Draft: draft-ietf-pkix-lightweight-ocsp-profile-09
Reviewer: Lucy Lynch [llynch@civil-tongue.net]
Review Date: 4/17/2007
IETF LC Date: 6/29/2006 (-05 reviewed by Ron Bonica)
IESG Telechat Date: 4/19/2007

Summary:

This draft is basically ready for publication, but has nits that should be fixed before publication.

Nits Outstanding:

  ** Obsolete normative reference: RFC 2246 (ref. 'TLS') (Obsoleted by RFC 4346)

  ** Obsolete normative reference: RFC 3546 (ref. 'TLSEXT') (Obsoleted by RFC 4366)

There is a direct reference to "3.6. Certificate Status Request" in RFC 3546 inline in the text but a diff on sec 3.6 in 3546 vs 4366 shows only a few changes in punctuation and line breaks (see attached). Is there a reason why these Refs have not been updated?

History:

The last substantive discussions of this draft on the WG list happened in 2004. A Last Call Notice was posted Thu, 15 Jun 2006 (v.05) and Ron Bonica reviewed the document at that time:

http://www.alvestrand.no/ietf/gen/reviews/draft-ietf-pkix-lightweight-ocsp-profile-05-bonica.txt

At that time the document was tagged as Informational. The document moved to "Proposed Standard" with v.07.

There have been several DISCUSS tokens set on this document and the tracker doesn't show the final resolution but given that Sam and Russ are still sitting, I'll assume that their concerns have been addressed. I note that David Kessens flagged the use of SHA1 as a requirement in a comment and I'm guessing that a change in that requirement would require an amendment to the current document if it advances to standard.

Review Comments:

One small area of confusion. Is there a potential for a gap in timely update given both a "tolerance period" (sec 3) and "using the cache-control:max-age directive (sec 5.1) in time-based calculations ??? Sorry if I'm being dense here.

Revision Only Comments:

If/when the document gets another revision, two small changes in sec. 1.2.1 OCSPResponse Structure

  "In the case a responder does not have the ability to respond"
              ^ where

and

  "case a responder only"
       ^ where