> > Or use the trick we created for Identrus: make the nonce be the hash of 
> > the document that made you first do the OCSP query.
> 
> That doesn't prevent a replay attack, in general, of course.

If the document isn't public, then it's as good as arbitrary random bytes. 
If the document *is* public, then it would be interesting to analyze what 
"replay" would really mean given the timestamps within the OCSP message 
itself.
        /r$
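Illustrating the point above in code (an added example, not code from the thread or from OpenSSL): with a public document the hash-derived nonce repeats, so a relying party's replay defence rests on the response's own timestamps. The function names, freshness window and sample values are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

def derive_nonce(document: bytes) -> bytes:
    # The thread's proposal: nonce = hash of the document that triggered
    # the OCSP query.  Same document in, same nonce out.
    return hashlib.sha256(document).digest()

def accept_response(request_nonce: bytes, response_nonce: bytes,
                    this_update: datetime, next_update: Optional[datetime],
                    now: datetime, max_age: timedelta) -> Tuple[bool, str]:
    # Relying-party check: the nonce must echo the request, and the
    # response's own timestamps must place it inside the freshness window.
    if response_nonce != request_nonce:
        return False, "nonce mismatch"
    if now < this_update:
        return False, "thisUpdate is in the future"
    if next_update is not None and now > next_update:
        return False, "past nextUpdate"
    if now - this_update > max_age:
        return False, "older than max_age"
    return True, "fresh"

def replay_scenario() -> List[Tuple[bool, str]]:
    # Constructed sample: a public document, an OCSP response recorded
    # three days ago, and the same document checked again today.
    doc = b"-- constructed public document --"
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    max_age = timedelta(hours=24)  # assumed local freshness policy
    nonce_then = derive_nonce(doc)
    old = {"nonce": nonce_then,
           "thisUpdate": now - timedelta(days=3),
           "nextUpdate": now - timedelta(days=2)}
    nonce_now = derive_nonce(doc)  # identical: the nonce is predictable
    # Re-presenting the old response: nonce matches, timestamps do not.
    replayed = accept_response(nonce_now, old["nonce"], old["thisUpdate"],
                               old["nextUpdate"], now, max_age)
    # A genuinely fresh response carrying the same nonce passes.
    fresh = accept_response(nonce_now, nonce_now, now - timedelta(minutes=5),
                            now + timedelta(hours=12), now, max_age)
    return [(nonce_then == nonce_now, "nonce repeats for a public document"),
            replayed, fresh]

if __name__ == "__main__":
    for ok, why in replay_scenario():
        print(ok, why)
```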


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]