X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
draft-ietf-pkix-rfc2560bis-20

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: RFC Editor <rfc-editor@rfc-editor.org>,
    pkix mailing list <pkix@ietf.org>,
    pkix chair <pkix-chairs@tools.ietf.org>
Subject: Protocol Action: 'X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP' to Proposed Standard (draft-ietf-pkix-rfc2560bis-20.txt)

The IESG has approved the following document:
- 'X.509 Internet Public Key Infrastructure Online Certificate Status
   Protocol - OCSP'
  (draft-ietf-pkix-rfc2560bis-20.txt) as Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509)
Working Group.

The IESG contact persons are Sean Turner and Stephen Farrell.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/


Ballot Text

Technical Summary

This document specifies a protocol used by a relying party to determine
the current status of a digital certificate without requiring the RP to
acquire a CRL. Additional mechanisms addressing PKIX operational
requirements are specified in separate documents. This document
obsoletes RFC 2560 and RFC 6277, and updates RFC 5912. 

Working Group Summary

This draft represents a long WG process that was initiated through
publication of "draft-cooper-pkix-rfc2560bis-00.txt" in June 2010. That
initial document was a complete re-write of the OCSP document while
remaining bits-on-the-wire compatible with RFC 2560. It is very hard
to demonstrate that all requirements of a complete re-write are
backwards compatible with the original RFC, so the WG agreed to adopt a
new approach: only errors and ambiguities in the original would
be addressed, and the structure of the original document would be
preserved as much as possible. Since the change of direction and
authorship in 2012, the document has progressed in its current form.

A major question for this document was posed by the CA/Browser Forum
(CABF) as a result of the compromise of the CA DigiNotar. In that
compromise, the designated OCSP responder continued to respond "good"
for certificates that DigiNotar had no record of issuing. This caused
the CABF to issue requirements on the behavior of OCSP responders that
were not fully supported by RFC 2560. This was thoroughly debated in the
WG. A straw poll demonstrated a strong majority for the following way of
dealing with this problem: if an OCSP responder receives a query for a
certificate that was not issued by the CA in question, and the responder
is aware of this, the responder should reply to the request as though
the certificate in question had been revoked. This WG decision has
dominated the process of concluding this document.
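The following is an added example, not text or code from the draft or from the datatracker page. It models the responder decision described above for a CA whose issuance records are available to the responder: the pre-2560bis behaviour, which answers "good" for any serial absent from the revocation list (the failure mode seen with DigiNotar), is shown beside the behaviour the WG adopted, which answers "revoked" for a serial the CA is known never to have issued. The serial numbers and revocation entries are constructed for the demonstration; the revocation reason certificateHold (6) and the revocationTime of 1 January 1970 used for non-issued serials are taken from the published RFC 6960 text, not from this announcement.

```python
"""Responder status decision for 'non-issued' certificates (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The three CertStatus values of an OCSP SingleResponse.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Values the published RFC 6960 mandates for a non-issued serial
# (assumption drawn from the RFC, not from the announcement page).
CERTIFICATE_HOLD = 6
NON_ISSUED_REVOCATION_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SingleResponse:
    """Minimal model of one SingleResponse entry."""
    serial: int
    status: str
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[int] = None
    # Models the extended-revoked-definition extension: set only when
    # "revoked" is being used to cover a never-issued serial.
    extended_revoked: bool = False


class CaRecords:
    """Constructed stand-in for a CA's issuance and revocation databases."""

    def __init__(self, issued, revoked):
        self.issued = set(issued)
        self.revoked = dict(revoked)  # serial -> (revocation time, reason code)


def rfc2560_style_status(records: CaRecords, serial: int) -> SingleResponse:
    """Pre-2560bis behaviour: anything not on the revocation list is 'good'.

    A responder built this way keeps answering 'good' for serials the CA has
    no record of issuing, which is what the DigiNotar responder did.
    """
    if serial in records.revoked:
        when, reason = records.revoked[serial]
        return SingleResponse(serial, REVOKED, when, reason)
    return SingleResponse(serial, GOOD)


def rfc2560bis_style_status(records: CaRecords, serial: int) -> SingleResponse:
    """Behaviour adopted by the WG: a responder that is aware the CA never
    issued this serial replies as though the certificate had been revoked."""
    if serial in records.revoked:
        when, reason = records.revoked[serial]
        return SingleResponse(serial, REVOKED, when, reason)
    if serial in records.issued:
        return SingleResponse(serial, GOOD)
    # Absent from both tables: the CA has no record of issuing this serial.
    return SingleResponse(
        serial,
        REVOKED,
        NON_ISSUED_REVOCATION_TIME,
        CERTIFICATE_HOLD,
        extended_revoked=True,
    )


# Constructed sample data: two issued serials, one of them revoked for
# keyCompromise (reason 1); serial 9999 was never issued.
DEMO_RECORDS = CaRecords(
    issued=[1001, 1002],
    revoked={1002: (datetime(2011, 9, 1, tzinfo=timezone.utc), 1)},
)

if __name__ == "__main__":
    for serial in (1001, 1002, 9999):
        old = rfc2560_style_status(DEMO_RECORDS, serial)
        new = rfc2560bis_style_status(DEMO_RECORDS, serial)
        print(f"serial {serial}: RFC 2560 -> {old.status}, 2560bis -> {new.status}"
              f"{' (non-issued)' if new.extended_revoked else ''}")
```

Only a responder with access to the CA's issuance records can take the non-issued branch; a responder fed nothing but a CRL cannot distinguish "never issued" from "issued and valid", which is why the WG decision is conditioned on the responder being aware of the non-issuance.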

Document Quality

This document is of good quality and suitable for publication.
This document has deliberately retained text and the outline of RFC 2560
whenever possible, e.g., when text has not been determined to be wrong
or ambiguous. The document could have a better structure, but the WG
decided to retain the outline of the original RFC as much as possible,
to make it easier to review the changes in this update. 

Personnel

Steve Kent (PKIX cochair), Cognizant AD: Sean Turner.



RFC Editor Note