Re: [Sidrops] what to do when the CRL is hosed?

Di Ma <madi@zdns.cn> Wed, 26 February 2020 07:53 UTC

Return-Path: <madi@zdns.cn>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57B253A0FFA for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 23:53:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oTCoVoyrJ0Sk for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 23:53:17 -0800 (PST)
Received: from smtpproxy21.qq.com (smtpbg702.qq.com [203.205.195.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3232E3A0FFB for <sidrops@ietf.org>; Tue, 25 Feb 2020 23:53:14 -0800 (PST)
X-QQ-mid: bizesmtp19t1582703588torqvr88
Received: from [192.168.3.24] (unknown [118.198.173.48]) by esmtp10.qq.com (ESMTP) with id ; Wed, 26 Feb 2020 15:53:06 +0800 (CST)
X-QQ-SSF: 00400000000000N0ZI80000A0000000
X-QQ-FEAT: 96xsOYpMbcrHEUX3H6/W/gY9hp1ZQ/3m04QnskroFJkTJgsvv8qowwF7ebePX 6112ekVIjSIprm9vnqpQfVwtHC8Uj4nW/RraaooTim1vipq1ANM/TZfEkg+2FsnAfTvih8u SS2m6pjQ/33x25Ez95CbXAhswQc8BIPPKYekH9SsE+yHxRM2XlofetcuhRxYjstayx0acSq iwlwf/zXtP/TLYp36VvSubmdxKundgy+MEtUVlVsXSOy43UuPTvYAHrn6xKP66VI0eHNmLe x/rA8+LXyq3ZoMGKMj0kLheCFdZ3w+k0Aha79rD5PnNDymdmDLrcoyvKsTF56fn/pqEdS+l L4fQ3cQi2WSPMbITRXL4lZv4eiI0w==
X-QQ-GoodBg: 2
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Di Ma <madi@zdns.cn>
In-Reply-To: <CAKr6gn2wJg1DYBOm6Ccn3ChggVB9Srhw2oEF76OZ_kLcPMsYcw@mail.gmail.com>
Date: Wed, 26 Feb 2020 15:52:53 +0800
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3D64213F-4318-4869-A5DB-0503F7A17AA7@zdns.cn>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <CAKr6gn2wJg1DYBOm6Ccn3ChggVB9Srhw2oEF76OZ_kLcPMsYcw@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtp:zdns.cn:qybgforeign:qybgforeign5
X-QQ-Bgrelay: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/9uqmueJKaV5cplvXg-9KaLAXBok>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 07:53:23 -0000

I think CRL is indispensable for the RPKI.

I am reassured of this argument especially by the point that George makes here. 

As far as I observed, CRL is issued in case of some hazard things happening such as key exposures, which we weigh much worse than expiration of CRL.

As the administrator of RP software RPSTIR, our implementation sees certs invalid even if this CRL is expired. We assume that the INRs covered by those invalid certs should be put into newly issue ones if the very INR holder would like to activate them in terms of routing. 

Di


> 2020年2月26日 08:23,George Michaelson <ggm@algebras.org> 写道:
> 
> 
> If you cannot see a CRL which you are told should exist, to assume the
> CRL doesn't matter feels extremely unwise. I may have mistakenly
> published entirely cryptographically valid things which do not now
> inform my intent, and I have tried to repudiate, and you cannot see
> that repudiation and now interpret states of routing in ways which do
> not reflect my true intent.
> 
> -George
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>