
RE: DISCUSS: MUST reject in OCSPv1



I am concerned with the idea of making any change to the standard that
"changes the 5 year old protocol".

This is particularly true since I don't see anyone on the list saying
this NonceUnsupported is needed, just that they would accept it.

I still think what is done with the nonce is a matter of local (client)
policy, and that, if replay protection is desired, responses not
containing the requested nonce MUST be rejected.

But since I appear to be odd man out on this, I would rather see us fall
back to Russ's original recommendation of MUST reject than break a
5-year-old standard.

Ryan
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Florian Oelmaier
Sent: Thursday, December 04, 2003 1:47 AM
To: David Engberg; ietf-pkix@xxxxxxx
Subject: RE: DISCUSS: MUST reject in OCSPv1



> I like the elegance of Russ and Florian's ideas for securely
> signalling that a server doesn't support nonces by using a special
> value for the nonce in replies.  This seems like the "right" place
> to put this message to the client.

Just for the record: I think you are referring to our server-generated
nonces when you talk about "Florian's idea". And while Russel is
signalling "NonceUnsupported" with a special nonce-value, we are
signalling "NonceSupported" with the inclusion of a nonce into every
request (mirrored from the request or server-generated). Thus we are not
subject to the attack you mention, as this does not need any additional
code in any existing client.

Russ's proposal is a change in the protocol. Thus we need to update all
the clients and servers out there. Seeing that the proposed change is
needed and recognizing it as a good solution, I would accept this.

-- 
Florian Oelmaier
SyTrust
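Editor's note: the client-side policy argued for above (reject a response that does not carry the requested nonce when replay protection is wanted) is easy to state and easy to get wrong. The following is an added example, not code from either poster or from any OCSP implementation. It models only the fields relevant to the nonce check (the DER/ASN.1 encoding, signature verification and the thisUpdate/nextUpdate freshness window are out of scope), and the 16-byte nonce length, the `OCSPRequest`/`OCSPResponse` shapes and the two responder behaviours are assumptions for illustration. It shows why the strict policy matters: a captured response from a mirroring responder is rejected on replay because the nonce no longer matches, while a responder that omits the nonce is only caught when the client actually enforces the rule.

```python
"""Model of the OCSP nonce check discussed in the thread (added example)."""
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

NONCE_LEN = 16  # assumption for this example; the protocol does not fix a length here


@dataclass(frozen=True)
class OCSPRequest:
    """The parts of an OCSP request that matter for the nonce check (modelled, not DER)."""
    cert_serial: int
    nonce: Optional[bytes]  # None when the client did not ask for one


@dataclass(frozen=True)
class OCSPResponse:
    """The parts of a signed OCSP response that matter for the nonce check (modelled)."""
    cert_serial: int
    cert_status: str        # "good", "revoked" or "unknown"
    nonce: Optional[bytes]  # None when the responder put no nonce in the response


def new_request(cert_serial: int, with_nonce: bool = True) -> OCSPRequest:
    """Client side: build a request, with a fresh random nonce unless told otherwise."""
    nonce = os.urandom(NONCE_LEN) if with_nonce else None
    return OCSPRequest(cert_serial, nonce)


def responder_mirroring_nonce(req: OCSPRequest) -> OCSPResponse:
    """Responder that mirrors the request nonce into its response (the original behaviour)."""
    return OCSPResponse(req.cert_serial, "good", req.nonce)


def responder_without_nonce(req: OCSPRequest) -> OCSPResponse:
    """Responder that never includes a nonce, e.g. one serving pre-produced responses."""
    return OCSPResponse(req.cert_serial, "good", None)


def check_response(req: OCSPRequest, resp: OCSPResponse,
                   require_replay_protection: bool = True) -> Tuple[bool, str]:
    """Client policy from the thread: accept only if the requested nonce comes back.

    Returns (accepted, reason). A special 'nonce unsupported' marker value, if a
    protocol ever defined one, would have to be treated like an absent nonce here:
    it proves support, not freshness.
    """
    if resp.cert_serial != req.cert_serial:
        return False, "response is for a different certificate"
    if req.nonce is None:
        return True, "no nonce requested; freshness rests on the response time fields"
    if resp.nonce is None:
        if require_replay_protection:
            return False, "requested nonce absent: cannot exclude a replayed response"
        return True, "requested nonce absent; accepted by local policy"
    if resp.nonce != req.nonce:
        return False, "nonce mismatch: response was not produced for this request"
    return True, "nonce matches: response is fresh"


def replay_attempt(responder: Callable[[OCSPRequest], OCSPResponse],
                   require_replay_protection: bool = True) -> Tuple[bool, str]:
    """An attacker records the answer to one request and replays it against a later one."""
    serial = 0x1234  # constructed sample serial
    first = new_request(serial)
    captured = responder(first)   # observed on the wire by the attacker
    second = new_request(serial)  # same certificate, new nonce
    return check_response(second, captured, require_replay_protection)


if __name__ == "__main__":
    live = new_request(0x1234)
    print("live, mirroring responder:", check_response(live, responder_mirroring_nonce(live)))
    print("replay, mirroring responder:", replay_attempt(responder_mirroring_nonce))
    print("replay, no-nonce responder, strict:", replay_attempt(responder_without_nonce))
    print("replay, no-nonce responder, lenient:",
          replay_attempt(responder_without_nonce, require_replay_protection=False))
```

The last line of the demo is the case the thread is about: with the lenient policy a responder that silently drops the nonce leaves the client unable to tell a replayed response from a fresh one, which is why the poster wants "MUST reject" as the rule whenever replay protection is the goal.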