RFC Errata


Found 3 records.

Status: Verified (1)

RFC 9711, "The Entity Attestation Token (EAT)", April 2025

Source of RFC: rats (sec)

Errata ID: 8528
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Steven Bellock
Date Reported: 2025-08-09
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section Appendix A says:

/ eat_nonce /       10: h'48df7b172d70b5a18935d0460a73dd71',
/ eat_nonce /       10: h'e253cabedc9eec24ac4e25bcbeaf7765',
/ eat_nonce /       10: h'd79b964ddd5471c1393c8888',
/ eat_nonce /       10: h'99b67438dba40743266f70bf75feb1026d5134
                              97a229bfe8',
/ eat_nonce /         10: h'8b0b28782a23d3f6',
/ eat_nonce / 10: h'5e19fba4483c7896',
/ eat_nonce /       10: h'3515744961254b41a6cf9c02',

It should say:

/ Nonce /      10: h'48df7b172d70b5a18935d0460a73dd71',
/ Nonce /      10: h'e253cabedc9eec24ac4e25bcbeaf7765',
/ Nonce /      10: h'd79b964ddd5471c1393c8888',
/ Nonce /      10: h'99b67438dba40743266f70bf75feb1026d5134
                              97a229bfe8',
/ Nonce /         10: h'8b0b28782a23d3f6',
/ Nonce / 10: h'5e19fba4483c7896',
/ Nonce /      10: h'3515744961254b41a6cf9c02',

Notes:

For all the CWT examples in Appendix A, where the claim name is "eat_nonce" it should be changed to "Nonce", as "eat_nonce" is only for JWT.

Status: Rejected (2)

RFC 9711, "The Entity Attestation Token (EAT)", April 2025

Source of RFC: rats (sec)

Errata ID: 8401
Status: Rejected
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Muhammad Usama Sardar
Date Reported: 2025-05-01
Rejected by: Deb Cooley
Date Rejected: 2025-06-27

Section 1 says:

For attestation, the keys are associated with
specific devices and are configured by device manufacturers. 

It should say:

The quoted text is inaccurate and just an opinion of the editors. 
It should preferably be removed from the RFC.

Notes:

In SGX, the keys are not configured by the manufacturer alone. The platform owner can provide a random value called OWNER_EPOCH.

See this for technical details: https://mailarchive.ietf.org/arch/msg/rats/4V2zZHhk5IuxwcUMNWpPBpnzpaM/
--VERIFIER NOTES--
Incorrectly specified errata. The corrected text is not actually correct.

Errata ID: 8404
Status: Rejected
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Muhammad Usama Sardar
Date Reported: 2025-05-04
Rejected by: Deb Cooley
Date Rejected: 2025-06-27

Section 8.4 says:

The nonce claim is based on a value usually derived
   remotely (outside of the entity).

It should say:

See notes

Notes:

Attester-generated nonce does not provide any replay protection since the Attester can pre-generate an Evidence that might not reflect the actual system state, but a past one.

See the attack trace for Attester-generated nonce at:
https://mailarchive.ietf.org/arch/msg/rats/jcAv9FKbYSIVtUNQ8ggEHL8lrmM/

For replay protection, nonce should *always* be derived remotely (for example, by the Relying Party).
--VERIFIER NOTES--
Incorrectly formatted errata. The corrected text is not correct.
