
RE: DISCUSS: MUST reject in OCSPv1



> -----Original Message-----
> From: Tom Gindin
> Sent: Friday, December 12, 2003 3:58 PM
>
> Mike:
>
> While we're on this subject, do we need to
> include that a client "MUST" reject a response
> containing a nonce which does not match the
> request?

Tom,

We may be saying the same thing:

if( req->sent_nonce != rsp->rcvd_nonce )   /* byte-wise comparison of the two nonces */
   fail( BADNONCE );
else
   proceed( rsp );

The more interesting question along these lines is the one
regarding Florian's server-unilateral nonces.  I.e. a client
receives a nonce extension in the response even though the
client didn't provide a nonce extension in its request.  While
I'm not yet convinced of this practice's security value, I see
no reason to preclude it in our forthcoming clarification
regarding nonces.

Mike
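The client-side rule in Mike's pseudocode, extended to the server-unilateral case he mentions, as an added Python example that is not from this thread or from any OCSP implementation; the (oid, critical, value) extension tuples, the `require_echo` policy switch and the sample nonce bytes are assumptions for illustration.

```python
import hmac
from enum import Enum

# id-pkix-ocsp-nonce, the OID the nonce extension is carried under in both
# the OCSP request and the OCSP response.
ID_PKIX_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"

class NonceVerdict(Enum):
    ACCEPT = "accept"                          # nonces match, or neither side sent one
    ACCEPT_UNSOLICITED = "accept-unsolicited"  # server-unilateral nonce, client sent none
    REJECT_MISMATCH = "reject-mismatch"        # the BADNONCE case from the thread
    REJECT_MISSING = "reject-missing"          # client sent a nonce, response echoes none

def find_nonce(extensions):
    """Return the nonce bytes from a list of (oid, critical, value) tuples,
    or None when the nonce extension is absent. The tuple layout is a
    constructed stand-in for a decoded X.509 Extensions sequence."""
    for oid, _critical, value in extensions:
        if oid == ID_PKIX_OCSP_NONCE:
            return bytes(value)
    return None

def check_ocsp_nonce(sent_nonce, rcvd_nonce, require_echo=True):
    """Client-side decision for one request/response pair.

    sent_nonce   -- nonce the client put in its request, or None
    rcvd_nonce   -- nonce found in the response, or None
    require_echo -- local policy (an assumption, not from the thread): whether
                    a response that drops a nonce the client sent is rejected
    """
    if sent_nonce is None:
        # Client sent no nonce: any nonce in the response is server-unilateral.
        return NonceVerdict.ACCEPT if rcvd_nonce is None else NonceVerdict.ACCEPT_UNSOLICITED
    if rcvd_nonce is None:
        return NonceVerdict.REJECT_MISSING if require_echo else NonceVerdict.ACCEPT
    # Constant-time comparison; unequal lengths simply compare unequal.
    if not hmac.compare_digest(sent_nonce, rcvd_nonce):
        return NonceVerdict.REJECT_MISMATCH
    return NonceVerdict.ACCEPT

def verify_response_nonce(request_exts, response_exts, require_echo=True):
    """Pull the nonce out of each side's extensions and decide."""
    return check_ocsp_nonce(find_nonce(request_exts), find_nonce(response_exts), require_echo)

if __name__ == "__main__":
    nonce = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed sample
    req = [(ID_PKIX_OCSP_NONCE, False, nonce)]
    print(verify_response_nonce(req, [(ID_PKIX_OCSP_NONCE, False, nonce)]))  # NonceVerdict.ACCEPT
    print(verify_response_nonce(req, [(ID_PKIX_OCSP_NONCE, False, b"\x00" * 16)]))  # NonceVerdict.REJECT_MISMATCH
    print(verify_response_nonce([], [(ID_PKIX_OCSP_NONCE, False, nonce)]))  # NonceVerdict.ACCEPT_UNSOLICITED
```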