Re: [Sidrops] what to do when the CRL is hosed?

Stephen Kent <stkent@verizon.net> Mon, 23 March 2020 13:27 UTC

To: sidrops@ietf.org
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <20200226173935.GE72144@vurt.meerval.net> <2db8d19a-6f91-d2fc-36c3-65742ba77e6c@ripe.net> <8B09B96B-432C-4190-9DE0-DC2004AAFCC2@nlnetlabs.nl> <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <75140927-0b8b-07ab-ad2e-952e32256df1@verizon.net>
Date: Mon, 23 Mar 2020 09:27:00 -0400
In-Reply-To: <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/REUXkdttBXOOoYTHRZLqsCepDBo>
Subject: Re: [Sidrops] what to do when the CRL is hosed?

Nathalie,
> I would still welcome discussion on this. For our Validator, we 
> currently issue warnings if there is something wrong with the CRL. 
I think that is a very appropriate action.
> Some other RP (validator tools) invalidate the chain, 
that's a valid response, but one should remember that an out of date CRL 
is not invalid, it's just stale. Given the desire to balance robust 
operation security concerns, I think this may be overkill.
> one ignores the CRL. 
not a good response, and not conformant with the applicable RFCs!
> This is not a good situation. 
I agree that more uniform processing is desirable, but in the routing 
system the notion of local policy seems to be ingrained, so ...

Steve
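The three relying-party behaviours discussed in this thread (warn, invalidate the chain, ignore the CRL) side by side, as an added example that is not code from any of the validators mentioned. It models a CRL as a constructed in-memory record with thisUpdate, nextUpdate and a revoked-serial set; the `signature_ok` flag stands in for the RFC 6487 signature and profile checks, and the serials and timestamps are made up. The point it makes is the one above: a CRL past nextUpdate is stale rather than invalid and its revocation entries still apply, whereas an RP that ignores a stale CRL will accept a revoked certificate.

```python
"""RP handling of a fresh, stale or unusable CRL (added example, not from any real validator)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class CrlState(Enum):
    FRESH = "fresh"        # thisUpdate <= now < nextUpdate
    STALE = "stale"        # nextUpdate has passed, but the CRL itself is still valid
    INVALID = "invalid"    # missing, bad signature/profile, or not yet valid


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset
    signature_ok: bool = True   # assumption: stand-in for the RFC 6487 checks


def classify_crl(crl, now):
    """Separate 'stale' from 'invalid': a CRL past nextUpdate is stale, not invalid."""
    if crl is None or not crl.signature_ok:
        return CrlState.INVALID
    if now < crl.this_update:
        return CrlState.INVALID
    if now >= crl.next_update:
        return CrlState.STALE
    return CrlState.FRESH


class Policy(Enum):
    WARN = "warn"              # keep using the CRL, emit a warning
    INVALIDATE = "invalidate"  # treat everything under this CA as invalid
    IGNORE = "ignore"          # skip revocation checking when the CRL is hosed


@dataclass
class Outcome:
    accepted: bool
    warnings: list = field(default_factory=list)


def check_ee_cert(serial, crl, now, policy):
    """Decide whether an EE cert (by serial) is accepted under the given local policy."""
    state = classify_crl(crl, now)
    out = Outcome(accepted=False)

    if state is CrlState.INVALID:
        # No usable CRL: only the IGNORE policy lets anything through.
        if policy is Policy.IGNORE:
            out.accepted = True
            out.warnings.append("CRL invalid; revocation check skipped")
        else:
            out.warnings.append("CRL invalid; rejecting")
        return out

    if state is CrlState.STALE:
        if policy is Policy.INVALIDATE:
            out.warnings.append("CRL stale; chain invalidated")
            return out
        if policy is Policy.IGNORE:
            out.accepted = True            # revoked serials are never consulted
            out.warnings.append("CRL stale; ignored")
            return out
        out.warnings.append("CRL stale (nextUpdate passed); still using it")

    # FRESH, or STALE under WARN: the revocation entries still apply.
    if serial in crl.revoked_serials:
        out.warnings.append(f"serial {serial} is revoked")
        return out
    out.accepted = True
    return out


# Constructed sample data (not real RPKI objects).
NOW = datetime(2020, 3, 23, 13, 27, tzinfo=timezone.utc)
STALE_CRL = Crl(NOW - timedelta(days=10), NOW - timedelta(days=2), frozenset({42}))
FRESH_CRL = Crl(NOW - timedelta(days=1), NOW + timedelta(days=1), frozenset({42}))
BROKEN_CRL = Crl(NOW - timedelta(days=1), NOW + timedelta(days=1), frozenset(), signature_ok=False)

if __name__ == "__main__":
    for policy in Policy:
        for serial in (7, 42):
            o = check_ee_cert(serial, STALE_CRL, NOW, policy)
            print(f"{policy.value:10} serial={serial:2} accepted={o.accepted} {o.warnings}")
```

Under the stale CRL, WARN rejects serial 42 (revoked) and accepts serial 7 with a warning; INVALIDATE rejects both; IGNORE accepts both, including the revoked one, which is why that third behaviour is the problematic one.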