[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: response to unauthorized OCSP reques
I Agree to the proposal from Graham to add a new "unauthorized" response.
I would though suggest a minor change in the definition (change noted in **)
"The response unauthorized is returned in cases where the server operates a
restricted or chargeable service and does not recognize the client *as
authorized for the request. If the OCSP responder requires a signed
requests and* an unsigned message is received from a known client the
sigRequired response should be returned. A response of unauthorized will
also be returned where the signature on a request can not be validated."
Reason (as authorized for the request):
The OCSP may recognise the client but he may not be authorized for the
specific request. I.e. the OCSP server may run services for multiple
branches of certificates where the client only is authorized to check some
of them.
Reason (next sentence):
Just a matter of taste maybe but I think it is more direct in this way. In
this way there is no direct requirement on having a signed request to
respond with unatorized which I think would be an unnessecary requirement.
Authentication of the requestor may take place in another layer (TLS) and
may also be a matter of local policy.
/Stefan
At 10:45 AM 8/11/98 +0000, Graham Bland wrote:
>I agree, unauthorized request could allow for billing to be introduced based
>on the requesters name which is only meaningful in a signed request.
>
>We can either have the response of sigRequired for an unsigned message and
>add Unauthorized or we could rename sigRequired and expand the meaning.
>
>I would add another response of unauthorizedRequest and leave the specific
>meaning of sigRequired as it is. This will be more meaningful to a client.
>
>Suggest a definition of unauthorized as
>
>"The response unauthorized is returned in cases where the server
>operates a restricted or chargeable service and does not recognize the
>client. OCSP responders may require signed requests. If an unsigned
>message is received from a known client the sigRequired response should be
>returned. A response of unauthorized will also be returned where the
>signature on a request can not be validated."
>
>Graham Bland
>
> ----------
>From: aberger@darmstadt.gmd.de
>To: ietf-pkix@imc.org
>Cc: Graham Bland
>Subject: Re: response to unauthorized OCSP reques
>Date: 11 August 1998 10:14
>
>Graham Bland wrote:
>>
>> There is a sigRequired error response which specifically covers this
>> situation.
>I interpreted it as: A rquester sends an unsigned request. The OCSP
>responder does not want to act on this request, since it is unsigned.
>Therefore it answers with sigRequired, advising the requester to
>re-issue the request but this time signed.
>
>An unauthorized request sounds sensible to me. It can also be used if
>the responder bases its decision not to serve the request on other data
>(i.e. the request is unsigned).
>
>Andreas
> --
>Fifty-three percent of Fortune 1000 executives think the
>Arch Deluxe is something that helps to run a computer.
> -- Jericho Communications
>
>--
>Zergo Limited, The Square, Basing View, Basingstoke, Hants. RG21 4EG, UK
>Tel: + 44 (0) 1442 342 600 Fax: +44 (0) 1256 812 901
>Website: http://www.zergo.com
>
>
>
-------------------------------------------------------------------
Stefan Santesson <stefan@accurata.se>
Accurata Systemsäkerhet AB
Lotsgatan 27 D Tel. +46-40 152211
216 42 Malmö Fax. +46-40 150790
Sweden Mobile +46-70 5247799
PGP fingerprint: 89BC 6C79 5B3D 591B 8547 1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------