"certificate_unknown" seems like it should be fine for this

On Mon, Oct 24, 2016 at 12:12 PM, Xiaoyin Liu <[email protected]> wrote:

> But I think the problem is that there is no TLS alert for “revocation
> status inaccessible”.
>
>
>
> Best,
>
> Xiaoyin
>
> *From: *Salz, Rich <[email protected]>
> *Sent: *Monday, October 24, 2016 2:15 PM
> *To: *Ryan Carboni <[email protected]>; [email protected]
> *Subject: *Re: [TLS] How should inability to access key revocation lists
> impact the TLS handshake?
>
>
> > How should inability to access key revocation lists impact the TLS
> handshake, if previous public keys and/or certificate hashes are not cached?
>
> Nobody does revocation on the web, for some almost all encompassing
> definition of nobody.
>
> Instead, OCSP and OCSP stapling.
>
> > I cannot see this in the standard. Considering that all one has to do is
> DDOS a certificate authority nowadays...
>
> General PKI and key lifecycle issues are, properly, not part of the TLS
> spec.
>
>         /r$
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
>
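Since there is no alert code that means "revocation status inaccessible", what a client actually does in that situation is a local policy decision, and the alert on the wire is whatever the TLS library picks when that policy fails. The following is an added example, not code from the thread or from any participant: a Go client that fails closed when the server staples no OCSP response (the "inaccessible" case), exercised against an in-process server over loopback TCP. The error name ErrNoRevocationStatus, the certificate fixture and the "constructed OCSP bytes" staple are all assumptions made for the demo; Go's crypto/tls does not parse the staple, it only delivers it in ConnectionState.OCSPResponse, so a real client would validate it (for example with golang.org/x/crypto/ocsp) where the comment says so. When VerifyConnection returns an error, Go's client sends a bad_certificate alert rather than certificate_unknown; the choice is the library's, not the application's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrNoRevocationStatus is this example's own (hypothetical) error for a missing
// OCSP staple; the TLS library, not this code, decides which alert is sent.
var ErrNoRevocationStatus = errors.New("no stapled OCSP response: revocation status inaccessible")

// selfSignedCert builds a throwaway self-signed server certificate and a root
// pool that trusts it. This is a constructed test fixture, not a real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// clientConfig is a "must staple" client: normal chain validation first, then a
// hard failure if the server attached no OCSP response at all.
func clientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: "example.test",
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.OCSPResponse) == 0 {
				return ErrNoRevocationStatus // fail closed: no status means no connection
			}
			// A production client parses the response here and checks the
			// responder signature, the thisUpdate/nextUpdate window and the status.
			return nil
		},
	}
}

// Handshake runs client and server over loopback TCP. stapled is the raw OCSP
// response the server attaches (nil means it staples nothing); the return value
// is what the client's Handshake reported.
func Handshake(stapled []byte) error {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err
	}
	cert.OCSPStaple = stapled
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, srvCfg).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	err = tls.Client(raw, clientConfig(pool)).Handshake()
	<-srvErr // wait for the server side so the listener is not torn down under it
	return err
}

func main() {
	fmt.Println("no staple:  ", Handshake(nil))
	fmt.Println("with staple:", Handshake([]byte("constructed OCSP bytes")))
}
```

The policy worth noticing is in VerifyConnection: treating an absent staple as fatal is the stapling counterpart of refusing to connect when a CRL cannot be fetched, which is exactly the behaviour the thread says nobody ships on the web. The soft-fail alternative is to return nil there and log the gap, which is what most browsers effectively do.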