Merge erratum 7629 (#28)

* Merge erratum 7629 * Update draft-mandel-lamps-rfc5272bis.md * Merge-erratum-7628 (#29) * Update draft-mandel-lamps-rfc5272bis.md
lamps-wg · Dec 21, 2023 · 01faa6b · 01faa6b
1 parent 3b3ae12
commit 01faa6b
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/draft-mandel-lamps-rfc5272bis.md b/draft-mandel-lamps-rfc5272bis.md
@@ -77,6 +77,14 @@ informative:
     target: https://www.rfc-editor.org/errata/eid4775
     title: RFC 5272 erratum 4775
     date: 2016-08-11
+  erratum7628
+    target: https://www.rfc-editor.org/errata/eid7628
+    title: RFC 5272 erratum 7628
+    date: 2023-09-04
+  erratum7629
+    target: https://www.rfc-editor.org/errata/eid7629
+    title: RFC 5272 erratum 7629
+    date: 2023-09-04
 
 --- abstract
 
@@ -218,10 +226,15 @@ Note: For now, this section will be list of the changes introduced
 </aside>
 
 --02 todo:
+
 * Updates ASN.1 to use 2002 ASN.1 module baseed on {{CMC-Updates}}
 * To support adopting SHA-256 and HMAC-SHA256:
   * Add maca-hMAC-SHA256 to POPAlgs
   * Add mda-sha256 to WitnessAlgs
+  * Add maca-hMAC-SHA256 and mda-sha256 to example in Appendix B
+* Merge {{erratum7628}}
+* Merge {{erratum7629}}
+* Address management of KEM certificate
 
 --01 todo:
 
@@ -894,7 +907,8 @@ client or no certificate exists for a signing key.
 > The id-cmc-authData control ({{AuthenticatedDataControl}}), and
 
 > The top-level wrapper in environments where an encryption-only key
-  is being certified.
+  is being certified or where a shared-secret exists, but a PKI-based
+  trust (needed for SignedData) has not yet been established.
 
 This content type can include both PKIData and PKIResponse as the
 encapsulated content types. These embedded content types can contain
@@ -946,6 +960,14 @@ corresponding to the PKI Request. If no data is being returned
 beyond the certificates and CRLs, the `EncapsulatedInfo` and `SignerInfo`
 fields are not populated.
 
+Only if the server is unable to sign the response (and unable to use
+any `RecipientInfo` options of the `AuthenticatedData` content type),
+and at the same time it should send a negative response,
+Full PKI Response `SignedData` type containing a CMC Status Info control
+MUST be returned using a `CMCFailInfo` with a value of internalCAError and
+a `bodyPartID` of 0, and the eContent field in the `EncapsulatedContentInfo`
+as well as `SignerInfo` fields MUST not be populated.
+
 ####  Other Message Bodies {#OtherMessageBodies}
 
 The otherMsgSequence field of the PKI Request/Response allows for