Olle Mulmo wrote:
There are a couple of remarks about nonces that I think the sophisticated security worker - especially some of the ones I was hoping to interest in this service - would not agree to. I have no problem with the language in 4.5 but the client recommendation somewhere in section 7 just says flat out don't do it -- seems contradictory. There are circumstances where real time is needed. We need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default. Your suggested modifications below will be incorporated.
We agree with you in the sense that this document should recommend some "default" OCSP behaviour, however other available options or possible configurations (like the decision of using nonces or not at all) should be mentioned and refered in section 9 where the idea of writting a "OCSP Policy" is explained. In further versions of this document we should define with more detail such "policy" and even recommend how to fine-tune OCSP clients to keep a balance between performance and security. The use of nonces is another parameter that affects the Quality of Service of an OCSP Response just as is the case for the CautionaryPeriod. -- ____________________ Jesus Luna Garcia PhD Student. Polytechnic University of Catalonia Barcelona, Spain jluna@ac.upc.edu