[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re:-ipsec-pki-req-03 - certificate validity

To: ipsec@xxxxxxxxxxxxxxxxx
Subject: Re:-ipsec-pki-req-03 - certificate validity
From: Paul Hoffman <paul.hoffman@xxxxxxxx>
Date: Wed, 27 Oct 1999 15:10:44 -0700
In-reply-to: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

<x-flowed>At 12:20 PM 10/27/99 +0200, Rodney Thayer wrote:

The original intent of this section was to require validity,
which we all agree we should worry about, as opposed to CRL's,
which many people don't use.  When the document was converted
to PKIX compatibility (such as it is) this mutated into a CRL
requirement.

This is an interesting place to diverge from PKIX if this group wants to. We can define validity to mean "a chain to a trusted root" *without* checking for revocation. It would simplify a great deal in implementations, but it would also expose IKE systems to attacks they aren't susceptible to if they check revocation often.

Personally, I think we should leave these two linked.

--Paul Hoffman, Director
--VPN Consortium

</x-flowed>

Follow-Ups:
- Re:-ipsec-pki-req-03 - certificate validity
  - From: Stephen Kent

References:
- Re:-ipsec-pki-req-03 - certificate validity
  - From: Rodney Thayer

Prev by Date: Re: Re:-ipsec-pki-req-03 - subject/subjectAltName
Next by Date: Re: Comments on CRACK
Previous by thread: Re:-ipsec-pki-req-03 - certificate validity
Next by thread: Re:-ipsec-pki-req-03 - certificate validity
Index(es):
- Date
- Thread