RE: OCSP response pre-production

["Ryan M. Hurst" <rmh@xxxxxxxxxxxxxxxxxxxxx>]

That's a good point, how about:

"Correspondingly, if a responder has only supports pre-produced
responses it may reject request that include a nonce, otherwise upon
receipt of a request containing a nonce, a responder SHALL include the
value of such nonce in the production of the associated response."

Ryan


-----Original Message-----
From: Dr Stephen Henson [mailto:shenson@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 10:22 AM
To: Paul Hoffman / IMC
Cc: Michael Myers; Ryan M. Hurst; David Engberg; oelmaier@xxxxxxxxxxx;
Ambarish Malpani; ietf-pkix@xxxxxxx; Russ Housley; Stephen Kent; Tim
Polk
Subject: Re: OCSP response pre-production

Firstly as I mentioned before I've no problem with nonces and the 
proposed wording.

However I'm a bit confused by this:

Paul Hoffman / IMC wrote:
> 
> 
> - If you can't sign, you must reject requests with nonces.
> 

and the proposed wording:

Michael Myers wrote:
> 
>     "Correspondingly, upon receipt of a request
>      containing a nonce, a responder SHALL include
>      the value of such nonce in the production of
>      the associated response."
> 

Which seems to suggest to me that a responder isn't allowed to reject 
requests with nonces or am I misinterpreting it?

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@xxxxxxxxxxxxxxxxxxxxx, PGP key: via homepage.