Re: [Sidrops] once again, with feeling ...

Stephen Kent <stkent@verizon.net> Fri, 08 May 2020 15:25 UTC

To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
References: <75d43357-c378-c9f9-3610-84840fca8255.ref@verizon.net> <75d43357-c378-c9f9-3610-84840fca8255@verizon.net> <708AF319-17BC-4BED-B020-C04D1BCADC0B@nlnetlabs.nl>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <a347b4ea-7d41-85d0-6549-59eb2197f7c8@verizon.net>
Date: Fri, 08 May 2020 11:25:20 -0400
In-Reply-To: <708AF319-17BC-4BED-B020-C04D1BCADC0B@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ajzF9JHSGMjapHqtSyMPw9guVpA>

Tim,
>
>> 6.  Relying Party Use of Manifests
>>   
>> <snip/>
>>   
>> The primary locator for the CRL issued by a CA is the URI contained in the CRLDP contained in the CA’s certificate.
> That would be the CRL issued by the parent to this CA, no?
Whoops. My bad. I should refer to the CRLDP in the manifest being 
fetched, not in the CA cert. I will fix that.
>
>> An RP MUST use this URI to
>> retrieve the CRL and use that CRL to determine if the EE certificate in
>> the manifest is revoked. The manifest provides an RP with a means to
>> verify that the CRL at the indicated location is current.
> I thought that we would expect that the CRLDP of the MFT EE is used, and that this URI matches the id-ad-caRepository SIA in the issuing CA certificate + the name of the one and only '.crl' entry in the manifest content.

Yes, we want to compare the CRLDP in the manifest's EE cert against the 
SIA URI from the CA cert. I'll revise this text.

Thanks for noticing these errors. Rev 4 will be posted immediately.

Steve
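The check the two of them converge on above (the CRLDP in the manifest's EE cert must equal the issuing CA cert's id-ad-caRepository SIA plus the single '.crl' entry in the manifest, and the manifest's fileList hash is what tells the RP the CRL it fetched is the current one) is written out below as an added example; it is not code from the draft, the thread, or any RP implementation, and the manifest representation, URIs and CRL bytes are constructed stand-ins for real CMS/ASN.1 objects.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Manifest:
    """Simplified view of an RPKI manifest: its fileList entries and the
    CRLDP URI carried in the manifest's EE certificate. Constructed for
    this example; real manifests are CMS-wrapped ASN.1 objects."""
    file_list: dict          # filename -> SHA-256 digest (bytes)
    ee_crldp: str            # CRL Distribution Point URI of the EE cert

def expected_crl_uri(ca_repository_sia: str, manifest: Manifest) -> str:
    """Derive the CRL URI an RP should expect: the issuing CA cert's
    id-ad-caRepository SIA joined with the one and only '.crl' entry in
    the manifest. Raises ValueError when the manifest breaks that rule."""
    crl_names = [name for name in manifest.file_list if name.endswith(".crl")]
    if len(crl_names) != 1:
        raise ValueError(f"manifest must list exactly one .crl entry, found {len(crl_names)}")
    base = ca_repository_sia if ca_repository_sia.endswith("/") else ca_repository_sia + "/"
    return base + crl_names[0]

def check_crl_against_manifest(ca_repository_sia: str, manifest: Manifest, fetched_crl: bytes) -> list:
    """Return a list of problems (empty list means the CRL checks out):
    1. the EE cert's CRLDP must equal the SIA-derived URI;
    2. the fetched CRL's hash must match the manifest fileList entry,
       which is how the RP confirms the CRL at that location is the
       current one the CA published."""
    try:
        uri = expected_crl_uri(ca_repository_sia, manifest)
    except ValueError as e:
        return [str(e)]
    problems = []
    if manifest.ee_crldp != uri:
        problems.append(f"CRLDP {manifest.ee_crldp!r} does not match SIA-derived {uri!r}")
    crl_name = uri.rsplit("/", 1)[1]
    if hashlib.sha256(fetched_crl).digest() != manifest.file_list[crl_name]:
        problems.append(f"hash of fetched {crl_name} does not match manifest fileList")
    return problems

# Constructed sample data (placeholder URIs and bytes, not real RPKI objects).
SAMPLE_CRL = b"-- constructed placeholder CRL bytes --"
SAMPLE_MANIFEST = Manifest(
    file_list={"ca1.crl": hashlib.sha256(SAMPLE_CRL).digest(),
               "roa1.roa": hashlib.sha256(b"constructed roa").digest()},
    ee_crldp="rsync://rpki.example.net/repo/ca1/ca1.crl",
)

if __name__ == "__main__":
    print(check_crl_against_manifest("rsync://rpki.example.net/repo/ca1", SAMPLE_MANIFEST, SAMPLE_CRL))
```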