
Re:-ipsec-pki-req-03 - certificate validity



At 12:20 PM 10/27/99 +0200, Rodney Thayer wrote:
>The original intent of this section was to require validity,
>which we all agree we should worry about, as opposed to CRL's,
>which many people don't use.  When the document was converted
>to PKIX compatibility (such as it is) this mutated into a CRL
>requirement.

This is an interesting place to diverge from PKIX if this group wants to. 
We can define validity to mean "a chain to a trusted root" *without* 
checking for revocation. It would simplify a great deal in implementations, 
but it would also expose IKE systems to attacks they aren't susceptible to 
if they check revocation often.

Personally, I think we should leave these two linked.

--Paul Hoffman, Director
--VPN Consortium


