Marc Stern wrote:
>
>>> c) Steve mentioned some responders don't accept requests with
>>> nonces. What is a sane default? Send nonces (more secure), or not
>>> (better interop). From reading the RFC it looks like mod_ssl should
>>> also be checking the validity times from the OCSP response, which
>>> would help, I guess
>> I'll check how we are using the API. There are some OCSP helper
>> functions in OpenSSL which check the appropriate times and allow a
>> configurable "skew" for cases where clocks are inaccurately set. How
>> much skew to allow in practice may again depend on local policy.
>>
> I agree.
> If using a nonce, there is no need to check the date. If not, you have
> to specify the time delta to accept
>
Although a nonce-supporting responder avoids replay attacks, I'd say we always need to check the date in case a responder fault results in it producing status information with an invalid date. I've seen real-world examples where stale information was being returned by a responder.

Steve.

--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
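The two checks being discussed above, the nonce comparison and the thisUpdate/nextUpdate window with a clock skew allowance, are combined in the added example below. This is illustrative code written for this page, not mod_ssl's or OpenSSL's own code; the validity rules are modelled on the ones OpenSSL's OCSP_check_validity helper applies (thisUpdate may be at most `skew_sec` in the future, nextUpdate may be at most `skew_sec` in the past, nextUpdate may not precede thisUpdate, and an optional maximum age bounds thisUpdate when no nextUpdate is present). All timestamps and nonces are constructed, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed "current time" so the example is deterministic and runs offline.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def check_ocsp_validity(this_update: datetime,
                        next_update: Optional[datetime],
                        now: datetime,
                        skew_sec: int,
                        max_age_sec: int = -1) -> Tuple[bool, str]:
    """Validate the OCSP response time window, allowing `skew_sec` of clock error.

    Rules (modelled on OpenSSL's OCSP_check_validity, which this example
    reimplements rather than calls):
      - thisUpdate must not be more than skew_sec in the future
      - if max_age_sec >= 0, thisUpdate must not be older than max_age_sec
      - if nextUpdate is present, it must not be more than skew_sec in the past
      - nextUpdate must not precede thisUpdate
    Returns (accepted, reason).
    """
    skew = timedelta(seconds=skew_sec)
    if this_update > now + skew:
        return False, "status not yet valid"
    if max_age_sec >= 0 and this_update < now - timedelta(seconds=max_age_sec):
        return False, "status too old"
    if next_update is not None:
        if next_update < now - skew:
            return False, "status expired"
        if next_update < this_update:
            return False, "nextUpdate precedes thisUpdate"
    return True, "ok"


def check_nonce(request_nonce: bytes,
                response_nonce: Optional[bytes],
                require_nonce: bool) -> Tuple[bool, str]:
    """Compare the nonce we sent with the one the responder echoed back.

    `require_nonce=False` is the interoperability setting from the thread:
    a responder that omits the nonce is tolerated, and replay protection then
    rests entirely on the time-window check.
    """
    if response_nonce is None:
        if require_nonce:
            return False, "responder omitted nonce"
        return True, "no nonce in response; relying on time checks"
    if response_nonce != request_nonce:
        return False, "nonce mismatch"
    return True, "nonce matched"


def accept_response(request_nonce: bytes,
                    response_nonce: Optional[bytes],
                    this_update: datetime,
                    next_update: Optional[datetime],
                    now: datetime = NOW,
                    skew_sec: int = 300,
                    max_age_sec: int = -1,
                    require_nonce: bool = False) -> Tuple[bool, str]:
    """Accept a response only if BOTH checks pass.

    A matching nonce proves freshness of the exchange, but it does not prove
    the responder's data is current, so the date check is always applied.
    """
    ok, reason = check_nonce(request_nonce, response_nonce, require_nonce)
    if not ok:
        return False, reason
    ok, reason = check_ocsp_validity(this_update, next_update, now,
                                     skew_sec, max_age_sec)
    if not ok:
        return False, reason
    return True, "accepted"


if __name__ == "__main__":
    nonce = b"\x01\x02\x03\x04"
    # Fresh response, nonce echoed: accepted.
    print(accept_response(nonce, nonce, NOW - timedelta(hours=1),
                          NOW + timedelta(hours=23)))
    # Stale response (nextUpdate two days ago) with a matching nonce: rejected.
    print(accept_response(nonce, nonce, NOW - timedelta(days=3),
                          NOW - timedelta(days=2)))
```

The `max_age_sec` parameter matters for responders that omit nextUpdate: without it, an arbitrarily old thisUpdate would pass once the nonce matches, which is the stale-data failure mode described in the reply.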
