RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 4556, "Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)", June 2006

Note: This RFC has been updated by RFC 6112, RFC 8062, RFC 8636

Source of RFC: krb-wg (sec)

Errata ID: 3820
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: Nicolas Williams
Date Reported: 2013-12-05

Section 3.2.2 says:

      The type of the otherName field is AnotherName.  The type-id field
      of the type AnotherName is id-pkinit-san:

       id-pkinit-san OBJECT IDENTIFIER ::=
         { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
           x509SanAN (2) }

It should say:

      The type of the otherName field is AnotherName.  The type-id field
      of the type AnotherName is id-kerberos-san:

       id-kerberos-san OBJECT IDENTIFIER ::=
         { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
           x509SanAN (2) }

Notes:

The certificate subject alternative name (SAN) type added by RFC4556 is and has been used more generically than its symbolic name denotes.

Note that there is no risk in using id-pkinit-san for non-PKINIT purposes as presence of that SAN is -naturally- insufficient by itself to cause an AS to issue a ticket to the client for the named principal. RFC4556 is quite clear on this point.

Therefore id-pkinit-san should have been named id-kerberos-san, and should be referred to as id-kerberos-san going forward. (If there was a registry of PKIX certificate extensions we would additionally ask IANA to updte it.)

There are a few other mentions of id-pkinit-san in RFC4556, all of which should read id-kerberos-san instead.

Report New Errata



Advanced Search