On 3/24/19 4:16 AM, Wang Haiguang wrote:
> We do plan to include an expire date in the identity design. The
> valid period is a decision that should be decide either by the user
> or the PKG manager.
The problem here is that you do not want to get into the
position of allowing a known compromised key to be treated
as valid for, say, a period of several years. Even if you
replace the private key in the handset, a "compromise"
typically involves the existence of an uncontrolled instance
of the private key. Consequently you need to either narrowly
constrain the key lifetime or provide a revocation mechanism.
Melinda
--
Software longa, hardware brevis
PGP key fingerprint 4F68 2D93 2A17 96F8 20F2
34C0 DFB8 9172 9A76 DB8F
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls