| < draft-ietf-tls-multiple-cert-status-extension-05.txt | draft-ietf-tls-multiple-cert-status-extension-06.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Pettersen | Network Working Group Y. Pettersen | |||
| Internet-Draft March 29, 2013 | Internet-Draft April 02, 2013 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: September 30, 2013 | Expires: October 04, 2013 | |||
| The TLS Multiple Certificate Status Request Extension | The TLS Multiple Certificate Status Request Extension | |||
| draft-ietf-tls-multiple-cert-status-extension-05 | draft-ietf-tls-multiple-cert-status-extension-06 | |||
| Abstract | Abstract | |||
| This document defines the Transport Layer Security (TLS) Certificate | This document defines the Transport Layer Security (TLS) Certificate | |||
| Status Version 2 Extension to allow clients to specify and support | Status Version 2 Extension to allow clients to specify and support | |||
| multiple certificate status methods. Also defined is a new method | multiple certificate status methods (commonly referred to as OCSP | |||
| based on the Online Certificate Status Protocol (OCSP) that servers | stapling). Also defined is a new method based on the Online | |||
| can use to provide status information not just about the server's own | Certificate Status Protocol (OCSP) that servers can use to provide | |||
| certificate, but also the status of intermediate certificates in the | status information not just about the server's own certificate, but | |||
| chain. | also the status of intermediate certificates in the chain. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 30, 2013. | This Internet-Draft will expire on October 04, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 7, line 51 ¶ | skipping to change at page 7, line 51 ¶ | |||
| If the response is inconclusive, then the client MAY decide to allow | If the response is inconclusive, then the client MAY decide to allow | |||
| the connection if it believes it will have the opportunity to check | the connection if it believes it will have the opportunity to check | |||
| the validity of the certificate through another means, e.g., by | the validity of the certificate through another means, e.g., by | |||
| directly querying the issuer's CRL or OCSP responders. The client | directly querying the issuer's CRL or OCSP responders. The client | |||
| MUST abort the connection if it needs to engage in activities that | MUST abort the connection if it needs to engage in activities that | |||
| require trust in the server, and the server certificate has not been | require trust in the server, and the server certificate has not been | |||
| sufficiently validated. An example of where the client might wish to | sufficiently validated. An example of where the client might wish to | |||
| continue is with EAP-TLS, where the client can use another mechanism | continue is with EAP-TLS, where the client can use another mechanism | |||
| to check the status of a certificate once it obtains network access. | to check the status of a certificate once it obtains network access. | |||
| In this case, the client could continue with the handshake, but it | In this case, the client could continue with the handshake, but it | |||
| would be inappropriate for the client to disclose a username and | MUST NOT disclose a username and password until it has fully | |||
| password until it has fully validated the server certificate. | validated the server certificate. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| Section 2.1 defines the new TLS Extension status_request_v2 enum, | Section 2.1 defines the new TLS Extension status_request_v2 enum, | |||
| which should be added to the ExtensionType Values list in the IANA | which should be added to the ExtensionType Values list in the IANA | |||
| Transport Layer Security (TLS) Extensions registry. | Transport Layer Security (TLS) Extensions registry. | |||
| Section 2.2 describes a TLS CertificateStatusType Registry to be | Section 2.2 describes a TLS CertificateStatusType Registry to be | |||
| maintained by the IANA. The new registry is called TLS Certificate | maintained by the IANA. The new registry is called TLS Certificate | |||
| Status Types and should be defined under the Transport Layer Security | Status Types and should be defined under the Transport Layer Security | |||
| End of changes. 6 change blocks. | ||||
| 11 lines changed or deleted | 11 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||