RE: DISCUSS: MUST reject in OCSPv1
> I like the elegance of Russ and Florian's ideas for securely signalling
> that a server doesn't support nonces by using a special value for the
> nonce in replies. This seems like the "right" place to put this message
> to the client.
Just for the record: I think you are referring to our server-generated nonces when you talk about "Florian's idea". And while Russell is signalling "NonceUnsupported" with a special nonce value, we are signalling "NonceSupported" with the inclusion of a nonce into every request (mirrored from the request or server-generated). Thus we are not subject to the attack you mention, as this does not need any additional code in any existing client.
Russ's proposal is a change in the protocol. Thus we need to update all the clients and servers out there. Seeing that the proposed change is needed and recognizing it as a good solution, I would accept this.
--
Florian Oelmaier
SyTrust