IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

Martin Hoffmann <martin@opennetlabs.com> Tue, 24 March 2020 14:20 UTC

Return-Path: <martin@opennetlabs.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 368CF3A0822 for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 07:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NO_DNS_FOR_FROM=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y73uRQZsNTOg for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 07:20:15 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB3283A0811 for <sidrops@ietf.org>; Tue, 24 Mar 2020 07:20:13 -0700 (PDT)
Received: from glaurung.nlnetlabs.nl (82-197-214-124.dsl.cambrium.nl [82.197.214.124]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 1EDC12165A; Tue, 24 Mar 2020 15:20:10 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none (p=none dis=none) header.from=opennetlabs.com
Authentication-Results: dicht.nlnetlabs.nl; spf=none smtp.mailfrom=martin@opennetlabs.com
Date: Tue, 24 Mar 2020 15:20:09 +0100
From: Martin Hoffmann <martin@opennetlabs.com>
To: Job Snijders <job@ntt.net>
Cc: Tim Bruijnzeels <tim@nlnetlabs.nl>, SIDR Operations WG <sidrops@ietf.org>
Message-ID: <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl>
In-Reply-To: <20200324135828.GG60268@vurt.meerval.net>
References: <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/8sqFYsGuPJ2pLG7ixNEes7Q8Rzs>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 14:20:22 -0000

Job Snijders wrote:
> On Tue, Mar 24, 2020 at 10:42:37AM -0300, Tim Bruijnzeels wrote:
> > 
> > With RRDP over HTTPS a lot of in transit / MITM issues are
> > mitigated.  
> 
> I'm not sure I agree - routinator, fort and octorpki are trivially
> forced to use rsync if the attacker blocks TCP port 443.

At least Routinator does not fall back to rsync once it has
successfully completed accessing the repository via RRDP once. I am
open to strengthen this to not ever use rsync if there is a RRDP URI in
the certificate. 

Kind regards,
Martin

v2.23.0 | Report a Bug | By Email