ietf-wg-acme
diff --git a/‎draft-ietf-acme-acme.md‎
Lines changed: 4 additions & 4 deletions b/‎draft-ietf-acme-acme.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎rfced/draft-ietf-acme-acme.clean.xml‎
Lines changed: 22 additions & 4 deletions b/‎rfced/draft-ietf-acme-acme.clean.xml‎
Lines changed: 22 additions & 4 deletions
@@ -191,7 +191,7 @@ deploying an HTTPS server using ACME, the experience would be something like thi
   automatically downloads and installs it, potentially notifying the operator
   via email, SMS, etc.
 * The ACME client periodically contacts the CA to get updated certificates,
-  stapled Online Certificate Status Protocol (OCSP) responses, or whatever else would be required to keep the web server functional and its credentials up to date.
+  stapled Online Certificate Status Protocol (OCSP) responses {{?RFC6960}}, or whatever else would be required to keep the web server functional and its credentials up to date.
 
 In this way, it would be nearly as easy to deploy with a CA-issued certificate
 as with a self-signed certificate. Furthermore, the maintenance of that
@@ -226,7 +226,7 @@ from the client.
 # Protocol Overview
 
 ACME allows a client to request certificate management actions using a set of
-JavaScript Object Notation (JSON) messages carried over HTTPS {{!RFC8259}} {{!RFC2818}}.
+JavaScript Object Notation (JSON) messages {{!RFC8259}} carried over HTTPS {{!RFC2818}}.
 Issuance using ACME resembles a traditional CA's issuance process, in which a user creates an account,
 requests a certificate, and proves control of the domain(s) in that certificate in
 order for the CA to issue the requested certificate.
@@ -354,7 +354,7 @@ integrity for the HTTPS request URL.
 ## HTTPS Requests
 
 Each ACME function is accomplished by the client sending a sequence of HTTPS
-requests to the server, carrying JSON messages {{!RFC2818}}{{!RFC8259}}.  Use of
+requests to the server {{!RFC2818}}, carrying JSON messages {{!RFC8259}}.  Use of
 HTTPS is REQUIRED. Each subsection of
 {{certificate-management}} below describes the message formats used by the
 function and the order in which messages are sent.
@@ -2513,7 +2513,7 @@ server SHOULD set the Retry-After header field to a time after the server's
 next validation query, since the status of the challenge will not change until
 that time.
 
-Clients can explicitly request a retry by resending their response to a
+Clients can explicitly request a retry by re-sending their response to a
 challenge in a new POST request (with a new nonce, etc.). This allows clients
 to request a retry when the state has changed (e.g., after firewall rules have been
 updated). Servers SHOULD retry a request immediately on receiving such a POST
 
@@ -176,7 +176,7 @@ under http://example.com.</t>
 automatically downloads and installs it, potentially notifying the operator
 via email, SMS, etc.</t>
   <t>The ACME client periodically contacts the CA to get updated certificates,
-stapled Online Certificate Status Protocol (OCSP) responses, or whatever else would be required to keep the web server functional and its credentials up to date.</t>
+stapled Online Certificate Status Protocol (OCSP) responses <xref target="RFC6960"/>, or whatever else would be required to keep the web server functional and its credentials up to date.</t>
 </list></t>
 
 <t>In this way, it would be nearly as easy to deploy with a CA-issued certificate
@@ -213,7 +213,7 @@ from the client.</t>
 <section anchor="protocol-overview" title="Protocol Overview">
 
 <t>ACME allows a client to request certificate management actions using a set of
-JavaScript Object Notation (JSON) messages carried over HTTPS <xref target="RFC8259"/> <xref target="RFC2818"/>.
+JavaScript Object Notation (JSON) messages <xref target="RFC8259"/> carried over HTTPS <xref target="RFC2818"/>.
 Issuance using ACME resembles a traditional CA's issuance process, in which a user creates an account,
 requests a certificate, and proves control of the domain(s) in that certificate in
 order for the CA to issue the requested certificate.</t>
@@ -341,7 +341,7 @@ integrity for the HTTPS request URL.</t>
 <section anchor="https-requests" title="HTTPS Requests">
 
 <t>Each ACME function is accomplished by the client sending a sequence of HTTPS
-requests to the server, carrying JSON messages <xref target="RFC2818"/><xref target="RFC8259"/>.  Use of
+requests to the server <xref target="RFC2818"/>, carrying JSON messages <xref target="RFC8259"/>.  Use of
 HTTPS is REQUIRED. Each subsection of
 <xref target="certificate-management"/> below describes the message formats used by the
 function and the order in which messages are sent.</t>
@@ -2618,7 +2618,7 @@ server SHOULD set the Retry-After header field to a time after the server's
 next validation query, since the status of the challenge will not change until
 that time.</t>
 
-<t>Clients can explicitly request a retry by resending their response to a
+<t>Clients can explicitly request a retry by re-sending their response to a
 challenge in a new POST request (with a new nonce, etc.). This allows clients
 to request a retry when the state has changed (e.g., after firewall rules have been
 updated). Servers SHOULD retry a request immediately on receiving such a POST
@@ -4374,6 +4374,24 @@ in the use of HTTP.</t>
 
 
 
+<reference  anchor="RFC6960" target='https://www.rfc-editor.org/info/rfc6960'>
+<front>
+<title>X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP</title>
+<author initials='S.' surname='Santesson' fullname='S. Santesson'><organization/></author>
+<author initials='M.' surname='Myers' fullname='M. Myers'><organization/></author>
+<author initials='R.' surname='Ankney' fullname='R. Ankney'><organization/></author>
+<author initials='A.' surname='Malpani' fullname='A. Malpani'><organization/></author>
+<author initials='S.' surname='Galperin' fullname='S. Galperin'><organization/></author>
+<author initials='C.' surname='Adams' fullname='C. Adams'><organization/></author>
+<date year='2013' month='June'/>
+<abstract><t>This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents.  This document obsoletes RFCs 2560 and 6277.  It also updates RFC 5912.</t></abstract>
+</front>
+<seriesInfo name='RFC' value='6960'/>
+<seriesInfo name='DOI' value='10.17487/RFC6960'/>
+</reference>
+
+
+
 <reference  anchor="RFC7525" target='https://www.rfc-editor.org/info/rfc7525'>
 <front>
 <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>