
RE: DISCUSS: MUST reject in OCSPv1
Mike,

> -----Original Message-----
> From: Michael Myers [mailto:mmyers@xxxxxxxxx] 
[snip]
> 
> Tom,
> 
> We may be saying the same thing:
> 
> if( req->sent_nonce != rsp->rcvd_nonce )
>    fail( BADNONCE )
> else
>    proceed( rsp );
> 
> The more interesting question along these lines is the one 
> regarding Florian's server-unilateral nonces.  I.e. a client 
> receives a nonce extension in the response even though the 
> client didn't provide a nonce extension in its request.  
> While I'm not yet convinced of this practice's security 
> value, I see no reason to preclude it in our forthcoming 
> clarification regarding nonces.

As I mentioned earlier, it will be important to clarify this case, as clients
using piggybacked OCSPResponses (such as those implementing the TLS
extension) may receive a response that contains a nonce (the one the server
generated) even though they did not send one.

Alex
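The nonce comparison from the quoted pseudocode, extended with the server-unilateral case this thread discusses (a response carrying a nonce the client never sent, e.g. a stapled response), as an added Python example that is not from either message. The `allow_unsolicited` policy switch, the result names and the constant-time comparison are my own assumptions, not something the thread settles.

```python
import hmac
from enum import Enum


class NonceResult(Enum):
    """Outcome of comparing the request nonce with the response nonce."""
    MATCH = "nonce present on both sides and equal"
    BADNONCE = "nonce mismatch"
    MISSING = "client sent a nonce but the response carries none"
    UNSOLICITED = "server-unilateral nonce accepted"
    NO_NONCE = "no nonce on either side"


def check_nonce(sent_nonce, rcvd_nonce, allow_unsolicited=True):
    """Decide whether an OCSP response passes the nonce check.

    sent_nonce / rcvd_nonce are bytes or None (None = extension absent).
    Returns (accept, NonceResult). allow_unsolicited is an assumed local
    policy: whether a nonce the client never asked for is tolerated, which
    is what a client consuming a stapled response needs.
    """
    if sent_nonce is None:
        if rcvd_nonce is None:
            return True, NonceResult.NO_NONCE
        # Client did not send a nonce; the responder added one unilaterally.
        if allow_unsolicited:
            return True, NonceResult.UNSOLICITED
        return False, NonceResult.BADNONCE
    if rcvd_nonce is None:
        # The quoted pseudocode treats "sent != rcvd" as BADNONCE; an absent
        # response nonce is therefore a failure when one was requested.
        return False, NonceResult.MISSING
    # Constant-time comparison (assumed hardening, not in the pseudocode).
    if hmac.compare_digest(sent_nonce, rcvd_nonce):
        return True, NonceResult.MATCH
    return False, NonceResult.BADNONCE


if __name__ == "__main__":
    # Constructed sample nonces, not values from the thread.
    n = bytes.fromhex("0102030405060708")
    print(check_nonce(n, n))            # (True, NonceResult.MATCH)
    print(check_nonce(n, b"\x00" * 8))  # (False, NonceResult.BADNONCE)
    print(check_nonce(None, n))         # (True, NonceResult.UNSOLICITED)
```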