On Mon, Aug 8, 2022 at 10:04 PM Peter Gutmann <[email protected]> wrote:
> Hal Murray <[email protected]> writes:
>
> >Many security schemes get tangled up with time. TLS has time limits on
> >certificates. That presents a chicken-egg problem for NTP when getting
> >started.
> >
> >I'm looking for ideas, data, references, whatever?
>
> For commercial CAs, the expiry time is a billing mechanism, not a security
> mechanism.

The CABF BRs only require that revocation entries be maintained during the lifetime of the certificate. I don't know what existing CA practice is, but it appears to me that a compliant CA could simply stop publishing revocation expiration after expiry, in which case a post-expired certificate is in an indeterminate state.

-Ekr
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
