Re: [Sidrops] trying to limit RP processing variability

Martin Hoffmann <martin@opennetlabs.com> Thu, 16 April 2020 09:58 UTC

Return-Path: <martin@opennetlabs.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B96203A1362 for <sidrops@ietfa.amsl.com>; Thu, 16 Apr 2020 02:58:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id deHBFE1fd94f for <sidrops@ietfa.amsl.com>; Thu, 16 Apr 2020 02:58:20 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01FFC3A1366 for <sidrops@ietf.org>; Thu, 16 Apr 2020 02:58:19 -0700 (PDT)
Received: from glaurung.nlnetlabs.nl (82-197-214-124.dsl.cambrium.nl [82.197.214.124]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 532231CE0E; Thu, 16 Apr 2020 11:58:18 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none (p=none dis=none) header.from=opennetlabs.com
Authentication-Results: dicht.nlnetlabs.nl; spf=none smtp.mailfrom=martin@opennetlabs.com
Date: Thu, 16 Apr 2020 11:58:17 +0200
From: Martin Hoffmann <martin@opennetlabs.com>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Job Snijders <job@ntt.net>
Message-ID: <20200416115817.6c3f4318@glaurung.nlnetlabs.nl>
In-Reply-To: <20200415143321.GM72650@diehard.n-r-g.com>
References: <a9448e54-320f-300c-d4f9-d01aca2b6ef4.ref@verizon.net> <a9448e54-320f-300c-d4f9-d01aca2b6ef4@verizon.net> <20200415150141.016d021d@glaurung.nlnetlabs.nl> <20200415140012.GB30412@vurt.meerval.net> <20200415161415.29c49f4e@glaurung.nlnetlabs.nl> <20200415143321.GM72650@diehard.n-r-g.com>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2FIT7iOWxKJESGQRz2SSRlr8ilE>
Subject: Re: [Sidrops] trying to limit RP processing variability
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 09:58:22 -0000

Claudio Jeker wrote:
> On Wed, Apr 15, 2020 at 04:14:15PM +0200, Martin Hoffmann wrote:
> > Job Snijders wrote:  
> > > On Wed, Apr 15, 2020 at 03:01:41PM +0200, Martin Hoffmann wrote:  
> > > >  
> > > > > 1.Manifest present, valid, current    
> > > > 
> > > > If there is a present, valid, and current manifest, the CRL can
> > > > safely be ignored for all objects.    
> > > 
> > > I'd like to ask you for some clarification, Stephen Kent listed 4
> > > different cases, I parapharsed here:
> > > 
> > > 1.1. Manifest present, valid, current AND CRL present, valid,
> > > current 1.2. Manifest present, valid, current AND CRL present,
> > > stale 1.3. Manifest present, valid, current AND CRL present,
> > > invalid 1.4. Manifest present, valid, current AND CRL missing
> > > 
> > > When you say "can safely be ignored", do you mean, MAY be ignored,
> > > SHOULD be ignored? or MUST be ignored? In all four cases?  
> > 
> > In all cases. Since it is ignored, it doesn’t really matter whether
> > it is good or bad or ugly. 
> > 
> > I suppose I would go with "SHOULD be ignored" here.  
> 
> Which CRL are we talking about? The ones listed in the manifest or
> the one referenced by the manifest certificate?

Isn’t that supposed to be the same? Each CA only issues one CRL for all
its issued certificates and replaces it upon update.

Kind regards,
Martin