Re: OCSP nonce was: RE: cvs commit: openssl/ssl s3_lib.c ssl.h ssl_algs.c ssl_ciph.c ssl_locl.h tls1.h
Richard Levitte - VMS Whacker, Thu, 08 Feb 2001 10:57:32 -0800

From: "Florian Oelmaier" <[EMAIL PROTECTED]>

flo> Let me try hard to think intelligently: We have a PKI. All people
flo> share the same time (i.e. using NTP). Our CA generates
flo> OCSP responses for its 10 Sub-CAs every 2 minutes with a
flo> "nextUpdate" interval of 2 minutes. As OCSP responses for Sub-CAs
flo> are used very frequently, they will be distributed all over our
flo> company every 2 minutes to 30-50 central webservers that answer
flo> OCSP requests.

Those are *your* conditions. You might as well get responses that have
"nextUpdate" intervals of an hour!

flo> What about the OCSP nonce? You don't need it, you don't want to have it.

If you don't need it or don't want it, do not use it in the request.
That's where it's optional, I believe.

flo> That's why it is optional for the responder to use it.

No, that's why it's optional *for the requestor* to use it.

flo> And any replay attack can harm you exactly 2 minutes. That's the
flo> time for a revocation to become effective in this scenario. This
flo> problem is very similar to the problem Identrus had for
flo> validating their Level-1 CAs.

Again, that's in your world.

flo> PS: for all on the list not reading IETF mailing lists:
flo> http://www.imc.org/ietf-pkix/old-archive-97/1303.html

I'm not sure that discussion explains it. Perhaps I'm too bullheaded...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35 BROMMA   \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN            \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
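The replay window the two posters argue about can be made concrete. The following is an added example, not code from the thread or from OpenSSL's OCSP implementation: it models a responder that pre-produces responses with a 2-minute nextUpdate and a client that either sends no nonce (and so accepts any response whose validity window covers the current time) or sends a nonce (and so also demands that the response echo it). Signature verification is deliberately left out, since the point under discussion is freshness, not authenticity. The clock value, the Sub-CA serial and the 10-second revocation delay are constructed for the demonstration.

```python
"""Model of the OCSP replay window: responses pre-produced every 2 minutes,
client with and without a request nonce.  Added example; not OpenSSL code.
All parties share one clock (the NTP assumption from the thread)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

T0 = datetime(2001, 2, 8, 19, 0, 0)   # constructed clock reading shared by all parties
SUBCA_SERIAL = 0x1001                 # constructed serial of one Sub-CA certificate


@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: str                       # "good" or "revoked"
    this_update: datetime
    next_update: datetime
    nonce: Optional[bytes] = None     # request nonce echoed by the responder, if any


@dataclass
class Responder:
    """Pre-produces responses valid for `interval` (2 minutes in the scenario)."""
    interval: timedelta
    revoked: set = field(default_factory=set)

    def respond(self, serial: int, now: datetime, nonce: Optional[bytes] = None) -> OCSPResponse:
        status = "revoked" if serial in self.revoked else "good"
        return OCSPResponse(serial, status, now, now + self.interval, nonce)


def accept(resp: OCSPResponse, serial: int, now: datetime,
           request_nonce: Optional[bytes] = None):
    """Client-side freshness checks.  Returns (accepted, reason).
    The nonce is only checked when the requestor chose to send one, which is
    exactly the sense in which the nonce is optional for the requestor."""
    if resp.serial != serial:
        return False, "serial mismatch"
    if not (resp.this_update <= now <= resp.next_update):
        return False, "stale"
    if request_nonce is not None and resp.nonce != request_nonce:
        return False, "nonce mismatch"
    return True, resp.status


def simulate(use_nonce: bool, seconds_after_capture: int) -> dict:
    """An attacker records a 'good' response for the Sub-CA at T0.  The Sub-CA
    is revoked shortly afterwards.  At T0 + seconds_after_capture a victim
    client asks for the Sub-CA's status and the attacker replays the recorded
    response.  Returns what the client concludes and what a fresh response
    would have said."""
    responder = Responder(interval=timedelta(minutes=2))
    original_nonce = secrets.token_bytes(16) if use_nonce else None
    captured = responder.respond(SUBCA_SERIAL, T0, original_nonce)

    responder.revoked.add(SUBCA_SERIAL)        # revocation at roughly T0 + 10 s (constructed)

    now = T0 + timedelta(seconds=seconds_after_capture)
    request_nonce = secrets.token_bytes(16) if use_nonce else None   # fresh per request
    accepted, reason = accept(captured, SUBCA_SERIAL, now, request_nonce)
    fresh = responder.respond(SUBCA_SERIAL, now, request_nonce)
    return {"accepted": accepted, "reason": reason, "fresh_status": fresh.status}


if __name__ == "__main__":
    for use_nonce, delay in [(False, 60), (False, 121), (True, 60)]:
        print(f"nonce={use_nonce!s:5} +{delay:3}s -> {simulate(use_nonce, delay)}")
```

Without a nonce, the replayed response is accepted as "good" for the full nextUpdate interval even though a fresh response would already say "revoked"; one second past nextUpdate it is rejected as stale. That is the "exactly 2 minutes" of harm from the thread, and shortening the interval (or lengthening it to an hour, as Levitte notes) moves that window directly. A client that sends a nonce rejects the replay on the first attempt, because the recorded response can only echo the nonce of the request it was originally produced for.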