[TLS] [Technical Errata Reported] RFC8422 (8179)

2024-11-16 Thread RFC Errata System
The following errata report has been submitted for RFC8422,
"Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security 
(TLS) Versions 1.2 and Earlier".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8179

--
Type: Technical
Reported by: warren.wang <648936...@qq.com>

Section: 5.4.  Server Key Exc

Original Text
-
   The ServerKeyExchange message is extended as follows.

   enum {
   ec_diffie_hellman
   } KeyExchangeAlgorithm;

   o  ec_diffie_hellman: Indicates the ServerKeyExchange message
  contains an ECDH public key.

  select (KeyExchangeAlgorithm) {
  case ec_diffie_hellman:
  ServerECDHParamsparams;
  Signature   signed_params;
  } ServerKeyExchange;

.

enum {
ecdsa(3),
ed25519(7)
ed448(8)
} SignatureAlgorithm;
select (SignatureAlgorithm) {
   case ecdsa:
digitally-signed struct {
opaque sha_hash[sha_size];
};
   case ed25519,ed448:
digitally-signed struct {
opaque rawdata[rawdata_size];
};
} Signature;
  ServerKeyExchange.signed_params.sha_hash
  SHA(ClientHello.random + ServerHello.random +
 ServerKeyExchange.params);
  ServerKeyExchange.signed_params.rawdata
  ClientHello.random + ServerHello.random +
 ServerKeyExchange.params;

   NOTE: SignatureAlgorithm is "rsa" for the ECDHE_RSA key exchange
   algorithm and "anonymous" for ECDH_anon.  These cases are defined in
   TLS.  SignatureAlgorithm is "ecdsa" or "eddsa" for ECDHE_ECDSA.

Corrected Text
--
The extended ServerKeyExchange message seems just for tls version 1.0 and 
version 1.1, not for 1.2, because tls version 1.2 ServerKeyExchange message 
format is different from version 1.0 and 1.1. The following is tls version 1.2 
ServerKeyExchange message format:

 struct {
 select (KeyExchangeAlgorithm) {
 case dh_anon:
 ServerDHParams params;
 case dhe_dss:
 case dhe_rsa:
 ServerDHParams params;
 digitally-signed struct {
 opaque client_random[32];
 opaque server_random[32];
 ServerDHParams params;
 } signed_params;
 case rsa:
 case dh_dss:
 case dh_rsa:
 struct {} ;
 /* message is omitted for rsa, dh_dss, and dh_rsa */
 /* may be extended, e.g., for ECDH -- see [TLSECC] */
 };
 } ServerKeyExchange;

it does not specify the message format for ECDH_RSA and ECDH_anon, the "NOTE" 
in original text does not apply to tls version 1.2, because it doesn't have the 
"Signature" field.

Notes
-
the ServerKeyExchange for ECDH_RSA and ECDH_anon should be specified for tls 
version 1.2.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC8422 (draft-ietf-tls-rfc4492bis-17)
--
Title   : Elliptic Curve Cryptography (ECC) Cipher Suites for 
Transport Layer Security (TLS) Versions 1.2 and Earlier
Publication Date: August 2018
Author(s)   : Y. Nir, S. Josefsson, M. Pegourie-Gonnard
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8448 (5645)

2024-10-18 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8448, "Example Handshake Traces for TLS 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5645

--
Status: Held for Document Update
Type: Technical

Reported by: Anthony Mai 
Date Reported: 2019-02-28
Held by: Paul Wouters (IESG)

Section: 2

Original Text
-
   Ephemeral private keys are shown as they are generated in the traces.

Corrected Text
--
   Ephemeral private keys are shown as they are generated in the traces.
Note that X25519 private keys are trimmed in accordance to [RFC 7748]
Section 5, before use. This is done by clearing bit 0 to 2 of the first
byte and bit 7 of the last byte. And then set bit 6 of the last byte.

Notes
-
On page 3,5,16,20,29,43,44,55,57, there are ten X25519 ephemeral private
keys listed. None of these private key value, when used directly in X25519
calculation, will yield the associated public key listed. These private key
values are not the actual values used. Instead up to 5 bits are modified as
recommended by RFC 7748 section 5. Some implementations may choose NOT to
do such trimming, and it does not affect the connectivity, as the private
keys are never sent over the wire and does not affect network behavior.

Not clarifying how the X25519 private keys were modified before using could
cause serious confusion. I personally struggled for a day before figuring
out this little obscure detail.

--
RFC8448 (draft-ietf-tls-tls13-vectors-07)
--
Title   : Example Handshake Traces for TLS 1.3
Publication Date: January 2019
Author(s)   : M. Thomson
Category: INFORMATIONAL
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6150)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6150

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Rejected by: Paul Wouters (IESG)

Section: GLOBAL

Original Text
-
Note that certificate-based client authentication is not available 
in PSK handshake flows (including 0-RTT). 

Corrected Text
--
Note that certificate-based client authentication is not available 
in PSK handshake flows (including 0-RTT), post-handshake 
certificate-based client authentication is possible.

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6148)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6148

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Rejected by: Paul Wouters (IESG)

Section: 4.2.10

Original Text
-
The selected ALPN [RFC7301] protocol, if any

Corrected Text
--
The selected ALPN [RFC7301] protocol, if extension 
application_layer_protocol_negotiation is present

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8446 (6147)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6147

--
Status: Held for Document Update
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Held by: Paul Wouters (IESG)

Section: 4.2.10.

Original Text
-
In order to accept early data, the server MUST have accepted a PSK
cipher suiteIn addition, it MUST verify that the
following values are the same as those associated with the
selected PSK:

...

-  The selected cipher suite

Corrected Text
--


Notes
-
Accepting the "PSK cipher suite" surely implies the PSK is associated with the 
cipher suite, hence, 
"The selected cipher suite" can be dropped.

Paul Wouters(SEC AD): The text was changed a little to solve this issue

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6144)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6144

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Rejected by: Paul Wouters (IESG)

Section: 4.2.8.

Original Text
-
Upon receipt of this extension in a HelloRetryRequest, the client
MUST verify that...the selected_group field does not
correspond to a group which was provided in the "key_share" extension
in the original ClientHello.

Corrected Text
--
Upon receipt of this extension in a HelloRetryRequest, the client
MUST verify that...a key share was not offered (in the "key_share" 
extension in the original ClientHello) for the group in the 
selected_group field.

Notes
-
The original text requires knowledge of the "key_share" extension and is rather 
hard to read,
the proposed text should be easier to understand.
 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8446 (6140)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6140

--
Status: Held for Document Update
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Held by: Paul Wouters (IESG)

Section: 4.4.2.2.

Original Text
-
This fallback chain SHOULD NOT use the deprecated SHA-1 hash
algorithm in general, but MAY do so if the client's advertisement
permits it, and MUST NOT do so otherwise.

Corrected Text
--
This fullback chain MUST NOT use the deprecated SHA-1 hash,
except if advertised by the client, in which case it MAY.

Notes
-
The original text is difficult to read, eliminating the unnecessary "SHOULD 
NOT" seems to make it 
easier.

Paul Wouters(SEC AD): accepted with slightly different text, keeping the SHOULD 
NOT -> MUST NOT change proposed here

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6137)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6137

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-28
Rejected by: Paul Wouters (IESG)

Section: 4.2.10

Original Text
-
symmetric cipher suite

Corrected Text
--
cipher suite

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6152)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6152

--
Status: Rejected
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-05-01
Rejected by: Paul Wouters (IESG)

Section: 4

Original Text
-
Clients MUST check for ["supported_versions"] prior to
processing the rest of the ServerHello (although they will have to 
parse the ServerHello in order to read the extension). -- Section 4.2.1.

Upon receipt of a HelloRetryRequest, the client MUST check the
legacy_version, legacy_session_id_echo, cipher_suite, and
legacy_compression_method as specified in Section 4.1.3 and then
process the extensions, starting with determining the version using
"supported_versions". -- Section 4.1.4

Upon receiving a message with type server_hello, implementations MUST
first examine the Random value... -- Section 4.1.3.


Corrected Text
--


Notes
-
These requirements are seemingly conflicting. I suspect checking for 
"supported_versions" must 
come first, since that may influence subsequent steps, e.g., checking 
legacy_compression_method 
and the Random value. It doesn't seem to matter whether legacy_version, 
legacy_session_id_echo, 
cipher_suite, and legacy_compression_method are checked before the Random 
value, so it doesn't
seem to matter which check is second and which is third. (Noting, as per one of 
my earlier reports,
dated 28 Apr, Section 4.1.3 defines no checks for legacy_version nor 
legacy_compression_method. 
Perhaps the latter should be checked to be zero, aborting with alert 
illegal_parameter if it isn't, as per
Section 4.1.2.)
 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6145)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6145

--
Status: Rejected
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Rejected by: Paul Wouters (IESG)

Section: 4.2.10.

Original Text
-
When a PSK is used and early data is allowed for that PSK

Corrected Text
--


Notes
-
I couldn't find restrictions that forbid early data for a PSK. Explaining where 
such restrictions
could exist would be useful. E.g., PSKs might be associated with data that 
forbids early data.
 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6143)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6143

--
Status: Rejected
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Rejected by: Paul Wouters (IESG)

Section: 4.2.7

Original Text
-
As of TLS 1.3, servers are permitted to send the "supported_groups"
extension to the client.

Corrected Text
--


Notes
-
It is unclear whether servers are permitted to send the "supported_groups" 
extension to 
the client without solicitation, i.e., when the client does not first send the 
extension to the 
server. Clarification would be useful.
 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (7620)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7620

--
Status: Rejected
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2023-08-28
Rejected by: Paul Wouters (IESG)

Section: 6.1

Original Text
-
Each party MUST send a "close_notify" alert before closing its write
side of the connection, unless it has already sent some error alert.
This does not have any effect on its read side of the connection.
Note that this is a change from versions of TLS prior to TLS 1.3 in
which implementations were required to react to a "close_notify" by
discarding pending writes and sending an immediate "close_notify"
alert of their own.  That previous requirement could cause truncation
in the read side.  Both parties need not wait to receive a
"close_notify" alert before closing their read side of the
connection, though doing so would introduce the possibility of
truncation.

Corrected Text
--
Each party MUST send a "close_notify" alert before closing its write
side of the connection, unless it has already sent some error alert.
This SHOULD NOT have any effect on the read side of the sender's connection;
parties SHOULD receive a "close_notify" alert before closing the read side of 
their connection.
Note that this is a change from versions of TLS prior to TLS 1.3 in
which receivers were required to react to a "close_notify" by
discarding pending writes and sending an immediate "close_notify"
alert of their own.  That previous requirement could cause truncation
in the read side.  Both parties need not wait to receive a
"close_notify" alert before closing their read side of the
connection, though doing so would introduce the possibility of
truncation.

Notes
-
As-is there's a specification-level vulnerability: Specification-compliant 
implementations may be vulnerable to truncation attacks.

I suggest using SHOULD NOT & SHOULD for better signposting and to avoid 
specification-level vulnerability.

I also suggest minor tweaks for readability.
 --VERIFIER NOTES-- 
   Rejected by WG. See 
https://github.com/tlswg/tls13-spec/pull/1357/commits/d2a36a8029067cb20ff431fcaa8b3a4e537e4bf6

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6127)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6127

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Rejected by: Paul Wouters (IESG)

Section: 4.1.2.

Original Text
-
If a "key_share" extension was supplied in the HelloRetryRequest,
replacing the list of shares with a list containing a single
KeyShareEntry from the indicated group.

Corrected Text
--
If a "key_share" extension was supplied in the HelloRetryRequest,
replacing the list of shares with a list containing a single
KeyShareEntry from the indicated group. Note: A "key_share" 
extension may not be supplied in a HelloRetryRequest message 
when a server receives  an "early_data" (Section 4.2.10).

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6126)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6126

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Rejected by: Paul Wouters (IESG)

Section: 4.1.1

Original Text
-
Note that if the PSK can be used without (EC)DHE, then
non-overlap in the "supported_groups" parameters need not be fatal, 
as it is in the non-PSK case discussed in the previous paragraph.

Corrected Text
--
Note that if the PSK can be used without (EC)DHE, then
non-overlap in the "supported_groups" parameters need not be fatal, 
as it is in the non-PSK case discussed in the previous paragraph, 
because PSK-only key exchange mode does not need supported_groups.

Notes
-
If "the PSK can be used without (EC)DHE", then PSK-only key exchange mode can 
be used, which doesn't require supported_groups. This is perhaps worthy of 
explanation.
 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6124)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6124

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Rejected by: Paul Wouters (IESG)

Section: 2

Original Text
-
   In the Key Exchange phase, the client sends the ClientHello  
   (Section 4.1.2) message, which contains a random nonce   
   (ClientHello.random); its offered protocol versions; a list of   
   symmetric cipher/HKDF hash pairs; either a set of Diffie-Hellman key 
   shares (in the "key_share" (Section 4.2.8) extension), a set of  
   pre-shared key labels (in the "pre_shared_key" (Section 4.2.11)  
   extension), or both; and potentially additional extensions.   

Corrected Text
--
   In the Key Exchange phase, the client sends the ClientHello  
   (Section 4.1.2) message, which contains a random nonce   
   (ClientHello.random); its offered protocol versions; a list of   
   symmetric cipher/Hash algorithm pairs; either a set of Diffie-Hellman key
 
   shares (in the "key_share" (Section 4.2.8) extension), a set of  
   pre-shared key labels (in the "pre_shared_key" (Section 4.2.11)  
   extension), or both; and potentially additional extensions.   

or

   In the Key Exchange phase, the client sends the ClientHello  
   (Section 4.1.2) message, which contains a random nonce   
   (ClientHello.random); its offered protocol versions; a list of   
   symmetric cipher/Hash algorithm (to be used with HKDF) pairs; either a set 
of Diffie-Hellman key 
   shares (in the "key_share" (Section 4.2.8) extension), a set of  
   pre-shared key labels (in the "pre_shared_key" (Section 4.2.11)  
   extension), or both; and potentially additional extensions.   

