RFC Errata


RFC 8995, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", May 2021

Source of RFC: anima (ops)

Errata ID: 6649
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Michael Richardson
Date Reported: 2021-07-27

Section 5.5.4. says:

Even when a domain CA is authenticated to the MASA, and there is
strong sales channel integration to understand who the legitimate
owner is, the above id-kp-cmcRA check prevents arbitrary end-entity
certificates (such as an LDevID certificate) from having vouchers
issued against them.

It should say:

Even when a domain CA is authenticated to the MASA, and there is
strong sales channel integration to understand who the legitimate
owner is, the above id-kp-cmcRA check prevents arbitrary end-entity
certificates (such as an LDevID certificate) from having vouchers
issued against them.

add:
The id-kp-cmcRA is an Extended Key Usage (EKU) attribute.
When any EKU attribute is set, then the certificate MUST have all
related attributes set.  
This means that the Registrar certificate MUST also have the 
id-kp-clientAuth (for use with the MASA) and the id-kp-serverAuth 
(for use with the Pledge) set.

Notes:

https://mailarchive.ietf.org/arch/msg/anima/H6Xs_f3rQAh9acOEFXEYuoZZGls/
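
An added example, not part of the erratum or of RFC 8995: a standard-library Python check that decodes the DER value of a certificate's extendedKeyUsage extension and reports which of the three EKUs named above are missing. The function names and the sample byte strings are constructed for illustration, and extracting the extension value from a real Registrar certificate is assumed to happen elsewhere.

```python
REQUIRED_EKUS = {  # OIDs under id-kp (1.3.6.1.5.5.7.3)
    "1.3.6.1.5.5.7.3.28": "id-kp-cmcRA",      # checked by the MASA on voucher requests
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",  # Registrar as TLS client to the MASA
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",  # Registrar as TLS server to the Pledge
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    # Assumption: the EKU value is under 128 bytes, so long-form lengths are rejected.
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos], buf[pos + 2:end], end

def _decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content octets to dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit = continuation
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)             # first octet packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def missing_registrar_ekus(eku_der):
    """Return sorted names of required EKUs absent from the extension value."""
    tag, seq, end = _read_tlv(eku_der, 0)
    if tag != 0x30 or end != len(eku_der):
        raise ValueError("expected a single DER SEQUENCE")
    present, pos = set(), 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        present.add(_decode_oid(body))
    return sorted(n for oid, n in REQUIRED_EKUS.items() if oid not in present)

_KP = bytes.fromhex("06082b060105050703")     # constructed: OID TLV prefix for id-kp

def sample_eku(*last_arcs):
    """Build a constructed EKU extension value from id-kp final arcs."""
    body = b"".join(_KP + bytes([arc]) for arc in last_arcs)
    return bytes([0x30, len(body)]) + body
```

A certificate carrying only id-kp-cmcRA, as in `sample_eku(28)`, is reported as missing both TLS purposes; `sample_eku(1, 2, 28)` returns an empty list.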
