RE: [TLS] RFC 3456 - OCSP extension question
Hmmm... maybe I am misunderstanding the statement: "by prior arrangement".
The way we are doing OCSP responses here is through AIAs, not through
sending lists of ResponderIDs around. The AIA is in the server cert,
which the server uses to get the OCSP response that we send back to the
client. Is this what is meant by "by prior arrangement"?
It seems to me there are three different methods being called out here:
1. by prior arrangement - a closed environment in which the server knows
which ResponderIDs are OK to use.
2. send a list of ResponderIDs - client sends a list, the server uses
one from the list.
3. use of the AIA - server gets OCSP response from URL in AIA of cert.
What I am trying to understand is how our client should be forming its
OCSP extension in this last case (or if I am misunderstanding the last
case, when it really is part of #1).
So, assuming the server is not going to parse or know anything about
ResponderIDs (we don't use them on the server), what should the client
be sending? A responder_id_list<0..2^16-1> vector of 0?
Thanks.
-----Original Message-----
From: David Hopwood [mailto:david.nospam.hopwood@xxxxxxxxxxxxxxxx]
Sent: Wednesday, October 18, 2006 3:56 PM
To: tls@xxxxxxxx
Subject: Re: [TLS] RFC 3456 - OCSP extension question
Joshua Ball wrote:
> In regards to the implementation of RFC 3546, in particular the OCSP
> extension.
> When the client does not wish to send any list of responders, what is
> the correct sequence to send
A zero-length vector.
> (as a zero length vector apparently has a special meaning).
If the client does not wish to send a list, then logically it *must* be
the case that "the responders are implicitly known to the server - e.g.,
by prior arrangement." Otherwise how would the server know which
responder to use?
--
David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
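As an added illustration (not part of either message in this thread), the following Python encoder/decoder for the RFC 3546 status_request extension shows exactly what goes on the wire when responder_id_list is the zero-length vector discussed above, and what the same extension looks like when the client does name responders. The ResponderID value used in the usage lines is a constructed placeholder, not a real responder key hash.

```python
import struct

STATUS_REQUEST = 5    # ExtensionType status_request (RFC 3546, section 2.3)
STATUS_TYPE_OCSP = 1  # CertificateStatusType ocsp(1) (RFC 3546, section 3.6)


def _vec16(items):
    """Encode opaque<1..2^16-1> items as one <0..2^16-1> vector."""
    body = b"".join(struct.pack("!H", len(i)) + i for i in items)
    return struct.pack("!H", len(body)) + body


def encode_status_request(responder_ids=(), request_extensions=b""):
    """Build the full extension: type, length, then CertificateStatusRequest.
    An empty responder_ids tuple yields the zero-length responder_id_list."""
    for rid in responder_ids:
        if not 1 <= len(rid) <= 0xFFFF:
            raise ValueError("ResponderID is opaque<1..2^16-1>, cannot be empty")
    data = (bytes([STATUS_TYPE_OCSP]) + _vec16(responder_ids)
            + struct.pack("!H", len(request_extensions)) + request_extensions)
    return struct.pack("!HH", STATUS_REQUEST, len(data)) + data


def decode_status_request(ext):
    """Parse the extension back into (responder_ids, request_extensions),
    rejecting truncated vectors and zero-length ResponderIDs."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    data = ext[4:]
    if ext_type != STATUS_REQUEST or ext_len != len(data) or not data:
        raise ValueError("not a well-formed status_request extension")
    if data[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported CertificateStatusType")
    (list_len,) = struct.unpack("!H", data[1:3])
    pos, end, ids = 3, 3 + list_len, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated responder_id_list")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad ResponderID length")
        ids.append(data[pos:pos + n])
        pos += n
    (exts_len,) = struct.unpack("!H", data[end:end + 2])
    exts = data[end + 2:end + 2 + exts_len]
    if len(exts) != exts_len or end + 2 + exts_len != len(data):
        raise ValueError("bad request_extensions length")
    return ids, exts


# Usage: the empty form is 9 bytes, 00 05 00 05 01 00 00 00 00.
EMPTY_FORM = encode_status_request()
PLACEHOLDER_RID = b"\x80\x14" + bytes(20)  # constructed, not a real byKey hash
```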