[pkix] [Errata Verified] RFC6960 (6165)
RFC Errata System <rfc-editor@rfc-editor.org> Tue, 04 June 2024 09:52 UTC
Return-Path: <wwwrun@rfcpa.rfc-editor.org>
X-Original-To: pkix@ietf.org
Delivered-To: pkix@ietfa.amsl.com
Received: from rfcpa.rfc-editor.org (unknown [167.172.21.234]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77CC0C14F61C; Tue, 4 Jun 2024 02:52:19 -0700 (PDT)
Received: by rfcpa.rfc-editor.org (Postfix, from userid 461) id DA745C000063; Tue, 4 Jun 2024 02:52:18 -0700 (PDT)
To: yury@strozhevsky.com, sts@aaa-sec.com, mmyers@fastq.com, ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca
From: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240604095218.DA745C000063@rfcpa.rfc-editor.org>
Date: Tue, 04 Jun 2024 02:52:18 -0700
Message-ID-Hash: XCNFYFCNO5SEFHJSHSR7GLALQP32SVQT
X-Message-ID-Hash: XCNFYFCNO5SEFHJSHSR7GLALQP32SVQT
X-MailFrom: wwwrun@rfcpa.rfc-editor.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pkix.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: iesg@ietf.org, pkix@ietf.org, iana@iana.org, rfc-editor@rfc-editor.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [pkix] [Errata Verified] RFC6960 (6165)
List-Id: PKIX Working Group <pkix.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/ppEPqhzn0TeE8yQhbiEiSm3rG6s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Owner: <mailto:pkix-owner@ietf.org>
List-Post: <mailto:pkix@ietf.org>
List-Subscribe: <mailto:pkix-join@ietf.org>
List-Unsubscribe: <mailto:pkix-leave@ietf.org>
The following errata report has been verified for RFC6960, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6165 -------------------------------------- Status: Verified Type: Technical Reported by: Yury Strozhevsky <yury@strozhevsky.com> Date Reported: 2020-05-11 Verified by: Deb Cooley (IESG) Section: 1 Original Text ------------- --- Corrected Text -------------- o Appendix B.1 provides correct KeyHash type processing description. Now SHA-1 hash must be calculated for responder's public key ASN.1 value without tag, length and unused bits. Notes ----- The RFC6960 changes OCSP protocol in part of KeyHash type calculation. In RFC2560 there is the description: KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key (excluding the tag and length fields) But in Appendix B.1, which is the major OCSP descriptive module, stated: KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key -- (i.e., the SHA-1 hash of the value of the -- BIT STRING subjectPublicKey [excluding -- the tag, length, and number of unused -- bits] in the responder's certificate) The difference is in what would be under SHA-1 hash. In RFC2560 KeyHash would be calculated for entire BIT STRING value, with "unused bits" byte (first byte in BIT STRING value), but Appendix B.1 in RFC6960 states that SHA-1 hash must be calculated for BIT STRING value without "unused bits". -------------------------------------- RFC6960 (draft-ietf-pkix-rfc2560bis-20) -------------------------------------- Title : X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP Publication Date : June 2013 Author(s) : S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Stream : IETF Verifying Party : IESG
- [pkix] [Errata Verified] RFC6960 (6165) RFC Errata System