| < draft-ietf-tls-oob-pubkey-04.txt | draft-ietf-tls-oob-pubkey-05.txt > | |||
|---|---|---|---|---|
| TLS P. Wouters | TLS P. Wouters, Ed. | |||
| Internet-Draft Red Hat | Internet-Draft Red Hat | |||
| Intended status: Standards Track J. Gilmore | Intended status: Standards Track H. Tschofenig, Ed. | |||
| Expires: January 17, 2013 | Expires: April 25, 2013 Nokia Siemens Networks | |||
| J. Gilmore | ||||
| S. Weiler | S. Weiler | |||
| SPARTA, Inc. | SPARTA, Inc. | |||
| T. Kivinen | T. Kivinen | |||
| AuthenTec | AuthenTec | |||
| H. Tschofenig | October 22, 2012 | |||
| Nokia Siemens Networks | ||||
| July 16, 2012 | ||||
| Out-of-Band Public Key Validation for Transport Layer Security | Out-of-Band Public Key Validation for Transport Layer Security (TLS) | |||
| draft-ietf-tls-oob-pubkey-04.txt | draft-ietf-tls-oob-pubkey-05.txt | |||
| Abstract | Abstract | |||
| This document specifies a new certificate type for exchanging raw | This document specifies a new certificate type for exchanging raw | |||
| public keys in Transport Layer Security (TLS) and Datagram Transport | public keys in Transport Layer Security (TLS) and Datagram Transport | |||
| Layer Security (DTLS) for use with out-of-band public key validation. | Layer Security (DTLS) for use with out-of-band public key validation. | |||
| Currently, TLS authentication can only occur via X.509-based Public | Currently, TLS authentication can only occur via X.509-based Public | |||
| Key Infrastructure (PKI) or OpenPGP certificates. By specifying a | Key Infrastructure (PKI) or OpenPGP certificates. By specifying a | |||
| minimum resource for raw public key exchange, implementations can use | minimum resource for raw public key exchange, implementations can use | |||
| alternative public key validation methods. | alternative public key validation methods. | |||
| skipping to change at page 2, line 6 ¶ | skipping to change at page 2, line 6 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 17, 2013. | This Internet-Draft will expire on April 25, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. New TLS Extensions . . . . . . . . . . . . . . . . . . . . . . 4 | 3. New TLS Extension . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. TLS Handshake Extension . . . . . . . . . . . . . . . . . . . 5 | 4. TLS Handshake Extension . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Client Hello . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Client Hello . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Server Hello . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. Server Hello . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3. Certificate Request . . . . . . . . . . . . . . . . . . . 6 | 4.3. Certificate Request . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.4. Certificate Payload . . . . . . . . . . . . . . . . . . . 6 | 4.4. Other Handshake Messages . . . . . . . . . . . . . . . . . 8 | |||
| 4.5. Other TLS Messages . . . . . . . . . . . . . . . . . . . . 6 | 4.5. Client authentication . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| Traditionally, TLS server public keys are obtained in PKIX containers | Traditionally, TLS server public keys are obtained in PKIX containers | |||
| in-band using the TLS handshake and validated using trust anchors | in-band using the TLS handshake and validated using trust anchors | |||
| based on a [PKIX] certification authority (CA). This method can add | based on a [PKIX] certification authority (CA). This method can add | |||
| a complicated trust relationship that is difficult to validate. | a complicated trust relationship that is difficult to validate. | |||
| Examples of such complexity can be seen in [Defeating-SSL]. | Examples of such complexity can be seen in [Defeating-SSL]. | |||
| Alternative methods are available that allow a TLS client to obtain | Alternative methods are available that allow a TLS client to obtain | |||
| the TLS server public key: | the TLS server public key: | |||
| o The TLS server public key is obtained from a DNSSEC secured | o The TLS server public key is obtained from a DNSSEC secured | |||
| resource records using DANE [I-D.ietf-dane-protocol]. | resource records using DANE [RFC6698]. | |||
