
RE: DISCUSS: MUST reject in OCSPv1




If I could be assured that every OCSP client used to hit ocsp.verisign.com
would not include a nonce, then I would have no problem with a MUST reject.
However, because this environment receives requests from a heterogeneous
population of clients over which we have no administrative control (to
paraphrase an earlier email of yours), there will undoubtedly be cases where
cert validation will fail... not because the cert has been revoked, but
because the response does not include a nonce.

I believe that clients should have the ability to make up their own mind
(local policy) in determining if they should reject or accept such a
response.  A MUST reject would not allow for this or force a client to not
be compliant with the spec.

Alex



> -----Original Message-----
> From: Michael Myers [mailto:mmyers@xxxxxxxxx] 
> Sent: Friday, December 05, 2003 10:47 AM
> To: Ryan M. Hurst; ietf-pkix@xxxxxxx
> Subject: RE: DISCUSS: MUST reject in OCSPv1
> 
> 
> 
> 
> > From: Ryan M. Hurst
> > Sent: Friday, December 05, 2003 10:57 AM
> >
> > [rmh]As I said, I am willing to accept the
> > must reject if that means that others will
> > drop the idea of adding breaking changes to
> > the v1 protocol.
> 
> So now we've come full circle.  A plain MUST reject is where 
> we got started and which principle Russ affirmed in 
> Minneapolis. I'm curious what others think.
> 
> Mike
> 
>
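The case the thread argues over is a client that sent the id-pkix-ocsp-nonce extension (RFC 2560) and gets back a response without it. The following is an added illustration, not code from the thread or from any of the participants' products: it models both client positions side by side, a strict "MUST reject" policy and a local policy that tolerates the missing nonce, and shows what each does against a responder that echoes the nonce and one that never copies it. The `NoncePolicy` enum, the two toy responders, the simplified request/response records and the freshness bound used by the local policy are all assumptions made for this example; real OCSP messages are ASN.1 and also carry a signature, which is taken as already verified here.

```python
"""Client-side handling of the OCSP nonce extension (RFC 2560 id-pkix-ocsp-nonce).

Added example, not code from the mailing-list thread. The request/response
records, the two responders and NoncePolicy are stand-ins constructed here.
"""
import enum
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict

# OID of id-pkix-ocsp-nonce (RFC 2560, section 4.4.1).
OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"


class NoncePolicy(enum.Enum):
    # "MUST reject": a nonce was sent, so a response without one is invalid.
    MUST_REJECT = "must_reject"
    # Local policy: tolerate the missing nonce but bound replay by time instead.
    LOCAL_ACCEPT_IF_FRESH = "local_accept_if_fresh"


@dataclass
class OCSPRequest:
    serial: int
    extensions: Dict[str, bytes] = field(default_factory=dict)  # extnID -> value


@dataclass
class OCSPResponse:
    serial: int
    cert_status: str          # "good", "revoked" or "unknown"
    produced_at: float        # epoch seconds; stands in for producedAt
    extensions: Dict[str, bytes] = field(default_factory=dict)


class ValidationError(Exception):
    pass


def build_request(serial: int, with_nonce: bool = True) -> OCSPRequest:
    """Build a request; a random nonce binds the response to this request."""
    req = OCSPRequest(serial=serial)
    if with_nonce:
        req.extensions[OCSP_NONCE_OID] = os.urandom(16)
    return req


def responder_echoing_nonce(req, status_db, now=None) -> OCSPResponse:
    """Responder that signs a response per request and echoes any nonce."""
    resp = OCSPResponse(req.serial, status_db.get(req.serial, "unknown"),
                        time.time() if now is None else now)
    if OCSP_NONCE_OID in req.extensions:
        resp.extensions[OCSP_NONCE_OID] = req.extensions[OCSP_NONCE_OID]
    return resp


def responder_ignoring_nonce(req, status_db, now=None) -> OCSPResponse:
    """Responder that never copies the nonce (assumed behaviour, e.g. canned responses)."""
    return OCSPResponse(req.serial, status_db.get(req.serial, "unknown"),
                        time.time() if now is None else now)


def validate_response(req, resp, policy, max_age_s=600, now=None) -> str:
    """Return the certificate status or raise ValidationError (signature assumed checked)."""
    now = time.time() if now is None else now
    if resp.serial != req.serial:
        raise ValidationError("response is for a different certificate")

    sent = req.extensions.get(OCSP_NONCE_OID)
    echoed = resp.extensions.get(OCSP_NONCE_OID)

    if sent is None:
        # No nonce requested: nothing to bind; an unsolicited nonce is ignored.
        return resp.cert_status

    if echoed is not None:
        # Present but wrong means replay or a confused responder: reject under any policy.
        if not hmac.compare_digest(sent, echoed):
            raise ValidationError("nonce mismatch")
        return resp.cert_status

    # Nonce requested but absent: the disputed case.
    if policy is NoncePolicy.MUST_REJECT:
        raise ValidationError("nonce requested but not present in response")

    # Local policy: without a nonce, replay is bounded only by time, so require recency.
    if now - resp.produced_at > max_age_s:
        raise ValidationError("nonce absent and response too old to trust without one")
    return resp.cert_status


def outcome(req, resp, policy, **kw) -> str:
    """Fold a rejection into a string so the four cases can be tabulated."""
    try:
        return validate_response(req, resp, policy, **kw)
    except ValidationError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    db = {0x1234: "good"}  # constructed status table: serial -> status
    req = build_request(0x1234)
    for responder in (responder_echoing_nonce, responder_ignoring_nonce):
        resp = responder(req, db)
        for policy in NoncePolicy:
            print(responder.__name__, policy.name, "->", outcome(req, resp, policy))
```

Run stand-alone, the script prints the four combinations: the echoing responder passes under both policies, while the nonce-ignoring responder is accepted only under the local policy, and only while the response is recent. A mismatched nonce is rejected under every policy, since that is the one case the nonce exists to catch.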