Online Certificate Status Protocol Algorithm Agility
RFC 6277

Note: This ballot was opened for revision 11 and is now closed.

(Tim Polk) Yes

(Jari Arkko) (was Discuss) No Objection

(Ron Bonica) No Objection

(Stewart Bryant) No Objection

(Ralph Droms) No Objection

(Adrian Farrel) (was Discuss) No Objection

Comment (2011-01-05)
The RFC Editor will ask you to remove the citation from the Abstract. 

---

http://www.rfc-editor.org/rfc-style-guide/abbrev.expansion.txt shows 
that OCSP is not a "well-known" acronym. So could you please expand it 
in the document title, the Abstract, and on first use in Section 2.

---

A number of other acronyms are used without expansion.
CA
CRL
DSA

---

Section 5.1

Did you think of splitting option 5 into:
  5. select a mandatory algorithm
  6. select a recommended algorithm
since there is a very marked difference in the likelihood of success.

(Russ Housley) No Objection

(Alexey Melnikov) No Objection

Comment (2011-01-04)
In Section 4:

   The client MUST support each of the specified preferred signature
   algorithms and the client MUST specify the algorithms in the order of
   preference.

I think this is not actually saying what the order is. I suggest adding something like
"from the most preferred to the least preferred"


8.3. Denial of Service Attack

   Algorithm agility mechanisms defined in this document introduces a
   slightly increased attack surface for Denial of Service attacks where
   the client request is altered to require algorithms that are not
   supported by the server, alternatively does not match pre-generated
   responses.

The last part (after the final comma) is not readable.


[NEWASN] - is this a Downref? If it is (and it wasn't explicitly called out during the IETF LC), is [NEWASN] in the Downref registry?
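The two points raised in this comment (the preference list in Section 4 runs from most to least preferred, and Section 8.3's concern that a tampered request can force the responder off its supported or pre-generated algorithms) are easier to see in code. The block below is an added illustration written for this page, not code from RFC 6277 or the draft. It simplifies the responder's decision to two steps (walk the client's ordered preferences, then fall back to an assumed mandatory algorithm); the real Section 5.1 procedure has more steps, and the algorithm names and the `Responder` structure are assumptions for the example.

```python
"""Illustrative responder-side selection of the OCSP response signature
algorithm from a client's ordered preference list.

Added example, not code from RFC 6277 or the draft. The decision order
(client preferences first, then an assumed mandatory algorithm) is a
simplification of the draft's Section 5.1 procedure.
"""

from dataclasses import dataclass, field

# Assumed mandatory fallback algorithm (a stand-in name, not taken from the page).
MANDATORY_ALGORITHM = "sha256WithRSAEncryption"


@dataclass
class Responder:
    """Hypothetical responder state used for the example."""
    supported: frozenset                      # algorithms it can sign with
    pregenerated: dict = field(default_factory=dict)  # alg -> cached response bytes


def select_signature_algorithm(client_prefs, responder):
    """Pick the algorithm the responder will sign with.

    client_prefs is the client's list ordered from most preferred to least
    preferred (the ordering the comment above asks Section 4 to spell out).
    Returns (algorithm, reason). The first client-listed algorithm the
    responder supports wins; otherwise the assumed mandatory algorithm is used.
    """
    seen = set()
    for alg in client_prefs:
        if alg in seen:          # tolerate duplicates in a malformed list
            continue
        seen.add(alg)
        if alg in responder.supported:
            return alg, "client-preference"
    if MANDATORY_ALGORITHM not in responder.supported:
        raise ValueError("responder cannot sign with the mandatory algorithm")
    return MANDATORY_ALGORITHM, "mandatory-fallback"


def plan_response(client_prefs, responder):
    """Decide whether a cached response can be served or a fresh signature is needed.

    This is the Section 8.3 concern in miniature: a request altered to list
    only algorithms with no pre-generated response forces a fresh signing
    operation, which costs the responder more than serving a cached blob.
    """
    alg, reason = select_signature_algorithm(client_prefs, responder)
    action = "serve-pregenerated" if alg in responder.pregenerated else "sign-fresh"
    return {"algorithm": alg, "reason": reason, "action": action}


if __name__ == "__main__":
    # Constructed sample responder: supports two algorithms, caches one.
    resp = Responder(
        supported=frozenset({"sha256WithRSAEncryption", "ecdsa-with-SHA256"}),
        pregenerated={"sha256WithRSAEncryption": b"<cached DER response>"},
    )
    print(plan_response(["ecdsa-with-SHA256", "sha256WithRSAEncryption"], resp))
    print(plan_response(["dsa-with-sha1"], resp))
    print(plan_response([], resp))
```

Run with a preference list whose first entry is supported but not cached and the plan is `sign-fresh`; with an empty or entirely unsupported list it falls back to the mandatory algorithm and can serve the cached response. A responder that wants to bound the cost of the Section 8.3 attack would cap the list length and rate-limit fresh signings per client.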

(Peter Saint-Andre) No Objection

Comment (2011-01-05)
1. Section 8.1 uses the phrases "considered unacceptably insecure" and "not considered acceptably secure". Are these equivalent?

2. In Section 8.3, please consider citing RFC 4732 on the concept of denial of service attacks.

(Robert Sparks) No Objection

(Sean Turner) Recuse

Comment (2011-01-04)
I am going to recuse myself from this draft because I was involved in proposing the ASN.1 structure.  I don't consider that an insignificant contribution.  I am however happy with this draft.