Re: [Sidrops] once again, with feeling ...

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 08 May 2020 14:53 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254F43A0B6A for <sidrops@ietfa.amsl.com>; Fri, 8 May 2020 07:53:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFsu4M5RbUQJ for <sidrops@ietfa.amsl.com>; Fri, 8 May 2020 07:53:06 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7093A0B71 for <sidrops@ietf.org>; Fri, 8 May 2020 07:53:05 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:f47f:88a8:9ce1:c5a8] (unknown [IPv6:2001:981:4b52:1:f47f:88a8:9ce1:c5a8]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 9FF3C2F24C; Fri, 8 May 2020 16:53:02 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1588949582; bh=XI0AJzMb3By7mp3wh3INoI7iHumcKXPg9NOG2aU8hhI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=K+vGAxJmLtc1wodsk04QUjumWp7gQgthrRYsEyyWhNB8L0eXZqwYsBAXKXrqR7Lyy uf2KQ7idPk5/g4bC243cT0EFFiJOfz0kfsURVL4XXvkjGimSTQbZ2C5p7WHVy8ZXdD HdEQOaGPRS6DbxrCvbar55MYYVrj4g90/xPAtr7Q=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <75d43357-c378-c9f9-3610-84840fca8255@verizon.net>
Date: Fri, 8 May 2020 16:53:02 +0200
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <708AF319-17BC-4BED-B020-C04D1BCADC0B@nlnetlabs.nl>
References: <75d43357-c378-c9f9-3610-84840fca8255.ref@verizon.net> <75d43357-c378-c9f9-3610-84840fca8255@verizon.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/amfjQzV4qQFkxkONXbGiRb7UXRI>
Subject: Re: [Sidrops] once again, with feeling ...
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 14:53:11 -0000

Hi Steve, all,

I did not have time yet to read everything, so a quick comment only for now.. below.

Have a great weekend!
Tim

> On 8 May 2020, at 16:38, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
> 
> I made some more revisions, adding a paragraph to the overview, and a section explaining what I meant by termination of manifest processing.
> 
> have a good weekend,
> 
> Steve
> 
> -----
> 
> 
> 
> 
> 6.  Relying Party Use of Manifests
>  
> <snip/>
>  
> The primary locator for the CRL issued by a CA is the URI contained in the CRLDP contained in the CA’s certificate.

That would be the CRL issued by the parent to this CA, no?

> An RP MUST use this URI to 
> retrieve the CRL and use that CRL to determine if the EE certificate in 
> the manifest is revoked. The manifest provides an RP with a means to
> verify that the CRL at the indication location is current.

I thought that we would expect that the CRLDP of the MFT EE is used, and that this URI matches the id-ad-caRepository SIA in the issuing CA certificate + the name of the one and only '.crl' entry in the manifest content.