Hello Watson,

On Fri, Jun 20, 2025 at 10:50 PM Watson Ladd <watsonbl...@gmail.com> wrote:

> What exactly is the rationale here? Do we expect that identities
> actually change when a certificate expires?

A certificate confirms identity information for a certain period of validity, as long as it is not revoked. Communication with an endpoint that produces a revoked or expired certificate is deemed to have unacceptable risk and is typically denied. However, this risk applies to established sessions in exactly the same way as it applies to new sessions. The rationale is to ensure that the peer identity is still valid by the time the original certificate has expired or been revoked.

TLS 1.2 and prior could perform re-keying and re-authentication through a rehandshake. As the very generic rehandshake carried unacceptable security risks, it was removed in TLS 1.3. Extended Key Update brings back re-keying in a secure way. Similarly, the Certificate Update proposal is intended to bring back re-authentication in a very limited, controlled fashion.

Best Regards,
Yaroslav
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
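The point made above about established sessions, shown concretely as an added example (this is not code from the thread, nor from the Extended Key Update or Certificate Update drafts): a Go program, using only the standard crypto/tls and crypto/x509 packages, that builds a constructed self-signed certificate for the hypothetical name example.test with a three-second lifetime, opens a loopback TLS 1.3 session against it, and keeps exchanging application data after the certificate has expired. The TLS layer validates the peer certificate only during the handshake, so the session continues unchallenged; the only thing that notices is an application-level check, here the added helper PeerCertExpired, which is exactly the gap an in-protocol re-authentication mechanism would close.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// PeerCertExpired is the check an application has to do for itself today:
// the TLS layer validates the peer certificate only during the handshake.
func PeerCertExpired(cs tls.ConnectionState, now time.Time) bool {
	if len(cs.PeerCertificates) == 0 {
		return false // no certificate-based peer identity (e.g. PSK-only resumption)
	}
	leaf := cs.PeerCertificates[0]
	return now.After(leaf.NotAfter) || now.Before(leaf.NotBefore)
}

// shortLivedCert builds a self-signed leaf for the constructed name
// "example.test" (test data, not a real identity) valid only until notAfter.
func shortLivedCert(notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der) // parsed copy carries the second-granular times
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// RunSession opens a loopback TLS 1.3 session to a server whose certificate
// expires `lifetime` from now, then keeps sending application data past expiry.
// It reports whether echo round trips succeeded before and after expiry, and
// what PeerCertExpired says about the still-open session afterwards.
func RunSession(lifetime time.Duration) (echoBefore, echoAfter, expiredNow bool, err error) {
	cert, err := shortLivedCert(time.Now().Add(lifetime))
	if err != nil {
		return false, false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // the client trusts exactly this self-signed leaf
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, false, false, err
	}
	defer ln.Close()
	go func() { // minimal echo server; it never re-checks its own certificate
		c, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}})
		defer srv.Close()
		io.Copy(srv, srv)
	}()
	// tls.Dial runs the handshake: the only point at which validity is checked.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "example.test", MinVersion: tls.VersionTLS13})
	if err != nil {
		return false, false, false, err
	}
	defer cli.Close()
	echo := func(msg string) bool {
		if _, err := cli.Write([]byte(msg)); err != nil {
			return false
		}
		buf := make([]byte, len(msg))
		_, err := io.ReadFull(cli, buf)
		return err == nil && string(buf) == msg
	}
	echoBefore = echo("ping-1")
	time.Sleep(time.Until(cert.Leaf.NotAfter) + 500*time.Millisecond) // let the leaf expire
	echoAfter = echo("ping-2")
	expiredNow = PeerCertExpired(cli.ConnectionState(), time.Now())
	return echoBefore, echoAfter, expiredNow, nil
}

func main() {
	fmt.Println(RunSession(3 * time.Second)) // true true true <nil>
}
```

Run it with `go run .`; the same certificate that would be rejected outright by a fresh handshake a few seconds later is perfectly acceptable to the already-open session, which is the asymmetry the message describes. An application that cares can poll PeerCertExpired and tear the connection down, but that is a per-application workaround rather than a protocol guarantee, and it cannot re-authenticate the peer in place the way a rehandshake once could.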