RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 5386, "Better-Than-Nothing Security: An Unauthenticated Mode of IPsec", November 2008

Source of RFC: btns (sec)
See Also: RFC 5386 w/ inline errata

Errata ID: 1608
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Alfred Hoenes
Date Reported: 2008-11-18
Verifier Name: Tim Polk
Date Verified: 2008-11-19

Section 2, pg. 3 says:

   o  Any peer that uses an IKEv2 AUTH method involving a digital
      signature (made with a private key to a public key cryptosystem)
      may match a BTNS PAD entry, provided that it matches no non-BTNS
      PAD entries.  Suitable AUTH methods as of August 2007 are: RSA
|     Digital Signature (method #1) and DSS Digital Signature (method
      #3); see [RFC4306], Section 3.8.

It should say:

   o  Any peer that uses an IKEv2 AUTH method involving a digital
      signature (made with a private key to a public key cryptosystem)
      may match a BTNS PAD entry, provided that it matches no non-BTNS
      PAD entries.  Suitable AUTH methods as of August 2007 are: RSA
|     Digital Signature (method #1) and DSA Digital Signature (method
      #3); see [RFC4306], Section 3.8.

Notes:

Rationale:

When referring to an authentication method, i.e. an algorithm,
the acronym used should designate the algorithm.

There is a particular distinction in the NIST FIPS documents:
a trailing 'S' designtes a Standard, and a trailing 'A' designates
an Algorithm.
In particular, the DSS (Digital Signature Standard, FIPS 186-2/3)
describes three different algorithms:
- the NIST's Digital Signature Algorithm (DSA),
- the Elliptic Curve Digital Signature Algorithm (ECDSA), and
- the RSA signature algorithm.

Hence, to avoid any potential confusion, "DSA" should be used to
designate the particular algorithm listed as the first item above.

Report New Errata