
Found 4 records.

Status: Verified (1)

RFC6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 2866

Status: Verified
Type: Technical

Reported By: Michal Altair Valasek
Date Reported: 2011-07-20
Verifier Name: Sean Turner
Date Verified: 2011-11-12

Section Appendix B says:

The test token shared secret uses the ASCII string value "12345678901234567890".

It should say:

The test token shared secrets use the following ASCII string values:
- HMAC-SHA1: "12345678901234567890" (20 bytes)
- HMAC-SHA256: "12345678901234567890123456789012" (32 bytes)
- HMAC-SHA512: "1234567890123456789012345678901234567890123456789012345678901234" (64 bytes)

Notes:

The secret values are different for different hash types. The example Java code respects this, but the test vector documentation does not.
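To make the point of this erratum concrete, here is an added example (not code from the RFC or its errata) that implements TOTP per RFC 6238 with the hash family as a parameter and derives the three test secrets the way the erratum describes, so the Appendix B vectors can be checked for each hash; the secrets are the ASCII digits "1234567890" repeated and cut to 20, 32 and 64 bytes.

```python
import hashlib
import hmac
import struct

# Per-hash shared secrets as the erratum lists them: "1234567890" repeated
# and truncated to the key length matching the hash (20, 32, 64 bytes).
SECRETS = {
    "sha1": ("1234567890" * 7)[:20].encode("ascii"),
    "sha256": ("1234567890" * 7)[:32].encode("ascii"),
    "sha512": ("1234567890" * 7)[:64].encode("ascii"),
}


def hotp(key: bytes, counter: int, digits: int = 8, algo: str = "sha1") -> str:
    """HOTP (RFC 4226) with the HMAC hash generalised as RFC 6238 allows."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(key, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 8, algo: str = "sha1") -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X), X = step."""
    return hotp(key, (unix_time - t0) // step, digits, algo)


def check_vectors(unix_time: int) -> dict:
    """Codes for all three hashes at one test time, each with its own secret."""
    return {algo: totp(SECRETS[algo], unix_time, algo=algo) for algo in SECRETS}


if __name__ == "__main__":
    # Test times taken from the RFC 6238 Appendix B table.
    for t in (59, 1111111109):
        print(t, check_vectors(t))
    # Reusing the 20-byte SHA-1 secret for SHA-256 does not reproduce the
    # published SHA-256 vector, which is exactly what the erratum corrects.
    print("sha256 with 20-byte secret:", totp(SECRETS["sha1"], 59, algo="sha256"))
```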


Status: Reported (1)

RFC6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 4249

Status: Reported
Type: Technical

Reported By: David Woodhouse
Date Reported: 2015-01-30

Section 4.2 says:

The provisioning flow is out of scope of this document; refer to
[RFC6030] for such provisioning container specifications.

Notes:

It's insufficient to simply refer to RFC6030 here. See RFC6030 §4.3.4 where it states that the precise semantics of fields such as the <Suite> element are defined according to the algorithm profile. It does provide in §10 the definitions for HOTP and PIN algorithms — but it doesn't give them for TOTP because the standardisation of TOTP came later.

So *someone* needs to tell us what strings to put in the <Suite> element to indicate SHA1/SHA256/SHA512 etc. Either an update to RFC6030, or I would have thought it was better done with a section in RFC6238... which is missing.

Am I missing something?


Status: Held for Document Update (2)

RFC6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 3338

Status: Held for Document Update
Type: Editorial

Reported By: Samuel Whited
Date Reported: 2012-09-06
Held for Document Update by: Sean Turner

Section 1.2 says:

Basically, the output of the HMAC-SHA-1 calculation is truncated to
obtain user-friendly values:

It should say:

The output of the HMAC-SHA-1 calculation is truncated to
obtain user-friendly values:

Notes:

Starting a sentence with `Basically' is often considered bad form.
Qualifiers such as basically add nothing to the sentence and should
generally be avoided.


Errata ID: 3339

Status: Held for Document Update
Type: Editorial

Reported By: Samuel Whited
Date Reported: 2012-09-06
Held for Document Update by: Sean Turner

Section 4.2 says:

Basically, we define TOTP as TOTP = HOTP(K, T), where T is an integer
and represents the number of time steps between the initial counter
time T0 and the current Unix time.

It should say:

We define TOTP as TOTP = HOTP(K, T), where T is an integer
and represents the number of time steps between the initial counter
time T0 and the current Unix time.

Notes:

As mentioned in a previous errata, starting a sentence with
`Basically' is often considered bad form. Qualifiers such as
basically add nothing to the sentence and should generally be
avoided.

