RFC Errata


Found 6 records.

Status: Verified (5)

RFC 8017, "PKCS #1: RSA Cryptography Specifications Version 2.2", November 2016

Source of RFC: IETF - NON WORKING GROUP

Errata ID: 5111
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Peter Wu
Date Reported: 2017-09-11
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-19

Section A.2.3 says:

   The object identifier id-RSASSA-PSS identifies the RSASSA-PSS
   encryption scheme.

It should say:

   The object identifier id-RSASSA-PSS identifies the RSASSA-PSS
   signature scheme.

Notes:

RSASSA-PSS is a signature scheme; it has no encrypt/decrypt operations.
This errata also applies to RFC 3447 (Section A.2.3).
Verified by Burt Kaliski

Errata ID: 5154
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Joost Rijneveld
Date Reported: 2017-10-12
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-18

Section A.2.4 says:

SHA-256          sha224WithRSAEncryption     ::= {pkcs-1 14}

It should say:

SHA-224          sha224WithRSAEncryption     ::= {pkcs-1 14}

Notes:

Good catch. Confirmed.

Background: The addition of SHA224 support to PKCS #1 required a few minor technical updates in PKCS #1 v2.2 compared to v2.1, and to the corresponding RFC8017 compared to RFC3447. PKCS #1 v2.2 got the correct update, but RFC8017 didn't -- presumably a copy-and-paste error. My oversight in reviewing the edits. Thanks, Joost, for pointing it out.

Errata ID: 5235
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Joern Heissler
Date Reported: 2018-01-14
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-18

Section 8.1.1 says:

Errors:  "message too long;" "encoding error"

It should say:

Errors:  "message too long"; "encoding error"

Notes:

The semicolon needs to be placed outside of the quoted strings.

Errata ID: 5577
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Dave Thompson
Date Reported: 2018-12-16
Verifier Name: Benjamin Kaduk
Date Verified: 2019-01-05

Section B.1 says:

   As of today, the best (known) collision attacks against these hash
   functions are generic attacks with complexity 2L/2, where L is the
   bit length of the hash output.  For the signature schemes in this
   document, a collision attack is easily translated into a signature
   forgery.  Therefore, the value L / 2 should be at least equal to the
   desired security level in bits of the signature scheme (a security
   level of B bits means that the best attack has complexity 2B).  The

It should say:

   As of today, the best (known) collision attacks against these hash
   functions are generic attacks with complexity 2^(L/2), where L is the
   bit length of the hash output.  For the signature schemes in this
   document, a collision attack is easily translated into a signature
   forgery.  Therefore, the value L / 2 should be at least equal to the
   desired security level in bits of the signature scheme (a security
   level of B bits means that the best attack has complexity 2^B).  The

Notes:

Superscripting presumably lost in translation from the original. RFC 3447 (for v2.1) had these correct. To a person familiar with the art they are obvious typos (Editorial) but to other readers they could change the meaning.

Errata ID: 7405
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Daniel Kahn Gillmor
Date Reported: 2023-03-25
Verifier Name: RFC Editor
Date Verified: 2023-04-27

Section 11.2, 7.2 says:

"HAASTAD"

and

"Haastad, J"

It should say:

"HASTAD"

and

"Hastad, J"

Notes:

https://epubs.siam.org/doi/10.1137/0217019 indicates that the author of "Solving Simultaneous Modular Equations of Low Degree" is "Johan Hastad", not "Johan Haastad".

Status: Held for Document Update (1)

RFC 8017, "PKCS #1: RSA Cryptography Specifications Version 2.2", November 2016

Source of RFC: IETF - NON WORKING GROUP

Errata ID: 5576
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT

Reported By: Dave Thompson
Date Reported: 2018-12-16
Held for Document Update by: Benjamin Kaduk
Date Held: 2019-01-05

Section B.1 says:

   The object identifiers id-md2, id-md5, id-sha1, id-sha224, id-sha256,
   id-sha384, id-sha512, id-sha512/224, and id-sha512/256 identify the
   respective hash functions:
...
   The parameters field associated with id-sha1, id-sha224, id-sha256,
   id-sha384, id-sha512, id-sha512/224, and id-sha512/256 should
...
   Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5
   (see Section 9.2), the parameters field associated with id-sha1,
   id-sha224, id-sha256, id-sha384, id-sha512, id-sha512/224, and
   id-sha512/256 shall have a value of type NULL.  This is to maintain

It should say:

   The object identifiers id-md2, id-md5, id-sha1, id-sha224, id-sha256,
   id-sha384, id-sha512, id-sha512-224, and id-sha512-256 identify the
   respective hash functions:
...
   The parameters field associated with id-sha1, id-sha224, id-sha256,
   id-sha384, id-sha512, id-sha512-224, and id-sha512-256 should
...
   Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5
   (see Section 9.2), the parameters field associated with id-sha1,
   id-sha224, id-sha256, id-sha384, id-sha512, id-sha512-224, and
   id-sha512-256 shall have a value of type NULL.  This is to maintain

Notes:

ASN.1 identifiers don't allow slash. The actual ASN.1 code in the middle of B.1, and the ASN.1 module in C, correctly use hyphens for id-sha512-224 and id-sha512-256.