| o The TLS server public key is obtained from a [PKIX] certificate | o The TLS server public key is obtained from a [PKIX] certificate | |||
| chain from an Lightweight Directory Access Protocol (LDAP) [LDAP] | chain from an Lightweight Directory Access Protocol (LDAP) [LDAP] | |||
| server. | server. | |||
| o The TLS client and server public key is provisioned into the | o The TLS client and server public key is provisioned into the | |||
| operating system firmware image, and updated via software updates. | operating system firmware image, and updated via software updates. | |||
| Some smart objects use the UDP-based Constrained Application Protocol | Some smart objects use the UDP-based Constrained Application Protocol | |||
| (CoAP) [I-D.ietf-core-coap] to interact with a Web server to upload | (CoAP) [I-D.ietf-core-coap] to interact with a Web server to upload | |||
| sensor data at a regular intervals, such as temperature readings. | sensor data at a regular intervals, such as temperature readings. | |||
| CoAP [I-D.ietf-core-coap] can utilize DTLS for securing the client- | CoAP [I-D.ietf-core-coap] can utilize DTLS for securing the client- | |||
| to-server communication. As part of the manufacturing process, the | to-server communication. As part of the manufacturing process, the | |||
| embeded device may be configured with the address and the public key | embeded device may be configured with the address and the public key | |||
| of a dedicated CoAP server, as well as a public key for the client | of a dedicated CoAP server, as well as a public key for the client | |||
| itself. The usage of X.509-based PKIX certificates [PKIX] does not | itself. The usage of X.509-based PKIX certificates [PKIX] may not | |||
| suit all smart object deployments and would therefore be an | suit all smart object deployments and would therefore be an | |||
| unneccesarry burden. | unneccesarry burden. | |||
| The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] | The Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246] | |||
| provides a framework for extensions to TLS as well as guidelines for | provides a framework for extensions to TLS as well as guidelines for | |||
| designing such extensions. This document defines an extension to | designing such extensions. This document defines an extension to | |||
| indicate the support for raw public keys. | indicate the support for raw public keys. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 3. New TLS Extensions | 3. New TLS Extension | |||
| In order to indicate the support for multiple certificate types two | This section describes the changes to the TLS handshake message | |||
| new extensions are defined by this specification with the following | contents when raw public key certificates are to be used. Figure 3 | |||
| semantic: | illustrates the exchange of messages as described in the sub-sections | |||
| below. The client and the server exchange the newly defined | ||||
| certificate_type extension to indicate their ability and desire to | ||||
| exchange raw public keys. These raw public keys, in the form of a | ||||
| SubjectPublicKeyInfo structure, are then carried inside the | ||||
| certificate payload. The SubjectPublicKeyInfo structure is defined | ||||
| in Section 4.1 of RFC 5280. Note that the SubjectPublicKeyInfo block | ||||
| does not only contain the raw keys, such as the public exponent and | ||||
| the modulus of an RSA public key, but also an algorithm identifier. | ||||
| The structure, as shown in Figure 1, is encoded in an ASN.1 format | ||||
| and therefore contains length information as well. | ||||
| cert-send: The certificate payload in this message contains a | SubjectPublicKeyInfo ::= SEQUENCE { | |||
| certificate of the type indicated by this extension. | algorithm AlgorithmIdentifier, | |||
| subjectPublicKey BIT STRING } | ||||
| cert-receive: By including this extension an entity indicates that | Figure 1: SubjectPublicKeyInfo ASN.1 Structure. | |||
| it is able to recieve and process the indicated certificate types. | ||||
| This list is sorted by preference. | ||||
| enum { X.509(0), RawPublicKey(1), (255) } CertType; | The algorithm identifiers are Object Identifiers (OIDs). RFC 3279 | |||
| [RFC3279], for example, defines the following OIDs shown in Figure 2. | ||||
