RE: OCSP response pre-production

[Paul Hoffman / IMC <phoffman@xxxxxxx>]

At 9:09 PM +0200 9/27/03, Florian Oelmaier wrote:
> with all due respect: Please quote the paragraph of RfC 2560 stating
> that a response without nonce is "malformed".

This is exactly what we are trying to write up now.

> I am very sure that all client
> implementors out there are aware of this situation. All my test of OCSP
> clients back this statement up - most reject these reponses, but all are
> able to deal with the situation.

This is a very valuable data point, and one that is quite relevant to 
Mike's initial question. If it is true (we'd need to ask the 
implementers again), it would certainly make it possibl for the WG to 
go towards a solution like Alex's which puts the onus on the client 
to decide what to do with a response from a server that didn't do 
what it was told to.

> Summary: Right now the RfC is VERY CLEAR in this point: a response
> without nonce to a request with nonce is NOT MALFORMED and completely
> conform with RfC2560.

It is malformed if you read section 4.4.1 as requiring a nonce in the 
response when it was included in the query, as many people here have 
interpreted. "Optional" doesn't mean "can be put in or omitted at 
will".

--Paul Hoffman, Director
--Internet Mail Consortium