
Re: POLL: MUST reject in OCSPv1



NO

As I have said many times previously, requiring the server to recognize a particular extension is incompatible with the current OCSP protocol definition.  If you remove item 4 from the proposed resolution (or change it to allow the server to include the extension), then I change my "vote" to YES.

Terry Hayes


Michael Myers wrote on 12/8/2003, 10:46 AM:
> 
> All, 
> 
> OK, so let's take a full-up poll on what we were looking at a 
> couple of weeks ago to see where we stand today.  Please respond 
> with either YES or NO.  Take discussions to the DISCUSS thread. 
> 
> This approach preserves installed base functionality and yet 
> enables a clear and technically complete resolution of the 
> various perspectives. 
> 
> To date, on the related DISCUSS thread, six have voiced 
> agreement to this path forward and two disagree.  From that 
> record: 
> 
> AGREE 
> ----- 
> David Engberg,      Corestreet 
> Florian Oelmaier,   Sytrust 
> Ambarish Malpani,   Cenzic 
> Marc Branchaud,     RSA 
> Miguel Rodriguez,   SeguriDATA 
> Frank Balluffi,     Deutsche Bank 
> 
> DISAGREE 
> -------- 
> Ryan Hurst,         Microsoft 
> Alex Deacon,        VeriSign 
> 
> 
> PROPOSED 
> -------- 
> The proposed resolution is as follows: 
> 
> 1. Cycle v1 as Proposed Standard.  It was well 
>    on its way to Draft but we'll pull it back. 
> 
> 2. Define nonceUnsupported extension subject 
>    to the following semantics. 
> 
> 3. Clients that send a nonce: 
> 
>    a. MUST reject a non-nonced response if 
>       that response includes either the value 
>       "good" or "revoked" AND it fails to 
>       include the nonceUnsupported extension; 
> 
>    b. Else, if such response includes the 
>       nonceUnsupported extension, clients 
>       MAY accept the response subject to the 
>       advice in the Security Considerations 
>       section of this document. 
> 
> 4. Conversely, if a server receives a nonced 
>    request but is unable to incorporate the 
>    nonce in its response, the server MUST 
>    include the nonceUnsupported extension. 
> 
> We now have clearance to cycle v1 at Proposed so that's no 
> longer a predicate. 
> 
> Thank you for your continued patience as we work towards 
> resolving this issue. 
> 
> Mike
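The client and server rules in items 3 and 4 of the quoted proposal, worked through as a small decision model. This is an added example, not code from the thread or from any OCSP implementation: the request and response are plain dataclasses rather than DER, the proposed nonceUnsupported extension is modelled as a boolean flag (the poll defines its semantics, not its encoding), the nonce is an assumed 16 random bytes, and status is one of the strings "good", "revoked" or "unknown". Only the nonce rules are evaluated; signature and validity-period checks are assumed to happen elsewhere.

```python
"""Decision model for the proposed OCSP nonceUnsupported semantics (example code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import secrets


class Verdict(Enum):
    ACCEPT = "accept"              # response echoes the nonce the client sent
    MAY_ACCEPT = "may-accept"      # item 3b: nonceUnsupported present, local policy decides
    REJECT = "reject"              # item 3a, or a nonce that does not match the request
    OUT_OF_SCOPE = "out-of-scope"  # non-nonced "unknown": item 3a says nothing about it


@dataclass
class OcspRequest:
    serial: int
    nonce: Optional[bytes]         # None when the client chooses not to send a nonce


@dataclass
class OcspResponse:
    serial: int
    status: str                    # "good", "revoked" or "unknown" (assumed encoding)
    nonce: Optional[bytes]         # echoed nonce, or None for a non-nonced response
    nonce_unsupported: bool = False  # presence of the proposed extension (assumed as a flag)


def build_request(serial: int, send_nonce: bool = True) -> OcspRequest:
    """Client side: a fresh random nonce binds this request to its response."""
    return OcspRequest(serial, secrets.token_bytes(16) if send_nonce else None)


def server_respond(req: OcspRequest, status: str, can_echo_nonce: bool,
                   honours_item4: bool = True) -> OcspResponse:
    """Server side. A responder that can bind the nonce echoes it; one that
    cannot (for instance one serving pre-produced responses) MUST, under item 4,
    set nonceUnsupported. honours_item4=False models an installed-base server
    that predates the proposal and sets nothing."""
    if req.nonce is not None and can_echo_nonce:
        return OcspResponse(req.serial, status, req.nonce)
    flag = req.nonce is not None and honours_item4
    return OcspResponse(req.serial, status, None, nonce_unsupported=flag)


def nonce_verdict(req: OcspRequest, resp: OcspResponse) -> Verdict:
    """Client side, items 3a/3b. Evaluates only the nonce rules."""
    if resp.serial != req.serial:
        return Verdict.REJECT
    if req.nonce is None:
        # The rules apply to "clients that send a nonce"; nothing to check here.
        return Verdict.ACCEPT
    if resp.nonce is not None:
        # Nonced response: it must echo exactly what was sent, else it could be a replay.
        ok = secrets.compare_digest(resp.nonce, req.nonce)
        return Verdict.ACCEPT if ok else Verdict.REJECT
    # Non-nonced response to a nonced request.
    if resp.nonce_unsupported:
        return Verdict.MAY_ACCEPT          # item 3b, subject to Security Considerations
    if resp.status in ("good", "revoked"):
        return Verdict.REJECT              # item 3a: MUST reject
    return Verdict.OUT_OF_SCOPE            # "unknown" without nonce is not covered by 3a


def walk_through() -> dict:
    """Run the cases a client can meet and return the verdict for each."""
    req = build_request(serial=4711)
    replayed = OcspResponse(req.serial, "good", secrets.token_bytes(16))  # foreign nonce
    return {
        "echoed": nonce_verdict(req, server_respond(req, "good", True)),
        "foreign_nonce": nonce_verdict(req, replayed),
        "flagged_legacy": nonce_verdict(req, server_respond(req, "revoked", False)),
        "silent_legacy": nonce_verdict(req, server_respond(req, "good", False, False)),
        "silent_unknown": nonce_verdict(req, server_respond(req, "unknown", False, False)),
    }


if __name__ == "__main__":
    for case, verdict in walk_through().items():
        print(f"{case:15s} -> {verdict.value}")
```

The "silent_legacy" case is the one the vote is about: a server that never learned about item 4 returns a non-nonced "good" and the client has no way to tell that from a replayed pre-produced response, so item 3a forces a reject. With item 4 in place the same server marks the response and the decision moves to client policy.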