
RE: DISCUSS: MUST reject in OCSPv1





I like the elegance of Russ and Florian's ideas for securely signalling that a server doesn't support nonces by using a special value for the nonce in replies. This seems like the "right" place to put this message to the client.

We do have to keep in mind these approaches do still expose a replay potential when a "new" client that supports this system communicates with any "old" OCSP server that currently supports nonces.

Here's the attack: Alice makes an OCSP request for her cert in the morning (when her cert is valid) with a nonce value of NULL (or whatever the special signalling value is). All existing servers will return a response that includes this special value as the nonce, since they all just spit back the raw bytes of whatever nonce they receive. Alice records the response.

In the afternoon, Bob makes a request to get the status of her cert, after she has been revoked. Alice intercepts the request, replays the cached response, and Bob's new client thinks that the server is indicating that it doesn't support nonces, so he accepts the response anyway.

Sending the "nonce not supported" message from the server to the client through a separate new extension is a little more clunky, but it might be worth it to avoid any issues with backward compatibility.
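
The backward-compatibility problem described in this message, modeled as an added example that is not part of the original e-mail: it compares a client that treats a reserved nonce value as the "no nonce support" signal with one that requires a separate signed extension, against an existing responder that echoes nonce bytes. Assumptions: HMAC stands in for the responder's signature, and the reserved value, the extension flag and all function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

RESPONDER_KEY = b"constructed-demo-key"  # HMAC stands in for the responder signature
RESERVED_NONCE = b"\x00"                  # hypothetical "nonces not supported" value

@dataclass(frozen=True)
class Response:
    status: str
    nonce: bytes
    no_nonce_ext: bool  # hypothetical separate "nonce not supported" extension
    sig: bytes

def _sign(status, nonce, no_nonce_ext):
    msg = status.encode() + b"|" + nonce + b"|" + bytes([no_nonce_ext])
    return hmac.new(RESPONDER_KEY, msg, hashlib.sha256).digest()

def legacy_responder(status, request_nonce):
    """Existing nonce-supporting server: echoes the request nonce bytes verbatim."""
    return Response(status, request_nonce, False,
                    _sign(status, request_nonce, False))

def signature_ok(r):
    return hmac.compare_digest(r.sig, _sign(r.status, r.nonce, r.no_nonce_ext))

def accept_reserved_value(sent_nonce, r):
    """New client, in-nonce signalling: the reserved value waives the nonce match."""
    return signature_ok(r) and r.nonce in (sent_nonce, RESERVED_NONCE)

def accept_separate_extension(sent_nonce, r):
    """New client, separate extension: only the signed flag waives the nonce match."""
    return signature_ok(r) and (r.nonce == sent_nonce or r.no_nonce_ext)

def replay_outcome():
    # Morning: status is good and the request carried the reserved value as its nonce.
    recorded = legacy_responder("good", RESERVED_NONCE)
    # Afternoon: status is revoked; the relying party sends a fresh nonce but is
    # handed the recorded morning response instead of a fresh one.
    fresh = os.urandom(16)
    honest = legacy_responder("revoked", fresh)
    return {
        "reserved_value_accepts_stale": accept_reserved_value(fresh, recorded),
        "extension_accepts_stale": accept_separate_extension(fresh, recorded),
        "extension_accepts_fresh": accept_separate_extension(fresh, honest),
    }
```

The stale response passes signature verification in both cases; only the client that looks for a separately signed flag rejects it, because an echoing server never sets that flag.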