| < draft-ietf-tls-oob-pubkey-00.txt | draft-ietf-tls-oob-pubkey-01.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 13 ¶ | skipping to change at page 1, line 13 ¶ | |||
| IETF P. Wouters | IETF P. Wouters | |||
| Internet-Draft No Hats Corporation | Internet-Draft No Hats Corporation | |||
| Intended status: Standards Track J. Gilmore | Intended status: Standards Track J. Gilmore | |||
| Expires: July 10, 2012 | Expires: July 10, 2012 | |||
| S. Weiler | S. Weiler | |||
| SPARTA, Inc. | SPARTA, Inc. | |||
| T. Kivinen | T. Kivinen | |||
| AuthenTec | AuthenTec | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Siemens Networks | Nokia Siemens Networks | |||
| January 7, 2012 | January 20, 2012 | |||
| TLS Out-of-Band Public Key Validation | TLS Out-of-Band Public Key Validation | |||
| draft-ietf-tls-oob-pubkey-00.txt | draft-ietf-tls-oob-pubkey-01.txt | |||
| Abstract | Abstract | |||
| This document specifies a new TLS certificate type for exchanging raw | This document specifies a new TLS certificate type for exchanging raw | |||
| public keys in Transport Layer Security (TLS) and Datagram Transport | public keys in Transport Layer Security (TLS) and Datagram Transport | |||
| Layer Security (DTLS) for use with out-of-band authentication. | Layer Security (DTLS) for use with out-of-band authentication. | |||
| Currently, TLS authentication can only occur via PKIX or OpenPGP | Currently, TLS authentication can only occur via PKIX or OpenPGP | |||
| certificates. By specifying a minimum resource for raw public key | certificates. By specifying a minimum resource for raw public key | |||
| exchange, implementations can use alternative authentication methods. | exchange, implementations can use alternative authentication methods. | |||
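Review bot: The "Expires: July 10, 2012" header line is identical on both sides, although the document date moved from January 7 to January 20, 2012 and the name was bumped to -01. The expiry is derived from the submission date, so it should be regenerated for the new revision rather than carried over from -00.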
| skipping to change at page 6, line 30 ¶ | skipping to change at page 6, line 30 ¶ | |||
| <- change_cipher_spec, | <- change_cipher_spec, | |||
| finished | finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| Figure 1: Example Message Flow | Figure 1: Example Message Flow | |||
| 2.1. Client Hello | 2.1. Client Hello | |||
| In order to indicate the support of out-of-bound raw public keys, | In order to indicate the support of out-of-band raw public keys, | |||
| clients MUST include an extension of type "cert_type" to the extended | clients MUST include an extension of type "cert_type" to the extended | |||
| client hello message. The "cert_type" TLS extension, which is | client hello message. The "cert_type" TLS extension, which is | |||
| defined in [RFC6091], is assigned the value of 9 from the TLS | defined in [RFC6091], is assigned the value of 9 from the TLS | |||
| ExtensionType registry. This value is used as the extension number | ExtensionType registry. This value is used as the extension number | |||
| for the extensions in both the client hello message and the server | for the extensions in both the client hello message and the server | |||
| hello message. The hello extension mechanism is described in | hello message. The hello extension mechanism is described in | |||
| [RFC5246]. | [RFC5246]. | |||
| The "cert_type" TLS extension carries a list of supported certificate | The "cert_type" TLS extension carries a list of supported certificate | |||
| types the client can use, sorted by client preference. This | types the client can use, sorted by client preference. This | |||
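Review bot: The first sentence of 2.1 still reads 'clients MUST include an extension of type "cert_type" to the extended client hello message' after the out-of-band fix; "in the extended client hello message" is the expected wording for a normative requirement. In the same paragraph, "used as the extension number for the extensions in both the client hello message and the server hello message" would be clearer with the singular "extension", since only cert_type is meant.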
| skipping to change at page 9, line 32 ¶ | skipping to change at page 9, line 32 ¶ | |||
| RFC 4949, August 2007. | RFC 4949, August 2007. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [CoAP] Shelby, Z., Hartke, K., Bormann, C., and B. Frank, | [CoAP] Shelby, Z., Hartke, K., Bormann, C., and B. Frank, | |||
| "Constrained Application Protocol", | "Constrained Application Protocol", | |||
| draft-ietf-core-coap-07 (work in progress), July 2011. | draft-ietf-core-coap-07 (work in progress), July 2011. | |||
| [DANE] Hoffman, P. and J. Schlyter, "Using Secure DNS to | [DANE] Hoffman, P. and J. Schlyter, "Using Secure DNS to | |||
| Associate Certificates with Domain Names For TLS", | Associate Certificates with Domain Names For TLS", | |||
| draft-ietf-dane-protocol-12 (work in progress), | draft-ietf-dane-protocol-14 (work in progress), | |||
| September 2011. | September 2011. | |||
| [Defeating-SSL] | [Defeating-SSL] | |||
| Marlinspike, M., "New Tricks for Defeating SSL in | Marlinspike, M., "New Tricks for Defeating SSL in | |||
| Practice", February 2009, <http://www.blackhat.com/ | Practice", February 2009, <http://www.blackhat.com/ | |||
| presentations/bh-dc-09/Marlinspike/ | presentations/bh-dc-09/Marlinspike/ | |||
| BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>. | BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>. | |||
| [LDAP] Sermersheim, J., "Lightweight Directory Access Protocol | [LDAP] Sermersheim, J., "Lightweight Directory Access Protocol | |||
| (LDAP): The Protocol", RFC 4511, June 2006. | (LDAP): The Protocol", RFC 4511, June 2006. | |||
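Review bot: The [DANE] entry now cites draft-ietf-dane-protocol-14 but keeps the "September 2011" date from the -12 citation; the date should be updated to match the cited revision. The [CoAP] entry is unchanged at draft-ietf-core-coap-07, July 2011, and is worth checking against its current revision in the same pass.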
| End of changes. 4 change blocks. | ||||
| 4 lines changed or deleted | 4 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||