Re: [pkix] [Technical Errata Reported] RFC5280 (6830)
Stefan Santesson <stefan@aaa-sec.com> Wed, 02 February 2022 20:29 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 169DD3A1EF6 for <pkix@ietfa.amsl.com>; Wed, 2 Feb 2022 12:29:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY_6aEwIFgLd for <pkix@ietfa.amsl.com>; Wed, 2 Feb 2022 12:29:13 -0800 (PST)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54C4B3A1EF4 for <pkix@ietf.org>; Wed, 2 Feb 2022 12:29:12 -0800 (PST)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 6212C2F0F322 for <pkix@ietf.org>; Wed, 2 Feb 2022 21:29:08 +0100 (CET)
Received: from s899.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 51E442E3661C; Wed, 2 Feb 2022 21:29:08 +0100 (CET)
Received: from s474.loopia.se (unknown [172.22.191.6]) by s899.loopia.se (Postfix) with ESMTP id 4D23F2C98FFD; Wed, 2 Feb 2022 21:29:08 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s934.loopia.se ([172.22.191.5]) by s474.loopia.se (s474.loopia.se [172.22.190.14]) (amavisd-new, port 10024) with LMTP id d5h4HFUSG6f2; Wed, 2 Feb 2022 21:29:07 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 85.235.7.89
Received: from [192.168.1.218] (gw.aaa-sec.ideon.se [85.235.7.89]) (Authenticated sender: mailstore2@aaa-sec.com) by s934.loopia.se (Postfix) with ESMTPSA id 617E37DCDEC; Wed, 2 Feb 2022 21:29:07 +0100 (CET)
Message-ID: <9edc4ee3-0636-9d40-fe12-07d8d106a071@aaa-sec.com>
Date: Wed, 02 Feb 2022 21:29:06 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Thunderbird/97.0
Content-Language: sv-SE
To: Russ Housley <housley@vigilsec.com>, RFC Editor <rfc-editor@rfc-editor.org>
Cc: David Cooper <david.cooper@nist.gov>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Tim Polk <wpolk@nist.gov>, "Roman D. Danyliw" <rdd@cert.org>, Ben Kaduk <kaduk@mit.edu>, Corey Bonnell <corey.bonnell@digicert.com>, IETF PKIX <pkix@ietf.org>, LAMPS <spasm@ietf.org>
References: <20220202170813.D7560E9749@rfc-editor.org> <6FB29781-E5A4-4706-A177-C126274F6164@vigilsec.com>
From: Stefan Santesson <stefan@aaa-sec.com>
Organization: 3xA Security AB
In-Reply-To: <6FB29781-E5A4-4706-A177-C126274F6164@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/J0FxjtvckWztsTDInflQLI20vbw>
Subject: Re: [pkix] [Technical Errata Reported] RFC5280 (6830)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2022 20:29:18 -0000
I agree Den 2022-02-02 kl. 18:16, skrev Russ Housley: > This seems correct to me. > >> On Feb 2, 2022, at 12:08 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: >> >> The following errata report has been submitted for RFC5280, >> "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid6830 >> >> -------------------------------------- >> Type: Technical >> Reported by: Corey Bonnell <corey.bonnell@digicert.com> >> >> Section: Appendix A.1 >> >> Original Text >> ------------- >> -- Note - upper bounds on string types, such as TeletexString, are >> -- measured in characters. Excepting PrintableString or IA5String, a >> -- significantly greater number of octets will be required to hold >> -- such a value. As a minimum, 16 octets, or twice the specified >> -- upper bound, whichever is the larger, should be allowed for >> -- TeletexString. For UTF8String or UniversalString at least four >> -- times the upper bound should be allowed. >> >> Corrected Text >> -------------- >> -- Note - upper bounds on string types, such as TeletexString, are >> -- measured in characters. Excepting PrintableString or IA5String, a >> -- significantly greater number of octets will be required to hold >> -- such a value. As a minimum, 16 octets, or twice the specified >> -- upper bound, whichever is the larger, should be allowed for >> -- TeletexString. For UTF8String or UniversalString, four >> -- times the upper bound should be allowed. >> >> Notes >> ----- >> "at least four times" is likely a holdover from RFC 3280, as the same text exists in that RFC. In RFC 3280, the definition of UTF-8 in UTF8String was normatively referencing RFC 2279, which allowed for a maximum of 6 octets to represent a single Unicode character in UTF-8. However, RFC 5280 was updated to normatively reference RFC 3629, which restricts the allowed set of characters in a UTF-8 string to match those allowed in UTF-16 (i.e., the BMP and 16 supplementary planes as opposed to all 32k planes). As a result, the maximum length for a single RFC 3629 UTF-8 character is 4 octets, rendering the guidance of "at least four times" wholly unnecessary; "four times" is sufficient in all cases. >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party >> can log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC5280 (draft-ietf-pkix-rfc3280bis-11) >> -------------------------------------- >> Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile >> Publication Date : May 2008 >> Author(s) : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk >> Category : PROPOSED STANDARD >> Source : Public-Key Infrastructure (X.509) >> Area : Security >> Stream : IETF >> Verifying Party : IESG
- [pkix] [Technical Errata Reported] RFC5280 (6830) RFC Errata System
- Re: [pkix] [Technical Errata Reported] RFC5280 (6… Russ Housley
- Re: [pkix] [Technical Errata Reported] RFC5280 (6… Stefan Santesson