Certification Authority Authorization (CAA) Processing for Email Addresses
draft-ietf-lamps-caa-issuemail-07

[Ballot comment]
I'm only balloting NoObjection instead of Yes because this is quite far outside my area of expertise...

I'd like to thank Tim Chown for the OpsDir review (https://datatracker.ietf.org/doc/review-ietf-lamps-caa-issuemail-05-opsdir-lc-chown-2023-07-21/) and Tim Wicinski for the DNSDir reviews (https://datatracker.ietf.org/doc/review-ietf-lamps-caa-issuemail-04-dnsdir-lc-wicinski-2023-07-01/ ), and the authors for addressing the comments.

[Ballot discuss]

Issue #1

        The discovery of such a Relevant RRSet MUST be performed using the
        algorithm specified in section 3 of [RFC8659]. The input domain to the
        discovery algorithm SHALL be the domain "part" ([RFC5322]) of the email
        address that is being certified.

And RFC 8659 states:

        The search for a CAA RRset climbs the DNS name tree from the
        specified label up to, but not including, the DNS root "." until
        a CAA RRset is found.


While this algorithm makes sense for a CAA to restrict issuing, I'm not sure it
makes sense for email addresses where the permission might be granted by a parent.

eg ig there is a CAA record saying "no email certs" at nohats.ca,
and there is a CAA record saying "sure, issue stuff" at toronto.nohats.ca,

is it the desired behaviour that toronto.nohats.ca can override the nohats.ca
policy and issues certs for paul@toronto.nohats.ca?  This also brings into
question whether Public Suffix List (PSL) type restrains matter.

It might very well be the intent, but then perhaps it should be made a little more
explicit ? (and then I have to rethink about what I think about subdomains overriding
their parents)


Issue #2:

Section 5.4 contains an example of conflicting records, and the text then
describes a process of "failing open". From a security point of view, I
would argue this should "fail close" and not allow issuance. Was this discussed
in the WG? What is the rationale behind this "more vulnerable to mistakes"
interpretation?

[Ballot comment]
# GEN AD review of draft-ietf-lamps-caa-issuemail-06

CC @larseggert

Thanks to Christer Holmberg for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/GYC_l7lPAXHT5faG--KuCiqfAVk).

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Grammar/style

#### Section 3, paragraph 6
```
ters, digits, and the hyphen (known as a "LDH label") * "parameters": A semic
                                      ^
```
Use "an" instead of "a" if the following word starts with a vowel sound, e.g.
"an article", "an hour".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool

[Ballot comment]
I concur with Eric's observation that the shepherd writeup is missing the "Why?" portion of the document status answer.

I suggest mentioning in the IANA Considerations section that the registry group being referenced is "Public Key Infrastructure using X.509 (PKIX) Parameters".

[Ballot comment]

# Éric Vyncke, INT AD, comments for draft-ietf-lamps-caa-issuemail-05

Thank you for the work put into this document. The examples of section 5 are useful for the reader.

Please find below one nit.

Special thanks to Russ Housley for the shepherd's detailed write-up including the WG consensus *but it lacks*  the justification of the intended status.

Please note that Tim Wicinski  is the DNS directorate reviewer and you may want to consider this int-dir review as well when it will be available (no need to wait for it though):
https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-issuemail/reviewrequest/17830/ (and I have noted the interaction between the author and Tim for his Last Call DNSDIR review)

I hope that this review helps to improve the document,

Regards,

-éric

# NITS

## Section 3

"LDH", even if defined in the RFC editor abbreviation, would benefit from an expansion in the text.

Expert approved the Certification Authority Restriction Properties registration with the following comment:

"One nit that did come to mind is that the document says 'email' and does not specify the email protocol. While it is currently reasonably obvious this is going to be SMTP, that may not be the case in the future. If the instant messaging people ever come up with a federated approach they are likely to end up using alice@example.com type addresses. If they are offering end-to-end secure messages of email length, well what would we need SMTP for?"

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-caa-issuemail-04. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete.

In the Certification Authority Restriction Properties registry on the Public Key Infrastructure using X.509 (PKIX) Parameters registry page located at:

https://www.iana.org/assignments/pkix-parameters/

a single new property will be registered as follows:

Tag: issuemail
Meaning: Authorization Entry by Email Address
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Specialist

The following Last Call announcement was sent out (ends 2023-07-11):

From: The IESG
To: IETF-Announce
CC: draft-ietf-lamps-caa-issuemail@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, rdd@cert.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Certification Authority Authorization (CAA) Processing for Email Addresses) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: -
'Certification Authority Authorization (CAA) Processing for Email
  Addresses'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2023-07-11. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  The Certification Authority Authorization (CAA) DNS resource record
  (RR) provides a mechanism for domains to express the allowed set of
  Certification Authorities (CAs) that are authorized to issue
  certificates for the domain.  RFC 8659 contains the core CAA
  specification, where Property Tags that restrict the issuance of
  certificates which certify domain names are defined.  This
  specification defines a Property Tag that grants authorization to CAs
  to issue certificates which contain the id-kp-emailProtection key
  purpose in the extendedKeyUsage extension and one or more rfc822Name
  or otherName of type id-on-SmtpUTF8Mailbox that include the domain
  name in the subjectAltName extension.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-caa-issuemail/



No IPR declarations have been submitted directly on this I-D.

# Shepherd Write-up for draft-ietf-lamps-caa-issuemail-03

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is broad support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was little controversy, and suggested improvements were readily
  accepted by the author.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Several Certification Authorities have expressed interest in implementing
  this specification.  The CA/Browser Forum will likely require support for
  this specification in their S/MIME Certificate Baseline Requirements.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  Individuals that participate in the CA/Browser Forum have followed the
  development of this specification carefully.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ABNF is used.  It was checked with BAP.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    No IPR disclosures were issued against this document.

    The author has explicitly stated that he is unaware of any IPR
    that needs to be declared.

    The author has explicitly stated that he do not hold any IPR
    related to this document.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    There is one line that exceeded of 73 characters; it is an example.
    Perhaps some whitespace can be removed by the RFC Editor.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are RFCs.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    No.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    The new Propertay Tag is added to the "Certification Authority
    Restriction Properties" registry, which is located [here]
    (https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties).

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.

# Shepherd Write-up for draft-ietf-lamps-caa-issuemail-03

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is broad support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was little controversy, and suggested improvements were readily
  accepted by the author.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Several Certification Authorities have expressed interest in implementing
  this specification.  The CA/Browser Forum will likely require support for
  this specification in their S/MIME Certificate Baseline Requirements.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  Individuals that participate in the CA/Browser Forum have followed the
  development of this specification carefully.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ABNF is used.  It was checked with BAP.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    No IPR disclosures were issued against this document.

    The author has explicitly stated that he is unaware of any IPR
    that needs to be declared.

    The author has explicitly stated that he do not hold any IPR
    related to this document.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    There is one line that exceeded of 73 characters; it is an example.
    Perhaps some whitespace can be removed by the RFC Editor.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are RFCs.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    No.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    The new Propertay Tag is added to the "Certification Authority
    Restriction Properties" registry, which is located [here]
    (https://www.iana.org/assignments/pkix-parameters/pkix-parameters.xhtml#caa-properties).

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.