Re: [Sidrops] what to do when the CRL is hosed?

Job Snijders <job@ntt.net> Mon, 24 February 2020 23:43 UTC

Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00BD53A159E for <sidrops@ietfa.amsl.com>; Mon, 24 Feb 2020 15:43:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4sV9lAJMwNL for <sidrops@ietfa.amsl.com>; Mon, 24 Feb 2020 15:43:28 -0800 (PST)
Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2FA83A159D for <sidrops@ietf.org>; Mon, 24 Feb 2020 15:43:27 -0800 (PST)
Received: by mail-wm1-f51.google.com with SMTP id s144so969118wme.1 for <sidrops@ietf.org>; Mon, 24 Feb 2020 15:43:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=nEKnTOCea8njKTuL5sKNMmlVpIe/GqOtOFBHvqi6DpE=; b=ZaqWyvRQw8UQf6g2AJX2I+jEF0aEhWIQ/qiW3b0sRUGgzpYijP6nXnFshoraryOLqt fksSYzLiuAeHfKXIBhCgY2OIj1wRt9KatvcFYyqSqRbD3MXG4PIGiXihBRi6QcsHkQbu IZBHVGImA2vEyhW5Rpa+6k05vYCiLqMIEs/g3P16eMqkrCI1fy2JgKTzMpiYeAFqZUfe vbwtoBrS8HwTBMENz09ppDIg4vcxB5PxCpyEkNHcXDGE/v8hplhzhOsspJpv+z3G584k h49ux/M4q1rvTdAkxE/84YjOSVxghAV3sY40FWG5BPxbBF1YTmp2SOqychthQjrkZ4DE +ELA==
X-Gm-Message-State: APjAAAXwjZMRh/OMYU0o2NPzmydAXaYkzXBdXd/8YghUixNY3a8DjelA Sq73QSglv+QT3OE2mmno4NnMNQ==
X-Google-Smtp-Source: APXvYqx6Q1wZSLWORKuWj1ZPsBfMJ0QH83HHPKjZb52/3YWHgH/84o0zqI79xV5NGsZnt377RZXe9A==
X-Received: by 2002:a05:600c:2254:: with SMTP id a20mr1383379wmm.188.1582587805884; Mon, 24 Feb 2020 15:43:25 -0800 (PST)
Received: from vurt.meerval.net (vurt.meerval.net. [192.147.168.22]) by smtp.gmail.com with ESMTPSA id n5sm3928793wrq.40.2020.02.24.15.43.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Feb 2020 15:43:25 -0800 (PST)
Received: from localhost (vurt.meerval.net [local]) by vurt.meerval.net (OpenSMTPD) with ESMTPA id 916c22fc; Mon, 24 Feb 2020 23:43:24 +0000 (UTC)
Date: Mon, 24 Feb 2020 23:43:23 +0000
From: Job Snijders <job@ntt.net>
To: Jared Mauch <jared@puck.nether.net>
Cc: sidrops@ietf.org, claudio@openbsd.org
Message-ID: <20200224234323.GC60925@vurt.meerval.net>
References: <20200224211531.GB60925@vurt.meerval.net> <10259FC6-FE65-4B34-81B2-A37FCFA29BF2@puck.nether.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <10259FC6-FE65-4B34-81B2-A37FCFA29BF2@puck.nether.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/DcHphA_f0_CUbP1Ojde7w3YKBTo>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 23:43:29 -0000

On Mon, Feb 24, 2020 at 05:19:33PM -0500, Jared Mauch wrote:
> I think you may be right in absolute terms. You are likely wrong that
> unless you have cached CRL experience saying it's bad you have no
> reason to distrust. 

CRLs in RPKI != CRLs in TLS/browser context.

> Also cryptographically signed data can be sent insecurely and be
> validated against change or tampering. Perhaps you are worried about
> privacy?

I don't think I'm concerned about privacy.

My point was that in the application of X509 in the use case of RPKI: if
the CRL is expired, you have more than enough reason to distrust.

Kind regards,

Job