| < draft-mavrogiannopoulos-rfc5081bis-08.txt | draft-mavrogiannopoulos-rfc5081bis-09.txt > | |||
|---|---|---|---|---|
| Network Working Group N. Mavrogiannopoulos | Network Working Group N. Mavrogiannopoulos | |||
| Internet-Draft KUL | Internet-Draft KUL | |||
| Obsoletes: 5081 (if approved) D. Gillmor | Obsoletes: 5081 (if approved) D. Gillmor | |||
| Intended status: Informational Independent | Intended status: Informational Independent | |||
| Expires: March 20, 2011 September 16, 2010 | Expires: April 6, 2011 October 3, 2010 | |||
| Using OpenPGP Keys for Transport Layer Security (TLS) Authentication | Using OpenPGP Keys for Transport Layer Security (TLS) Authentication | |||
| draft-mavrogiannopoulos-rfc5081bis-08 | draft-mavrogiannopoulos-rfc5081bis-09 | |||
| Abstract | Abstract | |||
| This memo proposes extensions to the Transport Layer Security (TLS) | This memo defines Transport Layer Security (TLS) extensions and | |||
| protocol to support the OpenPGP key format. The extensions discussed | associated semantics that allow clients and sever to negotiate the | |||
| here include a certificate type negotiation mechanism, and the | use of OpenPGP certificates for a TLS session, and specifies how to | |||
| required modifications to the TLS Handshake Protocol. This memo | transport OpenPGP certificates via TLS. It also defines the registry | |||
| replaces the Experimental [RFC5081]. | for non-X.509 certificate types. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 20, 2011. | This Internet-Draft will expire on April 6, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
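Review bot: "sever" in the revised abstract ("allow clients and sever to negotiate the use of OpenPGP certificates") should read "server", and since the sentence describes both parties in the plural it should probably be "clients and servers". The revised abstract also drops the old sentence stating that this memo replaces the Experimental [RFC5081], while the header still carries "Obsoletes: 5081 (if approved)"; consider keeping a one-line mention of the obsoleted document in the abstract so that a reader of the abstract alone learns of that relationship.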
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Changes to the Handshake Message Contents . . . . . . . . . . . 3 | 3. Changes to the Handshake Message Contents . . . . . . . . . . . 3 | |||
| 3.1. Client Hello . . . . . . . . . . . . . . . . . . . . . . . 3 | 3.1. Client Hello . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.2. Server Hello . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Server Hello . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Server Certificate . . . . . . . . . . . . . . . . . . . . 4 | 3.3. Server Certificate . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.4. Certificate Request . . . . . . . . . . . . . . . . . . . . 6 | 3.4. Certificate Request . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.5. Client Certificate . . . . . . . . . . . . . . . . . . . . 6 | 3.5. Client Certificate . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.6. Other Handshake Messages . . . . . . . . . . . . . . . . . 7 | 3.6. Other Handshake Messages . . . . . . . . . . . . . . . . . 7 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. Changes from RFC 5081 . . . . . . . . . . . . . . . . 9 | Appendix A. Changes from RFC 5081 . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| The IETF has two sets of standards for public key certificates, one | The IETF has two sets of standards for public key certificates, one | |||
| set for use of X.509 certificates [RFC5280] and one for OpenPGP | set for use of X.509 certificates [RFC5280] and one for OpenPGP | |||
| certificates [RFC4880]. At the time of writing, TLS [RFC5246] | certificates [RFC4880]. At the time of writing, TLS [RFC5246] | |||
| standards are defined to use X.509 certificates. This document | standards are defined to use X.509 certificates. This document | |||
| specifies a way to negotiate use of OpenPGP certificates for a TLS | specifies a way to negotiate use of OpenPGP certificates for a TLS | |||
| session, and specifies how to transport OpenPGP certificates via TLS. | session, and specifies how to transport OpenPGP certificates via TLS. | |||
| The proposed extensions are backward compatible with the current TLS | The proposed extensions are backward compatible with the current TLS | |||
| specification, so that existing client and server implementations | specification, so that existing client and server implementations | |||
| that make use of X.509 certificates are not affected. | that make use of X.509 certificates are not affected. | |||
| The major changes from [RFC5081] are summarized in Appendix A. | These extensions are not backward-compatible with [RFC5081] and the | |||
| major differences are summarized in Appendix A. Although the OpenPGP | ||||
| CertificateType value is being reused by this memo with the same | ||||
| number as in [RFC5081] but different semantics, we believe that this | ||||
| causes no interoperability issues because the latter was not widely | ||||
| deployed. | ||||
| 2. Terminology | 2. Terminology | |||
| The term "OpenPGP key" is used in this document as in the OpenPGP | The term "OpenPGP key" is used in this document as in the OpenPGP | |||
| specification [RFC4880]. We use the term "OpenPGP certificate" to | specification [RFC4880]. We use the term "OpenPGP certificate" to | |||
| refer to OpenPGP keys that are enabled for authentication. | refer to OpenPGP keys that are enabled for authentication. | |||
| This document uses the same notation and terminology used in the TLS | This document uses the same notation and terminology used in the TLS | |||
| Protocol specification [RFC5246]. | Protocol specification [RFC5246]. | |||
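Review bot: the new paragraph in the Introduction has a grammar problem: "Although the OpenPGP CertificateType value is being reused ... but different semantics, we believe ..." combines "Although" with "but"; either drop "but" or restructure, for example "The OpenPGP CertificateType value is reused with the same number as in [RFC5081] but with different semantics; we believe this causes no interoperability issues because the latter was not widely deployed." The same paragraph writes "backward-compatible" while the preceding paragraph writes "backward compatible"; pick one form. The interoperability claim also rests only on an assertion about deployment rather than on protocol behaviour; since the memo states that it is not backward-compatible with [RFC5081] and that the same CertificateType number now carries different semantics, consider describing what an [RFC5081] peer and an implementation of this memo should expect when they meet, so the Security Considerations can address that case explicitly.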
| End of changes. 8 change blocks. | ||||
| 12 lines changed or deleted | 17 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||