Found 1 record.

Status: Rejected (1)

RFC 9001, "Using TLS to Secure QUIC", May 2021

Errata ID: 7785
Status: Rejected
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Tom Pearson
Date Reported: 2024-01-26
Rejected by: Zaheduzzaman Sarker
Date Rejected: 2024-01-29

Section 5. says:

The key and IV for the packet are computed as described in
Section 5.1.  The nonce, N, is formed by combining the packet
protection IV with the packet number.  The 62 bits of the
reconstructed QUIC packet number in network byte order are left-
padded with zeros to the size of the IV.  The exclusive OR of the
padded packet number and the IV forms the AEAD nonce.

It should say:

The key and IV for the packet are computed as described in
Section 5.1.  The nonce, N, is formed by combining the packet
protection IV with the packet number.  The 32 bits of the
reconstructed QUIC packet number in network byte order are left-
padded with zeros to the size of the IV.  The exclusive OR of the
padded packet number and the IV forms the AEAD nonce.

Notes:

Given the description of packet number reconstruction in RFC9000 section 17.1 and the example in RFC9000 Appendix A3, the length of reconstructed packet number should be 32 bits, not 62 bits.
--VERIFIER NOTES--
The full packet number is 62 bits, although it is never expressed as such in the packet number field of the header. Hence, this errata is rejected.

Report New Errata