Re: [pkix] [Editorial Errata Reported] RFC5280 (7634)

Russ Housley <housley@vigilsec.com> Mon, 11 September 2023 19:56 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Mon, 11 Sep 2023 15:55:49 -0400
Cc: David Cooper <david.cooper@nist.gov>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Stefan Santesson <stefan@aaa-sec.com>, IETF PKIX <pkix@ietf.org>
To: ietf@nharper.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/DF9qlJtYdY7TEVTPlIid0eKrOvk>

Wow!  This has been there a long time without anyone noticing.

In checking this out, I see that CRL has the same problem:

CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

This errata should be expanded to correct both Certificate and CertificateList in the body.  The appendix is correct.

Russ


> On Sep 8, 2023, at 5:15 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC5280,
> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7634
> 
> --------------------------------------
> Type: Editorial
> Reported by: Nick Harper <ietf@nharper.org>
> 
> Section: 4.1
> 
> Original Text
> -------------
>   Certificate  ::=  SEQUENCE  {
>        tbsCertificate       TBSCertificate,
>        signatureAlgorithm   AlgorithmIdentifier,
>        signatureValue       BIT STRING  }
> 
> Corrected Text
> --------------
>   Certificate  ::=  SEQUENCE  {
>        tbsCertificate       TBSCertificate,
>        signatureAlgorithm   AlgorithmIdentifier,
>        signature            BIT STRING  }
> 
> Notes
> -----
> The definition in section 4.1 disagrees with the definition in appendix A.1 (page 116) on whether the name of the field containing the signature is "signatureValue" or "signature". This error appears in RFC 3280 and RFC 2459 as well.
> 
> The versions of X.509 in force when RFCs 2459, 3280, and 5280 were published use neither of those names. (Those versions of X.509 considered a signature to be an encrypted hash and called the field "encrypted".) The current version, ITU-T X.509 (10/2019), defines this field to be "signature" in section 6.2.1. (X.509 defines the Certificate type using a component type of SIGNATURE, which has two fields named "algorithmIdentifier" and "signature".)
> 
> In addition to changing the field name in the definition of the Certificate type in section 4.1, the title and text of subsection 4.1.1.3 should be updated to replace "signatureValue" with "signature".
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> --------------------------------------
> Title               : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
> Publication Date    : May 2008
> Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk
> Category            : PROPOSED STANDARD
> Source              : Public-Key Infrastructure (X.509)
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
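
Added example (not part of the thread or of RFC 5280): DER carries tags, lengths and values but no ASN.1 field names, so a parser sees the same tbs / AlgorithmIdentifier / BIT STRING triple in both Certificate and CertificateList whichever name the text uses for the third field. The function names and the sample bytes below are constructed for illustration.

```python
# Split a DER Certificate or CertificateList into its three top-level parts.
SEQUENCE, BIT_STRING = 0x30, 0x03

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    if first < 0x80:                      # short-form length
        length = first
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")    # 0x80 is indefinite, not DER
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def split_signed(der):
    """Return (tbs encoding, signatureAlgorithm encoding, signature octets)."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected one outer SEQUENCE, no trailing data")
    parts, pos = [], 0
    while pos < len(body):
        start = pos
        t, v, pos = read_tlv(body, pos)
        parts.append((t, v, body[start:pos]))
    if [p[0] for p in parts] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("not a tbs / AlgorithmIdentifier / BIT STRING triple")
    bits = parts[2][1]
    if not bits or bits[0] > 7:           # first octet = count of unused bits
        raise ValueError("bad BIT STRING")
    return parts[0][2], parts[1][2], bits[1:]

def tlv(tag, value):                      # short-form helper for the sample
    return bytes([tag, len(value)]) + value

# Constructed sample, not a real certificate or CRL.
TBS = tlv(0x30, tlv(0x02, b"\x01"))                   # placeholder tbs body
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))   # OID 1.3.101.112
SIG = tlv(0x03, b"\x00" + b"\xaa" * 4)                # dummy signature bits
SAMPLE = tlv(0x30, TBS + ALG + SIG)
```

The first returned element is the exact byte range a verifier hashes, which is why the split keeps the full encoding rather than the decoded value.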