Re: [Sidrops] what to do when the CRL is hosed?
Stephen Kent <stkent@verizon.net> Tue, 24 March 2020 15:38 UTC
Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BD873A0C04 for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 08:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.563
X-Spam-Level:
X-Spam-Status: No, score=-3.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L3w2TOkfCtj6 for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 08:38:22 -0700 (PDT)
Received: from sonic310-24.consmr.mail.ne1.yahoo.com (sonic310-24.consmr.mail.ne1.yahoo.com [66.163.186.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4EBB3A0BDE for <sidrops@ietf.org>; Tue, 24 Mar 2020 08:38:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1585064300; bh=Fg86v8sRy9ntKDRW9e/U3Gx1Jo90nRVTE8JXA50sr+c=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=efE30TX52EYTXMiHHgLonl+ucAUkfREGD74QxGWszivM+DR5UWYGoSWbV50YLcS1JEcxb+I7mUA6R2YW4pyDq910NGg/mMZqZLqDdUNE5NuvBo5d6M7spamuURjURfTqw9omwJ6nHOlPbuH1/Fl/7j/+obe0zNRQy7OqwOzD7H5pZtZwOWBn3iDGjna0Ulc/QXCkhFLBI52/wwHqdrzIhsR2iq22wXaXei4cJlKaJyCw+B7chCvx0jQoK8aU98MMWpRbV0fgbyUwzxUKpJYi2kDDPvfRtnQsqB5wxs762oGDOkss5Q1qSrHyu3Cvjgf9iZbd0+roRih8dnwqVdznjw==
X-YMail-OSG: RPlqmw4VM1nOgL3kr1P5vzFf87pszgpMiEEnqfp1Ua4ZBsWPJ9cI8pBh4nLicOC n2930COyFMMxUEyxFgcQfq2d.AxGEH95FdffjC_jBb2eheZM2xMXkn3QWxmMGb8tL6l_hfwxQdd0 u5CCse8dS7yBoxGKaXhf7WYwZyzq4nSRxbboEy_Z0lBDfhF.hJAerjE3BurHqQ.gb3JYuNx7LOcT VN7rjrKTxHxpi0cS3AkFlsicVt44Wkg0lFQtH6FWEGqtEJ.tTN0fzo8v0jnWzok8.jX6RbVbm_jb vuCmCDeCxHHJT0cMLbzULnwaRqLSdI3e2jp.dO7QFAFPY7Apd7y5sGhdTGWY4uOzPAjJNT9K17iO .JYT6ZGgYItYa0eu00G8Wulwiza6ylWhpLXfYJhZgNUFdZdYhW0xhVnEzUE2SVaJlb4Qgec31LC_ Cthv6aRKW2jwBZH_HmIi5zmtfuJJ.mfjuiDqe49t18BrKvpQXtWhp1U138.oLaOqI3h.OZe_Co25 j.MbwS8w1z3V6GA9VsnBjUjlC8oz9JqOyc3dHbmA2oQad7ZD_xY7miYnFjS0C3qFcT7DMmOTY0vg Tkt5milznfDh7TN9z6DwliesrjIMKD7DYDAH_hoUGjYLCvIco1elLOF5DLsm6KGextFX1PG8ILlX C1d1aiuDlbsUVw5xcTTIN_7odDGx6SesbhexVvjGrtZkupM0a7tTUWUSZ4M2PI1p6Mu3wAJRL_uG u6miyA1LJzZqN8A3gk.D356rxfOvUHWYBsGsJCaqFSrqLbANYNe2EdDvvlb47rx0fq0cn3o5GVG0 AWnr4TvibJqwxryZ8zQp0r9q_EQfayFBL35xTSoQIpB3IrA60fYkuPdKctjALwYfY6PTMV9JzOwy 1UW5NVvkPcseXBhFhBgHJ6RpX5wX3nLiLkyrrzZv4u6BIObKj6q.1jAtM01Yy1KRhfvioVx7ImjI MwiW_hjjANIF4zab1mkzmXpwfYGnLc8C8wWGb_6QozSCYNmCzkKv255TgvrflyCvqt7Q_fesdGxP 1aKAc5U7SCPkBqLu763VoWF0zkbzpIyxOkeroaAiGKki8PDYl2Anu9vlaQ__lY3OjTzDN9Ln6ojW bwjsbrheWtCLn75.MUAL_.0qaf.jf5eu6zXO8ALHwBK4WNAGvC7Zqv8IrEAUjCntKFqfABO0ZtjH PLZpVbvY..5ucx9lBN9JVDbphDxn1JuB3Wg5MZjxNpycHnplTsGV2889bZKfTIkPzxXc7s_fbwc_ IueYnmwCUAY5GPKHD2dZfxn.3UmU5He2j8O0yHmk1yPJm_OErTNMXOEqAbdzPSTw5cJkd0RfF.3u hbEE2VF6zUBXY7InbU3cFLJi43TZ67Y_at7hl3ZBXXh8NJwp_0Nn_8HbZlTLidpgIs8cAuuP0Is_ TSuYPiWvlW3FYFL1CqCaRVJlJTiDOgw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.ne1.yahoo.com with HTTP; Tue, 24 Mar 2020 15:38:20 +0000
Received: by smtp416.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 98143ce3d8f924c6fb805513f9023641; Tue, 24 Mar 2020 15:38:18 +0000 (UTC)
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: SIDR Operations WG <sidrops@ietf.org>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <BBE92EA7-5017-462B-A071-2F0F72F2C06D@nlnetlabs.nl>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <ae9ec30d-8df3-9886-ab59-0fc3b56a261d@verizon.net>
Date: Tue, 24 Mar 2020 11:38:17 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <BBE92EA7-5017-462B-A071-2F0F72F2C06D@nlnetlabs.nl>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Mailer: WebService/1.1.15518 hermes Apache-HttpAsyncClient/4.1.4 (Java/1.8.0_242)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Q3S79ayuNsjzq_NwaSB7CC1QUjk>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 15:38:40 -0000
Tim, > >> redundancy is often beneficial in security systems. it helps prevent a single error from having terrible consequences. But, this strategy works only if one is flexible when responding to an inconsistency between redundant pieces of info. >> > But, redundancy also introduces more moving parts which can break, and corner conditions to check. > > Now it's fairly easy to get temporary inconsistencies. If CAs publish objects one by one, or in case rsync is used as a fetch mechanism (I believe that objects might change during an rsync 'session'). RRDP can resolve this, but only if CAs indeed publish their change set as a single delta. yes, it is possible that a pub point may be updated during a sync operation, and thus an inconsistent set of objects will be retrieved. I would expect well-written RP code to detect this and try again, after a brief delay. For the rsynch case, one should create a new directory with all of the objects and then change the pub point to be the new directory, to make for a more "atomic" update procedure. > But even with all that, my inner engineer would like to see as few moving parts as we safely get away with. if one changes to a model in which the Manifest is the sole arbiter of cert validity, i.e., if a cert is included in a current manifest and it's signature can be validated via cert path in the RPKI, the why bother with checking cert expiration? Same for ROAs. This is a slippery slope. > Failing that I believe one agreed on way to deal with each possible corner case between MFT and CRL is needed. How many corner cases are there? Steve
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush