Re: DRAFT November 2017 CA Communication

2017-10-26 Thread Kathleen Wilson via dev-security-policy
On Wednesday, October 25, 2017 at 2:05:33 PM UTC-7, Andrew Ayer wrote:
> Hi Kathleen,
> 
> I suggest being explicit about which CAA errata Mozilla allows.
> 
> For CNAME, it's erratum 5065.
> 
> For DNAME, it's erratum 5097.
> 
> Link to errata: https://www.rfc-editor.org/errata_search.php?rfc=6844
> 

I added the link, and added a "TO DO" note regarding specifying the exact 
errata.

Looking forward to further discussion about which errata should be allowed.

Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


RE: DRAFT November 2017 CA Communication

2017-10-26 Thread Tim Hollebeek via dev-security-policy
I don't like erratum 5097.  It just deletes the mention of DNAME, which can 
easily be misinterpreted as not permitting DNAME following for CAA (or even 
worse, allows DNAME to be handled however you want).  Erratum 5097 also has not 
been approved by IETF (and shouldn't be, for this reason).

The "natural" interpretation of DNAME, which has been discussed on various 
CA/Browser forum calls and at the Taiwan face to face meeting, is that DNAME 
must be handled in compliance with RFC 6672, which explains how synthesized 
CNAMEs work.

My own personal preferred fix for RFC 6844 is to replace "CNAME or DNAME alias 
record specified at the label X" with "CNAME alias record specified at the 
label X, or a DNAME alias record *in effect at* the label X (see RFC 6672)"

But anyway, I think everyone agrees what we want: DNAMEs work the way they do 
everywhere else.  There's nothing special about them for CAA.

-Tim

-----Original Message-----
From: dev-security-policy On Behalf Of Andrew Ayer via dev-security-policy
Sent: Wednesday, October 25, 2017 5:05 PM
To: Kathleen Wilson
Cc: Kathleen Wilson via dev-security-policy; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT November 2017 CA Communication

Hi Kathleen,

I suggest being explicit about which CAA errata Mozilla allows.

For CNAME, it's erratum 5065.

For DNAME, it's erratum 5097.

Link to errata: https://www.rfc-editor.org/errata_search.php?rfc=6844

We don't want CAs to think they can follow any errata they like, or to come up 
with their own interpretation of what "natural" means :-)

Regards,
Andrew

On Wed, 25 Oct 2017 12:46:40 -0700 (PDT) Kathleen Wilson via dev-security-policy wrote:

> All,
> 
> I will greatly appreciate your thoughtful and constructive feedback on 
> the DRAFT of Mozilla's next CA Communication, which I am hoping to 
> send in early November.
> 
> https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication
> 
> Direct link to the survey:
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J3mogw7
> 
> Thanks,
> Kathleen
> 
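The behaviour Tim describes, a DNAME that is "in effect at" every name below its owner rather than "specified at" the queried label, is easiest to see in code. The following is an added example and not code from this thread, from Mozilla, or from any CA: a toy in-memory resolver that performs the RFC 6844 tree climb, resolving CNAME and DNAME aliases at each label by RFC 6672 substitution. The zone contents, names and CA identifiers are constructed for the example. It assumes the reading of the climb in which aliases are resolved at each label of the queried name and the climb continues over the ancestors of the queried name, not of the canonical name; a DNAME is applied to names below its owner but never to the owner itself, as RFC 6672 specifies.

```python
"""Toy CAA lookup over a constructed zone (added example, not from the thread).

Shows that a DNAME at example.com redirects a CAA lookup for www.example.com
to www.example.net, even though no record is stored at www.example.com, and
that the DNAME owner itself (example.com) is not aliased.
"""

# Constructed zone: owner name -> list of (rtype, rdata).  CAA rdata is
# (flags, tag, value) as in RFC 6844 section 5.1.
ZONE = {
    "example.com.": [("DNAME", "example.net.")],
    "www.example.net.": [("CAA", (0, "issue", "ca-one.example"))],
    # Never consulted below: the climb runs over the ancestors of the
    # queried name (example.com, com), not over those of the canonical name.
    "example.net.": [("CAA", (0, "issue", "ca-never.example"))],
    "alias.example.org.": [("CNAME", "target.example.org.")],
    "target.example.org.": [("CAA", (0, "issue", "ca-two.example"))],
    "parent.example.org.": [("CAA", (0, "issue", "ca-three.example"))],
    "loop.example.org.": [("CNAME", "loop.example.org.")],  # deliberate loop
}

MAX_CHAIN = 8  # bound on alias hops, so a CNAME/DNAME loop fails closed


def parent(name):
    """Parent label of a fully qualified name; "." for a TLD."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def records(name, rtype):
    return [rd for rt, rd in ZONE.get(name, []) if rt == rtype]


def dname_in_effect(name):
    """Closest DNAME owned by a *proper* ancestor of name, as (owner, target).

    RFC 6672: a DNAME applies to every name below its owner, but not to the
    owner name itself.
    """
    anc = parent(name)
    while anc != ".":
        d = records(anc, "DNAME")
        if d:
            return anc, d[0]
        anc = parent(anc)
    return None


def canonical(name, depth=0):
    """Follow CNAME and DNAME aliases to the canonical name, like a resolver.

    A DNAME is applied by substitution: the owner suffix is replaced with the
    DNAME target, which is what the synthesized CNAME of RFC 6672 expresses.
    """
    if depth > MAX_CHAIN:
        raise RuntimeError("alias chain too long at %s" % name)
    cname = records(name, "CNAME")
    if cname:
        return canonical(cname[0], depth + 1)
    dname = dname_in_effect(name)
    if dname:
        owner, target = dname
        prefix = name[: -len(owner)]  # e.g. "www." from "www.example.com."
        return canonical(prefix + target, depth + 1)
    return name


def caa_lookup(fqdn):
    """RFC 6844 climb: at each label X from the FQDN up to (not including) the
    root, resolve the aliases in effect at X and return the first non-empty
    CAA RRset.  An empty list means no CAA records constrain issuance."""
    x = fqdn if fqdn.endswith(".") else fqdn + "."
    while x != ".":
        rrset = records(canonical(x), "CAA")
        if rrset:
            return rrset
        x = parent(x)
    return []


if __name__ == "__main__":
    for q in ("www.example.com", "mail.example.com", "alias.example.org",
              "deep.parent.example.org"):
        print(q, "->", canonical(q + "."), caa_lookup(q))
```

Querying mail.example.com illustrates the caveat a CA has to get right: the DNAME rewrites it to mail.example.net, which has no CAA RRset, so the climb continues to example.com (where the DNAME does not apply to the owner) and then to com, and the CAA at example.net is never consulted.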