[pkix] [Technical Errata Reported] RFC5272 (7629)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 04 September 2023 12:12 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61D00C14CE5D for <pkix@ietfa.amsl.com>; Mon, 4 Sep 2023 05:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level:
X-Spam-Status: No, score=0.533 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7BQ42i-QgBeM for <pkix@ietfa.amsl.com>; Mon, 4 Sep 2023 05:12:40 -0700 (PDT)
Received: from rfcpa.amsl.com (unknown [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B569EC151061 for <pkix@ietf.org>; Mon, 4 Sep 2023 05:12:40 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 9267CD683F; Mon, 4 Sep 2023 05:12:40 -0700 (PDT)
To: jimsch@nwlink.com, mmyers@fastq.com, rdd@cert.org, paul.wouters@aiven.io, kent@bbn.com, stefan@aaa-sec.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: piotr.popis@enigma.com.pl, pkix@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20230904121240.9267CD683F@rfcpa.amsl.com>
Date: Mon, 04 Sep 2023 05:12:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/QvYxgAjkNYRBStE5gsZjXYYHZCw>
Subject: [pkix] [Technical Errata Reported] RFC5272 (7629)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2023 12:12:44 -0000
The following errata report has been submitted for RFC5272, "Certificate Management over CMS (CMC)". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7629 -------------------------------------- Type: Technical Reported by: Piotr Popis <piotr.popis@enigma.com.pl> Section: 3.2.1.3.4. Original Text ------------- For the PKI Response, SignedData allows the server to sign the returning data, if any exists, and to carry the certificates and CRLs corresponding to the PKI Request. If no data is being returned beyond the certificates and CRLs, the EncapsulatedInfo and SignerInfo fields are not populated. Corrected Text -------------- For the PKI Response, SignedData allows the server to sign the returning data, if any exists, and to carry the certificates and CRLs corresponding to the PKI Request. If no data is being returned beyond the certificates and CRLs, the eContent field in the EncapsulatedContentInfo and SignerInfo fields are not populated. Only if the server is unable to sign the response (and unable to use any RecipientInfo options of the AuthenticatedData content type), and at the same time it should send a negative response, Full PKI Response SignedData type containing a CMC Status Info control MUST be returned using a CMCFailInfo with a value of internalCAError and a bodyPartID of 0, and the eContent field in the EncapsulatedContentInfo as well as SignerInfo fields MUST not be populated. Notes ----- This change is needed to comply with Errata ID 7379 (the first para) and covers the case (the second para) where the server shall send a negative response (Full PKI Response) as it is unable to sign the certificate and at the same time it is unable to sign the response itself (e.g. due to a loss in connection to the HSM). Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC5272 (draft-ietf-pkix-2797-bis-07) -------------------------------------- Title : Certificate Management over CMS (CMC) Publication Date : June 2008 Author(s) : J. Schaad, M. Myers Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Area : Security Stream : IETF Verifying Party : IESG
- [pkix] [Technical Errata Reported] RFC5272 (7629) RFC Errata System