[smime] [Technical Errata Reported] RFC2634 (6563)
RFC Errata System <rfc-editor@rfc-editor.org> Wed, 28 April 2021 18:10 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9236A3A19B9 for <smime@ietfa.amsl.com>; Wed, 28 Apr 2021 11:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UYoK4d8CLTJK for <smime@ietfa.amsl.com>; Wed, 28 Apr 2021 11:10:35 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB5C3A19AA for <smime@ietf.org>; Wed, 28 Apr 2021 11:10:35 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 7FCD6F407AF; Wed, 28 Apr 2021 11:10:21 -0700 (PDT)
To: phoffman@imc.org, rdd@cert.org, kaduk@mit.edu, paul.hoffman@vpnc.org, blaker@gmail.com
X-PHP-Originating-Script: 1005:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: David.von.Oheimb@siemens.com, smime@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20210428181021.7FCD6F407AF@rfc-editor.org>
Date: Wed, 28 Apr 2021 11:10:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/3WAYknwqksLQ05v6gr9o8d9BWc0>
Subject: [smime] [Technical Errata Reported] RFC2634 (6563)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2021 18:10:40 -0000
The following errata report has been submitted for RFC2634, "Enhanced Security Services for S/MIME". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6563 -------------------------------------- Type: Technical Reported by: David von Oheimb <David.von.Oheimb@siemens.com> Section: 3 Original Text ------------- certs contains the list of certificates that are to be used in validating the message. The first certificate identified in the sequence of certificate identifiers MUST be the certificate used to verify the signature. The encoding of the ESSCertIDv2 for this certificate SHOULD include the issuerSerial field. If other constraints ensure that issuerAndSerialNumber will be present in the SignerInfo, the issuerSerial field MAY be omitted. The certificate identified is used during the signature verification process. If the hash of the certificate does not match the certificate used to verify the signature, the signature MUST be considered invalid. If more than one certificate is present, subsequent certificates limit the set of certificates that are used during validation. Corrected Text -------------- certs contains the list of certificates that are to be used in validating the message. It MUST contain at least one element. The first certificate identified in the sequence of certificate identifiers MUST be the certificate used to verify the signature. The encoding of the ESSCertIDv2 for this certificate SHOULD include the issuerSerial field. If other constraints ensure that issuerAndSerialNumber will be present in the SignerInfo, the issuerSerial field MAY be omitted. The certificate identified is used during the signature verification process. If the hash of the certificate does not match the certificate used to verify the signature, the signature MUST be considered invalid. If more than one certificate identifier is present in the sequence of ESSCertIDv2s, all certificates referenced there MUST be part of the signature validation chain. Notes ----- Some aspects of the 'certs' field of a SigningCertificateV2 attribute: SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2, policies SEQUENCE OF PolicyInformation OPTIONAL } described in the sentences quoted above are rather vague. This lead to major confusion and wrong implementations. As meanwhile has been clarified, they should be re-phrased; see suggested new version above. (One may further mandate/clarify that the certificate identifiers must be given in the same order as they are expected in the validation chain, but I think this is not important because the order should not play a critical role and will be determined by the validation chain anyway.) Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC2634 (draft-ietf-smime-ess-12) -------------------------------------- Title : Enhanced Security Services for S/MIME Publication Date : June 1999 Author(s) : P. Hoffman, Ed. Category : PROPOSED STANDARD Source : S/MIME Mail Security Area : Security Stream : IETF Verifying Party : IESG
- [smime] [Technical Errata Reported] RFC2634 (6563) RFC Errata System
- Re: [smime] [Technical Errata Reported] RFC2634 (… Megan Ferguson
- Re: [smime] [Technical Errata Reported] RFC2634 (… David von Oheimb