
RE: OCSP response pre-production



All,

I was talking to some folks offlist on this subject yesterday
and thought I might ask if it's possible we could all get behind
the following simple fix.


SYNTAX:     Expand v1 OCSPResponseStatus syntax to
            include (7) noncesNotAccepted.


SEMANTICS:  Responders SHOULD respond back with the
            requestor's nonce, but if they can't then SHALL
            respond with an error message of the value
            noncesNotAccepted.

            Requestors SHALL reject signed responses
            that fail to incorporate a supplied nonce.

            Upon receipt of noncesNotRequired, requestors
            MAY retry the request without using a nonce.
            Requestors are STRONGLY ADVISED that doing
            so MAY subject them to additional risk.

Thus, essentially, requestors can set "nonce always" but if they
want to they can have that overridden on a per-request basis.

Opinions?

Mike
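Added illustration, not part of Mike's message: a small Python model of the proposed exchange, with the responder either echoing the nonce or returning the new status, and the requestor rejecting any successful response that lacks its nonce before optionally retrying without one. The message structures, helper names and the constant value 7 are assumptions of this example; signature checking and ASN.1 encoding are left out.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# OCSPResponseStatus: 0 (successful) is defined in the OCSP RFC; 7 is the
# value proposed in the post (assumed here as a plain integer).
STATUS_SUCCESSFUL = 0
STATUS_NONCES_NOT_ACCEPTED = 7

@dataclass
class OCSPRequest:            # constructed stand-in for a DER OCSPRequest
    serial: int
    nonce: Optional[bytes]

@dataclass
class OCSPResponse:           # constructed stand-in for a DER OCSPResponse
    status: int
    serial: Optional[int] = None
    cert_status: Optional[str] = None
    nonce: Optional[bytes] = None   # echoed nonce extension, if present

def responder(req: OCSPRequest, supports_nonce: bool) -> OCSPResponse:
    """Responder side: echo the nonce, or signal noncesNotAccepted."""
    if req.nonce is not None and not supports_nonce:
        return OCSPResponse(status=STATUS_NONCES_NOT_ACCEPTED)
    return OCSPResponse(STATUS_SUCCESSFUL, req.serial, "good", req.nonce)

def verify_response(req: OCSPRequest, resp: OCSPResponse) -> bool:
    """Requestor side: a successful response must carry exactly the nonce
    that was sent; a missing or different nonce (e.g. a replayed old
    response) is rejected. Signature verification is assumed done elsewhere."""
    if resp.status != STATUS_SUCCESSFUL or resp.serial != req.serial:
        return False
    if req.nonce is not None and resp.nonce != req.nonce:
        return False
    return True

def check_status(serial: int, responder_supports_nonce: bool,
                 allow_retry_without_nonce: bool):
    """Full exchange: 'nonce always', overridable per request on error."""
    req = OCSPRequest(serial, secrets.token_bytes(16))
    resp = responder(req, responder_supports_nonce)
    if verify_response(req, resp):
        return ("fresh", resp.cert_status)
    if resp.status == STATUS_NONCES_NOT_ACCEPTED and allow_retry_without_nonce:
        req = OCSPRequest(serial, None)          # retry, accepting the risk
        resp = responder(req, responder_supports_nonce)
        if verify_response(req, resp):
            return ("replayable", resp.cert_status)
    return ("rejected", None)
```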