
Re: Dangling SA Summary



Dan,

One minor observation re your comments. A CRL contains a NextIssue date and
time.  That provides a convenient trigger for fetching a new CRL. One can
argue that an IPsec peer ought to attempt to fetch CRLs when they are
claimed to be available, and that any SAs that were authenticated under
certs that are now invalid, as per the fetched CRL(s), should be deleted.
I'm not saying that one has to do this, but rather that it does seem like a
reasonable approach.

Steve
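The policy sketched above (use the CRL's next-issue time as the trigger to fetch a fresh CRL, then tear down any SA that was authenticated under a certificate the new CRL lists as revoked) can be modelled in a few dozen lines. The following is an added example, not code from the list message or from any IPsec implementation; it assumes a peer certificate is identified by issuer name plus serial number, models the CRL's next-issue time as `next_update`, and uses constructed SAs and a constructed CRL as sample input.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- constructed data model (hypothetical, not from any real stack) -------

@dataclass(frozen=True)
class PeerCert:
    """Minimal identity of the cert that authenticated an SA: issuer + serial."""
    issuer: str
    serial: int

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer_cert: PeerCert          # remembered so a later CRL can invalidate the SA

@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime        # the "next issue" time the message refers to
    revoked_serials: frozenset   # serial numbers the issuer lists as revoked

# --- policy helpers --------------------------------------------------------

def crl_refresh_due(crl: CRL, now: datetime, slack: timedelta = timedelta(0)) -> bool:
    """True once the CRL's next_update time has been reached (optionally a bit early)."""
    return now >= crl.next_update - slack

def next_crl_fetch(crls: list) -> datetime:
    """Earliest next_update across the CRLs we hold: the natural time to poll again."""
    return min(c.next_update for c in crls)

def apply_fetched_crl(sas: list, crl: CRL) -> tuple:
    """Split SAs into (kept, deleted): an SA is deleted when the cert that
    authenticated it was issued by this CRL's issuer and its serial is revoked.
    A revoked serial under a different issuer is unrelated and leaves the SA alone."""
    kept, deleted = [], []
    for sa in sas:
        cert = sa.peer_cert
        if cert.issuer == crl.issuer and cert.serial in crl.revoked_serials:
            deleted.append(sa)
        else:
            kept.append(sa)
    return kept, deleted

# --- constructed sample input ---------------------------------------------

T0 = datetime(2000, 1, 1, 0, 0, tzinfo=timezone.utc)

SAMPLE_SAS = [
    SecurityAssociation(spi=0x1001, peer_cert=PeerCert("CN=CA-A", 42)),
    SecurityAssociation(spi=0x1002, peer_cert=PeerCert("CN=CA-A", 7)),
    SecurityAssociation(spi=0x1003, peer_cert=PeerCert("CN=CA-B", 42)),  # same serial, other issuer
]

# Freshly fetched CRL from CA-A: serial 42 (and an unrelated 99) are revoked.
SAMPLE_CRL = CRL(
    issuer="CN=CA-A",
    this_update=T0,
    next_update=T0 + timedelta(hours=24),
    revoked_serials=frozenset({42, 99}),
)

if __name__ == "__main__":
    kept, deleted = apply_fetched_crl(SAMPLE_SAS, SAMPLE_CRL)
    print("deleted SPIs:", [hex(sa.spi) for sa in deleted])
    print("kept SPIs:   ", [hex(sa.spi) for sa in kept])
    print("refetch CRLs at:", next_crl_fetch([SAMPLE_CRL]).isoformat())
```

In the sample, only SPI 0x1001 is deleted: SPI 0x1003 carries the same serial number but under a different issuer, which is why the SA must remember the issuer as well as the serial. The `slack` argument on `crl_refresh_due` lets a daemon fetch slightly before `next_update` so that it is not running on a CRL the issuer already considers superseded.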

