[caops-wg] OCSP - use of nonce

[Jesus Luna]

Olle Mulmo wrote:

>> There are a couple of remarks about nonces that I think the
>> sophisticated security worker - especially some of the ones I was 
>> hoping to interest in this service - would not agree to.  I have no 
>> problem with the language in 4.5 but the client recommendation 
>> somewhere in section 7 just says flat out don't do it -- seems 
>> contradictory.  There are circumstances where real time is needed.  
>> We need a nuanced nonce instead.
>
>
> The intended spirit of Section 7 was to say don't do it -- by default. 
> Your suggested modifications below will be incorporated.

We agree with you in the sense that this document should recommend some 
"default" OCSP behaviour, however other available options or possible 
configurations (like the decision of using nonces or not at all) should 
be mentioned and refered in section 9 where the idea of writting a "OCSP 
Policy" is explained. In further versions of this document we should 
define with more detail such "policy" and even recommend how to 
fine-tune OCSP clients to keep a balance between performance and security.
The use of nonces is another parameter that affects the Quality of 
Service of an OCSP Response just as is the case for the CautionaryPeriod.

-- 

____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna at ac.upc.edu