Re: response to unauthorized OCSP reques
I agree, unauthorized request could allow for billing to be introduced based
on the requester's name, which is only meaningful in a signed request.
We can either have the response of sigRequired for an unsigned message and
add Unauthorized or we could rename sigRequired and expand the meaning.
I would add another response of unauthorizedRequest and leave the specific
meaning of sigRequired as it is. This will be more meaningful to a client.
Suggest a definition of unauthorized as
"The response unauthorized is returned in cases where the server
operates a restricted or chargeable service and does not recognize the
client. OCSP responders may require signed requests. If an unsigned
message is received from a known client the sigRequired response should be
returned. A response of unauthorized will also be returned where the
signature on a request cannot be validated."
Graham Bland
----------
From: aberger@darmstadt.gmd.de
To: ietf-pkix@imc.org
Cc: Graham Bland
Subject: Re: response to unauthorized OCSP reques
Date: 11 August 1998 10:14
Graham Bland wrote:
>
> There is a sigRequired error response which specifically covers this
> situation.
I interpreted it as: A requester sends an unsigned request. The OCSP
responder does not want to act on this request, since it is unsigned.
Therefore it answers with sigRequired, advising the requester to
re-issue the request but this time signed.
An unauthorized request sounds sensible to me. It can also be used if
the responder bases its decision not to serve the request on other data
(i.e. the request is unsigned).
Andreas
--
Fifty-three percent of Fortune 1000 executives think the
Arch Deluxe is something that helps to run a computer.
-- Jericho Communications
--
Zergo Limited, The Square, Basing View, Basingstoke, Hants. RG21 4EG, UK
Tel: + 44 (0) 1442 342 600 Fax: +44 (0) 1256 812 901
Website: http://www.zergo.com
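
Added example, not part of the original messages: a sketch of how a restricted responder could choose between sigRequired and unauthorized under the definition proposed above, and how the status-only response looks in DER. The `Request` class, `choose_status`, and the client names are hypothetical; the numeric status values are the ones later published in RFC 2560 / RFC 6960, which the thread itself does not state.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Status(IntEnum):
    # Values as later published in RFC 2560 / RFC 6960 (assumption: not in the thread).
    SUCCESSFUL = 0
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6

@dataclass
class Request:  # hypothetical, already-parsed view of an OCSP request
    requestor: Optional[str]       # requestorName, None when absent
    signed: bool
    signature_valid: bool = False  # only meaningful when signed

def choose_status(req: Request, known_clients: set) -> Status:
    """Status for a restricted responder that requires signed requests."""
    if req.signed and not req.signature_valid:
        return Status.UNAUTHORIZED   # signature cannot be validated
    if req.requestor not in known_clients:
        return Status.UNAUTHORIZED   # client not recognized
    if not req.signed:
        return Status.SIG_REQUIRED   # known client, unsigned: re-issue signed
    return Status.SUCCESSFUL

def encode_error(status: Status) -> bytes:
    """DER OCSPResponse carrying responseStatus only (responseBytes omitted)."""
    return bytes([0x30, 0x03, 0x0A, 0x01, int(status)])

def decode_error(der: bytes) -> Status:
    """Client side: read the status from a status-only OCSPResponse."""
    if len(der) != 5 or der[:4] != b"\x30\x03\x0a\x01":
        raise ValueError("not a status-only OCSPResponse")
    return Status(der[4])

if __name__ == "__main__":
    known = {"CN=Example Client"}  # constructed sample data
    samples = [
        Request("CN=Example Client", signed=False),
        Request("CN=Example Client", signed=True, signature_valid=False),
        Request(None, signed=False),
    ]
    for req in samples:
        status = choose_status(req, known)
        print(req, status.name, encode_error(status).hex())
```

A client receiving SIG_REQUIRED can retry with a signed request, whereas UNAUTHORIZED tells it that retrying the same request will not help.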