IETF Logo Mail Archive

Re: [pkix] [Technical Errata Reported] RFC5280 (6830)

Russ Housley <housley@vigilsec.com> Wed, 02 February 2022 17:16 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EEB93A1666; Wed, 2 Feb 2022 09:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k370tUmJP2R6; Wed, 2 Feb 2022 09:16:13 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7D33A165C; Wed, 2 Feb 2022 09:16:13 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 164A4EE5B1; Wed, 2 Feb 2022 12:16:13 -0500 (EST)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id E2E81EE5B0; Wed, 2 Feb 2022 12:16:12 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20220202170813.D7560E9749@rfc-editor.org>
Date: Wed, 02 Feb 2022 12:16:11 -0500
Cc: David Cooper <david.cooper@nist.gov>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Tim Polk <wpolk@nist.gov>, "Roman D. Danyliw" <rdd@cert.org>, Ben Kaduk <kaduk@mit.edu>, Stefan Santesson <stefan@aaa-sec.com>, Corey Bonnell <corey.bonnell@digicert.com>, IETF PKIX <pkix@ietf.org>, LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6FB29781-E5A4-4706-A177-C126274F6164@vigilsec.com>
References: <20220202170813.D7560E9749@rfc-editor.org>
To: RFC Editor <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/-W0PvRbhytdhWv29z8kHchUDTyE>
Subject: Re: [pkix] [Technical Errata Reported] RFC5280 (6830)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2022 17:16:19 -0000

This seems correct to me.

> On Feb 2, 2022, at 12:08 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC5280,
> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6830
> 
> --------------------------------------
> Type: Technical
> Reported by: Corey Bonnell <corey.bonnell@digicert.com>
> 
> Section: Appendix A.1
> 
> Original Text
> -------------
> -- Note - upper bounds on string types, such as TeletexString, are
> -- measured in characters.  Excepting PrintableString or IA5String, a
> -- significantly greater number of octets will be required to hold
> -- such a value.  As a minimum, 16 octets, or twice the specified
> -- upper bound, whichever is the larger, should be allowed for
> -- TeletexString.  For UTF8String or UniversalString at least four
> -- times the upper bound should be allowed.
> 
> Corrected Text
> --------------
> -- Note - upper bounds on string types, such as TeletexString, are
> -- measured in characters.  Excepting PrintableString or IA5String, a
> -- significantly greater number of octets will be required to hold
> -- such a value.  As a minimum, 16 octets, or twice the specified
> -- upper bound, whichever is the larger, should be allowed for
> -- TeletexString.  For UTF8String or UniversalString, four
> -- times the upper bound should be allowed.
> 
> Notes
> -----
> "at least four times" is likely a holdover from RFC 3280, as the same text exists in that RFC. In RFC 3280, the definition of UTF-8 in UTF8String was normatively referencing RFC 2279, which allowed for a maximum of 6 octets to represent a single Unicode character in UTF-8. However, RFC 5280 was updated to normatively reference RFC 3629, which restricts the allowed set of characters in a UTF-8 string to match those allowed in UTF-16 (i.e., the BMP and 16 supplementary planes as opposed to all 32k planes). As a result, the maximum length for a single RFC 3629 UTF-8 character is 4 octets, rendering the guidance of "at least four times" wholly unnecessary; "four times" is sufficient in all cases.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> --------------------------------------
> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
> Publication Date    : May 2008
> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
> Category            : PROPOSED STANDARD
> Source              : Public-Key Infrastructure (X.509)
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG

v2.23.0 | Report a Bug | By Email