RFC Errata



RFC 8636, "Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility", July 2019

Source of RFC: kitten (sec)
See Also: RFC 8636 w/ inline errata

Errata ID: 8639
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Nico Williams
Date Reported: 2025-11-16
Verifier Name: Paul Wouters
Date Verified: 2025-11-17

Section 6 says:

   o  The algorithm identifier (algorithmID) input parameter is the
      identifier of the respective KDF.  For example, this is id-pkinit-
      kdf-ah-sha1 if the KDF uses SHA-1 as the hash.

It should say:

   o  The algorithm identifier (algorithmID) input parameter is the
      identifier of the respective KDF with absent parameters.  For
      example, this is id-pkinit-kdf-ah-sha1 if the KDF uses SHA-1
      as the hash.

Notes:

The negotiation of KDF in PKINIT as of RFC 8636 uses an exchange of OBJECT IDENTIFIER values, not AlgorithmIdentifier values, but when a value of the OtherInfo type is created and serialized we need to know what parameters to use for the algorithmID member of the OtherInfo value, and this is not specified anywhere.

Elsewhere in RFC 8636 we see this text:

The KDFAlgorithmId structure contains an object identifier that
identifies a KDF. The algorithm of the KDF and its parameters are
defined by the corresponding specification of that KDF.

but the KDFs are all specified in RFC 8636 itself and no parameters are specified for the KDFs. There is a reference to NIST.SP.800-56Ar3 in section 6 of RFC 8636:

The KDF algorithm described in this document (based on [SP80056A])
can be implemented using any cryptographic hash function.

but NIST.SP.800-56Ar3 does not specify parameters to the KDFs either.

The question then is: what shall the parameters be set to in the OtherInfo algorithmID identifying the KDF? There are two options: exclude the parameters member (it is OPTIONAL after all), or include it with the DER encoding of NULL (common for some algorithms)?

Looking at MIT Kerberos I believe the parameters member is left absent, therefore that is what implementers should do.
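
The two candidate encodings discussed in the notes, as an added example that is not part of the erratum, RFC 8636, or MIT Kerberos: it DER-encodes the algorithmID for id-pkinit-kdf-ah-sha1 with parameters absent and with a DER NULL, then shows that the two produce different KDF output, so peers that disagree derive different keys. The party and supplementary values are constructed placeholders; the explicit tagging of the OtherInfo fields and the round form SHA-1(counter || Z || OtherInfo) are assumptions stated in the comments.

```python
import hashlib

# id-pkinit-kdf-ah-sha1 = 1.3.6.1.5.2.3.6.1, per the ASN.1 module in RFC 8636
ID_PKINIT_KDF_AH_SHA1 = (1, 3, 6, 1, 5, 2, 3, 6, 1)

def der_tlv(tag, content):
    """DER tag-length-value with short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_oid(arcs):
    """DER OBJECT IDENTIFIER (first arc 0 or 1, as for this OID)."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def algorithm_identifier(arcs, null_params=False):
    """AlgorithmIdentifier with parameters absent (erratum) or DER NULL."""
    params = der_tlv(0x05, b"") if null_params else b""
    return der_tlv(0x30, der_oid(arcs) + params)

def other_info(alg_id, party_u, party_v, supp_pub):
    """OtherInfo SEQUENCE; assumes explicit [0]..[2] tags around OCTET STRINGs."""
    fields = alg_id
    for tag, value in ((0xA0, party_u), (0xA1, party_v), (0xA2, supp_pub)):
        fields += der_tlv(tag, der_tlv(0x04, value))
    return der_tlv(0x30, fields)

def first_kdf_block(z, info):
    """Assumed KDF round: SHA-1(counter=1 as 32-bit big-endian || Z || OtherInfo)."""
    return hashlib.sha1((1).to_bytes(4, "big") + z + info).digest()

def compare(z=bytes(range(32)), u=b"constructed-client", v=b"constructed-kdc", s=b"constructed-supp"):
    """Constructed inputs, not real PKINIT values. Returns (absent, null) blocks."""
    absent = other_info(algorithm_identifier(ID_PKINIT_KDF_AH_SHA1), u, v, s)
    null = other_info(algorithm_identifier(ID_PKINIT_KDF_AH_SHA1, True), u, v, s)
    return first_kdf_block(z, absent), first_kdf_block(z, null)

if __name__ == "__main__":
    print("absent:", algorithm_identifier(ID_PKINIT_KDF_AH_SHA1).hex())
    print("NULL:  ", algorithm_identifier(ID_PKINIT_KDF_AH_SHA1, True).hex())
    a, n = compare()
    print("first KDF block equal?", a == n)
```

The only difference between the two encodings is the trailing `05 00` and the adjusted SEQUENCE length, which is enough to change every derived key byte.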
