On Thu, Feb 08, 2001 at 08:10:57PM +0100, Richard Levitte - VMS Whacker wrote:
> "Florian Oelmaier" <[EMAIL PROTECTED]>:
>>>> I read the RFC very carefully. There is no sentence like "if the client
>>>> sends a nonce-extension, the server SHALL reply to it". [...]
>>> [...] Now, tell me, if you look
>>> intelligently at it, how do you bind the request and the response to
>>> avoid replay attacks without requiring the exact same nonce to be
>>> returned? I ask you to think intelligently, not just to read the
>>> exact wording here.
>> Let me try hard to think intelligently: We have a PKI. All people
>> share the same time (i.e. using NTP). Our CA generates
>> OCSP-responses for its 10 Sub-CAs every 2 minutes with a
>> "nextUpdate" interval of 2 minutes. As OCSP-Responses for Sub-CAs
>> are used very frequently they will be distributed all over our
>> company every 2 minutes to 30-50 central webservers that answer
>> OCSP-responses.
> Those are *your* conditions. You might as well get responses that
> have "nextUpdate" intervals of an hour!
His point, I think, is that under these conditions the OCSP responders
*can't* include the client nonce. (They don't sign the responses
themselves.)
Under different conditions nonces may be essential, true. So OCSP
responders that *can* provide nonces should *always* include one, even
if the request did not include a nonce. (This is to avoid replay of
nonce-less responses to clients who sent a request with a nonce.)
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
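
The trade-off discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: a client-side freshness check showing how a replayed nonce-less response is bounded only by its nextUpdate window unless the client can insist on a nonce. The `OcspResponse` model, the `accept` function, its `require_nonce` flag and all sample times and nonces are constructed assumptions; signature verification is assumed to have already succeeded.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class OcspResponse:
    """Simplified model; signature verification is assumed to have passed."""
    cert_status: str
    this_update: datetime
    next_update: datetime
    nonce: Optional[bytes]  # None for a pre-signed, distributed response

def accept(resp, sent_nonce, now, require_nonce):
    """Client-side freshness decision. Returns (accepted, reason)."""
    if not (resp.this_update <= now <= resp.next_update):
        return False, "outside thisUpdate/nextUpdate"
    if sent_nonce is None:
        return True, "no nonce sent, validity window only"
    if resp.nonce is None:
        if require_nonce:
            return False, "nonce missing from response"
        return True, "pre-signed response, validity window only"
    if not hmac.compare_digest(resp.nonce, sent_nonce):
        return False, "nonce mismatch"
    return True, "nonce matched"

def demo():
    t0 = datetime(2001, 2, 8, 12, 0, tzinfo=timezone.utc)  # constructed
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    def old_good(minutes, n=None):
        return OcspResponse("good", t0, t0 + timedelta(minutes=minutes), n)
    later = t0 + timedelta(minutes=30)  # certificate revoked in the meantime
    return {
        # 2-minute pre-signed response replayed 30 minutes later
        "short_window_replay": accept(old_good(2), nonce, later, False)[0],
        # 1-hour response replayed: still inside its window
        "long_window_replay": accept(old_good(60), nonce, later, False)[0],
        # same replay against a client whose responder always sends nonces
        "long_window_strict": accept(old_good(60), nonce, later, True)[0],
        # replay of a response signed for somebody else's nonce
        "foreign_nonce": accept(old_good(60, b"\x01" * 16), nonce, later, True)[0],
        # live responder echoing this request's nonce
        "echoed_nonce": accept(old_good(60, nonce), nonce, later, True)[0],
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} accepted={ok}")
```

A client can only set `require_nonce` when it knows its responder always includes a nonce, which is the case the last message argues for.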