[caops-wg] OCSP - use of nonce
- To: caops-wg@xxxxxxx
- Subject: [caops-wg] OCSP - use of nonce
- From: Olle Mulmo <mulmo@xxxxxxxxxx>
- Date: Tue, 31 May 2005 12:58:01 +0200
> There are a couple of remarks about nonces that I think the
> sophisticated security worker - especially some of the ones I was
> hoping to interest in this service - would not agree to. I have no
> problem with the language in 4.5 but the client recommendation
> somewhere in section 7 just says flat out don't do it -- seems
> contradictory. There are circumstances where real time is needed. We
> need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default.
Your suggested modifications below will be incorporated.
> In 7.3, say
> OCSP clients are not recommended to include nonces except ... - or -
> OCSP clients should only include nonces ... in requests to local
> Trusted responders or other OCSP responders by prior agreement and
> consultation. (See section 4.5.)
> In 4.5 say
> Some services may not support nonce requests, and in other cases it
> may produce an intolerable burden on the OCSP responder and delay for the
> client application. Nonces should only be used in situations where
> the most up to date information is required, particularly to meet
> security requirements.
> [Drop the "overkill" sentence - not useful.]
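What the "nuanced nonce" policy above amounts to on the client side, as an added example (this code is not from the thread, from the CAOPS-WG draft, or from either correspondent): send the nonce only when real-time status is a security requirement AND the responder is one that has agreed to support it; otherwise fall back to the thisUpdate/nextUpdate window, which is what lets responders serve pre-computed, cached responses. The DER layout of the nonce extension follows RFC 6960 section 4.4.1 and the RFC 8954 clarification (extnValue wraps an OCTET STRING of 1..32 bytes); the Responder class, the skew and max_age values, and the sample timestamps are assumptions made for the example.

```python
"""Client-side OCSP nonce policy and nonce extension encoding (added example)."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

ID_PKIX_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"  # RFC 6960 section 4.4.1


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der_tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int = 0):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING } holding the
    DER of Nonce ::= OCTET STRING (RFC 8954). Left non-critical so a responder
    that does not support nonces can still answer (the 4.5 concern)."""
    if not 1 <= len(nonce) <= 32:
        raise ValueError("RFC 8954 nonce must be 1..32 bytes")
    inner = _der_tlv(0x04, nonce)
    return _der_tlv(0x30, _der_oid(ID_PKIX_OCSP_NONCE) + _der_tlv(0x04, inner))


def extract_nonce(ext_der: bytes) -> Optional[bytes]:
    """Nonce carried by a DER Extension, or None if it is not the nonce extension.
    Also accepts the pre-RFC 8954 form where extnValue held the raw bytes."""
    tag, seq, _ = _read_tlv(ext_der)
    if tag != 0x30:
        return None
    tag, oid, pos = _read_tlv(seq)
    if tag != 0x06 or _der_tlv(0x06, oid) != _der_oid(ID_PKIX_OCSP_NONCE):
        return None
    tag, value, pos = _read_tlv(seq, pos)
    if tag == 0x01:  # optional critical BOOLEAN present; skip it
        tag, value, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        return None
    if len(value) >= 2 and value[0] == 0x04 and _read_tlv(value)[2] == len(value):
        return _read_tlv(value)[1]  # properly wrapped OCTET STRING
    return value  # legacy: raw nonce bytes directly in extnValue


@dataclass
class Responder:
    url: str
    nonce_by_agreement: bool = False  # 7.3: local trusted responder or prior agreement


def should_send_nonce(responder: Responder, needs_realtime: bool) -> bool:
    """7.3 / 4.5: nonce only when real-time status is a security requirement
    and the responder has agreed to handle nonces; never by default."""
    return needs_realtime and responder.nonce_by_agreement


def evaluate(sent_nonce: Optional[bytes], echoed_nonce: Optional[bytes],
             this_update: datetime, next_update: Optional[datetime], now: datetime,
             skew: timedelta = timedelta(minutes=5),      # assumed tolerance
             max_age: timedelta = timedelta(days=7)) -> Tuple[bool, str]:
    """Accept/reject an OCSP response. The time window is checked always; the
    nonce is required to match only if the client chose to send one."""
    if this_update > now + skew:
        return False, "thisUpdate is in the future"
    if next_update is not None and now > next_update + skew:
        return False, "response expired (past nextUpdate)"
    if next_update is None and now - this_update > max_age:
        return False, "response older than max_age with no nextUpdate"
    if sent_nonce is None:
        return True, "accepted on time window (cached response is fine)"
    if echoed_nonce is None:
        return False, "nonce sent but not echoed: freshness not proven"
    if not hmac.compare_digest(sent_nonce, echoed_nonce):
        return False, "nonce mismatch: replayed or mis-routed response"
    return True, "fresh: nonce echoed"


if __name__ == "__main__":
    now = datetime(2005, 5, 31, 12, 0, tzinfo=timezone.utc)  # constructed
    n = bytes(range(16))
    print(should_send_nonce(Responder("http://ocsp.example", True), True))
    print(evaluate(n, extract_nonce(nonce_extension(n)), now - timedelta(hours=1), now + timedelta(hours=1), now))
```

The replay and "not echoed" branches are the reason the nonce exists at all; the time-window branch is what the default (no nonce) policy relies on, so both are worth exercising against a real responder before turning nonces on by agreement.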