| CertType cert-receive <1..2^8-1>; | Key Type | Document | OID | |||
| -----------------------+----------------------------+------------------- | ||||
| RSA | Section 2.3.1 of RFC 3279 | 1.2.840.113549.1.1 | ||||
| .......................|............................|................... | ||||
| Digital Signature | | | ||||
| Algorithm (DSS) | Section 2.3.2 of RFC 3279 | 1.2.840.10040.4.1 | ||||
| .......................|............................|................... | ||||
| Elliptic Curve | | | ||||
| Digital Signature | | | ||||
| Algorithm (ECDSA) | Section 2.3.5 of RFC 3279 | 1.2.840.10045.2.1 | ||||
| -----------------------+----------------------------+------------------- | ||||
| CertType cert-send; | Figure 2: Example Algorithm Identifiers. | |||
| Figure 1: New TLS Extension Structures | client_hello, | |||
| certificate_type -> | ||||
| No new cipher suites are required for use with raw public keys. All | <- server_hello, | |||
| existing cipher suites that support a key exchange method compatible | certificate_type, | |||
| with the key in the certificate can be used in combination with raw | certificate, | |||
| public key certificate types. | server_key_exchange, | |||
| certificate_request, | ||||
| server_hello_done | ||||
| certificate, | ||||
| client_key_exchange, | ||||
| certificate_verify, | ||||
| change_cipher_spec, | ||||
| finished -> | ||||
| 4. TLS Handshake Extension | <- change_cipher_spec, | |||
| finished | ||||
| This section describes the semantic of the 'cert-send' and the 'cert- | Application Data <-------> Application Data | |||
| receive' extensions for the different handshake messages. | ||||
| 4.1. Client Hello | Figure 3: Basic Raw Public Key TLS Exchange. | |||
| To allow a TLS client to indicate that it is able to receive a | The "certificate_type" TLS extension carries a list of supported | |||
| certificate of a specific type it MAY include the 'cert-receive' | certificate types the client can send and receive, sorted by client | |||
| extension in the client hello message. To indicate the ability to | preference. Two values are defined for each certificate types to | |||
| process a raw public key by the server the TLS client MUST include | differentiate whether a client or a server is able to process a | |||
| the 'cert-receive' with the value one (1) (indicating "RawPublicKey") | certificate of a specific type or can also send it. This extension | |||
| in the list of supported certificate types. If a TLS client only | MUST be omitted if the client only supports X.509 certificates. The | |||
| supports X.509 certificates it MAY include this extension to indicate | "extension_data" field of this extension contains a CertTypeExtension | |||
| support for it. | structure. | |||
| Future documents may define additional certificate types that require | Note that the CertTypeExtension structure is being used both by the | |||
| addition values to be registered. | client and the server, even though the structure is only specified | |||
| once in this document. | ||||
| Note: No new cipher suites are required to use raw public keys. All | The structure of the CertTypeExtension is defined as follows: | |||
| enum { client, server } ClientOrServerExtension; | ||||
| enum { X.509-Accept (0), | ||||
| X.509-Offer (1), | ||||
| RawPublicKey-Accept (2), | ||||
| RawPublicKey-Offer (3), | ||||
| (255) | ||||
| } CertificateType; | ||||
| struct { | ||||
| select(ClientOrServerExtension) | ||||
| case client: | ||||
| CertificateType certificate_types<1..2^8-1>; | ||||
| case server: | ||||
| CertificateType certificate_type; | ||||
| } | ||||
| } CertTypeExtension; | ||||
| Figure 4: CertTypeExtension Structure. | ||||
| No new cipher suites are required to use raw public keys. All | ||||
| existing cipher suites that support a key exchange method compatible | existing cipher suites that support a key exchange method compatible | |||
| with the defined extension can be used. | with the defined extension can be used. | |||
| 4.2. Server Hello | 4. TLS Handshake Extension | |||
| If the server receives a client hello that contains the 'cert- | 4.1. Client Hello | |||
| receive' extension then two outcomes are possible. The server MUST | ||||
