RE: OCSP response pre-production

["Ryan M. Hurst" <rmh@xxxxxxxxxxxxxxxxxxxxx>]

As I see it there are several problems here:

First the RFC isn't clear on what the client is asking when it includes
a nonce, my take has always been that a request with a nonce is a
request that the client would like to have generated dynamically for it;
it seams from the other responses on the thread that this is was the
common interpretation. I think Mikes proposed text resolves this issue.

Next if a server can't generate a response dynamically (or forward it to
someone who can) what is he to return? I see several options here:
1. Expand section "4.4.1  Nonce" to include nonceNotSupported, this
could be returned by the server indicating to the client that it does
not support dynamic responses.

NOTE: I am not sure why the client needs to know this, but extra
information always helps in diagnostics so I am not apposed to this.

2. If a server can't support a nonce it returns internalError
NOTE: notAuthorized is also an option; authorization is a function of
policy and in this case the policy does not support the generation of
dynamic responses.

And finally what is a server supposed to return if it receives a request
without a nonce? I see several options these include:
1. Answer him! Nonce's only protect the client; if the client doesn't
want a nonce don't give him one.
2. Return internalError or notAuthorized as per above, this allows
servers in environments who want

The server to enforce client policy to refuse to answer questions that
he thinks may be questionable.

In the end I the decision to use a response is the clients, the decision
to send one is the server and the return can give a little detail or
allot.

Ryan