Skip to main content

CAA Security Tag for Cryptographic Domain Validation
draft-birgelee-lamps-caa-security-00

Document Type Active Internet-Draft (individual)
Authors Henry Birge-Lee , Grace Cimaszewski , Cyrill Krähenbühl , Liang Wang , Aaron Gable , Prateek Mittal
Last updated 2024-11-14
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-birgelee-lamps-caa-security-00
Limited Additional Mechanisms for PKIX and SMIME            H. Birge-Lee
Internet-Draft                                            G. Cimaszewski
Intended status: Experimental                           C. E. Krähenbühl
Expires: 18 May 2025                                             L. Wang
                                                    Princeton University
                                                                A. Gable
                                                                    ISRG
                                                               P. Mittal
                                                    Princeton University
                                                        14 November 2024

          CAA Security Tag for Cryptographic Domain Validation
                  draft-birgelee-lamps-caa-security-00

Abstract

   CAA "security" tags are a type of CAA record (defined in RFC 6844)
   with the critical flag set that specify that for a certificate to be
   issued, the issuance process must be conducted in a manner that is
   robust against global man-in-the-middle adversaries by leveraging
   authenticated communication between a CA and a domain.  Cryptographic
   domain validation procedures are authenticated and resilient against
   attacks by both on-path and off-path network attackers which may be
   between the CA and the domain contained in the certificate.  This
   document defines the syntax of "security" CAA records as well as
   acceptable means for validating domains in a cryptographic manner.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://birgelee.github.io/draft-caa-security-tag/draft-birgelee-
   lamps-caa-security.html.  Status information for this document may be
   found at https://datatracker.ietf.org/doc/draft-birgelee-lamps-caa-
   security/.

   Discussion of this document takes place on the Limited Additional
   Mechanisms for PKIX and SMIME Working Group mailing list
   (mailto:spasm@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spasm/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spasm/.

   Source for this draft and an issue tracker can be found at
   https://github.com/birgelee/draft-caa-security-tag.

Birge-Lee, et al.          Expires 18 May 2025                  [Page 1]
Internet-Draft              CAA Security Tag               November 2024

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 May 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Security CAA Record Syntax  . . . . . . . . . . . . . . . . .   3
   4.  Well-known Properties . . . . . . . . . . . . . . . . . . . .   4
   5.  Permissible Methods . . . . . . . . . . . . . . . . . . . . .   5
   6.  Permissible Options . . . . . . . . . . . . . . . . . . . . .   7
   7.  Applicability . . . . . . . . . . . . . . . . . . . . . . . .   7
   8.  Single "security" Tag for Each Domain . . . . . . . . . . . .   8
   9.  CAA "security" Tag Protection . . . . . . . . . . . . . . . .   8
   10. Security Considerations . . . . . . . . . . . . . . . . . . .   8
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   12. Normative References  . . . . . . . . . . . . . . . . . . . .   9
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

Birge-Lee, et al.          Expires 18 May 2025                  [Page 2]
Internet-Draft              CAA Security Tag               November 2024

1.  Introduction

   A "security" CAA record is compliant with RFC 6844 and puts
   restrictions on the circumstances under which a CA can sign a
   certificate for a given domain.  A “security” CAA record on a domain
   implies that validation for this domain must be done in a manner that
   offers security against network adversaries even if an adversary is
   capable of intercepting and/or modifying communication between the CA
   and the domain being validated.  Issuance of a certificate to a
   domain with a "security" CAA tag MUST follow one of the specified
   Cryptographic Domain Validation (CDV) methods outlined in this
   document or future extensions.  CDV methods MUST rely on
   cryptographic protocols (like DNSSEC or DoH/DoT) that offer security
   properties even in the presence of man-in-the-middle adversaries that
   can intercept any communication which occurs over the public
   Internet.

   Not all CDV methods are in themselves compliant with the CA/Browser
   Forum's Baseline Requirements for the Issuance and Management of
   Publicly‐Trusted TLS Server Certificates.  Any CDV method that does
   not additionally meet the CA/Browser Forum Baseline Requirements for
   TLS server certificate issuance must be used in conjunction with a
   method that satisfies CA/Browser Forum's Baseline Requirements for
   the Issuance and Management of Publicly‐Trusted TLS Server
   Certificates.  Such methods are indicated in their descriptions.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Security CAA Record Syntax

   The flags field of the security tag MUST have the critical bit set in
   the flags byte of the CAA record.

   The "security" tag MUST have the tag field of the CAA record be the
   word "security".

   The value field of the "security" tag MUST be one of three values

   1.  an empty string.

   2.  entirely whitespace.