| either select a certificate type from client-provided list or | ||||
| terminate the session with a fatal alert of type | ||||
| "unsupported_certificate". In the former case the procedure in | ||||
| Section 4.4 MUST be followed. | ||||
| 4.3. Certificate Request | In order to indicate the support of out-of-band raw public keys, | |||
| clients MUST include an extension of type "certificate_type" to the | ||||
| extended client hello message. The "certificate_type" TLS extension | ||||
| is assigned the value of [TBD] from the TLS ExtensionType registry. | ||||
| This value is used as the extension number for the extensions in both | ||||
| the client hello message and the server hello message. The hello | ||||
| extension mechanism is described in TLS 1.2 [RFC5246]. | ||||
| The Certificate Request payload sent by the TLS server to the TLS | 4.2. Server Hello | |||
| client MUST be accompanied by a 'cert-receive' extension, which | ||||
| indicates to the TLS client the certificate type the server supports. | ||||
| 4.4. Certificate Payload | If the server receives a client hello that contains the | |||
| "certificate_type" extension and chooses a cipher suite then two | ||||
| outcomes are possible. The server MUST either select a certificate | ||||
| type from the CertificateType field in the extended client hello or | ||||
| terminate the session with a fatal alert of type | ||||
| "unsupported_certificate". | ||||
| Certificate payloads MUST be accompanied by a 'cert-send' extension, | The certificate type selected by the server is encoded in a | |||
| which indicates the certificate format found in the Certificate | CertTypeExtension structure, which is included in the extended server | |||
| payload itself. | hello message using an extension of type "certificate_type". Servers | |||
| that only support X.509 certificates MAY omit including the | ||||
| "certificate_type" extension in the extended server hello. | ||||
| The list of supported certificate types to choose from MUST have been | If the client supports the receiption of raw public keys and the | |||
| obtained via the 'cert-receive' extension. This ensures that a | server is able to provide such a raw public key then the TLS server | |||
| Certificate payload only contains a certificate type that is also | MUST place the SubjectPublicKeyInfo structure into the Certificate | |||
| supported by the recipient. | payload. The public key MUST match the selected key exchange | |||
| algorithm. | ||||
| When the 'RawPublicKey' certificate type is selected then the | 4.3. Certificate Request | |||
| SubjectPublicKeyInfo structure MUST be placed into the Certificate | ||||
| payload. The type of the asymmetric key MUST match the selected key | ||||
| exchange algorithm. | ||||
| 4.5. Other TLS Messages | The semantics of this message remain the same as in the TLS | |||
| specification. | ||||
| 4.4. Other Handshake Messages | ||||
| All the other handshake messages are identical to the TLS | All the other handshake messages are identical to the TLS | |||
| specification. | specification. | |||
| 4.5. Client authentication | ||||
| Client authentication by the TLS server is supported only through | ||||
| authentication of the received client SubjectPublicKeyInfo via an | ||||
| out-of-band method | ||||
| 5. Examples | 5. Examples | |||
| Figure 2, Figure 3, and Figure 4 illustrate example message | Figure 5, Figure 6, and Figure 7 illustrate example message | |||
| exchanges. | exchanges. | |||
| The first example shows an exchange where the TLS client indicates | The first example shows an exchange where the TLS client indicates | |||
| its ability to process two certificate types, namely raw public keys | its ability to process two certificate types, namely raw public keys | |||
| and X.509 certificates via the 'cert-receive' extension (see [1]). | and X.509 certificates via the 'certificate_type' extension in [1]. | |||
| When the TLS server receives the client hello it processes the cert- | When the TLS server receives the client hello it processes the | |||
| receive extension and since it also has a raw public key it indicates | certificate_type extension and since it also has a raw public key it | |||
| in [2] that it had choosen to place the SubjectPublicKeyInfo | indicates in [2] that it had choosen to place the | |||
