cfssl

Understanding OCSP nonce support

Open gdhgdhgdh opened this issue 8 years ago • 2 comments

When reading about OCSP in general I see that each request / response pair supports the use of a nonce to help guard against replay attacks.

Hence I was surprised to read at https://github.com/cloudflare/cfssl/blob/master/ocsp/responder.go#L227 that "We don't intend to support nonces" - would you mind describing why this is the case?

gdhgdhgdh, Mar 20 '17 09:03

The golang x/crypto/ocsp library doesn't support the nonce extension, and using a request/response nonce prevents offline signing, as each response needs to be signed with the individual request nonce in the body, which is not performant.

Also, since OCSP responses have a built-in validity period, there are very few scenarios where a replay attack would actually be that bad.

rolandshoemaker, Mar 25 '17 01:03

Since this issue is still open: A replay attack should not be considered "not that bad", especially when talking about protecting cryptographic operations.

Use of a NONCE for OCSP was written into section 4.4.1 in the 06/1999 OCSP standard RFC-2560 and most recently updated by the NONCE Extension standard RFC-8954 in 11/2020. Not supporting NONCE functionality is not complying with a published internet standard.

While agreed that there is a performance hit when using NONCEs, so too is there a performance hit when using TLS over Non-TLS HTTP, but we still do it in part to protect the integrity of the data, as does a NONCE w/ OCSP.

di-org, Aug 16 '24 15:08
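The trade-off discussed in this thread, as an added example that is not part of the issue or of cfssl's code: a client-side acceptance check that enforces a nonce when the responder returns one and otherwise bounds replay of a pre-signed response by its validity window. The `Response` struct, `Accept`, the `maxAge` and `skew` parameters, and rejecting a missing `nextUpdate` are assumptions of this sketch; signature verification is assumed to have happened already.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Response is a hypothetical, already signature-verified view of an OCSP
// response; the field names mirror RFC 6960 but are not cfssl's types.
type Response struct {
	ThisUpdate, NextUpdate time.Time
	Nonce                  []byte // nil when the responder omitted the extension
}

var (
	ErrNonceMismatch = errors.New("ocsp: response nonce does not match request")
	ErrNotYetValid   = errors.New("ocsp: thisUpdate is in the future")
	ErrExpired       = errors.New("ocsp: nextUpdate missing or in the past")
	ErrTooOld        = errors.New("ocsp: response older than local maxAge")
)

// Accept bounds replay of a response. A returned nonce must match; a missing
// nonce (pre-signed response) falls back to the time window, capped by maxAge.
func Accept(r Response, sentNonce []byte, now time.Time, maxAge, skew time.Duration) error {
	if r.Nonce != nil && subtle.ConstantTimeCompare(r.Nonce, sentNonce) != 1 {
		return ErrNonceMismatch
	}
	if r.ThisUpdate.After(now.Add(skew)) {
		return ErrNotYetValid
	}
	// Policy choice of this example: a response without nextUpdate is rejected.
	if r.NextUpdate.IsZero() || now.After(r.NextUpdate.Add(skew)) {
		return ErrExpired
	}
	if now.Sub(r.ThisUpdate) > maxAge+skew {
		return ErrTooOld
	}
	return nil
}

func main() {
	now := time.Date(2024, 8, 16, 15, 0, 0, 0, time.UTC) // constructed sample clock
	presigned := Response{ThisUpdate: now.Add(-2 * time.Hour), NextUpdate: now.Add(94 * time.Hour)}
	fmt.Println(Accept(presigned, []byte("n1"), now, 24*time.Hour, 5*time.Minute))
	// Replayed 3 days later: still inside nextUpdate, but the local maxAge rejects it.
	fmt.Println(Accept(presigned, []byte("n2"), now.Add(72*time.Hour), 24*time.Hour, 5*time.Minute))
}
```

Without a nonce, the replay window is whatever the responder's validity period allows unless the client applies its own tighter age limit, which is what `maxAge` models here.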