
Re: session with expired certificate



On Fri, 6 Jun 2003, Kurt D. Zeilenga wrote:

> At 05:46 AM 6/6/2003, Hallvard B Furuseth wrote:
> >The thread about the bindDN being deleted reminded me of something:
> >
> >What happens if the client or server certificate expires during the
> >session?  Should the session revert to 'unknown' auth state, as was
> >suggested in the bindDN thread?  Should the server or client (depending
> >on which certificate expired) close the TLS session, if any?
>
> I think this is really a TLS issue.  From an LDAP perspective, the TLS
> layer generates a closure alert and we proceed from there.
> Requirements for implementations to generate a TLS alert in such cases
> should be stated in TLS specifications. If not adequately covered
> already, you might comment to the TLS WG.  They are currently revising
> RFC 2246.

I don't think it's something either TLS or LDAP specifications should
specify (except maybe as a Security Consideration, please supply text if
you want something said).  This is really a server (or client) policy
issue.  In general there is no necessary relation between the duration of
a session established with a credential and the validity period of the
credential itself.  My Kerberos ticket expired an hour ago (which means
I've been at work too long), but the IMAP session in which I'm reading
this mail continues.

 - RL "Bob"
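The point above, that what a server does when a session's credential expires is a policy choice rather than something the TLS or LDAP specifications decide, can be made concrete with a small model. The following is an added illustration, not code from this thread or from any LDAP or TLS implementation: a session bound with a time-limited credential, plus three hypothetical policies (check validity only at establishment, revert the session to anonymous, close the session). The policy names, the Session/Credential classes and the timeline are all assumptions constructed for the example.

```python
"""Toy model of the session/credential-expiry policy choice.

Added example, not from the ietf-ldapbis thread or any real LDAP server.
All names (ExpiryPolicy, Credential, Session) and the timeline are
constructed for illustration.
"""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class ExpiryPolicy(Enum):
    # Validity is checked only when authentication is established; the
    # credential's later expiry has no effect on the existing session
    # (the Kerberos-ticket / IMAP-session situation described above).
    CHECK_AT_ESTABLISHMENT = "check-at-establishment"
    # Keep the connection but drop the authorization state to anonymous.
    REVERT_TO_ANONYMOUS = "revert-to-anonymous"
    # Tear the session down (for TLS this would mean a closure alert).
    CLOSE_SESSION = "close-session"


@dataclass
class Credential:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when < self.not_after


@dataclass
class Session:
    policy: ExpiryPolicy
    auth_id: Optional[str] = None          # None == anonymous ("unknown")
    credential: Optional[Credential] = None
    open: bool = True
    log: List[str] = field(default_factory=list)

    def bind(self, cred: Credential, now: datetime) -> None:
        """Establish authentication; this check is common to all policies."""
        if not cred.valid_at(now):
            raise ValueError(f"credential for {cred.subject} not valid at {now.isoformat()}")
        self.auth_id = cred.subject
        self.credential = cred
        self.log.append(f"bound as {cred.subject}")

    def operation(self, name: str, now: datetime) -> Optional[str]:
        """Process a request at time `now`; returns the identity it ran as."""
        if not self.open:
            raise RuntimeError("session closed")
        if self.credential is not None and not self.credential.valid_at(now):
            self._on_expiry()
        if not self.open:
            return None                     # closed while handling expiry
        who = self.auth_id or "anonymous"
        self.log.append(f"{name} as {who}")
        return who

    def _on_expiry(self) -> None:
        if self.policy is ExpiryPolicy.CHECK_AT_ESTABLISHMENT:
            return                          # nothing to do after bind time
        if self.policy is ExpiryPolicy.REVERT_TO_ANONYMOUS:
            self.log.append("credential expired; reverting to anonymous")
            self.auth_id = None
            self.credential = None
        elif self.policy is ExpiryPolicy.CLOSE_SESSION:
            self.log.append("credential expired; closing session")
            self.open = False


def simulate(policy: ExpiryPolicy) -> List[Optional[str]]:
    """Bind with a credential that expires one hour after bind, then issue
    requests at 10, 30, 70 and 90 minutes. Constructed timeline."""
    t0 = datetime(2003, 6, 6, 12, 0, tzinfo=timezone.utc)
    cred = Credential("cn=bob,o=example",
                      t0 - timedelta(hours=8), t0 + timedelta(hours=1))
    session = Session(policy)
    session.bind(cred, t0)
    results: List[Optional[str]] = []
    for minutes in (10, 30, 70, 90):
        try:
            results.append(session.operation("search", t0 + timedelta(minutes=minutes)))
        except RuntimeError:
            results.append("closed")
    return results


if __name__ == "__main__":
    for policy in ExpiryPolicy:
        print(f"{policy.value:24s} {simulate(policy)}")
```

Under the first policy every request after the one-hour mark still runs as cn=bob, which is the behaviour the IMAP example above describes; the other two policies produce "anonymous" or a closed session from the 70-minute request onward. Nothing in the protocol forces any of the three; the choice belongs to the server (or client) operator.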