Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:
> Consider the scenario when you have the CA sitting off somewhere in the
> distance, and a power failure or other service interruption has
> occurred. Should the client refuse to come up because stapling didn’t
> happen? Should old stapling information be retained, and what does
> that mean in the context of the nonce extension? I had thought we said
> that this risk is mitigated by the choice of the deployment to include
> the OCSP extension information in the cert- or not. At that point the
> deployment can make the decision.

Eliot,

1) it seems that if the CA hasn't put stapling information in, then it won't
   be needed.

2) if you still want stapling, then it seems to me that there are lifetimes
   in the staple which can be adjusted to deal with anticipated service
   interruptions in connectivity to the CA.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu