[smime] [Technical Errata Reported] RFC2634 (6562)
RFC Errata System <rfc-editor@rfc-editor.org> Wed, 28 April 2021 18:08 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0DBC3A198D for <smime@ietfa.amsl.com>; Wed, 28 Apr 2021 11:08:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VwKWP1nixEmV for <smime@ietfa.amsl.com>; Wed, 28 Apr 2021 11:07:57 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 489973A1996 for <smime@ietf.org>; Wed, 28 Apr 2021 11:07:57 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 7B3D3F407B3; Wed, 28 Apr 2021 11:07:43 -0700 (PDT)
To: phoffman@imc.org, rdd@cert.org, kaduk@mit.edu, paul.hoffman@vpnc.org, blaker@gmail.com
X-PHP-Originating-Script: 1005:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: David.von.Oheimb@siemens.com, smime@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20210428180743.7B3D3F407B3@rfc-editor.org>
Date: Wed, 28 Apr 2021 11:07:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/7_jJ7oiShtzuz-WGEWl6xPR6y8Q>
Subject: [smime] [Technical Errata Reported] RFC2634 (6562)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2021 18:08:02 -0000
The following errata report has been submitted for RFC2634, "Enhanced Security Services for S/MIME". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6562 -------------------------------------- Type: Technical Reported by: David von Oheimb <David.von.Oheimb@siemens.com> Section: 5.4 Original Text ------------- The first certificate identified in the sequence of certificate identifiers MUST be the certificate used to verify the signature. The encoding of the ESSCertID for this certificate SHOULD include the issuerSerial field. If other constraints ensure that issuerAndSerialNumber will be present in the SignerInfo, the issuerSerial field MAY be omitted. The certificate identified is used during the signature verification process. If the hash of the certificate does not match the certificate used to verify the signature, the signature MUST be considered invalid. If more than one certificate is present in the sequence of ESSCertIDs, the certificates after the first one limit the set of authorization certificates that are used during signature validation. Corrected Text -------------- The sequence of certificate identifiers MUST contain at least one element. The first certificate identified MUST be the certificate used to verify the signature. The encoding of the ESSCertID for this certificate SHOULD include the issuerSerial field. If other constraints ensure that issuerAndSerialNumber will be present in the SignerInfo, the issuerSerial field MAY be omitted. The certificate identified is used during the signature verification process. If the hash of the certificate does not match the certificate used to verify the signature, the signature MUST be considered invalid. If more than one certificate identifier is present in the sequence of ESSCertIDs, all certificates referenced there MUST be part of the signature validation chain. Notes ----- Some aspects of the 'certs' field of a SigningCertificate attribute: SigningCertificate ::= SEQUENCE { certs SEQUENCE OF ESSCertID, policies SEQUENCE OF PolicyInformation OPTIONAL } described in the sentences quoted above are very vague. This lead to major confusion and wrong implementations. As meanwhile has been clarified, they should be re-phrased; see suggested new version above. (One may further mandate/clarify that the certificate identifiers must be given in the same order as they are expected in the validation chain, but I think this is not important because the order should not play a critical role and will be determined by the validation chain anyway.) Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC2634 (draft-ietf-smime-ess-12) -------------------------------------- Title : Enhanced Security Services for S/MIME Publication Date : June 1999 Author(s) : P. Hoffman, Ed. Category : PROPOSED STANDARD Source : S/MIME Mail Security Area : Security Stream : IETF Verifying Party : IESG
- [smime] [Technical Errata Reported] RFC2634 (6562) RFC Errata System
- Re: [smime] [Technical Errata Reported] RFC2634 (… Russ Housley