There are a couple of remarks about nonces that I think the sophisticated security worker - especially some of the ones I was hoping to interest in this service - would not agree to. I have no problem with the language in 4.5 but the client recommendation somewhere in section 7 just says flat out don't do it -- seems contradictory. There are circumstances where real time is needed. We need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default. Your suggested modifications below will be incorporated.
In 7.3, say OCSP clients are not recommended to include nonces except ... - or - OCSP clients should only include nonces ... in requests to local Trusted responders or other OCSP responders by prior agreement and consultation. (See section 4.5.)
In 4.5 say Some services may not support nonce requests, and in other cases it may produce intolerable burden on the OCSP responder and delay for the client application. Nonces should only be used in situations where the most up to date information is required, particularly to meet security requirements.
[Drop the "overkill" sentence - not useful.]
Olle Mulmo wrote:
There are a couple of remarks about nonces that I think the sophisticated security worker - especially some of the ones I was hoping to interest in this service - would not agree to. I have no problem with the language in 4.5 but the client recommendation somewhere in section 7 just says flat out don't do it -- seems contradictory. There are circumstances where real time is needed. We need a nuanced nonce instead.
The intended spirit of Section 7 was to say don't do it -- by default. Your suggested modifications below will be incorporated.
We agree with you in the sense that this document should recommend some "default" OCSP behaviour; however, other available options or possible configurations (like the decision of using nonces or not at all) should be mentioned and referred to in section 9, where the idea of writing an "OCSP Policy" is explained. In further versions of this document we should define such a "policy" in more detail and even recommend how to fine-tune OCSP clients to keep a balance between performance and security. The use of nonces is another parameter that affects the Quality of Service of an OCSP Response, just as is the case for the CautionaryPeriod.

--
____________________
Jesus Luna Garcia
PhD Student. Polytechnic University of Catalonia
Barcelona, Spain
jluna@ac.upc.edu
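As an added illustration of the client-side "nonce policy" discussed in this thread (example code, not part of the draft or of either message): a client sends a nonce only by prior agreement with a local trusted responder or when the application requires the most up-to-date status, and then checks the response nonce, falling back to time-based validation when the responder omits one. The `NoncePolicy` structure, the hostnames and the 24-hour window are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass(frozen=True)
class NoncePolicy:
    """Client-side nonce policy; a hypothetical structure for this example."""
    agreed_responders: frozenset            # hostnames where nonce use was agreed in advance
    require_fresh: bool = False             # application needs the most up-to-date status
    max_age: timedelta = timedelta(hours=24)  # accepted age of a response without a nonce


def should_send_nonce(policy: NoncePolicy, responder_url: str) -> bool:
    """Default is no nonce; send one only by prior agreement or when freshness is required."""
    host = urlparse(responder_url).hostname
    return policy.require_fresh or host in policy.agreed_responders


def new_nonce(nbytes: int = 16) -> bytes:
    """Unpredictable nonce, so a cached or replayed response cannot carry a matching one."""
    return secrets.token_bytes(nbytes)


def check_response(policy: NoncePolicy, sent, received, this_update: datetime, now: datetime):
    """Decide whether to accept a response.

    sent: nonce the client put in the request (or None); received: nonce found in the
    response (or None); this_update: the response's thisUpdate. Returns (accepted, reason).
    """
    if sent is not None and received is not None:
        if len(sent) == len(received) and hmac.compare_digest(sent, received):
            return True, "nonce matched: response was produced for this request"
        return False, "nonce mismatch: stale or replayed response"
    if sent is not None and policy.require_fresh:
        return False, "responder omitted the nonce but freshness was required"
    # No nonce in play (or the responder ignored it): fall back to time-based validation.
    age = now - this_update
    if age < timedelta(0) or age > policy.max_age:
        return False, "thisUpdate outside the accepted window"
    return True, "accepted on time-based validity"
```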