Re:-ipsec-pki-req-03 - certificate validity
At 12:20 PM 10/27/99 +0200, Rodney Thayer wrote:
>The original intent of this section was to require validity,
>which we all agree we should worry about, as opposed to CRLs,
>which many people don't use. When the document was converted
>to PKIX compatibility (such as it is) this mutated into a CRL
>requirement.
This is an interesting place to diverge from PKIX if this group wants to.
We can define validity to mean "a chain to a trusted root" *without*
checking for revocation. It would simplify a great deal in implementations,
but it would also expose IKE systems to attacks they aren't susceptible to
if they check revocation often.
Personally, I think we should leave these two linked.
--Paul Hoffman, Director
--VPN Consortium