On Wed, Jul 01, 2020 at 06:58:10PM -0400, Michael Richardson wrote:

> the diff for 6.1.5.3. Certificate Revocation Lists (CRLs)
> fixes some TLAs, but continues to seem to recommend long-lived certificates
> with CRLs.
The need to diligently document support for CRL/OCSP was done on behalf of security reviews. It is not meant to be a recommendation. There is mention of short-lived certificates in a few places in the doc.

> I think that CRLs are not useful, and we should not use them.

I think we agree.

> 6.1.3 is clear that OCSP/CRLs may not be available when connecting!
>
> I think that use of STAR (https://datatracker.ietf.org/doc/rfc8739/ )
> Short-Term, Automatically Renewed is the best recommendation!

In general yes, but the STAR use cases typically do not take into account connectivity problems that are longer than the lifetime of a cert, whereas for the ACP this might be a problem.

With CRL/OCSP, it seems as if we could define the details under loss of connectivity through these mentioned rules. This seems like an easily acceptable solution for the proponents of CRL/OCSP because they couldn't come up with a better solution and it's their technology.

When we are talking about expiry of short-lived certs we would be talking about potentially authenticating expired certs under limited network connectivity. That's quite new and the proponents of CRL/OCSP would drag along the argument much longer.

> If we have to do OCSP (via https://datatracker.ietf.org/doc/rfc4806/ )
> then the nodes can download their staple and provide it when connecting.
> New nodes can get this using the Join Proxy.
>
> Perhaps this needs to be in a new document at this point.

Yepp. I seem to remember that MaxP was thinking of suggesting to talk about dealing with expired certs for our cases in, I think, LAMPS too, but longer ago...
Cheers
    Toerless

> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>  -= IPv6 IoT consulting =-

--
---
[email protected]

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
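A constructed illustration of the trade-off Toerless raises above (a STAR-style short-lived certificate versus a long-lived certificate whose revocation status travels in an OCSP staple, both seen by a node that reconnects after an outage), added here as an example and not part of the thread or of any ACP draft text. The certificate and staple models, the lifetimes (3-day cert, 4-day staple validity, 365-day cert) and the node names are assumptions chosen for the illustration; the code reports only what a verifier can observe offline (expiry, staple freshness, revocation) and deliberately does not decide the acceptance policy, since that is exactly what the thread says still has to be defined.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed model: only the validity fields that matter for this comparison.
@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime


# Constructed model of an OCSP response a node would hold as its staple.
@dataclass(frozen=True)
class OcspStaple:
    this_update: datetime
    next_update: datetime
    revoked: bool = False


def assess(cert, staple, now):
    """Return the facts a verifier can establish at time `now` without network.

    `staple` may be None (short-lived certificate, no OCSP in use).
    No acceptance decision is made here; the thread leaves that policy open.
    """
    return {
        "cert_expired": not (cert.not_before <= now <= cert.not_after),
        "staple_present": staple is not None,
        "staple_stale": staple is not None
        and not (staple.this_update <= now <= staple.next_update),
        "revoked": staple is not None and staple.revoked,
    }


def short_lived_cert(issued_at, lifetime_days=3):
    """STAR-style certificate: short lifetime, no staple needed (assumed 3 days)."""
    return Certificate("node-a", issued_at, issued_at + timedelta(days=lifetime_days))


def long_lived_cert_with_staple(issued_at, lifetime_days=365, staple_days=4):
    """Long-lived certificate plus a staple fetched at issue time (assumed values)."""
    cert = Certificate("node-b", issued_at, issued_at + timedelta(days=lifetime_days))
    staple = OcspStaple(issued_at, issued_at + timedelta(days=staple_days))
    return cert, staple


def simulate_outage(cert, staple, issued_at, outage_days):
    """Findings when the node first reconnects `outage_days` after `issued_at`."""
    return assess(cert, staple, issued_at + timedelta(days=outage_days))


# Constructed issue time for both certificates.
T0 = datetime(2020, 7, 1, tzinfo=timezone.utc)


def compare(outage_days):
    """Side-by-side findings for both designs after the same outage length."""
    star = simulate_outage(short_lived_cert(T0), None, T0, outage_days)
    cert, staple = long_lived_cert_with_staple(T0)
    ocsp = simulate_outage(cert, staple, T0, outage_days)
    return {"star": star, "ocsp": ocsp}


if __name__ == "__main__":
    for days in (2, 5):
        result = compare(days)
        print(f"outage of {days} days:")
        print("  STAR cert :", result["star"])
        print("  OCSP cert :", result["ocsp"])
```

With a 2-day outage both designs come back clean. With a 5-day outage the short-lived certificate has expired outright, while the long-lived certificate is still within its validity period but its staple is stale: the verifier knows the certificate was not revoked as of the staple's `thisUpdate`, and nothing more recent. That is the asymmetry behind the remark that STAR use cases do not cover outages longer than a certificate lifetime, and behind the idea that rules for stale CRL/OCSP data are easier to write than rules for authenticating an expired certificate.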
