
RE: OCSP response pre-production



> What would you think if it'd also define an extension that the client 
> can use in a request including a nonce, in order to indicate it will 
> accept an answer without a nonce if it includes the 
> pre-produced extension.

If we do that, I agree with your course, Jean-Marc. Otherwise I would
feel strongly against it. In any case I would vote to go with David's
proposal - it seems simpler to me while accomplishing the same task
with additional security.

> The server would be breaking RFC 2560 by sending back the 
> pre-produced 
> answer, but only with a client that has explicitly indicated it is 
> expecting this behaviour.

Once again: RFC 2560 allows sending of nonceless responses to nonced
requests. It clearly states that processing of every extension (and
"nonce" is an extension) is optional for both responder and client. And
OPTIONAL is clearly defined. So if we define that request extension, the
responder would be fully on the ground of RFC 2560.

In fact I would bet that currently nearly all caching servers send back
nonceless responses to nonced requests - as this is what the RFC seems
to suggest in its current wording. At least this is what our responder
does when configured for caching.

-- 
Florian Oelmaier
SyTrust
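
The client-side policy discussed in this thread, as an added example that is
not part of the original message or of any product mentioned in it. It models
the nonce handling of RFC 2560 plus the proposed opt-in: the client sends a
nonce and, optionally, a request extension saying it will accept a nonceless
answer if the responder marks that answer as pre-produced. The nonce OID is the
real id-pkix-ocsp-nonce; the two OIDs for "accept pre-produced" and
"pre-produced" are made up for illustration, as is the simplified message
model (no DER, no signature check). When a nonceless answer is accepted, the
code falls back to the thisUpdate/nextUpdate window checks RFC 2560 already
asks clients to perform, because that window is then the only replay bound.

```python
"""OCSP client nonce policy with an opt-in for pre-produced responses.

Added example; not code from the thread or from any OCSP responder.
Request/response are modelled as plain extension dicts, not DER.
"""
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Real OID from RFC 2560: id-pkix-ocsp-nonce.
OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"
# HYPOTHETICAL OIDs standing in for the extensions proposed in the thread.
# Neither is registered; they only mark "client accepts pre-produced" in a
# request and "this response was pre-produced" in a response.
OID_ACCEPT_PREPRODUCED = "1.3.6.1.4.1.99999.1"
OID_PREPRODUCED = "1.3.6.1.4.1.99999.2"
ASN1_NULL = b"\x05\x00"  # presence of the extension is all that matters


@dataclass
class OCSPRequest:
    extensions: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class OCSPResponse:
    this_update: datetime
    next_update: Optional[datetime]
    extensions: Dict[str, bytes] = field(default_factory=dict)


def build_request(accept_preproduced: bool, nonce_len: int = 16) -> OCSPRequest:
    """Nonced request; optionally opts in to a nonceless pre-produced answer."""
    req = OCSPRequest()
    req.extensions[OID_OCSP_NONCE] = os.urandom(nonce_len)
    if accept_preproduced:
        req.extensions[OID_ACCEPT_PREPRODUCED] = ASN1_NULL
    return req


def check_response(req: OCSPRequest, resp: OCSPResponse, now: datetime,
                   max_age: timedelta = timedelta(days=7),
                   skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Decide whether the client may rely on resp as an answer to req."""
    req_nonce = req.extensions.get(OID_OCSP_NONCE)
    resp_nonce = resp.extensions.get(OID_OCSP_NONCE)

    if req_nonce is not None and resp_nonce is not None:
        # Live answer: the nonce binds the response to this exact request.
        if resp_nonce != req_nonce:
            return False, "nonce mismatch: response is not for this request"
        return True, "fresh: nonce matched"

    if req_nonce is not None and resp_nonce is None:
        # Nonceless answer to a nonced request. Take it only if we opted in
        # AND the responder explicitly marked it as pre-produced.
        if OID_ACCEPT_PREPRODUCED not in req.extensions:
            return False, "nonceless response to nonced request; client did not opt in"
        if OID_PREPRODUCED not in resp.extensions:
            return False, "nonceless response not marked as pre-produced"

    # No nonce requested, or a pre-produced answer was accepted: replay
    # protection now rests on the validity window (RFC 2560 section 4.2.2.1).
    if resp.this_update > now + skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None and now > resp.next_update + skew:
        return False, "response expired: nextUpdate has passed"
    if now - resp.this_update > max_age:
        return False, "response older than local max_age policy"
    return True, "accepted on validity window (replayable within that window)"


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios (not captured traffic) exercising each branch."""
    now = datetime(2002, 1, 1, 12, 0, tzinfo=timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    plain = build_request(accept_preproduced=False)
    opt_in = build_request(accept_preproduced=True)
    nonce = plain.extensions[OID_OCSP_NONCE]
    live = OCSPResponse(now - h, now + d, {OID_OCSP_NONCE: nonce})
    wrong = OCSPResponse(now - h, now + d, {OID_OCSP_NONCE: os.urandom(16)})
    cached = OCSPResponse(now - h, now + d, {OID_PREPRODUCED: ASN1_NULL})
    stale = OCSPResponse(now - 2 * d, now - d, {OID_PREPRODUCED: ASN1_NULL})
    unmarked = OCSPResponse(now - h, now + d)
    return {
        "live_nonce_matches": check_response(plain, live, now)[0],
        "live_nonce_mismatch": check_response(plain, wrong, now)[0],
        "nonceless_without_opt_in": check_response(plain, cached, now)[0],
        "preproduced_with_opt_in": check_response(opt_in, cached, now)[0],
        "preproduced_but_expired": check_response(opt_in, stale, now)[0],
        "nonceless_unmarked_with_opt_in": check_response(opt_in, unmarked, now)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'accept' if ok else 'reject'}")
```

The point of the two separate flags is the one made in the thread: a
responder that answers a nonced request without a nonce is only unsurprising
to a client that asked for that behaviour, and the client can then apply a
tighter max_age than it would to a live answer.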