Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt

Toerless Eckert <> Wed, 01 July 2020 23:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 570573A11E3 for <>; Wed, 1 Jul 2020 16:41:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tl4-2nvoTUMp for <>; Wed, 1 Jul 2020 16:41:06 -0700 (PDT)
Received: from ( [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1AB7C3A11C9 for <>; Wed, 1 Jul 2020 16:41:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 75A16548068; Thu, 2 Jul 2020 01:41:00 +0200 (CEST)
Received: by (Postfix, from userid 10463) id 6D358440043; Thu, 2 Jul 2020 01:41:00 +0200 (CEST)
Date: Thu, 02 Jul 2020 01:41:00 +0200
From: Toerless Eckert <>
To: Michael Richardson <>
Message-ID: <>
References: <> <14763.1593644290@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <14763.1593644290@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [Anima] use of CRLs in I-D Action: draft-ietf-anima-autonomic-control-plane-26.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Jul 2020 23:41:08 -0000

On Wed, Jul 01, 2020 at 06:58:10PM -0400, Michael Richardson wrote:
> the diff for  Certificate Revocation Lists (CRLs)
> fixes some TLAs, but continues to seem to recommend long-lived certificates with CRLs.

The need to diligently document support for CRL/OCSP was done on
behalf of securiy reviews. It is not meant to be a recommendation.
There is mentioning of short-lived certificates in a few places in the

> I think that CRLs are not useful, and we should not use them.

I think we agree.

> 6.1.3 is clear that OCSP/CRLs may not be available when connecting!
> I think that use of STAR ( )
> Short-Term, Automatically Renewed is the best recommendation!

In general yes, but the STAR use cases typically do not take into
account  connectivity problems that are longer than the lifetime of
a cert, whereas for the ACP this might be a problem.

With CRL/OCSP, it seems as if we could define the details under
loss of connectivity through these mentioned rules. This seems
like an easily acceptable solution for the proponents of CRL/OCSP
because they couldn't come up with a better solution and its their

When we are talking about expiry of short lived certs we would be
talking about pootentially authenticating expired certs under
limited network connectivity. Thats quite new and the proponents
of CRL/OCSP would drag along the argument much longer.

> If we have to do OCSP (via )
> then we nodes can download their staple and provide it when connecting.
> New nodes can get this using the Join Proxy.
> Perhaps this needs to be in a new document at this point.

Yepp.  I think to remember that MaxP was thinking of suggesting to
talk about dealing with expired certs for our cases in i think LAMPS too
but longer ago...


> --
> Michael Richardson <>, Sandelman Software Works
>  -= IPv6 IoT consulting =-

> _______________________________________________
> Anima mailing list