
RE: DISCUSS: MUST reject in OCSPv1
> From: Ryan M. Hurst
> Sent: Friday, December 05, 2003 12:25 PM
>
> [rmh] But what prevents the nonce unsupported
>       response from being replayed?
While a caveated response can be replayed, it bears with it
unambiguous signed proof that the client's request for
anti-replay would not have been successful in the first place.

This is substantially different from replay of a nonceless
response captured from a server able and willing to support
nonces, but also able and willing to support non-nonced requests
(hence the capture and replay).

In the former case, the replay protection is not there to begin
with and the server/service is being forthright about that.  Any
lawyer will tell you, full disclosure is a good thing, especially
in the case when one has no contracted relationship with a
relying party.

In the latter case, anti-replay *is* available but the client is
being blocked from it by an attacker.  This is not so good.

Mike
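The three situations distinguished above, written out as the decision a client would make on a response to a nonced request. This is an added example for this page, not code from the thread or from any OCSP implementation; the nonce_unsupported flag stands in for whatever signed caveat the responder would carry, and the five-minute freshness window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac

@dataclass
class OcspResponse:
    """Constructed model of only the response fields this decision needs."""
    signature_ok: bool        # assumed already verified against the responder cert
    nonce: Optional[bytes]    # request nonce echoed back, or None if absent
    nonce_unsupported: bool   # hypothetical signed caveat: responder never does nonces
    this_update: datetime
    next_update: datetime

# Assumption: how long a caveated (nonceless) response may be reused before it is stale.
MAX_AGE = timedelta(minutes=5)

def classify(request_nonce: bytes, resp: OcspResponse, now: datetime) -> str:
    """Decide what a client may conclude from a response to a nonced request."""
    if not resp.signature_ok:
        return "reject: unsigned or bad signature"
    if resp.nonce is not None:
        # Nonce present: it must be the one we sent, compared in constant time.
        if hmac.compare_digest(resp.nonce, request_nonce):
            return "fresh: nonce matches"
        return "reject: nonce mismatch (replayed or misdirected response)"
    if resp.nonce_unsupported:
        # Responder signed a statement that anti-replay was never on offer (the
        # "former case"): replay is possible, so fall back to a bounded time window.
        in_validity = resp.this_update <= now <= resp.next_update
        if in_validity and now - resp.this_update <= MAX_AGE:
            return "accept-with-caveat: no anti-replay, but within freshness window"
        return "reject: caveated response outside freshness window"
    # No nonce and no caveat (the "latter case"): a nonce-capable responder would have
    # echoed it, so the nonce was most likely stripped by whoever replayed this response.
    return "reject: nonce missing without explanation"

def demo() -> dict:
    """Run the cases from the thread on constructed responses and a constructed clock."""
    nonce = bytes(range(16))                                  # constructed request nonce
    now = datetime(2003, 12, 5, 12, 25, tzinfo=timezone.utc)
    t0, t1 = now - timedelta(minutes=1), now + timedelta(days=1)
    echoed = OcspResponse(True, nonce, False, t0, t1)
    caveated = OcspResponse(True, None, True, t0, t1)
    stripped = OcspResponse(True, None, False, t0, t1)
    return {
        "echoed": classify(nonce, echoed, now),
        "caveated": classify(nonce, caveated, now),
        "caveated_later": classify(nonce, caveated, now + timedelta(hours=1)),
        "stripped": classify(nonce, stripped, now),
    }
```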