> These responses will then be distributed to many Web-Servers (not
> necessarily OCSP-Responders, see (*)!) that only distribute them. Security
> will be ensured using the time-stamps of the pre-produced response - thus
> invalidating the pre-produced response after a few minutes.
I know the standard allows this. And I know *why* (or who:) the
standard allows this. Nevertheless, once you do this, it is not OCSP.
It is deltaCRLs.
> Do the following: Give every certificate a different
> AIA, speak: different GET-URLs. Then ignore the actual request-data at
> the server and always reply with the preproduced response for this URL.
> Combined with a good DNS-Load-Balancing the fastest OCSP-responder you can
> get. You can call this setup: "abusing the possibility of replay-attacks for
> good".
That's disgusting. I sure hope Identrus isn't doing that for their
"infrastructure" certs.
> 3. If there is no nonce in the response, accept it and (only then)
> check the timestamping (weaker replacement for nonce).
No no no. First, OpenSSL has no internal code that uses OCSP. It has a
sample app that does the right thing. Second, it is *totally wrong* to
silently fall back to weaker security. The proper behavior is this:
If client wants a nonce, use it.
If reply comes back without a nonce, return warning
Allow client to log the fact, change its config, and retry without a
nonce
> Clearly document, that every OCSP-responder SHALL send nonce if possible. If
> it does not THE RESPONDER will expose itself to a replay attack. If any
> PKI-designer in the world does this, he will have a good requirement for it.
> In this special case, OPENSSL will help him in establishing a similar
> security policy by checking the timestamps.
Building PKI security on top of timestamps is about as strong as
building it on top of unsecure DNS. It would be *very wrong* for
OpenSSL to do this.
> I cannot think of any cause why a client wants to omit nonce!)
Because, unless the responder includes the nonce: *the security
guarantee of the nonce is useless.* It is also useless as a "due
diligence" proof, since it is trivial for the client to back-date his
OCSP query.
/r$
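
The client behaviour listed in the reply above (use the nonce if the client wants one, report a warning when the reply has none, accept a nonce-less reply only after the client changes its configuration and retries), as an added Python example; it is not OpenSSL code and not code from this thread. `Verdict`, `Response`, `check`, `query` and the three responders are hypothetical names, and `Response` is a constructed stand-in for a response whose signature has already been verified.

```python
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    ACCEPT = "accept"
    NONCE_MISSING = "nonce-missing"    # warning for the caller; response NOT accepted
    NONCE_MISMATCH = "nonce-mismatch"  # wrong nonce: replayed or substituted response
    STALE = "stale"


@dataclass
class Response:
    """Constructed stand-in for a parsed OCSP response whose signature is already verified."""
    this_update: float
    next_update: float
    nonce: Optional[bytes]


def check(resp: Response, sent_nonce: Optional[bytes], now: float, skew: float = 300.0) -> Verdict:
    # The validity window is checked in every mode; it is never a substitute for the nonce.
    if not (resp.this_update - skew <= now <= resp.next_update + skew):
        return Verdict.STALE
    if sent_nonce is None:      # nonce-less operation was an explicit configuration choice
        return Verdict.ACCEPT
    if resp.nonce is None:      # no silent fallback: report it and let the caller decide
        return Verdict.NONCE_MISSING
    if not hmac.compare_digest(resp.nonce, sent_nonce):
        return Verdict.NONCE_MISMATCH
    return Verdict.ACCEPT


def query(fetch: Callable[[Optional[bytes]], Response], use_nonce: bool, now: float) -> Verdict:
    nonce = os.urandom(16) if use_nonce else None
    return check(fetch(nonce), nonce, now)


# Constructed responders: one serves a pre-produced reply and ignores the request,
# one echoes the request nonce, one replays a reply made for an earlier nonce.
canned = lambda nonce: Response(1000.0, 1600.0, None)
live = lambda nonce: Response(1000.0, 1600.0, nonce)
replayed = lambda nonce: Response(1000.0, 1600.0, b"\x00" * 16)

if __name__ == "__main__":
    for name, fetch in (("canned", canned), ("live", live), ("replayed", replayed)):
        print(name, query(fetch, True, 1200.0).value, query(fetch, False, 1200.0).value)
```

A caller that receives `NONCE_MISSING` logs it and, only if its operator has switched the configuration, calls `query` again with `use_nonce=False`.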