Birge-Lee, et al.          Expires 18 May 2025                  [Page 3]
Internet-Draft              CAA Security Tag               November 2024

   3.  a property_list as defined in this document.

   Values 1. and 2.  MUST be treated identically as an empty value
   field.

   A property_list is defined by the following syntax

   [whitespace]<property>[whitespace][,[whitespace]<property>[whitespace
   ] ...]

   A property is defined as

   <property_name>[whitespace][(property_list)]

   property_name is a name that identifies the property being specified.
   The name MUST consist only of lowercase letters (a-z), uppercase
   letters (A-Z), numbers (0-9), colin (:), underscore (_), and hyphen
   (-).  Names are case sensitive.

   Properties can optionally have parameters specified in parenthesis.
   The parameteres of a property are a property_list.  A property with
   no parameters MUST NOT be followed by parenthesis (i.e.,
   property_name() is not a valid statement).

   The optional property_list specified in parenthesis after each
   property contains parameters associated with that property.

   A property_list can be arbitrarily long.  Whitespace between
   properties is ignored. properties are comma-separated. property_lists
   MUST NOT be empty (i.e., property_lists must have at least one
   property).  All properties specified in a property_list MUST be
   unique.  A property_list MUST NOT have two of the same properties
   specified even if they contain different parameters.

4.  Well-known Properties

   The top-level property_list MAY contain the following properties.

   1.  *methods* If specified, this property MUST have parameters
       listing various cryptographic domain validation methods that can
       be used to validate that particular domain.  A CA MUST only use
       one of the methods specified in the parameters value_list to
       perform cryptographic domain validation.  If there is no method
       specified that the CA is capable of complying with, the CA MUST
       deny issuance.

Birge-Lee, et al.          Expires 18 May 2025                  [Page 4]
Internet-Draft              CAA Security Tag               November 2024

   2.  *options* If specified, this property MUST have parameters
       listing various options.  A CA SHOULD try to honor any option
       specified in this list.  If a CA does not understand an option or
       does not have that option implemented the, CA MAY proceed with
       issuance.

   3.  *options-critical* If specified, this property MUST have
       parameters listing various options.  To proceed with issuance, a
       CA MUST understand and implement all options specified in the
       options-critical parameter's property-list

   The top-level property_list MAY contain additional properties and a
   CA MAY proceed with issuance even if it does not understand these
   additional properties.  Subsequent RFCs MAY standardize these
   properties.

5.  Permissible Methods

   The following properties MAY be specified as parameters of the
   "methods" property.  Each method specifies particular aspects of
   certificate issuance that MUST be satisfied for a certificate to be
   issued using that method.  While some methods entail the use of CA/
   Browser Forum-compliant domain control validation methods, others do
   not entail CA/Browser Forum-compliant domain control validation and
   must be used in conjunction with a CA/Browser Forum-compliant domain
   control validation method to permit certificate issuance.

   1.  *secure-dns-record-change:* This method involves an applicant
       showing control of a DNSSEC-protected DNS record or a record that
       was retrieved via a DoH or DoT tunnel to the relevant
       authoritative nameservers used in the DNS resolution.  This can
       be done via 1) the validation method "DNS Change" specified in
       the CA/Browser Forum's Baseline Requirements for the Issuance and
       Management of Publicly‐Trusted TLS Server Certificates
       (Section 3.2.2.4.7) or 2) the "dns-01" method of the ACME RFC
       8555.  For this method to be satisfied, the FQDN where the DNS
       change is demonstrated MUST be protected by DNSSEC or lookups to
       the relevant authoritative nameservers MUST be conducted over
       authenticated channels (e.g., DoH/DoT).

   2.  *http-validation-over-tls:* This method involves the completion
       of an HTTP domain validation challenge over an HTTPS session
       using TCP port 443 where the server authenticates with an
       existing publicly-trusted valid certificate covering the domain
       in question.  The certificate cannot be self-signed or expired.
       This method MAY be directly satisfied while a CA is performing
       the "Agreed-Upon Change to Website v2" domain control validation
       method specified in the the CA/Browser Forum's Baseline

Birge-Lee, et al.          Expires 18 May 2025                  [Page 5]
Internet-Draft              CAA Security Tag               November 2024

       Requirements for the Issuance and Management of Publicly‐Trusted
       TLS Server Certificates (Section 3.2.2.4.18).  The ACME "http-01"
       challenge specified in RFC 8555 does not permit the use of HTTPS
       or port 443 when a CA is contacting the domain in question.  A CA
       MAY still satisfy the *http-validation-over-tls* method even if
       it does not initiate connections to port 443 for HTTP challenges
       so long as either 1) the connection initiated to port 80 serves a
       redirect to the same domain name over HTTPS at port 443 and the
       connection to the domain at port 443 servers a valid, trusted
       certificate or 2) in addition to contacting the domain over port
       80 the CA also contacts the domain over port 443 using HTTPS and
       the connection is established with a valid, trusted certificate
       and the same challenge value is observed.  Operators of security-
       critical domains MAY choose not to permit this method since,
       unlike other cryptographic domain validation methods specified in
       this document, its security relies on no malicious certificates
       existing for a domain at time of the creation of the "security"
       tag in the domain's policy.