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6121)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6121

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Rejected by: Paul Wouters (IESG)

Section: 1

Original Text
-
cryptographic modes

Corrected Text
--
cryptographic algorithms

Notes
-

 --VERIFIER NOTES-- 
   rejected by WG

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6120)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6120

--
Status: Rejected
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Rejected by: Paul Wouters (IESG)

Section: 1

Original Text
-
the underlying transport is a reliable, in-order data stream



Corrected Text
--
the underlying transport layer is a reliable, in-order stream delivery service

or

the underlying transport protocol is a reliable, in-order stream delivery 
service

or similar

Notes
-
Similar elsewhere
 --VERIFIER NOTES-- 
   rejected by WG.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8447 (6009)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8447, "IANA Registry Updates for TLS and DTLS". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6009

--
Status: Held for Document Update
Type: Editorial

Reported by: Benjamin Kaduk 
Date Reported: 2020-03-07
Held by: Paul Wouters (IESG)

Section: 14

Original Text
-
   o  Added a "Recommended" column to the registry.  X.509 and Raw


Corrected Text
--
   o  Added a "Recommended" column to the registry.  X509 and Raw


Notes
-
Update to match https://www.rfc-editor.org/errata/eid5976

--
RFC8447 (draft-ietf-tls-iana-registry-updates-05)
--
Title   : IANA Registry Updates for TLS and DTLS
Publication Date: August 2018
Author(s)   : J. Salowey, S. Turner
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8446 (7073)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7073

--
Status: Held for Document Update
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2022-08-06
Held by: Paul Wouters (IESG)

Section: 4.4

Original Text
-
These messages are encrypted under keys derived from the 
[sender]_handshake_traffic_secret.

Corrected Text
--
These messages are encrypted under keys derived from the 
[sender]_handshake_traffic_secret, except for post-handshake authentication

Notes
-
There's an exception

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8446 (7003)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7003

--
Status: Held for Document Update
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2022-06-22
Held by: Paul Wouters (IESG)

Section: 4.6.1.

Original Text
-
At any time after the server has received the client Finished message, it MAY 
send a NewSessionTicket message.

Corrected Text
--
At any time after the server has received both a "psk_key_exchange_modes" 
extension and a Finished message, it MAY send a NewSessionTicket message.



Notes
-
Section 4.2.9. demands 

In order to use PSKs, clients MUST also send a "psk_key_exchange_modes" 
extension.

Hence, an additional restriction is needed in Section 4.6.1.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Held for Document Update] RFC8446 (6151)

2024-10-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6151

--
Status: Held for Document Update
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-30
Held by: Paul Wouters (IESG)

Section: 4.4

Original Text
-
   | Post- | ClientHello ... client  | client_application_traffic_ |
   | Handshake | Finished +  | secret_N|
   |   | CertificateRequest  | |

Corrected Text
--
   | Post- | ClientHello ... client  | [sender]_application_traffic|
   | Handshake | Finished +  | _secret_N   |
   |   | CertificateRequest  | |

Notes
-


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Rejected] RFC8446 (6136)

2024-10-17 Thread RFC Errata System
The following errata report has been rejected for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6136

--
Status: Rejected
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-28
Rejected by: Paul Wouters (IESG)

Section: 4.1.4

Original Text
-
   Upon receipt of a HelloRetryRequest, the client MUST check the
   legacy_version, legacy_session_id_echo, cipher_suite, and 
   legacy_compression_method as specified in Section 4.1.3 

Corrected Text
--


Notes
-
Section 4.1.3 defines no checks for legacy_version nor legacy_compression_method
 --VERIFIER NOTES-- 
   It does have the listed fields and values it should contain (to check) in 
the previous 4.1.3 section.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Technical Errata Reported] RFC9147 (8141)

2024-10-15 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8141

--
Type: Technical
Reported by: Nick Harper 

Section: 4

Original Text
-
   This 128-bit value is used in the ACK message as well as in the
   "record_sequence_number" input to the Authenticated Encryption with
   Associated Data (AEAD) function.

Corrected Text
--
   This 128-bit value is used in the ACK message.

Notes
-
The end of this paragraph contradicts this by saying "In DTLS 1.3 the 64-bit 
sequence_number is used as the sequence number for the AEAD computation". If 
the 128-bit value was used as the "record sequence number" as described in RFC 
8446 section 5.3, it appears that would require the AEAD to have an N_MAX of at 
least 16 bytes to fit all of the 128 bits, and none of the TLS 1.3 AEADs have 
an N_MAX that big. Thus, I assume the end of the paragraph is correct and the 
opening is incorrect.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Technical Errata Reported] RFC9147 (8108)

2024-09-18 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8108

--
Type: Technical
Reported by: David Benjamin 

Section: 7.2

Original Text
-
   acknowledgements for records which have already been ACKed.  As noted
   above, the receipt of any record responding to a given flight MUST be
   taken as an implicit acknowledgement for the entire flight to which
   it is responding.

Corrected Text
--
   acknowledgements for records which have already been ACKed.  As noted
   above, the receipt of any record responding to a given flight MUST be
   taken as an implicit acknowledgement for the entire flight to which
   it is responding.

   If any element of record_numbers in the ACK references an epoch that
   is higher than the epoch in which the ACK was received, the
   implementation MUST terminate the connection with an
   "illegal_parameter" alert.

Notes
-
Section 7 discusses that you cannot send ACKs for later epochs, but does not 
say anything about what the receiver does. To prevent an attacker from, e.g., 
using a plaintext ACK to interfere with ACKs of an encrypted epoch, I think we 
need to tell the receiver to check this.

Otherwise we need to be much more explicit about the points at which the 
receiver MUST close old epochs. Honestly, we probably should be explicit about 
this too, but we should also be clear on this point.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Technical Errata Reported] RFC9147 (8107)

2024-09-18 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8107

--
Type: Technical
Reported by: David Benjamin 

Section: 7

Original Text
-
   During the handshake, ACK records MUST be sent with an epoch which is
   equal to or higher than the record which is being acknowledged.  Note
   that some care is required when processing flights spanning multiple
   epochs.  For instance, if the client receives only the ServerHello
   and Certificate and wishes to ACK them in a single record, it must do
   so in epoch 2, as it is required to use an epoch greater than or
   equal to 2 and cannot yet send with any greater epoch.
   Implementations SHOULD simply use the highest current sending epoch,
   which will generally be the highest available.  After the handshake,
   implementations MUST use the highest available sending epoch.

Corrected Text
--
   During the handshake, ACK records MUST be sent with an epoch which is
   equal to or higher than the record which is being acknowledged.  Note
   that some care is required when processing flights spanning multiple
   epochs.  For instance, if the client receives only the ServerHello
   and Certificate and wishes to ACK them in a single record, it must do
   so in epoch 2, as it is required to use an epoch greater than or
   equal to 2 and cannot yet send with any greater epoch.
   Implementations SHOULD simply use the highest current sending epoch,
   which will generally be the highest available.  The exception is that
   implementations MUST NOT send ACK records in epoch 1 (early data). If
   the highest current sending epoch is epoch 1 (early data),
   implementations MUST use epoch 0 (unencrypted) to send ACK records.
   After the handshake, implementations MUST use the highest available
   sending epoch.

Notes
-
With the caveat that unencrypted ACKs are generally goofy (see 
https://mailarchive.ietf.org/arch/msg/tls/ZEj04LyL3hJXeK1nsiOBoB2vCsg/), the 
document currently believes they exist. As long as they exist, the rule in the 
text right now does not work. The server may reject 0-RTT, in which case it 
will never see epoch 1.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Verified] RFC9147 (8100)

2024-09-13 Thread RFC Errata System
The following errata report has been verified for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8100

--
Status: Verified
Type: Editorial

Reported by: David Benjamin 
Date Reported: 2024-09-12
Verified by:   

Section: 4.1

Original Text
-
   *  If the first byte is alert(21), handshake(22), or ack(proposed,
  26), the record MUST be interpreted as a DTLSPlaintext record.

Corrected Text
--
   *  If the first byte is alert(21), handshake(22), or ack(26), the
  record MUST be interpreted as a DTLSPlaintext record.

Notes
-
This appears to be a remnant from before the codepoint was officially allocated.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Editorial Errata Reported] RFC9147 (8100)

2024-09-12 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8100

--
Type: Editorial
Reported by: David Benjamin 

Section: 4.1

Original Text
-
   *  If the first byte is alert(21), handshake(22), or ack(proposed,
  26), the record MUST be interpreted as a DTLSPlaintext record.

Corrected Text
--
   *  If the first byte is alert(21), handshake(22), or ack(26), the
  record MUST be interpreted as a DTLSPlaintext record.

Notes
-
This appears to be a remnant from before the codepoint was officially allocated.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Editorial Errata Reported] RFC6347 (8089)

2024-08-23 Thread RFC Errata System
The following errata report has been submitted for RFC6347,
"Datagram Transport Layer Security Version 1.2".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8089

--
Type: Editorial
Reported by: Kamil Milewski 

Section: 4.2.2

Original Text
-
   struct {
 HandshakeType msg_type;
 uint24 length;
 uint16 message_seq;   // New field
 uint24 fragment_offset;   // New field
 uint24 fragment_length;   // New field
 select (HandshakeType) {
   case hello_request: HelloRequest;
   case client_hello:  ClientHello;
   case hello_verify_request: HelloVerifyRequest;  // New type
   case server_hello:  ServerHello;
   case certificate:Certificate;
   case server_key_exchange: ServerKeyExchange;
   case certificate_request: CertificateRequest;
   case server_hello_done:ServerHelloDone;
   case certificate_verify:  CertificateVerify;
   case client_key_exchange: ClientKeyExchange;
   case finished: Finished;
 } body;
   } Handshake;

Corrected Text
--
   struct {
 HandshakeType msg_type;
 uint24 length;
 uint16 message_seq;   // New field
 uint24 fragment_offset;   // New field
 uint24 fragment_length;   // New field
 select (HandshakeType) {
   case hello_request: HelloRequest;
   case client_hello:  ClientHello;
   case server_hello:  ServerHello;
   case hello_verify_request: HelloVerifyRequest;  // New field
   case certificate:Certificate;
   case server_key_exchange: ServerKeyExchange;
   case certificate_request: CertificateRequest;
   case server_hello_done:ServerHelloDone;
   case certificate_verify:  CertificateVerify;
   case client_key_exchange: ClientKeyExchange;
   case finished: Finished;
 } body; } Handshake;

Notes
-
Change the order of cases inside select field to keep it:
1. In ascending order
2. Consistent with the structure in 4.3.2

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC6347 (draft-ietf-tls-rfc4347-bis-06)
--
Title   : Datagram Transport Layer Security Version 1.2
Publication Date: January 2012
Author(s)   : E. Rescorla, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Technical Errata Reported] RFC9147 (8067)

2024-08-07 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8067

--
Type: Technical
Reported by: David Benjamin 

Section: 5.3

Original Text
-
   legacy_session_id:  Versions of TLS and DTLS before version 1.3
  supported a "session resumption" feature, which has been merged
  with pre-shared keys (PSK) in version 1.3.  A client which has a
  cached session ID set by a pre-DTLS 1.3 server SHOULD set this
  field to that value.  Otherwise, it MUST be set as a zero-length
  vector (i.e., a zero-valued single byte length field).

Corrected Text
--
   legacy_session_id:  Versions of TLS and DTLS before version 1.3
  supported a "session resumption" feature, which has been merged
  with pre-shared keys (PSK) in version 1.3.  A client which has a
  cached session set by a pre-DTLS 1.3 server SHOULD set this
  field according to that session.  Otherwise, it MUST be set as a
  zero-length vector (i.e., a zero-valued single byte length field).

Notes
-
The old text is written as if only ID-based DTLS 1.2 sessions (as opposed to 
ticket-based DTLS 1.2 sessions) require filling in legacy_session_id. This is 
not quite true. (D)TLS 1.2 ticket sessions (usually!) also fill in 
legacy_session_id, but to a random value. See the second paragraph of Section 
3.4 of RFC 5077. This is needed because a (D)TLS 1.2 server still indicates 
resumption by echoing the session ID.

I say usually because RFC 5077 unhelpfully makes this behavior optional for the 
client. The client may instead leave session ID empty, in which case the 
ServerHello is ambiguous on whether resumption happened! Instead, the client 
must detect resumption based on whether ServerHello is followed by 
ChangeCipherSpec (resumption) or more cleartext handshake messages (full 
handshake). This is a mess for the state machine and, as far as I know, no one 
does this. (Except for RFC 4851. That was a mistake.) Moreover, this 
alternative does not work for DTLS, where ChangeCipherSpec is not sequenced 
relative to handshake messages. Although I cannot find any text that says this. 
It seems DTLS 1.2 implementors needed to figure that out for themselves.

Given this mess, I've opted to just be vague and say "set this field according 
to that session". We can't really say "that value" because, in the ticket case, 
you synthesize one. I'd also rather not wade into the mess that is this 
behavior being de jure optional, but de facto required, for DTLS 1.2.

This errata also applies to https://www.rfc-editor.org/errata/eid8066. In the 
replacement text, "cached session ID" should say "cached session".

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Technical Errata Reported] RFC9147 (8066)

2024-08-06 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8066

--
Type: Technical
Reported by: David Benjamin 

Section: 5

Original Text
-
   DTLS implementations do not use the TLS 1.3 "compatibility mode"
   described in Appendix D.4 of [TLS13].  DTLS servers MUST NOT echo the
   "legacy_session_id" value from the client and endpoints MUST NOT send
   ChangeCipherSpec messages.

   With these exceptions, the DTLS message formats, flows, and logic are
   the same as those of TLS 1.3.

Corrected Text
--
   DTLS implementations do not use the TLS 1.3 "compatibility mode"
   described in Appendix D.4 of [TLS13].  DTLS endpoints MUST NOT send
   ChangeCipherSpec messages when negotiating DTLS 1.3.

