
RE: OCSP response pre-production




At 2:08 PM -0700 9/26/03, Deacon, Alex wrote:
This summary assumes that the OCSP responder has control of the OCSP
clients.

No, it very explicitly doesn't.


  This may not be the case, especially when responding to OCSP
requests for certs issued from SSL CAs (i.e. every flavor of browser/ocsp
client on earth).

Correct.


  As I stated in my response to Russ, the responder could
reject a request with a nonce, but why not reply with a request without a
nonce, and let the client decide if it wants to accept or reject it.

This does not make sense from an interoperability standpoint. If the responder does not have control of the clients, why do you say that the responder should send back malformed responses and let the client deal with them? If you have no control over the clients, you cannot assume that clients will be able to deal with malformed responses.


  If a
client requires that the nonce be in the result, the result is the same, the
response is rejected.

No, the new result is that the client is confused by the malformed response. This is much worse.


--Paul Hoffman, Director
--Internet Mail Consortium
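The exchange above is about what a client should do when it sends a nonce and gets back a pre-produced response without one. The following is an added example, not code from either poster or from any OCSP implementation; it uses the Python `cryptography` library, builds a throwaway test CA in memory, and models the three responder behaviours under discussion (echo the nonce, answer from a pre-produced response with no nonce, reject the request with an error status) alongside a client check whose `require_nonce` policy flag is an assumption of this example. The error status used for the "reject" path is chosen only for illustration.

```python
"""Client-side OCSP nonce handling against the three responder behaviours in the thread."""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def build_test_pki():
    """Constructed throwaway CA + end-entity certificate (keys generated per run)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def make_request(leaf_cert, ca_cert, nonce):
    """Client side: an OCSP request, with a nonce extension when one is supplied."""
    builder = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA1())
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.build()


def make_response(ca_key, ca_cert, leaf_cert, nonce):
    """Responder side: a signed GOOD response. A pre-produced response cannot know
    the client's nonce, so pass nonce=None to model that case."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                      cert_status=ocsp.OCSPCertStatus.GOOD,
                      this_update=now, next_update=now + datetime.timedelta(hours=1),
                      revocation_time=None, revocation_reason=None)
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def make_rejection():
    """Responder side: refuse the request outright (status value is illustrative only)."""
    return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.MALFORMED_REQUEST)


def _nonce_of(extensions):
    try:
        return extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return None


def check_nonce(request, response, require_nonce):
    """Client policy (assumed): decide how a missing or wrong nonce is treated.
    A non-successful response carries no ResponseData, so it is handled first."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error-status"
    sent = _nonce_of(request.extensions)
    if sent is None:
        return "not-requested"
    got = _nonce_of(response.extensions)
    if got is None:
        return "absent-rejected" if require_nonce else "absent-accepted"
    return "match" if got == sent else "mismatch"


def demo():
    """Run the client check against each responder behaviour and report the outcomes."""
    ca_key, ca_cert, leaf = build_test_pki()
    nonce = os.urandom(16)
    req = make_request(leaf, ca_cert, nonce)
    return {
        "echoed": check_nonce(req, make_response(ca_key, ca_cert, leaf, nonce), True),
        "preproduced_strict": check_nonce(req, make_response(ca_key, ca_cert, leaf, None), True),
        "preproduced_lenient": check_nonce(req, make_response(ca_key, ca_cert, leaf, None), False),
        "wrong_nonce": check_nonce(req, make_response(ca_key, ca_cert, leaf, os.urandom(16)), False),
        "rejected": check_nonce(req, make_rejection(), True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two "preproduced" outcomes are the point of the thread: the same nonce-less response is accepted or rejected purely by client policy, which is why the responder cannot predict how arbitrary clients will treat it, whereas a nonce mismatch is rejected under any policy.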