On 8/11/2022 8:56 AM, Kyle Rose wrote:
On Wed, Aug 10, 2022 at 10:13 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
So we're down to mostly non-web-PKI devices and/or the ten year problem, of which I've encountered the latter several times with gear that sits on a shelf for years and then when it's time to provision it all the certificates have long since expired, which is another reason why you ignore expiry dates (or at least you ignore them after you get hit by the first major outage caused by this because until then no-one realised that it was an issue, a ticking time-bomb that may take years to detonate).

Expired CAs are definitely a problem for PKI participation after such a
delay, but probably one that is dwarfed by the near certain existence of
known vulnerabilities in firmware that hasn't been updated in 10 years. So
it's probably best they remain air-gapped and don't participate in active
networked systems until they've been updated, which would then include new
CA certificates.
Isn't the ANIMA WG working on these scenarios? If there is a formal 
"enrollment" process for adding a device to a network, that process 
could include setting the time, and possibly performing updates. I say 
"possibly" here, because in scenarios like "disaster recovery", the 
local network may not have global connectivity. But even so, setting the 
time during enrollment seems logical.
-- Christian Huitema
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
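The clock dependence the three replies are arguing about, as an added example that is not part of the thread: a constructed self-signed CA certificate with a 2012-2017 validity window is verified with Go's standard library at three different device clocks, which is all that a standard expiry check actually consults. The certificate, its validity dates and the three clock values are assumptions made up for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newDeviceCA builds a constructed self-signed CA certificate that is valid only
// inside [notBefore, notAfter]; it stands in for a CA cert burned into shelf gear.
func newDeviceCA(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Shelf Device CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verifyAt runs a standard chain validation with the device's notion of "now" in place of the wall clock.
func verifyAt(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}
func main() {
	ca, err := newDeviceCA(time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	// Same certificate, three device clocks: never-set RTC (1970), set at original provisioning, set at enrollment a decade later.
	for _, clock := range []time.Time{time.Unix(0, 0).UTC(), time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC), time.Date(2022, 8, 11, 0, 0, 0, 0, time.UTC)} {
		fmt.Printf("%s -> %v\n", clock.Format("2006-01-02"), verifyAt(ca, clock))
	}
}
```

Only the middle clock passes: an unset clock rejects the certificate as not yet valid, and a clock correctly set at enrollment ten years on rejects it as expired, which is why setting the time during enrollment has to be paired with delivering fresh CA certificates.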