
Re: DISCUSS: MUST reject in OCSPv1



Ryan M. Hurst wrote:
I don't think it's silly; the client is still protected from the replay if the server responds to a nonced request with an un-nonced one, as the client can decide if he wanted the protection or needed it.

Why can't the client decide this before making the request?


What does the client gain by making a nonced request but accepting a nonceless response?

That may sound strange, but the nonce has other implications than replay protection; it also implies freshness, since pre-produced responses cannot have the right nonce in them.

If the group wishes to address the use of nonces for more than replay prevention, then I think the only option is to devise a new OCSPv2 spec.


M.
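The client-side decision the two of us are arguing about, written out as an added example (this is not code from either poster or from any OCSP implementation). It hand-rolls just enough DER to build and read the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2) so it runs with the Python standard library only, and it assumes the RFC 8954 encoding in which extnValue is an OCTET STRING wrapping the nonce as an inner OCTET STRING. The `require_nonce` flag is the policy knob: a strict client rejects a nonceless reply to a nonced request, a lenient client accepts it but knowingly gives up both replay and freshness protection, and a response carrying a stale nonce (a pre-produced or replayed one) is rejected under either policy.

```python
"""Client-side handling of the OCSP nonce extension, standard library only.
Assumption (RFC 8954 form): extnValue is an OCTET STRING that wraps the
nonce as an inner OCTET STRING.  Sample nonces below are constructed."""

import secrets

NONCE_OID = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce


# --- minimal DER encoder --------------------------------------------------

def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    'critical' is DEFAULT FALSE and so must be omitted in DER."""
    inner = der_tlv(0x04, nonce)                     # Nonce ::= OCTET STRING
    return der_tlv(0x30, der_oid(NONCE_OID) + der_tlv(0x04, inner))


def encode_extensions(*exts: bytes) -> bytes:
    """Extensions ::= SEQUENCE OF Extension; empty SEQUENCE when none."""
    return der_tlv(0x30, b"".join(exts))


# --- minimal DER decoder --------------------------------------------------

def _parse_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extract_nonce(extensions_der: bytes):
    """Nonce bytes from a DER Extensions blob, or None if no nonce extension."""
    tag, seq, _ = _parse_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, ext, pos = _parse_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        _, oid_body, p = _parse_tlv(ext, 0)
        if decode_oid(oid_body) != NONCE_OID:
            continue
        vtag, value, p = _parse_tlv(ext, p)
        if vtag == 0x01:                              # explicit 'critical' BOOLEAN
            vtag, value, p = _parse_tlv(ext, p)
        itag, inner, _ = _parse_tlv(value, 0)
        return inner if itag == 0x04 else value       # tolerate the bare form too
    return None


# --- the policy decision under discussion ----------------------------------

def check_nonce(request_nonce: bytes, response_extensions_der: bytes,
                require_nonce: bool):
    """(accepted, reason).  require_nonce=True is the strict client; False is
    the lenient client that decided it does not need replay protection."""
    got = extract_nonce(response_extensions_der)
    if got is None:
        if require_nonce:
            return False, "nonce absent: response could be replayed or pre-produced"
        return True, "nonce absent: accepted without replay/freshness protection"
    if not secrets.compare_digest(got, request_nonce):
        return False, "nonce mismatch: stale or replayed response"
    return True, "nonce matches: response is fresh"


if __name__ == "__main__":
    nonce = secrets.token_bytes(16)                   # what the request carried
    fresh = encode_extensions(encode_nonce_extension(nonce))
    nonceless = encode_extensions()
    for policy in (True, False):
        print(policy, check_nonce(nonce, fresh, policy), check_nonce(nonce, nonceless, policy))
```

A practitioner would pair `require_nonce` with the caching decision at request time: if the client is going to accept a nonceless reply anyway, it is making the "I didn't need it" choice before sending, which is the point raised above.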
