First, I do not think that RFC2560 is that bad. In fact I think it's one
of the most readable RFCs I've ever seen.

> Now, tell me, if you look
> intelligently at it, how do you bind the request and the response to
> avoid replay attacks without requiring the exact same nonce to be
> returned?  I ask you to think intelligently, not just to read the
> exact wording here.

Let me try hard to think intelligently: We have a PKI. All people share the
same time (i.e. using NTP). Our CA generates OCSP responses for its 10
Sub-CAs every 2 minutes with a "nextUpdate" interval of 2 minutes. As
OCSP responses for Sub-CAs are used very frequently, they will be distributed
all over our company every 2 minutes to 30-50 central webservers that serve
OCSP responses.

What about the OCSP nonce? You don't need it, you don't want to have it. That's why
it is optional for the responder to use it. And any replay attack can harm
you for exactly 2 minutes. That's the time for a revocation to become effective
in this scenario. This problem is very similar to the problem Identrus had
for validating their Level-1 CAs.

> flo> with RFC2560. Therefore, openssl should give a warning, not an error.
>
> Well, in that case, the whole nonce thing is completely useless,
> because if it's optional, you won't avoid replay attacks.

The nonce is useful if it is there; if not, you should rely on the system time.
And yes, without a nonce I cannot avoid replay attacks. But I can put them
into my overall security considerations and may get (in certain cases) a
more usable system.

PS: for all on the list not reading IETF mailing lists:
http://www.imc.org/ietf-pkix/old-archive-97/1303.html

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

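The two ways of binding an OCSP response to a request that the thread argues about, as an added Python example that is not from the original post, from OpenSSL or from RFC 2560 itself: with a nonce the client checks for an exact echo; without one it falls back to thisUpdate/nextUpdate against its own (NTP-synced) clock, which bounds how long a captured "good" answer can be replayed to the refresh interval plus whatever clock skew the client tolerates. The 2-minute refresh interval follows the post; the 30-second skew tolerance, the `require_nonce` policy switch, the `validate`/`simulate_*` helpers and the timestamps and nonce bytes are assumptions constructed for the example, and signature verification and DER encoding are left out.

```python
"""Replay-window and nonce checks for OCSP responses (added example).

Models the trade-off argued in the post: a responder that re-signs its
answers every 2 minutes with a 2-minute nextUpdate, clients with NTP-synced
clocks, and the nonce extension (id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2)
being optional for the responder. Only the freshness/nonce logic is modelled;
signature verification and the real DER/ASN.1 structures are out of scope.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed policy values (hypothetical, not from the post or from OpenSSL):
REFRESH_INTERVAL = timedelta(minutes=2)   # responder re-signs every 2 minutes, as in the post
SKEW = timedelta(seconds=30)              # clock skew the client tolerates


@dataclass(frozen=True)
class OCSPResponse:
    """The fields of a SingleResponse that matter for freshness."""
    cert_status: str                    # "good" or "revoked"
    this_update: datetime
    next_update: Optional[datetime]     # absent means "newer info may be available any time"
    nonce: Optional[bytes] = None       # echoed request nonce, if the responder chose to


def validate(resp: OCSPResponse, request_nonce: Optional[bytes], now: datetime,
             require_nonce: bool = False) -> Tuple[bool, str]:
    """Decide whether a response is acceptable for the request that was just sent.

    The response is bound to the request either by the nonce (exact match) or,
    failing that, by the thisUpdate/nextUpdate window against the local clock.
    """
    if request_nonce is not None and resp.nonce is not None:
        if resp.nonce != request_nonce:
            return False, "nonce mismatch: response was not produced for this request"
        return True, "bound by nonce"
    if require_nonce:
        # The "error, not warning" stance from the thread: no nonce, no acceptance.
        return False, "policy requires a nonce and the responder did not echo one"
    # No nonce binding: only the time window limits how long a captured response is usable.
    if resp.this_update > now + SKEW:
        return False, "thisUpdate is in the future (clock skew or forged timestamp)"
    if resp.next_update is None:
        return False, "no nonce and no nextUpdate: response could be replayed indefinitely"
    if now > resp.next_update + SKEW:
        return False, "nextUpdate has passed: stale or replayed response"
    return True, "bound by time window"


def max_replay_window(interval: timedelta = REFRESH_INTERVAL, skew: timedelta = SKEW) -> timedelta:
    """Longest time a captured 'good' answer stays acceptable after a revocation.

    The last 'good' response was signed at most `interval` before the responder
    learned of the revocation, and its nextUpdate lies `interval` after signing,
    so a replay stays acceptable for up to interval + skew after the revocation.
    """
    return interval + skew


def simulate_no_nonce() -> Dict[str, bool]:
    """Replay of a captured 'good' response when nobody uses the nonce.

    Constructed timeline: response signed at t0, certificate revoked at t0+30s,
    responder publishes the 'revoked' answer at its next run (t0+2min).
    """
    t0 = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)
    captured_good = OCSPResponse("good", t0, t0 + REFRESH_INTERVAL)
    open_ended = OCSPResponse("good", t0, None)          # responder set no nextUpdate
    return {
        "legit_use_at_10s": validate(captured_good, None, t0 + timedelta(seconds=10))[0],
        "replay_at_1min": validate(captured_good, None, t0 + timedelta(minutes=1))[0],   # the harm window
        "replay_at_3min": validate(captured_good, None, t0 + timedelta(minutes=3))[0],   # past nextUpdate
        "open_ended_at_1min": validate(open_ended, None, t0 + timedelta(minutes=1))[0],  # nothing bounds it
    }


def simulate_with_nonce() -> Dict[str, bool]:
    """Same captured response, but the client now sends a fresh nonce each time."""
    t0 = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)
    old_nonce = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    new_nonce = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    captured = OCSPResponse("good", t0, t0 + REFRESH_INTERVAL, nonce=old_nonce)
    no_nonce = OCSPResponse("good", t0, t0 + REFRESH_INTERVAL, nonce=None)
    now = t0 + timedelta(minutes=1)   # inside the time window, so only the nonce can stop it
    return {
        "replay_old_nonce": validate(captured, new_nonce, now)[0],
        "responder_omits_nonce_lenient": validate(no_nonce, new_nonce, now)[0],
        "responder_omits_nonce_strict": validate(no_nonce, new_nonce, now, require_nonce=True)[0],
    }


if __name__ == "__main__":
    print("replay window without nonce:", max_replay_window())
    print(simulate_no_nonce())
    print(simulate_with_nonce())
```

`require_nonce` is the warning-versus-error choice from the thread expressed as a client policy: lenient clients accept a nonce-less answer as long as it is inside its nextUpdate window, strict ones reject it outright. A response that carries neither a nonce nor a nextUpdate is rejected in both modes, because nothing would bound how long a captured copy stays usable.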