RFC Errata
RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008
Source of RFC: pkix (sec)
Errata ID: 3200
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT
Reported By: David Mandelberg
Date Reported: 2012-04-24
Held for Document Update by: Sean Turner
Section 4.1.2.2 says:
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer.
It should say:
The serial number MUST be a positive non-zero integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a positive integer.
Notes:
"positive" and "non-negative" do not mean the same thing. I used the third paragraph of the section as a tie-breaker to decide which of the two terms was intended:
Note: Non-conforming CAs may issue certificates with serial numbers
that are negative or zero. Certificate users SHOULD be prepared to
gracefully handle such certificates.
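The distinction the erratum draws matters on the wire: a DER INTEGER is two's complement, so a CA that emits a serial whose top bit is set without a leading 0x00 octet has issued a negative serial number, and a relying party must decode the sign correctly to notice. The following added example (not part of the erratum or RFC 5280) shows the CA-side encoder enforcing the MUST and the relying-party decoder classifying serials as positive, zero or negative; all byte strings are constructed samples.

```python
# RFC 5280 4.1.2.2 serialNumber: CA-side encoding and relying-party decoding.

def encode_serial(value: int) -> bytes:
    """DER-encode a serialNumber, enforcing the CA MUST (positive only)."""
    if value <= 0:
        raise ValueError("serialNumber must be a positive integer (RFC 5280 4.1.2.2)")
    # +8 bits leaves room for the sign bit, so a value with its top bit set
    # gets a leading 0x00 octet instead of decoding as negative.
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(content) > 127:
        raise ValueError("short-form length only; real serials are far shorter")
    return b"\x02" + bytes([len(content)]) + content


def decode_der_integer(tlv: bytes) -> int:
    """Decode a short-form DER INTEGER TLV (tag 0x02) as a signed value."""
    if len(tlv) < 3 or tlv[0] != 0x02 or tlv[1] & 0x80:
        raise ValueError("expected a short-form DER INTEGER")
    length = tlv[1]
    content = tlv[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    # DER demands the minimal encoding: a leading 00 or FF octet is only
    # legal when it is needed to carry the sign of the octet after it.
    if length > 1 and ((content[0] == 0x00 and content[1] < 0x80) or
                       (content[0] == 0xFF and content[1] >= 0x80)):
        raise ValueError("non-minimal DER INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def classify_serial(tlv: bytes) -> str:
    """Relying-party view: 'positive', 'zero' or 'negative'.

    Non-conforming CAs exist, so zero and negative are reported as
    outcomes to handle gracefully rather than raised as parse errors.
    """
    value = decode_der_integer(tlv)
    if value > 0:
        return "positive"
    return "zero" if value == 0 else "negative"


# Constructed sample encodings (hex), not taken from any real certificate.
SAMPLES = {
    "02 01 05":    "positive",  # 5
    "02 02 00 ff": "positive",  # 255: leading 00 carries the sign
    "02 01 00":    "zero",
    "02 01 ff":    "negative",  # -1: top bit set, no leading 00
    "02 08 80 00 00 00 00 00 00 00": "negative",  # 64-bit serial emitted without the 00 pad
}

if __name__ == "__main__":
    for hexstr, expected in SAMPLES.items():
        got = classify_serial(bytes.fromhex(hexstr))
        print(f"{hexstr:<32} -> {got}")
        assert got == expected
```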