Re: [Sidrops] what to do when the CRL is hosed?

Martin Hoffmann <martin@opennetlabs.com> Tue, 25 February 2020 08:03 UTC

Return-Path: <martin@opennetlabs.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F24F23A099D for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 00:03:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Gexkf7hkxGI for <sidrops@ietfa.amsl.com>; Tue, 25 Feb 2020 00:03:46 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51B373A0999 for <sidrops@ietf.org>; Tue, 25 Feb 2020 00:03:45 -0800 (PST)
Received: from glaurung.nlnetlabs.nl (DSL01.212.114.251.79.ip-pool.NEFkom.net [212.114.251.79]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id CB31929E01; Tue, 25 Feb 2020 09:03:41 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none (p=none dis=none) header.from=opennetlabs.com
Authentication-Results: dicht.nlnetlabs.nl; spf=none smtp.mailfrom=martin@opennetlabs.com
Date: Tue, 25 Feb 2020 09:03:38 +0100
From: Martin Hoffmann <martin@opennetlabs.com>
To: Job Snijders <job@ntt.net>
Cc: sidrops@ietf.org, claudio@openbsd.org
Message-ID: <20200225090338.10464b1a@glaurung.nlnetlabs.nl>
In-Reply-To: <20200224211531.GB60925@vurt.meerval.net>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net>
Organization: Open Netlabs
X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/VGPahvjCPeSDjaLQiLdeV7B-S1A>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2020 08:03:48 -0000

Job Snijders wrote:
> 
> Of course - in making strong statements like this one I can not afford
> to assume I am right, so if you disagree - please tell me how I am
> wrong (in detail :-) ).

Let me counter with a different strong statement: In the context of
RPKI, CRLs offer no additional value and can safely be ignored.

The reason is the manifests. Unlike CRLs which only say "these
certificates are not to be considered valid anymore", manifests say
"this is the complete set of objects currently issued by this CA". They
also refer to concrete objects, identifying them both by URI and a hash
over their content. This is a much more powerful mechanism than CRLs.

What’s more, they offer a soft and a hard deadline for validity. Their
next update field is a soft deadline, much like with CRLs. But there’s
also a hard deadline in that the certificate they’ve been signed with
expires eventually. While the former has the same ambiguity as the next
update field of the CRL, the latter doesn’t. If the manifest is
expired, the CA is basically gone.

Further, the CRL is included in the manifest. So you can’t even replay
an old CRL without also replaying the old manifest.

Essentially, no information conveyed by the CRL isn’t also conveyed by
the manifest. The CRL solely serves to provide additional complexity
for the code generating and validating RPKI objects and, apparently,
creates ambiguity in the interpretation of the specification.

Kind regards,
Martin