   Additionally, the "legacy_session_id_echo" field of the ServerHello
   message, described in Section 4.1.3 of [TLS13], MUST be empty in DTLS
   1.3.  DTLS 1.3 servers MUST NOT echo the "legacy_session_id" value
   from the ClientHello.  DTLS 1.3 clients MUST abort the handshake with
   an "illegal_parameter" alert if the field is not empty.  This applies
   even if the "legacy_session_id" field of the ClientHello is non-empty
   due to a cached session ID set by a pre-DTLS 1.3 server (see Section
   5.3).

   With these exceptions, the DTLS message formats, flows, and logic are
   the same as those of TLS 1.3.

Notes
-
DTLS 1.3's continuity with DTLS 1.2 makes this a little subtle. First, a 
DTLS-1.3-capable endpoint may well need to send ChangeCipherSpec if it 
negotiates DTLS 1.3, so add a small clarification here.

More importantly, the changes described here do more than disable the 
provisions of Appendix D.4. Compatibility mode is only half-negotiated in TLS 
1.3, with the ServerHello provisions being unconditional from Section 4.1.3 of 
RFC 8446:

   legacy_session_id_echo:  The contents of the client's
  legacy_session_id field.  Note that this field is echoed even if
  the client's value corresponded to a cached pre-TLS 1.3 session
  which the server has chosen not to resume.  A client which
  receives a legacy_session_id_echo field that does not match what
  it sent in the ClientHello MUST abort the handshake with an
  "illegal_parameter" alert.

In particular, even if we disable the provisions of D.4, a DTLS 1.3 client may 
still send a non-empty legacy_session_id if it is offering a DTLS 1.2 session. 
That means matching legacy_session_id and always being empty aren't *quite* the 
same.

The old text overrode 4.1.3's server text (though without citing the section) 
but not the client text. Leaving the client text as-is will lead to an interop 
problem in the 1.2 resumption case above, so let's make that clearer. Best also 
to cite the section we're overriding.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Editorial Errata Reported] RFC9147 (8051)

2024-07-25 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8051

--
Type: Editorial
Reported by: David Benjamin 

Section: 6.1

Original Text
-
   *  Epoch value (2) is used for messages protected using keys derived
  from [sender]_handshake_traffic_secret.  Messages transmitted
  during the initial handshake, such as EncryptedExtensions,
  CertificateRequest, Certificate, CertificateVerify, and Finished,
  belong to this category.  Note, however, that post-handshake
  messages are protected under the appropriate application traffic
  key and are not included in this category.

Corrected Text
--
   *  Epoch value (2) is used for messages protected using keys derived
  from [sender]_handshake_traffic_secret.  Messages transmitted
  during the handshake, such as EncryptedExtensions,
  CertificateRequest, Certificate, CertificateVerify, and Finished,
  belong to this category.  Note, however, that post-handshake
  messages are protected under the appropriate application traffic
  key and are not included in this category.

Notes
-
The discussion of "initial handshake" appears to be a remnant of DTLS 1.2, 
where a single connection may have multiple handshakes via renegotiation. In 
(D)TLS 1.3, there is only one handshake per connection.

Looking to RFC 8446, the only references to "initial handshake" refer to 
resumption, talking about the handshake in the initial connection, vs the 
handshake in resumption connections. This reference is not trying to 
distinguish initial vs resumption handshakes, so the use of "initial handshake" 
is a bit confusing. I believe plain "handshake" is the right terminology.

NB: There are two other references to "initial handshake", one in the diagram 
in Section 8, and another in Section 11. I believe they too should be switched 
to "handshake".

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Technical Errata Reported] RFC9147 (8050)

2024-07-25 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8050

--
Type: Technical
Reported by: David Benjamin 

Section: 8

Original Text
-
   With a 128-bit key as in AES-128, rekeying 2^64 times has a high
   probability of key reuse within a given connection.  Note that even
   if the key repeats, the IV is also independently generated.  In order
   to provide an extra margin of security, sending implementations MUST
   NOT allow the epoch to exceed 2^48-1.  In order to allow this value
   to be changed later, receiving implementations MUST NOT enforce this
   rule.  If a sending implementation receives a KeyUpdate with
   request_update set to "update_requested", it MUST NOT send its own
   KeyUpdate if that would cause it to exceed these limits and SHOULD
   instead ignore the "update_requested" flag.  Note: this overrides the
   requirement in TLS 1.3 to always send a KeyUpdate in response to
   "update_requested".

Corrected Text
--
   With a 128-bit key as in AES-128, rekeying 2^64 times has a high
   probability of key reuse within a given connection.  Note that even
   if the key repeats, the IV is also independently generated.  In order
   to provide an extra margin of security, sending implementations MUST
   NOT allow the epoch to exceed 2^48-1.  If a sending implementation
   receives a KeyUpdate with request_update set to "update_requested",
   it MUST NOT send its own KeyUpdate if that would cause it to exceed
   these limits and SHOULD instead ignore the "update_requested" flag.
   Note: this overrides the requirement in TLS 1.3 to always send a
   KeyUpdate in response to "update_requested".

   Exceeding the above limit is not possible with the key update
   mechanisms defined in this document.  After the handshake, each epoch
   change consumes a message_seq value, which is limited to 2^16-1. Both
   sending and receiving implementations MAY instead enforce an epoch
   limit of 2^16-1.  In this case, the implementation MUST check for
   this limit, if reached, terminate the association. In some cases, it
   is otherwise possible for the epoch number to reach 2^16+1.

Notes
-
See https://mailarchive.ietf.org/arch/msg/tls/6y8wTv8Q_IPM-PCcbCAmDOYg6bM/ for 
details. Strictly speaking, as noted in the corrected text, the maximum epoch 
value does not *quite* fit in 2^16. However, bumping the implementation's size 
just to accommodate two more epochs seems pointless.

The 2^16-1 value comes from the minimum number of messages in the sending side 
of a handshake, 2 (ClientHello + Finished as a client). Post-handshake, epochs 
begin at 3. From there, we can send at most 2^16-2 KeyUpdates, ending at epoch 
2^16-2+3 = 2^16+1.

In particular, I believe NSS stores the epoch as 16-bit in DTLS 1.3. We plan to 
do so in BoringSSL as well. It is a natural choice because epochs are 16-bit in 
DTLS 1.2. Without this erratum, I believe NSS, and any other implementation 
making this choice, is non-compliant because the spec says the receiver "MUST 
NOT enforce this rule".

To that end, I've deleted that sentence because we cannot *actually* change 
this value. DTLS 1.3 tried, but failed, to enable a larger epoch space. Maybe 
we can try again in DTLS 1.4, or decide we don't care and properly revert to 
16-bit.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Technical Errata Reported] RFC9147 (8048)

2024-07-25 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8048

--
Type: Technical
Reported by: David Benjamin 

Section: 5.2

Original Text
-
   The first message each side transmits in each association always has
   message_seq = 0.  Whenever a new message is generated, the
   message_seq value is incremented by one.  When a message is
   retransmitted, the old message_seq value is reused, i.e., not
   incremented.  From the perspective of the DTLS record layer, the
   retransmission is a new record.  This record will have a new
   DTLSPlaintext.sequence_number value.

Corrected Text
--
   The first message each side transmits in each association always has
   message_seq = 0.  Whenever a new message is generated, the
   message_seq value is incremented by one.  Implementations MUST NOT
   allow message_seq to wrap, but instead MUST establish a new
   association, terminating the old association.  When a message is
   retransmitted, the old message_seq value is reused, i.e., not
   incremented.  From the perspective of the DTLS record layer, the
   retransmission is a new record.  This record will have a new
   DTLSPlaintext.sequence_number value.

Notes
-
While pondering what to do about 
https://mailarchive.ietf.org/arch/msg/tls/6y8wTv8Q_IPM-PCcbCAmDOYg6bM/, I 
noticed that we don't say anything about message_seq wrapping. Since we don't 
reset that counter, it's not only possible for it to wrap, but for the peer to 
induce you to wrap it. This seems warrant some text. I borrowed the "MUST NOT 
allow ... to wrap, but instead ..." phrasing from Section 4.2.1.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS][Technical Errata Reported] RFC9147 (8047)

2024-07-25 Thread RFC Errata System
The following errata report has been submitted for RFC9147,
"The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8047

--
Type: Technical
Reported by: David Benjamin 

Section: 8

Original Text
-
   As with TLS 1.3, DTLS 1.3 implementations send a KeyUpdate message to
   indicate that they are updating their sending keys.  As with other
   handshake messages with no built-in response, KeyUpdates MUST be
   acknowledged.  In order to facilitate epoch reconstruction
   (Section 4.2.2), implementations MUST NOT send records with the new
   keys or send a new KeyUpdate until the previous KeyUpdate has been
   acknowledged (this avoids having too many epochs in active use).

Corrected Text
--
   As with TLS 1.3, DTLS 1.3 implementations send a KeyUpdate message to
   indicate that they are updating their sending keys. As with other
   handshake messages with no built-in response, KeyUpdates MUST be
   acknowledged. Acknowledgements are used to both control
   retransmission and transition to the next epoch. Implementations MUST
   NOT send records with the new keys until the KeyUpdate and all
   preceding messages have been acknowledged. This facilitates epoch
   reconstruction (Section 4.2.2) and avoids too many epochs in active
   use, by ensuring the peer has processed the KeyUpdate and started
   receiving at the new epoch.

   A KeyUpdate message terminates the post-handshake stream in an epoch.
   After sending KeyUpdate in an epoch, implementations MUST NOT send
   any new post-handshake messages in that epoch. Note that, if the
   implementation has sent KeyUpdate but is waiting for an ACK, the next
   epoch is not yet active. In this case, subsequent post-handshake
   messages may not be sent until receiving the ACK.

Notes
-
See https://mailarchive.ietf.org/arch/msg/tls/_ku3-YDcroNmG_QKZsYTtqYzC0M/ for 
discussion. This is option 7 from that discussion, as well as the fix for the 
other issue described at the top of 
https://mailarchive.ietf.org/arch/msg/tls/GYX_teYy5CTFiGCBgbQJQwv_Fj4/

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC9147 (draft-ietf-tls-dtls13-43)
--
Title   : The Datagram Transport Layer Security (DTLS) Protocol 
Version 1.3
Publication Date: April 2022
Author(s)   : E. Rescorla, H. Tschofenig, N. Modadugu
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org


[TLS] [Errata Verified] RFC8773 (7598)

2024-04-09 Thread RFC Errata System
The following errata report has been verified for RFC8773,
"TLS 1.3 Extension for Certificate-Based Authentication with an External 
Pre-Shared Key". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7598

--
Status: Verified
Type: Editorial

Reported by: Russ Housley 
Date Reported: 2023-08-11
Verified by: RFC Editor  

Section: 5.1

Original Text
-
When the "psk_key_exchange_modes" extension is included in the
ServerHello message, servers MUST select the psk_dhe_ke mode
for the initial handshake.

Corrected Text
--
When the "psk_key_exchange_modes" extension is included in the
ClientHello message, servers MUST select the psk_dhe_ke mode
for the initial handshake.

Notes
-
According to RFC 8446, the "psk_key_exchange_modes" extension only appears in 
the ClientHello message. Further, the slides presented on this topic at IETF 
101show the "psk_key_exchange_modes" extension in the ClientHello message and 
no other place.  It is pretty clear that this is an editorial error.


--
RFC8773 (draft-ietf-tls-tls13-cert-with-extern-psk-07)
--
Title   : TLS 1.3 Extension for Certificate-Based Authentication 
with an External Pre-Shared Key
Publication Date: March 2020
Author(s)   : R. Housley
Category: EXPERIMENTAL
Source  : Transport Layer Security
Stream  : IETF

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6820)

2024-04-05 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6820

--
Status: Held for Document Update
Type: Technical

Reported by: Leander Schwarz 
Date Reported: 2022-01-21
Held by: Paul Wouters (IESG)

Section: 6.2

Original Text
-
unsupported_extension:  Sent by endpoints receiving any handshake
  message containing an extension known to be prohibited for
  inclusion in the given handshake message, or including any
  extensions in a ServerHello or Certificate not first offered in
  the corresponding ClientHello or CertificateRequest. 

Corrected Text
--
unsupported_extension:  Sent by endpoints receiving any handshake
  message containing an extension in a ServerHello or Certificate
  not first offered in the corresponding ClientHello or 
  CertificateRequest.

Notes
-
The definition of the unsupported_extension alert in section 6.2 contradicts 
the statements in section 4.2:

If an implementation receives an extension
which it recognizes and which is not specified for the message in
which it appears, it MUST abort the handshake with an
   "illegal_parameter" alert.

While this might not be inconsistent due to the "abort the handshake with an X 
alert" specification at the beginning of section 6.2, it might lead to 
confusion. (see 
https://mailarchive.ietf.org/arch/msg/tls/hGOGWZRMg718mWqOZ06LwjV9360/).

Paul Wouters(AD): Currently discussed at:

https://github.com/tlswg/tls13-spec/issues/1352
https://github.com/tlswg/tls13-spec/pull/1353

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (5874)

2024-04-05 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5874

--
Status: Held for Document Update
Type: Technical

Reported by: Mr Laurie Perrin 
Date Reported: 2019-10-12
Held by: Paul Wouters (IESG)

Section: 5.1

Original Text
-
...

   Application Data messages contain data that is opaque to TLS.
   Application Data messages are always protected.  Zero-length
   fragments of Application Data MAY be sent, as they are potentially
   useful as a traffic analysis countermeasure.  Application Data
   fragments MAY be split across multiple records or coalesced into a
   single record.

Corrected Text
--
...

   Application Data messages contain data that is opaque to TLS.
   Application Data messages are always protected.  Zero-length
   fragments of Application Data (i.e. those encapsulating an
   TLSInnerPlaintext record having a content field of length zero)
   MAY be sent, as they are potentially useful as a traffic analysis
   countermeasure. Application Data fragments MAY be split across
   multiple records or coalesced into a single record.

Notes
-
In the interest of clarity, it may be prudent to specify the type of record for
which a fragment of length zero is being considered - it cannot be that of the
TLSCiphertext itself, for "Application Data messages are always protected,"
therefore I infer this relates to the TLSInnerPlaintext content field (of
length "TLSPlaintext.length") - i.e. to the TLSPlaintext fragment.

Note: This comment also applies to previous versions of the TLS specification,
in particular with the introduction of the respective text concerning 
zero-length
fragments in RFC 5246. In TLS 1.2, this would be the GenericXXCipher content
field of length "TLSCompressed.length" - i.e. to the TLSCompressed fragment.

Note: The implications of zero-length records must be considered with respect to
potential vectors for denial of service.

Paul Wouters(AD): Currently discussed at:

https://github.com/tlswg/tls13-spec/issues/1346
https://github.com/tlswg/tls13-spec/pull/1347

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (5717)

2024-03-28 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5717

--
Status: Held for Document Update
Type: Editorial

Reported by: Daniel Migault 
Date Reported: 2019-05-03
Held by: Paul Wouters (IESG)

Section: 2.2.

Original Text
-
 Figure 3 shows a pair of handshakes in which the first handshake
   establishes a PSK and the second handshake uses it:
 
  Client   Server
 
   Initial Handshake:
  ClientHello
  + key_share   >
  ServerHello
  + key_share
{EncryptedExtensions}
{CertificateRequest*}
   {Certificate*}
 {CertificateVerify*}
   {Finished}
< [Application Data*]
  {Certificate*}
  {CertificateVerify*}
  {Finished}>
<  [NewSessionTicket]
  [Application Data]<--->  [Application Data]
 
 
   Subsequent Handshake:
  ClientHello
  + key_share*
  + pre_shared_key  >
  ServerHello
 + pre_shared_key
 + key_share*
{EncryptedExtensions}
   {Finished}
< [Application Data*]
  {Finished}>
  [Application Data]<--->  [Application Data]
 
   Figure 3: Message Flow for Resumption and PSK


Corrected Text
--
 Figure 3 shows a pair of handshakes in which the first handshake
   establishes a PSK and the second handshake uses it:
 
  Client   Server
 
   Initial Handshake:
  ClientHello
  + key_share   >
  ServerHello
  + key_share
{EncryptedExtensions}
{CertificateRequest*}
   {Certificate*}
 {CertificateVerify*}
   {Finished}
< [Application Data*]
  {Certificate*}
  {CertificateVerify*}
  {Finished}>
<  [NewSessionTicket]
  [Application Data]<--->  [Application Data]
 
 
   Subsequent Handshake:
  ClientHello
  + key_share*
  + psk_key_exchange_modes
  + pre_shared_key  >

  ServerHello
 + pre_shared_key
 + key_share*
{EncryptedExtensions}
   {Finished}
< [Application Data*]
  {Finished}>
  [Application Data]<--->  [Application Data]
 
   Figure 3: Message Flow for Resumption and PSK


Notes
-
The pre_shared_key requires the pre_share_key extension.

This Issue and PR should address this erratum:
https://github.com/tlswg/tls13-spec/issues/1344
https://github.com/tlswg/tls13-spec/pull/1345


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6204)

2024-03-28 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6204

--
Status: Held for Document Update
Type: Editorial

Reported by: Chris Wood 
Date Reported: 2020-06-03
Held by: Paul Wouters (IESG)

Section: E.1

Original Text
-
Implementations MUST NOT combine external PSKs with certificate-based 
authentication of either the client or the server unless negotiated by some 
extension.

Corrected Text
--
Implementations MUST NOT combine external PSKs with certificate-based 
authentication of either client or the server. Future specifications MAY 
provide an extension to permit this. 

Notes
-
The existing text can be misread as permitting this combination upon 
negotiation of the "post_handshake_auth" extension, which would be incorrect. 
[1] describes an attack that can occur based on this misinterpretation. The 
proposed text aims to make clear that a *new* extension is required for this 
combination. 

Paul Wouters(AD): See 
https://mailarchive.ietf.org/arch/msg/tls/uDjERicvcTimiecyhiSrYA0H1Sc/
[1] https://link.springer.com/article/10.1007%2Fs11416-020-00352-0

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6139)

2024-03-28 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6139

--
Status: Verified
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Verified by: Paul Wouters (IESG)

Section: 4.4.2.2.

Original Text
-
As servers MAY require the presence of the "server_name" extension, clients
SHOULD send this extension, when applicable.

Corrected Text
--
As servers MAY require the presence of the "server_name" extension, client
SHOULD send this extension.

Notes
-
Since it is unclear when it is applicable for a server to send the extension, 
dropping "when applicable"
seems appropriate. Alternatively, giving some extra guidance would be useful.

Paul Wouters(AD): Resolved with alternative Corrected Text:

As servers MAY require the presence of the "server_name" extension, clients 
SHOULD send this extension when the server is identified by name.


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (7250)

2024-03-28 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7250

--
Status: Verified
Type: Technical

Reported by: Alan DeKok 
Date Reported: 2022-11-14
Verified by: Paul Wouters (IESG)

Section: 4.6.1

Original Text
-
   The client MAY use this PSK for future handshakes by including the
   ticket value in the "pre_shared_key" extension in its ClientHello
   (Section 4.2.11).

Corrected Text
--
(to add)

  Where the client does not support session tickets, this extension MUST be 
ignored.

Notes
-
I've seen a TLS implementation which doesn't implement session tickets.  That's 
fine, but the implementation doesn't *ignore* session tickets it receives.  
Instead, it treats reception of the ticket as un recoverable error, and drops 
the TLS connection.

It's also worth adding a note to section 4.2 at the bottom of page 38.  To note 
that in general, f an extension isn't supported AND doesn't materially affect 
the TLS exchange, THEN it should be ignored.

i.e. there's nothing in the spec which mentions Postel's law "be conservative 
in what you send, be liberal in what you accept".  So implementors reading this 
document are free to do all kinds of odd things.

In addition, the text in Section 4.2 at the bottom of page 38 says:

"
  Designers
  and implementors should be aware of the fact that until the
  handshake has been authenticated, active attackers can modify
  messages and insert, remove, or replace extensions.
"

The implicit conclusion here is that an implementation receiving extensions 
must sanity check them.  e.g. an attacker adding an undefined / unknown 
extension should not cause the entire session to be torn down.

Paul Wouters(AD): Resolved but with the Corrected Text:

The client MAY use this PSK for future handshakes by including the ticket value 
in the "pre_shared_key" extension in its ClientHello (Section 4.2.11). Clients 
which receive a NewSessionTicket message but do not support resumption MUST 
silently ignore this message.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (7303)

2024-03-28 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7303

--
Status: Verified
Type: Technical

Reported by: Eric Lawrence 
Date Reported: 2023-01-12
Verified by: Paul Wouters (IESG)

Section: 6.1

Original Text
-
This alert notifies the recipient that the sender will not send any more 
messages on this connection. 

Corrected Text
--
This alert notifies the recipient that the sender will not send any more 
messages on this connection. close_notify alerts should be sent with a severity 
level of WARNING.

Notes
-
Apparently, TLS/1.0 specified these should be set to WARNING, not FATAL, but 
this text got lost somewhere along the way. 
https://github.com/pion/dtls/issues/195

OpenSSL/NSS both send as WARNING, and servers that have tried sending as FATAL 
have encountered compatibility problems with clients which treat FATAL alerts 
differently than WARNING alerts: e.g. 
https://source.chromium.org/chromium/chromium/src/+/main:third_party/boringssl/src/ssl/tls_record.cc;l=591;drc=c0872c02015009bf3dbab0a83c0452d141e8e9cf?q=tls_open_record&ss=chromium%2Fchromium%2Fsrc

Paul Wouters(AD): Resolved but with the following Corrected Text:

close_notify:  This alert notifies the recipient that the sender will not send 
any more messages on this connection.  Any data received after a closure alert 
has been received MUST be ignored. This alert MUST be sent with 
AlertLevel=warning.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6123)

2024-03-28 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6123

--
Status: Verified
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Verified by: Paul Wouters (IESG)

Section: 2

Original Text
-
The handshake protocol allows peers to negotiate a protocol version, select 
cryptographic algorithms, optionally authenticate each other, and establish 
shared secret keying material.

Corrected Text
--


Notes
-
Only client authentication is optional (albeit, server authentication is 
implicit for PSK-only key exchange mode)

Paul Wouters(AD): corrected with the following text:

The handshake protocol allows peers to negotiate a protocol version, select 
cryptographic algorithms, authenticate each other (with client authentication 
being optional), and establish shared secret keying material.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (5483)

2024-03-28 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5483

--
Status: Verified
Type: Technical

Reported by: Patrick Kelsey 
Date Reported: 2018-08-28
Verified by: Paul Wouters (IESG)

Section: 4.2.8.2

Original Text
-
For X25519 and X448, the contents of the public value are the byte
string inputs and outputs of the corresponding functions defined in
[RFC7748]: 32 bytes for X25519 and 56 bytes for X448.

Corrected Text
--
For X25519 and X448, the contents of the public value are the byte
string outputs of the corresponding functions defined in [RFC7748]: 32
bytes for X25519 and 56 bytes for X448.

Notes
-
Per Section 7.4.2 of this RFC and Section 6 of RFC7748, the byte string inputs 
to the corresponding ECDH scalar multiplication function are the private key 
and the u-coordinate of the standard public base point, the former of which of 
course must not be transmitted and the latter of which is a known constant.

Paul Wouters (AD): Resolved but with the following Corrected Text:

For X25519 and X448, the contents of the public value is the K_A or
K_B value described in Section 6 of [RFC7748].  This is 32 bytes for
X25519 and 56 bytes for X448.

>From another perspective, including the byte string inputs in the contents of 
>the public value would contradict the resulting content sizes given at the end 
>of the cited paragraph as well as the statement in Section 7.4.2 that the 
>public key put into the KeyShareEntry is the output of ECDH scalar 
>multiplication function.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6401)

2024-03-28 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6401

--
Status: Held for Document Update
Type: Technical

Reported by: Eric Covener 
Date Reported: 2021-01-20
Held by: Paul Wouters (IESG)

Section: 4.6.2

Original Text
-
When the client has sent the "post_handshake_auth" extension (see
Section 4.2.6), a server MAY request client authentication at any
time after the handshake has completed by sending a
CertificateRequest message.  

Corrected Text
--
When the client has sent the "post_handshake_auth" extension (see
Section 4.2.6), a server MAY request client authentication during the 
main handshake and/or at any time after the handshake has completed by 
sending a CertificateRequest message.  



Notes
-
4.6.2 is ambiguous as to whether it forbids "main handshake" (mid-handshake) 
client 
authentication when the client has sent  the "post_handshake_auth" extension. I 
think 
the language would be stronger if it were really forbidden, and openssl 
s_server permits 
this behavior and rfc8740 implies it as well.

The "main handshake" language is adopted from 4.3.2 but "main" could be dropped 
as 
"handshake" is not ambiguous in 1.3 due to no renegotiation.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC5246 (6244)

2024-03-20 Thread RFC Errata System
The following errata report has been held for document update 
for RFC5246, "The Transport Layer Security (TLS) Protocol Version 1.2". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6244

--
Status: Held for Document Update
Type: Editorial

Reported by: Victor S. Osipov 
Date Reported: 2020-07-29
Held by: Paul Wouters (IESG)

Section: 6.2.3.2

Original Text
-
IV
The Initialization Vector (IV) SHOULD be chosen at random, and
MUST be unpredictable. Note that in versions of TLS prior to 1.1,
there was no IV field, and the last ciphertext block of the
previous record (the "CBC residue") was used as the IV. This was
changed to prevent the attacks described in [CBCATT]. For block
ciphers, the IV length is of length
SecurityParameters.record_iv_length, which is equal to the
SecurityParameters.block_size.

Corrected Text
--
IV
The Initialization Vector (IV) SHOULD be chosen at random, and
MUST be unpredictable. Note that in versions of TLS prior to 1.1,
there was no IV field, and the last ciphertext block of the
previous record (the "CBC residue") was used as the IV. This was
changed to prevent the attacks described in [CBCATT]. For block
ciphers, the IV length is of length
SecurityParameters.record_iv_length, which is equal to the
SecurityParameters.block_length.

Notes
-
This is an error here. The structure SecurityParameters hasn't the element 
block_size.
It has the element block_length.
See in section 6.1:
struct {
ConnectionEnd entity;
PRFAlgorithm prf_algorithm;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
uint8 enc_key_length;
uint8 block_length;
uint8 fixed_iv_length;
uint8 record_iv_length;
MACAlgorithm mac_algorithm;
uint8 mac_length;
uint8 mac_key_length;
CompressionMethod compression_algorithm;
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
} SecurityParameters;


Paul Wouters (AD): Note this RFC is obsoleted and all of this text already got 
removed

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Rejected] RFC5246 (6572)

2024-03-20 Thread RFC Errata System
The following errata report has been rejected for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6572

--
Status: Rejected
Type: Technical

Reported by: Johannes Görlich 
Date Reported: 2021-05-05
Rejected by: Paul Wouters (IESG)

Section: 9

Original Text
-
In the absence of an application profile standard specifying otherwise, a 
TLS-compliant application MUST implement the cipher suite 
TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the definition).

Corrected Text
--
In the absence of an application profile standard specifying otherwise, a 
TLS-compliant application MUST implement the cipher suite 
TLS_RSA_WITH_AES_128_GCM_SHA256 (see Appendix A.5 for the definition).

