RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Area Assignment: sec

Errata ID: 4249

Status: Reported
Type: Technical

Reported By: David Woodhouse
Date Reported: 2015-01-30

Section 4.2 says:

The provisioning flow is out of scope of this document; refer to
[RFC6030] for such provisioning container specifications.


It's insufficient to simply refer to RFC6030 here. See RFC6030 §4.3.4 where it states that the precise semantics of fields such as the <Suite> element are defined according to the algorithm profile. It does provide in §10 the definitions for HOTP and PIN algorithms — but it doesn't give them for TOTP because the standardisation of TOTP came later.

So *someone* needs to tell us what strings to put in the <Suite> element to indicate SHA1/SHA256/SHA512 etc. Either an update to RFC6030, or I would have thought it was better done with a section in RFC6238... which is missing.

Am I missing something?
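The gap the report describes has a practical consequence: a TOTP verifier cannot check a code unless it knows which HMAC hash the token was provisioned with, because the same key and time step yield different codes under SHA1, SHA256 and SHA512. The following Python example is added here to illustrate that; it is not code from RFC 6238, RFC 6030 or the errata report. It implements HOTP/TOTP as RFC 4226 and RFC 6238 define them, uses the RFC 6238 Appendix B seeds and reference values, and models a provisioning record as a plain dict whose "algorithm" field name is an assumption of this example (precisely the string no standard currently fixes).

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seeds (ASCII). The SHA256 and SHA512 seeds are the
# SHA1 seed repeated to the hash's block-appropriate length, as in the RFC.
SEEDS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def hotp(key: bytes, counter: int, digits: int = 8, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP with a selectable HMAC hash (RFC 6238 allows SHA1/SHA256/SHA512)."""
    digest = getattr(hashlib, algorithm)
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 8, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since t0."""
    return hotp(key, (unix_time - t0) // step, digits, algorithm)


def verify_totp(record: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Check a submitted code against a provisioning record.

    `record` is a constructed stand-in for the data a provisioning container
    would carry; its "algorithm" key is this example's own name for the hash
    choice the erratum says RFC 6030/6238 leave unspecified for TOTP.
    """
    counter = (unix_time - record.get("t0", 0)) // record.get("step", 30)
    for delta in range(-window, window + 1):
        expected = hotp(record["key"], counter + delta,
                        record.get("digits", 8), record["algorithm"])
        # Constant-time comparison avoids leaking matching prefixes.
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Same moment, different hashes: the verifier must be told which one applies.
    for alg, key in SEEDS.items():
        print(alg, totp(key, 59, algorithm=alg))
    # Constructed records: only the one naming the right hash accepts the code.
    for alg in ("sha1", "sha256"):
        rec = {"key": SEEDS[alg], "algorithm": alg}
        print(alg, "accepts SHA256 code:", verify_totp(rec, "46119246", 59, window=0))
```

Run stand-alone it prints the three Appendix B codes for time 59 (94287082, 46119246 and 90693936 for SHA1, SHA256 and SHA512) and shows that a record provisioned as SHA1 rejects the SHA256 code. Whatever string a future profile assigns to the <Suite> element, it has to carry exactly this piece of information end to end.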

