RFC 8994, "An Autonomic Control Plane (ACP)", May 2021

Errata ID: 7558
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT, PDF, HTML
Reported By: J. William Atwood
Date Reported: 2023-07-02
Held for Document Update by: Rob Wilton
Date Held: 2024-01-15

Section 6.2.1 says:

   ACP nodes MUST NOT support certificates with RSA public keys of less
   than a 2048-bit modulus or curves with group order of less than 256
   bits.  They MUST support certificates with RSA public keys with
   2048-bit modulus and MAY support longer RSA keys.  They MUST support
   certificates with ECC public keys using NIST P-256 curves and SHOULD
   support P-384 and P-521 curves.

   ACP nodes MUST NOT support certificates with RSA public keys whose
   modulus is less than 2048 bits, or certificates whose ECC public keys
   are in groups whose order is less than 256 bits.  RSA signing
   certificates with 2048-bit public keys MUST be supported, and such
   certificates with longer public keys MAY be supported.  ECDSA
   certificates using the NIST P-256 curve MUST be supported, and such
   certificates using the P-384 and P-521 curves SHOULD be supported.

It should say:

   ACP nodes MUST NOT support certificates with RSA public keys whose
   modulus is less than 2048 bits, or certificates whose ECC public keys
   are in groups whose order is less than 256 bits.  RSA signing
   certificates with 2048-bit public keys MUST be supported, and such
   certificates with longer public keys MAY be supported.  ECDSA
   certificates using the NIST P-256 curve MUST be supported, and such
   certificates using the P-384 and P-521 curves SHOULD be supported.

Notes:

The second paragraph in the original text appears to be a more carefully-written version of the first paragraph. Therefore the first paragraph should be deleted and the second paragraph retained.

Report New Errata