Re: [Sidrops] what to do when the CRL is hosed?
George Michaelson <ggm@algebras.org> Wed, 26 February 2020 05:29 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8C33A0975 for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 21:29:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mpq3UdhrEsoF for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 21:29:50 -0800 (PST)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A617C3A0976 for <sidrops@ietf.org>; Tue, 25 Feb 2020 21:29:49 -0800 (PST)
Received: by mail-il1-x129.google.com with SMTP id l4so1333556ilj.1 for <sidrops@ietf.org>; Tue, 25 Feb 2020 21:29:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1HqC8XGRbF85s+stuam52IvH+K66oPII20Re9ez+q6s=; b=FnQ7/2BiwdL/lMfkFIpBsBju1XDNUH2wfKpmyAyPP5z1ZI+7cphcgXzjIXpctAjABf ygGWXlcEOILd/a6ZrPjQfNPcCAxvERzcXe2qtkrImhUhoJPibbznBDfXs+KBN/lAcNqY bt7hb/e9NGU3JnQizuAY2BU4GMsr+PHeA43f1yOsvugZsZwdUwnH/CSX+aU8c2ka2GYA ow2AZsDGujCYBXfMRx7mVxtQMkrndwwlmsuwI/FzzU49QAxlTbzJeZnJ+tX8dFDuetfK iVy4OURO4PO4D6rFW4SC2Iuh+sSUJZEwErTuA4jOvNMMhzIz5e9KMKi+aTMoegFt1fKT oMzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1HqC8XGRbF85s+stuam52IvH+K66oPII20Re9ez+q6s=; b=sGyqoMyGu3bJdZZf2mq0pjngeLe6hT9LAlwJREwscKGSBHVTLr8KQInGIlePiYICb4 w9aynzjee5WmSEB8FBWiGNUXx3tZaxq5Fdn6trP9+1WUIswaMYGHuJbbwrBL7nrRf5up g3sIZJMnF5+aFD4xRCSPExo128cwWdXEfOn5NHYyL2rVuR/IIktvOK6tNhto1CCcd4Q4 8RtvAbhip8y24Q3gC+IF30mMtP1XdIpVhKp0I3o1gQV8KmUEHlDk+h95RK1tX63iBgsS SQYpajBriMdTpwWIwivXPYozhxsw+FqwX2d4y+iJROaxIoKwqhXnx3bH/O5xbxMT0OTj wl5Q==
X-Gm-Message-State: APjAAAXInTW6mWIx/tgiiaR3Z7pB0tPpZZJnh86IEPM10Vp55C08f1kz gE8Wi0ylZgHHIAwoxCz6/dz3jN1tl8vd2/lZHHooeg==
X-Google-Smtp-Source: APXvYqxiszROENVJMUCFzJ8xQzfT3G9jrbap7Zeue1qDX6Jm1o3ybssWSR0e6ZH98NU7PqRdKTUPsV8ld46rnF5HI/8=
X-Received: by 2002:a92:3cd7:: with SMTP id j84mr2699016ilf.176.1582694988327; Tue, 25 Feb 2020 21:29:48 -0800 (PST)
MIME-Version: 1.0
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <CAKr6gn2wJg1DYBOm6Ccn3ChggVB9Srhw2oEF76OZ_kLcPMsYcw@mail.gmail.com> <CAL9jLaZqg6TdtZmYMLUH5yEuXKkQwiRiH2bcj8t=fh3C2jX9VA@mail.gmail.com>
In-Reply-To: <CAL9jLaZqg6TdtZmYMLUH5yEuXKkQwiRiH2bcj8t=fh3C2jX9VA@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Wed, 26 Feb 2020 15:29:36 +1000
Message-ID: <CAKr6gn1yuG7ONfDevb3CFJOzP+_PNC2mCP3uhsr+EuBM1PGNvg@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>, SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/JvsMre5r335Z6IijmCJ5IF2jA8Q>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 05:29:53 -0000
the questions you pose come back down to two things to me 1) high-in-the-tree burdens exist. They're not more complex than low-in-the-tree but they (by definition) affect more things, and more people (RPs) -I have suffered failures in my service as Nathalie has, and I respect her integrity in doing a public disclosure and root-cause analysis, and I feel a similar burden. You need me to be able to say "this happened" and I have to accept you saying "what have you done, to prevent it happening again" just like Nathalie did (and accepts I believe) 2) "how do you know what it means" is really hard. A lot of statements about "..and so this means" are post-hoc interpretations of what the CA and RP *think* the situation means, but the intent is actually not overt in the situation, its latent. If you cannot point to a document which clearly says what a situation means, then I feel its undefined. That is what spec work is for. Thats why we're here. The CA did not mean to fail to publish a CRL. The RP is faced with having only out of date CRL. "what does it mean" is really hard to infer a priori. Is there a documented intent of what it should mean? Do we all agree? I feel the CRL situation is like that. There should have been one. There are only stale ones, or a badly informed one. It is confusing. Incoherent. It feels like we didn't say very clearly "what does it mean" in the spec process, if people feel there are open questions and are free as RP to interpret this, I feel we didn't adequately wire this down. If thats not true we shouldn't be discussing it, because it is documented. if you like, the question for me is 'how did you get to the word "clearly" here, because it feels like "clearly some mistake let us get to this discussion" is not a-priori, but is post-hoc reasoning, because Nathalie told us it was a mistake'. How do you know, in advance, the bad CRL situation "clearly" is a mistake? You have to ask "did you make one" and if the CA says yes, then it is possibly an RP problem, or an attack along the path to the data, or some other issue. If the CA say "oh no.. that shouldnt have happened" you "clearly" know its a mistake, but that depends on asking, and being told. Remember we now have RSYNC and RRDP, and they do not actually have to cohere, they are obviously by intent meant to be eventually consistent, but we have two ways to say what is the state of a repository. This means there are at least two ways RPs may synchronise on the state of a repository. Persisting state measured in hours around states of a repository do tend to align in both worlds, but I believe its possible for the persisting state to be incoherent (I believe this, because I believe it happened in the APNIC repositories) which is an added complexity. I think I would like a world which said "if the thing I see is malformed, and if I can tell its malformed but I can also tell it was well signed, I will go with operation error, and consider fallbacks" -but if the thing is missing, or badly signed, it feels more like an attack, or risk of attack. Well signed, but badly formed is the special state of "you did this, but it is wrong" and so I do break it out. I could believe we want some fallback behaviour. I could also believe "wrong is wrong" is a better place to be. -G
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush