RE: OCSP response pre-production
> -----Original Message-----
> From: Florian Oelmaier
>
> . . .
>
> I am not a friend of adding an error message that
> adds nothing to the security of the protocol but
> introduces the need for a second round-trip
> into OCSPv1. As a client cannot really rely on the
> error message the situation will not get better.
> From a security point of view, the proposed error
> message does not bring any advantage (as it can be
> faked), technically it introduces the disadvantage of
> having to do two requests.
>
> *** I therefore suggest leaving OCSPv1 as it is
> (instead of making it worse) and working with David's
> extension to go in for OCSPv2. ***
Florian,
As I've been trying to explain, the capability for
error-triggered nonce discovery is already in place. An
environment called to task by a security auditor for sending a
canned response to a nonced request (the latter being, by
technical definition, an assertion by a relying party that the
RP does NOT wish to receive a canned response) can very easily
send back any unsigned error. It's best if we at least
standardize one for interoperability if nothing else.
Mike
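The exchange both mails describe, as an added Python model that is not part of the original thread: the nonce extension OID and the response status values are those of RFC 2560, while the three responder functions and the dict-shaped messages are assumptions standing in for real DER OCSPResponse structures, and no signatures are produced or checked. The `allow_fallback` flag is the relying party's policy for Florian's objection that an unsigned error can be faked to push a client into an un-nonced second request.

```python
# Added model of the nonced OCSP exchange discussed above; not code from the
# thread. Messages are plain dicts (assumption) standing in for DER structures.
import os

NONCE_OID = "1.3.6.1.5.5.7.48.1.2"  # id-pkix-ocsp-nonce (RFC 2560)
# OCSPResponseStatus values from RFC 2560 (value 4 is unused in the spec)
SUCCESSFUL, MALFORMED, INTERNAL_ERROR, TRY_LATER, SIG_REQUIRED, UNAUTHORIZED = 0, 1, 2, 3, 5, 6


def make_request(with_nonce: bool) -> dict:
    exts = {NONCE_OID: os.urandom(16)} if with_nonce else {}
    return {"extensions": exts}


def canned_responder(request: dict) -> dict:
    """Pre-producing responder that ignores the nonce and returns an earlier,
    signed response: the case the RP cannot tell from a live answer by status alone."""
    return {"status": SUCCESSFUL, "signed": True, "extensions": {}}


def honest_canned_responder(request: dict) -> dict:
    """Pre-producing responder following the reply's suggestion: a nonced
    request it cannot echo gets an unsigned error rather than a canned answer."""
    if NONCE_OID in request["extensions"]:
        return {"status": UNAUTHORIZED, "signed": False, "extensions": {}}
    return {"status": SUCCESSFUL, "signed": True, "extensions": {}}


def live_responder(request: dict) -> dict:
    """Responder that signs a fresh response echoing the client's nonce."""
    exts = {}
    if NONCE_OID in request["extensions"]:
        exts[NONCE_OID] = request["extensions"][NONCE_OID]
    return {"status": SUCCESSFUL, "signed": True, "extensions": exts}


def check_status(responder, allow_fallback: bool) -> tuple:
    """Relying-party side. Returns (verdict, round_trips):
    'fresh'  signed response echoing our nonce
    'stale'  signed response lacking our nonce (rejected: canned reply to a nonced request)
    'canned' accepted only after an explicit second, un-nonced request
    'error'  unsigned error and fallback disallowed (error could be forged)"""
    req = make_request(with_nonce=True)
    resp = responder(req)
    trips = 1
    if resp["signed"]:
        if resp["extensions"].get(NONCE_OID) == req["extensions"][NONCE_OID]:
            return "fresh", trips
        return "stale", trips
    if not allow_fallback:
        return "error", trips
    resp = responder(make_request(with_nonce=False))  # the second round-trip
    trips += 1
    ok = resp["signed"] and resp["status"] == SUCCESSFUL
    return ("canned" if ok else "error"), trips
```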