
Re: Periodic certificate validation check



At 12:51 PM +0100 9/23/02, Amey Gokhale wrote:
>Hi list,
>
>During IKE, with certificate based authentication method, 
>validity(CRL checking) of the user certificate is done only during 
>initial stage that is during SA negotiation.
>
>If the certificate gets revoked after the connection is established, 
>should the implementation check periodically for the validity 
>of the certificate during a running connection? If yes, does 
>some notification need to be generated and sent to the other party 
>about the revoked certificate?
>
>
>With regards,
>Amey Gokhale.

Generally, this might be considered overkill. Whatever sort of 
transaction one executes, there is always the possibility that a cert 
is revoked during the course of the transaction. Few applications try 
to do any sort of continuous verification of cert validity. In the 
IPsec context, SA lifetimes could be constrained to be no longer than 
the NextIssue date/time for the relevant CRL, but even this may not 
be critical.

Steve
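A small model of the approach Steve sketches, as an added example that is not part of the thread: revocation is checked once at SA negotiation, and the SA lifetime is capped at the CRL's nextUpdate so that the rekey, not a continuous check, is what re-validates the peer's certificate against a fresher CRL. The `Crl` record, the serial numbers and the lifetimes are all constructed for the example; the stale-CRL refusal is a hypothetical local policy, not something the thread prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a CRL: validity window plus revoked serials."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = field(default_factory=frozenset)


def bounded_sa_lifetime(configured: timedelta, now: datetime, crl: Crl) -> timedelta:
    """Cap the configured SA lifetime so the SA expires no later than the
    CRL's nextUpdate. The rekey then forces a fresh revocation check."""
    remaining = crl.next_update - now
    if remaining <= timedelta(0):
        raise ValueError("CRL is stale; fetch a new one before negotiating")
    return min(configured, remaining)


def negotiate_sa(peer_serial: int, configured: timedelta, now: datetime, crl: Crl):
    """Return (accepted, lifetime). Revocation is checked only here, once."""
    if crl.next_update <= now:           # hypothetical policy: refuse on a stale CRL
        return False, timedelta(0)
    if peer_serial in crl.revoked_serials:
        return False, timedelta(0)
    return True, bounded_sa_lifetime(configured, now, crl)


def example_scenario() -> dict:
    """Constructed timeline: a cert is fine at setup, revoked before the rekey."""
    now = datetime(2002, 9, 23, 12, 0, tzinfo=timezone.utc)
    crl = Crl(now - timedelta(hours=1), now + timedelta(hours=6), frozenset({0x42}))
    ok1, life1 = negotiate_sa(0x17, timedelta(hours=24), now, crl)   # capped to 6h
    ok2, life2 = negotiate_sa(0x17, timedelta(hours=2), now, crl)    # stays 2h
    ok3, _ = negotiate_sa(0x42, timedelta(hours=2), now, crl)        # already revoked
    # At the capped expiry a newer CRL is in hand and now lists 0x17.
    later = now + timedelta(hours=6)
    crl2 = Crl(later - timedelta(minutes=5), later + timedelta(hours=6),
               frozenset({0x42, 0x17}))
    ok4, _ = negotiate_sa(0x17, timedelta(hours=24), later, crl2)    # rekey refused
    return {"initial_ok": ok1, "capped_hours": life1.total_seconds() / 3600,
            "short_ok": ok2, "short_hours": life2.total_seconds() / 3600,
            "revoked_ok": ok3, "rekey_ok": ok4}
```

The revoked certificate is caught within one CRL period at the rekey; a shorter configured lifetime only shortens that window further, which is the trade-off Steve calls "not critical" for most deployments.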