Re: [caops-wg] OCSP - use of nonce
- To: Olle Mulmo <mulmo@xxxxxxxxxx>
- Subject: Re: [caops-wg] OCSP - use of nonce
- From: Jesus Luna <jluna@xxxxxxxxxx>
- Date: Thu, 02 Jun 2005 18:20:50 +0200
- Cc: caops-wg@xxxxxxx
- Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
- Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
- In-reply-to: <79bdccf08cb314134f4f40ab5ea431ce@pdc.kth.se>
- References: <79bdccf08cb314134f4f40ab5ea431ce@pdc.kth.se>
- Sender: owner-caops-wg@xxxxxxx
- User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)
Olle Mulmo wrote:
There are a couple of remarks about nonces that I think the
sophisticated security worker - especially some of the ones I was
hoping to interest in this service - would not agree to. I have no
problem with the language in 4.5 but the client recommendation
somewhere in section 7 just says flat out don't do it -- seems
contradictory. There are circumstances where real time is needed.
We need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default.
Your suggested modifications below will be incorporated.
We agree with you in the sense that this document should recommend some
"default" OCSP behaviour; however, other available options or possible
configurations (like the decision of using nonces or not at all) should
be mentioned and referred to in section 9, where the idea of writing an "OCSP
Policy" is explained. In further versions of this document we should
define such a "policy" in more detail and even recommend how to
fine-tune OCSP clients to keep a balance between performance and security.
The use of nonces is another parameter that affects the Quality of
Service of an OCSP Response just as is the case for the CautionaryPeriod.
--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
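Added example, not part of the message above or of the CAOPS document it discusses: a client-side OCSP acceptance policy in which the nonce is one tunable quality-of-service parameter alongside a maximum accepted response age (the "CautionaryPeriod" the reply mentions). The three policy modes ("required", "preferred", "never"), the data structures and all function names are hypothetical; a real client would take these fields from a DER-encoded BasicOCSPResponse after verifying the responder's signature. The fixed clock and the request/response pairs built by scenario() are constructed test data.

```python
# Added example (hypothetical client policy, not code from the CAOPS working group).
# A nonce proves the answer was produced for this request; without one the
# client only accepts answers younger than a cautionary period. Which trade-off
# applies is a per-client policy decision, not a fixed yes/no on nonces.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import secrets


@dataclass
class OcspResponse:
    """Fields of a SingleResponse relevant to freshness (hypothetical model)."""
    cert_status: str                   # "good", "revoked" or "unknown"
    this_update: datetime              # thisUpdate from the responder
    next_update: Optional[datetime]    # nextUpdate; some responders omit it
    nonce: Optional[bytes]             # echoed nonce extension value, if any


@dataclass
class NoncePolicy:
    """Per-client OCSP policy: nonce mode plus age bound for nonce-less answers."""
    mode: str                          # "required", "preferred" or "never"
    max_age: timedelta                 # cautionary period for nonce-less answers
    clock_skew: timedelta = timedelta(minutes=5)


def request_nonce(policy: NoncePolicy) -> Optional[bytes]:
    """Return the nonce to put in the request, or None to omit it (cache-friendly)."""
    if policy.mode == "never":
        return None
    return secrets.token_bytes(16)


def evaluate(resp: OcspResponse, sent_nonce: Optional[bytes],
             policy: NoncePolicy, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a response whose signature already verified."""
    # The validity window applies in every mode, with or without a nonce.
    if resp.this_update > now + policy.clock_skew:
        return False, "thisUpdate lies in the future"
    if resp.next_update is not None and resp.next_update < now - policy.clock_skew:
        return False, "nextUpdate has passed"

    if sent_nonce is not None:
        if resp.nonce is None:
            if policy.mode == "required":
                return False, "nonce required but the responder omitted it"
            # "preferred": tolerate a nonce-less (likely pre-produced) answer,
            # but only under the age bound below.
        elif not secrets.compare_digest(resp.nonce, sent_nonce):
            return False, "nonce mismatch (replayed or foreign response)"
        else:
            return True, "fresh response: nonce matched"

    age = now - resp.this_update
    if age > policy.max_age:
        return False, f"stale: age {age} exceeds cautionary period {policy.max_age}"
    return True, f"accepted pre-produced response of age {age}"


def scenario(mode: str, age_minutes: int, echo_nonce: bool = True,
             max_age_minutes: int = 60, tamper: bool = False,
             expired: bool = False) -> bool:
    """Build a constructed request/response pair and report whether it is accepted."""
    now = datetime(2005, 6, 2, 16, 20, 50, tzinfo=timezone.utc)   # constructed clock
    policy = NoncePolicy(mode, timedelta(minutes=max_age_minutes))
    sent = request_nonce(policy)
    echoed = None
    if sent is not None and echo_nonce:
        # A tampered echo models a replayed answer produced for another request.
        echoed = bytes(b ^ 0xFF for b in sent) if tamper else sent
    next_update = now - timedelta(minutes=10) if expired else now + timedelta(hours=12)
    resp = OcspResponse("good", now - timedelta(minutes=age_minutes), next_update, echoed)
    return evaluate(resp, sent, policy, now)[0]


if __name__ == "__main__":
    for args in [("required", 10), ("required", 10, False),
                 ("preferred", 10, False), ("preferred", 120, False),
                 ("never", 10), ("never", 120)]:
        print(args, "->", scenario(*args))
```

The "preferred" mode is the nuanced middle ground: the client asks for real time but, when the responder serves a pre-produced answer, falls back to the cautionary period instead of failing outright, so a responder may keep serving cached responses to clients that tolerate them while still honouring nonces from those that insist.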