RFC 2560, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", June 1999
Note: This RFC has been obsoleted by RFC 6960Source of RFC: pkix (sec)
Errata ID: 3251
Status: Held for Document Update
Publication Format(s) : TEXT
Reported By: Daniel Barclay
Date Reported: 2012-06-11
Held for Document Update by: Sean Turner
Section 184.108.40.206 says:
... They MUST reject the response if the certificate required to validate the signature on the response fails to meet at least one of the following criteria: 1. ... 2. ... 3. ...
It should say:
... They MUST reject the response if it is not the case that the certificate required to validate the signature on the response meets at least one of the following criteria: 1. ... 2. ... 3. ...
The "fails to meet at least one ... " part of the original wording is ambiguous.
It can sound like the grouping is "(fails to meet) at least one ..." rather than the (apparently) intended "fails to (meet at least one)".
Note: The submitted corrected text needs further improvement. I think it eliminates the ambiguity, but it currently is harder to follow.