
RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)



When a customer asks what's the maximum time period after a certificate is
revoked that the user of that certificate will still have access, the answer
with dangling phase 2 SAs would be:

CRLexpirationInterval+Phase1Life+Phase2Life

without dangling phase 2 SAs:

CRLexpirationInterval+Phase1Life

I believe that the relative difference between these two periods is small
and generally the Phase2Life will be by far the smallest component.

If a customer is concerned about this question the answer should be:
manually force a retrieval of a new CRL and manually delete the associated
SAs.

-dave