As mentioned above, we have such an extension already insofar as
indicating support for Delegated Credentials means indicating a desire
for a very short credential lifetime and an acceptance of the clock skew
risks.
Given how little use it's seen, I don't know that it's a good motivation
for Trust Expressions.
On 30/04/2024 16:33, Eric Rescorla wrote:
> On Tue, Apr 30, 2024 at 8:29 AM Watson Ladd <watsonbl...@gmail.com> wrote:
>> On Tue, Apr 30, 2024 at 8:25 AM Eric Rescorla <e...@rtfm.com> wrote:
>>>
>>> On the narrow point of shorter lifetimes, I don't think the right way
>>> to advertise that you have an accurate clock is to advertise that you
>>> support some set of root certificates.
>>>
>>> If we want to say that, we should have an extension that actually
>>> says you have an accurate clock.
>>
>> That says you *think* you have an accurate clock.
>
> Quite so. However, if servers gate the use of some kind of short-lived
> credential on a client signal that the client thinks it has an accurate
> clock (however that signal is encoded) and the clients are frequently
> wrong about that, we're going to have big problems.
>
> -Ekr
>
>> Sincerely,
>> Watson
>>
>> --
>> Astra mortemque praestare gradatim
--
Astra mortemque praestare gradatim
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls