Re: Unsigned DPD responses for SCVP15
My preference is the same as Mike's (Option #2, server may choose not to
sign {path, rev-info} unless client indicates signing is required with a
request flag).
This gives the greatest flexibility to deployers, who can deploy servers
that either:
(a) always sign everything
(b) never sign anything and return errors if requested to
(c) sign if client asks for a signature, don't sign if client
doesn't ask and response type permits.
Trevor's Option #1 (Fixed server policy) only permits deployments of (a)
and (b). I believe that (c) is a potentially useful configuration, and
I don't think there's a strong reason to absolutely preclude it.
Thanks
Trevor Freeman wrote:
I have been asked to add unsigned responses for DPD clients to SCVP15.
There are two models proposed on how we accomplish that, both of which
meet the requirements for 3379. I would therefore like some feedback on
how the group views the two mechanisms.
Global Server Policy that it is DPD only
The first proposal is to make the option controlled by the server as a
global policy. Therefore the server would publish via policy that it
only supports DPD and as such never signs a response. DPV clients and DPD
clients wanting a signed response then know to use another server.
SCVP Request option to not sign response
The second option is to leave it to the client to signal to the server
it does not need a signature on the response by a new flag in the
request (or its twin the flag indicates it does want a signature on the
response). This allows clients to be benevolent towards the server by
asking it to skip the signature. Servers can still sign at their
discretion.
Needless to say it is possible to hybridize the two, but I am hopeful we
can try and keep this as simple as possible by picking one of the two.
Trevor