RFC Errata



Found 3 records.

Status: Verified (2)

RFC 7469, "Public Key Pinning Extension for HTTP", April 2015

Source of RFC: websec (app)

Errata ID: 4354
Status: Verified
Type: Technical

Reported By: Kirit Saelensminde
Date Reported: 2015-05-04
Verifier Name: Barry Leiba
Date Verified: 2015-05-05

Section 3 says:

   As in Section 2.4, the token refers to the algorithm name, and the
   quoted-string refers to the base64 encoding of the SPKI Fingerprint.
   When formulating the JSON POST body, the UA MUST either use single-
   quoted JSON strings or use double-quoted JSON strings and backslash-
   escape the embedded double quotes in the quoted-string part of the
   known-pin.

....

      'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="',

It should say:

   As in Section 2.4, the token refers to the algorithm name, and the
   quoted-string refers to the base64 encoding of the SPKI Fingerprint.
   When formulating the JSON POST body, the UA MUST use double-quoted
   JSON strings and backslash-escape the embedded double quotes in the
   quoted-string part of the known-pin.

....

      "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"",

Notes:

This RFC seems to think that single quotes are permissible in JSON. This is not the case. See http://tools.ietf.org/html/rfc7159#section-7

Errata ID: 4658
Status: Verified
Type: Editorial

Reported By: Jxck
Date Reported: 2016-04-08
Verifier Name: Barry Leiba
Date Verified: 2016-04-08

Section 3. Reporting Pin Validation Failure says:

  {
    "date-time": "2014-04-06T13:00:50Z",
    "hostname": "www.example.com",
    "port": 443,
    "effective-expiration-date": "2014-05-01T12:40:50Z"

It should say:

  {
    "date-time": "2014-04-06T13:00:50Z",
    "hostname": "www.example.com",
    "port": 443,
    "effective-expiration-date": "2014-05-01T12:40:50Z",
 

Notes:

Missing comma after "effective-expiration-date": "2014-05-01T12:40:50Z" in JSON at Figure 8: Pin Validation Failure Report Example
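An added example (not from the RFC or the errata reporters) showing both corrections at work in Python: the UA-side serializer relies on json.dumps to double-quote and backslash-escape the known-pin entries and to emit the comma that erratum 4658 adds, and a constructed report-endpoint parser rejects the single-quoted form and any pin that is not a SHA-256 SPKI fingerprint. The report fields are the subset quoted above, the second pin value is constructed, and the function names are assumptions of this example.

```python
import base64
import hashlib
import json
import re

# First pin is the sample value quoted from RFC 7469 above; the second is constructed
# from made-up SPKI bytes so it has the right shape (SHA-256 digest -> 44 base64 chars).
PIN_FROM_RFC = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="
CONSTRUCTED_PIN = base64.b64encode(hashlib.sha256(b"constructed SPKI").digest()).decode()

# known-pin = token "=" quoted-string (Section 2.4 of the RFC).
KNOWN_PIN_RE = re.compile(r'^(?P<token>[A-Za-z0-9-]+)="(?P<b64>[A-Za-z0-9+/]+=*)"$')


def known_pin(fingerprint_b64, token="pin-sha256"):
    """Format one known-pin exactly as it appears in the Public-Key-Pins header."""
    return f'{token}="{fingerprint_b64}"'


def build_report(hostname, port, pins):
    """UA side: serialize a failure report with the Figure 8 fields quoted above;
    json.dumps backslash-escapes the quotes inside each known-pin (erratum 4354)
    and emits the comma after effective-expiration-date (erratum 4658)."""
    report = {
        "date-time": "2014-04-06T13:00:50Z",
        "hostname": hostname,
        "port": port,
        "effective-expiration-date": "2014-05-01T12:40:50Z",
        "known-pins": [known_pin(p) for p in pins],
    }
    return json.dumps(report, indent=2)


def parse_report(body):
    """Report endpoint side (constructed): require RFC 7159 JSON and well-formed pins."""
    report = json.loads(body)  # raises on single-quoted strings or a missing comma
    for pin in report["known-pins"]:
        m = KNOWN_PIN_RE.match(pin)
        if m is None or m.group("token") != "pin-sha256":
            raise ValueError(f"malformed known-pin: {pin!r}")
        if len(base64.b64decode(m.group("b64"), validate=True)) != 32:
            raise ValueError(f"not a SHA-256 fingerprint: {pin!r}")
    return report


def is_valid_json(body):
    """True only if body parses under RFC 7159 rules (single-quoted strings do not)."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False
```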

Status: Reported (1)

RFC 7469, "Public Key Pinning Extension for HTTP", April 2015

Source of RFC: websec (app)

Errata ID: 5377
Status: Reported
Type: Technical

Reported By: Julian Reschke
Date Reported: 2018-06-02

Section 2.3.4 says:

2.3.4.  HTTP-Equiv <Meta> Element Attribute

   UAs MUST NOT heed http-equiv="Public-Key-Pins" or
   http-equiv="Public-Key-Pins-Report-Only" attribute settings on <meta>
   elements [W3C.REC-html401-19991224] in received content.

It should say:

(remove the section)

Notes:

The spec attempts to make a normative requirement on HTML consumers. It can't do that; that's the role of the HTML spec.

In addition to that, this is already covered by what recent HTML specs say about http-equiv extensibility.
