Commit
Script updating gh-pages from 26d5d51. [ci skip]
ID Bot committed Jul 8, 2024
1 parent fad8dcd commit d0a32dd
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion Final_Tweaks/draft-dekater-scion-pki.html
@@ -1443,7 +1443,7 @@ <h4 id="name-substitutes-to-certificate-">
<p id="section-1.4.2-1">The CP-PKI does not explicitly support certificate revocation. Instead, it relies on the two mechanisms described above and on short-lived certificates. This approach constitutes an attractive alternative to a revocation system for the following reasons:<a href="#section-1.4.2-1" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="section-1.4.2-2.1">
<p id="section-1.4.2-2.1.1">Both short-lived certificates and revocation lists <span class="bcp14">MUST</span> be signed by a CA. Instead of periodically signing a new revocation list, the CA can simply re-issue all the non-revoked certificates. Although the overhead of signing multiple certificates is greater than that of signing a single revocation list, the overall complexity of the system is reduced. In the CP-PKI the number of certificates that each CA must renew is manageable as it is limited to at most the number of ASes within an ISD.<a href="#section-1.4.2-2.1.1" class="pilcrow"></a></p>
<p id="section-1.4.2-2.1.1">Both short-lived certificates and revocation lists must be signed by a CA. Instead of periodically signing a new revocation list, the CA can simply re-issue all the non-revoked certificates. Although the overhead of signing multiple certificates is greater than that of signing a single revocation list, the overall complexity of the system is reduced. In the CP-PKI the number of certificates that each CA must renew is manageable as it is limited to at most the number of ASes within an ISD.<a href="#section-1.4.2-2.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-1.4.2-2.2">
<p id="section-1.4.2-2.2.1">Even with a revocation system, a compromised key cannot be instantaneously revoked. Through their validity period, both short-lived certificates and revocation lists implicitly define an attack window (i.e., a period during which an attacker who managed to compromise a key could use it before it becomes invalid). In both cases, the CA must consider a tradeoff between efficiency and security when picking this validity period.<a href="#section-1.4.2-2.2.1" class="pilcrow"></a></p>
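Review bot: replacing `<span class="bcp14">MUST</span>` with plain "must" on the added line is the right call, because this bullet states a property shared by any CA-signed artifact (revocation lists and short-lived certificates alike) rather than a conformance requirement of the CP-PKI, and BCP 14 keywords should be reserved for normative statements. It also makes the bullet consistent with the following one, whose unchanged context line already reads "the CA must consider a tradeoff" in lowercase. Worth confirming that no other descriptive sentence in this section still carries the bcp14 span, so the draft's keyword usage stays consistent with its BCP 14 boilerplate.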
2 changes: 1 addition & 1 deletion Final_Tweaks/draft-dekater-scion-pki.txt
@@ -383,7 +383,7 @@ Table of Contents
short-lived certificates. This approach constitutes an attractive
alternative to a revocation system for the following reasons:

* Both short-lived certificates and revocation lists MUST be signed
* Both short-lived certificates and revocation lists must be signed
by a CA. Instead of periodically signing a new revocation list,
the CA can simply re-issue all the non-revoked certificates.
Although the overhead of signing multiple certificates is greater
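Review bot: the .txt rendition receives the same MUST-to-must change as the HTML, so the two generated outputs stay in step; since the replacement word is the same length, the wrapping of the following lines ("by a CA. Instead of periodically signing a new revocation list,") is unaffected and no reflow was needed. Because the commit message describes this as a script update from 26d5d51, the substantive fix lives in that source commit and these generated files should not be hand-edited further.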

0 comments on commit d0a32dd