RFC Errata


Found 3 records.

Status: Verified (3)

RFC 9483, "Lightweight Certificate Management Protocol (CMP) Profile", November 2023

Source of RFC: lamps (sec)

Errata ID: 7833
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: David von Oheimb
Date Reported: 2024-03-01
Verifier Name: Deb Cooley
Date Verified: 2024-11-26

Section 4.1.6 says:

-- MUST be 0 for recipientInfo type PasswordRecipientInfo

It should say:

-- MUST be 3 for recipientInfo type PasswordRecipientInfo

Notes:

It turns out that we made a mistake interpreting CMS RFC 5652 section 6.1 (https://datatracker.ietf.org/doc/html/rfc5652#section-6.1).

AFAICS, this was due to a misleadingly formatted condition in that section:

IF ((originatorInfo is present) AND
___(any version 2 attribute certificates are present)) OR
___(any RecipientInfo structures include pwri) OR
___(any RecipientInfo structures include ori)
THEN version is 3

where for clarity the indentation of the 2nd line should be one more character to the right:

IF ((originatorInfo is present) AND
____(any version 2 attribute certificates are present)) OR
___(any RecipientInfo structures include pwri) OR
___(any RecipientInfo structures include ori)
THEN version is 3

(I replaced leading space chars by '_' to make sure the indentation comes across.)

So this can also be seen as an editorial erratum of RFC 5652.
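The decision procedure the erratum refers to is the full version computation in RFC 5652, Section 6.1, of which the quoted condition is only the middle branch. The following is an added illustration, not code from the errata page, from RFC 9483 or from RFC 5652; it transcribes the whole Section 6.1 procedure into a function, using a simplified, constructed data shape (the `EnvelopedDataShape` and `RecipientInfo` classes are assumptions for the example) so that a reader can see why a PasswordRecipientInfo (pwri) yields version 3 even when originatorInfo is absent: the pwri/ori tests are OR-ed with the whole parenthesised originatorInfo clause rather than nested inside it.

```python
"""Added example: EnvelopedData version selection per RFC 5652 Section 6.1.

Not part of the RFC errata page. The data classes below are a constructed,
simplified view of the EnvelopedData fields the procedure inspects.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RecipientInfo:
    # kind is one of "ktri", "kari", "kekri", "pwri", "ori" (RFC 5652 6.2)
    kind: str
    version: int  # the RecipientInfo's own version field


@dataclass
class EnvelopedDataShape:
    # Assumed/simplified representation of the fields RFC 5652 6.1 looks at.
    originator_info_present: bool = False
    other_certs_present: bool = False       # certificates of type 'other'
    other_crls_present: bool = False        # crls of type 'other'
    v2_attr_certs_present: bool = False     # version 2 attribute certificates
    unprotected_attrs_present: bool = False
    recipient_infos: List[RecipientInfo] = field(default_factory=list)


def cms_enveloped_data_version(ed: EnvelopedDataShape) -> int:
    """Return the EnvelopedData version chosen by the RFC 5652 6.1 procedure."""
    kinds = {ri.kind for ri in ed.recipient_infos}

    # Branch 1: originatorInfo carrying 'other' certificates or CRLs -> 4
    if ed.originator_info_present and (ed.other_certs_present or ed.other_crls_present):
        return 4

    # Branch 2: the condition quoted in the erratum. Note the grouping:
    #   ((originatorInfo present) AND (v2 attribute certs present))
    #   OR (any pwri) OR (any ori)
    # so a pwri alone is sufficient for version 3.
    if ((ed.originator_info_present and ed.v2_attr_certs_present)
            or "pwri" in kinds
            or "ori" in kinds):
        return 3

    # Branch 3: nothing optional present and every RecipientInfo is version 0 -> 0
    if (not ed.originator_info_present
            and not ed.unprotected_attrs_present
            and all(ri.version == 0 for ri in ed.recipient_infos)):
        return 0

    # Otherwise -> 2
    return 2


def pwri_only_version() -> int:
    """The case the erratum corrects: a single pwri, no originatorInfo."""
    return cms_enveloped_data_version(
        EnvelopedDataShape(recipient_infos=[RecipientInfo("pwri", 0)]))


if __name__ == "__main__":
    print("pwri only ->", pwri_only_version())  # 3, not 0
    ktri_v0 = EnvelopedDataShape(recipient_infos=[RecipientInfo("ktri", 0)])
    print("ktri version 0 only ->", cms_enveloped_data_version(ktri_v0))
```

Reading the condition with the misaligned indentation shown above makes it look as if the pwri and ori tests were also gated by "originatorInfo is present", which would send a pwri-only message down to the version 0 branch; the function above follows the grouping as actually parenthesised and returns 3 for that case.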

Errata ID: 8183
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Rajeev Ranjan
Date Reported: 2024-11-20
Verifier Name: Deb Cooley
Date Verified: 2024-11-21

Section 4.1.6.1 says:

              rid             REQUIRED
    -- MUST contain the subjectKeyIdentifier of the CMP protection
    --   certificate, if available, in the rKeyId choice, and the
    --   subjectKeyIdentifier MUST equal the senderKID in the
    --   PKIHeader.
    -- If the CMP protection certificate does not contain a
    --   subjectKeyIdentifier, the issuerAndSerialNumber choice MUST
    --   be used.

It should say:

              rid             REQUIRED
    -- MUST contain the subjectKeyIdentifier of the CMP protection
    --   certificate of the request message, if available. The
    --   subjectKeyIdentifier is equal to the senderKID in the
    --   PKIHeader of that message.
    -- If the CMP protection certificate of the request message does
    --   not contain a subjectKeyIdentifier, the issuerAndSerialNumber
    --   choice MUST be used.

Notes:

1. The rKeyId choice is wrongly used here, as Section 6.2.1 of RFC 5652 does not have an rKeyId choice.
2. The rid value must be taken from the CMP protection certificate of the request message, as it is used to specify the recipient.

Errata ID: 8184
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Rajeev Ranjan
Date Reported: 2024-11-20
Verifier Name: Deb Cooley
Date Verified: 2024-11-21

Section 4.1.6.2 says:

          rid           REQUIRED
-- MUST contain the subjectKeyIdentifier of the CMP protection
--   certificate, if available, in the rKeyId choice, and the
--   subjectKeyIdentifier MUST equal the senderKID in the
--   PKIHeader.
-- If the CMP protection certificate does not contain a
--   subjectKeyIdentifier, the issuerAndSerialNumber choice MUST
--   be used

It should say:

          rid           REQUIRED
-- MUST contain the subjectKeyIdentifier of the CMP protection
--   certificate of the request message, if available, in the
--   rKeyId choice. The subjectKeyIdentifier is equal to
--   the senderKID in the PKIHeader of that message.
-- If the CMP protection certificate of the request message does
--   not contain a subjectKeyIdentifier, the issuerAndSerialNumber
--   choice MUST be used.

Notes:

1. The rid value must be taken from the CMP protection certificate of the request message, as it is used to identify the recipient using key agreement.
2. senderKID refers to the value in the request message, and here we are preparing the response message. So the MUST is removed.
