RE: OCSP response pre-production
I concur with this, er "me too" :)
Ryan
-----Original Message-----
From: Paul Hoffman / IMC [mailto:phoffman@xxxxxxx]
Sent: Friday, September 26, 2003 9:40 AM
To: Michael Myers; Ryan M. Hurst; David Engberg; oelmaier@xxxxxxxxxxx;
Ambarish Malpani; ietf-pkix@xxxxxxx
Cc: Russ Housley; Stephen Kent; Tim Polk
Subject: RE: OCSP response pre-production
I hate to send "me too" responses, but everything Mike says in his
extended discussion is exactly right. My summary would be:
- If you can't sign, you must reject requests with nonces.
- Caching servers can ask a different server to sign. They can
respond to all requests that don't have nonces, and they (probably
selectively) send back the requests that have nonces to a server
willing to sign them.
- If you control the OCSP clients and you don't want to sign the
responses, inhibit the clients from sending requests with nonces.
--Paul Hoffman, Director
--Internet Mail Consortium
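
The three rules in the summary above, sketched as a front-end routing decision. This is an added example, not part of the original thread or of any responder's code: the function names, the `can_sign` / `signer_available` flags and the returned labels are hypothetical, and the DER walker reads only the fields needed to find the nonce extension (id-pkix-ocsp-nonce) in `requestExtensions`. The sample request is constructed with dummy CertID values.

```python
NONCE_OID = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2

def tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def has_nonce(der_bytes):  # True if TBSRequest.requestExtensions carries a nonce
    tag, req, _ = tlv(der_bytes, 0)  # OCSPRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs = next(children(req))  # tbsRequest
    for tag, val in children(tbs):
        if tag == 0xA2:  # [2] EXPLICIT requestExtensions
            _, exts = next(children(val))
            return any(next(children(e), None) == (0x06, NONCE_OID) for _, e in children(exts))
    return False

def route(der_bytes, can_sign, signer_available):  # hypothetical policy labels
    try:
        nonce = has_nonce(der_bytes)
    except (ValueError, IndexError, StopIteration):
        return "reject-malformed"
    if not nonce:
        return "serve-pre-produced"  # no nonce: a cached response is acceptable
    if can_sign:
        return "sign-fresh"
    return "forward-to-signer" if signer_available else "reject"

def der(tag, *parts):  # constructed-sample encoder, short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_request(with_nonce):  # constructed OCSPRequest, dummy CertID values
    cert_id = der(0x30, der(0x30, der(0x06, bytes.fromhex("2b0e03021a")), der(0x05)),
                  der(0x04, b"\x11" * 20), der(0x04, b"\x22" * 20), der(0x02, b"\x01"))
    ext = der(0x30, der(0x06, NONCE_OID), der(0x04, der(0x04, b"\xAA" * 8)))
    exts = der(0xA2, der(0x30, ext)) if with_nonce else b""
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id)), exts))
```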