[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OCSP response pre-production

To: "Manger, James H" <James.H.Manger@xxxxxxxxxxxxxxxx>
Subject: Re: OCSP response pre-production
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Mon, 29 Sep 2003 12:03:16 +0200
Cc: ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Bull SA.
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

(...)

[Florian]

Client Type I) Given you have a client with the following behaviour:
A) always includes a nonce into his request
B) accepts responses without nonce

(...)

[James]

So the proposed server-generated nonces are simply a mechanism to allow
Client Type I operate securely. I fully agree with you, that such a
client behaviour (accepting responses without nonce) seems to be
desirable from an operating point of view.

If a client Type I "accepts responses without nonce" (i.e. "B condition") then a nonce generated by the server is ignored by the client and thus does not help, and "do NOT allow Client Type I operate securely".

Denis

Follow-Ups:
- RE: OCSP response pre-production
  - From: Florian Oelmaier

References:
- RE: OCSP response pre-production
  - From: Manger, James H

Prev by Date: request for reviewing our interoperability experiment report
Next by Date: Re: OCSP response pre-production (was RE: POLL: Use of nonces in OCSP)
Previous by thread: RE: OCSP response pre-production
Next by thread: RE: OCSP response pre-production
Index(es):
- Date
- Thread