Hi Christian,

There may be ways in some environments to push updates, but it's neither universal nor reliable. So the perception is correct. It's not much different from waiting for the NextUpdate time of the CRL.

And the solution is also the same: short TTLs, frequent CRL updates, short response validity interval. With either technology it's a trade-off between timely revocation and load on the issuer.

Yoav

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Christian Becker
Sent: Sunday, March 03, 2013 12:16 PM
To: [email protected]
Subject: [dane] revocation of keys or certificates

Comparing PKIX and DANE, I regularly get asked about certificate revocation in DANE.

To me revocation is straightforward: you change keys in the TLSA record.

BUT what if the key was propagated with a large TTL to the caches of the world's DNS servers? In that case the revocation process can only be considered done when the TTL has elapsed.

Is that the right perception, and are there any solutions for that, except a recommendation to keep the TTL small?

Thanks,
Christian

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
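Added example, not part of the list thread: a small Python model of the trade-off Yoav describes, showing how long resolvers keep trusting a key that was replaced in the TLSA record versus the query load a given TTL puts on the authoritative server. The resolver fetch times, the moment of the key change and the one-day horizon are constructed inputs; the same refresh loop stands in for a CRL whose refresh period is the ThisUpdate-to-NextUpdate interval.

```python
# Added example (not from the dane list thread): a constructed model of how long
# a replaced TLSA key (or, equally, a certificate listed on a CRL) keeps being
# trusted while caches hold the old data, versus the query load that a given
# refresh period puts on the authoritative server / CRL issuer.

def simulate_revocation(ttl, first_fetch_times, revoke_at, horizon):
    """Constructed model, not a real resolver.

    Each resolver fetches the TLSA RRset at its first_fetch time, serves it from
    cache for `ttl` seconds, then re-fetches from the authoritative server. Any
    fetch made before `revoke_at` returns the old key; fetches at or after it
    return the new one. With `ttl` read as the CRL's NextUpdate interval the
    same loop models CRL refresh.

    Returns (seconds after revoke_at until the last resolver stops serving the
    old key, total authoritative queries issued during `horizon` seconds).
    """
    last_stale = 0
    queries = 0
    for t0 in first_fetch_times:
        t = t0
        while t < horizon:
            queries += 1
            if t < revoke_at:
                # This fetch returned the old key; it stays cached until t + ttl.
                last_stale = max(last_stale, t + ttl - revoke_at)
            t += ttl
    return last_stale, queries


def compare_ttls(ttls, first_fetch_times, revoke_at, horizon):
    """Run the model for several TTLs; returns {ttl: (stale_window, queries)}."""
    return {ttl: simulate_revocation(ttl, first_fetch_times, revoke_at, horizon)
            for ttl in ttls}


if __name__ == "__main__":
    # Constructed inputs: three resolvers that first looked up the name at
    # different moments, a key change 3100 s into the day, one day of traffic.
    fetches = [0, 600, 1800]
    for ttl, (stale, load) in compare_ttls([3600, 300], fetches, 3100, 86400).items():
        print(f"TTL {ttl:5d}s: old key trusted up to {stale:4d}s after the change, "
              f"{load} authoritative queries/day")
```

The stale window never exceeds the TTL, and cutting the TTL from 3600 s to 300 s shrinks it roughly twelvefold while multiplying the query load by about the same factor, which is the trade-off both messages point at.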