Notes
-
A must-be-implement cipher suite should not relay on a bulk encryption 
algorithm which is vulnerable to plain-text attacks or on a secure hash 
algorithm which has been proven to be insecure.
 --VERIFIER NOTES-- 
errata is not the right process for a change such as proposed.
See also: https://mailarchive.ietf.org/arch/msg/tls/2mKIkvRoQNMEMkT04JAqBifEJSo/

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Rejected] RFC7301 (5176)

2024-03-20 Thread RFC Errata System
The following errata report has been rejected for RFC7301,
"Transport Layer Security (TLS) Application-Layer Protocol Negotiation 
Extension".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5176

--
Status: Rejected
Type: Technical

Reported by: Ilya Grigorik 
Date Reported: 2017-11-02
Rejected by: Paul Wouters (IESG)

Section: 6

Original Text
-
IANA Considerations

Corrected Text
--
+Protocol:  HTTP/1.0
+Protocol:  HTTP/0.9

Notes
-
RFC does not register ALPN identifiers for http/0.9 or http/1.0.
 --VERIFIER NOTES-- 
Errata is not the method for modifying requests to IANA 

See also: https://mailarchive.ietf.org/arch/msg/tls/j_A2WszoHniWzD609Cal5lFslxw/

--
RFC7301 (draft-ietf-tls-applayerprotoneg-05)
--
Title   : Transport Layer Security (TLS) Application-Layer Protocol 
Negotiation Extension
Publication Date: July 2014
Author(s)   : S. Friedl, A. Popov, A. Langley, E. Stephan
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC7919 (7579)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC7919,
"Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport 
Layer Security (TLS)". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7579

--
Status: Verified
Type: Technical

Reported by: Tim Geiser 
Date Reported: 2023-07-31
Verified by: Paul Wouters (IESG)

Section: Appendix A

Original Text
-
The primes in these finite field groups are all safe primes; that is,
a prime p is a safe prime when q = (p-1)/2 is also prime.  Where e is
the base of the natural logarithm and square brackets denote the
floor operation, the groups that initially populate this registry are
derived for a given bit length b by finding the lowest positive
integer X that creates a safe prime p where:

 p = 2^b - 2^{b-64} + {[2^{b-130} e] + X } * 2^64 - 1


Corrected Text
--
The primes in these finite field groups are all safe primes; that is,
a prime p is a safe prime when q = (p-1)/2 is also prime.  Where e is
the base of the natural logarithm and square brackets denote the
floor operation, the groups that initially populate this registry are
derived for a given bit length b by finding the lowest positive
integer X that creates a safe prime p where:

 p = 2^b - 2^{b-64} + {[2^{b-130} * e] + X } * 2^64 - 1


Notes
-
The multiplication sign ('*' in ASCII) is missing in the explanatory 
introduction of Appendix A that describes the equation used for deriving the 
primes. It is correct in all five concrete derivations A.1 through A.5

--
RFC7919 (draft-ietf-tls-negotiated-ff-dhe-10)
--
Title   : Negotiated Finite Field Diffie-Hellman Ephemeral 
Parameters for Transport Layer Security (TLS)
Publication Date: August 2016
Author(s)   : D. Gillmor
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6141)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6141

--
Status: Verified
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Verified by: Paul Wouters (IESG)

Section: 4.4.3

Original Text
-
   -  The context string

Corrected Text
--
   -  The context string (defined below)

Notes
-


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6122)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6122

--
Status: Verified
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Verified by: Paul Wouters (IESG)

Section: 1.2

Original Text
-
The key derivation functions have been redesigned.

Corrected Text
--
The key derivation function has been redesigned.

Notes
-


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6146)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6146

--
Status: Verified
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Verified by: Paul Wouters (IESG)

Section: 4.2.10.

Original Text
-
The TLS version number

Corrected Text
--
The selected TLS version number

Notes
-


--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (6142)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6142

--
Status: Verified
Type: Technical

Reported by: Ben Smyth 
Date Reported: 2020-04-29
Verified by: Paul Wouters (IESG)

Section: 4.6.1.

Original Text
-
Clients MUST NOT cache tickets for longer than 7 days

Corrected Text
--
Clients MUST NOT use tickets for longer than 7 days

Notes
-
"MUST NOT cache" is surely overly zealous and may unnecessarily result in 
non-compliant implementations

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (5868)

2024-03-20 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5868

--
Status: Verified
Type: Technical

Reported by: Hubert Kario 
Date Reported: 2019-10-02
Verified by: Paul Wouters (IESG)

Section: 4.2.3

Original Text
-
   ECDSA algorithms:  Indicates a signature algorithm using ECDSA
  [ECDSA], the corresponding curve as defined in ANSI X9.62 [ECDSA]
  and FIPS 186-4 [DSS], and the corresponding hash algorithm as
  defined in [SHS].  The signature is represented as a DER-encoded
  [X690] ECDSA-Sig-Value structure.

Corrected Text
--
   ECDSA algorithms:  Indicates a signature algorithm using ECDSA
  [ECDSA], the corresponding curve as defined in ANSI X9.62 [ECDSA]
  and FIPS 186-4 [DSS], and the corresponding hash algorithm as
  defined in [SHS].  The signature is represented as a DER-encoded
  [X690] ECDSA-Sig-Value structure as defined in [RFC4492].

Notes
-
There is a possibility for confusion as the ECDSA-Sig-Value has two conflicting 
definitions in authoritative standards. TLS always used the following (see 
RFC4492):

   ECDSA-Sig-Value ::= SEQUENCE {
 r  INTEGER,
 s  INTEGER
   }

but the publicly accessible SECG SEC1 v2.0 (https://www.secg.org/sec1-v2.pdf) 
defines it like this:

ECDSA-Sig-Value ::= SEQUENCE {
 r INTEGER,
 s INTEGER,
 a INTEGER OPTIONAL,
 y CHOICE { b BOOLEAN, f FieldElement } OPTIONAL
}

I think using the RFC5480 in the Corrected Text would be cleaner than RFC4492, 
but the former is not an existing reference, so we would need to update section 
12 also.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6138)

2024-03-20 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6138

--
Status: Held for Document Update
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-28
Held by: Paul Wouters (IESG)

Section: 4.2.10

Original Text
-
   For externally  
   provisioned PSKs, the associated values are those provisioned along 
   with the key.  For PSKs established via a NewSessionTicket message, 
   the associated values are those which were negotiated in the
   connection which established the PSK.  

   ...

   For externally established 
   PSKs, the associated values are those provisioned along with the key.
   For PSKs established via a NewSessionTicket message, the associated  
   values are those negotiated in the connection during which the ticket
   was established. 

Corrected Text
--
   For externally  
   provisioned PSKs, the associated values are those provisioned along 
   with the key.  For PSKs established via a NewSessionTicket message, 
   the associated values are those which were negotiated in the
   connection which established the PSK.  

Notes
-
Drop largely verbatim duplicated text

Paul Wouters (AD):  This got incorporated into the bis document, but not 
exactly as suggested.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6135)

2024-03-20 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6135

--
Status: Held for Document Update
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-28
Held by: Paul Wouters (IESG)

Section: Global

Original Text
-
list, series, set, and vector are seemingly used as synonyms. 

Corrected Text
--
Using list, series, set, xor vector would help at least one reader. 


Notes
-
Additionally, consistent usage is desirable, e.g., page 31 uses "A list of 
extensions" whereas "A set of 
extensions" is used on page 60. Elsewhere inconsistently usage causes 
confusion, e.g., 
Page 48:

   client_shares:  A list of offered KeyShareEntry values in descending
  order of client preference.

   This vector MAY be empty if the client is requesting a

(Replace "vector" with "list", or vice versa.)

Paul Wouters (AD):  This got incorporated into the bis document, but not 
exactly as suggested.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6128)

2024-03-20 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6128

--
Status: Held for Document Update
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Held by: Paul Wouters (IESG)

Section: GLOBAL

Original Text
-
terminate and abort are used interchangeable, but this isn't explained until 
after such use.

In Section 6.2, we have: In the rest of this specification, when the phrases 
"terminate the connection" and "abort the handshake" are used without a 
specific alert it means that the implementation SHOULD send the alert indicated 
by the
descriptions below.  

Corrected Text
--
Perhaps explain terminology earlier. At the very least, in Section 6.2, open 
the above sentence with "Throughout this specification"



Notes
-
 This got incorporated into the bis document, but not exactly as suggested.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6125)

2024-03-20 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6125

--
Status: Held for Document Update
Type: Editorial

Reported by: Ben Smyth 
Date Reported: 2020-04-24
Held by: Paul Wouters (IESG)

Section: GLOBAL

Original Text
-
PSKs are referred to as out-of-band and external

Corrected Text
--
Referring to PSKs as either out-of-band xor external would help at least one 
reader

Notes
-
 This got incorporated into the bis document, but not exactly as suggested.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC6176 (5536)

2024-03-18 Thread RFC Errata System
The following errata report has been verified for RFC6176,
"Prohibiting Secure Sockets Layer (SSL) Version 2.0". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5536

--
Status: Verified
Type: Technical

Reported by: Eugene Adell 
Date Reported: 2018-10-19
Verified by: Paul Wouters (IESG)

Section: 1

Original Text
-
   RFC 4346 [TLS1.1], and later RFC 5246 [TLS1.2], explicitly warned
   implementers that the "ability to send version 2.0 CLIENT-HELLO
   messages will be phased out with all due haste".  This document
   accomplishes this by updating the backward compatibility sections
   found in TLS [TLS1.0][TLS1.1][TLS1.2].

Corrected Text
--
   RFC 2246 [TLS1.0], and later RFC 4346 [TLS1.1], then RFC 5246
   [TLS1.2] explicitly warned implementers that the "ability to send
   version 2.0 CLIENT-HELLO messages will be phased out with all due
   haste". This document accomplishes this by updating the backward
   compatibility sections found in TLS [TLS1.0][TLS1.1][TLS1.2].

Notes
-
The warning on the version 2.0 Client Hello is as old as the first TLS version 
(RFC 2246 Appendix E). That's what the authors meant and wanted to highlight by 
listing two of the three RFCs containing this warning. This is confirmed by 
their last sentence. It looks like a small mistake without concrete effects, I 
push this errata considering "IESG Processing of RFC Errata for the IETF Stream 
rule 6"

--
RFC6176 (draft-ietf-tls-ssl2-must-not-04)
--
Title   : Prohibiting Secure Sockets Layer (SSL) Version 2.0
Publication Date: March 2011
Author(s)   : S. Turner, T. Polk
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Rejected] RFC5246 (5036)

2024-03-17 Thread RFC Errata System
The following errata report has been rejected for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5036

--
Status: Rejected
Type: Technical

Reported by: Stefan Goeman 
Date Reported: 2017-06-09
Rejected by: Paul Wouters (IESG)

Section: 7.4.1.2

Original Text
-
The ClientHello Structure indicates that a SessionID could be present.
However if I take a wireshark of a TLS session I always see a "Session 
ID Length" field, either with value 0 or value 32

Corrected Text
--
In the ClientHello structure and ServerHello structure, include 
a 1 byte "Session ID Length" field.

Notes
-
The ClientHello Structure indicates that a SessionID could be present.
However if I take a wireshark of a TLS session I always see a 
"Session ID Length" field, either with value 0 or value 32.
 --VERIFIER NOTES-- 
This erratum is incorrect.

Here is the definition of SessionID:
  opaque SessionID<0..32>;

The angle brackets mean that it is variable length and the 0..32 means that 
there is
a one-byte length field.

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC7905 (5251)

2024-03-17 Thread RFC Errata System
The following errata report has been held for document update 
for RFC7905, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security 
(TLS)". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5251

--
Status: Held for Document Update
Type: Technical

Reported by: Xavier Bonnetain 
Date Reported: 2018-02-01
Held by: Paul Wouters (IESG)

Section: 4. Security

Original Text
-
   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^107), where n is the maximum length of the
   input to Poly1305.  In the case of (D)TLS, this means a maximum
   forgery probability of about 1 in 2^93.

Corrected Text
--
   Poly1305 is designed to ensure that forged messages are rejected with
   a probability of 1-(n/2^106), where n is the maximum length of the
   input to Poly1305.  In the case of (D)TLS, this means a maximum
   forgery probability of about 1 in 2^92.

Notes
-
The security claimed on poly1305 is slightly beyond what was proven by the 
designer (see https://cr.yp.to/mac/poly1305-20050329.pdf), and the trivial 
forgery attempt with a message of length 1 succeeds with probability 2^{-106}.

Paul Wouters(AD): See 
https://mailarchive.ietf.org/arch/msg/tls/dBMIsLsaA7XevXpd9hzJ6skMqE4/

--
RFC7905 (draft-ietf-tls-chacha20-poly1305-04)
--
Title   : ChaCha20-Poly1305 Cipher Suites for Transport Layer 
Security (TLS)
Publication Date: June 2016
Author(s)   : A. Langley, W. Chang, N. Mavrogiannopoulos, J. 
Strombergson, S. Josefsson
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8996 (7796)

2024-02-05 Thread RFC Errata System
The following errata report has been verified for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7796

--
Status: Verified
Type: Editorial

Reported by: Gaëtan Leurent 
Date Reported: 2024-02-03
Verified by: RFC Editor  

Section: 10.2

Original Text
-
[Bhargavan2016] Bhargavan, K. and G. Leuren,

Corrected Text
--
[Bhargavan2016] Bhargavan, K. and G. Leurent,

Notes
-
The last name "Leurent" is misspelt is the references.

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8996 (7796)

2024-02-03 Thread RFC Errata System
The following errata report has been submitted for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7796

--
Type: Editorial
Reported by: Gaëtan Leurent 

Section: 10.2

Original Text
-
[Bhargavan2016] Bhargavan, K. and G. Leuren,

Corrected Text
--
[Bhargavan2016] Bhargavan, K. and G. Leurent,

Notes
-
The last name "Leurent" is misspelt is the references.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8446 (7774)

2024-01-22 Thread RFC Errata System
The following errata report has been verified for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7774

--
Status: Verified
Type: Editorial

Reported by: Rebecca VanRheenen 
Date Reported: 2024-01-22
Verified by: RFC Editor  

Section: 4.1.3

Original Text
-
ServerHello.Random

Corrected Text
--
ServerHello.random

Notes
-
Lowercase "random".

This report was created/verified per Paul Wouter's note at 
https://www.rfc-editor.org/errata/eid7769.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8446 (7774)

2024-01-22 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7774

--
Type: Editorial
Reported by: Rebecca VanRheenen 

Section: 4.1.3

Original Text
-
ServerHello.Random

Corrected Text
--
ServerHello.random

Notes
-
Lowercase "random".

