The IESG has approved the following document:

- 'X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP' (draft-ietf-pkix-rfc2560bis-20.txt) as Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509) Working Group.

The IESG contact persons are Sean Turner and Stephen Farrell.

A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/

Technical Summary

This document specifies a protocol used by a relying party (RP) to determine the current status of a digital certificate without requiring the RP to acquire a CRL. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277, and updates RFC 5912.

Working Group Summary

This draft represents a long WG process that was initiated through publication of "draft-cooper-pkix-rfc2560bis-00.txt" in June 2010. That document was a complete re-write of the OCSP specification while remaining bits-on-the-wire compatible with RFC 2560. It is very hard to demonstrate that every requirement of a complete re-write is backwards compatible with the original RFC, so the WG agreed to adopt a new approach: only errors and ambiguities in the original RFC would be addressed, and the structure of the original document would be preserved as much as possible. Since the change of direction and authorship in 2012, the document has progressed in its current form.

A major question for this document was posed by the CA Browser Forum (CABF) as a result of the compromise of the CA DigiNotar. In that compromise, the designated OCSP responder continued to respond "good" for certificates that DigiNotar had no record of issuing. This caused the CABF to issue requirements on the behavior of OCSP responders that were not fully supported by RFC 2560. This was thoroughly debated in the WG.

A straw poll demonstrated a strong majority for the following way of dealing with this problem: if an OCSP responder receives a query for a certificate that was not issued by the CA in question, and if the responder is aware of this, the responder should reply to the request as though the certificate in question has been revoked. The conclusion of this WG decision has dominated the process of concluding this document.

Document Quality

This document is of good quality and suitable for publication. It has deliberately retained the text and outline of RFC 2560 whenever possible, i.e., wherever the text has not been determined to be wrong or ambiguous. The document could have a better structure, but the WG decided to retain the outline of the original RFC as much as possible, to make it easier to review the changes in this update.

Personnel

Document Shepherd: Steve Kent (PKIX co-chair). Cognizant AD: Sean Turner.
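The responder rule the WG adopted, modelled as an added example (not text or code from the draft or this announcement): a blacklist-only responder of the RFC 2560 era beside one that knows the CA's issuance records, with a relying-party check showing why the answer has to be "revoked" rather than "unknown" to stop a certificate the CA never issued. The serial numbers and the soft-fail policy are constructed assumptions.

```python
# Added example, not part of the draft or the announcement. Serials are constructed.
from typing import Set

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class BlacklistResponder:
    """RFC 2560-era responder that only knows the CA's revoked serials.
    Everything else is reported "good", including serials the CA never
    issued, which is the DigiNotar failure mode described above."""

    def __init__(self, revoked: Set[int]):
        self.revoked = revoked

    def status(self, serial: int) -> str:
        return REVOKED if serial in self.revoked else GOOD


class IssuanceAwareResponder:
    """Responder following the WG decision: it knows which serials the CA
    issued, so a serial with no issuance record is answered as though
    revoked instead of "good"."""

    def __init__(self, issued: Set[int], revoked: Set[int]):
        self.issued = issued
        self.revoked = revoked

    def status(self, serial: int) -> str:
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued:
            return GOOD
        return REVOKED  # never issued by this CA, and the responder knows it


def relying_party_accepts(status: str, soft_fail: bool = True) -> bool:
    """RP decision: "good" passes and "revoked" fails unconditionally; only
    "unknown" depends on policy, and a soft-failing RP lets it through."""
    if status == GOOD:
        return True
    if status == REVOKED:
        return False
    return soft_fail


def rogue_certificate_outcome(rogue_serial: int = 0xBAD) -> dict:
    """Constructed scenario: a serial signed with the CA key but never
    recorded as issued, checked against both responder styles."""
    issued, revoked = {1001, 1002, 1003}, {1002}
    old = BlacklistResponder(revoked).status(rogue_serial)
    new = IssuanceAwareResponder(issued, revoked).status(rogue_serial)
    return {"rfc2560_style": relying_party_accepts(old),
            "rfc2560bis_style": relying_party_accepts(new)}
```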