Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)

Tim Bruijnzeels <tim@nlnetlabs.nl> Wed, 13 May 2020 14:32 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9CBD3A0C7F for <sidrops@ietfa.amsl.com>; Wed, 13 May 2020 07:32:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1LIkoTn0MIO for <sidrops@ietfa.amsl.com>; Wed, 13 May 2020 07:32:17 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5EC93A0C80 for <sidrops@ietf.org>; Wed, 13 May 2020 07:32:17 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:bc2c:d6fa:cbdd:1589] (unknown [IPv6:2001:981:4b52:1:bc2c:d6fa:cbdd:1589]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 8979335EC3; Wed, 13 May 2020 16:32:15 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1589380335; bh=ty3RaBkKcKPgDG0GltDl4MQQk+MJyHPb4rOi7/VzycE=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=HD93BHqx7IjXqJCnx5+4UZJPuk+yRMEUtsXlFGbl5Awg8CM+GvRZeLIYk2pNwKkky KPv7cK5DgbMhtLiNgk/iQ45h1PkcM7wzY7ClCruEhjWFqzxRlb4m5zCbeZJ7ZUfjRl 2dW1dlxEJrJo2aQmmoYWXvDEBxLdWrjQVbjDUY5o=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <m2imh0x750.wl-randy@psg.com>
Date: Wed, 13 May 2020 16:32:15 +0200
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <70BC4878-93D3-4331-A887-AF693B7CC9AA@nlnetlabs.nl>
References: <be9450ba-fe9c-465f-98a2-919772b3b32a.ref@verizon.net> <be9450ba-fe9c-465f-98a2-919772b3b32a@verizon.net> <20200512211314.4C2CD20156DBC4@minas-ithil.hactrn.net> <73b88326-d537-93eb-b0d0-a0a82507081c@verizon.net> <m2imh0x750.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/B0tflZuGLcqmOgN1TI-Flh1w9L4>
Subject: Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 14:32:19 -0000


> On 13 May 2020, at 16:05, Randy Bush <randy@psg.com> wrote:
> 
>> I will revise the text describing how to handle this case, based on WG
>> consensus. Your approach is very robust, but also complex. Since there
>> should be only one CRL in the manifest, and since Tim says that no
>> RPKI CA generates more than� one, I tend to favor a simple
>> requirement here, but ...
> 
> indeed no ca SHOULD push more than one CRL.  but i do not think i would
> recommend not defending against it.

In my opinion there should be a MUST include one and only one CRL. Then offending MFTs can be considered broken, and there is no defensive code needed.

I don't see how this could be an issue for CAs given that none include more than one CRL on MFTs until now. But if other CA implementers disagree then I would be very happy to hear about it.

Tim

> 
> randy
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops