RFC Errata
Found 6 records.
Status: Verified (5)
RFC 8017, "PKCS #1: RSA Cryptography Specifications Version 2.2", November 2016
Source of RFC: IETF - NON WORKING GROUP
Errata ID: 5111
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Peter Wu
Date Reported: 2017-09-11
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-19
Section A.2.3 says:
The object identifier id-RSASSA-PSS identifies the RSASSA-PSS encryption scheme.
It should say:
The object identifier id-RSASSA-PSS identifies the RSASSA-PSS signature scheme.
Notes:
RSASSA-PSS is a signature scheme; it has no encrypt/decrypt operations.
This erratum also applies to RFC 3447 (Section A.2.3).
Verified by Burt Kaliski
Errata ID: 5154
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Joost Rijneveld
Date Reported: 2017-10-12
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-18
Section A.2.4 says:
SHA-256 sha224WithRSAEncryption ::= {pkcs-1 14}
It should say:
SHA-224 sha224WithRSAEncryption ::= {pkcs-1 14}
Notes:
Good catch. Confirmed.
Background: The addition of SHA224 support to PKCS #1 required a few minor technical updates in PKCS #1 v2.2 compared to v2.1, and to the corresponding RFC8017 compared to RFC3447. PKCS #1 v2.2 got the correct update, but RFC8017 didn't -- presumably a copy-and-paste error. My oversight in reviewing the edits. Thanks, Joost, for pointing it out.
Errata ID: 5235
Status: Verified
Type: Editorial
Publication Format(s): TEXT
Reported By: Joern Heissler
Date Reported: 2018-01-14
Verifier Name: Kathleen Moriarty
Date Verified: 2018-03-18
Section 8.1.1 says:
Errors: "message too long;" "encoding error"
It should say:
Errors: "message too long"; "encoding error"
Notes:
The semicolon needs to be placed outside of the quoted strings.
Errata ID: 5577
Status: Verified
Type: Editorial
Publication Format(s): TEXT
Reported By: Dave Thompson
Date Reported: 2018-12-16
Verifier Name: Benjamin Kaduk
Date Verified: 2019-01-05
Section B.1 says:
As of today, the best (known) collision attacks against these hash functions are generic attacks with complexity 2L/2, where L is the bit length of the hash output. For the signature schemes in this document, a collision attack is easily translated into a signature forgery. Therefore, the value L / 2 should be at least equal to the desired security level in bits of the signature scheme (a security level of B bits means that the best attack has complexity 2B). The
It should say:
As of today, the best (known) collision attacks against these hash functions are generic attacks with complexity 2^(L/2), where L is the bit length of the hash output. For the signature schemes in this document, a collision attack is easily translated into a signature forgery. Therefore, the value L / 2 should be at least equal to the desired security level in bits of the signature scheme (a security level of B bits means that the best attack has complexity 2^B). The
Notes:
Superscripting presumably lost in translation from the original. RFC 3447 (for v2.1) had these correct. To a person familiar with the art they are obvious typos (Editorial) but to other readers they could change the meaning.
Errata ID: 7405
Status: Verified
Type: Editorial
Publication Format(s): TEXT
Reported By: Daniel Kahn Gillmor
Date Reported: 2023-03-25
Verifier Name: RFC Editor
Date Verified: 2023-04-27
Section 11.2, 7.2 says:
"HAASTAD" and "Haastad, J"
It should say:
"HASTAD" and "Hastad, J"
Notes:
https://epubs.siam.org/doi/10.1137/0217019 indicates that the author of "Solving Simultaneous Modular Equations of Low Degree" is "Johan Hastad", not "Johan Haastad".
Status: Held for Document Update (1)
Errata ID: 5576
Status: Held for Document Update
Type: Editorial
Publication Format(s): TEXT
Reported By: Dave Thompson
Date Reported: 2018-12-16
Held for Document Update by: Benjamin Kaduk
Date Held: 2019-01-05
Section B.1 says:
The object identifiers id-md2, id-md5, id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512/224, and id-sha512/256 identify the respective hash functions: ... The parameters field associated with id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512/224, and id-sha512/256 should ... Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5 (see Section 9.2), the parameters field associated with id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512/224, and id-sha512/256 shall have a value of type NULL. This is to maintain
It should say:
The object identifiers id-md2, id-md5, id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512-224, and id-sha512-256 identify the respective hash functions: ... The parameters field associated with id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512-224, and id-sha512-256 should ... Exception: When formatting the DigestInfoValue in EMSA-PKCS1-v1_5 (see Section 9.2), the parameters field associated with id-sha1, id-sha224, id-sha256, id-sha384, id-sha512, id-sha512-224, and id-sha512-256 shall have a value of type NULL. This is to maintain
Notes:
ASN.1 identifiers don't allow slash. The actual ASN.1 code in the middle of B.1, and the ASN.1 module in C, correctly use hyphens for id-sha512-224 and id-sha512-256.