On 12/14/22 7:21 PM, Evan Burke wrote:
> Generally: x= is automatic and will usually be faster, and requires no engineering effort to build out the key management service, and no ongoing operational/maintenance/infrastructure costs.
I did say "possibly a LOT, more complex".
> Looks like a lot of complexity for little to no benefit over x=.
My understanding of part of the thread is that attackers are re-playing messages during the validity time covered by x= and that there is desire for a solution to overcome that.
I sort of loosely equate what I'm talking about to that of a CRL wherein it's possible to revoke / invalidate a TLS certificate before the "Not Valid After" date & time passes.
So it sounds like from the two "operational (overhead)" comments that the idea might provide an answer to the question -- as I understand it -- though some people may choose that the overhead is not worth using this answer.
-- 
Grant. . . .
unix || die
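To make the replay window concrete, here is an added example (not code from the thread or from any DKIM implementation) that parses the t= and x= tags of a DKIM-Signature header and reports how long a captured message would keep verifying; the sample header, selector, domain and hash values are constructed placeholders, and the 24-hour policy limit is an assumed local setting.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample DKIM-Signature value (not taken from the thread);
# bh= and b= are placeholders, t= and x= are seven days apart.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.com; s=sel2022; c=relaxed/relaxed; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; "
    "t=1671063660; x=1671668460; b=PLACEHOLDERSIGNATURE="
)


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Folding whitespace inside a value (e.g. in b=) is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_window(tags: Dict[str, str]) -> Tuple[Optional[int], Optional[int]]:
    """Return (t, x) as epoch seconds; either tag may be absent."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    return t, x


def assess_replay_exposure(header_value: str, now: int, max_window: int = 86400) -> Dict[str, object]:
    """Report whether x= has passed and whether the t=..x= window exceeds local policy.

    Until x= passes, anyone who captured the message can re-send it and the
    signature still verifies; x= only bounds how long that exposure lasts.
    max_window (assumed policy value) flags signatures whose window is wider
    than the verifier is willing to accept.
    """
    t, x = signature_window(parse_dkim_tags(header_value))
    window = (x - t) if (t is not None and x is not None) else None
    return {
        "expired": x is not None and now >= x,
        "no_expiration": x is None,
        "window_seconds": window,
        "exceeds_policy": window is not None and window > max_window,
    }
```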
