rikard-sics
commented
1 year ago The hard limit is in meaning of using an OSCORE Context for using a context for message decryption/encryption. Running KUDOS (rekeying) is fine even if the context has reached its limits or expired. So the "hard limit" is on the sender/recipient keys.
The "soft limit" can be about running KUDOS already (well ahead of) a context expiring or reaching limits. At least we can have recommendations to run KUDOS ahead of expiration or reaching the limits.
We should define that expiration is about the sender/recipient keys.
How do our limits and 'exp' compare to the soft and hard lifetime of IPsec?
We can clarify that what is hard about the limits and 'exp' is to do no further message processing. Running KUDOS is still fine after they have been reached.
Can we mention more strongly the recommendation to rekey well ahead of time before reaching the limits? And that how long before can be up to application policies.
(Based on feedback from Rafa Marin-Lopez)