| structure into the Certificate payload (see [3]). The client uses | SubjectPublicKeyInfo structure into the Certificate payload (see | |||
| this raw public key in the TLS handshake and an out-of-band | [3]). The client uses this raw public key in the TLS handshake and | |||
| technique, such as DANE, to verify its validatity. | an out-of-band technique, such as DANE, to verify its validatity. | |||
| client_hello, | client_hello, | |||
| cert-receive=(RawPublicKey, X.509) -> // [1] | certificate_type=(RawPublicKey-Accept) -> // [1] | |||
| <- server_hello, | <- server_hello, | |||
| cert-send=RawPublicKey, // [2] | certificate_type=(RawPublicKey-Offer), // [2] | |||
| certificate, // [3] | certificate, // [3] | |||
| server_key_exchange, | server_key_exchange, | |||
| server_hello_done | server_hello_done | |||
| client_key_exchange, | client_key_exchange, | |||
| change_cipher_spec, | change_cipher_spec, | |||
| finished -> | finished -> | |||
| <- change_cipher_spec, | <- change_cipher_spec, | |||
| finished | finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| Figure 2: Example with Raw Public Key provided by the TLS Server | Figure 5: Example with Raw Public Key provided by the TLS Server | |||
| In our second example the TLS client and the TLS server use raw | In our second example both the TLS client and the TLS server use raw | |||
| public keys. This is a use case envisioned for smart object | public keys. This is a use case envisioned for smart object | |||
| networking. The TLS client in this case is an embedded device that | networking. The TLS client in this case is an embedded device that | |||
| only supports raw public keys and therefore it indicates this | only supports raw public keys and therefore it indicates this | |||
| capability via the 'cert-receive' extension in [1]. As in the | capability via the 'certificate_type' extension in [1]. As in the | |||
| previously shown example the server fulfills the client's request and | previously shown example the server fulfills the client's request and | |||
| provides a raw public key into the Certificate payload back to the | provides a raw public key into the Certificate payload back to the | |||
| client (see [2] and [3]). The TLS server, however, demands client | client (see [3]). The TLS server, however, demands client | |||
| authentication and for this reason a Certificate_Request payload is | authentication and therefore a certificate_request is added [4]. The | |||
| added [4], which comes with an indication of the supported | certificate_type payload indicates the TLS server supported | |||
| certificate types by the server, see [5]. The TLS client, who has a | certificate types, see [2], and particularly that the TLS server is | |||
| raw public key pre-provisioned, returns it in the Certificate payload | also able to process raw public keys sent by the client. The TLS | |||
| [7] to the server with the indication about its content [6]. | client, who has a raw public key pre-provisioned, returns it in the | |||
| Certificate payload [5] to the server. | ||||
| client_hello, | client_hello, | |||
| cert-receive=(RawPublicKey) -> // [1] | certificate_type=(RawPublicKey-Offer, RawPublicKey-Accept) -> // [1] | |||
| <- server_hello, | <- server_hello, | |||
| cert-send=RawPublicKey,// [2] | certificate_type=(RawPublicKey-Offer, | |||
| certificate, // [3] | RawPublicKey-Accept) // [2] | |||
| certificate_request, // [4] | certificate, // [3] | |||
| cert-receive=(RawPublicKey, X.509) // [5] | certificate_request, // [4] | |||
| server_key_exchange, | server_key_exchange, | |||
| server_hello_done | server_hello_done | |||
| cert-send=RawPublicKey, // [6] | certificate, // [5] | |||
| certificate, // [7] | client_key_exchange, | |||
| client_key_exchange, | change_cipher_spec, | |||
| change_cipher_spec, | finished -> | |||
| finished -> | ||||
| <- change_cipher_spec, | <- change_cipher_spec, | |||
| finished | finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| Figure 3: Example with Raw Public Key provided by the TLS Server and | Figure 6: Example with Raw Public Key provided by the TLS Server and | |||
| the Client | the Client | |||
