RFC 8995, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", May 2021

Errata ID: 6649
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Michael Richardson
Date Reported: 2021-07-27
Held for Document Update by: Rob Wilton
Date Held: 2024-01-15

Section 5.5.4. says:

Even when a domain CA is authenticated to the MASA, and there is
strong sales channel integration to understand who the legitimate
owner is, the above id-kp-cmcRA check prevents arbitrary end-entity
certificates (such as an LDevID certificate) from having vouchers
issued against them.

It should say:

Even when a domain CA is authenticated to the MASA, and there is
strong sales channel integration to understand who the legitimate
owner is, the above id-kp-cmcRA check prevents arbitrary end-entity
certificates (such as an LDevID certificate) from having vouchers
issued against them.

add:
The id-kp-cmcRA is an Extended Key Usage (EKU) attribute.
When any EKU attribute it set, then the certificate MUST have all 
related attributes set.  
This means that the Registrar certificate MUST also have the 
id-kp-clientAuth (for use with the MASA) and the id-kp-serverAuth 
(for use with the Pledge) set.

Notes:

https://mailarchive.ietf.org/arch/msg/anima/H6Xs_f3rQAh9acOEFXEYuoZZGls/

Report New Errata