
RE: DISCUSS: MUST reject in OCSPv1




At 6:54 +0000 12/5/03, Liaquat Khan wrote:
Ryan,

We also agree with your viewpoint, particularly the point about a nonce
being a matter for local client policy.


In the various OCSP clients we have, the option of whether to include
nonce or not in the request message is left to local policy (i.e. the
administrator can configure whether or not nonce is included in the
request message).

Yes, a client decides whether to include a nonce, or not. But, we need the standard to clearly indicate what the client will do with a response, when a nonce is included in a request. This is fundamental to the definition of the protocol.


If the administrator decides nonces are necessary (to prevent replays)
then he/she will select these and our OCSP clients will include these in
the requests.  Now if an OCSP response is received back without a nonce
it will be rejected by our OCSP clients.

That is an appropriate thing for the client to do, and is consistent with the "MUST reject" clarification that Russ articulated at the WG meeting.


On the other hand, if the administrator feels nonces are not required
(to allow for cached responses) then he/she will not select to include
one in outgoing responses.

Right.


The situation "we would like to have nonces in OCSP requests as default,
but if the server legitimately doesn't support nonces we are happy to
forgo nonces or we will generate a fresh request without a nonce" is not
that common in my opinion.  If such a case does exist, local policy will
probably be also happy to choose to not include a nonce in the OCSP
request message in the first place.

Regards,
Liaquat


The hard part in all of this is how the client knows what the server is capable of doing, which seems not to be part of the discussion above.


Steve
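The three client behaviours argued over in this thread (a local policy that never sends a nonce, one that sends a nonce and rejects any response without a matching one, and one that falls back to a nonce-less request when the responder omits it) are sketched below as an added worked example. This is not code from any participant or from any OCSP product; transport and response-signature verification are out of scope, and the three responders are constructed in-memory stand-ins. The 16-byte nonce size, the policy names and the `fetch_status`/`check_response` helpers are this example's own choices.

```python
"""Client-side handling of the OCSP nonce, modelled on the policies in the thread above.

Added illustration; not code from the thread's participants or from any OCSP
implementation. Responders are constructed stand-ins: no network, no signatures.
"""
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

ID_PKIX_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"  # OID of the nonce extension (RFC 6960)


class NoncePolicy(Enum):
    OFF = "off"        # never send a nonce: cached responses are acceptable
    STRICT = "strict"  # send a nonce; a response without a matching one is rejected
    RETRY = "retry"    # send a nonce; if the responder omits it, retry once without one


@dataclass
class OCSPRequest:
    serial: int
    nonce: Optional[bytes] = None  # None: extension absent from the request


@dataclass
class OCSPResponse:
    serial: int
    cert_status: str               # "good" / "revoked" / "unknown"
    nonce: Optional[bytes] = None  # None: responder omitted the extension


Responder = Callable[[OCSPRequest], OCSPResponse]


def make_nonce(length: int = 16) -> bytes:
    """Fresh unpredictable nonce (assumption: 16 random bytes is the size used here)."""
    return secrets.token_bytes(length)


def der_octet_string(value: bytes) -> bytes:
    """DER-encode the nonce as an OCTET STRING, the form carried as the extension value."""
    n = len(value)
    if n < 0x80:
        return b"\x04" + bytes([n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(len_bytes)]) + len_bytes + value


def nonce_extension(nonce: bytes) -> Tuple[str, bytes]:
    """(extnID, extnValue) pair the client would place in requestExtensions."""
    return ID_PKIX_OCSP_NONCE, der_octet_string(nonce)


def check_response(req: OCSPRequest, resp: OCSPResponse, policy: NoncePolicy) -> str:
    """What the client does with one response: 'accept', 'reject' or 'retry'."""
    if resp.serial != req.serial:
        return "reject"  # response is not about the certificate that was asked about
    if req.nonce is None:
        # No nonce was sent, so freshness is not being checked; a cached reply is fine.
        return "accept"
    if resp.nonce is None:
        # Responder did not echo the nonce: the thread's "MUST reject" case, unless
        # local policy chooses to fall back to a nonce-less (replayable) request.
        return "retry" if policy is NoncePolicy.RETRY else "reject"
    # Constant-time comparison; a mismatch means a replayed or foreign response.
    return "accept" if hmac.compare_digest(req.nonce, resp.nonce) else "reject"


def fetch_status(serial: int, policy: NoncePolicy,
                 responder: Responder) -> Tuple[str, Optional[str]]:
    """Run the client side of the exchange; returns (verdict, cert_status or None)."""
    req = OCSPRequest(serial, None if policy is NoncePolicy.OFF else make_nonce())
    resp = responder(req)
    verdict = check_response(req, resp, policy)
    if verdict == "retry":
        # Second request without a nonce. Trade-off: anyone who can strip the nonce
        # from the first reply can force this path, and the second reply is replayable.
        req = OCSPRequest(serial)
        resp = responder(req)
        verdict = check_response(req, resp, NoncePolicy.STRICT)
    return verdict, (resp.cert_status if verdict == "accept" else None)


# Constructed responders standing in for the server behaviours the thread describes.
def nonce_aware_responder(req: OCSPRequest) -> OCSPResponse:
    """Copies the request nonce into the response, as RFC 6960 describes."""
    return OCSPResponse(req.serial, "good", req.nonce)


def legacy_responder(req: OCSPRequest) -> OCSPResponse:
    """Ignores the nonce extension entirely."""
    return OCSPResponse(req.serial, "good", None)


def replaying_responder(req: OCSPRequest) -> OCSPResponse:
    """An attacker replaying a captured "good" response, stale nonce and all."""
    return OCSPResponse(req.serial, "good", bytes(16))


if __name__ == "__main__":
    for policy in NoncePolicy:
        for responder in (nonce_aware_responder, legacy_responder, replaying_responder):
            print(policy.value, responder.__name__, fetch_status(1, policy, responder))
```

Running it shows Steve's point in miniature: the client has no way to learn in advance whether the responder understands nonces, so the only signal it gets is the response itself, and under the RETRY policy a missing nonce and a deliberately stripped nonce look identical. Only the STRICT policy rejects the replayed response, and the OFF policy accepts it by design.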