IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

Christopher Morrow <christopher.morrow@gmail.com> Thu, 02 April 2020 14:19 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 492AE3A1337 for <sidrops@ietfa.amsl.com>; Thu, 2 Apr 2020 07:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DWleKuWgtfvB for <sidrops@ietfa.amsl.com>; Thu, 2 Apr 2020 07:18:59 -0700 (PDT)
Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E16DD3A1326 for <sidrops@ietf.org>; Thu, 2 Apr 2020 07:18:58 -0700 (PDT)
Received: by mail-qv1-xf2f.google.com with SMTP id n1so1715013qvz.4 for <sidrops@ietf.org>; Thu, 02 Apr 2020 07:18:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4HnLPwxmm34eZKzEs/5mNzw8WW57rouqk8RUY3nB5ac=; b=a5MlnJ9YUZiuZtJ2hh/7IByXoDtBwda5Fo//dfARQ8b1FpCIri6CnQK9yWRcIbemLg XlKgrFKe/hIT0oGnOqByoYY7Tbl7ONkyQSx7wEDr0j4DjE5p2JEOcSc3283c06MdyraY UFuH5+xNcFaW685DsYZoEGtADqBRymqEShE8CKJCUvRuqZbEjUnzxCfloNULqNai/HL6 ZI+koGgU84YVTAMVmCKGgqJleV6HKnutAJO6NejJ6nRqcgwsbET4q2JBTMYV03IxiVtA 6qG+AllaBWrI+vwoAq+09laKqIvyGRK4/UvTRYxqV2+O3YONYpGXp41d6Iwy3+H+TZK8 TsnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4HnLPwxmm34eZKzEs/5mNzw8WW57rouqk8RUY3nB5ac=; b=mUvPwgiDPRrVJLl5y3xCjqGFu+8MpnXDOcFqP/stwoa16SZvtOcYQkphOH74pLgH2T Y3QhhZ23LnJOVriip/8TnVVN0TC7QvO9W9LBbCldV/GxaMxQgPs9hk0CuKz9C7grVX/L EWhRXMX8Fc8a1ZQMqSRgjLVvuhkmWsTaVqiFlR3RPpDrO9F3JjqiCdOAToZULQbZvWtS MbpEcXMgpTCzhTWIjcaD6McRC8i1YpBg2TG87fdoyta5M6OT6qK4y9zngJt8/kdfQ0J4 hTc93VK4l/GZIiNrSrvQFs2QqkdumkIQ8WjFVpuKyrRtq6Ea5EFo5J+9g94XLs2AYusb XPZw==
X-Gm-Message-State: AGi0PuadvkHFJCLc2/I5PfXtXgRyE8bhVm6cw4Nwmi00BVukYtiHpcrf fg65qT9bWWTWi21iyLZ4qWJlQZEH4VytU5VFOjE=
X-Google-Smtp-Source: APiQypI+/0+eFzpqoNhYLNUhrPtEjf55JjG1TJctAkdVqSrlp/51RCNbT4P+vxMaLLHFd7OoUiYAPVQTRh/205MzV00=
X-Received: by 2002:a0c:aee5:: with SMTP id n37mr3266680qvd.173.1585837137606; Thu, 02 Apr 2020 07:18:57 -0700 (PDT)
MIME-Version: 1.0
References: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net> <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl> <20200324151101.GH60268@vurt.meerval.net> <7f54a255-643f-cd2d-12c2-da19562bbffa@verizon.net> <7465c59f-fa10-4083-8e52-291cb47587f6@www.fastmail.com> <ed15512c-4fac-f8b1-f616-4dcf7afbf396@verizon.net> <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com> <CAKr6gn2VN8kXB2KS5LUkuSkihoE5KqUqfD+NTLuopnTVYF1QQA@mail.gmail.com> <FBA774C0-8F96-4C47-A154-D4CA3343F892@zdns.cn> <CAL9jLaaBTha6Q1AZm5V0R=-fGZMAsmAgPrcwKo3L6pvJnn1=KA@mail.gmail.com> <6c7d5f08-20d5-f4d7-18a2-04fa3ae87067@ripe.net>
In-Reply-To: <6c7d5f08-20d5-f4d7-18a2-04fa3ae87067@ripe.net>
From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Thu, 02 Apr 2020 10:18:46 -0400
Message-ID: <CAL9jLab3j+aJGKA3z68YguF31uZfmOCju80unDxAi2vqb4z6OQ@mail.gmail.com>
To: Robert Kisteleki <robert@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xMTfOGyKYRTwJYp06XBTUbhJiFw>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2020 14:19:01 -0000

On Thu, Apr 2, 2020 at 4:02 AM Robert Kisteleki <robert@ripe.net> wrote:
>
>
> >> So it is right time to reconsider the requirements posed on RP in case of “wrong” MFT.
> >
> > yes this last sentence is the discussion I'd like to see happen... I
> > think guiding that with:
> >   "Here are the ways an manifest could go badly: bad sig, bad content,
> > missing content, missing manifest..."
> >
> > and:
> >   "given the damage from X, Y, Z, the proposed actions for an RP
> > are... because ..."
>
> I was thinking along the same lines while having a related conversation
> with Job/Tim here:
>
> > I believe a more nuanced approach is needed, like if there's a problem
> > on a particular validation path (a cert is missing or has an error) then
> > invalidate that path, if a CRL is missing then warn but use a stale one,
> > but leave the otherwise unaffected bits validated.
>
> If repository R hosts objects for CAs A, B, ... Z, A has subtrees
> A1...A9 and there's a problem with the manifest of A1, the rest (B..Z)
> is perfectly fine an usable. IMO A2..A9 are fine as well. As for A1: the
> RP action IMO should really depend on what the exact issue is, for example:
> - an object is missing: check if you have it from the previous run and
> if so, use it

I would like to believe that whether a repository is 1 organization
(one repository only vaslii!)
or an organization that is hosting many repositories, the story about
CRL/MFT is the same,
at the single repository level.

In practical terms this means that RIR who host 'large numbers of
repositories for their customers'
are really just running a slew of little items. Any breakage at the
individual level is indistinguishable
from that which a self-hosted ca/repository may make. At the top of
the tree, yes there are more
possible ways to get broken, and the effect on the locally-hosted (or
self-hosted far away!)
repositories from breakage up-tree is certainly bad... but I'd rather
not get lost in that discussion.

> - a CRL is missing / corrupt / expired: warn but use the previous one
>
> I'd be happy to contribute and I think that if this happens,
> contribution from operator(s) would be extremely useful.
>

ok, I think for the upcoming interim let's see if we can have a
strawman to discuss :)

v2.23.0 | Report a Bug | By Email