
Re: POLL: Nonce-specific error code for OCSP



> Should we standardize an OCSP *V1* error code that enables a
> responder to indicate its inability to respond to nonced
> requests?
> 
> Please respond with either YES or NO.

NO

Rationale: 
My first idea was to say: if it is OPTIONAL for the responder to use that error code it is ok. But in fact even the OPTIONAL inclusion harms the security of the protocol, as an attacker can fool clients into believing a particular OCSP responder would not support nonces, when in fact it does.

My conclusion: Don't include such an error code, for security reasons. If other reasons (yet unknown to me) overrule these concerns, make the use of this error code OPTIONAL for responders to allow compatibility with existing installations and not to harm the functionality of the protocol.

-- 
Florian Oelmaier
SyTrust
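The downgrade the message above warns about, written out as an added simulation (this is not code from the thread, from SyTrust, or from any OCSP implementation). It models the one OCSP property the argument hinges on: a non-successful OCSPResponseStatus carries no responseBytes and therefore no signature, so a "nonce unsupported" error is indistinguishable from one injected on the path. Message encoding, the responder key, serial numbers and the "nonceUnsupported" status name are all assumed stand-ins; an HMAC replaces the responder's real signature.

```python
import hashlib
import hmac
import json
import os

# Hypothetical key standing in for the responder's signing key. Real OCSP
# responses are signed with RSA/ECDSA and checked against the responder cert.
RESPONDER_KEY = b"hypothetical-ocsp-responder-key"


def sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RESPONDER_KEY, data, hashlib.sha256).hexdigest()


def verify(body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(body), sig)


class Responder:
    """Honest, nonce-aware responder: the request nonce is echoed inside the signed body."""

    def __init__(self, status_by_serial: dict):
        self.status_by_serial = status_by_serial

    def respond(self, request: dict) -> dict:
        body = {
            "serial": request["serial"],
            "certStatus": self.status_by_serial.get(request["serial"], "unknown"),
            "nonce": request.get("nonce"),  # None when the request carried no nonce
        }
        return {"responseStatus": "successful", "body": body, "sig": sign(body)}


def nonce_unsupported_error() -> dict:
    # Like every non-successful OCSP status this has no signed bytes, so the
    # client cannot tell whether the responder or an attacker produced it.
    return {"responseStatus": "nonceUnsupported"}


class Attacker:
    """On-path attacker holding a genuinely signed but stale 'good' response."""

    def __init__(self, replayed_response: dict):
        self.replayed = replayed_response

    def relay(self, request: dict) -> dict:
        if "nonce" in request:
            return nonce_unsupported_error()  # forged: the real responder supports nonces
        return self.replayed                  # replay once the client drops the nonce


class Client:
    def __init__(self, downgrade_on_error: bool):
        # True models a client that honours the proposed error code by retrying
        # without a nonce; False models a client that never gives up freshness.
        self.downgrade_on_error = downgrade_on_error

    def check(self, serial: str, transport) -> str:
        nonce = os.urandom(16).hex()
        expected_nonce = nonce
        response = transport({"serial": serial, "nonce": nonce})
        if response["responseStatus"] == "nonceUnsupported" and self.downgrade_on_error:
            response = transport({"serial": serial})
            expected_nonce = None
        if response["responseStatus"] != "successful":
            return "undetermined"  # no signed answer; caller decides its policy
        body, sig = response["body"], response["sig"]
        if not verify(body, sig) or body["serial"] != serial:
            return "undetermined"
        if body["nonce"] != expected_nonce:
            return "undetermined"  # replayed or mismatched nonce
        return body["certStatus"]


def run_attack(downgrade_on_error: bool) -> str:
    """Constructed scenario: a 'good' answer is recorded, the cert is then revoked."""
    serial = "1234"
    responder = Responder({serial: "good"})
    stale_good = responder.respond({"serial": serial})  # captured while still valid
    responder.status_by_serial[serial] = "revoked"
    return Client(downgrade_on_error).check(serial, Attacker(stale_good).relay)


def run_honest() -> str:
    responder = Responder({"1234": "revoked"})
    return Client(downgrade_on_error=False).check("1234", responder.respond)


if __name__ == "__main__":
    print("honest responder:        ", run_honest())
    print("attacker, client downgrades:", run_attack(True))
    print("attacker, client strict:    ", run_attack(False))
```

The client that honours the unsigned error code ends up trusting a replayed "good" answer for a revoked certificate, which is exactly the point: whether the responder's use of the code is OPTIONAL changes nothing, because the attacker, not the responder, is the one emitting it.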