Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)

Tim Bruijnzeels <> Thu, 14 May 2020 07:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8A603A0400 for <>; Thu, 14 May 2020 00:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5VFkOx0k3s4n for <>; Thu, 14 May 2020 00:36:01 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 15CF63A03F6 for <>; Thu, 14 May 2020 00:35:52 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:edc9:447a:8576:9b98] (unknown [IPv6:2001:981:4b52:1:edc9:447a:8576:9b98]) by (Postfix) with ESMTPSA id 4282937389; Thu, 14 May 2020 09:35:50 +0200 (CEST)
Authentication-Results:; dmarc=fail (p=none dis=none)
Authentication-Results:; spf=fail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1589441750; bh=oSuLmQoAJOLsq2OA6jgvgfwX0o23I/DUoDrZlcJiuIQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=XnaXwaauu81oXU4hSEtTeykOmMttSjljMi7WZoCREhWHMDhE1kc5UpjQwtfUhs4AG tHtlErUGPsUCgersqKjE5Eeb0ZuEm41Zbw9xPHeotcaBqUlEjVsBqlQpQNb7t8D1s4 NT8u1BdWWk+8Y6g0F/8j/zwBtwTckbt7ESE3xKS0=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Thu, 14 May 2020 09:35:49 +0200
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Stephen Kent <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 May 2020 07:36:04 -0000


> On 13 May 2020, at 18:11, Stephen Kent <> wrote:
> Guys,
>>> I will revise the text describing how to handle this case, based on WG
>>> consensus. Your approach is very robust, but also complex. Since there
>>> should be only one CRL in the manifest, and since Tim says that no
>>> RPKI CA generates more than??? one, I tend to favor a simple
>>> requirement here, but ...
>> indeed no ca SHOULD push more than one CRL.  but i do not think i would
>> recommend not defending against it.
>> randy
> I think we all agree that the revised Section 6 text needs to accommodate the possibility that a manifest will list more than one CRL, even though this OUGHT NOT happen (see RFC 6919). The only question?? is how hard do we require an RP to work if it encounters more than one CRL. I prefer a simple approach to selecting one, and a mandatory warning. Rob has offered a more sophisticated, and complex approach, based on his working RP code.

What may not have been clear from my earlier message is that I agree that in today's world it's worth supporting the possibility of more than one .crl like Rob A. has done.

That said, we are looking to improve things here, and reducing corner cases is good.

This is about the number of current .crl files on a manifest, not about files that may still linger in the repository under the directory - e.g. for other keys. Even if it is not explicit, RFC 6480 certainly points at having one CRL per keypair. And 6 out of 6 independent CA implementations have done exactly that. Therefore I think it would be perfectly safe to add a requirement in the MFT RFC update that there MUST be one CRL only. This will simplify things greatly for RPs.

If not, then indeed we need to have a discussion about how to deal properly with multiple CRLS. E.g. do you check *all* of them for each issued certificate, or do you only check the CRL matching the CRLDP of that certificate? I would also be very curious to know which use case warrants having this complexity.


> I await a consensus from the WG.
> Steve
> _______________________________________________
> Sidrops mailing list