Re: [Sidrops] what to do when the CRL is hosed?

Randy Bush <randy@psg.com> Wed, 26 February 2020 06:12 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98BD3A0E4F for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 22:12:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9BN5KBtxh0zQ for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 22:12:37 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8EB33A0E4C for <sidrops@ietf.org>; Tue, 25 Feb 2020 22:12:37 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1j6pvw-0007ca-Fb; Wed, 26 Feb 2020 06:12:36 +0000
Date: Tue, 25 Feb 2020 22:12:36 -0800
Message-ID: <m2k149x4ff.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Louis Poinsignon <louis.poinsignon@gmail.com>
Cc: sidrops@ietf.org
In-Reply-To: <CANw9378e0VVPZXjjtktm-eUBxe1sPeK-69CyLWXLHocL3Ws-=g@mail.gmail.com>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <CANw9378e0VVPZXjjtktm-eUBxe1sPeK-69CyLWXLHocL3Ws-=g@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/IH_KQLWqXHWcKqGFT7ciVpqiFN0>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 06:12:39 -0000

> Why not reducing the maximum validity of certificates to one day?

for example, because the CPS of at least one high level CA is, or at
least used to be, only willing to commit to publishing once a day.

as i said elsewhere, this is much ado about a non-damaging ops gl!tch.
exposing our weak PKI clue and inclination to more complexity is not
constructive.

randy