RE: DISCUSSION: Nonce-specific error code for OCSP
It seems to me that an extended response is no improvement upon
a plain response when applied to replay detection. It too can
be replayed because there is no dynamic binding between request
and response. That's what the nonce extension was defined to
enable: client-side elimination of replay risks via dynamic
binding.
Further, the requestor which sent a nonce and received a
non-nonced response can today infer "responder does not support
nonces." Something like 11 of 12 client-side implementors claim
ability to detect such. Inclusion of an extension which in
effect asserts that "I as responder give myself permission to
disregard your nonce" does nothing to improve upon that.
Mike
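The replay argument above can be made concrete with a small client-side model. The following is an added example written for this page, not code from the thread or from any OCSP implementation: it models the nonce extension as a per-request random value that the client expects echoed back, and models the proposed extended response as a hypothetical `nonce_ignored` flag (an assumption; no such extension is defined). The names `OCSPRequest`, `OCSPResponse`, `make_request`, `answer`, `classify` and `replay_demo`, and the 300-second freshness window, are all constructed here. Running it shows that a nonce-aware responder's captured answer is rejected on replay (nonce mismatch), whereas the extended response is classified identically whether fresh or replayed, leaving only the producedAt time window as a defence.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of the OCSP nonce extension: the client puts a
# fresh random value in the request and expects the same value echoed in the
# response. "nonce_ignored" stands in for the extended response discussed in
# the thread (hypothetical; not a real OCSP extension).

NONCE_BYTES = 16          # local choice; the nonce is just an opaque octet string
MAX_RESPONSE_AGE = 300    # seconds; fallback freshness window when no nonce binding exists


@dataclass(frozen=True)
class OCSPRequest:
    serial: int
    nonce: Optional[bytes]          # None when the client sent no nonce extension


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: str                     # "good" | "revoked" | "unknown"
    produced_at: float              # seconds since epoch
    nonce: Optional[bytes] = None   # echoed nonce, or None if the responder omitted it
    nonce_ignored: bool = False     # hypothetical "I disregard your nonce" assertion


def make_request(serial: int, with_nonce: bool = True) -> OCSPRequest:
    """Client side: a fresh random nonce per request is what creates the binding."""
    return OCSPRequest(serial, secrets.token_bytes(NONCE_BYTES) if with_nonce else None)


def answer(req: OCSPRequest, supports_nonce: bool, assert_ignored: bool = False,
           now: Optional[float] = None) -> OCSPResponse:
    """Responder side. A nonce-aware responder echoes the request nonce; the
    hypothetical extended responder instead flags that it disregarded it."""
    produced = time.time() if now is None else now
    if supports_nonce and req.nonce is not None:
        return OCSPResponse(req.serial, "good", produced, nonce=req.nonce)
    return OCSPResponse(req.serial, "good", produced, nonce=None, nonce_ignored=assert_ignored)


def classify(req: OCSPRequest, resp: OCSPResponse, now: Optional[float] = None) -> str:
    """Client-side acceptance decision.

    "bound"    : nonce echoed and equal, so the response is tied to this request
    "mismatch" : wrong serial, or a nonce that differs (replay of another exchange)
    "unbound"  : no nonce in the response; only producedAt freshness is available
    "stale"    : unbound and outside the freshness window
    """
    if resp.serial != req.serial:
        return "mismatch"
    if req.nonce is not None and resp.nonce is not None:
        return "bound" if secrets.compare_digest(req.nonce, resp.nonce) else "mismatch"
    current = time.time() if now is None else now
    if current - resp.produced_at > MAX_RESPONSE_AGE:
        return "stale"
    return "unbound"


def replay_demo() -> dict:
    """Replay a captured response against a later request, with and without nonce
    support, and return the client's verdict in each case (constructed scenario)."""
    t0 = 1_000_000.0
    serial = 0x1234

    # Nonce-aware responder: the captured response carries the first request's nonce.
    first = make_request(serial)
    captured = answer(first, supports_nonce=True, now=t0)
    later = make_request(serial)

    # Extended responder: the captured response only asserts "nonce disregarded".
    first_ext = make_request(serial)
    captured_ext = answer(first_ext, supports_nonce=False, assert_ignored=True, now=t0)
    later_ext = make_request(serial)
    fresh_ext = answer(later_ext, supports_nonce=False, assert_ignored=True, now=t0 + 10)

    return {
        "nonce_responder_replay": classify(later, captured, now=t0 + 10),
        "extended_responder_replay": classify(later_ext, captured_ext, now=t0 + 10),
        "extended_responder_fresh": classify(later_ext, fresh_ext, now=t0 + 10),
        "extended_responder_old_replay": classify(later_ext, captured_ext, now=t0 + 600),
    }


if __name__ == "__main__":
    for case, verdict in replay_demo().items():
        print(f"{case}: {verdict}")
```

The two extended-responder verdicts in `replay_demo` come out the same ("unbound") for the fresh and the replayed response, which is the point of the message: without the echoed nonce the client has nothing request-specific to compare, so the extension only restates what a missing nonce already told it.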