Re: [Rescert] Notes from RPKI security review
At Tue, 19 Jun 2007 14:51:11 -1000, Randy Bush wrote:
>
> > I've been using subjectAltName heavily for several years now and have
> > seen no problems. Doesn't make you wrong, but OpenSSL and Apache
> > clearly can deal with it and I was assuming we'd support it in our
> > client and server code.
>
> i occasionally get whacked by a client saying "you have a cert for foux
> when i want one for barre" when the cert has an altname of barre.
We're writing the clients, we can choose to get this right. :)
> >>> Also note that we don't currently say anything about CRLs in the
> >>> business PKI universe.
> >> not our business. can't have parent reaching through child's irbe to
> >> biz key back end to check a crl. irbes should check crls for the biz
> >> certs in their back ends, innuendo intended.
> > Mumble. Agree about not reaching through somebody else's IRBE. Had
> > been thinking of publishing CRLs via HTTP in some boring fashion, but
> > that has potential network partition issues. I suspect you're right
> > but it seems a bit lame somehow.
>
> A can not ask B's irbe to check the cert because that is trusting B,
> whose very cert you are trying to validate.
Cert contains CRLDP (inserted by cert's issuer) telling me where to
look to find out if cert has been revoked. Whom am I trusting that I
should not be trusting, and what makes you think I'm trusting
anybody's IRBE?