# RFC Errata

## Status: Held for Document Update (1)

### RFC 2412, "The OAKLEY Key Determination Protocol", November 1998

Source of RFC: ipsec (sec)

Errata ID: 3960
Status: Held for Document Update
Type: Editorial
Publication Format(s): TEXT

Reported By: Daniel Kahn Gillmor
Date Reported: 2014-04-11
Held for Document Update by: Stephen Farrell
Date Held: 2014-05-08

Section 2.8 & Appx E says:

```
Section 2.8:

[...] In order to maximize this, one can
choose "strong" or Sophie Germaine primes, P = 2Q + 1, where P and Q
are prime.  However, if P = kQ + 1, where k is small, then the
strength of the group is still considerable.  These groups are known
as Schnorr subgroups, and they can be found with much less
computational effort than Sophie-Germaine primes.

[...]

[...]  For Sophie Germain primes, if the
generator is a square, then there are only two elements in the
subgroup: 1 and g^(-1) (same as g^(p-1)) which we have already
recommended avoiding.

Appendix E:

[...] The
primes are chosen to be Sophie Germain primes (i.e., (P-1)/2 is also
prime), to have the maximum strength against the square-root attack
on the discrete logarithm problem.
```

It should say:

```
Section 2.8:
[...] In order to maximize this, one can
choose safe primes, P = 2Q + 1, where P and Q
are prime.  However, if P = kQ + 1, where k is small, then the
strength of the group is still considerable.  These groups are known
as Schnorr subgroups, and they can be found with much less
computational effort than safe primes.

[...]

[...]  For safe primes, if the
generator is a square, then there are only two elements in the
subgroup: 1 and g^(-1) (same as g^(p-1)) which we have already
recommended avoiding.

Appendix E:
[...] The
primes are chosen to be safe primes (i.e., (P-1)/2 is also
prime), to have the maximum strength against the square-root attack
on the discrete logarithm problem.
```

Notes:

This is a terminology clarification.

For primes P and Q related such that P = 2Q + 1, P is a "safe prime" and Q is a "Sophie Germain prime". The draft gets this definition backward. The draft also suggests that "strong" primes are equivalent to Sophie Germain primes, which is not necessarily the case.

Section 2.8 also misspells "Germain" with an extra e at the end twice.

see for example: http://www.ams.org/journals/mcom/1996-65-213/S0025-5718-96-00670-9/S0025-5718-96-00670-9.pdf
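
The definitions in this erratum written out as a parameter check, as an added example that is not part of the erratum or of RFC 2412. The function names are hypothetical, primality is tested with probabilistic Miller-Rabin, and the values used are small constructed primes rather than the Appendix E groups.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def classify(n):
    """Return the labels that apply to n under the erratum's definitions."""
    labels = set()
    if not is_probable_prime(n):
        return labels
    labels.add("prime")
    if n % 2 == 1 and is_probable_prime((n - 1) // 2):
        labels.add("safe")            # n = 2Q + 1 with Q prime (n plays the role of P)
    if is_probable_prime(2 * n + 1):
        labels.add("sophie-germain")  # 2n + 1 is prime (n plays the role of Q)
    return labels

def schnorr_cofactor(p, max_k=1000):
    """Smallest even k <= max_k with p = k*Q + 1 and Q prime, as (k, Q), else None."""
    for k in range(2, max_k + 1, 2):
        if (p - 1) % k == 0 and is_probable_prime((p - 1) // k):
            return k, (p - 1) // k
    return None
```

A safe prime always yields cofactor k = 2; a larger k marks the Schnorr-subgroup case P = kQ + 1 that Section 2.8 describes.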
