RE: OCSP response pre-production
I agree with this too, the support for nonces should be indicated in the
signed content, either as a special flag or as Julien suggested using
the nextUpdate field. I prefer any of these options over the definition
of a new (unsigned) error message.
Miguel A Rodriguez
SeguriDATA
Mexico
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Julien Stern
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ietf-pkix@xxxxxxx
> Subject: Re: OCSP response pre-production
>
>
> I fully agree with this too. The server has to indicate whether it
> supports nonces or not INSIDE the signed content. Server generated
> nonces are a way, this extension is another (hmm, well, the equivalent
> of server generated nonces would be an ICanProvideANonceIfYouWish
> extension, but ...).
> On the other hand, I think that it is dangerous to indicate this fact
> as an _unsigned_ error, as this error reply could easily be faked by an
> attacker, making him think a server does not support nonces while in
> fact it does.
>
> --
> Julien
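
The client-side consequence of the point made in this thread, as an added sketch that is not part of either message: a relying party should drop its nonce check only when authenticated content says the responder does not support nonces, never on an unsigned error. The `nonces_supported` flag, the message layout and the HMAC key are assumptions made for illustration; real OCSP responses carry an asymmetric signature over ResponseData.

```python
import hashlib
import hmac
import json

# Stand-in for the responder's signature key (constructed for this sketch).
RESPONDER_KEY = b"constructed-demo-key"


def sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RESPONDER_KEY, data, hashlib.sha256).hexdigest()


def signed_response(cert_status: str, nonce, nonces_supported: bool) -> dict:
    # "nonces_supported" is a hypothetical signed flag of the kind proposed above.
    body = {"cert_status": cert_status, "nonce": nonce,
            "nonces_supported": nonces_supported}
    return {"body": body, "sig": sign(body)}


def verified_body(message: dict):
    """Return the body only if it is present and its signature checks out."""
    body = message.get("body")
    if body is None:
        return None  # unsigned error: anyone on the path could have sent it
    if not hmac.compare_digest(sign(body), message.get("sig", "")):
        return None  # content was altered after signing
    return body


def may_skip_nonce_check(message: dict) -> bool:
    """True only when SIGNED content says the responder cannot do nonces."""
    body = verified_body(message)
    return body is not None and body.get("nonces_supported") is False


def accept(message: dict, sent_nonce: str) -> bool:
    """Decide whether to accept a reply to a request that carried sent_nonce."""
    body = verified_body(message)
    if body is None:
        return False
    return body.get("nonce") == sent_nonce or may_skip_nonce_check(message)


if __name__ == "__main__":
    # Constructed sample messages.
    print(may_skip_nonce_check({"error": "nonce_not_supported"}))  # unsigned
    print(accept(signed_response("good", None, False), "n-123"))   # pre-produced
    print(accept(signed_response("good", "old", True), "n-123"))   # stale reply
```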