On Thu, Jul 7, 2016 at 6:13 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > I also checked if one could do some funky stuff with credential lifetime
> > notation to limit the lifetime. Nothing came up (apart from using a 16-bit
> > count in decaseconds (das) only allowing presenting lifetimes up to 7
> > days, 14 hours, 2 minutes and 30 seconds). :->
>
> What would it be anchored to if it's not an absolute time?

If you anchor the interval to, say, the issue time of the end-entity cert,
you haven't limited the resolution of the interval in any useful way: it
still needs to be able to express intervals that end at or after the
expire time.

I suppose an implementor could be less likely to screw up if you also
include and sign the interval start and require two things:

(1) interval start <= now() + fuzz
(2) interval length < 7 days

Are these really much easier than

(1) interval start <= now() +- fuzz <= interval end
(2) interval end - interval start < 7 days

?

Kyle
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
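The two sets of checks Kyle lays out, written out as an added example (this is not code from the thread or from any draft under discussion). Formulation A takes the signed data to be (interval start, interval length); formulation B takes it to be (interval start, interval end). The reading of "now() +- fuzz" as the lenient form "start <= now + fuzz and now - fuzz <= end", the rejection of an end that precedes its start, the 7-day maximum as a constant, and all timestamps and the skew tolerance are assumptions made for the example. Taken literally, formulation A never compares the clock against the end of the interval, so the constructed cases include an expired credential to show where the two formulations diverge.

```python
"""Lifetime checks on a signed validity interval, in the two formulations
from the message. Added example; not code from the thread. All times are
POSIX seconds; the skew tolerance is called `fuzz` as in the message.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVEN_DAYS = 7 * 24 * 3600  # the maximum interval length discussed in the thread


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def check_start_and_length(start: int, length: int, now: int, fuzz: int,
                           max_len: int = SEVEN_DAYS) -> Verdict:
    """Formulation A: the signed data is (start, length).

    (1) start <= now + fuzz   the interval must not begin in the future,
                              beyond the clock-skew tolerance.
    (2) length < max_len      the interval itself must be short.
    Read literally, nothing here compares `now` against start + length.
    """
    if start > now + fuzz:
        return Verdict(False, "interval starts in the future (beyond fuzz)")
    if length >= max_len:
        return Verdict(False, "interval length is not below the maximum")
    return Verdict(True, "ok")


def check_start_and_end(start: int, end: int, now: int, fuzz: int,
                        max_len: int = SEVEN_DAYS) -> Verdict:
    """Formulation B: the signed data is (start, end).

    (1) start <= now +- fuzz <= end, read here (an assumption) as the lenient
        form start <= now + fuzz and now - fuzz <= end, so a verifier whose
        clock is off by up to `fuzz` in either direction still accepts.
    (2) end - start < max_len.
    Rejecting end < start is an added sanity check, not from the message.
    """
    if end < start:
        return Verdict(False, "interval end precedes its start")
    if start > now + fuzz:
        return Verdict(False, "interval starts in the future (beyond fuzz)")
    if end < now - fuzz:
        return Verdict(False, "interval has ended (beyond fuzz)")
    if end - start >= max_len:
        return Verdict(False, "interval length is not below the maximum")
    return Verdict(True, "ok")


def compare(start: int, length: int, now: int, fuzz: int) -> tuple[bool, bool]:
    """Run both formulations on one (start, length) credential and return
    (A accepts, B accepts), using end = start + length for formulation B."""
    a = check_start_and_length(start, length, now, fuzz)
    b = check_start_and_end(start, start + length, now, fuzz)
    return a.ok, b.ok


if __name__ == "__main__":
    # Constructed sample inputs: an arbitrary verifier clock and a 5-minute skew tolerance.
    NOW = 1_467_936_000
    FUZZ = 300
    DAY = 24 * 3600
    cases = {
        "issued yesterday, 3-day life": (NOW - DAY, 3 * DAY),
        "starts 2 min in the future (within fuzz)": (NOW + 120, 3 * DAY),
        "starts 1 hour in the future": (NOW + 3600, 3 * DAY),
        "8-day life": (NOW - DAY, 8 * DAY),
        "issued 10 days ago, 3-day life (expired)": (NOW - 10 * DAY, 3 * DAY),
    }
    for name, (start, length) in cases.items():
        a_ok, b_ok = compare(start, length, NOW, FUZZ)
        print(f"{name:45s} A={a_ok!s:5s} B={b_ok!s:5s}")
```

The last case is the one that separates the two: a credential whose signed interval ended a week ago passes formulation A, because A only bounds the start and the length, while formulation B rejects it at `end < now - fuzz`. Both formulations use a strict `<` on the length, so an interval of exactly 7 days is rejected by either.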