In case an open CSR is rejected by the parent, and we know for certain that it's positively rejected - i.e. a validly signed response tells us - rather than a connection or other failure, then the open CSR should be removed, because re-sending it will never work.
In a related context: we should also think about identifying that a parent no longer knows us. But unfortunately, this is not trivial to do securely. There is no clearly defined signed response that we can check for this. So, this may require future standards extensions.
Essentially, the normal reasons a CSR is rejected already result in dropping the resource class (and the request). It is unclear how to recover from other cases.
To the best of our knowledge, these cases don't happen in practice, but if anyone runs into cases that seem to indicate otherwise, please re-open this issue.