Just to be clear, CRLs only help here as an analogy. As I read the DANE specs, a relying party would not be required to do CRL checking on a cert with a Type 3 TLSA assertion, because that assertion says that the public key in the cert is to be used as a trust anchor. (And TAs are by definition exempt from further validation.)
Your initial instinct was right. TLSA associations are secured with DNSSEC, so they follow the same models for revocation, rollover, etc. So short TTLs are the only tool you have.

--Richard

On Sunday, March 3, 2013, Yoav Nir wrote:

> Hi Christian
>
> There may be ways in some environments to push updates, but it's neither universal nor reliable. So the perception is correct. It's not much different from waiting for the NextUpdate time of the CRL.
>
> And the solution is also the same: short TTLs, frequent CRL updates, short response validity interval. With either technology it's a trade-off between timely revocation and load on the issuer.
>
> Yoav
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Christian Becker
> Sent: Sunday, March 03, 2013 12:16 PM
> To: [email protected]
> Subject: [dane] revocation of keys or certificates
>
> Comparing PKIX and DANE I regularly get asked about the certificate revocation in DANE. To me revocation is straightforward: you change keys in the TLSA record. BUT what if the key was propagated with a large TTL to the caches of the world's DNS servers. In that case the revocation process can only be considered done when the TTL has elapsed.
>
> Is that the right perception and are there any solutions for that, except for a recommendation to keep the TTL small?
>
> Thanks,
> Christian
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
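The trade-off the thread describes (a key change in the TLSA record is the revocation, but a resolver that cached the old RRset keeps serving it until the TTL runs out, and a shorter TTL buys faster revocation at the cost of more queries to the authoritative server) can be made concrete with a small model. The following is an added example, not code from the thread or from any DANE implementation. The TLSA field encoding follows RFC 6698 (certificate usage 3, selector 1 for SubjectPublicKeyInfo, matching type 1 for SHA-256); the caching resolver, the zone, and the "SPKI" byte strings are constructed stand-ins for real DNS and real keys.

```python
"""Toy model of DANE TLSA key revocation under DNS caching (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 3: DANE-EE, the record identifies the end-entity key itself
    selector: int   # 1: match against the SubjectPublicKeyInfo
    matching: int   # 1: data is SHA-256 of the selected part
    data: bytes


def tlsa_for_spki(spki_der: bytes) -> TLSARecord:
    """Build a '3 1 1' TLSA record for a public key given as DER SPKI bytes."""
    return TLSARecord(3, 1, 1, hashlib.sha256(spki_der).digest())


def tlsa_accepts(rrset: List[TLSARecord], spki_der: bytes) -> bool:
    """DANE-EE check: the presented key is accepted if any 3 1 1 record matches it."""
    digest = hashlib.sha256(spki_der).digest()
    return any(r.usage == 3 and r.selector == 1 and r.matching == 1 and r.data == digest
               for r in rrset)


class Zone:
    """The operator's side: the RRset currently published and its TTL."""

    def __init__(self, rrset: List[TLSARecord], ttl: int) -> None:
        self.rrset = rrset
        self.ttl = ttl

    def publish(self, rrset: List[TLSARecord]) -> None:
        # Revocation in DANE is just publishing a record for the new key.
        self.rrset = rrset


class CachingResolver:
    """A recursive resolver: answers from cache until the cached TTL expires."""

    def __init__(self, zone: Zone) -> None:
        self.zone = zone
        self.cached: Optional[Tuple[List[TLSARecord], int]] = None  # (rrset, expires_at)
        self.upstream_queries = 0  # load on the authoritative server

    def lookup(self, now: int) -> List[TLSARecord]:
        if self.cached is not None and now < self.cached[1]:
            return self.cached[0]
        self.upstream_queries += 1
        self.cached = (self.zone.rrset, now + self.zone.ttl)
        return self.cached[0]


def worst_case_revocation_delay(ttl: int) -> int:
    """A cache that refreshed just before the change serves the old key for a full TTL."""
    return ttl


def simulate(ttl: int, change_at: int, check_times: List[int]) -> Dict[str, object]:
    """Publish the old key, rotate to the new key at change_at, and record
    whether a client behind one caching resolver still accepts the OLD key
    at each check time. Key bytes are constructed placeholders."""
    old_key = b"constructed-old-spki-bytes"
    new_key = b"constructed-new-spki-bytes"
    zone = Zone([tlsa_for_spki(old_key)], ttl)
    resolver = CachingResolver(zone)
    resolver.lookup(0)  # the client's resolver fills its cache at t=0
    rotated = False
    accepts_old: Dict[int, bool] = {}
    for t in sorted(check_times):
        if t >= change_at and not rotated:
            zone.publish([tlsa_for_spki(new_key)])  # the revocation event
            rotated = True
        accepts_old[t] = tlsa_accepts(resolver.lookup(t), old_key)
    return {"accepts_old_key": accepts_old, "upstream_queries": resolver.upstream_queries}


if __name__ == "__main__":
    checks = [0, 3600, 7200, 86400]
    for ttl in (86400, 300):
        print(f"TTL={ttl}s, worst-case delay={worst_case_revocation_delay(ttl)}s:",
              simulate(ttl, change_at=3600, check_times=checks))
```

With a one-day TTL the old key is still accepted two hours after the operator replaced it and only stops being accepted once the cached RRset expires; with a five-minute TTL the revocation is seen at the first check after the change, but the resolver goes back to the authoritative server on every one of the later checks, which is the load side of the trade-off Yoav describes.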
