RE: OCSP response pre-production
Cached (pre-produced) responses can be treated as CRLs (checked for time
validity using the ThisUpdate and NextUpdate fields). We don't worry
about replay attacks when using CRLs.

If we want to enable the client to work with both fresh and cached
responses we could include a nonce in the request and accept responses
without it. Of course this means that we are giving up prevention
against replay attacks. This prevention only makes sense for fresh
responses. The bad scenario is a replay attack against fresh responses;
how can we avoid it? Maybe by having a way to distinguish fresh responses
from cached ones. Then the client can reject a fresh response without
the nonce included in the request.

Opinions are welcome,
Miguel A Rodriguez
SeguriDATA
Mexico
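The acceptance policy sketched in the message above, written out as an added example (this is not code from the original post or from any OCSP implementation). It assumes a simplified response record with the ThisUpdate/NextUpdate window, an optional echoed nonce, and a hypothetical `fresh` marker standing in for the "way to distinguish fresh responses from cached ones" that the post asks for; real OCSP responses carry no such field, so the marker is an assumption. Cached responses are accepted purely on their time window, as a CRL would be; a response marked fresh must echo the request nonce or it is rejected.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class OcspResponse:
    """Minimal stand-in for the fields of a BasicOCSPResponse we check here."""
    this_update: datetime            # thisUpdate from the SingleResponse
    next_update: Optional[datetime]  # nextUpdate, absent for some responders
    nonce: Optional[bytes]           # request nonce echoed by the responder, if any
    fresh: bool                      # HYPOTHETICAL: responder marks on-demand responses


def new_request_nonce() -> bytes:
    """Unpredictable nonce the client places in the OCSP request."""
    return secrets.token_bytes(16)


def accept_response(resp: OcspResponse,
                    request_nonce: bytes,
                    now: datetime,
                    clock_skew: timedelta = timedelta(minutes=5),
                    max_age_without_next_update: timedelta = timedelta(days=7)
                    ) -> Tuple[bool, str]:
    """Decide whether a client should trust `resp` under the policy:
    CRL-style time validity for everyone, nonce required only for fresh responses."""
    # 1. Time validity, the same check one applies to a CRL.
    if resp.this_update > now + clock_skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now > resp.next_update + clock_skew:
            return False, "nextUpdate has passed"
    elif now - resp.this_update > max_age_without_next_update:
        # No nextUpdate: bound how old a cached response may be.
        return False, "no nextUpdate and response is too old"

    # 2. Nonce handling. A nonce that is present must match what we sent.
    if resp.nonce is not None:
        if not hmac.compare_digest(resp.nonce, request_nonce):
            return False, "nonce does not match request"
        return True, "fresh response, nonce verified"

    # 3. No nonce: acceptable for a cached response (replay is meaningless
    #    inside its validity window), but not for one claiming to be fresh.
    if resp.fresh:
        return False, "fresh response without nonce (possible replay)"
    return True, "cached response accepted on its validity window"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenarios covering the four interesting branches."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    nonce = new_request_nonce()
    cached_ok = OcspResponse(now - timedelta(hours=6), now + timedelta(days=1), None, False)
    cached_expired = OcspResponse(now - timedelta(days=3), now - timedelta(days=1), None, False)
    fresh_ok = OcspResponse(now - timedelta(seconds=30), now + timedelta(days=1), nonce, True)
    fresh_no_nonce = OcspResponse(now - timedelta(seconds=30), now + timedelta(days=1), None, True)
    return (accept_response(cached_ok, nonce, now)[0],
            accept_response(cached_expired, nonce, now)[0],
            accept_response(fresh_ok, nonce, now)[0],
            accept_response(fresh_no_nonce, nonce, now)[0])


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The nonce comparison uses `hmac.compare_digest` so that a mismatch is not detectable through timing; the clock-skew allowance is the client's own policy choice, not part of the OCSP protocol.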