> -----Original Message-----
> From: Mason, David [mailto:David_Mason@nai.com]
> Sent: June 18, 1999 5:30 PM
> To: ipsec@lists.tislabs.com
> Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
>
>
> When a customer asks what's the maximum time period after a
> certificate is revoked will the user of that certificate still have access,
> the answer with dangling phase 2 SAs would be:
>
> CRLexpirationInterval+Phase1Life+Phase2Life
>
> without dangling phase 2 SAs:
>
> CRLexpirationInterval+phase1Life

Where does the CRLexpirationInterval term come from? The RFCs require that the phase 1 lifetime be reduced so that it can't live past your current CRL expiration anyway. Are you assuming that implementations are not using that?

> I believe that the relative difference between these two periods is small
> and generally the Phase2Life will be by far the smallest component.

Again, if the system user configures his/her system to be that way, you're correct. However, there is nothing in the RFCs that makes that a requirement.

Finally, no one seems to respond to my comment that with dangling phase 2 SAs, clean deletion of the phase 2 SAs at both ends if the certificate becomes revoked may not be possible. Is this something else no one cares about?