| In our last example we illustrate a combination of raw public key and | In our last example we illustrate a combination of raw public key and | |||
| X.509 usage. The client uses a raw public key for client | X.509 usage. The client uses a raw public key for client | |||
| authentication but the server provides an X.509 certificate. This | authentication but the server provides an X.509 certificate. This | |||
| exchange starts with the client indicating its ability to process | exchange starts with the client indicating its ability to process | |||
| X.509 certificates. The server provides the X.509 certificate using | X.509 certificates provided by the server, and the ability to send | |||
| raw public keys. The server provides the X.509 certificate using | ||||
| that format in [3] with the indication present in [2]. For client | that format in [3] with the indication present in [2]. For client | |||
| authentication, however, the server indicates in [5] that it is able | authentication, however, the server indicates in [2] that it is able | |||
| to support raw public keys as well as X.509 certificates. The TLS | to support raw public keys. The TLS client provides a raw public key | |||
| client provides a raw public key in [7] and the indication in [6]. | in [5] after receiving and processing the TLS server hello message. | |||
| client_hello, | ||||
| cert-receive=(X.509) -> // [1] | ||||
| <- server_hello, | client_hello, | |||
| cert-send=X.509,// [2] | certificate_type=(X.509 Receive, RawPublicKey-Offer) -> // [1] | |||
| certificate, // [3] | ||||
| certificate_request, // [4] | ||||
| cert-receive=(RawPublicKey, X.509) // [5] | ||||
| server_key_exchange, | ||||
| server_hello_done | ||||
| cert-send=RawPublicKey, // [6] | <- server_hello, | |||
| certificate, // [7] | certificate_type=(X.509 Send, | |||
| client_key_exchange, | RawPublicKey-Accept), // [2] | |||
| change_cipher_spec, | certificate, // [3] | |||
| finished -> | certificate_request, // [4] | |||
| server_key_exchange, | ||||
| server_hello_done | ||||
| certificate, // [5] | ||||
| client_key_exchange, | ||||
| change_cipher_spec, | ||||
| finished -> | ||||
| <- change_cipher_spec, | <- change_cipher_spec, | |||
| finished | finished | |||
| Application Data <-------> Application Data | Application Data <-------> Application Data | |||
| Figure 4: Hybrid Certificate Example | Figure 7: Hybrid Certificate Example | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The transmission of raw public keys, as described in this document, | The transmission of raw public keys, as described in this document, | |||
| provides benefits by lowering the over-the-air transmission overhead | provides benefits by lowering the over-the-air transmission overhead | |||
| since raw public keys are quite naturally smaller than an entire | since raw public keys are quite naturally smaller than an entire | |||
| certificate. There are also advantages from a codesize point of view | certificate. There are also advantages from a codesize point of view | |||
| for parsing and processing these keys. The crytographic procedures | for parsing and processing these keys. The crytographic procedures | |||
| for assocating the public key with the possession of a private key | for assocating the public key with the possession of a private key | |||
| also follows standard procedures. | also follows standard procedures. | |||
| The main security challenge is, however, how to associate the public | The main security challenge is, however, how to associate the public | |||
| key with a specific entity. This information will be needed to make | key with a specific entity. This information will be needed to make | |||
| authorization decisions. Without a secure binding, man-in-the-middle | authorization decisions. Without a secure binding, man-in-the-middle | |||
| attacks may be the consequence. This document assumes that such | attacks may be the consequence. This document assumes that such | |||
| binding can be made out-of-band and we list a few examples in | binding can be made out-of-band and we list a few examples in | |||
| Section 1. DANE [I-D.ietf-dane-protocol] offers one such approach. | Section 1. DANE [RFC6698] offers one such approach. If public keys | |||
