
Re: Periodic certificate validation check



I remember talking about this way back...

Ideally you would constrain the IKE phase one SA lifetime to not be greater
than the next update time of the CRL (and not past the certificate
lifetime).  However, you wouldn't fetch the CRL until after you agreed on the
SA.  So you would have to modify the SA lifetime locally (no big deal) if
the agreed lifetime was longer than the next update field in the CRL.  Then
initiate a new IKE SA just prior to the CRL next update period, at which
time a new CRL will be available, so the new IKE exchange will force a CRL
check; if it fails, your IKE set-up would fail and you would follow the
normal failure path.

Since the CRL lifetime is set by those running the CA, it is assumed that
the security policy in place is satisfied with the CRL update period.  So,
theoretically, constraining the IPsec lifetimes to those of the CRL should
be OK.

If you were using OCSP, the same applies (use the next update field).

Greg Carter
----- Original Message -----
From: "Amey Gokhale" <agokhale@postmaster.co.uk>
To: <ipsec@lists.tislabs.com>
Sent: Monday, September 23, 2002 7:51 AM
Subject: Periodic certificate validation check


> Hi list,
>
> During IKE, with a certificate based authentication method, validity (CRL
> checking) of the user certificate is done only during the initial stage, that
> is, during SA negotiation.
>
> If the certificate gets revoked after the connection is established, should
> the implementation check periodically for the validity of the certificate
> in between a running connection? If yes, then does some notification need to
> be generated and sent to the other party about the revoked certificate?
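One way to implement the lifetime capping and re-authentication loop Greg describes, as an added example that is not part of the original thread and is not code from any IPsec implementation. It models the phase-one SA, the peer certificate and the CRL as plain Python data: the `PeerCert` and `Crl` classes, the `fetch_crl` stand-in, the five-minute margin, the serial number and the CRL timestamps are all assumptions constructed for the example; a real stack would fetch and parse the CRL from the certificate's distribution point. The negotiated lifetime is shortened locally to the CRL's nextUpdate (and the certificate's notAfter), the next IKE exchange is started when that shortened lifetime runs out, and the fresh CRL fetched during that exchange decides whether the peer is still acceptable. The same `next_update` logic applies to an OCSP response's nextUpdate field, as the reply notes.

```python
"""Cap the IKE phase-one SA lifetime at the CRL's nextUpdate (and the peer
certificate's notAfter), then re-authenticate against a fresh CRL.

Added example, not code from the mailing-list thread or any IPsec stack.
Certificates and CRLs are modelled as plain data; the timestamps, serial
numbers and the five-minute margin are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet, List, Optional, Tuple

UTC = timezone.utc
M = timedelta(minutes=1)
H = timedelta(hours=1)

# Event tags used in the trace (our own names, not IKE notification types).
ESTABLISHED, REAUTH_OK, REVOKED, STALE_CRL, EXPIRED, NO_WINDOW = (
    "established", "reauth_ok", "revoked", "stale_crl", "expired", "no_window")


@dataclass(frozen=True)
class PeerCert:
    serial: int
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]


def effective_lifetime(negotiated: timedelta, now: datetime, cert: PeerCert,
                       crl: Crl, margin: timedelta) -> timedelta:
    """Shorten the negotiated lifetime locally so the SA expires before the
    CRL's nextUpdate (less a margin so the new exchange finishes while the
    current CRL is still valid) and before the certificate's notAfter.
    The peer is not told; we simply initiate the next IKE exchange early."""
    return min(negotiated,
               cert.not_after - now,
               crl.next_update - margin - now)


def validate(cert: PeerCert, crl: Crl, now: datetime) -> Optional[str]:
    """The certificate check an IKE exchange performs.  Returns None if the
    peer certificate is acceptable, otherwise a failure tag.  A CRL whose
    nextUpdate has already passed is treated as a failure, not trusted."""
    if now >= cert.not_after:
        return EXPIRED
    if crl.next_update <= now:
        return STALE_CRL
    if cert.serial in crl.revoked:
        return REVOKED
    return None


Event = Tuple[str, datetime, Optional[timedelta]]


def run_sessions(start: datetime, negotiated: timedelta, cert: PeerCert,
                 fetch_crl: Callable[[datetime], Crl],
                 margin: timedelta = 5 * M, max_rounds: int = 10) -> List[Event]:
    """Establish an IKE SA at `start`, then re-authenticate whenever the
    CRL-bounded lifetime runs out, until a check fails.  Returns the trace."""
    events: List[Event] = []
    now = start
    for _ in range(max_rounds):
        crl = fetch_crl(now)            # fetched only after the SA is agreed
        failure = validate(cert, crl, now)
        if failure is not None:
            events.append((failure, now, None))    # normal IKE failure path
            break
        life = effective_lifetime(negotiated, now, cert, crl, margin)
        if life <= timedelta(0):
            events.append((NO_WINDOW, now, None))  # no usable validity window
            break
        events.append((ESTABLISHED if not events else REAUTH_OK, now, life))
        now += life                     # SA expires: start the next exchange
    return events


# --- constructed sample data (assumption, not real CA output) ---------------
T0 = datetime(2002, 9, 23, 0, 0, tzinfo=UTC)
PEER = PeerCert(serial=0x1234, not_after=T0 + 24 * H)
# The CA publishes hourly and releases each CRL ten minutes before the previous
# one's nextUpdate; the third CRL revokes the peer's certificate.
CRLS = [
    Crl(T0, T0 + 60 * M, frozenset()),
    Crl(T0 + 50 * M, T0 + 110 * M, frozenset()),
    Crl(T0 + 100 * M, T0 + 160 * M, frozenset({0x1234})),
]


def fetch_crl(now: datetime) -> Crl:
    """Stand-in for fetching from the CRL distribution point: the newest CRL
    already published at `now`."""
    return max((c for c in CRLS if c.this_update <= now),
               key=lambda c: c.this_update)


if __name__ == "__main__":
    for tag, when, life in run_sessions(T0 + 10 * M, 8 * H, PEER, fetch_crl):
        print(f"{when:%H:%M} {tag:12s} lifetime={life}")
```

Run stand-alone, the trace shows the negotiated eight-hour lifetime being cut to 45 minutes by the first CRL, the re-authentication at 00:55 picking up the second CRL and getting 50 minutes, and the exchange at 01:45 failing because the third CRL lists the peer's serial. The margin is what keeps the re-authentication inside the current CRL's validity window; without it the new exchange would run against a CRL that is about to, or has already, passed its nextUpdate, which `validate` rejects.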