
Re: Dangling SA Summary



  Yes, that's eminently reasonable. It sounds like the right thing to do.

  thanks,

  Dan.

On Fri, 18 Jun 1999 18:05:14 EDT you wrote
> Dan,
> 
> One minor observation re your comments. A CRL contains a NextIssue date and
> time.  That provides a convenient trigger for fetching a new CRL. One can
> argue that an IPsec peer ought to attempt to fetch CRLs when they are
> claimed to be available, and that any SAs that were authenticated under
> certs that are now invalid, as per the fetched CRL(s), should be deleted.
> I'm not saying that one has to do this, but rather that it does seem like a
> reasonable approach.
> 
> Steve
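
The approach discussed in this thread, sketched as an added example (not code from either poster or from any IPsec implementation): after a CRL is fetched, delete the SAs authenticated under certificates it revokes and schedule the next fetch for the CRL's next-issue time (the nextUpdate field in X.509). The `Crl` and `Sa` records, the `apply_crl` function, the 5-minute retry and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:                      # simplified model of a fetched CRL, not a DER parser
    issuer: str
    next_update: datetime       # X.509 nextUpdate: when a newer CRL is promised
    revoked_serials: frozenset

@dataclass(frozen=True)
class Sa:                       # hypothetical SA table entry
    spi: int
    peer: str
    cert_issuer: str            # issuer of the cert that authenticated the peer
    cert_serial: int

RETRY = timedelta(minutes=5)    # assumed back-off when the fetched CRL is already stale

def apply_crl(sas, crl, now):
    """Return (kept, deleted, next_fetch) after checking SAs against a fetched CRL."""
    # A serial number is only unique per issuer, so both must match.
    deleted = [sa for sa in sas
               if sa.cert_issuer == crl.issuer and sa.cert_serial in crl.revoked_serials]
    kept = [sa for sa in sas if sa not in deleted]
    # Fetch again when the issuer says a new CRL will be available; if that time
    # has already passed, the CRL is stale, so retry soon instead of waiting.
    next_fetch = crl.next_update if crl.next_update > now else now + RETRY
    return kept, deleted, next_fetch

# Constructed sample data
NOW = datetime(1999, 6, 18, 22, 0, tzinfo=timezone.utc)
SAS = [
    Sa(0x1001, "gw-a.example", "CN=Example CA", 17),
    Sa(0x1002, "gw-b.example", "CN=Example CA", 42),
    Sa(0x1003, "gw-c.example", "CN=Other CA", 42),   # same serial, different issuer
]
CRL = Crl("CN=Example CA", NOW + timedelta(hours=24), frozenset({42}))

if __name__ == "__main__":
    kept, deleted, next_fetch = apply_crl(SAS, CRL, NOW)
    for sa in deleted:
        print(f"delete SA spi={sa.spi:#x} peer={sa.peer}")
    print("next CRL fetch:", next_fetch.isoformat())
```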