| If public keys are obtained using DANE, these public keys are | are obtained using DANE, these public keys are authenticated via | |||
| authenticated via DNSSEC. Pre-configured keys is another out of band | DNSSEC. Pre-configured keys is another out of band method for | |||
| method for authenticating raw public keys. While pre-configured keys | authenticating raw public keys. While pre-configured keys are not | |||
| are not suitable for a generic Web-based e-commerce environment such | suitable for a generic Web-based e-commerce environment such keys are | |||
| keys are a reasonable approach for many smart object deployments | a reasonable approach for many smart object deployments where there | |||
| where there is a close relationship between the software running on | is a close relationship between the software running on the device | |||
| the device and the server-side communication endpoint. Regardless of | and the server-side communication endpoint. Regardless of the chosen | |||
| the chosen mechanism for out-of-band public key validation an | mechanism for out-of-band public key validation an assessment of the | |||
| assessment of the most suitable approach has to be made prior to the | most suitable approach has to be made prior to the start of a | |||
| start of a deployment to ensure the security of the system. | deployment to ensure the security of the system. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document defines two new TLS extension, 'cert-send' and 'cert- | This document defines a new TLS extension, "certificate_type", | |||
| receive', and their values need to be added to the TLS ExtensionType | assigned a value of [TBD] from the TLS ExtensionType registry defined | |||
| registry created by RFC 5246 [RFC5246]. | in [RFC5246]. This value is used as the extension number for the | |||
| extensions in both the client hello message and the server hello | ||||
| message. The new extension type is used for certificate type | ||||
| negotiation. | ||||
| The values in these new extensions contains an 8-bit CertificateType | The "certificate_type" extension contains an 8-bit CertificateType | |||
| field, for which a new registry, named "Certificate Types", is | field, for which a new registry, named "TLS Certificate Types", is | |||
| established in this document, to be maintained by IANA. The registry | established in this document, to be maintained by IANA. The registry | |||
| is segmented in the following way: | is segmented in the following way: | |||
| 1. The value (0) is defined in this document. | 1. The values 0 - 3 are defined in Figure 4. | |||
| 2. Values from 2 through 223 decimal inclusive are assigned using | 2. Values from 3 through 223 decimal inclusive are assigned via IETF | |||
| the 'Specification Required' policy defined in RFC 5226 | Consensus [RFC5226]. | |||
| [RFC5226]. | ||||
| 3. Values from 224 decimal through 255 decimal inclusive are | 3. Values from 224 decimal through 255 decimal inclusive are | |||
| reserved for 'Private Use', see [RFC5226]. | reserved for Private Use [RFC5226]. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The feedback from the TLS working group meeting at IETF#81 has | The feedback from the TLS working group meeting at IETF#81 has | |||
| substantially shaped the document and we would like to thank the | substantially shaped the document and we would like to thank the | |||
| meeting participants for their input. The support for hashes of | meeting participants for their input. The support for hashes of | |||
| public keys has been moved to [I-D.ietf-tls-cached-info] after the | public keys has been moved to [I-D.ietf-tls-cached-info] after the | |||
| discussions at the IETF#82 meeting and the feedback from Eric | discussions at the IETF#82 meeting and the feedback from Eric | |||
| Rescorla. | Rescorla. | |||
| We would like to thank the following persons for their review | We would like to thank the following persons for their review | |||
| comments: Martin Rex, Bill Frantz, Zach Shelby, Carsten Bormann, | comments: Martin Rex, Bill Frantz, Zach Shelby, Carsten Bormann, | |||
| Cullen Jennings, Rene Struik, Alper Yegin, Jim Schaad, Paul Hoffman, | Cullen Jennings, Rene Struik, Alper Yegin, Jim Schaad, Paul Hoffman, | |||
