> On 7 Mar 2021, at 17:25, Benjamin Kaduk <bkaduk=40akamai....@dmarc.ietf.org> wrote:
>
> On Sun, Mar 07, 2021 at 12:15:24PM +0000, Graham Bartlett wrote:
>>
>> I would imagine that the implementation would pull the session down once
>> the certificate expires, so the session only lasts for the lifetime of the
>> certificate.
>
> Many people expect this, but I don't think there's universal agreement
> that it's the right behavior. The divide between authentication and
> authorization that (IIRC) Viktor called out is relevant here -- the
> initial key exchange and, to large extent, authentication, do not suddenly
> become invalid upon credential expiry, but any authorization derived from
> the credential might. So it seems that whether the session should terminate
> at the certificate expiry time is rather dependent on what the session is
> being used for.
Maybe there's a need for a BCP here. It is unclear to me how to apply these discussions to SIP, and we have a few points worth noting from this discussion.

- Describe the dependencies in Benjamin's statement above and how they apply to protocols
- Open a new session before deciding to close the old one
- Application timers to cert expiry

Seems like something for UTA to me.

/O

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
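The two application-side points raised above (an application timer keyed to certificate expiry, and opening a replacement session before closing the old one) can be sketched as a small policy function. The following is an added example, not code from the thread or from any IETF document; it assumes a `getpeercert()`-style dictionary (constructed here), uses only the standard library's `ssl.cert_time_to_seconds` parser, and treats the lead time and the action names as illustrative choices.

```python
import ssl

# Constructed stand-in for the dict ssl.SSLSocket.getpeercert() returns for a
# validated peer certificate; only the fields this example reads are present.
PEER_CERT = {
    "subject": ((("commonName", "sip.example.net"),),),
    "notBefore": "Mar  1 00:00:00 2021 GMT",
    "notAfter": "Mar  8 00:00:00 2021 GMT",
}


def cert_expiry(peercert):
    """Return the certificate's notAfter as seconds since the epoch (UTC).

    ssl.cert_time_to_seconds understands the OpenSSL date format that
    getpeercert() hands back, so no hand-written date parsing is needed.
    """
    return ssl.cert_time_to_seconds(peercert["notAfter"])


def reauth_deadline(peercert, lead_seconds):
    """Application timer: the instant, lead_seconds before notAfter, at which
    the application should start building a replacement session."""
    return cert_expiry(peercert) - lead_seconds


def session_action(peercert, now, lead_seconds, replacement_ready):
    """Decide what to do with an established TLS session at time `now`.

    The key exchange itself does not lapse at notAfter; what lapses is the
    authorization the application derived from the credential.  The policy
    here therefore is:
      - before the timer fires: keep using the session ("keep")
      - timer fired, expiry not yet reached: open a replacement session and
        keep the old one until the new one is ready ("open-replacement" /
        "switch-to-replacement")
      - expiry reached: stop relying on the old session regardless of
        whether the replacement is up ("close-expired")
    """
    expiry = cert_expiry(peercert)
    if now >= expiry:
        return "close-expired"
    if now >= reauth_deadline(peercert, lead_seconds):
        return "switch-to-replacement" if replacement_ready else "open-replacement"
    return "keep"


if __name__ == "__main__":
    lead = 3600  # one hour of lead time, an illustrative value
    expiry = cert_expiry(PEER_CERT)
    for offset, ready in ((-7200, False), (-1800, False), (-1800, True), (0, True)):
        print(offset, ready, session_action(PEER_CERT, expiry + offset, lead, ready))
```

The lead time is the knob a profile for a given application protocol (SIP or otherwise) would have to specify, since it bounds how long the overlap between old and replacement sessions can be.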