RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 3 records.

Status: Reported (3)

RFC 6125, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", March 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 5654
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Owen Friel
Date Reported: 2019-03-13

Section 7.4 says:

   A more recent approach, formally specified in [TLS-EXT], is for the
   client to use the TLS "Server Name Indication" (SNI) extension when
   sending the client_hello message, stipulating the DNS domain name it
   desires or expects of the service.  The service can then return the
   appropriate certificate in its Certificate message, and that
   certificate can represent a single DNS domain name.

It should say:

   A more recent approach, formally specified in [TLS-EXT], is for the
   client to use the TLS "Server Name Indication" (SNI) extension when
   sending the client_hello message, stipulating the DNS domain name it
   desires or expects of the service.  The service can then return the
   appropriate certificate in its Certificate message, and that
   certificate can represent a single DNS domain name. The client SHOULD
   include the "source domain" in the SNI extension and SHOULD NOT
   include the “derived domain”.

Notes:

There is nothing wrong with the text, however its missing some clarifying text.

When a client discovers a service using SRV, when it is doing TLS it should include the "source domain" in the SNI extension and SHOULD NOT include the “derived domain” in SNI. Now, this is obviously the correct thing to do. However, it doesnt explicitly state this anywhere in the RFC, or in RFC6066.

Errata ID: 5673
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: Michael James
Date Reported: 2019-03-25

Throughout the document, when it says:

   If the certificate will be used for only a single type of application
   service, then the service provider is encouraged to request a
   certificate that includes a DNS-ID and, if appropriate for the
   application service type, an SRV-ID or URI-ID that limits the
   deployment scope of the certificate to only the defined application
   service type.

It should say:

   If the certificate will be used for only a single type of application
   service, the service provider is encouraged to request a
   certificate that includes a DNS-ID and, if appropriate for the
   application service type, an SRV-ID or URI-ID that limits the
   deployment scope of the certificate to only the defined application
   service type.

Notes:

All the sentences in the RFC (not just the one above) are written as pseudo code using IF...THEN. Normative English sentence structure the IF is a Conjunction for a Subordinating Clause. The THEN after the comma should be dropped to start the subject or main clause of the sentence.

Errata ID: 6325
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: tom petch
Date Reported: 2020-11-06

Section 10.2 says:

  [X.520]          International Telecommunications Union, "Information
                    Technology - Open Systems Interconnection - The
                    Directory: Selected attribute types", ITU-
                    T Recommendation X.509, ISO Standard 9594-6,
                    August 2005.

It should say:

  [X.520]          International Telecommunications Union, "Information
                    Technology - Open Systems Interconnection - The
                    Directory: Selected attribute types", ITU-
                    T Recommendation X.520, ISO Standard 9594-6,
                    August 2005.

Notes:

Selected attribute types is X.520 not X.509

Report New Errata