On Tue, Mar 23, 2021 at 11:49:23AM -0400, Michael Richardson wrote:
> Yes, that's exactly what I'm after.
> We can, as you suggest, do this as an HTTP header in EST.
> It could also go into some new certificate extension, although it's rather
> more meta data, and it isn't clear it should get shared with peers.

Hmmm, but maybe it is worth sharing with the peers if they could alert about a device with a yet valid cert that's way out of renewal policy. That could be an extension saying "holder is expected to renew every $fraction of (notAfter - notBefore)".

Not that RPs should log _every_ time they see a peer with a certificate that's out of renewal policy, but that it could be useful to warn when doing so doesn't risk filling logs with useless information.

In a hospital, for example, devices could have a warning light for when they need maintenance or when their peers need maintenance.

Nico
-- 
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
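
The relying-party check discussed in the message above, as an added example that is not part of the original thread: it flags a peer whose certificate is still valid but past its expected renewal point, and rate-limits the warning per peer so logs do not fill up. The class name, the `fraction` argument (standing in for the value the proposed extension would carry) and the 24-hour warning interval are assumptions.

```python
from datetime import datetime, timedelta, timezone


class RenewalPolicyMonitor:
    """Hypothetical RP-side check for 'valid but overdue for renewal' peers."""

    def __init__(self, warn_interval=timedelta(hours=24)):
        self.warn_interval = warn_interval  # assumed per-peer rate limit
        self._last_warned = {}              # peer id -> time of last warning

    @staticmethod
    def renew_by(not_before, not_after, fraction):
        """notBefore + fraction * (notAfter - notBefore)."""
        if not 0 < fraction <= 1:
            raise ValueError("fraction must be in (0, 1]")
        if not_after <= not_before:
            raise ValueError("notAfter must be later than notBefore")
        return not_before + (not_after - not_before) * fraction

    def check(self, peer_id, not_before, not_after, fraction, now):
        """Return 'ok', 'expired', 'overdue-warn' or 'overdue-suppressed'."""
        if now >= not_after:
            # Ordinary path validation rejects this; not a policy warning.
            return "expired"
        if now < self.renew_by(not_before, not_after, fraction):
            # Peer renewed (or is not yet due): clear any warning state.
            self._last_warned.pop(peer_id, None)
            return "ok"
        last = self._last_warned.get(peer_id)
        if last is not None and now - last < self.warn_interval:
            return "overdue-suppressed"
        self._last_warned[peer_id] = now
        return "overdue-warn"


# Constructed sample: a 100-day certificate with fraction 0.5,
# so renewal is expected by day 50 (2021-02-20).
NOT_BEFORE = datetime(2021, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=100)

if __name__ == "__main__":
    mon = RenewalPolicyMonitor()
    seen = datetime(2021, 3, 23, tzinfo=timezone.utc)
    for t in (seen, seen + timedelta(hours=1), seen + timedelta(hours=25)):
        print(t.isoformat(), mon.check("pump-17", NOT_BEFORE, NOT_AFTER, 0.5, t))
```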
