RE: OCSP response pre-production
I agree with the statements below.
Mike, we should also add some statements of correct client behavior.
My thoughts:
(a) If a client makes a request with a nonce, it MUST reject
a response that doesn't include the same nonce.
(b) If a client makes a request without a nonce, it MUST ignore the
nonce extension in the response (it doesn't matter if there
is a nonce in the reply or not, because the server might be
returning a cached response produced in response to a previous
request that was made with a nonce - although that wouldn't be
the behavior of a regular http proxy).
Ambarish
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Michael Myers
> Sent: Tuesday, September 30, 2003 8:08 AM
> To: ietf-pkix@xxxxxxx
> Subject: RE: OCSP response pre-production
>
>
>
> All,
>
> I was talking to some folks offlist on this subject yesterday
> and thought I might ask if it's possible we could all get
> behind the following simple fix.
>
>
> SYNTAX: Expand v1 OCSPResponseStatus syntax to
> include (7) noncesNotAccepted.
>
>
> SEMANTICS: Responders SHOULD respond back with the
> requestor's nonce but if they can't then SHALL
> respond with an error message of the value
> noncesNotAccepted.
>
> Requestors SHALL reject signed responses
> that fail to incorporate a supplied nonce.
>
> Upon receipt of noncesNotRequired, requestors
> MAY retry the request without using a nonce.
> Requestors are STRONGLY ADVISED that doing
> so MAY subject them to additional risk.
>
> Thus, essentially, requestors can set "nonce always" but if
> they want to they can have that overridden on a per-request basis.
>
> Opinions?
>
> Mike
>
>
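The client-side rules in this thread, Ambarish's (a)/(b) and Mike's proposed error status, written out as a worked example. This is added illustration code, not code from either message or from any OCSP implementation. It assumes a minimal in-memory response model (`OcspResponse` holding only the response status and the DER `Extensions` of the response data), encodes the nonce the RFC 8954 way (an OCTET STRING inside extnValue), and treats the status value `7 noncesNotAccepted` exactly as Mike proposed it, i.e. as a hypothetical value that no published RFC defines. The function names and the `allow_retry_without_nonce` policy knob are my own.

```python
"""Client-side OCSP nonce handling, following the rules discussed in this thread.

Only the nonce extension is DER-parsed (real id-pkix-ocsp-nonce OID); the rest
of the OCSP response is modelled by a small dataclass. Added example, not
taken from any OCSP implementation.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# DER body of OID 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce), without tag/length
NONCE_OID_BODY = bytes.fromhex("2b0601050507300102")

# OCSPResponseStatus: 0 is 'successful' per RFC 2560; 7 is the value proposed
# in Mike's message (hypothetical, not defined by any published RFC).
STATUS_SUCCESSFUL = 0
STATUS_NONCES_NOT_ACCEPTED = 7


@dataclass
class OcspResponse:
    status: int
    extensions: Optional[bytes] = None  # DER Extensions from ResponseData, if any


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Build Extensions ::= SEQUENCE OF Extension holding just the nonce."""
    ext_value = der_tlv(0x04, der_tlv(0x04, nonce))  # extnValue wraps Nonce OCTET STRING
    ext = der_tlv(0x30, der_tlv(0x06, NONCE_OID_BODY) + ext_value)
    return der_tlv(0x30, ext)


def extract_nonce(extensions_der: Optional[bytes]) -> Optional[bytes]:
    """Return the nonce carried in a DER Extensions value, or None if absent."""
    if extensions_der is None:
        return None
    tag, body, _ = der_read(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        etag, ebody, pos = der_read(body, pos)
        if etag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        oid_tag, oid, p = der_read(ebody)
        if oid_tag != 0x06:
            raise ValueError("extnID must be an OID")
        vtag, value, p = der_read(ebody, p)
        if vtag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
            vtag, value, p = der_read(ebody, p)
        if vtag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        if oid == NONCE_OID_BODY:
            inner_tag, inner, _ = der_read(value)
            if inner_tag != 0x04:
                raise ValueError("Nonce must be an OCTET STRING")
            return inner
    return None


def check_response(request_nonce: Optional[bytes], resp: OcspResponse,
                   allow_retry_without_nonce: bool = False) -> str:
    """Apply the thread's nonce rules; 'accept' means the nonce check passed
    (signature, validity-time and status checks still follow)."""
    if resp.status == STATUS_NONCES_NOT_ACCEPTED:
        # Mike's proposal: the client MAY retry nonce-less, taking on replay risk.
        return "retry-without-nonce" if allow_retry_without_nonce else "reject"
    if resp.status != STATUS_SUCCESSFUL:
        return "reject"  # any other error status carries nothing to accept
    response_nonce = extract_nonce(resp.extensions)
    if request_nonce is None:
        return "accept"  # (b): no nonce sent, so ignore any nonce in the reply
    # (a): nonce sent, so the reply must carry the same one (constant-time compare)
    if response_nonce is None or not hmac.compare_digest(request_nonce, response_nonce):
        return "reject"
    return "accept"


if __name__ == "__main__":
    n = bytes(range(16))  # constructed sample nonce
    for label, req, resp in [
        ("matching nonce", n, OcspResponse(0, encode_nonce_extension(n))),
        ("wrong nonce", n, OcspResponse(0, encode_nonce_extension(b"\xff" * 16))),
        ("nonce dropped", n, OcspResponse(0, None)),
        ("cached reply, none requested", None, OcspResponse(0, encode_nonce_extension(n))),
        ("noncesNotAccepted", n, OcspResponse(7, None)),
    ]:
        print(f"{label:30s} -> {check_response(req, resp)}")
```

The decoder is strict about the encoding it accepts; older responders that placed raw nonce bytes directly in extnValue would be rejected by `extract_nonce`, which is the conservative choice for a client that asked for a nonce.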