Re: session with expired certificate
At 05:46 AM 6/6/2003, Hallvard B Furuseth wrote:
>The thread about the bindDN being deleted reminded me of something:
>
>What happens if the client or server certificate expires during the
>session? Should the session revert to 'unknown' auth state, as was
>suggested in the bindDN thread? Should the server or client (depending
>on which certificate expired) close the TLS session, if any?
I think this is really a TLS issue. From an LDAP perspective,
the TLS layer generates a closure alert and we proceed from
there. Requirements for implementations to generate a TLS
alert in such cases should be stated in TLS specifications.
If not adequately covered already, you might comment to the
TLS WG. They are currently revising RFC 2246.
>BTW, is this the same as if the bindDN names a strongAuthenticationUser
>and binds with its certificate, or is that a third case?
LDAP does not support the X.511 "strong" method.
Kurt
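The reply above leaves the mechanics to the TLS layer: an endpoint that notices the peer's certificate has run out of validity should end the session with a closure alert, and the LDAP layer treats the closed session like any other. The Go program below is an added illustration of that behaviour, not code from this thread or from OpenLDAP. It builds a throwaway self-signed certificate with a short validity window (the hostname `ldap.example.test`, the serial number and the timings are constructed for the example), opens a TLS session to a local listener, and runs a watchdog that re-checks the peer's leaf certificate against the clock and sends `close_notify` the moment it expires; the server side reports whether it saw a clean closure alert (`io.EOF` from Go's `crypto/tls`) rather than a dropped connection. Only standard-library packages are used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway certificate whose validity window is
// [notBefore, notAfter]. The name and serial are constructed for this example.
func selfSignedCert(notBefore, notAfter time.Time) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ldap.example.test"},
		DNSNames:     []string{"ldap.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// peerCertExpired reports whether the peer's leaf certificate is outside its
// validity window at time now. A session with no peer certificate (anonymous
// TLS) has nothing that can expire, so it reports false.
func peerCertExpired(cs tls.ConnectionState, now time.Time) bool {
	if len(cs.PeerCertificates) == 0 {
		return false
	}
	leaf := cs.PeerCertificates[0]
	return now.Before(leaf.NotBefore) || now.After(leaf.NotAfter)
}

// watchPeerCert polls the established session's peer certificate and closes
// the session, which makes crypto/tls send a close_notify alert, as soon as
// the certificate expires. It returns true if it closed the session for that
// reason and false if maxWait elapsed first.
func watchPeerCert(conn *tls.Conn, poll, maxWait time.Duration) bool {
	deadline := time.Now().Add(maxWait)
	for time.Now().Before(deadline) {
		if peerCertExpired(conn.ConnectionState(), time.Now()) {
			conn.Close()
			return true
		}
		time.Sleep(poll)
	}
	return false
}

// runSession starts a local TLS server whose certificate expires validFor
// after now, connects to it with that certificate as the trust root, and runs
// the watchdog on the client side. It returns whether the watchdog closed the
// session and whether the server observed a clean closure alert (io.EOF) rather
// than an abrupt disconnect.
func runSession(validFor, maxWait time.Duration) (watchdogClosed, serverSawCloseNotify bool, err error) {
	now := time.Now()
	cert, leaf, err := selfSignedCert(now.Add(-time.Minute), now.Add(validFor))
	if err != nil {
		return false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()

	serverResult := make(chan bool, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverResult <- false
			return
		}
		defer c.Close()
		// The first Read completes the handshake, then blocks until the peer
		// sends data or an alert; a close_notify surfaces as io.EOF.
		_, err = c.Read(make([]byte, 1))
		serverResult <- errors.Is(err, io.EOF)
	}()

	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, ServerName: "ldap.example.test", MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return false, false, err
	}
	watchdogClosed = watchPeerCert(conn, 10*time.Millisecond, maxWait)
	if !watchdogClosed {
		conn.Close()
	}
	serverSawCloseNotify = <-serverResult
	return watchdogClosed, serverSawCloseNotify, nil
}

func main() {
	closed, clean, err := runSession(200*time.Millisecond, 5*time.Second)
	fmt.Printf("watchdog closed session: %v, server saw close_notify: %v, err: %v\n", closed, clean, err)
}
```

The handshake succeeds because the certificate is still valid when the session is established; only the later re-check catches the expiry, which is exactly the gap the question describes. On a real deployment the same check belongs in whichever endpoint holds the peer certificate, and the LDAP layer simply observes the resulting closed connection.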