[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OCSP response pre-production

To: "'Michael Myers'" <mmyers@xxxxxxxxx>, <ietf-pkix@xxxxxxx>
Subject: RE: OCSP response pre-production
From: "Florian Oelmaier" <oelmaier@xxxxxxxxxxx>
Date: Tue, 30 Sep 2003 01:58:17 +0200
Importance: Normal
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: SyTrust
Sender: owner-ietf-pkix@xxxxxxxxxxxx

> We have discovered a hole.  To give it a name let's call it 
> Nonce Capability Discovery.  This hole will not be filled by 
> artful requirements language alone.  We need proposed technical
> components: a few bits of ASN.1 and associated semantics.

So we need some additional signalling between client and responder. I
tried to list all the items a client would like to signal to the
responder and the other way round.

The client has 3 options that he would like to signal to the responder:
A) Client will accept a pre-produced/cached response. 
B) Client wants to get a custom-made response, but will also accept a
pre-produced/cached response.
C) Client wants to get a custom-made response and will not accept
pre-produced/cached responses.

A responder has 5 options that he would like to signal to the client:
1) Responder wants others to be able to cache (replay) this response
2) The response is a cached copy from another soure or was pre-produced
3) This is a custom-made response to a particular request (this
obviously includes 4)
4) This particular response should not be used in any type of caching
(replaying) 
5) Error: This Responder cannot produce custom-made responses

What about the following proposal (numbers corresponding to the signals
above):

A) Client does not include nonce into request.
B) Client includes nonce into request.
C) Client includes nonce into request and marks it CRITICAL.

1) Responder does not include nonce into response.
2) Responder does not include nonce into response.
3) Responder copies the nonce of the request into the response
4) If the request did not contain a nonce, the responder generates a
nonce for the response
5) We add a new error code 7: "Nonce extension cannot be processed"

Advantage: We only need to change minor things in the RfC:
- allow for CRITICAL on extensions
- add a new error code
- add some clarifications / text.

Disadvantage of this proposal: 
- we miss the opportunity to signal the "source of validation" - CRL vs.
fresh/live data.
- We cannot distinguish 1) and 2).

-- 
Florian Oelmaier
SyTrust

Follow-Ups:
- RE: OCSP response pre-production
  - From: Michael Myers
- Man-in-the-middle attacks (was: OCSP response pre-production)
  - From: Paul Hoffman / IMC

References:
- RE: OCSP response pre-production
  - From: Michael Myers

Prev by Date: RE: OCSP response pre-production
Next by Date: Man-in-the-middle attacks (was: OCSP response pre-production)
Previous by thread: RE: OCSP response pre-production
Next by thread: Man-in-the-middle attacks (was: OCSP response pre-production)
Index(es):
- Date
- Thread