Telechat Review of draft-ietf-stir-certificates-ocsp-12
review-ietf-stir-certificates-ocsp-12-secdir-telechat-hallam-baker-2026-02-09-00
| Request | Review of | draft-ietf-stir-certificates-ocsp |
|---|---|---|
| Requested revision | No specific revision (document currently at 12) | |
| Type | Telechat Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2026-02-17 | |
| Requested | 2026-01-30 | |
| Authors | Jon Peterson, Sean Turner | |
| I-D last updated | 2026-01-30 (Latest revision 2025-11-04) | |
| Completed reviews | Genart IETF Last Call review of -11 by Vijay K. Gurbani; Secdir IETF Last Call review of -11 by Phillip Hallam-Baker; Secdir Telechat review of -12 by Phillip Hallam-Baker | |
| Assignment | Reviewer | Phillip Hallam-Baker |
| State | Completed | |
| Request | Telechat review on draft-ietf-stir-certificates-ocsp by Security Area Directorate Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/TkfjsTal6DklO6Y4Zk1NsRtmDKQ | |
| Reviewed revision | 12 | |
| Result | Ready | |
| Completed | 2026-02-09 |
OCSP is a well-established protocol with properties that are well understood,
and the authors know it well. There are thus likely to be few surprises applying
it to an application.

The document appropriately directs the reader to the well-known privacy
concerns of using OCSP - the party providing the responder has a source for
traffic analysis.

One possible area that might deserve greater attention is the case where the
OCSP responder is operated by an entirely separate party to the CA, for
example, in a Lawful Intercept system.

Another possibility that might be worth mentioning is that, given that we
expect to be using ECDH as the signature algorithm, rather than pre-generating
actual signatures, a responder can pregenerate signing pairs {x, x.P}, then
apply them to generating signatures as needed.