RFC Errata
RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008
Note: This RFC has been updated by RFC 6818, RFC 8398, RFC 8399, RFC 9549, RFC 9598, RFC 9608, RFC 9618
Source of RFC: pkix (sec)
Errata ID: 7634
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Nick Harper
Date Reported: 2023-09-08
Held for Document Update by: Deb Cooley
Date Held: 2024-10-29
Section 4.1 says:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
It should say:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
Notes:
The definition in section 4.1 disagrees with the definition in appendix A.1 (page 116) on whether the name of the field containing the signature is "signatureValue" or "signature". This error appears in RFC 3280 and RFC 2459 as well.
The versions of X.509 in force when RFCs 2459, 3280, and 5280 were published use neither of those names. (Those versions of X.509 considered a signature to be an encrypted hash and called the field "encrypted".) The current version, ITU-T X.509 (10/2019), defines this field to be "signature" in section 6.2.1. (X.509 defines the Certificate type using a component type of SIGNATURE, which has two fields named "algorithmIdentifier" and "signature".)
In addition to changing the field name in the definition of the Certificate type in section 4.1, the title and text of subsection 4.1.1.3 should be updated to replace "signatureValue" with "signature".
Verifier note: Hold for document update to avoid changes that potentially break ASN.1