| Robert Cragie, Nikos Mavrogiannopoulos, Phil Hunt, John Bradley, and | Robert Cragie, Nikos Mavrogiannopoulos, Phil Hunt, John Bradley, | |||
| James Manger. | Klaus Hartke, Stefan Jucker, and James Manger. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [PKIX] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [PKIX] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| skipping to change at page 11, line 28 ¶ | skipping to change at page 13, line 28 ¶ | |||
| [Defeating-SSL] | [Defeating-SSL] | |||
| Marlinspike, M., "New Tricks for Defeating SSL in | Marlinspike, M., "New Tricks for Defeating SSL in | |||
| Practice", February 2009, <http://www.blackhat.com/ | Practice", February 2009, <http://www.blackhat.com/ | |||
| presentations/bh-dc-09/Marlinspike/ | presentations/bh-dc-09/Marlinspike/ | |||
| BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>. | BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>. | |||
| [I-D.ietf-core-coap] | [I-D.ietf-core-coap] | |||
| Shelby, Z., Hartke, K., Bormann, C., and B. Frank, | Shelby, Z., Hartke, K., Bormann, C., and B. Frank, | |||
| "Constrained Application Protocol (CoAP)", | "Constrained Application Protocol (CoAP)", | |||
| draft-ietf-core-coap-10 (work in progress), June 2012. | draft-ietf-core-coap-12 (work in progress), October 2012. | |||
| [I-D.ietf-dane-protocol] | ||||
| Hoffman, P. and J. Schlyter, "The DNS-Based Authentication | ||||
| of Named Entities (DANE) Transport Layer Security (TLS) | ||||
| Protocol: TLSA", draft-ietf-dane-protocol-23 (work in | ||||
| progress), June 2012. | ||||
| [I-D.ietf-tls-cached-info] | [I-D.ietf-tls-cached-info] | |||
| Santesson, S. and H. Tschofenig, "Transport Layer Security | Santesson, S. and H. Tschofenig, "Transport Layer Security | |||
| (TLS) Cached Information Extension", | (TLS) Cached Information Extension", | |||
| draft-ietf-tls-cached-info-11 (work in progress), | draft-ietf-tls-cached-info-13 (work in progress), | |||
| December 2011. | September 2012. | |||
| [LDAP] Sermersheim, J., "Lightweight Directory Access Protocol | [LDAP] Sermersheim, J., "Lightweight Directory Access Protocol | |||
| (LDAP): The Protocol", RFC 4511, June 2006. | (LDAP): The Protocol", RFC 4511, June 2006. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | ||||
| Identifiers for the Internet X.509 Public Key | ||||
| Infrastructure Certificate and Certificate Revocation List | ||||
| (CRL) Profile", RFC 3279, April 2002. | ||||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys | [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication | |||
| for Transport Layer Security (TLS) Authentication", | of Named Entities (DANE) Transport Layer Security (TLS) | |||
| RFC 6091, February 2011. | Protocol: TLSA", RFC 6698, August 2012. | |||
| Authors' Addresses | Authors' Addresses | |||
| Paul Wouters | Paul Wouters (editor) | |||
| Red Hat | Red Hat | |||
| Email: paul@nohats.ca | Email: paul@nohats.ca | |||
| Hannes Tschofenig (editor) | ||||
| Nokia Siemens Networks | ||||
| Linnoitustie 6 | ||||
| Espoo 02600 | ||||
| Finland | ||||
| Phone: +358 (50) 4871445 | ||||
| Email: Hannes.Tschofenig@gmx.net | ||||
| URI: http://www.tschofenig.priv.at | ||||
| John Gilmore | John Gilmore | |||
| PO Box 170608 | PO Box 170608 | |||
| San Francisco, California 94117 | San Francisco, California 94117 | |||
| USA | USA | |||
| Phone: +1 415 221 6524 | Phone: +1 415 221 6524 | |||
| Email: gnu@toad.com | Email: gnu@toad.com | |||
| URI: https://www.toad.com/ | URI: https://www.toad.com/ | |||
| Samuel Weiler | Samuel Weiler | |||
| skipping to change at page 12, line 36 ¶ | skipping to change at line 541 ¶ | |||
| Email: weiler@tislabs.com | Email: weiler@tislabs.com | |||
| Tero Kivinen | Tero Kivinen | |||
| AuthenTec | AuthenTec | |||
| Eerikinkatu 28 | Eerikinkatu 28 | |||
| HELSINKI FI-00180 | HELSINKI FI-00180 | |||
| FI | FI | |||
| Email: kivinen@iki.fi | Email: kivinen@iki.fi | |||
| Hannes Tschofenig | ||||
| Nokia Siemens Networks | ||||
| Linnoitustie 6 | ||||
| Espoo 02600 | ||||
| Finland | ||||
| Phone: +358 (50) 4871445 | ||||
| Email: Hannes.Tschofenig@gmx.net | ||||
| URI: http://www.tschofenig.priv.at | ||||
| End of changes. 71 change blocks. | ||||
| 189 lines changed or deleted | 263 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||