On Thu, 8 Feb 2018, Viktor Dukhovni wrote:

> For clients that do reject PKIX success based on DANE failure, and cache obtained TLSA records, it might have been good to recommend refreshing the TLSA records while the cached data is still valid (say, when the smaller of some refresh time or 50% of TTL has expired). That way, a client that keeps communicating regularly may be (partially) protected against downgrades. Perhaps it is too late to make such a change at this stage in the document's life-cycle.

Is it customary for TLS clients that do PKIX validation to check the certificate expiry for long-lived TLS connections? I assumed most TLS clients' verification is done at the start of the connection only, and the connection is then deemed verified until it closes - irrespective of the signature lifetimes of the certificate?

Paul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
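An added example (my own code, not Viktor's or Paul's, and not from the draft under discussion) of the refresh rule in the quoted paragraph: a per-host TLSA cache that re-queries once min(refresh time, 50% of TTL) has elapsed, while the cached records are still valid, so a server that suddenly presents no DNSSEC chain is treated as a downgrade rather than silently falling back to PKIX-only. The `proactive` flag, `refresh_interval`, the outcome strings and the sample TLSA record are assumptions for illustration; the naive mode (refresh only after TTL expiry) is included for comparison.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TlsaCacheEntry:
    records: List[str]  # TLSA RRs kept as opaque strings (constructed sample data)
    fetched_at: float   # time (seconds) the records were obtained and validated
    ttl: float          # DNS TTL of the TLSA RRset, in seconds


class TlsaCache:
    """Per-host TLSA cache for a client that rejects PKIX success on DANE failure.

    proactive=True: refresh once min(refresh_interval, ttl/2) has elapsed, i.e.
    while the cached records are still valid (the quoted suggestion).
    proactive=False: only re-query after the TTL has expired (naive client).
    refresh_interval and the outcome strings are assumptions for illustration.
    """

    def __init__(self, refresh_interval: float = 3600.0, proactive: bool = True):
        self.refresh_interval = refresh_interval
        self.proactive = proactive
        self.entry: Optional[TlsaCacheEntry] = None

    def valid(self, now: float) -> bool:
        return self.entry is not None and now < self.entry.fetched_at + self.entry.ttl

    def needs_refresh(self, now: float) -> bool:
        if self.entry is None:
            return True
        if not self.proactive:
            return not self.valid(now)  # naive: re-query only once the cache expired
        deadline = self.entry.fetched_at + min(self.refresh_interval, self.entry.ttl / 2)
        return now >= deadline

    def handshake(self, now: float, server_chain: Optional[Tuple[List[str], float]]) -> str:
        """Outcome of one handshake. server_chain is (records, ttl) when the server
        delivers authenticated TLSA data on request, or None when it sends none."""
        if not self.needs_refresh(now):
            return "dane-cached"  # validate against cached records; no refresh asked for
        if server_chain is not None:
            records, ttl = server_chain
            self.entry = TlsaCacheEntry(list(records), now, ttl)
            return "dane"  # fresh records: validate and (re)populate the cache
        if self.valid(now):
            # Still-valid records say this host publishes TLSA, yet none were
            # presented: treat the missing data as a downgrade and fail.
            return "reject-downgrade"
        return "pkix-only"  # nothing cached to compare against: fall back to PKIX
```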