Re: [Sidrops] what to do when the CRL is hosed?

George Michaelson <> Wed, 26 February 2020 05:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5A8C33A0975 for <>; Tue, 25 Feb 2020 21:29:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mpq3UdhrEsoF for <>; Tue, 25 Feb 2020 21:29:50 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A617C3A0976 for <>; Tue, 25 Feb 2020 21:29:49 -0800 (PST)
Received: by with SMTP id l4so1333556ilj.1 for <>; Tue, 25 Feb 2020 21:29:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1HqC8XGRbF85s+stuam52IvH+K66oPII20Re9ez+q6s=; b=FnQ7/2BiwdL/lMfkFIpBsBju1XDNUH2wfKpmyAyPP5z1ZI+7cphcgXzjIXpctAjABf ygGWXlcEOILd/a6ZrPjQfNPcCAxvERzcXe2qtkrImhUhoJPibbznBDfXs+KBN/lAcNqY bt7hb/e9NGU3JnQizuAY2BU4GMsr+PHeA43f1yOsvugZsZwdUwnH/CSX+aU8c2ka2GYA ow2AZsDGujCYBXfMRx7mVxtQMkrndwwlmsuwI/FzzU49QAxlTbzJeZnJ+tX8dFDuetfK iVy4OURO4PO4D6rFW4SC2Iuh+sSUJZEwErTuA4jOvNMMhzIz5e9KMKi+aTMoegFt1fKT oMzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1HqC8XGRbF85s+stuam52IvH+K66oPII20Re9ez+q6s=; b=sGyqoMyGu3bJdZZf2mq0pjngeLe6hT9LAlwJREwscKGSBHVTLr8KQInGIlePiYICb4 w9aynzjee5WmSEB8FBWiGNUXx3tZaxq5Fdn6trP9+1WUIswaMYGHuJbbwrBL7nrRf5up g3sIZJMnF5+aFD4xRCSPExo128cwWdXEfOn5NHYyL2rVuR/IIktvOK6tNhto1CCcd4Q4 8RtvAbhip8y24Q3gC+IF30mMtP1XdIpVhKp0I3o1gQV8KmUEHlDk+h95RK1tX63iBgsS SQYpajBriMdTpwWIwivXPYozhxsw+FqwX2d4y+iJROaxIoKwqhXnx3bH/O5xbxMT0OTj wl5Q==
X-Gm-Message-State: APjAAAXInTW6mWIx/tgiiaR3Z7pB0tPpZZJnh86IEPM10Vp55C08f1kz gE8Wi0ylZgHHIAwoxCz6/dz3jN1tl8vd2/lZHHooeg==
X-Google-Smtp-Source: APXvYqxiszROENVJMUCFzJ8xQzfT3G9jrbap7Zeue1qDX6Jm1o3ybssWSR0e6ZH98NU7PqRdKTUPsV8ld46rnF5HI/8=
X-Received: by 2002:a92:3cd7:: with SMTP id j84mr2699016ilf.176.1582694988327; Tue, 25 Feb 2020 21:29:48 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: George Michaelson <>
Date: Wed, 26 Feb 2020 15:29:36 +1000
Message-ID: <>
To: Christopher Morrow <>
Cc: Stephen Kent <>, SIDR Operations WG <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Feb 2020 05:29:53 -0000

the questions you pose come back down to two things to me

1) high-in-the-tree burdens exist. They're not more complex than
low-in-the-tree but they (by definition) affect more things, and more
people (RPs) -I have suffered failures in my service as Nathalie has,
and I respect her integrity in doing a public disclosure and
root-cause analysis, and I feel a similar burden. You need me to be
able to say "this happened" and I have to accept you saying "what have
you done, to prevent it happening again" just like Nathalie did (and
accepts I believe)

2) "how do you know what it means" is really hard. A lot of statements
about "..and so this means" are post-hoc interpretations of what the
CA and RP *think* the situation means, but the intent is actually not
overt in the situation, its latent. If you cannot point to a document
which clearly says what a situation means, then I feel its undefined.
That is what spec work is for. Thats why we're here.

The CA did not mean to fail to publish a CRL. The RP is faced with
having only out of date CRL. "what does it mean" is really hard to
infer a priori. Is there a documented intent of what it should mean?
Do we all agree?

I feel the CRL situation is like that. There should have been one.
There are only stale ones, or a badly informed one. It is confusing.
Incoherent. It feels like we didn't say very clearly "what does it
mean" in the spec process, if people feel there are open questions and
are free as RP to interpret this, I feel we didn't adequately wire
this down. If thats not true we shouldn't be discussing it, because it
is documented.

if you like, the question for me is 'how did you get to the word
"clearly" here, because it feels like "clearly some mistake let us get
to this discussion" is not a-priori, but is post-hoc reasoning,
because Nathalie told us it was a mistake'.

How do you know, in advance, the bad CRL situation "clearly" is a
mistake? You have to ask "did you make one" and if the CA says yes,
then it is possibly an RP problem, or an attack along the path to the
data, or some other issue. If the CA say "oh no.. that shouldnt have
happened" you "clearly" know its a mistake, but that depends on
asking, and being told.

Remember we now have RSYNC and RRDP, and they do not actually have to
cohere, they are obviously by intent meant to be eventually
consistent, but we have two ways to say what is the state of a
repository. This means there are at least two ways RPs may synchronise
on the state of a repository.  Persisting state measured in hours
around states of a repository do tend to align in both worlds, but I
believe its possible for the persisting state to be incoherent (I
believe this, because I believe it happened in the APNIC repositories)
which is an added complexity.

I think I would like a world which said "if the thing I see is
malformed, and if I can tell its malformed but I can also tell it was
well signed, I will go with operation error, and consider fallbacks"
-but if the thing is missing, or badly signed, it feels more like an
attack, or risk of attack. Well signed, but badly formed is the
special state of "you did this, but it is wrong" and so I do break it
out. I could believe we want some fallback behaviour. I could also
believe "wrong is wrong" is a better place to be.