Re: [Sidrops] mft/ee validity time window alignment issue - Re: I-D Action: draft-ietf-sidrops-6486bis-05.txt

[Stephen Kent <stkent@verizon.net>]

Job,
> Hi all,
>
> I think the latest changes looked great on paper (and indeed simplify
> the text significantly), but are not operationally feasible.
>
> Quoting from draft-ietf-sidrops-6486bis-05 section 4.2.1 "Manifest":
>> Because a "one-time-use" EE certificate is employed to verify a
>> manifest, the EE certificate MUST have a validity period that
>> coincides with the interval from thisUpdate to nextUpdate in the
>> manifest, to prevent needless growth of the CA's CRL.
> It appears there are quite some CAs out there where 'nextUpdate' and
> 'notAfter' are not equivalent, I estimate it would reduce the global VRP
> count from ~ 263,175 down to ~ 209,931.
I am impressed by the work you did to discover which CAs are issuing EE 
certs for manifests that would not comply with the proposed changes. 
However, as Tim noted in his response, his CA code fails to follow the 
existing spec, so we should assume that there will need to a a gradual 
transition to a new, more restrictive spec. thus, saying that the 
proposed spec is "not operationally feasible" is an overstatement.

Nonetheless, I am open to suggestions on what we choose to mandate (vs. 
recommend) in terms of CA behavior, and to what extent we require (v.s 
recommend) that RPs check to see if CAs are following any new specs.

Steve