RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
When a customer asks what the maximum time period is, after a certificate is
revoked, during which the user of that certificate will still have access, the
answer with dangling phase 2 SAs would be:
CRLexpirationInterval+Phase1Life+Phase2Life
without dangling phase 2 SAs:
CRLexpirationInterval+Phase1Life
I believe that the relative difference between these two periods is small
and generally the Phase2Life will be by far the smallest component.
If a customer is concerned about this question the answer should be:
manually force a retrieval of a new CRL and manually delete the associated
SAs.
-dave