Pekka Savola: How exactly can you check for revoked certificates if you don't have off-link network access yet? Does every node have to contain a database of these, and the possible disconnection time is the window of opportunity for the attacker? As stated in the spec:

    When processing the three certificates, the usual RFC 3280 certificate path validation is performed, for instance by checking for revoked certificates.

(This will probably need a bit of discussion in security considerations as well..)

--------------

James Kempf: The last paragraph in Section 6.1.1 says this about checking certificates received in a DCA for validity:

    When processing the three certificates, the usual RFC 3280 certificate path validation is performed, for instance by checking for revoked certificates.

As a practical matter, the node will typically be performing the certificate check in response to a router advertisement containing a signature for which the host does not have the certificate. So the host will not at that time have a connection to the Internet by which it can perform a CRL check. Therefore, the host will be unable to perform a CRL check, exposing it to the possibility that the router may have been compromised and its certificate revoked.

What to do? I'd like to suggest the following text:

    When processing the three certificates, the usual RFC 3280 certificate path validation is performed. Note, however, that at the time a node is checking certificates received in a DCA from a router, it typically does not have a connection to the Internet yet, and so it is not possible to perform an on-line Certificate Revocation List (CRL) check if such a check is necessary. Until such a check is performed, acceptance of the certificate MUST be considered provisional, and the node MUST perform a check as soon as it has established a connection with the Internet through the router. If the router has been compromised, it could interfere with the CRL check. Should performance of the CRL check be disrupted or should the check fail, the node SHOULD immediately stop using the router as a default and use another router on the link instead.

--------------

Jari Arkko: Works for me.

--------------

Pekka Savola: Looks good like that too.
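The rule James Kempf proposes above (provisional acceptance, a deferred CRL check once the node has connectivity through the router, and failover to another router on the link if the check fails or is disrupted) is small enough to be written out as a host-side policy. The following is an added example, not code from the thread or from any SEND implementation; the `Router`, `DefaultRouterPolicy` and `simulate` names, the link-local addresses and certificate serials, and the `crl_lookup` callback that stands in for a real CRL fetch are all constructed for illustration.

```python
"""Provisional router trust pending a CRL check (added example, constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Trust(Enum):
    PROVISIONAL = "provisional"  # chain validated offline (RFC 3280 minus revocation)
    VERIFIED = "verified"        # CRL check completed, certificate not listed
    REJECTED = "rejected"        # CRL check failed, or could not be completed


class CrlUnavailable(Exception):
    """The CRL could not be fetched through the router under test."""


@dataclass
class Router:
    addr: str            # link-local address of the advertising router (constructed)
    cert_serial: str     # serial of the certificate carried in its DCA (constructed)
    trust: Trust = Trust.PROVISIONAL


class DefaultRouterPolicy:
    """Accept provisionally, verify via CRL once connectivity exists, and stop
    using the router as default on a failed or disrupted check."""

    def __init__(self, crl_lookup: Callable[[Router], bool]) -> None:
        # crl_lookup(router) fetches the CRL *through* that router and returns
        # True if the router's certificate is listed; it raises CrlUnavailable
        # when the fetch is disrupted (e.g. a compromised router blocks it).
        self._crl_lookup = crl_lookup
        self._routers: List[Router] = []
        self.default: Optional[Router] = None

    def accept_provisionally(self, router: Router) -> Trust:
        """Called after offline path validation succeeded but before any
        connectivity exists: the router may be used, but only provisionally."""
        self._routers.append(router)
        if self.default is None:
            self.default = router
        return router.trust

    def verify_default(self) -> Optional[Trust]:
        """Called as soon as the node has reached the Internet through the
        current default router: run the deferred CRL check for that router."""
        router = self.default
        if router is None:
            return None
        if router.trust is not Trust.PROVISIONAL:
            return router.trust
        try:
            revoked = self._crl_lookup(router)
        except CrlUnavailable:
            # A disrupted check is treated exactly like a failed one.
            router.trust = Trust.REJECTED
        else:
            router.trust = Trust.REJECTED if revoked else Trust.VERIFIED
        if router.trust is Trust.REJECTED:
            self._failover()
        return router.trust

    def _failover(self) -> None:
        # Prefer an already-verified router; otherwise another provisional one.
        candidates = [r for r in self._routers if r.trust is not Trust.REJECTED]
        candidates.sort(key=lambda r: r.trust is not Trust.VERIFIED)
        self.default = candidates[0] if candidates else None


def simulate(routers: List[Router], revoked: Set[str],
             interfering: Set[str]) -> Dict[str, object]:
    """Constructed scenario runner: `revoked` holds serials listed on the CRL,
    `interfering` holds addresses of routers that block the CRL fetch."""
    def crl_lookup(router: Router) -> bool:
        if router.addr in interfering:
            raise CrlUnavailable(router.addr)
        return router.cert_serial in revoked

    policy = DefaultRouterPolicy(crl_lookup)
    for r in routers:
        policy.accept_provisionally(r)
    # Each time connectivity comes up through the current default, verify it;
    # repeat until the default is verified or no usable router remains.
    while policy.default is not None and policy.default.trust is Trust.PROVISIONAL:
        policy.verify_default()
    return {
        "default": policy.default.addr if policy.default else None,
        "trust": {r.addr: r.trust.value for r in routers},
    }


if __name__ == "__main__":
    link = [Router("fe80::1", "A1"), Router("fe80::2", "B2")]
    print(simulate(link, revoked={"A1"}, interfering=set()))
```

Note that the CRL check for a fallback router is deferred until the node has connectivity through that router, rather than being run through the router just rejected; a check performed through a router that is already suspected of interfering would prove nothing about the next candidate.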