RFC Errata


RFC 3279, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", April 2002

Note: This RFC has been updated by RFC 4055, RFC 4491, RFC 5480, RFC 5758, RFC 8692

Source of RFC: pkix (sec)

Errata ID: 6672
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT

Reported By: Jaime Hablutzel
Date Reported: 2021-09-01
Held for Document Update by: Paul Wouters
Date Held: 2024-01-12

Section 2.3.5 says:

If the keyUsage extension is present in a CA or CRL issuer certificate which conveys an elliptic curve public key, any combination of the following values MAY be present:

digitalSignature;
nonRepudiation; and
keyAgreement.

If the keyAgreement value is present, either of the following values MAY be present:

encipherOnly; and
decipherOnly.

The keyUsage extension MUST NOT assert both encipherOnly and decipherOnly.

If the keyUsage extension is present in a CA certificate which conveys an elliptic curve public key, any combination of the following values MAY be present:

digitalSignature;
nonRepudiation;
keyAgreement;
keyCertSign; and
cRLSign.

It should say:

If the keyUsage extension is present in an end entity certificate which conveys an elliptic curve public key, any combination of the following values MAY be present:

digitalSignature;
nonRepudiation; and
keyAgreement.

If the keyAgreement value is present, either of the following values MAY be present:

encipherOnly; and
decipherOnly.

The keyUsage extension MUST NOT assert both encipherOnly and decipherOnly.

If the keyUsage extension is present in a CA or CRL issuer certificate which conveys an elliptic curve public key, any combination of the following values MAY be present:

digitalSignature;
nonRepudiation;
keyAgreement;
keyCertSign; and
cRLSign.

Notes:

- "a CA or CRL issuer certificate" is replaced by "an end entity certificate"
- "CA certificate" is replaced by "CA or CRL issuer certificate"

The need for this correction can be confirmed from RFC 5480, "3. Key Usage Bits".

Corrected wording has been copied from the section "2.3.1 RSA Keys" of this RFC 3279 itself.

Paul Wouters (AD): As 5480 updates 3279, this errata is resolved
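
The corrected Section 2.3.5 wording, applied as a lint check on the keyUsage bits of a certificate that conveys an elliptic curve public key. This is an added example, not part of the erratum or of any RFC text. It assumes the "MAY be present" lists are treated as allow-lists, that the encipherOnly/decipherOnly rule is applied to both certificate types, and that bit positions are those of the KeyUsage BIT STRING in RFC 5280; the function names and DER samples are constructed for illustration.

```python
# Added example: lint EC-key keyUsage bits against the corrected Section 2.3.5.
# Bit order is the KeyUsage BIT STRING of RFC 5280 (bit 0 = digitalSignature).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]
EE_ALLOWED = {"digitalSignature", "nonRepudiation", "keyAgreement"}
CA_ALLOWED = EE_ALLOWED | {"keyCertSign", "cRLSign"}
ONLY_BITS = {"encipherOnly", "decipherOnly"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (the keyUsage extension value) into bit names."""
    if (len(der) < 4 or der[0] != 0x03 or der[1] > 0x7F
            or der[1] != len(der) - 2):
        raise ValueError("not a short-form DER BIT STRING with content")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    names = set()
    for i in range(len(payload) * 8 - unused):
        if payload[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KU_BITS):
                raise ValueError("bit %d is not a defined keyUsage bit" % i)
            names.add(KU_BITS[i])
    return names


def check_ec_key_usage(bits: set, is_ca_or_crl_issuer: bool) -> list:
    """Return findings; an empty list means the combination is acceptable."""
    allowed = CA_ALLOWED if is_ca_or_crl_issuer else EE_ALLOWED
    only = bits & ONLY_BITS
    findings = ["%s is not listed for this certificate type" % n
                for n in sorted(bits - allowed - ONLY_BITS)]
    if only and "keyAgreement" not in bits:
        findings.append("encipherOnly/decipherOnly requires keyAgreement")
    if only == ONLY_BITS:
        findings.append("encipherOnly and decipherOnly are both asserted")
    return findings


# Constructed sample values (DER BIT STRINGs), not taken from real certificates.
EE_SIGN_AGREE = bytes.fromhex("03020388")    # digitalSignature, keyAgreement
EE_CERT_SIGN = bytes.fromhex("03020204")     # keyCertSign only
BOTH_ONLY = bytes.fromhex("0303070980")      # keyAgreement + both *Only bits
CA_SIGNING = bytes.fromhex("03020106")       # keyCertSign, cRLSign

if __name__ == "__main__":
    for der, is_ca in [(EE_SIGN_AGREE, False), (EE_CERT_SIGN, False),
                       (BOTH_ONLY, False), (CA_SIGNING, True)]:
        print(der.hex(), check_ec_key_usage(decode_key_usage(der), is_ca))
```

The keyCertSign-only sample is flagged when checked as an end entity certificate and accepted when checked as a CA or CRL issuer certificate, which is the distinction the erratum restores.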
