[Curdle] [Technical Errata Reported] RFC8410 (6229)

RFC Errata System <rfc-editor@rfc-editor.org> Sun, 12 July 2020 15:41 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 32E723A0C59 for <curdle@ietfa.amsl.com>; Sun, 12 Jul 2020 08:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id DvWMk3eqYD0Z for <curdle@ietfa.amsl.com>; Sun, 12 Jul 2020 08:41:05 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C088E3A0C1B for <curdle@ietf.org>; Sun, 12 Jul 2020 08:41:04 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 8DD22F40745; Sun, 12 Jul 2020 08:40:32 -0700 (PDT)
To: simon@josefsson.org, ietf@augustcellars.com, rdd@cert.org, kaduk@mit.edu, daniel.migault@ericsson.com, rsalz@akamai.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: David.von.Oheimb@siemens.com, curdle@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20200712154032.8DD22F40745@rfc-editor.org>
Date: Sun, 12 Jul 2020 08:40:32 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/X-BZnOwhhNo1IMTcaePnEeFSCs8>
Subject: [Curdle] [Technical Errata Reported] RFC8410 (6229)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jul 2020 15:41:14 -0000

The following errata report has been submitted for RFC8410,
"Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure".

You may review the report below and at:

Type: Technical
Reported by: David von Oheimb <David.von.Oheimb@siemens.com>

Section: 10.2

Original Text
An example of a self-issued PKIX certificate using Ed25519 to sign an
X25519 public key would be

Corrected Text

The given example certificate is self-issued but not self-signed (which is fine because its public key cannot be used for signing).
It includes a subjectKeyIdentifier but not an authorityKeyIdentifier.

For not self-signed certificates RFC 5280 requires in section (https://tools.ietf.org/html/rfc5280#section- that the authorityKeyIdentifier is present.

Thus for such an example certificate the authorityKeyIdentifier MUST be added in order to be a conforming certificate.
Otherwise, cert chain validation will be mislead to assume that the certificate is self-signed (while usually not actually verifying this supposition).

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

RFC8410 (draft-ietf-curdle-pkix-10)
Title               : Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure
Publication Date    : August 2018
Author(s)           : S. Josefsson, J. Schaad
Category            : PROPOSED STANDARD
Source              : CURves, Deprecating and a Little more Encryption
Area                : Security
Stream              : IETF
Verifying Party     : IESG