[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POLL: Nonce-specific error code for OCSP

To: ietf-pkix@xxxxxxx
Subject: Re: POLL: Nonce-specific error code for OCSP
From: Julien Pierre <jpierre@xxxxxxx>
Date: Thu, 16 Oct 2003 14:27:49 -0700
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: America On-Line, Inc
References: <>
Reply-to: jpierre@xxxxxxx
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

Florian Oelmaier wrote:

Rationale: My first idea was to say: if it is OPTIONAL for the responder to use that error code it is ok. But in fact even the OPTIONAL inclusion harms the security of the protocol, as an attacker can fool clients into believing a particular OCSP-Responder would not support nonces, when in fact it does.

Agreed. The OCSP responses with error codes are not signed, so this would present a security hole. We should not let the server return this error code in an unsigned response.

IMO, it would be acceptable to have an error code only if the response was signed and included a validity period. Each caching responder would have to prefetch such a response in order to be able to serve it back to clients that send nonces.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- RE: POLL: Nonce-specific error code for OCSP
  - From: Michael Myers

References:
- Re: POLL: Nonce-specific error code for OCSP
  - From: Florian Oelmaier

Prev by Date: Re: POLL: Nonce-specific error code for OCSP
Next by Date: Last Call: 'X.509 Extensions for IP Addresses and AS Identifiers' to Proposed Standard
Previous by thread: Re: POLL: Nonce-specific error code for OCSP
Next by thread: RE: POLL: Nonce-specific error code for OCSP
Index(es):
- Date
- Thread