On Fri, Mar 05, 2021 at 04:46:15PM -0800, Eric Rescorla wrote:
> This leaves us with the case where Bob's certificate is no longer valid but
> Bob has a new certificate [0]. In this case, just re-validating does not
> help. Does that happen so often that we need protocol machinery other than
> just tearing down the connection and starting over?

Probably not. I've seen 5 day server certificates in use. And while it's possible to keep connections open that long or longer, as Viktor points out, if you do keep a connection open and active longer than that and the server is still there (i.e., some node has its address and the connection's traffic keys), then that's probably good enough evidence that the server is still valid and still would have a fresh cert if you were to reconnect to it.

Nico
--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
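The "tear down the connection and start over" alternative discussed above, as an added example that is not part of the thread or of any IETF text: a client-side policy check for a long-lived TLS connection that compares the peer certificate's validity window (as returned by Python's `ssl.SSLSocket.getpeercert()`) against the current time and decides whether to keep the connection, reconnect soon, or reconnect now. The sample certificate dict, the `grace` window and the `connection_decision` function are this example's own constructions; `ssl.cert_time_to_seconds` is a real standard-library call.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample of the dict that ssl.SSLSocket.getpeercert() returns,
# reduced to the fields this check needs. Not a real certificate; the
# five-day lifetime mirrors the short-lived server certs mentioned in the thread.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "server.example.invalid"),),),
    "notBefore": "Mar  1 00:00:00 2021 GMT",
    "notAfter": "Mar  6 00:00:00 2021 GMT",
}


def cert_window(cert):
    """Return (not_before, not_after) of a getpeercert() dict as aware UTC datetimes."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return not_before, not_after


def connection_decision(cert, now, grace=timedelta(hours=1)):
    """Hypothetical policy for a connection whose peer cert was validated at handshake.

    Rather than adding protocol machinery to re-validate in place, the client
    simply re-handshakes (reconnects) once the certificate it validated at
    connection setup has run out. Returns one of:
      'keep'            - cert still valid, well away from expiry
      'reconnect-soon'  - cert expires within `grace`; schedule a fresh connection
      'reconnect-now'   - cert already expired under the open connection
    """
    not_before, not_after = cert_window(cert)
    if now < not_before:
        # Clock skew or a cert issued in the future: treat as not yet trustworthy.
        return "reconnect-now"
    if now >= not_after:
        return "reconnect-now"
    if not_after - now <= grace:
        return "reconnect-soon"
    return "keep"


if __name__ == "__main__":
    for day in (3, 5, 7):
        at = datetime(2021, 3, day, 23, 30, tzinfo=timezone.utc)
        print(at.isoformat(), "->", connection_decision(SAMPLE_PEER_CERT, at))
```

Run against the constructed five-day certificate, a connection checked on day 3 is kept, one checked half an hour before expiry on day 5 is flagged for reconnection, and one still open on day 7 is torn down immediately; the `grace` window is the knob that turns this into a planned reconnect rather than an abrupt one.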