RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> -----Original Message-----
> From: Tim Jenkins [mailto:tjenkins@TimeStep.com]
> Sent: June 21, 1999 11:51 AM
> To: Mason, David; ipsec@lists.tislabs.com
> Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
>
>
>
> > -----Original Message-----
> > From: Mason, David [mailto:David_Mason@nai.com]
> > Sent: June 18, 1999 5:30 PM
> > To: ipsec@lists.tislabs.com
> > Subject: RE: Dangling phase 2 SAs (was RE: issues from the bakeoff)
> >
> >
> > When a customer asks what's the maximum time period after a certificate is
> > revoked will the user of that certificate still have access, the answer with
> > dangling phase 2 SAs would be:
> >
> > CRLexpirationInterval+Phase1Life+Phase2Life
> >
> > without dangling phase 2 SAs:
> >
> > CRLexpirationInterval+phase1Life
>
> Where does the CRLexpirationInterval term come from? The RFCs
> require that the phase 1 lifetime be reduced so that it can't
> live past your current CRL expiration anyway. Are you
> assuming that implementations are not using that?
>
Never mind; I see it. But it's actually
CRLexpirationInterval + Phase2Life
since the phase 1 life isn't supposed to go beyond the CRL expiration; it
then has no effect on the result.
The no dangling SA case would result in
CRLexpirationInterval
only.
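
Added example, not part of the original message: a brute-force check of the four worst-case bounds discussed in this thread, enumerating revocation, phase 1 and phase 2 times on an integer grid. The function and parameter names and the sample lifetimes are assumptions, and the model follows one phase 1 SA and one phase 2 SA per timeline.

```python
from itertools import product


def worst_case_exposure(crl_interval, phase1_life, phase2_life,
                        clamp_phase1_to_crl, dangling_phase2):
    """Longest time a revoked certificate's holder keeps IPsec access.

    Time 0 is when the verifier's cached CRL was issued; it is replaced at
    crl_interval. Interval endpoints are included, so the result is the
    supremum over all timelines on the grid.
    """
    worst = 0
    times = range(crl_interval + 1)
    # r:  revocation time (after the cached CRL was issued, so not listed in it)
    # t1: phase 1 authentication time (accepted only while the old CRL is in use)
    for r, t1 in product(times, times):
        p1_end = t1 + phase1_life
        if clamp_phase1_to_crl:
            # phase 1 lifetime reduced so it cannot outlive the current CRL
            p1_end = min(p1_end, crl_interval)
        # t2: a phase 2 SA can be negotiated while the phase 1 SA is alive
        for t2 in range(t1, p1_end + 1):
            p2_end = t2 + phase2_life
            if not dangling_phase2:
                p2_end = min(p2_end, p1_end)  # deleted with its phase 1 SA
            worst = max(worst, p2_end - r)
    return worst


def compare(crl_interval, phase1_life, phase2_life):
    """Worst case for every (clamp, dangling) policy combination."""
    return {
        (clamp, dangling): worst_case_exposure(
            crl_interval, phase1_life, phase2_life, clamp, dangling)
        for clamp in (False, True)
        for dangling in (False, True)
    }


if __name__ == "__main__":
    # Constructed sample lifetimes, in hours.
    for (clamp, dangling), hours in compare(24, 8, 2).items():
        print(f"clamp_phase1={clamp!s:5} dangling_phase2={dangling!s:5} "
              f"worst case = {hours} h")
```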