Re: [Sidrops] what to do when the CRL is hosed?

Jared Mauch <jared@puck.nether.net> Mon, 24 February 2020 22:19 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB93E3A0FE2 for <sidrops@ietfa.amsl.com>; Mon, 24 Feb 2020 14:19:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmnLeJZvAxqU for <sidrops@ietfa.amsl.com>; Mon, 24 Feb 2020 14:19:36 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC99E3A1471 for <sidrops@ietf.org>; Mon, 24 Feb 2020 14:19:36 -0800 (PST)
Received: from [10.228.78.192] (mobile-166-170-27-115.mycingular.net [166.170.27.115]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id D79A15400EE; Mon, 24 Feb 2020 17:19:34 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20200224211531.GB60925@vurt.meerval.net>
Date: Mon, 24 Feb 2020 17:19:33 -0500
Cc: sidrops@ietf.org, claudio@openbsd.org
Message-Id: <10259FC6-FE65-4B34-81B2-A37FCFA29BF2@puck.nether.net>
References: <20200224211531.GB60925@vurt.meerval.net>
To: Job Snijders <job@ntt.net>
X-Mailer: iPhone Mail (17D50)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gU1KB6LhR5g_6zT2LJbZ3Ava5c0>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 22:19:38 -0000

I think you may be right in absolute terms. You are likely wrong that unless you have cached CRL experience saying it's bad you have no reason to distrust. 

Also cryptographically signed data can be sent insecurely and be validated against change or tampering. Perhaps you are worried about privacy?

Sent from my iCar

> On Feb 24, 2020, at 4:15 PM, Job Snijders <job@ntt.net> wrote:
> 
> Of course - in making strong statements like this one I can not afford
> to assume I am right, so if you disagree - please tell me how I am wrong
> (in detail :-) ).