RFC Errata

Found 3 records.

Status: Reported (3)

RFC 6125, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", March 2011

Note: This RFC has been obsoleted by RFC 9525

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app

Errata ID: 5654
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Owen Friel
Date Reported: 2019-03-13

Section 7.4 says:

   A more recent approach, formally specified in [TLS-EXT], is for the
   client to use the TLS "Server Name Indication" (SNI) extension when
   sending the client_hello message, stipulating the DNS domain name it
   desires or expects of the service.  The service can then return the
   appropriate certificate in its Certificate message, and that
   certificate can represent a single DNS domain name.

It should say:

   A more recent approach, formally specified in [TLS-EXT], is for the
   client to use the TLS "Server Name Indication" (SNI) extension when
   sending the client_hello message, stipulating the DNS domain name it
   desires or expects of the service.  The service can then return the
   appropriate certificate in its Certificate message, and that
   certificate can represent a single DNS domain name. The client SHOULD
   include the "source domain" in the SNI extension and SHOULD NOT
   include the "derived domain".

Notes:

There is nothing wrong with the text; however, it's missing some clarifying text.

When a client discovers a service using SRV, when it is doing TLS it should include the "source domain" in the SNI extension and SHOULD NOT include the "derived domain" in SNI. Now, this is obviously the correct thing to do. However, it doesn't explicitly state this anywhere in the RFC, or in RFC 6066.
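The behaviour this erratum asks RFC 6125 to state, as an added example (not code from the RFC or from the erratum's reporter): SNI carries the source domain, the reference identifiers are built from it, and the derived domain (the SRV target) is accepted as a reference identifier only when the SRV answer was DNSSEC-validated, which is this example's assumption about how securely discovered derived domains are handled. The SrvDiscovery fields, the service label and the domain names are constructed.

```python
"""Client-side choice of SNI value and reference identifiers after SRV
discovery (RFC 6125 terminology: source domain, derived domain, DNS-ID,
SRV-ID).  Added illustration; names and SRV answers are constructed."""

from dataclasses import dataclass


@dataclass
class SrvDiscovery:
    """Outcome of an SRV lookup.  'service' is the SRV-ID service label
    (e.g. "_xmpp-client"), 'source_domain' is the name the user asked for,
    'derived_domain' is the target host the SRV record pointed at."""
    service: str
    source_domain: str
    derived_domain: str
    dnssec_validated: bool = False  # was the SRV answer authenticated?


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def sni_host_name(disc: SrvDiscovery) -> str:
    """Name to send in the TLS SNI extension: always the source domain.
    The derived domain never goes into SNI (the erratum's clarification)."""
    return _norm(disc.source_domain)


def reference_identifiers(disc: SrvDiscovery) -> list[tuple[str, str]]:
    """(type, value) pairs the client will accept in the server certificate.
    DNS-ID and SRV-ID come from the source domain.  A DNS-ID for the derived
    domain is added only when the SRV answer was DNSSEC-validated (assumption
    in this example): an unauthenticated DNS answer must not be able to
    redirect the client to an attacker-chosen name."""
    src = _norm(disc.source_domain)
    refs = [("DNS-ID", src), ("SRV-ID", f"{disc.service}.{src}")]
    if disc.dnssec_validated:
        refs.append(("DNS-ID", _norm(disc.derived_domain)))
    return refs


def certificate_matches(presented: list[tuple[str, str]],
                        disc: SrvDiscovery) -> bool:
    """True if any presented identifier (the certificate's SAN entries, given
    here as constructed (type, value) pairs) equals a reference identifier.
    Exact comparison only; wildcard labels are not handled in this example."""
    wanted = set(reference_identifiers(disc))
    return any((t, _norm(v)) in wanted for t, v in presented)
```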

Errata ID: 5673
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: Michael James
Date Reported: 2019-03-25

Throughout the document, when it says:

   If the certificate will be used for only a single type of application
   service, then the service provider is encouraged to request a
   certificate that includes a DNS-ID and, if appropriate for the
   application service type, an SRV-ID or URI-ID that limits the
   deployment scope of the certificate to only the defined application
   service type.

It should say:

   If the certificate will be used for only a single type of application
   service, the service provider is encouraged to request a
   certificate that includes a DNS-ID and, if appropriate for the
   application service type, an SRV-ID or URI-ID that limits the
   deployment scope of the certificate to only the defined application
   service type.

Notes:

All the sentences in the RFC (not just the one above) are written as pseudo-code using IF...THEN. In normative English sentence structure, the IF is a conjunction for a subordinating clause. The THEN after the comma should be dropped to start the subject or main clause of the sentence.

Errata ID: 6325
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: tom petch
Date Reported: 2020-11-06

Section 10.2 says:

  [X.520]          International Telecommunications Union, "Information
                    Technology - Open Systems Interconnection - The
                    Directory: Selected attribute types", ITU-
                    T Recommendation X.509, ISO Standard 9594-6,
                    August 2005.

It should say:

  [X.520]          International Telecommunications Union, "Information
                    Technology - Open Systems Interconnection - The
                    Directory: Selected attribute types", ITU-
                    T Recommendation X.520, ISO Standard 9594-6,
                    August 2005.

Notes:

"Selected attribute types" is X.520, not X.509.
