[caops-wg] OCSP - use of nonce
Olle Mulmo
mulmo at pdc.kth.se
Tue May 31 05:58:01 CDT 2005
> There are a couple of remarks about nonces that I think the
> sophisticated security worker - especially some of the ones I was
> hoping to interest in this service - would not agree to. I have no
> problem with the language in 4.5 but the client recommendation
> somewhere in section 7 just says flat out don't do it -- seems
> contradictory. There are circumstances where real time is needed. We
> need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default.
Your suggested modifications below will be incorporated.
>
> In 7.3, say
> OCSP clients are not recommended to include nonces except ... - or -
> OCSP clients should only include nonces ... in requests to local
> Trusted responders or other OCSP responders by prior agreement and
> consultation. (See section 4.5.)
>
> In 4.5 say
> Some services may not support nonce requests, and in other cases it
> may produce intolerable burden on the OCSP responder and delay for the
> client application. Nonces should only be used in situations where
> the most up to date information is required, particularly to meet
> security requirements.
>
> [Drop the "overkill" sentence - not useful.]
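Added illustration of the client-side behaviour the thread is negotiating; this is not code from the thread, from the caops-wg draft, or from any OCSP implementation. It encodes and decodes the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2, RFC 6960) with the standard library only, and models the proposed policy as one reading of it: a nonce goes out only when the application genuinely needs real-time status (the 4.5 wording) and the responder is a local trusted responder or one that agreed to nonces in advance (the 7.3 wording). The function names, the responder URLs and all sample bytes are constructed for the example.

```python
"""Client-side handling of the OCSP nonce extension (id-pkix-ocsp-nonce,
OID 1.3.6.1.5.5.7.48.1.2, RFC 6960 section 4.4.1). Added illustration written
for this thread; standard library only, sample values are constructed."""
import secrets
from typing import Optional

# id-pkix-ocsp-nonce pre-encoded as a DER OBJECT IDENTIFIER: tag 0x06, length 9,
# then the arcs 1.3 (0x2B) 6 1 5 5 7 48 (0x30) 1 2
OID_OCSP_NONCE = bytes.fromhex("06092b0601050507300102")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; returns (tag, content, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }; the nonce is
    itself DER-wrapped as an OCTET STRING inside extnValue. The extension is
    non-critical, so 'critical' is omitted (DER rule for DEFAULT FALSE)."""
    return der_tlv(0x30, OID_OCSP_NONCE + der_tlv(0x04, der_tlv(0x04, nonce)))


def find_nonce(extensions_der: bytes) -> Optional[bytes]:
    """Return the nonce carried in a DER SEQUENCE OF Extension (for instance the
    responseExtensions of a BasicOCSPResponse), or None if none is present."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    pos = 0
    while pos < len(seq):
        etag, ext, pos = read_tlv(seq, pos)
        if etag != 0x30:
            raise ValueError("expected Extension SEQUENCE")
        otag, oid, p = read_tlv(ext, 0)
        if bytes([otag]) + der_len(len(oid)) + oid != OID_OCSP_NONCE:
            continue                      # some other extension; keep scanning
        vtag, value, p = read_tlv(ext, p)
        if vtag == 0x01:                  # explicit 'critical' BOOLEAN present
            vtag, value, p = read_tlv(ext, p)
        if vtag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        # Responders normally double-wrap the nonce; tolerate a bare value too.
        try:
            itag, inner, end = read_tlv(value, 0)
            if itag == 0x04 and end == len(value):
                return inner
        except (IndexError, ValueError):
            pass
        return value
    return None


def should_send_nonce(responder_url: str, agreed_responders: set, freshness_required: bool) -> bool:
    """Policy as read from the thread (an interpretation, not the draft's text):
    nonces are off by default and are sent only when the application needs
    real-time status (4.5) and the responder is a local trusted responder or one
    that accepted nonces by prior agreement (7.3)."""
    return freshness_required and responder_url in agreed_responders


def new_nonce(size: int = 16) -> bytes:
    """Unpredictable nonce; a guessable one would let a pre-produced answer pass."""
    return secrets.token_bytes(size)


def check_nonce_echo(sent: Optional[bytes], response_extensions: Optional[bytes]) -> str:
    """Classify a response against the nonce (if any) sent with the request:
    'not-requested' - no nonce sent; freshness rests on thisUpdate/nextUpdate alone
    'fresh'         - responder echoed our nonce, so this answer was made for this request
    'absent'        - responder ignored the nonce; treat as a possibly pre-produced answer
    'mismatch'      - wrong nonce; reject, it was not produced for this request"""
    if sent is None:
        return "not-requested"
    got = find_nonce(response_extensions) if response_extensions else None
    if got is None:
        return "absent"
    return "fresh" if secrets.compare_digest(got, sent) else "mismatch"
```

A client following the thread's recommendation consults `should_send_nonce` before building the request and only then attaches `encode_nonce_extension(new_nonce())` to requestExtensions. The 'absent' outcome is the case the 4.5 wording anticipates (a responder that does not support nonces); an application that asked for real-time status must not quietly treat it as 'fresh', while one that sent no nonce can rely on the response's validity window as usual.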