Hi, I have a fair amount of hands-on experience with IPsec VPNs, and many organisations look to use TLS in a similar manner.

To give you an example of where you might look to perform a regular revocation check on long-lived connections: a solution with many remote devices (think remote access, so phones, laptops, IoT devices etc.). A remote device is compromised; on the gateway there could be 1000s of devices connected. I've found that most vendor solutions aren't geared up for an admin to easily determine the compromised device and prevent it reconnecting. Most organisations have a disconnect between the SOC, the PKI team and the team that manages the remote access gateway, and getting a process that involves all 3 teams usually doesn't work.

I've found that the best method to prevent the device from connecting is for the certificate to be revoked, the CRL refreshed and then a re-authentication performed on all active connections.

I'm not as familiar with TLS as I am with IPsec, but I hope that this explains a scenario where I feel re-authentication would be very valuable.

cheers

On Sun, Mar 7, 2021 at 9:58 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Nico Williams <n...@cryptonector.com> writes:
>
> >When expirations are short, you will not forget to renew. That's part of the
> >point of short-lived certificates.
>
> So instead of getting one chance a year for your control system to break
> itself if the renewal fails, you get hundreds of them?
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
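The revoke-then-refresh-then-re-authenticate workflow described above, as an added illustration that is not part of the original post and not any vendor's gateway code: a gateway-side sweep that re-checks every active session against a freshly fetched CRL and refuses to run against a stale one. The CRL and session models, device names and serials are constructed for the example.

```python
# Added example, not from the original post: gateway re-authentication sweep
# against a refreshed CRL. The Crl/Session classes are a hypothetical model,
# not a real X.509 parser; serials and device names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # cert serial -> CRL reason


@dataclass
class Session:
    session_id: str
    device: str
    cert_serial: int  # serial of the client cert presented at authentication


def crl_is_fresh(crl: Crl, now: datetime) -> bool:
    """A CRL is only usable inside its validity window; a stale copy may
    predate the revocation we are trying to enforce."""
    return crl.this_update <= now < crl.next_update


def reauth_sweep(sessions, crl: Crl, now: datetime):
    """Re-validate every active connection against the refreshed CRL.

    Returns (to_disconnect, kept). Fails closed on a stale CRL: sweeping
    with an old CRL would silently keep a revoked device connected.
    """
    if not crl_is_fresh(crl, now):
        raise ValueError("CRL is stale; refresh it before sweeping sessions")
    to_disconnect, kept = [], []
    for s in sessions:
        if s.cert_serial in crl.revoked:
            to_disconnect.append((s.session_id, s.device, crl.revoked[s.cert_serial]))
        else:
            kept.append(s.session_id)
    return to_disconnect, kept


# Constructed sample data: one CRL entry for the compromised phone's cert.
NOW = datetime(2021, 3, 8, 12, 0, tzinfo=timezone.utc)
CRL = Crl(NOW - timedelta(hours=1), NOW + timedelta(hours=23), {0x1A2B: "keyCompromise"})
SESSIONS = [Session("s1", "laptop-017", 0x0101),
            Session("s2", "phone-442", 0x1A2B),
            Session("s3", "iot-gw-09", 0x0333)]

if __name__ == "__main__":
    drop, keep = reauth_sweep(SESSIONS, CRL, NOW)
    print("disconnect:", drop)  # the phone with the revoked cert
    print("keep:", keep)
```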