the diff for 6.1.5.3. Certificate Revocation Lists (CRLs) fixes some TLAs, but continues to seem to recommend long-lived certificates with CRLs. I think that CRLs are not useful, and we should not use them.
6.1.3 is clear that OCSP/CRLs may not be available when connecting! I think that use of STAR (https://datatracker.ietf.org/doc/rfc8739/) Short-Term, Automatically Renewed is the best recommendation! If we have to do OCSP (via https://datatracker.ietf.org/doc/rfc4806/) then nodes can download their staple and provide it when connecting. New nodes can get this using the Join Proxy. Perhaps this needs to be in a new document at this point.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
