In message <[email protected]>, Martin Rex writes:
> Christian Becker wrote:
> > Comparing PKIX and DANE I regularly get asked about the certificate
> > revocation in DANE.
>
> There is no revocation in DANE.
>
> There is only expiration through RRSIG Signature Expiration
> and invalidation through zone key roll-over.
>
> > In that case the revocation process can only be considered
> > done when the TTL has elapsed.
>
> TTL is meaningless here. TTL's purpose is a mere guidance for caching,
> TTL does not provide any security. It is an unsigned(!!) DNS record attribute
> that an intermediary can make up at will.

TTL is a signed field, but instead of being a single value it is a range.
An intermediary can change it, but the receiver knows what the range is
supposed to be and can fix any attempt to set it to a value that is out
of range.

> -Martin

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
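The "range" Mark refers to is the rule a validating resolver applies: the zone's Original TTL travels inside the signed RRSIG RDATA (RFC 4034 section 3.1.4), and RFC 4035 section 5.3.3 tells the validator to cache an authenticated RRset for no longer than the minimum of the received RRset TTL, the received RRSIG TTL, the Original TTL, and the seconds left until Signature Expiration. The following Python is an added example, not code from this thread or from any resolver: it parses a constructed TLSA RRSIG in presentation format, flags a received TTL that exceeds the signed bound, and computes the TTL a validator would actually cache. The record, its placeholder signature field, and the function names are all assumptions of this example, and no cryptographic verification is performed.

```python
# Added example (not from the mailing-list thread): how a validating
# resolver bounds the TTL of a DNSSEC-signed RRset.  The RRSIG below is
# constructed for illustration; its signature field is a placeholder and
# is NOT cryptographically verified here.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RRSig:
    """RRSIG RDATA fields relevant to TTL handling (RFC 4034 section 3.1)."""
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int   # seconds since the Unix epoch, UTC
    inception: int
    key_tag: int
    signer: str


def rrsig_time(text: str) -> int:
    """Parse the RRSIG presentation-format time YYYYMMDDHHmmSS (UTC)."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_rrsig_record(line: str) -> tuple[int, RRSig]:
    """Parse 'owner ttl IN RRSIG <rdata>'; return (received RRSIG TTL, RRSig)."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    sig = RRSig(
        type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]), expiration=rrsig_time(f[8]),
        inception=rrsig_time(f[9]), key_tag=int(f[10]), signer=f[11],
    )
    return int(f[1]), sig


def effective_ttl(rrset_ttl: int, rrsig_ttl: int, sig: RRSig, now: int) -> int:
    """TTL a validator may cache the authenticated RRset for (RFC 4035 5.3.3)."""
    if not sig.inception <= now <= sig.expiration:
        raise ValueError("RRSIG outside its validity period; RRset not authentic")
    return max(0, min(rrset_ttl, rrsig_ttl, sig.original_ttl, sig.expiration - now))


def ttl_exceeds_signed_bound(received_ttl: int, sig: RRSig) -> bool:
    """True when a received TTL is above the signed Original TTL, i.e. outside
    the range the zone owner committed to (a cache may only lower a TTL)."""
    return received_ttl > sig.original_ttl


# Constructed sample: a TLSA RRSIG whose zone TTL is 3600 s.  The base64
# signature at the end is a placeholder, not a real signature.
SAMPLE_RRSIG = (
    "_443._tcp.example.com. 3600 IN RRSIG TLSA 13 4 3600 "
    "20240301000000 20240201000000 12345 example.com. "
    "PLACEHOLDERSIGNATUREBASE64=="
)


def demo() -> dict:
    rrsig_ttl, sig = parse_rrsig_record(SAMPLE_RRSIG)
    # Suppose an on-path cache presented the TLSA RRset with a one-day TTL.
    presented_ttl = 86400
    mid_validity = rrsig_time("20240215120000")   # plenty of time left
    near_expiry = rrsig_time("20240229235000")    # 600 s before expiration
    return {
        "out_of_range": ttl_exceeds_signed_bound(presented_ttl, sig),
        "cached_mid_validity": effective_ttl(presented_ttl, rrsig_ttl, sig, mid_validity),
        "cached_near_expiry": effective_ttl(presented_ttl, rrsig_ttl, sig, near_expiry),
    }


if __name__ == "__main__":
    print(demo())
```

With the sample record, the presented 86400 s TTL is flagged as out of range and is clamped to the signed 3600 s in the middle of the validity window, and to the remaining 600 s just before Signature Expiration; that second bound is what ties the cache lifetime to Martin's "expiration through RRSIG Signature Expiration".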
