Comments on draft-ietf-pkix-time-stamp-00.txt
A few things from my latest reading of this draft:
1) In 2.4, I think the TSTInfo ASN.1 is wrong. I believe that all of the
optional items should be tagged. With your current definition, if the nonce
and messageImprint are omitted in the response, the receiver doesn't know
if the next integer is the nonce or the serialNumber.
2) In 3.2, I do not like using port 309 for this. In the IANA registry,
that port is listed as:
entrusttime 309/tcp EntrustTime
entrusttime 309/udp EntrustTime
# Peter Whittaker <pww@entrust.com>
That is inappropriate for a standards-track document. I think you should
change the port registration.
3) In 3.3, "application/timestamp" is not registered with IANA. I believe
you should add the registration request in the draft.
4) In A, you need to fully specify the OID. Also, appendices don't have
their own references; those should go in the main reference section. Also,
according to RSA, PKCS-9 is *not* referenceable, because they are free to
add and delete items in it at any time. I suggest that you pick an OID in
some other tree.
5) In C, the security considerations and references need to be moved up to
the main document.
6) In D, I think this is too vague. For example, "Stock market information"
doesn't explain which data is used to get unpredictable results. The
combination of "the value of such-and-such index" and "at the close of
such-and-such day" might be used, but just "information" isn't enough. The
same is true for the other things in your list. My guess is that you should
just remove this and let it be specified by the particular TDA.
--Paul Hoffman, Director
--Internet Mail Consortium
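
[Added example, not part of the original message or of the draft.] Point 1 can be shown with a hand-rolled DER encoder for a hypothetical, simplified two-field structure (an assumption, not the draft's TSTInfo): two optional INTEGERs with no tags encode to identical bytes when only one is present, while context-specific tags [0] and [1] keep them apart.

```python
# Hypothetical, simplified stand-in for the structure under discussion
# (NOT the draft's TSTInfo):
#   SEQUENCE { nonce INTEGER OPTIONAL, serialNumber INTEGER OPTIONAL }
INTEGER, SEQUENCE = 0x02, 0x30
CTX_0, CTX_1 = 0x80, 0x81  # [0] IMPLICIT and [1] IMPLICIT, primitive

def tlv(tag, content):
    assert len(content) < 0x80, "demo handles short-form lengths only"
    return bytes([tag, len(content)]) + content

def int_content(value):
    assert value >= 0, "demo handles non-negative integers only"
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def encode(nonce=None, serial=None, tagged=False):
    # Untagged: both fields carry the universal INTEGER tag.
    tags = (CTX_0, CTX_1) if tagged else (INTEGER, INTEGER)
    body = b""
    for tag, value in zip(tags, (nonce, serial)):
        if value is not None:
            body += tlv(tag, int_content(value))
    return tlv(SEQUENCE, body)

def readings(der, tagged=False):
    """Return every (nonce, serial) interpretation the bytes allow."""
    assert der[0] == SEQUENCE and der[1] == len(der) - 2
    body, pos, fields = der[2:], 0, []
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        fields.append((tag, int.from_bytes(body[pos + 2:pos + 2 + length], "big")))
        pos += 2 + length
    if tagged:
        found = dict(fields)  # the tag alone identifies the field
        return [(found.get(CTX_0), found.get(CTX_1))]
    values = [v for _, v in fields]
    if len(values) == 1:  # one untagged INTEGER: which field is it?
        return [(values[0], None), (None, values[0])]
    return [tuple(values)] if values else [(None, None)]

if __name__ == "__main__":
    # Constructed sample values; 5 is arbitrary.
    print(encode(nonce=5).hex(), encode(serial=5).hex())
    print(readings(encode(serial=5)))
    print(encode(nonce=5, tagged=True).hex(), encode(serial=5, tagged=True).hex())
    print(readings(encode(serial=5, tagged=True), tagged=True))
```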