Re: [Sidrops] what to do when the CRL is hosed?

Oleg Muravskiy <oleg@ripe.net> Wed, 26 February 2020 08:28 UTC

Return-Path: <oleg@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DFAF3A1086 for <sidrops@ietfa.amsl.com>; Wed, 26 Feb 2020 00:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9kG04qzCMw0j for <sidrops@ietfa.amsl.com>; Wed, 26 Feb 2020 00:28:38 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 395B83A1085 for <sidrops@ietf.org>; Wed, 26 Feb 2020 00:28:38 -0800 (PST)
Received: from allealle.ripe.net ([193.0.23.12]) by mahimahi.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1j6s3X-000AkQ-IS for sidrops@ietf.org; Wed, 26 Feb 2020 09:28:35 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::279]) by allealle.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <oleg@ripe.net>) id 1j6s3W-0002GZ-E0; Wed, 26 Feb 2020 09:28:34 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <CAKr6gn2wJg1DYBOm6Ccn3ChggVB9Srhw2oEF76OZ_kLcPMsYcw@mail.gmail.com>
Date: Wed, 26 Feb 2020 09:28:33 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <766BF90A-C42B-47B3-B62E-C429E48BBBD7@ripe.net>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <CAKr6gn2wJg1DYBOm6Ccn3ChggVB9Srhw2oEF76OZ_kLcPMsYcw@mail.gmail.com>
To: SIDR Operations WG <sidrops@ietf.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
X-ACL-Warn: Delaying message
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74f827bbda451a15ec68e00dc1054d1474
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/V6o2peGoVtEX9ERy0DlNw5eAPUQ>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 08:28:39 -0000

I tend to agree with Steve and George that manifests could not replace CRLs. And while the rfc5280/section-6.3 only demands to fetch the (time-wise) valid CRL and does not specify what to do if that isn’t possible, my interpretation of this section is that the validator should not accept/ignore a CRL past its validity period.

With regard to manifests, the number of inconsistencies between the content of a manifest and a repository, the absence of rules of how to handle these inconsistencies, and as a result, the complexity of processing manifests during validation is much higher than the complexity of processing the CRL. I would rather get rid of manifests after fully transitioning to RRDP than putting more responsibilities on manifests.

But this is of course me as a software developer speaking. The decision should be made by operators.

Oleg