Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
Rob Austein <sra@hactrn.net> Tue, 12 May 2020 21:12 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E5B3A0BD4 for <sidrops@ietfa.amsl.com>; Tue, 12 May 2020 14:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDs9Fcu2jfqQ for <sidrops@ietfa.amsl.com>; Tue, 12 May 2020 14:12:50 -0700 (PDT)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D5743A0BCF for <sidrops@ietf.org>; Tue, 12 May 2020 14:12:47 -0700 (PDT)
Received: from minas-ithil.hactrn.net (c-73-47-196-134.hsd1.ma.comcast.net [73.47.196.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id C9A88139A0 for <sidrops@ietf.org>; Tue, 12 May 2020 21:12:45 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 4C2CD20156DBC4 for <sidrops@ietf.org>; Tue, 12 May 2020 17:13:14 -0400 (EDT)
Date: Tue, 12 May 2020 17:13:14 -0400
From: Rob Austein <sra@hactrn.net>
To: sidrops@ietf.org
In-Reply-To: <be9450ba-fe9c-465f-98a2-919772b3b32a@verizon.net>
References: <be9450ba-fe9c-465f-98a2-919772b3b32a.ref@verizon.net> <be9450ba-fe9c-465f-98a2-919772b3b32a@verizon.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="ISO-8859-7"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20200512211314.4C2CD20156DBC4@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/D6Lib_lKMRIIzuq3-whlqJj5YIE>
Subject: Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 21:12:52 -0000
On Fri, 08 May 2020 11:26:22 -0400, Stephen Kent wrote: ... > A manifest SHOULD contain exactly one CRL (.crl) file and it MUST be > at the location specified in the CRLDP in the manifest’s EE > certificate. If more than one .crl file appears in the manifest, > only file names matching the CRL specified by the CRLDP will be > processed. If more than one .crl entry appears in the manifest, and > matches the CRLDP, the first one encountered MUST be used. Any > other .crl files MUST be ignored and a warning MUST be issued. I went back and looked at how my RP code handled this. One can very quickly get lost in the weeds here, but briefly: I start with a set of "candidate manifests" and a set of "candidate CRLs", and keep pruning those sets down with one form of validity check after another (signatures and hashes must match, timestamps must be sane, URIs must match, yada yada). If, at the end of this I still have more than one candidate CRL, I don't necessarily pick the first CRL in the manifest: instead, I sort the candidates by CRL Number, thisUpdate, and time at which I retrieved that CRL object (in descending order of preference, so the timestamps only matter if CRL Number is identical, etc), and use this to pick the "most recent" valid CRL. YMMV, but this arguably yields a more useful result in this screwball situation. That said, this is (obviously) more complex to describe and to implement, so may not be worth it, given that this should never be happening in the first place. If one wants a simplified version of this algorithm that stays within the confines of a single manifest, one could do the sort by CRL Number, then thisUpdate, then position in the manifest. --Rob
- [Sidrops] rev 4 (corrected CRLDP source changes, … Stephen Kent
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Di Ma
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Job Snijders
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Di Ma
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Rob Austein
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Tim Bruijnzeels
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Stephen Kent
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Randy Bush
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Tim Bruijnzeels
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Randy Bush
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Stephen Kent
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Martin Hoffmann
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Di Ma
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Tim Bruijnzeels
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Stephen Kent
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Martin Hoffmann
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Oleg Muravskiy
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Mikhail Puzanov
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Stephen Kent
- Re: [Sidrops] rev 4 (corrected CRLDP source chang… Martin Hoffmann