Comparing PKIX and DANE, I regularly get asked about certificate revocation in DANE. To me revocation is straightforward: you change keys in the TLSA record. BUT what if the key was propagated with a large TTL to the caches of the world's DNS servers? In that case the revocation process can only be considered done when the TTL has elapsed.

Is that the right perception, and are there any solutions for that, except for a recommendation to keep the TTL small?

Thanks,
Christian
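As an added illustration (not part of Christian's message or any DANE implementation), here is a small Python model of the point raised: a stub resolver that honours TTLs keeps accepting the old key until the cached TLSA RRset expires, regardless of when the zone was changed. The owner name and the SPKI bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

NAME = "_443._tcp.example.com"        # assumed TLSA owner name
OLD_SPKI = b"constructed-old-spki"   # placeholder bytes, not real key material
NEW_SPKI = b"constructed-new-spki"

def tlsa_for_key(spki: bytes) -> tuple:
    """TLSA RDATA as (usage, selector, matching type, data): 3 1 1 <sha256 of SPKI>."""
    return (3, 1, 1, hashlib.sha256(spki).hexdigest())

def dane_ee_accepts(rrset, spki: bytes) -> bool:
    """True if some DANE-EE(3)/SPKI(1)/SHA-256(1) record in the RRset matches the key."""
    return tlsa_for_key(spki) in rrset

@dataclass
class Resolver:
    """Stub resolver cache: an RRset is served from cache until its TTL elapses."""
    cache: dict = field(default_factory=dict)

    def lookup(self, name: str, zone: dict, now: int) -> list:
        if name in self.cache and now < self.cache[name][1]:
            return self.cache[name][0]        # stale copy; the zone change is invisible
        rrset, ttl = zone[name]
        self.cache[name] = (list(rrset), now + ttl)
        return list(rrset)

def revocation_complete_at(change_time: int, ttl: int) -> int:
    """Earliest time by which every TTL-honouring cache has dropped the old record."""
    return change_time + ttl

def simulate(ttl: int = 3600, change_at: int = 600, probes=(0, 1000, 3600)) -> dict:
    """A client caches the TLSA RRset at t=0; the operator swaps keys at change_at.
    Returns {t: (old key accepted, new key accepted)} for each probe time."""
    zone = {NAME: ([tlsa_for_key(OLD_SPKI)], ttl)}
    r, out = Resolver(), {}
    for t in sorted(set(probes) | {0}):
        if t >= change_at:                     # authoritative zone now holds the new key only
            zone[NAME] = ([tlsa_for_key(NEW_SPKI)], ttl)
        rrset = r.lookup(NAME, zone, t)
        out[t] = (dane_ee_accepts(rrset, OLD_SPKI), dane_ee_accepts(rrset, NEW_SPKI))
    return out

if __name__ == "__main__":
    for t, (old, new) in simulate().items():
        print(f"t={t:4d}s old accepted={old} new accepted={new}")
```

Note that `revocation_complete_at` is only a lower bound: resolvers that serve stale data (RFC 8767) or ignore TTLs can hold the old record longer. For a planned rollover the usual DANE practice is to publish the new TLSA record alongside the old one for at least one TTL before switching keys, but for a compromised key nothing shortens the window below the TTL already sitting in caches.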
