Dave,
Even if we do nothing, means currently exist for clients to
discover if a server respects nonces via error signalling. A
non-nonced response to a nonced request itself being an error in
perhaps then 11 of 12 client-side implementations, including your
own.
All along I've been trying to avoid opening the Pandora's box of
OCSPv2, but I guess it's time to do so.
The simple fix I most recently proposed could, I believe, be
applied to RFC 2560 as it progresses from Proposed to Draft due
to the poll's consensus. Meanwhile, I strongly suspect that the
syntax and semantic changes of more sophisticated solutions will
force a version delta, a new I-D and all that entails regarding
WG, IETF and IESG ratification. That is, OCSPv2.
We have a narrow window of opportunity to fix v1 as proposed and
so stem the tide of unilateral approaches to resolving its
current ambiguity regarding the use of nonces. This way,
everybody's at least on the same page in the near term.
I propose we do so and in parallel move on to v2. The v2
discussions will predictably lead us into latent issues not
associated with nonces. As these things go, that will take a
while.
Do you agree to this course of action?
Mike
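The client-side behaviour Mike describes (a nonced request answered by a non-nonced response being treated as an error) is illustrated below with an added example; it is not code from this thread or from any of the implementations mentioned. It assumes the id-pkix-ocsp-nonce extension (1.3.6.1.5.5.7.48.1.2) carries its nonce as a DER OCTET STRING inside extnValue, which is the form RFC 8954 later fixed, and it uses a 32-byte nonce; the minimal DER helpers cover only the extension encoding the check needs, not a full OCSP message.

```python
"""Client-side OCSP nonce policy check (added example, not from the thread).

Assumed encoding: extnValue of id-pkix-ocsp-nonce wraps the nonce as a DER
OCTET STRING (RFC 8954 form).  Only non-critical extensions are produced,
but a critical flag is tolerated when decoding.
"""
import hmac
import os

OCSP_NONCE_OID = (1, 3, 6, 1, 5, 5, 7, 48, 1, 2)  # id-pkix-ocsp-nonce


def _der_len(n):
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_extensions(exts):
    """exts: list of (oid tuple, extnValue bytes) -> DER Extensions."""
    items = b"".join(_tlv(0x30, _encode_oid(oid) + _tlv(0x04, val))
                     for oid, val in exts)
    return _tlv(0x30, items)


def decode_extensions(der):
    """DER Extensions -> {oid tuple: extnValue bytes}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        _, oid_body, p = _read_tlv(ext, 0)
        t, val, p = _read_tlv(ext, p)
        if t == 0x01:  # optional critical BOOLEAN; extnValue follows it
            t, val, p = _read_tlv(ext, p)
        exts[_decode_oid(oid_body)] = val
    return exts


def new_nonce():
    return os.urandom(32)  # 32 bytes is this example's choice


def nonce_extension(nonce):
    """Build the (oid, extnValue) pair the client sends in its request."""
    return (OCSP_NONCE_OID, _tlv(0x04, nonce))


def check_response_nonce(request_nonce, response_extensions_der):
    """Verdict a strict client reaches: 'ok', 'missing' or 'mismatch'.

    'missing' is the case the thread discusses: the request carried a
    nonce but the responder ignored it, so freshness cannot be shown.
    """
    if request_nonce is None:
        return "ok"  # client sent no nonce, so there is nothing to bind
    exts = decode_extensions(response_extensions_der) if response_extensions_der else {}
    if OCSP_NONCE_OID not in exts:
        return "missing"
    tag, inner, _ = _read_tlv(exts[OCSP_NONCE_OID], 0)
    if tag != 0x04 or not hmac.compare_digest(inner, request_nonce):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    n = new_nonce()
    echoed = encode_extensions([nonce_extension(n)])      # responder honoured the nonce
    print(check_response_nonce(n, echoed), check_response_nonce(n, b""))
```

A client that treats "missing" as an error is exactly what lets it discover, without any protocol change, whether a given responder honours nonces; a client that downgrades "missing" to a warning gets a reply it cannot distinguish from a replayed one.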