   3.  *known-account-specifier:* For a CA to issue a certificate using
       this method 1) there MUST exist a unique identifier for a CA
       subscriber account that is communicated with the CA out-of-band,
       over authenticated DNS lookups, or in another manner that is
       immune to man-in-the-middle adversaries 2) the CA may only issue
       a certificate to an applicant that has authenticated itself to
       the CA as having access to that specified subscriber account.  A
       CA does not have permission to issue under this method unless
       both of these criteria are met.  Once these criteria have been
       met, the CA MUST additionally perform a validation method that is
       compliant with the Baseline Requirements for the Issuance and
       Management of Publicly‐Trusted TLS Server Certificates.  One
       acceptable way of including this account identifier is with the
       CAA ACME account URI extension in an authenticated DNS record.

   4.  *private-key-control:* This method involves an applicant showing
       control of a private key that corresponds to a public key placed
       in a DNS record associated with the domain being validated.  The
       private key must be used to sign a message containing: a unique
       identifier for the CA, the domain name(s) in the certificate, a
       timestamp, and a hash of the public key in the certificate.  This
       message may be hashed and then have the signature generated over
       the hash of this message.  Obtaining such a signed message from a
       certificate applicant authorizes the CA specified in the message
       to sign a certificate for those domain names with the specified
       public key within 24h of the timestamp provided in the message.
       The CA MUST retrieve the public key or a hash of the public key
       corresponding to the private key used for signing the message via
       an authenticated DNS lookup using either authenticated channels

Birge-Lee, et al.          Expires 18 May 2025                  [Page 6]
Internet-Draft              CAA Security Tag               November 2024

       to the relevant authoritative nameservers (e.g., DoH or DoT) or
       validation of a DNSSEC signature chain back to the ICANN root.
       After private key control is established, the CA MUST
       additionally perform a validation method that is compliant with
       the Baseline Requirements for the Issuance and Management of
       Publicly‐Trusted TLS Server Certificates.

   In the event that *no "methods" property specified in the top-level
   property_list,* all methods specified in this document are acceptable
   as well as cryptographic domain validation defined in future RFCs.
   Future RFCs MAY specify additional methods for cryptographic domain
   validation so long as they satisfy the properties of cryptographic
   domain validation (i.e., robust against global man-in-the-middle
   adversaries).

6.  Permissible Options

   The following options MAY used as parameters in the "options" or
   "options-critical" property in the top-level property_list.

   1.  *authenticated-policy-retrival:* This option signifies to a CA
       that it MUST retrive a domain's "security" tag and any associated
       domain-owner identity (e.g., identifiers used for known-account-
       specifier and private-key-control) using authenticated DNS
       lookups or other authenticated channels.  If a CA finds this
       option as a parameter to the "options-critical" property and the
       "security" tag was not retrieved using authenticated DNS lookups,
       the CA MUST NOT issues a certificate for that domain.

   Additionally, a CA MAY choose to honor its own non-standardized
   options that do not need to be supported by other CAs or the IETF.
   These options MUST be prefixed with "-<ca_name>-" where ca_name is
   the name of the CA that initially developed the option.

7.  Applicability

   "security" CAA tags can be used on domains that are contained in both
   domain validation certificates (where only the domain name in a
   certificate is validated) and extended or organization validated
   certificates (where information like organization identity as well as
   domain name is validated).  Cryptographic Domain Validation only
   hardens the security of the validation of domain names, not broader
   identities (e.g., organization names).  The use of cryptographic
   domain validation in an OV or EV certificate only improves the
   validation of the domain name(s) contained in the certificate (in the
   common name or subject-alternate names fields) and does not impact
   the validation of other forms of identity contained in the
   certificate.  Use of cryptographic domain validation in a DV

Birge-Lee, et al.          Expires 18 May 2025                  [Page 7]
Internet-Draft              CAA Security Tag               November 2024

   certificate does not imply validation of any identity beyond the
   domain name(s) in the certificate.

8.  Single "security" Tag for Each Domain

   A single domain CANNOT have multiple "security" tags specified.  A
   domain's entire cryptographic domain validation policy MUST be
   encoded into a single "security" tag.  If a CA finds a domain that
   has multiple "security" CAA tags at the same FQDN, the CA MUST block
   issuance.

