draft-ietf-pkix-dpv-dpd-00.txt

[Petra Barzin <barzin@xxxxxxxxxx>]

Denis,

I carefully read draft-ietf-pkix-dpv-dpd-00.txt because we are
probably going to use it in order to build such a PKI server.
I noticed some typos in the draft and would like to suggest some
changes.

Best regards - Petra

chapter 5.2. Detailed Protocol

>   The terms imported from elsewhere are: Extensions,
>    CertificateSerialNumber, SubjectPublicKeyInfo, Name,
>    AlgorithmIdentifier, CRLReason, CompleteCertificateRefs, 
>    CompleteRevocationRefs.
Three more terms need to be imported:
     OtherCertID, CertificateValues, RevocationValues

chapter 5.2.1. Request

>   ValPolicyID :: = CHOICE {
>        policybyOId               OBJECT IDENTIFIER,
>        policybyURN               NAME }
What is the ASN.1 term "NAME"?  I only know Name, which is
a Distinguished Name. Anyhow, I'd suggest to use a GeneralName
instead of NAME:
    policybyURN              
GeneralName
 
> The value for valPolicyHash SHALL be computed on the  
> hash of the DER encoding of ValidationPolicyDef when ...
I guess you meant:
... DER encoding of ValPolicyDef, don't you?
 
> ValPolLocations :: = SEQUENCE OF Name
Again, I'd suggest to use a GeneralName:
ValPolLocations :: = SEQUENCE OF GeneralName
 
> PathValues :: = SEQUENCE {
>      certificateValues                CertificateValues,
>      revocationValues                 RevocationValues }
Move the definition to chapter 5.2.2.  Response Syntax
where it is used.
 
> validationPolicyRef is a reference to the validation 
> policy to be used.
I guess, it should be:
valPolicyRef is a reference to ...

Later on in the same paragraph:

> ... It is composed of an OID or a URN, the hash 
> algorithm to be used to compute the hash value of 
> the policy and the hash value of the policy.
add at the end of the sentence:
and optionally the locations where the policy may be retrieved from.

chapter 5.2.2.  Response Syntax

> The value for returnedRefsHash SHALL be computed 
> on the hash of the DER encoding of CertPathRefs.
Just a typo. I think it should be:
The value for pathReferencesHash SHALL ...

To make it easier to understand you could add at the end of the sentence:
... CertPathRefs which are part of the DPVResponse.

The same for the next sentence:

> The value for returnedValuesHash SHALL be computed 
> on the hash of the DER encoding of CertPathValues
The value for pathValuesHash SHALL ...
Again you could add at the end of the sentence:
... CertPathValues which are part of the DPVResponse.
 
> pathReferencesHash is a hash computed over the references of the path 
> (both the references of the certificates used and the references of 
> the revocation information used). It may also include a sequence of 
> time-stamps, if this has been requested in the request. Since only 
> the hash is included in the signature, this allows to keep signatures 
> short and does not mandate to know the values of the references of the 
> path to verify the dPVResponseStatus from the response.
... this allows to keep the whole response short and ...

The same for the next paragrah!
 

> requestExtensions is a way to allow additional elements to be 
> added later on, if needed.
responseExtensions is a way...

chapter 6.2. Detailed Protocol

One more terms needs to be imported:
     OtherCertID
 

chapter 8.2. Response

> TbsDefResponse       ::= SEQUENCE {
>     tbsResponseData                VPDefResponseData,
>     signatureAlgorithm             AlgorithmIdentifier   OPTIONAL,
>     signature                      BIT STRING            OPTIONAL,
>     certs                  [0]     EXPLICIT SEQUENCE OF Certificate
>                                        OPTIONAL }

It should be:
   TbsVPDefResponse       ::= SEQUENCE {