
RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)



> -----Original Message-----
> From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
> Sent: June 21, 1999 11:51 AM
> To: Mason, David; ipsec@lists.tislabs.com
> Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> 
> 
> 
> > -----Original Message-----
> > From: Mason, David [mailto:David_Mason@nai.com]
> > Sent: June 18, 1999 5:30 PM
> > To: ipsec@lists.tislabs.com
> > Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> > 
> > 
> > When a customer asks what's the maximum time period after a certificate is
> > revoked during which the user of that certificate will still have access,
> > the answer with dangling phase 2 SAs would be:
> > 
> > CRLexpirationInterval+Phase1Life+Phase2Life
> > 
> > without dangling phase 2 SAs:
> > 
> > CRLexpirationInterval+phase1Life
> 
> Where does the CRLexpirationInterval term come from? The RFCs 
> require that the phase 1 lifetime be reduced so that it can't 
> live past your current CRL expiration anyway. Are you 
> assuming that implementations are not using that?
> 

Never mind; I see it. But it's actually

CRLexpirationInterval + Phase2Life

since the phase 1 life isn't supposed to go beyond the CRL expiration; it
then has no effect on the result.

The no dangling SA case would result in

CRLexpirationInterval

only.
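The two bounds argued over above are easy to get wrong because they depend on which SA may outlive which. The following is an added example, not code from either poster or from any IKE implementation: a small hypothetical model of the worst-case window after revocation, parameterised by whether the phase 1 SA is clamped to the cached CRL's expiry (the RFC behaviour Tim cites) and whether phase 2 SAs are allowed to dangle. The closed form reproduces the formulas in the thread; a brute-force search over establishment times confirms the closed form is tight under the model's assumptions (the gateway trusts its cached CRL until it expires, a phase 1 SA can only be set up while the certificate still looks valid, and a phase 2 SA can only be created under a live phase 1 SA). All numbers are constructed; the time unit is arbitrary.

```python
"""Worst-case window during which a revoked certificate still grants IPsec access.

Hypothetical model constructed for this thread (not code from the original mail
or from any IKE implementation). Times are relative to the moment the gateway
fetched its current CRL; the revocation is assumed to land just after that
fetch, so it is only seen when the next CRL is loaded.

Assumptions:
  * The gateway trusts the cached CRL for crl_interval after fetching it.
  * A phase 1 (IKE) SA can only be established while the cert looks valid,
    i.e. at or before the cached CRL's expiry.
  * A phase 2 (IPsec) SA can only be created under a live phase 1 SA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    crl_interval: int          # how long the cached CRL stays valid after fetch
    phase1_life: int           # negotiated IKE SA lifetime
    phase2_life: int           # negotiated IPsec SA lifetime
    clamp_phase1_to_crl: bool  # phase 1 SA may not outlive the current CRL
    dangling_phase2: bool      # phase 2 SAs survive the death of their phase 1 SA


def phase1_end(p: Policy, t1: int) -> int:
    """Expiry of a phase 1 SA established at time t1 (t1 <= crl_interval)."""
    end = t1 + p.phase1_life
    return min(end, p.crl_interval) if p.clamp_phase1_to_crl else end


def phase2_end(p: Policy, t2: int, p1_end: int) -> int:
    """Expiry of a phase 2 SA created at t2 under a phase 1 SA that dies at p1_end."""
    end = t2 + p.phase2_life
    return end if p.dangling_phase2 else min(end, p1_end)


def access_window_closed_form(p: Policy) -> int:
    """The bound as stated in the thread, relative to the CRL fetch time.

    clamp + dangling   -> crl_interval + phase2_life        (Tim's correction)
    clamp + no dangle  -> crl_interval
    no clamp + dangling-> crl_interval + phase1_life + phase2_life (Dave's form)
    no clamp + no dangle -> crl_interval + phase1_life
    """
    p1 = p.crl_interval if p.clamp_phase1_to_crl else p.crl_interval + p.phase1_life
    return p1 + p.phase2_life if p.dangling_phase2 else p1


def access_window_by_search(p: Policy) -> int:
    """Brute-force the latest instant any SA is still usable.

    Establishment times are enumerated inclusively, so the result is the
    supremum reached when each SA is set up 'just before' its deadline.
    """
    latest = 0
    for t1 in range(0, p.crl_interval + 1):      # cert still looks valid
        p1_end = phase1_end(p, t1)
        latest = max(latest, p1_end)
        for t2 in range(t1, p1_end + 1):         # while phase 1 is alive
            latest = max(latest, phase2_end(p, t2, p1_end))
    return latest


def compare_policies(crl_interval: int, phase1_life: int, phase2_life: int) -> dict:
    """Worst-case window for all four combinations of clamping and dangling."""
    out = {}
    for clamp in (True, False):
        for dangle in (True, False):
            p = Policy(crl_interval, phase1_life, phase2_life, clamp, dangle)
            out[(clamp, dangle)] = access_window_closed_form(p)
    return out


if __name__ == "__main__":
    # Constructed sample: CRL valid 24h, IKE SA 8h, IPsec SA 1h.
    for (clamp, dangle), window in compare_policies(24, 8, 1).items():
        print(f"clamp_phase1={clamp!s:5} dangling_phase2={dangle!s:5} "
              f"-> revoked cert usable for up to {window}h after CRL fetch")
```

With the RFC-mandated clamp in place, the phase 1 lifetime drops out exactly as Tim says: the only thing dangling phase 2 SAs add to the exposure window is one phase 2 lifetime beyond the CRL expiry.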