9.  CAA "security" Tag Protection

   A "security" CAA tag SHOULD be protected with a valid DNSSEC
   signature chain going back to the ICANN DNSSEC root or hosted on
   authoritative DNS servers that CAs have authenticated communication
   channels with.  Any "security" CAA record not protected by such a
   signature MAY not benefit from the security properties outlined in
   this document.  If it is not possible to have a DNSSEC signature
   chain back to the ICANN root, "security" CAA records SHOULD
   alternately be hosted in an authoritative DNS resolver that supports
   recursive-to-authoritative DNS over TLS or DNS over HTTPS.  CAs
   SHOULD also require recursive-to-authoritative DNS over TLS or DNS
   over HTTPS communication (and not permit standard unencrypted DNS
   connections) for DNS providers that host "security" CAA records.
   This prevents downgrade attacks where an adversary attempts to
   interfere with the establishment of a DNS over TLS or DNS over HTTPS
   encrypted channel and cause a fallback to unencrypted DNS over UDP/
   TCP.

   Serving "security" CAA records over authenticated DNS channels or
   using authenticated DNS records (i.e., DNSSEC) is critical to the
   effectiveness of the records because a "security" CAA record not
   protected by authenticated DNS may be suppressed by an adversary that
   can manipulate DNS responses.  This could potentially allow the
   adversary to downgrade validation to use a low-security method and
   undermine the security properties of the "security" tag.

10.  Security Considerations

   Many of the security considerations regarding "security" CAA records
   are inherited from those of CAA records more generally.  Because
   "security" CAA records do not introduce any new methods for
   validating domain ownership, they do not increase the attack surface
   of fraudulent validations. "security" CAA records reduce the attack
   surface of fraudulent validations by limiting which validation
   methods may be used and thus eliminating the risk posed by less-
   secure validation methods.  Particularly, domains without a

Birge-Lee, et al.          Expires 18 May 2025                  [Page 8]
Internet-Draft              CAA Security Tag               November 2024

   "security" CAA record are often highly vulnerable to man-in-the-
   middle adversaries that can intercept communications from a CA to the
   victim's domain.  This record significantly reduces this attack
   surface.

   As with any restriction on certificate issuance, this introduces the
   potential for a Denial of Service attack (or DoS attack).  There are
   two potential approaches to launching a DoS attack via "security" CAA
   records.  The first is to attack a domain and spoof the existence of
   a "security" CAA record in order to prevent the domain owner from
   renewing his or her certificate (presuming the domain under attack
   was not using a validation method compliant with the "security" CAA
   record).  This attack vector is not novel to "security" CAA records
   and is enabled solely by following RFC 6844 alone.  Per RFC 6844, the
   presence of any not-understood CAA record with the critical flag
   prevents issuance.  Thus, the adoption of "security" CAA records does
   not increase the attack surface for this form of DoS attack as a
   gibberish CAA record with the critical flag set could enable this
   type of attack as well.

   A second approach to a DoS attack enabled by "security" CAA records
   is to target a domain already using a "security" CAA record and
   interfere with all of the permitted validation methods with the idea
   that the presence of the "security" CAA will prevent the domain from
   falling back on alternative validation methods.  This attack vector
   is mitigated by the diversity of different methods available to
   domain owners for validating domain ownership using "security" CAA
   records.  A domain owner may use an alternate method to satisfy the
   "security" CAA record.  In the event that a domain owner truly cannot
   satisfy any cryptographic domain validation method, the domain owner
   can still mitigate this attack by removing the "security" CAA record,
   obtaining a certificate, and then reinstating the "security" CAA
   record once the attack is over.  As with all CAA records, CAs should
   not cache stale CAA record lookups that block issuance and should
   instead recheck the CAA record set when a new issuance request is
   received.

11.  IANA Considerations

   This document has no IANA actions.

12.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

Birge-Lee, et al.          Expires 18 May 2025                  [Page 9]
Internet-Draft              CAA Security Tag               November 2024

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Henry Birge-Lee
   Princeton University
   Email: birgelee@princeton.edu

   Grace Cimaszewski
   Princeton University
   Email: gcimaszewski@princeton.edu

   Cyrill E. Krähenbühl
   Princeton University
   Email: cyrill.k@princeton.edu

   Liang Wang
   Princeton University
   Email: lw19@princeton.edu

   Aaron Gable
   ISRG
   Email: aaron@letsencrypt.org

   Prateek Mittal
   Princeton University
   Email: pmittal@princeton.edu

Birge-Lee, et al.          Expires 18 May 2025                 [Page 10]