This report was created per https://www.rfc-editor.org/errata/eid7769.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC7919 (4908)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update 
for RFC7919, "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for 
Transport Layer Security (TLS)". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid4908

--
Status: Held for Document Update
Type: Technical

Reported by: Martin Thomson 
Date Reported: 2017-01-16
Held by: Paul Wouters (IESG)

Section: 4

Original Text
-
   If a compatible TLS server receives a Supported Groups extension from
   a client that includes any FFDHE group (i.e., any codepoint between
   256 and 511, inclusive, even if unknown to the server), and if none
   of the client-proposed FFDHE groups are known and acceptable to the
   server, then the server MUST NOT select an FFDHE cipher suite.  In
   this case, the server SHOULD select an acceptable non-FFDHE cipher
   suite from the client's offered list.  If the extension is present
   with FFDHE groups, none of the client's offered groups are acceptable
   by the server, and none of the client's proposed non-FFDHE cipher
   suites are acceptable to the server, the server MUST end the
   connection with a fatal TLS alert of type insufficient_security(71).

Corrected Text
--
   If a compatible TLS server receives a Supported Groups extension from
   a client that includes any FFDHE group (i.e., any codepoint between
   256 and 511, inclusive, even if unknown to the server), and if none
   of the client-proposed FFDHE groups are known and acceptable to the
   server, then the server MUST NOT select an FFDHE cipher suite.  In
   this case, the server SHOULD select an acceptable non-FFDHE cipher
   suite from the client's offered list.

Notes
-
The text is overly prescriptive about the alert code that needs to used if 
there are no acceptable cipher suites available.  If the server is unable to 
pick a cipher suite, it can send a handshake_failure(40) alert, which this text 
would prohibit.  handshake_failure is at least equally valid in practice.

This eliminates the prescriptive text about the alert type.

Servers eliminate cipher suites from considerations in numerous ways.  Being 
able to definitively identify the reason as a (perceived) shortcoming in the 
strength of the offered security is actually quite challenging in practice.

It's true that insufficient_security is perhaps a more desirable code to use in 
this case, but it's not generically possible to determine that the server 
configuration is "more secure" than the combinations on offer by the client.  
Consider also the possibility that it's the server that is insecure because it 
doesn't some of the options offered by the client.  That's a general criticism 
of the value of insufficient_security, but it should at least motivate why 
insufficient_security should never be mandated in this way.

Paul Wouters(AD): After discussion with Martin, we propose that the correction 
required is only the removal of "of type insufficient_security(71).".

As Martin explains: 

Having a MUST on this is not appropriate in that sense.  What would be 
acceptable is:

   [...] the server terminates the connection according to Section 4.1.1 of 
[RFC8446].

Of course, that would depend on time travel in the sense that RFC 7919 
pre-dates TLS 1.3 by a fair bit and so it can't really refer to it like that.


--
RFC7919 (draft-ietf-tls-negotiated-ff-dhe-10)
--
Title   : Negotiated Finite Field Diffie-Hellman Ephemeral 
Parameters for Transport Layer Security (TLS)
Publication Date: August 2016
Author(s)   : D. Gillmor
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (5682)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5682

--
Status: Held for Document Update
Type: Technical

Reported by: Richard Barnes 
Date Reported: 2019-04-01
Held by: Paul Wouters (IESG)

Section: 4.3.2, B.3.2

Original Text
-
--- rfc8446.txt 2018-08-10 20:12:08.0 -0400
+++ rfc8446.erratum.txt 2019-04-01 15:44:54.0 -0400
@@ -3341,7 +3341,7 @@
 
   struct {
   opaque certificate_request_context<0..2^8-1>;
-  Extension extensions<2..2^16-1>;
+  Extension extensions<0..2^16-1>;
   } CertificateRequest;
 
 
@@ -7309,7 +7309,7 @@
 
   struct {
   opaque certificate_request_context<0..2^8-1>;
-  Extension extensions<2..2^16-1>;
+  Extension extensions<0..2^16-1>;
   } CertificateRequest;
 
 


Corrected Text
--
--- rfc8446.txt 2018-08-10 20:12:08.0 -0400
+++ rfc8446.erratum.txt 2019-04-01 15:44:54.0 -0400
@@ -3341,7 +3341,7 @@
 
   struct {
   opaque certificate_request_context<0..2^8-1>;
-  Extension extensions<2..2^16-1>;
+  Extension extensions<0..2^16-1>;
   } CertificateRequest;
 
 
@@ -7309,7 +7309,7 @@
 
   struct {
   opaque certificate_request_context<0..2^8-1>;
-  Extension extensions<2..2^16-1>;
+  Extension extensions<0..2^16-1>;
   } CertificateRequest;
 
 


Notes
-
The length of this vector can never 2.  It is either 0, if the vector is empty, 
or >=4, if the vector has at least one extension.  Nothing elsewhere in the 
spec requires a non-zero number of extensions here, so this syntax should allow 
a zero-length vector.

Paul Wouters (AD): Richard meant the diff to be the fix, not the 
original/corrected text. The diff is not in the RFC itself. There are two 
places in the mentioned sections that need this one liner fix.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8422 (5468)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8422, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport 
Layer Security (TLS) Versions 1.2 and Earlier". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5468

--
Status: Held for Document Update
Type: Editorial

Reported by: Masato Gosui 
Date Reported: 2018-08-17
Held by: Paul Wouters (IESG)

Section: 5.4

Original Text
-
   namedCurve: Specifies a recommended set of elliptic curve domain

Corrected Text
--
   namedcurve: Specifies a recommended set of elliptic curve domain

Notes
-
This fixes mismatched names of the variable "namedcurve" in the "Structure of 
this message" paragraph.

--
RFC8422 (draft-ietf-tls-rfc4492bis-17)
--
Title   : Elliptic Curve Cryptography (ECC) Cipher Suites for 
Transport Layer Security (TLS) Versions 1.2 and Earlier
Publication Date: August 2018
Author(s)   : Y. Nir, S. Josefsson, M. Pegourie-Gonnard
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC8996 (7103)

2024-01-16 Thread RFC Errata System
The following errata report has been verified for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7103

--
Status: Verified
Type: Editorial

Reported by: Martin Thomson 
Date Reported: 2022-08-24
Verified by: Paul Wouters (IESG)

Section: GLOBAL

Original Text
-
https://www.rfc-editor.org/rfc/rfc%E2%80%8B%204162";
class="eref">​ 4162

Corrected Text
--
https://www.rfc-editor.org/rfc/rfc4162";
class="eref">​4162

Notes
-
(Note: the line wrapping here is mine; the errata tool assumes that this is 
text, so it won't accept long lines.)

The text for this specification is OK, but the HTML rendering has some 
hard-to-notice errors in the "Updates" field in the metadata block that is 
being caused by errors in the XML source.

The XML source includes a number of Unicode zero width space characters 
(U+200B) after commas in the rfc@updates attribute.  xml2rfc is unable to 
handle these characters correctly, treating them - and the space that follows - 
as part of the RFC number.  It generates the bad link as you see above.

This can be addressed in xml2rfc, maybe, but this is probably not XML we want 
to permit.

Paul Wouters (AD): Verified, as this RFC won't get any updates.

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8996 (7769)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8996, "Deprecating TLS 1.0 and TLS 1.1". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7769

--
Status: Held for Document Update
Type: Editorial

Reported by: Martin Thomson 
Date Reported: 2021-03-23
Held by: Paul Wouters (IESG)

Section: 1.1

Original Text
-
ServerHello.Random

Corrected Text
--
ServerHello.random 

Notes
-
Very pedantic, but RFC 8446 uses all lowercase for "random" to match the 
grammar.

Paul Wouters (AD): RFC 8446 itself actually also has this problem once in 
Section 4.1.3

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC8446 (6205)

2024-01-16 Thread RFC Errata System
The following errata report has been held for document update 
for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6205

--
Status: Held for Document Update
Type: Editorial

Reported by: Martin Thomson 
Date Reported: 2020-06-04
Held by: Paul Wouters (IESG)

Section: 4.3.2

Original Text
-
   Servers which are authenticating with a PSK MUST NOT send the
   CertificateRequest message in the main handshake, though they MAY
   send it in post-handshake authentication (see Section 4.6.2) provided
   that the client has sent the "post_handshake_auth" extension (see
   Section 4.2.6).

Corrected Text
--
   Servers which are authenticating with a resumption PSK MUST NOT send the
   CertificateRequest message in the main handshake, though they MAY
   send it in post-handshake authentication (see Section 4.6.2) provided
   that the client has sent the "post_handshake_auth" extension (see
   Section 4.2.6).  Servers which are authenticating with an external PSK
   MUST NOT send the CertificateRequest message either in the main handshake
   or request post-handshake authentication. Future specifications MAY
   provide an extension to permit this. 

Notes
-
The lack of qualification on "authenticating with a PSK" implies that the 
statement applies equally to both external and resumption PSKs.  However, there 
are two conditions being governed: whether a certificate can be requested 
during the handshake, and whether a certificate can be requested 
post-handshake.  The latter of these requires different rules depending on the 
type of PSK.

We know from the analysis of resumption (see 
https://mailarchive.ietf.org/arch/msg/tls/TugB5ddJu3nYg7chcyeIyUqWSbA/) that 
combining a PSK handshake of either type with a client certificate is not safe. 
 Thus, the prohibition on CertificateRequest during the handshake applies 
equally to both resumption and external PSKs.

For post-handshake, Appendix E.1 already discusses the risks of combining PSKs 
with certificates, citing the same analysis as above.

   [...]  It is unsafe to use certificate-based client
   authentication when the client might potentially share the same
   PSK/key-id pair with two different endpoints.

For this reason an external PSK is not safe to use with post-handshake 
authentication.  A resumption PSK does not have this property, so the same 
prohibition doesn't apply.

Splitting the requirements as proposed makes this split clearer.

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC5246 (4912)

2024-01-15 Thread RFC Errata System
The following errata report has been verified for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid4912

--
Status: Verified
Type: Technical

Reported by: Nikolai Malykh 
Date Reported: 2017-01-18
Verified by: Paul Wouters (IESG)

Section: A.4.1

Original Text
-
   SignatureAndHashAlgorithm
supported_signature_algorithms<2..2^16-1>;


Corrected Text
--
   SignatureAndHashAlgorithm
supported_signature_algorithms<2..2^16-2>;


Notes
-
Error in last sentence. See errata ID 2865.

Paul Wouters (AD): From errata ID 2865: The supported_signature_algorithms 
field is a variable length array. As such ceiling and floor should be 
specified, and they should be multiple of the base type (which is two bytes 
long in this case). See section 7.4.1.4.1 for a valid definition of this field.
This is already fixed in TLS 1.3 RFC8446

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC5246 (4750)

2024-01-15 Thread RFC Errata System
The following errata report has been verified for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid4750

--
Status: Verified
Type: Technical

Reported by: Adrien de Croy 
Date Reported: 2016-07-27
Verified by: Paul Wouters (IESG)

Section: 4.3 Vectors

Original Text
-
The length of
   an encoded vector must be an even multiple of the length of a single
   element (for example, a 17-byte vector of uint16 would be illegal).

Corrected Text
--
The length of
   an encoded vector must be a whole multiple of the length of a single
   element (for example, a 17-byte vector of uint16 would be illegal).

Notes
-
Original text implies vectors can only contain even (0,2,4,6,8...) numbers of 
elements.  The example does not resolve this but indicates the intent is that 
parts of elements are not allowed. It is clear from other examples that odd 
numbers of elements are permitted.

Paul Wouters (AD): As TLS 1.2 is obsoleted by TLS 1.3, this errata is closed as 
Verified. In TLS 1.3 in RFC 8447 the text states more clearly:  Here, T' 
occupies n bytes in the data stream, where n is a multiple of the size of T. 



--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC5246 (4507)

2024-01-15 Thread RFC Errata System
The following errata report has been verified for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid4507

--
Status: Verified
Type: Technical

Reported by: Benjamin Kaduk 
Date Reported: 2015-10-19
Verified by: Paul Wouters (IESG)

Section: 7.4.1.2

Original Text
-
After sending the ClientHello message, the client waits for a
ServerHello message.  Any handshake message returned by the server,
except for a HelloRequest, is treated as a fatal error.


Corrected Text
--
After sending the ClientHello message, the client waits for a
ServerHello message.  Any other handshake message returned by the
server, except for a HelloRequest, is treated as a fatal error.

Notes
-
A ServerHello received after a ClientHello should not be treated as a fatal 
error.

Paul Wouters (AD): TLS 1.2 has been obsoleted by TLS 1.3 RFC8446. The language 
in that RFC does not contain the same issue (see 
https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2). As such, this is 
marked as Verified.

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC5054 (4546)

2024-01-15 Thread RFC Errata System
The following errata report has been verified for RFC5054,
"Using the Secure Remote Password (SRP) Protocol for TLS Authentication". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid4546

--
Status: Verified
Type: Technical

Reported by: Rick van Rein 
Date Reported: 2015-11-30
Verified by: Paul Wouters (IESG)

Section: 2.6

Original Text
-
B = k*v + g^b % N

Corrected Text
--
B = ( k*v + g^b ) % N

Notes
-
The customary binding is that + has lower priority than % and so the default 
reading of the expression would be 
B = k*v + ( g^b % N )
That is inconsistent with the existence of PAD(B) and the size of B in the test 
vectors, so the context hints at proper brackets, but this may still lead to 
implementation errors (of which I actually ran into an example).

Paul Wouters (AD): This errata is correct, but note that this RFC is applicable 
only for TLS < 1.3. For TLS 1.3, one needs to use a PAKE as replacement, such 
as those defined in RFC8492. As such, this errata is left as Verified as there 
won't be a document update for this document.

