[Sidrops] 6486-bis: Out of Scope Manifest Entries

Martin Hoffmann <martin@opennetlabs.com> Mon, 17 August 2020 14:47 UTC


Hi again,

I am not entirely sure what to make of section 6.6 "Out of Scope
Manifest Entries" of the draft 6486-bis. It essentially says that all
objects that are not in the scope of the manifest make the whole fetch
break.

I suppose this is here to deal with multiple CRLs?

But does it also include cases where issued certificates are expired or
revoked? Section 2 (the section references 6.2, but I suppose this is a
mistake) doesn’t quite make that clear since it has non-expired and
non-revoked in parentheses.

Does it also cover other objects that are not signed objects? I
am assuming that anything that isn’t a .crl or .cer must be a signed
object to allow for addition of new objects while staying compatible
with older relying party software. In this case, these would already
have stopped the fetch in section 6.4 as not validating signed objects.

Perhaps the section could be made more clear and list what exactly
constitutes out of scope entries?

Kind regards,
Martin
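As an added illustration (not code from the draft or from any RP implementation), the following Python sketch applies the reading proposed in the message above to a manifest's fileList: one .crl is expected and any further .crl is treated as out of scope, .cer entries are issued certificates, and everything else is assumed to be a signed object; the entry names and hashes are constructed, and the 32-byte SHA-256 length check reflects the manifest hash algorithm rather than anything the message states.

```python
from typing import Dict, List, NamedTuple

class ManifestEntry(NamedTuple):
    file: str      # file name as listed in the manifest fileList
    sha256: bytes  # hash of the object as listed in the manifest

def classify_entries(entries: List[ManifestEntry]) -> Dict[str, List[str]]:
    """Sort manifest entries into the categories discussed in the email.

    Assumed reading (from the message, not the draft's own definition):
      - exactly one .crl is in scope; any additional .crl is out of scope,
      - .cer entries are issued CA or EE certificates,
      - every other entry is treated as a signed object, which is then
        subject to signed-object validation (section 6.4 in the message).
    Malformed entries (empty name, path separators, wrong hash length)
    are reported as out of scope as well.
    """
    result: Dict[str, List[str]] = {
        "crl": [], "cer": [], "signed_object": [], "out_of_scope": []}
    for entry in entries:
        name = entry.file
        if not name or "/" in name or len(entry.sha256) != 32:
            result["out_of_scope"].append(name)
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext == "crl":
            # First CRL is in scope; a second one is flagged (assumed reading).
            bucket = "crl" if not result["crl"] else "out_of_scope"
            result[bucket].append(name)
        elif ext == "cer":
            result["cer"].append(name)
        else:
            result["signed_object"].append(name)
    return result

def fetch_is_usable(classified: Dict[str, List[str]]) -> bool:
    """Under the assumed reading, any out-of-scope entry breaks the fetch."""
    return not classified["out_of_scope"]

# Constructed sample fileList: one CRL, one cert, one ROA, one extra CRL.
SAMPLE = [
    ManifestEntry("ca.crl", b"\x11" * 32),
    ManifestEntry("child.cer", b"\x22" * 32),
    ManifestEntry("route.roa", b"\x33" * 32),
    ManifestEntry("old.crl", b"\x44" * 32),
]
```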