Minor comments on OCSP-06
Here are a few minor/editorial comments on OCSP-06. An additional
comment (on "Archive cutoff") has been separated from this list of
comments since it might generate a new thread. Some of them might be
a duplication of comments already made.
1. On page 2, in the second paragraph of section 3, a sentence
may lead one to think that once the OCSP server replies « good » the
certificate can be accepted. The only thing that is known is « not
revoked ». A better rewording would be : « An OCSP client issues a
status request to an OCSP responder and obtains a revocation status
of the certificate in question. »
2. On page 3, third paragraph before the bottom of the page. The
term « producedAt » is used but not yet introduced. For clarity of
reading a rephrasing should be made. Hereafter is a proposal : « At
the minimum, this positive response indicates that the certificate
is not revoked, but does not necessarily mean that the certificate
was ever issued or that the current time is within the certificate’s
validity interval ».
3. On page 3, second paragraph before the bottom of the page. « On
hold » is a reason code under « revoke ». In the explanations it would
be nice to remember here that « on hold » is under this category.
Here is a proposal: « The « revoked » state indicates that the
certificate has been definitively or temporarily revoked (i.e.
placed on hold). »
4. On page 4, in the fifth paragraph of the section 3.3. the
response « certRequired » is of no use any more since only a CertId
can be placed in the request. Therefore it should be deleted. [This
comment has already been made].
5. On page 6, the fifth item of the section 4.2. states : « The
response is in its validity period ». It is unclear what this
means. It may be guessed that it is the time interval
between the « thisUpdate » and « nextUpdate ». However in section
5.2.2.1. pages 9/10, nextUpdate is optional so this test cannot be
done in general. By splitting this item into two items, a better
wording would be :
6. The time at which the status being indicated is known to be
correct (thisUpdate) is sufficiently recent.
7. When available, the time at or before which newer information
will be available about the status of the certificate
(nextUpdate) is greater than the current time.
8. On page 8, in the same way « certRequired (4) » should be
deleted. [This comment has already been made]
9. On page 9, CRLReason should be expanded so that the « on hold »
status can be made visible. This is pretty important since by trying
again it is possible to get later on a « good » result.
10. On page 11, section 5.4 "Extensions" should be renumbered 6
in order to have a section dealing with all the optional extensions.
Denis
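
The split check proposed in comment 5 (thisUpdate recency always, nextUpdate only when present), combined with the points that « good » means only « not revoked » and that « on hold » may later clear, sketched as an added Python example that is not part of the original message or of the draft. The field names, the `max_age` policy value, the clock-skew allowance and the future-dated sanity check are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift

@dataclass
class SingleResponse:
    cert_status: str                          # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime] = None    # optional in the response
    revocation_reason: Optional[str] = None   # e.g. "certificateHold"

def freshness_problem(resp, now, max_age):
    """Return None if the response is fresh, else a short reason string."""
    # Extra sanity check (assumption, not in the message): reject future-dated data.
    if resp.this_update > now + SKEW:
        return "thisUpdate is in the future"
    # Always possible: thisUpdate must be sufficiently recent (local policy).
    if now - resp.this_update > max_age:
        return "thisUpdate is not sufficiently recent"
    # Only when available: nextUpdate must be greater than the current time.
    if resp.next_update is not None and resp.next_update + SKEW <= now:
        return "nextUpdate has passed"
    return None

def evaluate(resp, now, max_age):
    """Map a response to a verdict; 'good' is reported only as 'not-revoked'."""
    problem = freshness_problem(resp, now, max_age)
    if problem:
        return "stale: " + problem
    if resp.cert_status == "good":
        return "not-revoked"          # says nothing about issuance or validity dates
    if resp.cert_status == "revoked":
        if resp.revocation_reason == "certificateHold":
            return "revoked-on-hold"  # temporary; a later query may differ
        return "revoked"
    return "unknown"

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    day = timedelta(days=1)
    samples = [  # constructed sample responses
        SingleResponse("good", now - timedelta(hours=1)),
        SingleResponse("good", now - timedelta(days=3)),
        SingleResponse("good", now - timedelta(hours=1), now - timedelta(minutes=10)),
        SingleResponse("revoked", now - timedelta(hours=1), None, "certificateHold"),
    ]
    for s in samples:
        print(evaluate(s, now, day))
```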