[smime] [Technical Errata Reported] RFC5035 (6566)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 29 April 2021 08:30 UTC

To: jimsch@exmsft.com, rdd@cert.org, kaduk@mit.edu, paul.hoffman@vpnc.org, blaker@gmail.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: David.von.Oheimb@siemens.com, smime@ietf.org, rfc-editor@rfc-editor.org
Date: Thu, 29 Apr 2021 01:30:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/Ew8ET_qdJ7CNlie3MvAMg4eTfak>

The following errata report has been submitted for RFC5035,
"Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6566

--------------------------------------
Type: Technical
Reported by: David von Oheimb <David.von.Oheimb@siemens.com>

Section: 3

Original Text
-------------
   certs
      contains the list of certificates that are to be used in
      validating the message.  The first certificate identified in the
      sequence of certificate identifiers MUST be the certificate used
      to verify the signature.  The encoding of the ESSCertIDv2 for this
      certificate SHOULD include the issuerSerial field.  If other
      constraints ensure that issuerAndSerialNumber will be present in
      the SignerInfo, the issuerSerial field MAY be omitted.  The
      certificate identified is used during the signature verification
      process.  If the hash of the certificate does not match the
      certificate used to verify the signature, the signature MUST be
      considered invalid.

      If more than one certificate is present, subsequent certificates
      limit the set of certificates that are used during validation.


Corrected Text
--------------
   certs
      contains the list of certificates that are to be used in
      validating the message. It MUST contain at least one element.
      The first certificate identified in the
      sequence of certificate identifiers MUST be the certificate used
      to verify the signature.  The encoding of the ESSCertIDv2 for this
      certificate SHOULD include the issuerSerial field.  If other
      constraints ensure that issuerAndSerialNumber will be present in
      the SignerInfo, the issuerSerial field MAY be omitted.  The
      certificate identified is used during the signature verification
      process.  If the hash of the certificate does not match the
      certificate used to verify the signature, the signature MUST be
      considered invalid.

      If more than one certificate identifier is present in the sequence of ESSCertIDv2s,
      all certificates referenced there MUST be part of the signature validation chain.

Notes
-----
Some aspects of the 'certs' field of a SigningCertificateV2 attribute:

   SigningCertificateV2 ::=  SEQUENCE {
       certs        SEQUENCE OF ESSCertIDv2,
       policies     SEQUENCE OF PolicyInformation OPTIONAL
   }

described in the sentences quoted above are rather vague.
This led to major confusion and wrong implementations.
As this has meanwhile been clarified, they should be re-phrased;
see suggested new version above.

(One may further mandate/clarify that the certificate identifiers must be given in the same order
as they are expected in the validation chain, but I think this is not important because
the order should not play a critical role and will be determined by the validation chain anyway.)

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5035 (draft-ietf-smime-escertid-06)
--------------------------------------
Title               : Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility
Publication Date    : August 2007
Author(s)           : J. Schaad
Category            : PROPOSED STANDARD
Source              : S/MIME Mail Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG
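
The verifier-side checks that the corrected text of Section 3 calls for, as an added Python example (not part of the erratum, RFC 5035, or any implementation). Assumptions: ESSCertIDv2 is reduced to a hash algorithm name plus certHash, the issuerSerial comparison is left out, certificates are constructed byte strings standing in for DER encodings, and all function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Hash names this sketch accepts (assumption); SHA-256 is the ESSCertIDv2 default.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class ESSCertIDv2:
    """Simplified stand-in for the ASN.1 type: certHash plus its algorithm."""
    cert_hash: bytes
    hash_alg: str = "sha256"


def cert_id_for(cert_der: bytes, hash_alg: str = "sha256") -> ESSCertIDv2:
    """Build the identifier a signer would place in 'certs' for one certificate."""
    return ESSCertIDv2(hashlib.new(hash_alg, cert_der).digest(), hash_alg)


def matches(cert_id: ESSCertIDv2, cert_der: bytes) -> bool:
    """True if cert_id's hash, under an accepted algorithm, equals the hash of cert_der."""
    if cert_id.hash_alg not in ALLOWED_HASHES:
        return False
    return hashlib.new(cert_id.hash_alg, cert_der).digest() == cert_id.cert_hash


def check_signing_certificate_v2(certs, signer_cert, validation_chain):
    """Return a list of violations; an empty list means 'certs' is acceptable."""
    if not certs:
        return ["certs is empty: it MUST contain at least one element"]
    problems = []
    # The first identifier MUST name the certificate used to verify the signature.
    if not matches(certs[0], signer_cert):
        problems.append("certs[0] does not match the signer certificate: signature invalid")
    # Every further identifier MUST refer to a certificate in the validation chain.
    for index, cert_id in enumerate(certs[1:], start=1):
        if not any(matches(cert_id, cert) for cert in validation_chain):
            problems.append(f"certs[{index}] is not part of the validation chain")
    return problems


# Constructed sample input: opaque byte strings in place of DER certificates.
SIGNER, INTERMEDIATE, ROOT = b"signer-der", b"intermediate-der", b"root-der"
UNRELATED = b"unrelated-der"
CHAIN = [SIGNER, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    ok = [cert_id_for(SIGNER), cert_id_for(INTERMEDIATE, "sha512")]
    print(check_signing_certificate_v2(ok, SIGNER, CHAIN))
    print(check_signing_certificate_v2([], SIGNER, CHAIN))
    print(check_signing_certificate_v2(ok + [cert_id_for(UNRELATED)], SIGNER, CHAIN))
```
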