--
RFC5054 (draft-ietf-tls-srp-14)
--
Title   : Using the Secure Remote Password (SRP) Protocol for TLS 
Authentication
Publication Date: November 2007
Author(s)   : D. Taylor, T. Wu, N. Mavrogiannopoulos, T. Perrin
Category: INFORMATIONAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Held for Document Update] RFC2712 (5432)

2024-01-12 Thread RFC Errata System
The following errata report has been held for document update 
for RFC2712, "Addition of Kerberos Cipher Suites to Transport Layer Security 
(TLS)". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5432

--
Status: Held for Document Update
Type: Technical

Reported by: Eugene Adell 
Date Reported: 2018-07-20
Held by: Paul Wouters (IESG)

Section: Appendix

Original Text
-


Corrected Text
--
Appendix

   RFC 2712 introduces new cipher suites values, starting with the
   cipher value { 0x00, 0x1E }.
   This cipher value was earlier known as a Fortezza cipher suite,
   and this could lead to a conflict.

Notes
-
Errata 5409 was rejected and I was suggested to post another one at this place.

RFC 2712 (Addition of Kerberos Cipher Suites to Transport Layer Security) in 
its Draft 01 version introduces new cipher suites values, among them three are 
colliding with the Fortezza cipher suites. The Draft 02 version partially 
corrects that, by shifting all of the Kerberos cipher suites values by two.
This omission of the third Fortezza cipher suite has never been corrected, and 
this remains in the same state in the final RFC 2712. As a result, the cipher 
suite value { 0x00, 0x1E } is now officially known as a Kerberos one.

Although not documented themselves by any RFC, the two non conflicting Fortezza 
cipher suites are mentioned in the same note in the TLS protocol RFC (2246, 
4346, 5246). This gives an explanation on how the Kerberos cipher suite values 
were chosen.

--
RFC2712 (draft-ietf-tls-kerb-cipher-suites-04)
--
Title   : Addition of Kerberos Cipher Suites to Transport Layer 
Security (TLS)
Publication Date: October 1999
Author(s)   : A. Medvinsky, M. Hur
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8996 (7739)

2023-12-21 Thread RFC Errata System
The following errata report has been submitted for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7739

--
Type: Editorial
Reported by: mohamed abdurahman hassan 

96

Original Text
-

   application.  The authorization server should take special care when
   enabling this grant type and only allow it when other flows are not
   viable.

   This grant type is suitable for clients capable of obtaining the
   resource owner's credentials (username and password, typically using
   an interactive form).  It is also used to migrate existing clients
   using direct authentication schemes such as HTTP Basic or Digest
   authentication to OAuth by converting the stored credentials to an
   access token.


Corrected Text
--

   application.  The authorization server should take special care when
   enabling this grant type and only allow it when other flows are not
   viable.

   This grant type is suitable for clients capable of obtaining the
   resource owner's credentials (username and password, typically using
   an interactive form).  It is also used to migrate existing clients
   using direct authentication schemes such as HTTP Basic or Digest
   authentication to OAuth by converting the stored credentials to an
   access token.


Notes
-
application.  The authorization server should take special care when
   enabling this grant type and only allow it when other flows are not
   viable.

   This grant type is suitable for clients capable of obtaining the
   resource owner's credentials (username and password, typically using
   an interactive form).  It is also used to migrate existing clients
   using direct authentication schemes such as HTTP Basic or Digest
   authentication to OAuth by converting the stored credentials to an
   access token.

Instructions:
-
This erratum is currently posted as "Reported". (If it is spam, it 
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC5054 (7538)

2023-10-10 Thread RFC Errata System
The following errata report has been verified for RFC5054,
"Using the Secure Remote Password (SRP) Protocol for TLS Authentication". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7538

--
Status: Verified
Type: Technical

Reported by: Mingye Wang 
Date Reported: 2023-06-07
Verified by: Paul Wouters (IESG)

Section: 2.1

Original Text
-
 The version of SRP used here is sometimes referred to as "SRP-6"
   [SRP-6].

Corrected Text
--
 The version of SRP used here is sometimes referred to as "SRP-6a"
   [SRP-6a].


 [SRP-6a]: Wu, T., "SRP Protocol Design", circa 2005, 
http://srp.stanford.edu/design.html

Notes
-
The protocol described uses a non-constant k, which is an innovation of SRP-6a 
-- never published formally in a technical report (until this RFC) and dating 
to ~2005 if we go by the libsrp version history. Actual [SRP-6] of 2002 uses a 
constant k = 3.

Reference to the [SRP-6] text is still valuable for rationale, but is not 
accurate. Confusion between these two versions is harmful and may impeded 
interoperability.

--
RFC5054 (draft-ietf-tls-srp-14)
--
Title   : Using the Secure Remote Password (SRP) Protocol for TLS 
Authentication
Publication Date: November 2007
Author(s)   : D. Taylor, T. Wu, N. Mavrogiannopoulos, T. Perrin
Category: INFORMATIONAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC9257 (7643)

2023-09-17 Thread RFC Errata System
The following errata report has been submitted for RFC9257,
"Guidance for External Pre-Shared Key (PSK) Usage in TLS".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7643

--
Type: Editorial
Reported by: Heikki Vatiainen 

Section: 6.1. Stack Interface

Original Text
-
   *  OpenSSL and BoringSSL: Applications can specify support for
  external PSKs via distinct ciphersuites in TLS 1.2 and below.
  Also, they can then configure callbacks that are invoked for PSK
  selection during the handshake.  These callbacks must provide a
  PSK identity and key.  The exact format of the callback depends on
  the negotiated TLS protocol version, with new callback functions
  added specifically to OpenSSL for TLS 1.3 [RFC8446] PSK support.
  The PSK length is validated to be between 1-256 bytes (inclusive).
  The PSK identity may be up to 128 bytes long.

Corrected Text
--
   *  OpenSSL and BoringSSL: Applications can specify support for
  external PSKs via distinct ciphersuites in TLS 1.2 and below.
  Also, they can then configure callbacks that are invoked for PSK
  selection during the handshake.  These callbacks must provide a
  PSK identity and key.  The exact format of the callback depends on
  the negotiated TLS protocol version, with new callback functions
  added specifically to OpenSSL for TLS 1.3 [RFC8446] PSK support.
  The PSK length is validated to be between 1-256 bytes (inclusive).
  The PSK identity may be up to 128 bytes long. OpenSSL 3.0
  increased PSK maximum length to 512 bytes and PSK identity maximum
  length to 256 bytes to match existing implementations and
  specifications.

Notes
-
OpenSSL PSK length and PSK identity length were increased to 256 and 512 
octets, respectively, for OpenSSL 3.0. There appear to be implementations and 
specifications that require these longer lengths. See here for more information:
https://github.com/openssl/openssl/pull/12777
https://github.com/openssl/openssl/pull/12771

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC9257 (draft-ietf-tls-external-psk-guidance-06)
--
Title   : Guidance for External Pre-Shared Key (PSK) Usage in TLS
Publication Date: July 2022
Author(s)   : R. Housley, J. Hoyland, M. Sethi, C. A. Wood
Category: INFORMATIONAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (7620)

2023-08-28 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7620

--
Type: Technical
Reported by: Ben Smyth 

Section: 6.1

Original Text
-
Each party MUST send a "close_notify" alert before closing its write
side of the connection, unless it has already sent some error alert.
This does not have any effect on its read side of the connection.
Note that this is a change from versions of TLS prior to TLS 1.3 in
which implementations were required to react to a "close_notify" by
discarding pending writes and sending an immediate "close_notify"
alert of their own.  That previous requirement could cause truncation
in the read side.  Both parties need not wait to receive a
"close_notify" alert before closing their read side of the
connection, though doing so would introduce the possibility of
truncation.

Corrected Text
--
Each party MUST send a "close_notify" alert before closing its write
side of the connection, unless it has already sent some error alert.
This SHOULD NOT have any effect on the read side of the sender's connection;
parties SHOULD receive a "close_notify" alert before closing the read side of 
their connection.
Note that this is a change from versions of TLS prior to TLS 1.3 in
which receivers were required to react to a "close_notify" by
discarding pending writes and sending an immediate "close_notify"
alert of their own.  That previous requirement could cause truncation
in the read side.  Both parties need not wait to receive a
"close_notify" alert before closing their read side of the
connection, though doing so would introduce the possibility of
truncation.

Notes
-
As-is there's a specification-level vulnerability: Specification-compliant 
implementations may be vulnerable to truncation attacks.

I suggest using SHOULD NOT & SHOULD for better signposting and to avoid 
specification-level vulnerability.

I also suggest minor tweaks for readability.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8773 (7598)

2023-08-11 Thread RFC Errata System
The following errata report has been submitted for RFC8773,
"TLS 1.3 Extension for Certificate-Based Authentication with an External 
Pre-Shared Key".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7598

--
Type: Editorial
Reported by: Russ Housley 

Section: 5.1

Original Text
-
When the "psk_key_exchange_modes" extension is included in the
ServerHello message, servers MUST select the psk_dhe_ke mode
for the initial handshake.

Corrected Text
--
When the "psk_key_exchange_modes" extension is included in the
ClientHello message, servers MUST select the psk_dhe_ke mode
for the initial handshake.

Notes
-
According to RFC 8446, the "psk_key_exchange_modes" extension only appears in 
the ClientHello message. Further, the slides presented on this topic at IETF 
101show the "psk_key_exchange_modes" extension in the ClientHello message and 
no other place.  It is pretty clear that this is an editorial error.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8773 (draft-ietf-tls-tls13-cert-with-extern-psk-07)
--
Title   : TLS 1.3 Extension for Certificate-Based Authentication 
with an External Pre-Shared Key
Publication Date: March 2020
Author(s)   : R. Housley
Category: EXPERIMENTAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC7919 (7579)

2023-07-31 Thread RFC Errata System
The following errata report has been submitted for RFC7919,
"Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport 
Layer Security (TLS)".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7579

--
Type: Editorial
Reported by: Tim Geiser 

Section: Appendix A

Original Text
-
The primes in these finite field groups are all safe primes; that is,
a prime p is a safe prime when q = (p-1)/2 is also prime.  Where e is
the base of the natural logarithm and square brackets denote the
floor operation, the groups that initially populate this registry are
derived for a given bit length b by finding the lowest positive
integer X that creates a safe prime p where:

 p = 2^b - 2^{b-64} + {[2^{b-130} e] + X } * 2^64 - 1


Corrected Text
--
The primes in these finite field groups are all safe primes; that is,
a prime p is a safe prime when q = (p-1)/2 is also prime.  Where e is
the base of the natural logarithm and square brackets denote the
floor operation, the groups that initially populate this registry are
derived for a given bit length b by finding the lowest positive
integer X that creates a safe prime p where:

 p = 2^b - 2^{b-64} + {[2^{b-130} * e] + X } * 2^64 - 1


Notes
-
The multiplication sign ('*' in ASCII) is missing in the explanatory 
introduction of Appendix A that describes the equation used for deriving the 
primes. It is correct in all five concrete derivations A.1 through A.5

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC7919 (draft-ietf-tls-negotiated-ff-dhe-10)
--
Title   : Negotiated Finite Field Diffie-Hellman Ephemeral 
Parameters for Transport Layer Security (TLS)
Publication Date: August 2016
Author(s)   : D. Gillmor
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC5054 (7538)

2023-06-06 Thread RFC Errata System
The following errata report has been submitted for RFC5054,
"Using the Secure Remote Password (SRP) Protocol for TLS Authentication".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7538

--
Type: Editorial
Reported by: Mingye Wang 

Section: 2.1

Original Text
-
 The version of SRP used here is sometimes referred to as "SRP-6"
   [SRP-6].

Corrected Text
--
 The version of SRP used here is sometimes referred to as "SRP-6a"
   [SRP-6a].


 [SRP-6a]: Wu, T., "SRP Protocol Design", circa 2005, 
http://srp.stanford.edu/design.html

Notes
-
The protocol described uses a non-constant k, which is an innovation of SRP-6a 
-- never published formally in a technical report (until this RFC) and dating 
to ~2005 if we go by the libsrp version history. Actual [SRP-6] of 2002 uses a 
constant k = 3.

Reference to the [SRP-6] text is still valuable for rationale, but is not 
accurate. Confusion between these two versions is harmful and may impeded 
interoperability.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC5054 (draft-ietf-tls-srp-14)
--
Title   : Using the Secure Remote Password (SRP) Protocol for TLS 
Authentication
Publication Date: November 2007
Author(s)   : D. Taylor, T. Wu, N. Mavrogiannopoulos, T. Perrin
Category: INFORMATIONAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC7465 (7476)

2023-04-28 Thread RFC Errata System
The following errata report has been submitted for RFC7465,
"Prohibiting RC4 Cipher Suites".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7476

--
Type: Technical
Reported by: Rajeev Kumar Surroach 

Section: 7465

Original Text
-
7465

Corrected Text
--
7465

Notes
-
Solve the issue

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC7465 (draft-ietf-tls-prohibiting-rc4-01)
--
Title   : Prohibiting RC4 Cipher Suites
Publication Date: February 2015
Author(s)   : A. Popov
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (7303)

2023-01-12 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7303

--
Type: Technical
Reported by: Eric Lawrence 

Section: 6.1

Original Text
-
This alert notifies the recipient that the sender will not send any more 
messages on this connection. 

Corrected Text
--
This alert notifies the recipient that the sender will not send any more 
messages on this connection. close_notify alerts should be sent with a severity 
level of WARNING.

Notes
-
Apparently, TLS/1.0 specified these should be set to WARNING, not FATAL, but 
this text got lost somewhere along the way. 
https://github.com/pion/dtls/issues/195

OpenSSL/NSS both send as WARNING, and servers that have tried sending as FATAL 
have encountered compatibility problems with clients which treat FATAL alerts 
differently than WARNING alerts: e.g. 
https://source.chromium.org/chromium/chromium/src/+/main:third_party/boringssl/src/ssl/tls_record.cc;l=591;drc=c0872c02015009bf3dbab0a83c0452d141e8e9cf?q=tls_open_record&ss=chromium%2Fchromium%2Fsrc

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (7250)

2022-11-14 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7250

--
Type: Technical
Reported by: Alan DeKok 

Section: 4.6.1

Original Text
-
   The client MAY use this PSK for future handshakes by including the
   ticket value in the "pre_shared_key" extension in its ClientHello
   (Section 4.2.11).

