> > Hmm, first of all, the responder (as I understood RFC 2560) should
> > always send back the exact same nonce. However, the client shouldn't
> > go crashing, it should give back an error code of some kind.
> >
>
> Yes I agree. I'll look into it.
I read the RFC very carefully. There is no sentence like "if the client
sends a nonce-extension, the server SHALL reply to it". In fact point 4.4
states:
"Support for all extensions is optional for both clients and responders."
So any OCSP-responder not answering to OCSP-nonce is completely conforming
with RFC2560. Therefore, openssl should give a warning, not an error.
ciao, Fl0
PS: The responder will go public this week. I'll announce the IP-address
here.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
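
The client-side behaviour argued for in the message above (a missing nonce in the response is a warning, a wrong nonce is an error), as an added example that is not part of the original post or of OpenSSL's code. The outcome codes follow the convention documented for OpenSSL's OCSP_check_nonce(); compare_nonce(), nonce_policy(), the require_nonce strict mode and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Outcome codes follow the convention documented for OCSP_check_nonce(). */
enum nonce_result {
    NONCE_REQ_ONLY  = -1, /* client sent a nonce, responder did not echo it */
    NONCE_MISMATCH  =  0, /* both present, values differ */
    NONCE_EQUAL     =  1, /* both present and identical */
    NONCE_ABSENT    =  2, /* neither side used the extension */
    NONCE_RESP_ONLY =  3  /* only the response carries a nonce */
};
enum verdict { ACCEPT, ACCEPT_WITH_WARNING, REJECT };

/* Constructed sample nonces, not taken from any real exchange. */
static const unsigned char REQ_NONCE[4]   = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char OTHER_NONCE[4] = { 0x01, 0x02, 0x03, 0xff };

/* Hypothetical helper: a NULL pointer means the extension is absent. */
enum nonce_result compare_nonce(const unsigned char *req, size_t req_len,
                                const unsigned char *resp, size_t resp_len)
{
    if (req == NULL && resp == NULL) return NONCE_ABSENT;
    if (req == NULL)  return NONCE_RESP_ONLY;
    if (resp == NULL) return NONCE_REQ_ONLY;
    if (req_len != resp_len) return NONCE_MISMATCH;
    return memcmp(req, resp, req_len) == 0 ? NONCE_EQUAL : NONCE_MISMATCH;
}

/* Hypothetical policy. require_nonce is an assumed strict mode for clients
 * that cannot rely on thisUpdate/nextUpdate alone for freshness. */
enum verdict nonce_policy(enum nonce_result r, int require_nonce)
{
    switch (r) {
    case NONCE_EQUAL:
    case NONCE_ABSENT:
    case NONCE_RESP_ONLY:
        return ACCEPT;
    case NONCE_REQ_ONLY:
        /* Extension support is optional (RFC 2560, 4.4): warn by default. */
        return require_nonce ? REJECT : ACCEPT_WITH_WARNING;
    default:
        return REJECT; /* a nonce that differs is never acceptable */
    }
}

int main(void)
{
    /* Responder without nonce support: expect a warning, exit status 0. */
    enum nonce_result r = compare_nonce(REQ_NONCE, sizeof REQ_NONCE, NULL, 0);
    return nonce_policy(r, 0) == ACCEPT_WITH_WARNING ? 0 : 1;
}
```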