
Re: I-D Action:draft-ietf-pkix-ocspagility-01.txt



Thanks Seth. Good catches both of them.

Comments in line.


On 09-08-14 4:47 PM, "Seth Hitchings" <shitchings@xxxxxxxxxxxxxx> wrote:

> 
> Hi Stefan,
> 
> I have two reasonably straightforward comments.
> 
> 1. Section 3 defines an OCSP request extension, but neglects to specify
> which of the two extension lists (requestExtensions or
> singleRequestExtensions) the extension should be included in.
> 

As this is a declaration of the general preference of the client, it must be
included in requestExtensions.

I'll add a note.

> 2. Section 4.1, item 3 refers to the "signing algorithm used to sign the
> CertID specified in the query", however, the CertID is not signed. Is
> this meant to specify that the server use the signing algorithm used by
> the client to sign the entire OCSPRequest, or to specify that the server
> use the signing algorithm used by the CA to sign the certificate
> identified by the CertID? If the answer is the latter, what is the
> expected behavior if the request queries multiple certificates that were
> signed using different signature algorithms?
> 

It's meant to specify the signing algorithm used to sign the request if the
request is signed.

> Thanks,
> Seth Hitchings
> CoreStreet, Ltd.
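The placement question above comes down to which of the two Extensions lists in an OCSPRequest carries the extension: requestExtensions ([2] EXPLICIT in TBSRequest, one list for the whole request) or singleRequestExtensions ([0] EXPLICIT in each Request, one list per CertID). The following stdlib-only Python is an added illustration, not code from this thread or from the draft: it hand-encodes an unsigned OCSPRequest both ways and then walks the DER to report where a given extension OID actually sits, which is the check a responder would run before trusting the client's stated preference. The OID 1.3.6.1.5.5.7.48.1.8 and the PreferredSignatureAlgorithm layout (sigIdentifier, with certIdentifier omitted) are taken from the eventual RFC 6277 and are assumptions here, as are the constructed issuer name and key placeholders.

```python
"""Encode unsigned OCSPRequest DER with PreferredSignatureAlgorithms placed in
requestExtensions [2] (correct) or singleRequestExtensions [0] (wrong), and
decode it again to locate the extension. Minimal hand-rolled DER, stdlib only."""
import hashlib

# Assumed OID values (RFC 6277 / RFC 2560 / PKCS#1), not taken from the draft text.
OID_PREF_SIG_ALGS = "1.3.6.1.5.5.7.48.1.8"   # id-pkix-ocsp-pref-sig-algs
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"      # sha256WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"         # sha1WithRSAEncryption
NULL = b"\x05\x00"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # base-128, continuation bit on all but the last byte
    return _tlv(0x06, bytes(out))

def _seq(*parts): return _tlv(0x30, b"".join(parts))
def _octet(b): return _tlv(0x04, b)
def _explicit(n, body): return _tlv(0xA0 | n, body)  # [n] EXPLICIT, constructed
def _int(n): return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # non-negative only
def _alg_id(o, params=NULL): return _seq(_oid(o), params)

def _extension(extn_id, value_der):
    # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE (omitted), extnValue OCTET STRING }
    return _seq(_oid(extn_id), _octet(value_der))

def preferred_signature_algorithms(sig_oids):
    # SEQUENCE OF SEQUENCE { sigIdentifier AlgorithmIdentifier, certIdentifier OPTIONAL (omitted) }
    # Layout assumed from RFC 6277's final form.
    return _seq(*[_seq(_alg_id(o)) for o in sig_oids])

def cert_id(issuer_name_der, issuer_key_bits, serial):
    return _seq(_alg_id(OID_SHA1), _octet(hashlib.sha1(issuer_name_der).digest()),
                _octet(hashlib.sha1(issuer_key_bits).digest()), _int(serial))

def build_ocsp_request(cert_ids, request_exts=(), single_exts=()):
    """Unsigned OCSPRequest; single_exts[i] holds the extensions attached to cert_ids[i]."""
    requests = []
    for i, cid in enumerate(cert_ids):
        parts = [cid]
        exts = single_exts[i] if i < len(single_exts) else ()
        if exts:
            parts.append(_explicit(0, _seq(*exts)))       # singleRequestExtensions [0]
        requests.append(_seq(*parts))
    tbs = [_seq(*requests)]                                # requestList
    if request_exts:
        tbs.append(_explicit(2, _seq(*request_exts)))      # requestExtensions [2]
    return _seq(_seq(*tbs))                                # OCSPRequest { tbsRequest }

# --- minimal DER reader -----------------------------------------------------
def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def _extension_oids(exts_body):
    return [_decode_oid(_children(ext)[0][1]) for _, ext in _children(exts_body)]

def extension_placement(ocsp_request_der):
    """Return (request-level extension OIDs, [per-Request extension OIDs, ...])."""
    tbs_body = _children(_children(ocsp_request_der)[0][1])[0][1]
    request_level, per_request = [], []
    for tag, val in _children(tbs_body):
        if tag == 0x30:                                  # requestList
            for _, req in _children(val):
                single = [_extension_oids(_children(v)[0][1])
                          for t, v in _children(req) if t == 0xA0]
                per_request.append(single[0] if single else [])
        elif tag == 0xA2:                                # requestExtensions
            request_level = _extension_oids(_children(val)[0][1])
    return request_level, per_request

def pref_sig_algs_placed_correctly(ocsp_request_der):
    request_level, per_request = extension_placement(ocsp_request_der)
    return (OID_PREF_SIG_ALGS in request_level
            and not any(OID_PREF_SIG_ALGS in s for s in per_request))

def example_requests():
    # Constructed placeholders standing in for the issuer's DER Name and public key bits.
    cids = [cert_id(b"constructed issuer name", b"constructed issuer key", s) for s in (0x1001, 0x1002)]
    ext = _extension(OID_PREF_SIG_ALGS, preferred_signature_algorithms([OID_SHA256_RSA, OID_SHA1_RSA]))
    good = build_ocsp_request(cids, request_exts=[ext])
    bad = build_ocsp_request(cids, single_exts=[[ext], []])   # wrong list: attached to one CertID
    return good, bad

if __name__ == "__main__":
    good, bad = example_requests()
    print("requestExtensions placement OK:", pref_sig_algs_placed_correctly(good))
    print("singleRequestExtensions placement OK:", pref_sig_algs_placed_correctly(bad))
```

The decoder distinguishes the two lists purely by context tag: [2] directly under TBSRequest is the request-wide list, [0] inside a Request is per-CertID. A responder that only scans singleRequestExtensions would never see a preference that a conforming client put in requestExtensions, and one that honours it from singleRequestExtensions would be applying a "general preference" to a single CertID, which is the ambiguity the reply above resolves.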