
RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)




>A certificate binds an identity to a key in a verifiable way. You verified
>it and created IPSec SAs. If later on the cert expires it doesn't mean
>that you did not authenticate that person, only that the CA wants its
>pound of flesh again. If I buy a 6pack of beer and use a driver's license
>to verify my identity and age and that driver's license expires the next
>day it doesn't mean that I have to throw out all the beer I hadn't drunk
>just because my driver's license is now expired.

I think this analogy is flawed when compared to a Phase-2 SA with a lifetime.
Your beer is not going to expire when your driver's license does perhaps,
and there is little that can be done to make it expire - other than planting
a time bomb in it, but we can make sure that your Phase-2 SA does expire
when your certificate does.

In the case of Phase-2 SAs that are only set up with lifedata, then I guess it
could be the same as your example.  The Phase-1 SA takes notice of the
lifetime of the certificate and I think we should probably do the same for
the Phase-2 SA.

The revoked cert problem is another can of worms. Checking the CRL every 10
minutes in case any of the active SAs should be killed seems hard work - this
is probably only solved by the security manager knowing which Security
Gateways the owner can access, and deleting any SA manually, relying on the
CRL to block later connections.


Steve.