Peter Gutmann wrote:
> It's a "high-performance" proposal, not a high-performance proposal (in other words unmodified OCSP doesn't scale at all, so the broken version by comparison is labelled as "high-performance"). Anyway, what it does is remove replay protection, so the responder (or an outside attacker, you can't tell) replays an old response for you instead of generating a fresh one. It thus achieves better scalability at the expense of breaking the security of the protocol.
I don't agree that the security of the protocol is broken. As an OCSP responder, if I issue a response which says that a particular cert is valid for the next half an hour, I should not be unhappy if the entire world then treats it as such.
All an attacker can do (assuming they have complete control of the network) is make sure every browser respects that cert for the next half an hour, instead of just the one that was asked - i.e. they can get worst-case behaviour.
However, if it's only the web server asking for responses rather than every single client of the web server, the OCSP responder can be handing out 5-minute or 2-minute expiry responses rather than the 1 hour or 1 day responses it would need to hand out if it were being flattened by a ridiculous number of clients. So the attacker hasn't got much to tout around after the cert gets revoked - they only get an extra 5 minutes of use.
Therefore, arguably, security is increased by eliminating the nonce.

Gerv

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
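The trade-off argued above, as an added toy model that is not code from either poster: a responder that signs "good"/"revoked" answers with a validity window, an attacker who captures the last pre-revocation "good" answer and replays it, and a relying party that checks signature, serial, validity window and (optionally) an echoed nonce. The model assumes integer-second timestamps and uses an HMAC under a shared key as a stand-in for the responder's real signature; real OCSP carries the nonce as an extension in ASN.1 responses, none of which is modelled here. What it shows is the claim in the thread: without a nonce the replay window after revocation is exactly whatever remains of the nextUpdate window, so a 5-minute validity leaves an attacker far less than a 1-hour one, while nonce-checking clients reject the replay outright.

```python
"""Toy model of the OCSP replay argument: validity window vs. nonce.

Added example, not from the mailing list thread. The "signature" is an
HMAC under a shared key standing in for the responder's signature, and
timestamps are plain integer seconds (both are assumptions of the model).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

RESPONDER_KEY = b"toy-responder-key"  # assumption: stands in for the signing key


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: str             # "good" or "revoked"
    this_update: int        # seconds
    next_update: int        # seconds; accepted while now < next_update
    nonce: Optional[bytes]  # echoed client nonce, or None if none was sent
    signature: bytes

    @staticmethod
    def tbs_bytes(serial, status, this_update, next_update, nonce) -> bytes:
        """The fields the signature covers (a stand-in for the DER TBS)."""
        return f"{serial}|{status}|{this_update}|{next_update}|{(nonce or b'').hex()}".encode()

    def tbs(self) -> bytes:
        return self.tbs_bytes(self.serial, self.status, self.this_update,
                              self.next_update, self.nonce)


class Responder:
    """Signs status responses; echoes a nonce only if the request carried one."""

    def __init__(self, validity_seconds: int):
        self.validity = validity_seconds
        self.revoked: set = set()

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def respond(self, serial: int, now: int, nonce: Optional[bytes] = None) -> OcspResponse:
        status = "revoked" if serial in self.revoked else "good"
        this_update, next_update = now, now + self.validity
        tbs = OcspResponse.tbs_bytes(serial, status, this_update, next_update, nonce)
        sig = hmac.new(RESPONDER_KEY, tbs, hashlib.sha256).digest()
        return OcspResponse(serial, status, this_update, next_update, nonce, sig)


def client_accepts(resp: OcspResponse, serial: int, now: int,
                   expected_nonce: Optional[bytes]) -> bool:
    """What a relying party checks before treating the certificate as good."""
    expected_sig = hmac.new(RESPONDER_KEY, resp.tbs(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, resp.signature):
        return False
    if resp.serial != serial:
        return False
    if not (resp.this_update <= now < resp.next_update):
        return False
    # A client that sent a nonce must see it echoed back; without this
    # check any still-valid old response can be replayed at it.
    if expected_nonce is not None and resp.nonce != expected_nonce:
        return False
    return resp.status == "good"


def replay_window_after_revocation(validity_seconds: int, clients_use_nonce: bool,
                                   revoked_at: int = 60) -> int:
    """Seconds after revocation during which the last pre-revocation "good"
    response (issued at t=0, captured by the attacker) is still accepted by
    a client checking once per second."""
    responder = Responder(validity_seconds)
    serial = 0x1234
    # Nonce-less responses are the cacheable, one-answer-for-everyone kind
    # (the stapling / "high-performance" model); the attacker records one.
    captured = responder.respond(serial, now=0, nonce=None)
    responder.revoke(serial)
    accepted = 0
    for now in range(revoked_at, revoked_at + validity_seconds + 1):
        expected = os.urandom(16) if clients_use_nonce else None
        if client_accepts(captured, serial, now, expected):
            accepted += 1
    return accepted


if __name__ == "__main__":
    for validity in (300, 3600):
        print(f"validity {validity}s, no nonce: replay accepted for "
              f"{replay_window_after_revocation(validity, False)}s after revocation")
    print(f"validity 300s, nonce-checking clients: "
          f"{replay_window_after_revocation(300, True)}s")
```

Note that the model confirms both halves of the argument at once: the nonce buys a zero-second window, but a server-fetched 5-minute response bounds the attacker to the few minutes left on that response, against the better part of an hour for a 1-hour response issued under client-driven load. A client that does not verify the echoed nonce (or a responder that silently ignores it) gets the nonce-less numbers regardless of what was sent.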
