
Re: I-D Action:draft-ietf-pkix-ocspagility-02.txt



Inline:


On 09-08-16 3:58 PM, "Sean Turner" <turners@xxxxxxxx> wrote:

> 
> Is this ID intended to be an update of RFC 2560?  If so, then it should
> indicate as much on the 1st page's header.
> 

Yes it should, I'll add.

> Shouldn't this be standards track and not informational track
> (http://www.ietf.org/proceedings/73/minutes/pkix.htm)?
> 
I think that is also correct. I'll update unless I hear objections.

> Sec 3: In the para after the ASN.1 snippet, I think we should add "The
> object identifiers (OIDs) are listed in order of their preference" or
> something similar.
> 

Good suggestion.

> Sec 4.1 bullet #5 makes me ask if the required algorithms in this
> version of OCSP (RFC 2560) are DSA/RSA (must/should) with SHA-1 (must),
> then are responses signed with RSA and SHA-256 considered non-compliant
> with RFC 2560? 

No, I can't see that the draft claims this, or that we would like to say
this. First of all, this list is optional (given by the first sentence of
4.1).

> Also, the requirements in Sec 4.3 of RFC 2560 are for
> the client with the exception of SHA-1 so it seems like there might be a
> disconnect because there is no explicit server musts use X algorithm.
> 
Well, the server would naturally select one algorithm that is supported by
the clients.

But with respect to the OCSP agility document, maybe we could improve the
guidelines if we say the following instead:

   5.  Using a mandatory or recommended signing algorithm specified for
       the version of the OCSP protocol in use.


/Stefan