RFC Errata

Errata Search

Source of RFC  
Summary Table Full Records

RFC 6487, "A Profile for X.509 PKIX Resource Certificates", February 2012

Note: This RFC has been updated by RFC 7318, RFC 8209

Source of RFC: sidr (rtg)
See Also: RFC 6487 w/ inline errata

Errata ID: 3238
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Stephen Kent
Date Reported: 2012-05-31
Verifier Name: Stewart Bryant
Date Verified: 2013-01-11

Section 6.3 says:

         The CA MAY honor ExtendedKeyUsage extensions of keyCertSign and
         cRLSign if present, as long as this is consistent with the
         BasicConstraints SubjectType sub-field, when specified.

It should say:

         The CA MAY honor ExtendedKeyUsage extensions in requests for EE
         certificates that are issued to routers or other devices, consistent with values
         specified in Standards Track RFCs that adopt this profile and that identify
         application-specific requirements that motivate the use of such EKUs.


The current text appears to be the result of a "cut and paste" error. It is essentially identical to the text
for the Key Usage extension, and names two fields that appear in that extension, not in an EKU extension. The text I propose above parallels what appears in Section 4.8.5, which describes how an
EKU MAY be used in RPKI certificates.

Report New Errata

Advanced Search