Internet DRAFT - draft-chariton-ipcaa

draft-chariton-ipcaa







Limited Additional Mechanisms for PKIX and SMIME          A. A. Chariton
Internet-Draft                                                    Google
Updates: 8659, 6844 (if approved)                        2 December 2022
Intended status: Standards Track                                        
Expires: 5 June 2023


      DNS CAA Resource Record Property for IP Address Certificates
                        draft-chariton-ipcaa-00

Abstract

   This document specifies a new DNS CAA Resource Record Property that
   allows an IP Address holder to specify one or more Certification
   Authorities (CAs) authorized to issue certificates for that IP
   Address.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://daknob.github.io/draft-chariton-ipcaa/.  Status information
   for this document may be found at https://datatracker.ietf.org/doc/
   draft-chariton-ipcaa/.

   Discussion of this document takes place on the WG Working Group
   mailing list (mailto:spasm@ietf.org), which is archived at
   https://datatracker.ietf.org/wg/lamps/about/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spasm/.

   Source for this draft and an issue tracker can be found at
   https://github.com/daknob/draft-chariton-ipcaa.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."



Chariton                   Expires 5 June 2023                  [Page 1]

Internet-Draft                   IP-CAA                    December 2022


   This Internet-Draft will expire on 5 June 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     2.2.  Defined Terms . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Relevant Resource Record Set  . . . . . . . . . . . . . . . .   3
   4.  CAA ip Property . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  Deployment Considerations . . . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   The CAA Resource Records specified in [RFC8659] allow a domain holder
   to limit the CAs that are authorized to issue certificates for that
   domain.  However, there is no mechanism to provide the same
   functionality for IP Addresses that can be included in certificates.

   This document specifies a new Property for CAA records that exist in
   the Reverse DNS Zones that can achieve the same effect.

   A new Property is required so as not to interfere with certificate
   issuance for the subdomains of these two zones, and issue and
   issuewild continue to be valid.







Chariton                   Expires 5 June 2023                  [Page 2]

Internet-Draft                   IP-CAA                    December 2022


2.  Conventions and Definitions

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.2.  Defined Terms

   This document uses the same defined terms as Section 2.2 of
   [RFC8659].  The following term is redefined in this document:

   Relevant Resource Record Set (Relevant RRset):  A set of CAA Resource
      Records resulting from calculating the IP Address Reverse DNS FQDN
      for an IP Address.

   The following terms are additionally defined:

   IP Address:  An IPv6 or IPv4 address.

   Reverse DNS Zones:  The DNS zones ip6.arpa and in-addr.arpa.

   IP Address Reverse DNS FQDN:  The FQDN that corresponds to an IP
      Address within the Reverse DNS Zones that can be calculated by
      using the algorithms described in Section 2.5 of [RFC3596] and
      Section 3.5 of [RFC1035].

3.  Relevant Resource Record Set

   In order to determine the Relevant RRset, a compliant CA must
   calculate the IP Address Reverse DNS FQDN.

   Then, it must apply the algorithm specified in Section 3 of [RFC8659]
   for the calculated FQDN.  The search stops at the Reverse DNS Zones,
   but does not include them.

4.  CAA ip Property

   If the ip Property Tag is present in the Relevant RRset for an IP
   Address, it is a request that Issuers:

   1.  Perform CAA issue restriction processing for the IP Address, and






Chariton                   Expires 5 June 2023                  [Page 3]

Internet-Draft                   IP-CAA                    December 2022


   2.  Grant authorization to issue certificates containing that IP
       Address to the holder of the issuer-domain-name or a party acting
       under the explicit authority of the holder of the issuer-domain-
       name.

   The CAA ip Property Value has the following sub-syntax (specified in
   ABNF as per [RFC5234]):

   issue-value = *WSP [issuer-domain-name *WSP]
      [";" *WSP [parameters *WSP]]

   issuer-domain-name = label *("." label)
   label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))

   parameters = (parameter *WSP ";" *WSP parameters) / parameter
   parameter = tag *WSP "=" *WSP value
   tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
   value = *(%x21-3A / %x3C-7E)

   The following CAA RRset requests that no certificates be issued for
   the IP Address "2001:db8::1" by any Issuer other than
   ca1.example.net:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
                                              CAA 0 ip "ca1.example.net"

   The following CAA RRset requests that no certificates be issued for
   the IP Address "192.0.2.2" by any Issuer other than ca2.example.org:

   2.2.0.192.in-addr.arpa  CAA 0 ip "ca2.example.org"

   The following CAA RRset requests that no certificates be issued for
   the IP Address "192.0.2.1" by any Issuer other than ca1.example.net,
   and that no certificates be issued for the domain "1.2.0.192.in-
   addr.arpa" by any Issuer other than ca2.example.org:

   1.2.0.192.in-addr.arpa  CAA 0 ip    "ca1.example.net"
   1.2.0.192.in-addr.arpa  CAA 0 issue "ca2.example.org"

   An ip Property Tag where the issue-value does not match the ABNF
   grammar MUST be treated the same as one specifying an empty issuer-
   domain-name.  For example, the following malformed CAA RRset forbids
   issuance:

e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
                                                        CAA 0 ip "%%%%%"





Chariton                   Expires 5 June 2023                  [Page 4]

Internet-Draft                   IP-CAA                    December 2022


   The CAA ip Property Tag MUST be ignored if the FQDN is not a valid IP
   Address Reverse DNS FQDN.

   An Issuer MAY choose to specify parameters that further constrain the
   issue of certificates by that Issuer -- for example, specifying that
   certificates are to be subject to specific validation policies,
   billed to certain accounts, or issued under specific trust anchors.

   For example, if ca1.example.net has requested that its customer that
   wants a certificate with the IP Address 192.0.2.32 specified their
   account number "110995" in each of the customer's CAA records using
   the (CA-defined) "account" parameter, it would look like this:

  32.2.0.192.in-addr.arpa  CAA 0 issue "ca1.example.net; account=110995"

5.  Security Considerations

   The same Security Considerations described in Section 5 of [RFC8659]
   apply to this document.  On top of these, as the IP Address Reverse
   DNS FQDN is not checked by CAs that do not comply to this document,
   the critical flag, described in Section 4.5 of [RFC8659], may have
   reduced efficacy.

6.  Deployment Considerations

   The same Deployment Considerations described in Section 6 of
   [RFC8659] apply to this document.  On top of these, deployment of CAA
   ip Property Tags will increase the amount of DNS queries required
   when issuing certificates for IPv6 addresses, as it can include up to
   32 DNS queries to the ip6.arpa zone if there are no Relevant RRsets.

7.  IANA Considerations

   The "Certification Authority Restriction Properties" registry needs
   to be updated to include the following entry:

   Tag:  ip

   Meaning:  Authorization Entry by IP Address

   Reference:  This document

8.  Normative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.




Chariton                   Expires 5 June 2023                  [Page 5]

Internet-Draft                   IP-CAA                    December 2022


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3596]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
              "DNS Extensions to Support IP Version 6", STD 88,
              RFC 3596, DOI 10.17487/RFC3596, October 2003,
              <https://www.rfc-editor.org/info/rfc3596>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8659]  Hallam-Baker, P., Stradling, R., and J. Hoffman-Andrews,
              "DNS Certification Authority Authorization (CAA) Resource
              Record", RFC 8659, DOI 10.17487/RFC8659, November 2019,
              <https://www.rfc-editor.org/info/rfc8659>.

Acknowledgments

Author's Address

   Antonios A. Chariton
   Google
   Email: aac@google.com




















Chariton                   Expires 5 June 2023                  [Page 6]