RFC Errata

Found 6 records.

Status: Verified (2)

RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 2866

Status: Verified
Type: Technical

Reported By: Michal Altair Valasek
Date Reported: 2011-07-20
Verifier Name: Sean Turner
Date Verified: 2011-11-12

Appendix B says:

The test token shared secret uses the ASCII string value
"12345678901234567890".

It should say:

The test token shared secrets use the following ASCII string values:
- HMAC-SHA1: "12345678901234567890" (20 bytes)
- HMAC-SHA256: "12345678901234567890123456789012" (32 bytes)
- HMAC-SHA512:
  "1234567890123456789012345678901234567890123456789012345678901234" (64 bytes)

Notes:

The secret values are different for different hash types. The example Java code respects this, but the test vector documentation does not.
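As an added example that is not part of the RFC's Appendix A code or of this errata page, the following Python computes TOTP with the HMAC hash parameterised, so that the per-hash secrets listed in the erratum above reproduce the Appendix B values for the SHA1, SHA256 and SHA512 variants. The secret bytes come from the erratum; the function names and the check that the 20-byte secret does not work for SHA256 are this example's own.

```python
import hashlib
import hmac
import struct

# Test-token shared secrets as listed in Erratum 2866 (one per HMAC hash).
SECRETS = {
    "sha1": b"12345678901234567890",                                    # 20 bytes
    "sha256": b"12345678901234567890123456789012",                        # 32 bytes
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",  # 64 bytes
}


def hotp(key: bytes, counter: int, digits: int = 8, algo: str = "sha1") -> str:
    """HOTP (RFC 4226) with the hash parameterised as RFC 6238 permits."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(key, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation uses the last byte of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, algo: str = "sha1",
         step: int = 30, t0: int = 0, digits: int = 8) -> str:
    """TOTP = HOTP(K, T), T = floor((unix_time - T0) / X) with X = 30 s."""
    return hotp(key, (unix_time - t0) // step, digits, algo)


def rfc_vector(unix_time: int, algo: str) -> str:
    """Appendix B value for the given time, using the per-hash secret."""
    return totp(SECRETS[algo], unix_time, algo)


def wrong_secret_matches(unix_time: int, algo: str) -> bool:
    """Does the 20-byte SHA1 secret give the same code as the proper secret?"""
    return totp(SECRETS["sha1"], unix_time, algo) == rfc_vector(unix_time, algo)


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, {a: rfc_vector(t, a) for a in SECRETS})
```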

Errata ID: 4678

Status: Verified
Type: Technical

Reported By: Osric Wilkinson
Date Reported: 2016-04-27
Verifier Name: Stephen Farrell
Date Verified: 2016-04-30

Section Appendix A says:

* @return: a numeric String in base 10 that includes
*              {@link truncationDigits} digits

It should say:

* @return: a numeric String in base 10 that includes
*              {@link DIGITS_POWER} digits

Notes:

The JavaDoc for the functions refers to truncationDigits, which doesn't exist in the example code. I think the authors mean the DIGITS_POWER array.

Note that this happens four times for the four different versions of the generateTOTP() method.

Status: Reported (2)

RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 4249

Status: Reported
Type: Technical

Reported By: David Woodhouse
Date Reported: 2015-01-30

Section 4.2 says:

The provisioning flow is out of scope of this document; refer to
[RFC6030] for such provisioning container specifications.

Notes:

It's insufficient to simply refer to RFC6030 here. See RFC6030 §4.3.4 where it states that the precise semantics of fields such as the <Suite> element are defined according to the algorithm profile. It does provide in §10 the definitions for HOTP and PIN algorithms — but it doesn't give them for TOTP because the standardisation of TOTP came later.

So *someone* needs to tell us what strings to put in the <Suite> element to indicate SHA1/SHA256/SHA512 etc. Either an update to RFC6030, or I would have thought it was better done with a section in RFC6238... which is missing.

Am I missing something?

Errata ID: 4530

Status: Reported
Type: Technical

Reported By: Simone Campagna
Date Reported: 2015-11-11

Section Appendix A says:

public static String generateTOTP(String key,
                                  String time,
                                  String returnDigits){
    return generateTOTP(key, time, returnDigits, "HmacSHA1");
}

Notes:

The function will be recursive on itself. Maybe a second condition or statement was forgotten?

Status: Held for Document Update (2)

RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 3338

Status: Held for Document Update
Type: Editorial

Reported By: Samuel Whited
Date Reported: 2012-09-06
Held for Document Update by: Sean Turner

Section 1.2 says:

Basically, the output of the HMAC-SHA-1 calculation is truncated to
obtain user-friendly values:

It should say:

The output of the HMAC-SHA-1 calculation is truncated to
obtain user-friendly values:

Notes:

Starting a sentence with `Basically' is often considered bad form.
Qualifiers such as basically add nothing to the sentence and should
generally be avoided.

Errata ID: 3339

Status: Held for Document Update
Type: Editorial

Reported By: Samuel Whited
Date Reported: 2012-09-06
Held for Document Update by: Sean Turner

Section 4.2 says:

Basically, we define TOTP as TOTP = HOTP(K, T), where T is an integer
and represents the number of time steps between the initial counter
time T0 and the current Unix time.

It should say:

We define TOTP as TOTP = HOTP(K, T), where T is an integer
and represents the number of time steps between the initial counter
time T0 and the current Unix time.

Notes:

As mentioned in a previous erratum, starting a sentence with
`Basically' is often considered bad form. Qualifiers such as
basically add nothing to the sentence and should generally be
avoided.
