Re: [Sidrops] proposed, revised text for Section 6

Stephen Kent <stkent@verizon.net> Thu, 07 May 2020 15:38 UTC

To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: Oleg Muravskiy <oleg@ripe.net>, "sidrops@ietf.org" <sidrops@ietf.org>
References: <557f0928-c7b1-4b8d-b3b6-078733f7ef8a.ref@verizon.net> <557f0928-c7b1-4b8d-b3b6-078733f7ef8a@verizon.net> <1065C1CC-191A-4CFF-A87C-4F1CB165F303@ripe.net> <507640b8-30e7-9f95-e6ed-adba12efb090@verizon.net> <7A134E0C-52E1-4FAD-A4E6-D971EFCDC63E@nlnetlabs.nl>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <cc0fb3bc-1ebf-9417-fa60-361cb899b938@verizon.net>
Date: Thu, 7 May 2020 11:38:21 -0400
In-Reply-To: <7A134E0C-52E1-4FAD-A4E6-D971EFCDC63E@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/1RDXNuP1H8oNlR2MbAH99kxwQPk>
Subject: Re: [Sidrops] proposed, revised text for Section 6
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>

Tim,

> ...
> I agree.
>
> I think all CA implementations already do the following, which is implied by RFC 6487 and 6481 in particular. But the text is not sufficiently explicit. Updates will help, especially RP software.
>
> * There is only ever one (1!) *current* CA certificate issued for a given key (implied by RFC6492)
> * This CA certificate has the following SIA entries:
>      - id-ad-caRepository pointing to its full publication point
>      - id-ad-rpkiManifest pointing to a manifest in that publication point
>      - (still optionally) id-ad-rpkiNotify pointing to the RRDP (RFC 8182) notification file
>
> * For a CA certificate (i.e. a single key) there will be ONE current MFT only
> * For a CA certificate (i.e. a single key) there will be ONE current CRL only
> * That CRL name and hash MUST match the one and only .crl file on the MFT
> * Any issued (EE or CA) certificate under this CA certificate (single key) MUST use a CRLDP that matches the name of this .crl file, under the issuing CA certificate's id-ad-caRepository

This all sounds appropriate to me. I can state these assumptions in the intro for Section 6.

What do we want to do if we encounter two or more .crl files in a manifest? Use the first one, ignore any others, and issue a warning?

What do we want to do if the CRLDP in a CA cert does not match the file name in the manifest? Issue a warning and use the .crl file from the manifest?

Steve
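The constraints Tim lists above and the two edge cases Steve asks about, as an added Python example that is not code from this thread or from any RP implementation. It assumes a manifest whose file list carries SHA-256 hashes of the objects, and for the two edge cases it takes the handling Steve floats (use the first .crl and warn; warn on a CRLDP mismatch and keep the manifest's .crl) as an assumption rather than settled text. The repository URIs, object bytes and certificate names are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CACert:
    """The SIA entries of a CA certificate that the thread discusses."""
    ca_repository: str                 # id-ad-caRepository: the publication point
    rpki_manifest: str                 # id-ad-rpkiManifest: manifest in that point
    rpki_notify: Optional[str] = None  # id-ad-rpkiNotify: RRDP notification file (optional)


@dataclass
class Manifest:
    """Manifest file list: filename -> expected SHA-256 digest of that object."""
    file_list: Dict[str, bytes]


@dataclass
class IssuedCert:
    """An EE or CA certificate issued under the CA key; only its CRLDP matters here."""
    name: str
    crldp: str


@dataclass
class CheckResult:
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    crl_in_use: Optional[str] = None   # the .crl the RP ends up using


def check_publication_point(ca: CACert, mft: Manifest, objects: Dict[str, bytes],
                            issued: List[IssuedCert]) -> CheckResult:
    """Apply the one-manifest / one-CRL / matching-CRLDP rules to one CA key.

    `objects` maps filenames in the publication point to their raw bytes so the
    manifest hash can be verified. Handling of the two edge cases (extra .crl
    files, CRLDP mismatch) is the option Steve floats, taken as an assumption.
    """
    res = CheckResult()
    repo = ca.ca_repository.rstrip("/") + "/"

    # SIA: the manifest must sit inside the CA's own publication point.
    if not ca.rpki_manifest.startswith(repo):
        res.errors.append(f"rpkiManifest {ca.rpki_manifest} is not under caRepository {repo}")

    # Exactly one .crl on the manifest; more than one -> use the first, warn.
    crl_names = [f for f in mft.file_list if f.lower().endswith(".crl")]
    if not crl_names:
        res.errors.append("manifest lists no .crl file")
        return res
    if len(crl_names) > 1:
        res.warnings.append(f"manifest lists {len(crl_names)} .crl files; "
                            f"using {crl_names[0]}, ignoring {crl_names[1:]}")
    crl_name = crl_names[0]
    res.crl_in_use = crl_name

    # The CRL's name and hash must match the manifest entry.
    crl_bytes = objects.get(crl_name)
    if crl_bytes is None:
        res.errors.append(f"{crl_name} is on the manifest but missing from the publication point")
    elif hashlib.sha256(crl_bytes).digest() != mft.file_list[crl_name]:
        res.errors.append(f"hash of {crl_name} does not match its manifest entry")

    # Every issued cert's CRLDP must name that CRL under the issuer's caRepository;
    # on mismatch, warn and keep using the manifest's CRL.
    expected = repo + crl_name
    for cert in issued:
        if cert.crldp != expected:
            res.warnings.append(f"{cert.name}: CRLDP {cert.crldp} != {expected}; "
                                f"using {crl_name} from manifest")
    return res


# Constructed sample publication point (not taken from the thread).
REPO = "rsync://rpki.example.net/repo/ca1/"
CRL_BYTES = b"constructed current CRL"
OLD_CRL_BYTES = b"constructed stale CRL"
ROA_BYTES = b"constructed ROA"


def _sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def demo_clean() -> CheckResult:
    """One CRL, CRLDP matches: no findings."""
    ca = CACert(REPO, REPO + "ca1.mft", "https://rrdp.example.net/notification.xml")
    mft = Manifest({"ca1.crl": _sha(CRL_BYTES), "ee1.roa": _sha(ROA_BYTES)})
    objects = {"ca1.crl": CRL_BYTES, "ee1.roa": ROA_BYTES}
    return check_publication_point(ca, mft, objects, [IssuedCert("ee1", REPO + "ca1.crl")])


def demo_messy() -> CheckResult:
    """Two .crl files on the manifest and a child CA whose CRLDP names the stale one."""
    ca = CACert(REPO, REPO + "ca1.mft")
    mft = Manifest({"ca1.crl": _sha(CRL_BYTES), "old.crl": _sha(OLD_CRL_BYTES)})
    objects = {"ca1.crl": CRL_BYTES, "old.crl": OLD_CRL_BYTES}
    return check_publication_point(ca, mft, objects, [IssuedCert("child-ca", REPO + "old.crl")])


def demo_tampered() -> CheckResult:
    """CRL bytes in the repository do not hash to the manifest entry: hard error."""
    ca = CACert(REPO, REPO + "ca1.mft")
    mft = Manifest({"ca1.crl": _sha(CRL_BYTES)})
    return check_publication_point(ca, mft, {"ca1.crl": OLD_CRL_BYTES}, [])


if __name__ == "__main__":
    for name, fn in [("clean", demo_clean), ("messy", demo_messy), ("tampered", demo_tampered)]:
        r = fn()
        print(name, "errors:", r.errors, "warnings:", r.warnings, "crl:", r.crl_in_use)
```

The split between errors and warnings mirrors the distinction in Steve's questions: a manifest with no CRL or a CRL whose hash does not match is a hard failure for that publication point, whereas an extra .crl or a mismatched CRLDP is tolerated with a warning so the RP still has a CRL to apply.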