[sidr] [Technical Errata Reported] RFC6487 (6854)

RFC Errata System <rfc-editor@rfc-editor.org> Wed, 16 February 2022 17:47 UTC

To: gih@apnic.net, ggm@apnic.net, robertl@apnic.net, aretana.ietf@gmail.com, jgs@juniper.net, martin.vigoureux@nokia.com, morrowc@ops-netman.net, sandy@tislabs.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: corey.bonnell@digicert.com, sidr@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20220216174658.65B404C1CE@rfc-editor.org>
Date: Wed, 16 Feb 2022 09:46:58 -0800 (PST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/eWFJlKzoQyLRuo7a_vYxUaGC98U>
Subject: [sidr] [Technical Errata Reported] RFC6487 (6854)

The following errata report has been submitted for RFC6487,
"A Profile for X.509 PKIX Resource Certificates".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6854

--------------------------------------
Type: Technical
Reported by: Corey Bonnell <corey.bonnell@digicert.com>

Section: 4.8.1

Original Text
-------------
   The Basic Constraints extension field is a critical extension in the
   resource certificate profile, and MUST be present when the subject is
   a CA, and MUST NOT be present otherwise.

   The issuer determines whether the "cA" boolean is set.

Corrected Text
--------------
   The Basic Constraints extension field is a critical extension in the
   resource certificate profile, and MUST be present when the subject is
   a CA, and MUST NOT be present otherwise.

   If this extension is present, then the "cA" field MUST be true.

Notes
-----
The original text is contradictory. If the basicConstraints extension is prohibited in end-entity certificates, then it follows that whenever the extension is present in a certificate, that certificate is a CA certificate. If the certificate is a CA certificate, then the "cA" boolean MUST be true in all cases. It is nonsensical to allow a "cA" field value of false.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6487 (draft-ietf-sidr-res-certs-22)
--------------------------------------
Title               : A Profile for X.509 PKIX Resource Certificates
Publication Date    : February 2012
Author(s)           : G. Huston, G. Michaelson, R. Loomans
Category            : PROPOSED STANDARD
Source              : Secure Inter-Domain Routing
Area                : Routing
Stream              : IETF
Verifying Party     : IESG
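
The rule in the corrected text, written as a validator check. This is an added example, not part of the erratum or of RFC 6487; the function names, the subject_is_ca input (the certificate's role as the caller knows it from context) and the sample byte strings are assumptions constructed for illustration.

```python
# Added example (not from RFC 6487 or the erratum); all names are illustrative.

def parse_ca_flag(extn_value: bytes) -> bool:
    """Return cA from a DER-encoded BasicConstraints value.
    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                    pathLenConstraint INTEGER OPTIONAL }
    """
    if len(extn_value) < 2 or extn_value[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    length = extn_value[1]
    if length >= 0x80 or len(extn_value) != 2 + length:
        raise ValueError("bad SEQUENCE length")
    body = extn_value[2:]
    if not body or body[0] != 0x01:
        return False  # BOOLEAN omitted, so cA takes its DEFAULT FALSE
    if len(body) < 3 or body[1] != 1:
        raise ValueError("bad BOOLEAN length")
    if body[2] == 0xFF:
        return True
    if body[2] == 0x00:
        return False  # explicit FALSE: not DER, but unambiguous
    raise ValueError("non-DER BOOLEAN value")


def check_basic_constraints(subject_is_ca, extension):
    """Return a list of profile violations (empty list means compliant).
    subject_is_ca: role known to the caller from context (assumption).
    extension: None if absent, else a (critical, extn_value_der) tuple.
    """
    if extension is None:
        return ["CA certificate lacks basicConstraints"] if subject_is_ca else []
    critical, extn_value = extension
    problems = []
    if not subject_is_ca:
        problems.append("basicConstraints present in end-entity certificate")
    if not critical:
        problems.append("basicConstraints not marked critical")
    try:
        if not parse_ca_flag(extn_value):
            problems.append("basicConstraints present with cA false")
    except ValueError as exc:
        problems.append(f"malformed basicConstraints: {exc}")
    return problems


# Constructed sample extnValue encodings (not taken from real certificates).
CA_TRUE = bytes.fromhex("30030101ff")    # SEQUENCE { BOOLEAN TRUE }
CA_DEFAULT = bytes.fromhex("3000")       # empty SEQUENCE, cA defaults to FALSE
```

Under the original wording the CA_DEFAULT case (extension present, cA false) was not clearly prohibited; with the corrected text it is always reported.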