On 8/9/22 4:12 PM, Eric Rescorla wrote:
On Tue, Aug 9, 2022 at 4:08 PM Benjamin Kaduk <bka...@akamai.com> wrote:
On Tue, Aug 09, 2022 at 03:59:01PM -0700, Eric Rescorla wrote:
>
3. Are you aware of some other set of rules for certificate issuance
that require revocation after the certificate has expired?
Removing certs from revocation lists after the certificate has expired
is pretty much required in any scalable deployment which has a
non-trivial time horizon (basically any commercial CA). That is because
the list would grow without bounds.
It's not necessary to solve the 'Getting started, clock not set yet'
feature, however. For that case you only need to ignore 'not Before'
when validating a TLS cert associated with an NTS call. You can always
arrange for the unset clock to be older than the current time, so if the
cert is expired based on the unset clock, the cert is expired for real.
bob
-Ekr
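One way to implement the check bob describes (skip notBefore while the clock is unset, but still reject on notAfter measured against a clock floor that is known to be in the past), as an added Python example that is not code from the thread; UNSET_CLOCK_FLOOR, the function names and all dates are constructed assumptions:

```python
from datetime import datetime, timezone

# Constructed assumption: a device without a battery-backed clock boots with a
# floor value known to be in the past (e.g. its firmware build date). Real time
# is always later than this floor, so a notAfter earlier than the floor means
# the certificate is expired for real, which is the point made in the thread.
UNSET_CLOCK_FLOOR = "2022-01-01T00:00:00+00:00"


def _ts(value):
    """Accept an aware datetime or an ISO-8601 string carrying a UTC offset."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_validity_window(not_before, not_after, now, clock_trusted):
    """Classify a certificate validity period for an NTS-KE connection.

    Returns one of:
      'expired'       - notAfter is in the past even by the conservative floor
      'not_yet_valid' - trusted clock says notBefore has not arrived
      'valid'         - trusted clock, inside the window
      'provisional'   - clock untrusted: notBefore skipped, notAfter checked
                        against the floor; re-check once NTS supplies time
    """
    nb, na, t = _ts(not_before), _ts(not_after), _ts(now)
    floor = _ts(UNSET_CLOCK_FLOOR)
    if t < floor:
        # A reading older than the floor cannot be right; treat the clock as unset.
        t, clock_trusted = floor, False
    if t > na:
        return "expired"          # holds whether or not the clock is trusted
    if not clock_trusted:
        return "provisional"      # notBefore cannot be judged yet
    if t < nb:
        return "not_yet_valid"
    return "valid"


def bootstrap_sequence(not_before, not_after, synced_now):
    """First pass with an unset (epoch) clock, second pass after NTS time sync."""
    first = check_validity_window(not_before, not_after,
                                  "1970-01-01T00:00:00+00:00", False)
    second = check_validity_window(not_before, not_after, synced_now, True)
    return first, second


if __name__ == "__main__":
    print(bootstrap_sequence("2022-06-01T00:00:00+00:00",
                             "2023-06-01T00:00:00+00:00",
                             "2022-08-09T23:12:00+00:00"))
```

The second pass in bootstrap_sequence is the full validation that must run once NTS has delivered trusted time; the provisional result only covers the initial key-exchange connection.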
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls