Draft: draft-ietf-pkix-lightweight-ocsp-profile-05
Reviewer: Ron Bonica [rbonica@juniper.net]
Review Date: Wednesday 7/5/2006 1:23 PM CST
IETF LC Date: 6/29/2006

Summary: This document is almost ready for publication as an Informational RFC. However, I do have a few small questions, listed below:

1: Something about the formatting of this document caused the IETF ID Nit-checker to go off the deep end. It detects the following problems when many of them do not exist.

idnits 1.103

tmp/draft-ietf-pkix-lightweight-ocsp-profile-05.txt:

  Checking nits according to http://www.ietf.org/ID-Checklist.html:

  * The document seems to lack a Security Considerations section.
  * The document seems to lack an IANA Considerations section.
  * The document seems to lack an Authors' Addresses Section.

  Checking conformance with RFC 3978/3979 boilerplate...
  the boilerplate looks good.

  * There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document.

  Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt:

  Nothing found here (but these checks do not cover all of 1id-guidelines.txt yet).

  Miscellaneous warnings:

  None.

  Experimental warnings:

  - Missing Reference: 'OCSP' is mentioned on line 616, but not defined
  - Missing Reference: 'OCSPMP' is mentioned on line 634, but not defined
  - Missing Reference: 'RFC2119' is mentioned on line 613, but not defined
  - Missing Reference: 'PKIX' is mentioned on line 621, but not defined
  - Missing Reference: 'HTTP' is mentioned on line 609, but not defined
  - Missing Reference: 'TLS' is mentioned on line 626, but not defined
  - Missing Reference: 'TLSEXT' is mentioned on line 629, but not defined
  - Missing Reference: '0' is mentioned on line 757, but not defined
  - Missing Reference: '1' is mentioned on line 688, but not defined
  - Missing Reference: '3' is mentioned on line 841, but not defined

  Run idnits with the --verbose option for more detailed information.

2: In section 1.1.1 you mandate the use of SHA1. Why SHA-1? Are you sure that it will be strong enough in the future?

3: In Section 5, you say that clients MUST cache responses. Should that be a MUST? Why? What would happen if the client didn't cache responses?
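The two protocol points raised in questions 2 and 3, as an added worked example; it is not part of the review, the draft, or any OCSP implementation. The CertID layout follows RFC 2560 (issuerNameHash over the DER-encoded issuer Name, issuerKeyHash over the issuer's subjectPublicKey BIT STRING contents, plus the serial number). The issuer Name bytes, key bytes, serial number and timestamps are constructed sample data; the pre-produced response table, the `signature_ok` flag standing in for real signature verification, and the `PreproducedResponder` and `CachingClient` classes are simplifications assumed for the illustration. The example shows what fixing the CertID hash algorithm buys a responder that serves pre-produced responses (a client hashing with a different algorithm builds a CertID the responder never indexed) and how many round trips the caching requirement removes when a client re-validates the same certificate inside one thisUpdate/nextUpdate window.

```python
"""OCSP CertID hashing and client-side response caching (added illustration)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Tuple

# Constructed issuer Name, valid DER:
# SEQUENCE { SET { SEQUENCE { id-at-commonName, PrintableString "Test" } } }
ISSUER_NAME_DER = bytes.fromhex("300f310d300b0603550403130454657374")
# Constructed stand-in for the issuer's subjectPublicKey bits (not a real key).
ISSUER_KEY_BITS = bytes(range(32))
SERIAL = 0x1234  # constructed serial number
# Constructed thisUpdate of the pre-produced response.
ISSUED = datetime(2006, 7, 5, 12, 0, tzinfo=timezone.utc)

CertID = Tuple[str, bytes, bytes, int]


def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes,
            serial: int, algo: str = "sha1") -> CertID:
    """Build CertID as (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber)."""
    name_hash = hashlib.new(algo, issuer_name_der).digest()
    key_hash = hashlib.new(algo, issuer_key_bits).digest()
    return (algo, name_hash, key_hash, serial)


@dataclass(frozen=True)
class OCSPResponse:
    cert_status: str       # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime
    signature_ok: bool     # hypothetical flag standing in for signature verification


class PreproducedResponder:
    """Responder serving responses pre-computed and indexed by SHA-1 CertID (assumed model)."""

    def __init__(self, issued: datetime, validity: timedelta = timedelta(days=1)):
        key = cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, "sha1")
        self._table: Dict[CertID, OCSPResponse] = {
            key: OCSPResponse("good", issued, issued + validity, signature_ok=True)
        }

    def knows(self, cid: CertID) -> bool:
        return cid in self._table

    def lookup(self, cid: CertID) -> OCSPResponse:
        # A CertID built with any other hash was never pre-computed, so it misses.
        return self._table[cid]


class CachingClient:
    """Client that reuses an authoritative response until its nextUpdate passes."""

    def __init__(self, fetch: Callable[[CertID], OCSPResponse], use_cache: bool = True):
        self._fetch = fetch
        self._use_cache = use_cache
        self._cache: Dict[CertID, OCSPResponse] = {}
        self.network_requests = 0

    def status(self, cid: CertID, now: datetime) -> str:
        cached = self._cache.get(cid)
        if cached is not None and cached.this_update <= now < cached.next_update:
            return cached.cert_status      # served locally, no round trip
        self.network_requests += 1
        resp = self._fetch(cid)
        if self._use_cache and resp.signature_ok:
            self._cache[cid] = resp        # cache only responses that verified
        return resp.cert_status


RESPONDER = PreproducedResponder(ISSUED)


def responder_knows(algo: str) -> bool:
    """Is the CertID a client would build with `algo` present in the responder's table?"""
    return RESPONDER.knows(cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL, algo))


def run_checks(use_cache: bool, checks: int = 10,
               step: timedelta = timedelta(minutes=5)) -> int:
    """Validate the same certificate `checks` times, `step` apart; return responder hits."""
    client = CachingClient(RESPONDER.lookup, use_cache=use_cache)
    cid = cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)
    for i in range(checks):
        client.status(cid, ISSUED + step * i)
    return client.network_requests


if __name__ == "__main__":
    print("sha1 CertID known to responder:", responder_knows("sha1"))
    print("sha256 CertID known to responder:", responder_knows("sha256"))
    print("responder hits, 10 checks with cache:", run_checks(True))
    print("responder hits, 10 checks without cache:", run_checks(False))
    print("responder hits, 3 daily checks with cache:",
          run_checks(True, checks=3, step=timedelta(days=1)))
```

`responder_knows` contrasts the SHA-1 CertID the responder indexed with one built from SHA-256 over the same inputs; `run_checks` counts round trips for ten validations inside one validity window with and without the cache, and the daily-step call shows the cache expiring once `now` reaches nextUpdate rather than serving a stale status.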