RFC Errata
RFC 6485, "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI)", February 2012
Note: This RFC has been obsoleted by RFC 7935
Source of RFC: sidr (rtg)
See Also: RFC 6485 w/ inline errata
Errata ID: 4339
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Sandra Murphy
Date Reported: 2015-04-20
Verifier Name: Alvaro Retana
Date Verified: 2015-05-21
Section 2. says:
In a certification request, the OID appears in the PKCS #10 signatureAlgorithm field [RFC2986] or in the Certificate Request Message Format (CRMF) POPOSigningKey signature field [RFC4211].
It should say:
In a certification request, the OID appears in the PKCS #10 signatureAlgorithm field [RFC2986] or in the Certificate Request Message Format (CRMF) POPOSigningKey algorithmIdentifier field [RFC4211].
Notes:
This is technically a technical change, as it would technically affect implementation, but I believe in fact it is just a typo. Only a very inexperienced implementor would put the RFC6485 algorithm OID in the signature field of the POPOSigningKey.
This problem was noted in a message to the sidr list (https://www.ietf.org/mail-archive/web/sidr/current/msg06587.html) and supported by another message (https://www.ietf.org/mail-archive/web/sidr/current/msg06649.html).
As noted in the message to the sidr list, RFC4211 says that the POPOSigningKey is:
POPOSigningKey ::= SEQUENCE {
    poposkInput         [0] POPOSigningKeyInput OPTIONAL,
    algorithmIdentifier AlgorithmIdentifier,
    signature           BIT STRING }
The OID mentioned in the RFC6485 text is for the algorithm identifier and so should appear in the algorithmIdentifier field, not the signature field.
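As an added illustration that is not part of the erratum, RFC 6485 or RFC 4211: a minimal, dependency-free Python DER encoder and decoder for the POPOSigningKey structure quoted above. It builds a POPOSigningKey that carries the RFC 6485 algorithm OID (sha256WithRSAEncryption, 1.2.840.113549.1.1.11, per Section 2 of RFC 6485, with the NULL parameters RFC 4055 requires) in the algorithmIdentifier field, parses it back, and runs a check written against the corrected text. Because the check reads algorithmIdentifier, an encoding that stuffs the OID into the signature BIT STRING, the reading the original wording invited, is rejected. The signature bytes, the second (wrong) algorithm OID and the omission of poposkInput are constructed for the example; no real key or signature is involved.

```python
"""Constructed example: encode, decode and check a CRMF POPOSigningKey so the
RFC 6485 algorithm OID can be seen in the algorithmIdentifier field.
Not code from RFC 6485, RFC 4211 or the erratum."""

# RFC 6485 Section 2: RPKI signatures use sha256WithRSAEncryption.
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
# RFC 6485 Section 3: RSA keys have a 2048-bit modulus, so signatures are 256 octets.
RSA_SIG_LEN = 256

def _der_len(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def encode_algorithm_identifier(oid):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    # RFC 4055 requires the parameters to be NULL for sha256WithRSAEncryption.
    return tlv(0x30, encode_oid(oid) + tlv(0x05, b""))

def encode_popo_signing_key(alg_oid, signature):
    """POPOSigningKey with poposkInput omitted (assumed: subject and key are in
    the request template). The OID goes in algorithmIdentifier, the raw
    signature in the BIT STRING (leading 0x00 = no unused bits)."""
    return tlv(0x30, encode_algorithm_identifier(alg_oid)
                     + tlv(0x03, b"\x00" + signature))

def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_popo_signing_key(der):
    """Decode POPOSigningKey into {'algorithmIdentifier': dotted OID, 'signature': bytes}."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("POPOSigningKey must be a SEQUENCE")
    fields = {}
    tag, inner, pos = read_tlv(body, 0)
    if tag == 0xA0:  # poposkInput [0] (IMPLICIT tags in the CRMF module); not inspected here
        fields["poposkInput"] = inner
        tag, inner, pos = read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("algorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_body, _ = read_tlv(inner, 0)
    if oid_tag != 0x06:
        raise ValueError("algorithmIdentifier.algorithm must be an OID")
    fields["algorithmIdentifier"] = decode_oid(oid_body)
    tag, inner, pos = read_tlv(body, pos)
    if tag != 0x03 or inner[0] != 0:
        raise ValueError("signature must be a BIT STRING with no unused bits")
    fields["signature"] = inner[1:]
    if pos != len(body):
        raise ValueError("trailing data after signature")
    return fields

def check_rfc6485_popo(der):
    """Findings against RFC 6485 for a POPOSigningKey; an empty list means it conforms.
    The algorithm OID is read from algorithmIdentifier, as the corrected text says."""
    f = parse_popo_signing_key(der)
    findings = []
    if f["algorithmIdentifier"] != SHA256_WITH_RSA:
        findings.append("algorithmIdentifier is %s, expected %s"
                        % (f["algorithmIdentifier"], SHA256_WITH_RSA))
    if len(f["signature"]) != RSA_SIG_LEN:
        findings.append("signature is %d octets, expected %d for a 2048-bit RSA key"
                        % (len(f["signature"]), RSA_SIG_LEN))
    return findings

if __name__ == "__main__":
    good = encode_popo_signing_key(SHA256_WITH_RSA, b"\x5a" * RSA_SIG_LEN)  # placeholder signature bytes
    print(parse_popo_signing_key(good)["algorithmIdentifier"], check_rfc6485_popo(good))
    # The misreading: OID crammed into the signature field, algorithmIdentifier left as something else.
    misplaced = encode_popo_signing_key("1.2.840.113549.1.1.5", encode_oid(SHA256_WITH_RSA))
    print(check_rfc6485_popo(misplaced))
```

The decoder deliberately raises on anything that is not the expected shape rather than guessing; a POPOSigningKey whose BIT STRING is eleven octets of OID is not a signature that a CA could verify, so it is reported as both a wrong algorithm and a wrong signature length.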