, however; the wording here suggests this is the only aspect of a CAA record that needs to be validated. If you want to describe a sufficient condition, rather than a necessary one, it stands to reason you'd have to copy and paste large amounts of language from the CAA specification into the specification. Currently we have A CA MUST only consider a property with an "account-uri" parameter to authorize issuance where the URI specified is an URI that the CA recognises as identifying the account making a certificate issuance request. We could also negate it, which might actually be better - the above is slightly more susceptible to be confused for a statement of a sufficient condition: A CA MUST NOT consider a property with an "account-uri" parameter to authorize issuance unless the URI specified is an URI that the CA recognises as identifying the account making a certificate issuance request. This might be easier to read, though is actually slightly longer: Where a CAA property has an "account-uri" parameter, a CA MUST NOT consider that property to authorize issuance in the context of a given certificate issuance request unless the CA recognises the URI specified as identifying the account making that request. ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
How about this: A CA MAY proceed with issuance if a CAA record is present whose value matches the account-uri parameter of the account making the request. If no CAA records have such a match, then the CA MUST NOT proceed with issuance. ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
> Like Russ, I find the statement very difficult to read. Would > inverting it be better? > > > A CA MUST NOT issue authorize issuance if a CAA record is present unless > > the "account-uri" parameter identifies the account making a certificate > > issuance request. See previous reply. Issuance is not determined by the presence of "a" CAA record; there may be multiple and issuance is authorized if any are considered to match the request. Establishing that a specific CAA record is not matched is not a sufficient condition for refusing issuance, because another adjacent CAA record might authorise it. I think any attempt to describe this criterion in terms of specific situational MUST NOTs with regard to a single CAA record is futile. ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
Like Russ, I find the statement very difficult to read. Would inverting it be better? > A CA MUST NOT issue authorize issuance if a CAA record is present unless the > "account-uri" parameter identifies the account making a certificate issuance > request. On 19 June 2017 at 00:16, Salz, Richwrote: > Thank you. For me, it addresses the issue. Russ, are you ok? > > ___ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
Thank you. For me, it addresses the issue. Russ, are you ok? ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
> > . . . A CA MUST only consider a property with an "account-uri" > > parameter to authorize issuance where the URI specified is an URI > > that the CA recognises as identifying the account making a > > certificate issuance request. > > > > > This is not a [crisp] MUST statement. I think it is trying to say two > > > things > when the "account-uri" is present: > > > > > (1) the CA MUST NOT issue a certificate containing the domain name that > contains the CAA Resource Record if it does not recognize the account > referenced by the URI. > > > > > (2) the CA MUST use the account referenced by the URI in the > authorization process for a certificate request for the domain containing the > CAA Resource Record. > > > > > If this is correct, please separate these two requirements. If it is not > correct, please explain the text. > > > > Can you post an update next week? If not, would it help to add another > author to do so? I would like to move this forward to the IESG soon. Please > respond by early next week. > > I don't understand this issue. The wording is clear. It's understandable, yes. Does Russ's proposal have the same meaning? I'm not sure. That means, I think that the original wording could stand a bit of clarification. ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Before entering WGLC ...
> Hugo, the CAA document is in WGLC. Russ raised the following issue on some > text in section 2: > > . . . A CA MUST only consider a property with an "account-uri" > parameter to authorize issuance where the URI specified is an URI > that the CA recognises as identifying the account making a > certificate issuance request. > > > This is not a [crisp] MUST statement. I think it is trying to say two > > things when the "account-uri" is present: > > > (1) the CA MUST NOT issue a certificate containing the domain name that > > contains the CAA Resource Record if it does not recognize the account > > referenced by the URI. > > > (2) the CA MUST use the account referenced by the URI in the authorization > > process for a certificate request for the domain containing the CAA > > Resource Record. > > > If this is correct, please separate these two requirements. If it is not > > correct, please explain the text. > > Can you post an update next week? If not, would it help to add another > author to do so? I would like to move this forward to the IESG soon. Please > respond by early next week. I don't understand this issue. The wording is clear. ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
[Acme] Before entering WGLC ...
Hugo, the CAA document is in WGLC. Russ raised the following issue on some text in section 2: . . . A CA MUST only consider a property with an "account-uri" parameter to authorize issuance where the URI specified is an URI that the CA recognises as identifying the account making a certificate issuance request. > This is not a [crisp] MUST statement. I think it is trying to say two things > when the "account-uri" is present: > (1) the CA MUST NOT issue a certificate containing the domain name that > contains the CAA Resource Record if it does not recognize the account > referenced by the URI. > (2) the CA MUST use the account referenced by the URI in the authorization > process for a certificate request for the domain containing the CAA Resource > Record. > If this is correct, please separate these two requirements. If it is not > correct, please explain the text. Can you post an update next week? If not, would it help to add another author to do so? I would like to move this forward to the IESG soon. Please respond by early next week. Thank you. -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme