From: [EMAIL PROTECTED] (Peter Gutmann)
pgut001> Given that (statistically speaking) the client will be a
pgut001> Windoze box with a time which is more or less random, the use
pgut001> of absolute timestamps doesn't add much, it would have been
pgut001> better to use nonces+relative times ("The next update is 5
pgut001> minutes from when you got this response", with an implied "If
pgut001> this response took more than a minute or so to get to you, be
pgut001> suspicious").
Sounds fine, except for the little detail that it's usually hard to
know how long it took a packet to come from A to B, let alone an OCSP
response that might (think of the really small ATM packets :-)) be
broken into pieces. From that point of view, relative time is just as
worthless (well, OK, it's probably not going to be hours unless you do
your OCSP checking by email (perfectly possible :-))).
I would rather think that one should stress the need for exact time if
any verification will be done correctly. It's pretty tough for
winblows users, because they are often not educated on this, but if
it's voiced as a crucial need today by many, we might see time
synchronicity as a standard in windows and whatnot in a couple of
years.
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: OCSP nonce was: RE: cvs commit: openssl/ssl s3_lib.c ssl.h ssl_algs.c ssl_ciph.c ssl_locl.h tls1.h
Richard Levitte - VMS Whacker Fri, 09 Feb 2001 00:06:32 -0800
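The two freshness designs argued over above, side by side, as an added example written by the editor; it is not code from the OpenSSL project or from either author in the thread. The "absolute" check is what OCSP as defined in RFC 2560 does: thisUpdate/nextUpdate compared against the client's own wall clock. The "relative" check is Gutmann's what-if: a per-request nonce echoed by the responder plus "good for N seconds from receipt", with the client measuring its own request/response round trip on a monotonic timer. The field names (this_update, next_update, nonce, valid_for), the helper names and every number in the scenario are assumptions chosen for the demonstration.

```python
"""Freshness checks for an OCSP-style status response on a client whose
wall clock may be wrong.

Editor's added example; not code from the OpenSSL project or from the
thread's authors. Field names (this_update, next_update, nonce,
valid_for) and all numbers below are assumptions for the demonstration.

  absolute : thisUpdate <= now <= nextUpdate, judged by the client's own
             wall clock (what OCSP per RFC 2560 does), with an optional
             skew tolerance;
  relative : the responder echoes the request nonce and says "good for
             N seconds from when you received this"; the client measures
             the round trip itself and refuses slow (possibly replayed)
             responses.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AbsoluteResponse:
    this_update: int  # responder wall clock, seconds since the epoch
    next_update: int


@dataclass(frozen=True)
class RelativeResponse:
    nonce: bytes    # echo of the nonce the client put in its request
    valid_for: int  # seconds the status may be trusted after receipt


def check_absolute(resp, client_now, skew_tolerance=0):
    """Validity judged purely by the client's wall clock.

    Returns (ok, reason). A clock that is wrong by more than
    skew_tolerance plus the validity window makes every response look
    either 'from the future' or 'expired'.
    """
    if client_now + skew_tolerance < resp.this_update:
        return False, "thisUpdate is in the future (client clock slow?)"
    if client_now - skew_tolerance > resp.next_update:
        return False, "nextUpdate has passed (or client clock fast)"
    return True, "fresh by wall clock"


def check_relative(resp, sent_nonce, sent_at, received_at, max_rtt):
    """Validity judged by nonce plus elapsed time on the client's own timer.

    sent_at/received_at come from a monotonic clock; the wall clock is
    never consulted. The one-way delay the thread calls unknowable is
    bounded from above by the measured round trip, which max_rtt limits.
    Returns (ok, reason, trust_until); trust_until is a monotonic-clock
    deadline, or None on failure.
    """
    if not secrets.compare_digest(resp.nonce, sent_nonce):
        return False, "nonce mismatch: replayed or unrelated response", None
    rtt = received_at - sent_at
    if rtt < 0:
        return False, "negative round trip: timer misuse", None
    if rtt > max_rtt:
        return False, f"round trip {rtt:.1f}s exceeds {max_rtt}s: delayed or replayed", None
    return True, "fresh by round trip", received_at + resp.valid_for


def new_request_nonce():
    """Per-request nonce; 16 random bytes makes guessing or reuse futile."""
    return secrets.token_bytes(16)


def demo():
    """Same scenario under both policies: responder clock at T, client wall
    clock three days fast. Returns the two verdicts (absolute, relative)."""
    T = 1_000_000
    client_wall = T + 3 * 86_400  # constructed: badly set client clock
    absolute = check_absolute(AbsoluteResponse(T, T + 600), client_wall)

    nonce = new_request_nonce()
    sent = time.monotonic()
    received = sent + 2.5  # constructed: responder answered 2.5 s later
    relative = check_relative(RelativeResponse(nonce, 300), nonce, sent, received, max_rtt=60)
    return absolute[0], relative[0]


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Run it and the skewed client rejects a perfectly good response under the absolute policy while accepting it under the relative one. The relative policy only works because of the nonce: without it, an attacker could replay an old "good" response and the client's timer would happily restart the validity window, which is why the nonce (the subject of this thread) and the relative time belong together. Levitte's objection still stands in a weaker form: the client cannot know the one-way delay, only the round trip, so max_rtt is an upper bound on how stale the status can be, not a measurement of it.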