I-D list for Secure Telephone Identity Revisited RSS Feed
Document changes
Feed id: urn:uuid:6b74d8df-d670-55a3-87d4-a7fd48f66829
Feed updated: 2026-02-27T03:58:08.134491+00:00

Every entry below concerns the document "OCSP Usage for Secure Telephone Identity Certificates" and carries the same categories: ietf, stir, Ben Campbell, Orie Steele, active, reviewers-ok, ok-act, iesg-eva, sub-pub.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1123168
Published/updated: 2026-02-19T15:09:27.162628+00:00
Author: Cindy Morgan
Event type: changed_state

IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122961
Published/updated: 2026-02-18T17:04:04.994212+00:00
Author: Paul Wouters
Event type: added_comment

[Ballot discuss]

I also have what I think is a minor issue to address.

Normally with OCSP, there is a concept of "hard fail" vs "soft fail", as the action for what to do when one fails to reach the OCSP server (or fails to update a staple entry). It is unclear to me what the expected behaviour is in this ecosystem, when the OCSP has been unavailable for such a time that pregenerated staples have expired. Does one just omit the OCSP staple and let the requester judge the lack of staple? Does one refuse the call? Mark it as "potential spam"? How is one client expected to respond when it sees no OCSP staple? Would it attempt to connect to the OCSP server's Distribution Point itself? What if that fails? Would a client treat a response differently if it used to get OCSP information from a server, but suddenly doesn't, versus a server that has never sent OCSP staples?

Perhaps a short paragraph in the Security Considerations Section could clarify this.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122960
Published/updated: 2026-02-18T17:04:04.994130+00:00
Author: Paul Wouters
Event type: changed_ballot_position

[Ballot Position Update] New position, Discuss, has been recorded for Paul Wouters

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122848
Published/updated: 2026-02-18T02:03:43.992905+00:00
Author: Roman Danyliw
Event type: added_comment

[Ballot comment]

Thank you to Vijay Gurbani for the GENART review.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122847
Published/updated: 2026-02-18T02:03:43.992821+00:00
Author: Roman Danyliw
Event type: changed_ballot_position

[Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122670
Published/updated: 2026-02-17T15:43:08.137344+00:00
Author: Ketan Talaulikar
Event type: added_comment

[Ballot comment]

Thanks to the authors and the WG for their work on this document.

I have a few comments to share and hope they improve the document.

1) Abstract: s/Certififcate Revocation Lists/Certificate Revocation Lists

2) Section 1: Perhaps s/implementation of credentials which identify the parties/implementation of credentials that identify the parties

3) Section 3.5: s/OCSP may provide an important optimizations/OCSP may provide important optimizations

4) Appendix C: s/decorated URI could could then verify/decorated URI could then verify

5) Appendix C: the reference to RFC6961 seems not required since it was obsoleted by RFC8446, which is being obsoleted by RFC8446bis, which is referenced right next to RFC6961?

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122669
Published/updated: 2026-02-17T15:43:08.137240+00:00
Author: Ketan Talaulikar
Event type: changed_ballot_position

[Ballot Position Update] New position, No Objection, has been recorded for Ketan Talaulikar

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122553
Published/updated: 2026-02-17T09:26:44.650281+00:00
Author: Éric Vyncke
Event type: added_comment

[Ballot comment]

# Éric Vyncke INT AD comments for draft-ietf-stir-certificates-ocsp-12
CC @evyncke

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education).

I hope that this review helps to improve the document,

Regards,

-éric

Note: these ballot comments follow the Markdown syntax of https://github.com/mnot/ietf-comments/tree/main, i.e., they can be processed by a tool to create github issues.

## COMMENTS (non-blocking)

### Spell checker

Please use a spell checker, e.g., `Certififcate` in the abstract ;-)

### Section 4.1

Why not a MUST in `Servers SHOULD return responses that would otherwise have been "unknown" as "not good" (i.e., return only "good" and "not good" responses).`, especially as the "i.e.," part seems to be mandatory.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122552
Published/updated: 2026-02-17T09:26:44.650194+00:00
Author: Éric Vyncke
Event type: changed_ballot_position

[Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122546
Published/updated: 2026-02-17T07:57:04.700854+00:00
Author: Gorry Fairhurst
Event type: added_comment

[Ballot comment]

It would be good to fix the spelling of "Certififcate" in the abstract!

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122545
Published/updated: 2026-02-17T07:57:04.700749+00:00
Author: Gorry Fairhurst
Event type: changed_ballot_position

[Ballot Position Update] New position, No Objection, has been recorded for Gorry Fairhurst

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122215
Published/updated: 2026-02-14T13:00:53.713575+00:00
Author: Deb Cooley
Event type: added_comment

[Ballot discuss]

I don't believe this is hard to fix....

General: I see no discussion in the main body of the specification about the use of a nonce to guarantee freshness (there are, however, nonces in the Appendix B examples). Is this intentional? Do you expect that an OCSP responder would generate OCSP proofs in advance (making the nonce option impossible)? In my opinion only, the removal of the nonce option makes it easier to pre-generate OCSP proofs that allow quicker distribution in fewer round trips (this eases the ability to staple OCSP). I would recommend making a statement of expectation with regard to the use/non-use of a nonce to guarantee freshness.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122214
Published/updated: 2026-02-14T13:00:53.713555+00:00
Author: Deb Cooley
Event type: added_comment

[Ballot comment]

Thanks to PHB for their secdir reviews.

Section 3, para 3: CRL partitions are mentioned without definition. The previous sentences discuss scoping mechanisms; perhaps add that these scoping mechanisms result in multiple sections of CRLs that are called partitions.

Section 8, para 2: Request/distribution of an OCSP staple is also subject to DNS attacks. An effective mitigation for the denial of service issue is to have OCSP proofs generated in advance, and load balanced, or stored in multiple locations.

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122213
Published/updated: 2026-02-14T13:00:53.713485+00:00
Author: Deb Cooley
Event type: changed_ballot_position

[Ballot Position Update] New position, Discuss, has been recorded for Deb Cooley

----------------------------------------------------------------------

Event id: urn:datatracker-ietf-org:event:1122186
Published/updated: 2026-02-14T04:21:18+00:00
Author: (System)
Event type: changed_state

IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed