
Re: Periodic certificate validation check



Keeping the IKE SA lifetime just below the CRL next update time could cause a lot of overhead on a VPN gateway, as Phillip mentioned. 

The CRL update time of VeriSign is 10 days. What if some third-party server has frequent CRL updates? All IKE SAs will be invalidated accordingly, causing IPSec SAs to break down. That will lead to frequent SA negotiations, causing a lot of overhead. 
In that case, is there any standard approach to be followed?

Regards,
Amey Gokhale. 


On Mon, 23 Sep 2002 12:38:44 -0400
 "Greg Carter" <greg@carter-engineering.com> wrote:
> I remember talking about this way back...
> 
> Ideally you would constrain the IKE phase one SA life time to not be greater
> than the next update time of the CRL (and not past the certificate
> lifetime).  However you wouldn't fetch the CRL until after you agreed on the
> SA.  So you would have to modify the SA lifetime locally (no big deal) if
> the agreed lifetime was longer than the next update field in the CRL.  Then
> initiate a new IKE SA just prior to the CRL next update period.  At which
> time a new CRL will be available, so the new IKE exchange will force a CRL
> check, if it fails your IKE set-up would fail and you would follow the
> normal failure path.
> 
> Since the CRL lifetime is set by those running the CA, it is assumed that
> the security policy in place is satisfied with the CRL update period.  So
> theoretically, constraining the IPSec lifetimes to those of the CRL should
> be OK.
> 
> If you were using OCSP the same applies (use the next update field).
> Greg Carter
> ----- Original Message -----
> From: "Amey Gokhale" <agokhale@postmaster.co.uk>
> To: <ipsec@lists.tislabs.com>
> Sent: Monday, September 23, 2002 7:51 AM
> Subject: Periodic certificate validation check
> 
> 
> > Hi list,
> >
> > During IKE, with a certificate-based authentication method, validity (CRL
> > checking) of the user certificate is done only during the initial stage, that is,
> > during SA negotiation.
> >
> > If the certificate gets revoked after the connection is established, should
> > the implementation check periodically for the validity of the
> > certificate during a running connection? If yes, then does some
> > notification need to be generated and sent to the other party about the
> > revoked certificate?
> 
> 
>
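The lifetime clamp Greg describes, and the overhead Amey worries about, can both be seen in a small simulation. The code below is an added example for this archive page, not code from the thread or from any IPsec implementation. The CA, its CRL schedule, the serial number 0x1234, the start time and the certificate lifetime are all constructed values; no real CRL is fetched. It clamps the locally enforced IKE SA lifetime to min(agreed lifetime, certificate notAfter, CRL nextUpdate), renegotiates with a fresh CRL check every time that lifetime expires, and reports how many renegotiations happened and when a revocation that occurred mid-connection was first noticed.

```python
"""Constructed simulation: IKE SA lifetime clamped to the CRL nextUpdate.

Illustrative only. The CA, CRL period, serial and timestamps are made up,
and nothing here speaks IKE or parses a real CRL.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2002, 9, 23, 12, 0, tzinfo=timezone.utc)   # constructed start time
DAY, HOUR = timedelta(days=1), timedelta(hours=1)


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset      # serial numbers listed as revoked


class SimCa:
    """Hypothetical CA: issues a fresh CRL every `period`, and a CRL lists
    every serial whose revocation happened at or before its thisUpdate."""

    def __init__(self, first_issue, period):
        self.first_issue = first_issue
        self.period = period
        self.revocations = {}          # serial -> time of revocation

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def current_crl(self, now):
        # Number of full CRL periods elapsed since the first issue.
        n = (now - self.first_issue) // self.period
        this_update = self.first_issue + n * self.period
        revoked = frozenset(s for s, t in self.revocations.items() if t <= this_update)
        return Crl(this_update, this_update + self.period, revoked)


def clamp_lifetime(now, agreed, cert_not_after, crl):
    """Locally enforced IKE SA lifetime: the agreed value, but never past the
    peer certificate's notAfter or the CRL's nextUpdate."""
    return min(agreed, cert_not_after - now, crl.next_update - now)


def run(ca, start, agreed, cert_not_after, serial, horizon):
    """Renegotiate the IKE SA, with a fresh CRL check, each time the clamped
    lifetime expires. Returns (number of renegotiations, time the peer's
    revocation was detected, or None if it was not detected before horizon)."""
    now, rekeys = start, 0
    while now < horizon and now < cert_not_after:
        crl = ca.current_crl(now)            # fresh fetch at every (re)negotiation
        if serial in crl.revoked:
            return rekeys, now               # set-up fails: normal failure path
        now += clamp_lifetime(now, agreed, cert_not_after, crl)
        rekeys += 1
    return rekeys, None


def scenario(crl_period, agreed_lifetime):
    """Peer cert (hypothetical serial 0x1234) revoked 3 days and 10 minutes
    into a connection; cert valid for a year; simulate 30 days."""
    ca = SimCa(first_issue=T0, period=crl_period)
    ca.revoke(0x1234, T0 + 3 * DAY + timedelta(minutes=10))
    return run(ca, start=T0, agreed=agreed_lifetime,
               cert_not_after=T0 + 365 * DAY, serial=0x1234, horizon=T0 + 30 * DAY)


if __name__ == "__main__":
    for period, agreed in ((10 * DAY, 7 * HOUR), (1 * HOUR, 8 * HOUR)):
        rekeys, detected = scenario(period, agreed)
        print(f"CRL period {period}, agreed lifetime {agreed}: "
              f"{rekeys} renegotiations, revocation detected at {detected}")
```

With a 10-day CRL the agreed 7-hour lifetime dominates, and the clamp only bites on the last interval before nextUpdate; the revocation is still not seen for a week, because no CRL listing it exists earlier. With a 1-hour CRL the clamp forces an hourly renegotiation regardless of what was agreed, which is exactly the overhead Amey describes, in exchange for detection within the hour. One caveat: the CA may publish a new CRL before nextUpdate, so the renegotiation must fetch (or at least re-validate) the CRL rather than reuse a cached copy, or the clamp buys nothing.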