RFC Errata
RFC 8995, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", May 2021
Source of RFC: anima (ops)
Errata ID: 6649
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Michael Richardson
Date Reported: 2021-07-27
Held for Document Update by: Rob Wilton
Date Held: 2024-01-15
Section 5.5.4. says:
Even when a domain CA is authenticated to the MASA, and there is strong sales channel integration to understand who the legitimate owner is, the above id-kp-cmcRA check prevents arbitrary end-entity certificates (such as an LDevID certificate) from having vouchers issued against them.
It should say:
Even when a domain CA is authenticated to the MASA, and there is strong sales channel integration to understand who the legitimate owner is, the above id-kp-cmcRA check prevents arbitrary end-entity certificates (such as an LDevID certificate) from having vouchers issued against them. add: The id-kp-cmcRA is an Extended Key Usage (EKU) attribute. When any EKU attribute is set, then the certificate MUST have all related attributes set. This means that the Registrar certificate MUST also have the id-kp-clientAuth (for use with the MASA) and the id-kp-serverAuth (for use with the Pledge) set.
Notes:
https://mailarchive.ietf.org/arch/msg/anima/H6Xs_f3rQAh9acOEFXEYuoZZGls/
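The practical consequence of the proposed text is a three-part EKU check a MASA would run on the Registrar certificate before issuing a voucher: id-kp-cmcRA (OID 1.3.6.1.5.5.7.3.28) must be present, and because the EKU extension is then in effect, id-kp-clientAuth and id-kp-serverAuth must also be listed or the Registrar's TLS connections to the MASA and from the Pledge would be rejected by a strict peer. The Go program below is an added illustration written for this errata page; it is not code from RFC 8995, the ANIMA working group, or any BRSKI implementation. It uses only the standard crypto/x509 package, which has no named constant for id-kp-cmcRA and therefore reports that OID through UnknownExtKeyUsage. The self-signed certificates it generates and the subject name registrar.example.test are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-kp-cmcRA (RFC 6402) is OID 1.3.6.1.5.5.7.3.28. crypto/x509 has no named
// constant for it, so after parsing it appears in Certificate.UnknownExtKeyUsage.
var oidKpCmcRA = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 28}

// RegistrarEKU records which of the three EKUs named in the erratum were found.
type RegistrarEKU struct {
	CmcRA, ClientAuth, ServerAuth bool
}

// OK is true only when all three EKUs are present, as the erratum text requires.
func (r RegistrarEKU) OK() bool { return r.CmcRA && r.ClientAuth && r.ServerAuth }

// CheckRegistrarEKU inspects a parsed Registrar certificate. anyExtendedKeyUsage is
// deliberately not treated as a wildcard: the check wants the explicit values.
func CheckRegistrarEKU(cert *x509.Certificate) RegistrarEKU {
	var r RegistrarEKU
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageClientAuth:
			r.ClientAuth = true
		case x509.ExtKeyUsageServerAuth:
			r.ServerAuth = true
		}
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidKpCmcRA) {
			r.CmcRA = true
		}
	}
	return r
}

// MakeTestCert builds a constructed, self-signed Registrar certificate carrying the
// requested EKU combination. The subject name is hypothetical; test use only.
func MakeTestCert(cmcRA, clientAuth, serverAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "registrar.example.test"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if clientAuth {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
	}
	if serverAuth {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
	}
	if cmcRA {
		tmpl.UnknownExtKeyUsage = append(tmpl.UnknownExtKeyUsage, oidKpCmcRA)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name               string
		ra, client, server bool
	}{
		{"cmcRA + clientAuth + serverAuth", true, true, true},
		{"clientAuth + serverAuth only (an ordinary TLS certificate)", false, true, true},
		{"cmcRA only (no TLS EKUs)", true, false, false},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.ra, c.client, c.server)
		if err != nil {
			panic(err)
		}
		r := CheckRegistrarEKU(cert)
		fmt.Printf("%-62s -> %+v acceptable=%v\n", c.name, r, r.OK())
	}
}
```

The second case is the one the original Section 5.5.4 text already rejects (no id-kp-cmcRA); the third is the case the erratum adds, where a certificate that carries id-kp-cmcRA but omits the TLS EKUs would pass the RA check yet fail the TLS handshakes the Registrar role depends on.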