Corrected Text
--
(to add)

  Where the client does not support session tickets, this extension MUST be 
ignored.

Notes
-
I've seen a TLS implementation which doesn't implement session tickets.  That's 
fine, but the implementation doesn't *ignore* session tickets it receives.  
Instead, it treats reception of the ticket as un recoverable error, and drops 
the TLS connection.

It's also worth adding a note to section 4.2 at the bottom of page 38.  To note 
that in general, f an extension isn't supported AND doesn't materially affect 
the TLS exchange, THEN it should be ignored.

i.e. there's nothing in the spec which mentions Postel's law "be conservative 
in what you send, be liberal in what you accept".  So implementors reading this 
document are free to do all kinds of odd things.

In addition, the text in Section 4.2 at the bottom of page 38 says:

"
  Designers
  and implementors should be aware of the fact that until the
  handshake has been authenticated, active attackers can modify
  messages and insert, remove, or replace extensions.
"

The implicit conclusion here is that an implementation receiving extensions 
must sanity check them.  e.g. an attacker adding an undefined / unknown 
extension should not cause the entire session to be torn down.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8996 (7103)

2022-08-23 Thread RFC Errata System
The following errata report has been submitted for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7103

--
Type: Editorial
Reported by: Martin Thomson 

Section: GLOBAL

Original Text
-
https://www.rfc-editor.org/rfc/rfc%E2%80%8B%204162";
class="eref">​ 4162

Corrected Text
--
https://www.rfc-editor.org/rfc/rfc4162";
class="eref">​4162

Notes
-
(Note: the line wrapping here is mine; the errata tool assumes that this is 
text, so it won't accept long lines.)

The text for this specification is OK, but the HTML rendering has some 
hard-to-notice errors in the "Updates" field in the metadata block that is 
being caused by errors in the XML source.

The XML source includes a number of Unicode zero width space characters 
(U+200B) after commas in the rfc@updates attribute.  xml2rfc is unable to 
handle these characters correctly, treating them - and the space that follows - 
as part of the RFC number.  It generates the bad link as you see above.

This can be addressed in xml2rfc, maybe, but this is probably not XML we want 
to permit.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (7073)

2022-08-06 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7073

--
Type: Technical
Reported by: Ben Smyth 

Section: 4.4

Original Text
-
These messages are encrypted under keys derived from the 
[sender]_handshake_traffic_secret.

Corrected Text
--
These messages are encrypted under keys derived from the 
[sender]_handshake_traffic_secret, except for post-handshake authentication

Notes
-
There's an exception

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (7003)

2022-06-22 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid7003

--
Type: Technical
Reported by: Ben Smyth 

Section: 4.6.1.

Original Text
-
At any time after the server has received the client Finished message, it MAY 
send a NewSessionTicket message.

Corrected Text
--
At any time after the server has received both a "psk_key_exchange_modes" 
extension and a Finished message, it MAY send a NewSessionTicket message.



Notes
-
Section 4.2.9. demands 

In order to use PSKs, clients MUST also send a "psk_key_exchange_modes" 
extension.

Hence, an additional restriction is needed in Section 4.6.1.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC7507 (6912)

2022-04-01 Thread RFC Errata System
The following errata report has been submitted for RFC7507,
"TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol 
Downgrade Attacks".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6912

--
Type: Technical
Reported by: Jesus Alvarado 

Section: 7507

Original Text
-
RFC7507]  Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
   Suite Value (SCSV) for Preventing Protocol Downgrade
   Attacks", RFC 7507, April 2015.
It should say:

[RFC7507]  Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
   Suite Value (SCSV) for Preventing Protocol Downgrade
   Attacks", RFC 7507, April 2015,
   .


Corrected Text
--
7.2

Original Text:

[RFC7507]  Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
   Suite Value (SCSV) for Preventing Protocol Downgrade
   Attacks", RFC 7507, April 2015.

Corrected Text:

[RFC7507]  Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
   Suite Value (SCSV) for Preventing Protocol Downgrade
   Attacks", RFC 7507, April 2015,
   .

Notes:

The original text lacks the link to the RFC7507 information page.

Notes
-
On this text the person he pushed something through with 128 bit encryption for 
each federal office that I had 2 out of three approved on the senators 
transfers and everyone that put in for payment never where full approved and 
people did have to stop and come talk in person.
Jesus Alvarado 1(541)3995030

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC7507 (draft-ietf-tls-downgrade-scsv-05)
--
Title   : TLS Fallback Signaling Cipher Suite Value (SCSV) for 
Preventing Protocol Downgrade Attacks
Publication Date: April 2015
Author(s)   : B. Moeller, A. Langley
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC7507 (6901)

2022-03-29 Thread RFC Errata System
The following errata report has been submitted for RFC7507,
"TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol 
Downgrade Attacks".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6901

--
Type: Technical
Reported by: Jesus Alvarado 

Section: 1507

Original Text
-
Strength and….. a digital number off the field.

Corrected Text
--
Hybrid portal azure hit my stuff like 2012 jul 

Notes
-
I do know the set sober and California fcc airwave was moved to almost a liner 
of gateway and someone trying to hold me on router hybrid portal or company 
portal for office admin.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC7507 (draft-ietf-tls-downgrade-scsv-05)
--
Title   : TLS Fallback Signaling Cipher Suite Value (SCSV) for 
Preventing Protocol Downgrade Attacks
Publication Date: April 2015
Author(s)   : B. Moeller, A. Langley
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Errata Verified] RFC6520 (6825)

2022-01-31 Thread RFC Errata System
The following errata report has been verified for RFC6520,
"Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) 
Heartbeat Extension". 

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6825

--
Status: Verified
Type: Editorial

Reported by: Shawna Fonua 
Date Reported: 2022-01-30
Verified by: RFC Editor  

Section: Overview

Original Text
-
HeartbeartResponse

Corrected Text
--
HeartbeatResponse

Notes
-
There is a typo of an extra 'r' in "HeartbeatReponse"

--
RFC6520 (draft-ietf-tls-dtls-heartbeat-04)
--
Title   : Transport Layer Security (TLS) and Datagram Transport 
Layer Security (DTLS) Heartbeat Extension
Publication Date: February 2012
Author(s)   : R. Seggelmann, M. Tuexen, M. Williams
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC6520 (6825)

2022-01-30 Thread RFC Errata System
The following errata report has been submitted for RFC6520,
"Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) 
Heartbeat Extension".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6825

--
Type: Editorial
Reported by: Shawna Fonua 

Section: Overview

Original Text
-
HeartbeartResponse

Corrected Text
--
HeartbeatResponse

Notes
-
There is a typo of an extra 'r' in "HeartbeatReponse"

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC6520 (draft-ietf-tls-dtls-heartbeat-04)
--
Title   : Transport Layer Security (TLS) and Datagram Transport 
Layer Security (DTLS) Heartbeat Extension
Publication Date: February 2012
Author(s)   : R. Seggelmann, M. Tuexen, M. Williams
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8446 (6820)

2022-01-21 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6820

--
Type: Editorial
Reported by: Leander Schwarz 

Section: 6.2

Original Text
-
unsupported_extension:  Sent by endpoints receiving any handshake
  message containing an extension known to be prohibited for
  inclusion in the given handshake message, or including any
  extensions in a ServerHello or Certificate not first offered in
  the corresponding ClientHello or CertificateRequest. 

Corrected Text
--
unsupported_extension:  Sent by endpoints receiving any handshake
  message containing an extension in a ServerHello or Certificate
  not first offered in the corresponding ClientHello or 
  CertificateRequest.

Notes
-
The definition of the unsupported_extension alert in section 6.2 contradicts 
the statements in section 4.2:

If an implementation receives an extension
which it recognizes and which is not specified for the message in
which it appears, it MUST abort the handshake with an
   "illegal_parameter" alert.

While this might not be inconsistent due to the "abort the handshake with an X 
alert" specification at the beginning of section 6.2, it might lead to 
confusion. (see 
https://mailarchive.ietf.org/arch/msg/tls/hGOGWZRMg718mWqOZ06LwjV9360/).

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC2246 (6680)

2021-09-08 Thread RFC Errata System
The following errata report has been submitted for RFC2246,
"The TLS Protocol Version 1.0".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6680

--
Type: Editorial
Reported by: TH3D3V1L5 

Section: 2119

Original Text
-
TH3D3V1L5

Corrected Text
--
d6d6d6/md5.ul.9001.iso.rtf

Notes
-
X@-^irsa

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC2246 (no draft string recorded)
--
Title   : The TLS Protocol Version 1.0
Publication Date: January 1999
Author(s)   : T. Dierks, C. Allen
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC5246 (6572)

2021-05-05 Thread RFC Errata System
The following errata report has been submitted for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6572

--
Type: Technical
Reported by: Johannes Görlich 

Section: 9

Original Text
-
In the absence of an application profile standard specifying otherwise, a 
TLS-compliant application MUST implement the cipher suite 
TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the definition).

Corrected Text
--
In the absence of an application profile standard specifying otherwise, a 
TLS-compliant application MUST implement the cipher suite 
TLS_RSA_WITH_AES_128_GCM_SHA256 (see Appendix A.5 for the definition).

Notes
-
A must-be-implement cipher suite should not relay on a bulk encryption 
algorithm which is vulnerable to plain-text attacks or on a secure hash 
algorithm which has been proven to be insecure.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC2818 (6503)

2021-03-29 Thread RFC Errata System
The following errata report has been submitted for RFC2818,
"HTTP Over TLS".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6503

--
Type: Editorial
Reported by: Jennalyn bernardo 

Section: RFC 2459

Original Text
-
HTTP Over TLS

Corrected Text
--
HTTP Over TLS

Notes
-
Pls help me to remove me here I want my own privacy thank u so much

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC2818 (draft-ietf-tls-https-04)
--
Title   : HTTP Over TLS
Publication Date: May 2000
Author(s)   : E. Rescorla
Category: INFORMATIONAL
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC8996 (6492)

2021-03-23 Thread RFC Errata System
The following errata report has been submitted for RFC8996,
"Deprecating TLS 1.0 and TLS 1.1".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6492

--
Type: Editorial
Reported by: Martin Thomson 

Section: 1.1

Original Text
-
ServerHello.Random

Corrected Text
--
ServerHello.random 

Notes
-
Very pedantic, but RFC 8446 uses all lowercase for "random" to match the 
grammar.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8996 (draft-ietf-tls-oldversions-deprecate-12)
--
Title   : Deprecating TLS 1.0 and TLS 1.1
Publication Date: March 2021
Author(s)   : K. Moriarty, S. Farrell
Category: BEST CURRENT PRACTICE
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Technical Errata Reported] RFC8446 (6401)

2021-01-19 Thread RFC Errata System
The following errata report has been submitted for RFC8446,
"The Transport Layer Security (TLS) Protocol Version 1.3".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6401

--
Type: Technical
Reported by: Eric Covener 

Section: 4.6.2

Original Text
-
When the client has sent the "post_handshake_auth" extension (see
Section 4.2.6), a server MAY request client authentication at any
time after the handshake has completed by sending a
CertificateRequest message.  

Corrected Text
--
When the client has sent the "post_handshake_auth" extension (see
Section 4.2.6), a server MAY request client authentication during the 
main handshake and/or at any time after the handshake has completed by 
sending a CertificateRequest message.  



Notes
-
4.6.2 is ambiguous as to whether it forbids "main handshake" (mid-handshake) 
client 
authentication when the client has sent  the "post_handshake_auth" extension. I 
think 
the language would be stronger if it were really forbidden, and openssl 
s_server permits 
this behavior and rfc8740 implies it as well.

The "main handshake" language is adopted from 4.3.2 but "main" could be dropped 
as 
"handshake" is not ambiguous in 1.3 due to no renegotiation.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8446 (draft-ietf-tls-tls13-28)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.3
Publication Date: August 2018
Author(s)   : E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


[TLS] [Editorial Errata Reported] RFC5246 (6244)

2020-07-29 Thread RFC Errata System
The following errata report has been submitted for RFC5246,
"The Transport Layer Security (TLS) Protocol Version 1.2".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6244

--
Type: Editorial
Reported by: Victor S. Osipov 

Section: 6.2.3.2

Original Text
-
IV
The Initialization Vector (IV) SHOULD be chosen at random, and
MUST be unpredictable. Note that in versions of TLS prior to 1.1,
there was no IV field, and the last ciphertext block of the
previous record (the "CBC residue") was used as the IV. This was
changed to prevent the attacks described in [CBCATT]. For block
ciphers, the IV length is of length
SecurityParameters.record_iv_length, which is equal to the
SecurityParameters.block_size.

Corrected Text
--
IV
The Initialization Vector (IV) SHOULD be chosen at random, and
MUST be unpredictable. Note that in versions of TLS prior to 1.1,
there was no IV field, and the last ciphertext block of the
previous record (the "CBC residue") was used as the IV. This was
changed to prevent the attacks described in [CBCATT]. For block
ciphers, the IV length is of length
SecurityParameters.record_iv_length, which is equal to the
SecurityParameters.block_length.

Notes
-
This is an error here. The structure SecurityParameters hasn't the element 
block_size.
It has the element block_length.
See in section 6.1:
struct {
ConnectionEnd entity;
PRFAlgorithm prf_algorithm;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
uint8 enc_key_length;
uint8 block_length;
uint8 fixed_iv_length;
uint8 record_iv_length;
MACAlgorithm mac_algorithm;
uint8 mac_length;
uint8 mac_key_length;
CompressionMethod compression_algorithm;
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
} SecurityParameters;

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC5246 (draft-ietf-tls-rfc4346-bis-10)
--
Title   : The Transport Layer Security (TLS) Protocol Version 1.2
Publication Date: August 2008
Author(s)   : T. Dierks, E. Rescorla
Category: PROPOSED STANDARD
Source  : Transport Layer Security
Area: Security
Stream  : IETF
Verifying Party : IESG

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


  1   2   >