
Re: DISCUSS: MUST reject in OCSPv1

Unfortunately, I think the answer to Ryan's specific question is no. If you send a nonce and get back a response without that nonce under the current spec, you know either:

a) The server does not support nonces
b) An attacker is replaying a recorded response from a nonce-supporting server


I think there needs to be another flag in the response (e.g. nonceUnsupported extension) to securely separate 'a' from 'b'.


Ryan M. Hurst wrote:


  1. What the responder returns if it can not return a nonce
  2. What the client must do when it receives a response to a nonced request

...

My take on #1 is that I don't see why the client needs to know that; after all, if the response to a nonced request does not contain the same nonce, doesn't that mean the server was unable to produce a nonced response?
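The two cases the message distinguishes, as an added toy model that is not code from the thread or from any OCSP implementation: a client that reads a missing nonce as "responder lacks nonce support" accepts the same nonce-free response whether it came from such a responder or was recorded from a nonce-capable responder and replayed, while a client that demands a signed nonceUnsupported flag can tell the two apart. The field names, the HMAC standing in for the responder's signature, and the demo key are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo key standing in for the responder's signing key.
RESPONDER_KEY = b"constructed-demo-responder-key"


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: str                 # "good" / "revoked" / "unknown"
    nonce: Optional[bytes]      # echoed id-pkix-ocsp-nonce value, or None
    nonce_unsupported: bool     # hypothetical extension proposed in the message
    sig: bytes                  # covers every field above


def _sign(serial: int, status: str, nonce: Optional[bytes], flag: bool) -> bytes:
    # The flag only helps if the responder's signature covers it, so it is
    # part of the signed data here (HMAC stands in for the real signature).
    data = f"{serial}|{status}|{(nonce or b'').hex()}|{flag}".encode()
    return hmac.new(RESPONDER_KEY, data, hashlib.sha256).digest()


def respond(serial: int, status: str, req_nonce: Optional[bytes],
            supports_nonce: bool) -> OcspResponse:
    """Honest responder: echo the nonce if it can, else assert that it cannot."""
    nonce = req_nonce if supports_nonce else None
    flag = not supports_nonce
    return OcspResponse(serial, status, nonce, flag, _sign(serial, status, nonce, flag))


def _signature_ok(resp: OcspResponse) -> bool:
    expected = _sign(resp.serial, resp.status, resp.nonce, resp.nonce_unsupported)
    return hmac.compare_digest(expected, resp.sig)


def accepts_current_spec(resp: OcspResponse, req_nonce: bytes) -> bool:
    """Client that treats a missing nonce as 'responder lacks nonce support'
    (the reading questioned in the message): cannot tell case a from case b."""
    return _signature_ok(resp) and resp.nonce in (None, req_nonce)


def accepts_with_flag(resp: OcspResponse, req_nonce: bytes) -> bool:
    """Client that requires either its own nonce echoed back, or a *signed*
    statement that the responder does not support nonces."""
    if not _signature_ok(resp):
        return False
    if resp.nonce == req_nonce:
        return True
    return resp.nonce is None and resp.nonce_unsupported
```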