RFC Errata
Found 2 records.
Status: Reported (1)
RFC 8448, "Example Handshake Traces for TLS 1.3", January 2019
Source of RFC: tls (sec)
Errata ID: 5645
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Anthony Mai
Date Reported: 2019-02-28
Section 2 says:
Ephemeral private keys are shown as they are generated in the traces.
It should say:
Ephemeral private keys are shown as they are generated in the traces. Note that X25519 private keys are trimmed in accordance to [RFC 7748] Section 5, before use. This is done by clearing bit 0 to 2 of the first byte and bit 7 of the last byte. And then set bit 6 of the last byte.
Notes:
On page 3,5,16,20,29,43,44,55,57, there are ten X25519 ephemeral private
keys listed. None of these private key value, when used directly in X25519
calculation, will yield the associated public key listed. These private key
values are not the actual values used. Instead up to 5 bits are modified as
recommended by RFC 7748 section 5. Some implementations may choose NOT to
do such trimming, and it does not affect the connectivity, as the private
keys are never sent over the wire and does not affect network behavior.
Not clarifying how the X25519 private keys were modified before using could
cause serious confusion. I personally struggled for a day before figuring
out this little obscure detail.
Status: Held for Document Update (1)
RFC 8448, "Example Handshake Traces for TLS 1.3", January 2019
Source of RFC: tls (sec)
Errata ID: 5720
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Martin Thomson
Date Reported: 2019-05-05
Held for Document Update by: Benjamin Kaduk
Date Held: 2019-05-06
Throughout the document, when it says:
00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02
It should say:
00 0d 00 18 00 16 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
Notes:
The traces all show DSA signature schemes in ClientHello messages. The use of these is prohibited by RFC 8446. To be compliant, these would be removed.
Note that this isn't a simple substitution as implied above. The length fields on all of the messages would also need to be reduced by 8 in addition to making the substitution. The value of the PSK binders used in the resumption case in Section 4 would need to be recalculated also.