Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)

Oleg Muravskiy <oleg@ripe.net> Fri, 15 May 2020 09:18 UTC

Return-Path: <oleg@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4073B3A07C8 for <sidrops@ietfa.amsl.com>; Fri, 15 May 2020 02:18:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbJ4DItbnVOy for <sidrops@ietfa.amsl.com>; Fri, 15 May 2020 02:18:07 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D72E3A07BF for <sidrops@ietf.org>; Fri, 15 May 2020 02:18:07 -0700 (PDT)
Received: from bufobufo.ripe.net ([193.0.23.13]) by molamola.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1jZWTm-00077F-30; Fri, 15 May 2020 11:18:06 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::36a]) by bufobufo.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1jZWTl-0001o5-Vb; Fri, 15 May 2020 11:18:05 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <20200515090840.12a9464a@grisu.home.partim.org>
Date: Fri, 15 May 2020 11:18:05 +0200
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F7B5AE6-8250-4937-B246-12F6F1C978CD@ripe.net>
References: <be9450ba-fe9c-465f-98a2-919772b3b32a.ref@verizon.net> <be9450ba-fe9c-465f-98a2-919772b3b32a@verizon.net> <20200512211314.4C2CD20156DBC4@minas-ithil.hactrn.net> <73b88326-d537-93eb-b0d0-a0a82507081c@verizon.net> <m2imh0x750.wl-randy@psg.com> <076ad9b0-ea5d-47a4-52f7-8b913dc6c1ae@verizon.net> <C49A008F-02FE-4A97-9E96-5EAAFBA5AC48@nlnetlabs.nl> <156c83ba-d4d8-8baa-7f87-a2600cb9c19a@verizon.net> <20200515090840.12a9464a@grisu.home.partim.org>
To: Martin Hoffmann <martin@opennetlabs.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-ACL-Warn: Delaying message
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b742b2b50bb3707312f22078de4085f7d83
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/39kWSzsvktVdt3-dge3LYobM9qs>
Subject: Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 09:18:10 -0000

On 15 May 2020, at 09:08, Martin Hoffmann <martin@opennetlabs.com> wrote:
> 
> Stephen Kent wrote:
>> Tim,
>> 
>>> If not, then indeed we need to have a discussion about how to deal
>>> properly with multiple CRLS. E.g. do you check *all* of them for
>>> each issued certificate, or do you only check the CRL matching the
>>> CRLDP of that certificate? I would also be very curious to know
>>> which use case warrants having this complexity.  
>> 
>> My suggestion is the KISS approach - first .crl file that has a valid 
>> hash is the one to use, and others are ignored. That's less forgiving 
>> than what Rob accommodates, but being forgiving here might take
>> pressure of a CA to do its job properly.
> 
> I’m not sure it really does. Rather, it will lead to strange looking
> issues: If the wrong CRL accidentally made it onto the manifest and it
> comes first, all objects are invalid even though everything sort of
> looks fine. This may even come and go if a CA reorders the CRLs when
> it reissues the manifest[0]. If all CRLs are referenced by objects, some
> objects suddenly are invalid while others aren’t.
> 
> I think invalidating the manifest with a clear warning is the more
> straightforward approach and much easier to debug.

I tend to agree with this approach. It will keep RFC and validator’s code simple and force CAs to fix their bugs.

Oleg