
RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)




> -----Original Message-----
> From: Mason, David [mailto:David_Mason@nai.com]
> Sent: June 18, 1999 5:30 PM
> To: ipsec@lists.tislabs.com
> Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> 
> 
> When a customer asks what's the maximum time period after a 
> certificate is
> revoked will the user of that certificate still have access, 
> the answer with
> dangling phase 2 SAs would be:
> 
> CRLexpirationInterval+Phase1Life+Phase2Life
> 
> without dangling phase 2 SAs:
> 
> CRLexpirationInterval+phase1Life

Where does the CRLexpirationInterval term come from? The RFCs require that
the phase 1 lifetime be reduced so that it can't live past your current CRL
expiration anyway. Are you assuming that implementations are not using that?

> 
> I believe that the relative difference between these two 
> periods is small
> and generally the Phase2Life will be by far the smallest component.

Again, if the system user configures his/her system to be that way, you're
correct. However, there is nothing in the RFCs that make that a requirement.


Finally, no one seems to respond to my comment that with dangling phase 2
SAs, clean deletion of the phase 2 SAs at both ends if the certificate
becomes revoked may not be possible. Is this something else no one cares
about?
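The two formulas quoted above, and the phase 1 clamping point raised in the reply, can be put into a small timeline model. This is an added example written for this page, not code from either poster or from any IPsec implementation; the `Policy` fields, the function names and the lifetime values in the usage block are constructed assumptions. The model takes the worst case for the verifier: the certificate is revoked just after a CRL is published, so the verifier keeps trusting it until that CRL's nextUpdate, and the peer negotiates its last phase 1 SA immediately before that instant.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Constructed parameters (seconds); none are taken from a real deployment."""
    crl_interval: float        # time from a CRL's issue to its nextUpdate
    phase1_life: float         # configured ISAKMP (phase 1) SA lifetime
    phase2_life: float         # configured IPsec (phase 2) SA lifetime
    dangling_phase2: bool      # phase 2 SAs survive expiry of the phase 1 SA that built them
    clamp_phase1_to_crl: bool  # phase 1 lifetime is cut so the SA cannot outlive the current CRL


def phase1_end(p: Policy) -> float:
    """Latest expiry of any phase 1 SA set up before the verifier sees the revocation.

    The verifier's CRL still says "good" until t = crl_interval, and the peer
    negotiates one last phase 1 SA just before that point.
    """
    crl_expiry = p.crl_interval
    if p.clamp_phase1_to_crl:
        # lifetime is min(phase1_life, time left on the CRL); for an SA set up
        # just before nextUpdate that remaining time is essentially zero
        return crl_expiry
    return crl_expiry + p.phase1_life


def access_window(p: Policy) -> float:
    """Worst-case time (measured from revocation) during which traffic still flows."""
    p1_end = phase1_end(p)
    if p.dangling_phase2:
        # the last phase 2 SA is negotiated just before its phase 1 SA expires
        # and then lives out its own lifetime with no phase 1 SA left above it
        return p1_end + p.phase2_life
    # phase 2 SAs are torn down together with their parent phase 1 SA
    return p1_end


def delete_notify_possible(p: Policy, t: float) -> bool:
    """Simplified check: at time t, is there still a phase 1 SA over which a
    Delete for the phase 2 SA could be sent?

    Delete payloads travel in the ISAKMP SA, so this models the concern in the
    reply above. It assumes the only phase 1 SA is the last one negotiated.
    """
    return t < phase1_end(p)


def compare_policies(crl_interval: float, phase1_life: float, phase2_life: float) -> dict:
    """Access window for every combination of dangling / clamped, for one set of lifetimes."""
    out = {}
    for dangling in (False, True):
        for clamp in (False, True):
            p = Policy(crl_interval, phase1_life, phase2_life, dangling, clamp)
            out[(dangling, clamp)] = access_window(p)
    return out


if __name__ == "__main__":
    # constructed values: 1h CRL interval, 8h phase 1 lifetime, 30min phase 2 lifetime
    table = compare_policies(3600, 8 * 3600, 1800)
    for (dangling, clamp), window in sorted(table.items()):
        print(f"dangling={dangling!s:5} clamp_phase1={clamp!s:5} "
              f"worst-case access after revocation = {window / 3600:.2f} h")
```

With these numbers the unclamped cases reproduce the two quoted sums, CRLexpirationInterval+Phase1Life+Phase2Life and CRLexpirationInterval+Phase1Life; with phase 1 clamped to the CRL the Phase1Life term drops out of both, and the remaining difference between the two policies is exactly Phase2Life.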
