RFC 8995, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", May 2021

Errata ID: 6648
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Michael Richardson
Date Reported: 2021-07-27

Section 5.1 says:

   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
   REQUIRED on the pledge side.  TLS 1.3 (or newer) SHOULD be available
   on the registrar server interface, and the registrar client
   interface, but TLS 1.2 MAY be used.  TLS 1.3 (or newer) SHOULD be
   available on the MASA server interface, but TLS 1.2 MAY be used.

It should say:

Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
REQUIRED on the pledge side.  TLS 1.3 (or newer) SHOULD be available
on the registrar server interface, and the registrar client
interface, but TLS 1.2 MAY be used.  When TLS 1.3 is used the use of
Server Name Indicator (SNI, [RFC6066]) is not required, per RFC8446 
section 9.2, this specification is an application profile specification.

A pledge connects to the Registrar using only an IP address and it will 
not have any idea of a correct SNI value. 
This also implies that the Registrar interface may not be virtual \
hosted using SNI.

Notes:

Another errata says that SNI is mandatory on MASA interface, and the distinction between the two is subtle.

Report New Errata