Re: [Sidrops] what to do when the CRL is hosed?

Tim Bruijnzeels <> Tue, 24 March 2020 14:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F10F3A043D for <>; Tue, 24 Mar 2020 07:02:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QswNhtc7CwYl for <>; Tue, 24 Mar 2020 07:02:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 38CAA3A0407 for <>; Tue, 24 Mar 2020 07:02:43 -0700 (PDT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 4894C215EB; Tue, 24 Mar 2020 15:02:40 +0100 (CET)
Authentication-Results:; dmarc=fail (p=none dis=none)
Authentication-Results:; spf=fail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1585058560; bh=+Qyekgy53FHIaorZQLYVwErN8zH7Ll3GTDiNaTMKvmQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=VT8wRpLV8p3+aHiC0vISijhebJReU6QVKlEOagZW0ME6rQJ///HXw3NHb/Uc36wi5 EuoN1TQLHlbkEdcsjf2Qe5Yjnb3K3B+LmhJmX4hr5oRnmKmNVMeeOqlI2zaYokn7aJ ruKeqAOB1MTttjGdKFnp1nSbJBYleo91Nm8Vd2xI=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Tue, 24 Mar 2020 11:02:38 -0300
Cc: SIDR Operations WG <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <>
To: Stephen Kent <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Mar 2020 14:02:45 -0000

> On 23 Mar 2020, at 10:33, Stephen Kent <> wrote:
> Tim,
>> In general I agree. Which is why I mentioned the example of objects one might find published outside of the context of the RPKI repository, and *not* listed on a manifest. Such objects have yet to be invented but theoretically one can think of signed structures under an existing RPKI CA cert (e.g. using their own embedded EE) - which is shared out-of-band between parties. 
> That's a very forward-looking perspective, one I had not considered.
>> What I am suggesting is that we *could* update 6486 and make validation more restrictive regarding manifests:
>> - all objects on a manifest must be present and accounted for (I agree with Job regarding partial withhold attacks)
>> - all objects on a manifest need to be validated
>> - objects that are not on a manifest can be considered invalid
>> This is in-line with the specifications defined in RFC 6481 (A Profile for Resource Certificate Repository Structure), which essentially says that all current objects must be published, and that no invalid objects may be published.
> agree.
>> Then, if the manifest is already a signed statement of everything that is current, at least regarding the currently defined object types, as defined in RFC 6481, then what is gained by checking that CA was also capable of generating a CRL - using the same authoritative key and publication method - that confirms that the objects that are current according to the manifest are indeed not revoked?
> I agree that with strict Manifest processing, CRLs provide redundant info. But, by that argument, why bother checking to see if certs are expired, since that too is redundant in a strict Manifest processing scenario?
>> Requiring the CRLs just feels like unnecessary brittleness to me (again in the context of RFC 6486). It creates multiple loci for bugs in CA implementations, and complicated error conditions that need to be checked by RPs. This is what I meant with the perhaps poorly chosen word 'pedantic'. Maybe I should have used the word 'redundancy'. Redundancy may seem like a good idea in general, but in this case it really only allows for the possibility of two conflicting signed messages. Thus it seems that this does not increase security, but provides more ways for things to break.
> redundancy is often beneficial in security systems. it helps prevent a single error from having terrible consequences. But, this strategy works only if one is flexible when responding  to an inconsistency between redundant pieces of info.

But, redundancy also introduces more moving parts which can break, and corner conditions to check.

Now it's fairly easy to get temporary inconsistencies. If CAs publish objects one by one, or in case rsync is used as a fetch mechanism (I believe that objects might change during an rsync 'session'). RRDP can resolve this, but only if CAs indeed publish their change set as a single delta.

But even with all that, my inner engineer would like to see as few moving parts as we safely get away with.

Failing that I believe one agreed on way to deal with each possible corner case between MFT and CRL is needed.

> Steve
> _______________________________________________
> Sidrops mailing list