Re: session with expired certificate
At 05:46 AM 6/6/2003, Hallvard B Furuseth wrote:
>The thread about the bindDN being deleted reminded me of something:
>
>What happens if the client or server certificate expires during the
>session?  Should the session revert to 'unknown' auth state, as was
>suggested in the bindDN thread?  Should the server or client (depending
>on which certificate expired) close the TLS session, if any?

I think this is really a TLS issue.  From an LDAP perspective,
the TLS layer generates a closure alert and we proceed from
there.  Requirements for implementations to generate a TLS
alert in such cases should be stated in TLS specifications.
If not adequately covered already, you might comment to the
TLS WG.  They are currently revising RFC 2246.

>BTW, is this the same as if the bindDN names a strongAuthenticationUser
>and binds with its certificate, or is that a third case?

LDAP does not support the X.511 "strong" method.

Kurt