On Wed, Jul 01, 2020 at 06:58:10PM -0400, Michael Richardson wrote:
> 
> the diff for 6.1.5.3.  Certificate Revocation Lists (CRLs)
> fixes some TLAs, but continues to seem to recommend long-lived certificates 
> with CRLs.

The need to diligently document support for CRL/OCSP was done on
behalf of security reviews. It is not meant to be a recommendation.
There is mention of short-lived certificates in a few places in the
doc.

> I think that CRLs are not useful, and we should not use them.

I think we agree.

> 6.1.3 is clear that OCSP/CRLs may not be available when connecting!
> 
> I think that use of STAR (https://datatracker.ietf.org/doc/rfc8739/ )
> Short-Term, Automatically Renewed is the best recommendation!

In general yes, but the STAR use cases typically do not take into
account connectivity problems that are longer than the lifetime of
a cert, whereas for the ACP this might be a problem.

With CRL/OCSP, it seems as if we could define the details under
loss of connectivity through these mentioned rules. This seems
like an easily acceptable solution for the proponents of CRL/OCSP
because they couldn't come up with a better solution and it's their
technology.

When we are talking about expiry of short lived certs we would be
talking about potentially authenticating expired certs under
limited network connectivity. That's quite new and the proponents
of CRL/OCSP would drag along the argument much longer.

> If we have to do OCSP (via https://datatracker.ietf.org/doc/rfc4806/ )
> then we nodes can download their staple and provide it when connecting.
> New nodes can get this using the Join Proxy.
> 
> Perhaps this needs to be in a new document at this point.

Yepp.  I seem to remember that MaxP was thinking of suggesting to
talk about dealing with expired certs for our cases in I think LAMPS too
but longer ago...

Cheers
    Toerless


> 
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
-- 
---
[email protected]

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima