Fwd: CAs for IPv6 only sites

David Groep

May 29, 2025, 4:07:37 AM
to All IGTF Members (igtf-general)
Dear all,

This is (only) relevant to those IGTF members that provide PKIX trust
anchor services:

On another list that I am on, Ivan (below) did a survey on the reachability
of the CRLs on today's recommended internet protocol: IPv6. While I see
a lot of CAs that have indeed entered the 21st century, there are also
quite a few where only the historic protocol "IPv4" is supported.
Some are clearly duplicates (a legacy CA with a complex hierarchy will
have many failures, of course), but still this could do with significant
improvement.

If you do not avail over modern IP on the server itself, content
delivery networks can proxy that for you, often even at no cost. The
CloudFlare free plan is one of them, but there are others. With them you
get IPv6 for free (CILogon used that one for a long time).

Please review the list, and help maintain security of the trust fabric
by allowing relying parties to download your CRL. Unless your CRL is
retrievable over IPv6, sites may not be able to get it, and as a
result your CA will be effectively disabled, which may impact your
subscribers.

Cheers,
DavidG.

-------- Forwarded Message --------
Subject: CAs for IPv6 only sites
Date: Wed, 28 May 2025 18:00:41 +0000
From: Ivan Glushkov <0000077dc9e48f8...@IN2P3.FR>
To: ip...@hepix.org <ip...@hepix.org>
CC: Eduardo Bach <eduard...@cern.ch>, smc...@umich.edu <smc...@umich.edu>,
rc...@umass.edu <rc...@umass.edu>

Dear HEPiX IPv6 experts,

We are trying to investigate what is needed for a site to run IPv6-only in
ATLAS. We already have an IPv6-only batch queue at CERN that conceptually
proves that our workflow management system and data management systems are able
to handle IPv6-only compute resources.

On the other hand, when Eduardo tried to get the CRLs from some CAs we realized
that many CAs are not available via IPv6 [1]. For the CERN CA, Maarten already opened
a SNOW ticket [2], but what should be the general approach here? I think we
should NOT advise the sites to go for solutions that somehow handle IPv4 traffic
on IPv6 sites (NAT64, dual-stack caches, etc.) but go the other way around - see
which services are showstoppers and put pressure on them.

Cheers,
Ivan

[1] CA_DIR="/etc/grid-security/certificates"
    for pem in "$CA_DIR"/*.pem; do
        # pull the HTTP(S) URIs out of each trust anchor's CRL Distribution Points extension
        openssl x509 -in "$pem" -noout -text \
          | grep -A5 "CRL Distribution" | grep -i uri | grep -Eo 'https?://[^ ]+\.crl'
    done | while read -r url; do
        # -6: IPv6 only; -f: count HTTP 4xx/5xx as failure (without it a 404 reports as OK)
        curl -6 -f -s --connect-timeout 5 -o /dev/null "$url" \
          && echo "IPv6 OK $url" || echo "IPv6 FAIL $url"
    done
IPv6 FAIL http://cafiles.cern.ch/cafiles/crl/CERN%20Root%20Certification%20Authority%202.crl
IPv6 FAIL http://crl.cesnet-ca.cz/CESNET_CA_Root.crl
IPv6 FAIL http://ca.grid.arn.dz/pki/pub/crl/cacrl.crl
IPv6 FAIL http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
IPv6 FAIL http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
IPv6 FAIL http://crl4.digicert.com/DigiCertGridRootCA.crl
IPv6 FAIL http://crl3.digicert.com/DigiCertGridRootCA.crl
IPv6 FAIL http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
IPv6 FAIL http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
IPv6 FAIL http://crl.enterprise.sectigo.com/ResearchandEducationTrustECCRootCA.crl
IPv6 OK http://crl.geant-prv.harica.gr/GEANT-TCS-Root-E5.crl
IPv6 FAIL http://crl.enterprise.sectigo.com/ResearchandEducationTrustRSARootCA.crl
IPv6 OK http://crl.geant-prv.harica.gr/GEANT-TCS-Root-R5.crl
IPv6 OK http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
IPv6 OK http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl
IPv6 OK http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
IPv6 OK http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl
IPv6 OK http://crl.harica.gr/HARICA-TLS-Root-2021-ECC.crl
IPv6 OK http://crl.harica.gr/HARICA-TLS-Root-2021-RSA.crl
IPv6 OK http://crl.harica.gr/HARICA-TLS-Root-2021-ECC.crl
IPv6 OK http://crl.harica.gr/HARICA-TLS-Root-2021-RSA.crl
IPv6 FAIL http://irangrid.ipm.ac.ir/pki/pub/crl/cacrl.crl
IPv6 OK http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
IPv6 FAIL http://ra.magrid.ma/pub/crl/cacrl.crl
IPv6 OK http://ca.nordugrid.org/NorduGrid-2015.crl
IPv6 FAIL http://www.ncp.edu.pk/pk-grid-ca/2007/CRL/ncp.crl
IPv6 FAIL http://ca.unamgrid.unam.mx/pub/crl/unamgrid-crl.crl
IPv6 OK http://crl.dutchgrid.nl/dcaroot/g1/crl/crl.crl
IPv6 OK http://signet-ca.ijs.si/pub/crl/signet02crl.crl
IPv6 OK http://ups.savba.sk/ca/slovakgrid.crl
IPv6 FAIL http://ca.unamgrid.unam.mx/pub/crl/cacrl.crl
IPv6 FAIL http://crl.emsign.com?RootCAG1.crl
IPv6 FAIL http://crl.emsign.com?RootCAG1.crl
IPv6 FAIL http://crl.emsign.com?TrustedRootCAC4.crl
IPv6 FAIL http://crl.emsign.com/?TrustedRootCAC5.crl
IPv6 FAIL http://crl.private.emsign.com?4R5.crl

[2]
https://cern.service-now.com/service-portal?id=ticket&table=incident&n=INC4492900
########################################################################
ipv6 mailing list
ip...@hepix.org
http://listserv.in2p3.fr/archives/ipv6.html
To unsubscribe from the ipv6 list, click the following link:
https://listserv.in2p3.fr/cgi-bin/wa?SUBED1=ipv6&A=1
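The one-liner in [1] only tells you whether curl could open a connection over IPv6. A relying party on an IPv6-only site cares about more than that: a name with no AAAA record at all is a different problem from a dual-stack host whose IPv6 side does not answer, an HTTP 404 is not a working CRL, and a captive portal or error page served with 200 is not one either. The checker below, added here as an example and not code from the mail or from any of the CAs or projects named in it, makes those distinctions. Verdict names, function names and the injectable resolver/fetcher hooks are this example's own choices; SAMPLE_URLS are copied from the list in the mail and the content check only verifies the outer DER SEQUENCE (or PEM header), not the signature.

```python
"""Classify CRL distribution points by how an IPv6-only relying party sees them.

Added example (not from the mail). Verdict names and helper names are this
example's own choices, not from any standard or project.
"""
import http.client
import socket
from urllib.parse import urlsplit

# Verdicts, from worst to best for an IPv6-only site.
NO_AAAA = "NO_AAAA"                # hostname has no IPv6 address at all
V6_UNREACHABLE = "V6_UNREACHABLE"  # AAAA exists but nothing answers over IPv6
HTTP_ERROR = "HTTP_ERROR"          # server answered, but not with 200
BAD_CONTENT = "BAD_CONTENT"        # 200, but the body is not a CRL (portal, HTML error page)
OK = "OK"

# Constructed sample: URLs copied from the list in the mail, one duplicate kept on purpose.
SAMPLE_URLS = [
    "http://crl.cesnet-ca.cz/CESNET_CA_Root.crl",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl",
    "http://crl.harica.gr/HARICA-TLS-Root-2021-RSA.crl",
    "http://crl.emsign.com?RootCAG1.crl",
]


def dedupe_urls(urls):
    """Drop repeated CRL URLs but keep first-seen order (CA hierarchies repeat them)."""
    seen, unique = set(), []
    for url in urls:
        if url not in seen:
            seen.add(url)
            unique.append(url)
    return unique


def has_aaaa(host):
    """True if the name resolves to at least one real (not v4-mapped) IPv6 address."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    return any(not info[4][0].startswith("::ffff:") for info in infos)


class IPv6HTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that never falls back to IPv4 (the failure we want to observe)."""

    def connect(self):
        infos = socket.getaddrinfo(self.host, self.port, socket.AF_INET6, socket.SOCK_STREAM)
        family, socktype, proto, _, sockaddr = infos[0]
        self.sock = socket.socket(family, socktype, proto)
        self.sock.settimeout(self.timeout)
        self.sock.connect(sockaddr)


def fetch_v6(url, timeout=5.0):
    """GET the URL over IPv6 only; returns (status, body). Plain http only, as CRL DPs usually are."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http:// CRL distribution points are handled here")
    target = parts.path or "/"
    if parts.query:  # e.g. http://crl.emsign.com?RootCAG1.crl has no path, only a query
        target += "?" + parts.query
    conn = IPv6HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def looks_like_crl(body):
    """Cheap structural check: PEM CRL header, or one complete DER SEQUENCE (CertificateList)."""
    if body.startswith(b"-----BEGIN X509 CRL-----"):
        return True
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:             # long-form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(body) < 2 + n:
            return False
        length, header = int.from_bytes(body[2:2 + n], "big"), 2 + n
    return header + length == len(body)  # truncated or padded downloads fail here


def check_crl_url(url, resolver=has_aaaa, fetcher=fetch_v6):
    """Return (verdict, detail). resolver/fetcher are injectable so the logic can be tested offline."""
    host = urlsplit(url).hostname
    if not host or not resolver(host):
        return NO_AAAA, host
    try:
        status, body = fetcher(url)
    except (OSError, http.client.HTTPException, ValueError) as exc:
        return V6_UNREACHABLE, f"{type(exc).__name__}: {exc}"
    if status != 200:
        return HTTP_ERROR, f"HTTP {status}"
    if not looks_like_crl(body):
        return BAD_CONTENT, f"{len(body)} bytes, not a CRL"
    return OK, f"{len(body)} bytes"


def check_all(urls, **hooks):
    """Check every distinct URL once; returns {url: (verdict, detail)}."""
    return {url: check_crl_url(url, **hooks) for url in dedupe_urls(urls)}


if __name__ == "__main__":
    for url, (verdict, detail) in check_all(SAMPLE_URLS).items():
        print(f"{verdict:15} {url}  ({detail})")
```

Run it on a host that has IPv6 connectivity; on a dual-stack box the IPv6-only connection class is what keeps the result honest, since a default HTTP client would silently fall back to IPv4 and hide exactly the failure the mail is about. NO_AAAA results are the CA's problem to fix (or to front with a CDN, as suggested above); V6_UNREACHABLE ones are worth reporting too, because a dual-stack client will sit through the IPv6 timeout before falling back.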