Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sun, 07 March 2021 15:51 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Graham Bartlett <graham.ietf@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Date: Sun, 07 Mar 2021 15:50:43 +0000
Message-ID: <VI1PR08MB2639140AD11739CAA6D63EFCFA949@VI1PR08MB2639.eurprd08.prod.outlook.com>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <CAO4D2DN=kbUtSs=7GqDPibpDeJjL4GO7OWa22wbBHvNJeQU66A@mail.gmail.com>
In-Reply-To: <CAO4D2DN=kbUtSs=7GqDPibpDeJjL4GO7OWa22wbBHvNJeQU66A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AOT-46xpMgfUqyR8Wfry_ZeOsyA>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Focusing on one sentence from below:


  *   I've found that the best method to prevent the device from connecting is for the certificate to be revoked, the CRL refreshed and then a re-authentication performed on all active connections.

Why would you trigger re-authentication of all connections? You could terminate the connection of the device with the compromised certificate.

In your IPSec VPN scenario, how do you get a new certificate to the compromised device?

Ciao
Hannes
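An added illustration of the point above, not from this thread or from any of the posters: a gateway that keeps a map from active sessions to peer-certificate serials can, when the CRL is refreshed, close just the sessions whose certificate the new list revokes instead of re-authenticating every connection. Python with constructed sample data; Gateway, Crl and CertId are assumed names, and a CRL fetched after its nextUpdate is refused rather than trusted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertId:
    issuer: str  # issuer name of the peer certificate
    serial: int  # certificate serial number

@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: datetime
    revoked: frozenset  # serials this issuer lists as revoked

@dataclass
class Gateway:
    sessions: dict                            # session id -> CertId of the peer
    crls: dict = field(default_factory=dict)  # issuer -> latest accepted CRL

    def refresh_crl(self, crl, now):
        """Install a freshly fetched CRL and return the ids of the sessions whose
        peer certificate it lists as revoked; a CRL past nextUpdate is refused."""
        if now >= crl.next_update:
            raise ValueError("stale CRL: nextUpdate has passed")
        self.crls[crl.issuer] = crl
        return sorted(sid for sid, cid in self.sessions.items()
                      if cid.issuer == crl.issuer and cid.serial in crl.revoked)

    def terminate(self, session_ids):
        """Close only the named sessions; every other connection stays up."""
        for sid in session_ids:
            self.sessions.pop(sid, None)
        return len(self.sessions)

def demo():
    """Constructed scenario: 2000 devices connected, serial 1337 gets revoked."""
    ca = "CN=Example Device CA"  # placeholder issuer name, not a real CA
    now = datetime(2021, 3, 7, 15, 50, tzinfo=timezone.utc)
    gw = Gateway({f"sess-{n}": CertId(ca, n) for n in range(1, 2001)})
    crl = Crl(ca, now + timedelta(hours=24), frozenset({1337}))
    hit = gw.refresh_crl(crl, now)       # only the revoked device's session
    remaining = gw.terminate(hit)        # the other 1999 sessions are untouched
    try:  # the same CRL fetched after its nextUpdate must be refused, not trusted
        gw.refresh_crl(crl, now + timedelta(days=2))
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"terminated": hit, "remaining": remaining, "stale_rejected": stale_rejected}
```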

From: TLS <tls-bounces@ietf.org> On Behalf Of Graham Bartlett
Sent: Sunday, March 7, 2021 12:16 PM
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; TLS List <tls@ietf.org>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hi

I have a fair amount of hands-on experience with IPsec VPNs, and many organisations look to use TLS in a similar manner.

To give you an example of where you might look to perform a regular revocation check on long-lived connections:

A solution with many remote devices (think remote access, so phones, laptops, IoT devices etc.).
A remote device is compromised; on the gateway there could be 1000s of devices connected.
I've found that most vendor solutions aren't geared up for an admin to easily determine the compromised device and prevent it reconnecting. Most organisations have a disconnect between the SOC, the PKI team and the team that manages the remote access gateway, and getting a process that'll involve all 3 teams usually doesn't work.

I've found that the best method to prevent the device from connecting is for the certificate to be revoked, the CRL refreshed and then a re-authentication performed on all active connections.

I'm not as familiar with TLS as I am IPsec, but hope that this explains a scenario where I feel re-authentication would be very valuable.

cheers

On Sun, Mar 7, 2021 at 9:58 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
Nico Williams <nico@cryptonector.com> writes:

>When expirations are short, you will not forget to renew.  That's part of the
>point of short-lived certificates.

So instead of getting one chance a year for your control system to break
itself if the renewal fails, you get hundreds of them?

Peter.

