Christian Becker wrote:

> Comparing PKIX and DANE I regularly get asked about the certificate
> revocation in DANE.

There is no revocation in DANE. There is only expiration through RRSIG Signature Expiration and invalidation through zone key roll-over.

> In that case the revocation process can only be considered
> done when the TTL has elapsed.

TTL is meaningless here. TTL's purpose is mere guidance for caching; TTL does not provide any security. It is an unsigned(!!) DNS record attribute that an intermediary can make up at will.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
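The point Martin makes, as an added example that is not part of the thread: a validating resolver bounds how long it keeps a DANE TLSA RRset by the signed RRSIG inception/expiration and Original TTL (RFC 4035 section 5.3.3), so an inflated, unsigned response TTL cannot extend validity past signature expiration. The RRSIG text, names and helper functions are constructed for this example.

```python
"""Effective validity of a DNSSEC-signed TLSA RRset versus its response TTL."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed RRSIG over a TLSA RRset, presentation format, signature is a placeholder.
# Fields: owner ttl class RRSIG type alg labels orig_ttl expiration inception keytag signer sig
SAMPLE_RRSIG = (
    "_443._tcp.mail.example. 3600 IN RRSIG TLSA 13 5 3600 "
    "20240301120000 20240201120000 12345 example. BASE64SIGPLACEHOLDER=="
)


@dataclass
class Rrsig:
    type_covered: str
    original_ttl: int      # signed: part of the RRSIG rdata
    expiration: datetime   # signed
    inception: datetime    # signed
    key_tag: int
    signer: str


def _ts(s: str) -> datetime:
    """Parse the YYYYMMDDHHmmSS timestamp used in RRSIG presentation format."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text: str) -> Rrsig:
    f = text.split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return Rrsig(f[4], int(f[7]), _ts(f[8]), _ts(f[9]), int(f[10]), f[11])


def effective_cache_seconds(sig: Rrsig, response_ttl: int, now: datetime) -> int:
    """Seconds a validating resolver may keep the RRset (RFC 4035 5.3.3):
    the smallest of the unsigned response TTL, the signed Original TTL and the
    time left until Signature Expiration. Outside the signed window it is 0,
    whatever TTL an intermediary put on the wire."""
    if not (sig.inception <= now < sig.expiration):
        return 0
    remaining = int((sig.expiration - now).total_seconds())
    return max(0, min(response_ttl, sig.original_ttl, remaining))


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    inflated_ttl = 7 * 86400  # TTL rewritten by a middlebox; unsigned, so not trusted
    for when in ("20240228120000", "20240301113000", "20240301120001"):
        print(when, effective_cache_seconds(sig, inflated_ttl, _ts(when)))
```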
