cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

Understanding OCSP nonce support #740

Open gdhgdhgdh opened 7 years ago

gdhgdhgdh commented 7 years ago

When reading about OCSP in general I see that each request / response pair supports the use of a nonce to help guard against replay attacks.

Hence I was surprised to read at https://github.com/cloudflare/cfssl/blob/master/ocsp/responder.go#L227 that "We don't intend to support nonces". Would you mind describing why this is the case?

rolandshoemaker commented 7 years ago

The golang x/crypto/ocsp library doesn't support the nonce extension, and using a request/response nonce prevents offline signing, as each response needs to be signed with the individual request nonce in the body, which is not performant.

Also, since OCSP responses have a built-in validity period, there are very few scenarios where a replay attack would actually be that bad.
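An added example, not part of the thread and not cfssl code: the relying-party freshness check that bounds how long a pre-signed, nonce-less OCSP response can be replayed. The `staple` type is a local stand-in for the `ThisUpdate`/`NextUpdate` fields of `ocsp.Response` in golang.org/x/crypto/ocsp; the `skew` and `maxAge` policy parameters and the sample times are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// staple is a local stand-in for the timing fields of ocsp.Response (assumption: defined here so it runs offline).
type staple struct {
	ThisUpdate time.Time
	NextUpdate time.Time // zero when the responder omitted nextUpdate
}

var (
	errNotYetValid = errors.New("ocsp: thisUpdate is in the future")
	errExpired     = errors.New("ocsp: nextUpdate has passed")
	errTooOld      = errors.New("ocsp: older than local maxAge policy")
	errUnbounded   = errors.New("ocsp: no nextUpdate and no maxAge, replay window unbounded")
)

// checkFreshness accepts r only inside its validity window. skew tolerates clock
// drift; maxAge (0 = off) is a hypothetical local policy tighter than NextUpdate.
func checkFreshness(r staple, now time.Time, skew, maxAge time.Duration) error {
	if r.ThisUpdate.After(now.Add(skew)) {
		return errNotYetValid
	}
	if r.NextUpdate.IsZero() && maxAge == 0 {
		return errUnbounded // without a nonce, nothing else limits reuse
	}
	if !r.NextUpdate.IsZero() && now.After(r.NextUpdate.Add(skew)) {
		return errExpired
	}
	if maxAge > 0 && now.Sub(r.ThisUpdate) > maxAge {
		return errTooOld
	}
	return nil
}

func main() {
	signed := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample
	r := staple{ThisUpdate: signed, NextUpdate: signed.Add(96 * time.Hour)}
	for _, h := range []time.Duration{1, 48, 97} {
		now := signed.Add(h * time.Hour)
		fmt.Println(h, checkFreshness(r, now, 5*time.Minute, 0), checkFreshness(r, now, 5*time.Minute, 24*time.Hour))
	}
}
```

A response replayed at +48h still passes the default check because it is inside the responder's own window; only the stricter `maxAge` policy rejects it.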