| < draft-salter-rfc5430bis-00.txt | draft-salter-rfc5430bis-01.txt > | |||
|---|---|---|---|---|
| INTERNET-DRAFT M. Salter | INTERNET-DRAFT M. Salter | |||
| Obsoletes: RFC 5430 (if approved) National Security Agency | Obsoletes: RFC 5430 (if approved) National Security Agency | |||
| Intended Status: Informational R. Housley | Intended Status: Informational R. Housley | |||
| Vigil Security | Vigil Security | |||
| April 4, 2011 | September 30, 2011 | |||
| Suite B Profile for Transport Layer Security (TLS) | Suite B Profile for Transport Layer Security (TLS) | |||
| <draft-salter-rfc5430bis-00.txt> | <draft-salter-rfc5430bis-01.txt> | |||
| Abstract | Abstract | |||
| The United States government has published guidelines for "NSA Suite | The United States government has published guidelines for "NSA Suite | |||
| B Cryptography" that defines cryptographic algorithm policy for | B Cryptography" that defines cryptographic algorithm policy for | |||
| national security applications. This document defines a profile of | national security applications. This document defines a profile of | |||
| Transport Layer Security (TLS) version 1.2 that is fully compliant | Transport Layer Security (TLS) version 1.2 that is fully compliant | |||
| with Suite B. | with Suite B. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 05, 2011. | This Internet-Draft will expire on 2 April 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
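Review bot: The expiry line on the -01 side reads "2 April 2011", which is earlier than that version's own date of September 30, 2011; given the six-month validity stated in the paragraph just above it, the year looks wrong and should presumably be 2012.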
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 27 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction ...................................................3 | 1. Introduction ...................................................3 | |||
| 2. Conventions Used in This Document ..............................3 | 2. Conventions Used in This Document ..............................3 | |||
| 3. Suite B Requirements ...........................................4 | 3. Suite B Requirements ...........................................4 | |||
| 3.1. Minimum Levels of Security (minLOS).......................4 | 3.1. Minimum Levels of Security (minLOS).......................4 | |||
| 3.2. Suite B TLS Authentication................................5 | 3.2. Suite B TLS Authentication................................5 | |||
| 4. Suite B Compliance and Interoperability Requirements ...........6 | 4. Suite B Compliance and Interoperability Requirements ...........6 | |||
| 4.1. Acceptable Curves .........................................7 | 4.1. Acceptable Curves .........................................7 | |||
| 4.2. Certificates ..............................................7 | 4.2. Certificates ..............................................8 | |||
| 4.3. signature_algorithms Extension ............................7 | 4.3. signature_algorithms Extension ............................8 | |||
| 4.4. CertificateRequest Message ................................8 | 4.4. CertificateRequest Message ................................8 | |||
| 4.5. CertificateVerify Message .................................8 | 4.5. CertificateVerify Message .................................9 | |||
| 4.6. ServerKeyExchange Message Signature .......................8 | 4.6. ServerKeyExchange Message Signature .......................9 | |||
| 5. Security Considerations ........................................9 | 5. Security Considerations ........................................9 | |||
| 6. Acknowledgements ...............................................9 | 6. Acknowledgements ...............................................9 | |||
| 7. IANA Considerations ............................................9 | 7. IANA Considerations ...........................................10 | |||
| 8. References .....................................................9 | 8. References ....................................................10 | |||
| 8.1. Normative References ......................................9 | 8.1. Normative References .....................................10 | |||
| 8.2. Informative References ...................................10 | 8.2. Informative References ...................................10 | |||
| 9. Annex: A Transitional Suite B Profile .........................11 | 9. Annex: A Transitional Suite B Profile .........................11 | |||
| 1. Introduction | 1. Introduction | |||
| The United States government has posted the Fact Sheet on National | This document specifies the conventions for using National Security | |||
| Security Agency (NSA) Suite B Cryptography [NSA], and at the time of | Agency (NSA) Suite B Cryptography [SuiteB] with the Transport Layer | |||
| writing, it states: | Security (TLS) protocol and the Datagram Transport Layer Security | |||
| (DTLS) protocol. | ||||
| A Cryptographic Interoperability Strategy (CIS) was developed to | ||||
| find ways to increase assured rapid sharing of information both | ||||
| within the U.S. and between the U.S. and her partners through | ||||
| the use of a common suite of public standards, protocols, | ||||
| algorithms and modes referred to as the "Secure Sharing Suite" | ||||
| or S.3. The implementation of CIS will facilitate the development | ||||
| of a broader range of secure cryptographic products which will | ||||
| be available to a wide customer base. The use of selected | ||||
| public cryptographic standards and protocols and Suite B is the | ||||
| core of CIS. | ||||
| In 2005, NSA announced Suite B Cryptography which built upon the | ||||
| National Policy on the use of the Advanced Encryption Standard | ||||
| (AES) to Protect National Security Systems and National Security | ||||
| Information. In addition to the AES algorithm, Suite B includes | ||||
| cryptographic algorithms for key exchanges, digital signatures | ||||
| and hashing. Suite B cryptography has been selected from | ||||
| cryptography that has been approved by NIST for use by the U.S. | ||||
| Government and specified in NIST standards or recommendations. | ||||
| This document does not define any new cipher suites; instead, it | This document does not define any new cipher suites; instead, it | |||
| defines a Suite B compliant profile for use with TLS version 1.2 | defines a Suite B compliant profile for use with TLS version 1.2 | |||
| [RFC5246] or DTLS version 1.2 [4347bis] and the cipher suites defined | [RFC5246] or DTLS version 1.2 [4347bis] and the cipher suites defined | |||
| in [RFC5289]. This profile uses only Suite B algorithms. | in [RFC5289]. This profile uses only Suite B algorithms. | |||
| RFC 5430 defined an additional transitional profile for use with TLS | RFC 5430 defined an additional transitional profile for use with TLS | |||
| versions 1.0 [RFC2246] and 1.1 [RFC4346] or DTLS version 1.0 | versions 1.0 [RFC2246] and 1.1 [RFC4346] or DTLS version 1.0 | |||
| [RFC4347] and the cipher suites defined in [RFC4492]. When either | [RFC4347] and the cipher suites defined in [RFC4492]. When either | |||
| the client or the server does not support TLS version 1.2 and DTLS | the client or the server does not support TLS version 1.2 and DTLS | |||
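Review bot: The new opening paragraph of Section 1 brings DTLS into scope, but the Abstract still describes only "a profile of Transport Layer Security (TLS) version 1.2"; the Abstract should mention DTLS as well so the two agree. The citation tag also changes from [NSA] to [SuiteB] here, so the References section needs a matching [SuiteB] entry. Section 3's sentence beginning "The Fact Sheet on Suite B Cryptography requires" carries no tag and should cite [SuiteB], now that the quoted Fact Sheet text is removed.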
| skipping to change at page 3, line 52 ¶ | skipping to change at page 3, line 33 ¶ | |||
| transitional profile appears in the Annex of this document. | transitional profile appears in the Annex of this document. | |||
| 2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| We will use the notation "ECDSA-256" to represent the use of the | We will use the notation "ECDSA-256" to represent the use of the | |||
| ECDSA algorithm with the P-256 curve and the SHA-256 hash function. | ECDSA algorithm with the P-256 curve and the SHA-256 hash function. | |||
| Similarly, "ECDSA-384" will represent the use of the ECDSA | Similarly, "ECDSA-384" will represent the use of the ECDSA algorithm | |||
| algorithm with the P-384 curve and the SHA-384 hash function. | with the P-384 curve and the SHA-384 hash function. | |||
| 3. Suite B Requirements | 3. Suite B Requirements | |||
| The Fact Sheet on Suite B Cryptography requires key establishment | The Fact Sheet on Suite B Cryptography requires key establishment and | |||
| and authentication algorithms based on Elliptic Curve Cryptography | authentication algorithms based on Elliptic Curve Cryptography and | |||
| and encryption using AES [AES]. Suite B algorithms are defined to | encryption using AES [AES]. Suite B algorithms are defined to | |||
| support two minimum levels of security: 128 and 192 bits. | support two minimum levels of security: 128 and 192 bits. | |||
| In particular, Suite B includes: | In particular, Suite B includes: | |||
| Encryption: Advanced Encryption Standard (AES) [AES] -- | Encryption: Advanced Encryption Standard (AES) [AES] -- | |||
| FIPS 197 (with key sizes of 128 and 256 bits) | FIPS 197 (with key sizes of 128 and 256 bits) | |||
| Digital Signature: Elliptic Curve Digital Signature Algorithm | Digital Signature: Elliptic Curve Digital Signature Algorithm | |||
| (ECDSA) [DSS] - FIPS 186-3 (using the | (ECDSA) [DSS] - FIPS 186-3 (using the | |||
| curves with 256- and 384-bit prime moduli) | curves with 256- and 384-bit prime moduli) | |||
| Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) - NIST | Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) - NIST | |||
| Special Publication 800-56A [PWKE] (using the | Special Publication 800-56A [PWKE] (using | |||
| curves with 256- and 384-bit prime moduli) | the curves with 256- and 384-bit prime moduli) | |||
| The two elliptic curves used in Suite B each appear in the literature | The two elliptic curves used in Suite B each appear in the literature | |||
| under two different names. For sake of clarity, we list both names | under two different names. For sake of clarity, we list both names | |||
| below: | below: | |||
| Curve NIST name [SECG] name | Curve NIST name [SECG] name | |||
| -------------------------------- | -------------------------------- | |||
| P-256 nistp256 secp256r1 | P-256 nistp256 secp256r1 | |||
| P-384 nistp384 secp384r1 | P-384 nistp384 secp384r1 | |||
| skipping to change at page 4, line 48 ¶ | skipping to change at page 5, line 8 ¶ | |||
| 3.1. Minimum Levels of Security (minLOS) for Suite B TLS | 3.1. Minimum Levels of Security (minLOS) for Suite B TLS | |||
| Suite B provides two levels of cryptographic security, namely a | Suite B provides two levels of cryptographic security, namely a | |||
| 128-bit minimum level of security (minLOS_128) and a 192-bit minimum | 128-bit minimum level of security (minLOS_128) and a 192-bit minimum | |||
| level of security (minLOS_192). Each level defines a minimum | level of security (minLOS_192). Each level defines a minimum | |||
| strength that all cryptographic algorithms must provide. | strength that all cryptographic algorithms must provide. | |||
| The following combination of algorithms and key sizes are used in | The following combination of algorithms and key sizes are used in | |||
| Suite B TLS: | Suite B TLS: | |||
| Suite B Combination 1 Suite B Combination 2 | Suite B Combination 1 Suite B Combination 2 | |||
| -------------------------------- --------------------------------- | -------------------------------- -------------------------------- | |||
| AES with 128-bit key in GCM mode AES with 256-bit key in GCM mode | AES with 128-bit key in GCM mode AES with 256-bit key in GCM mode | |||
| ECDH using the 256-bit prime ECDH using the 384-bit prime | ECDH using the 256-bit prime ECDH using the 384-bit prime | |||
| modulus curve P-256 [DSS] modulus curve P-384 [DSS] | modulus curve P-256 [DSS] modulus curve P-384 [DSS] | |||
| TLS PRF with SHA-256 [SHS] TLS PRF with SHA-384 [SHS] | TLS PRF with SHA-256 [SHS] TLS PRF with SHA-384 [SHS] | |||
| Suite B TLS configured at a minimum level of security of | ||||
| 128 bits MUST use a TLS cipher suite satisfying either | ||||
| SuiteB_Combination_1 in its entirety or | Suite B TLS configured at a minimum level of security of 128 bits | |||
| SuiteB_Combination_2 in its entirety. | MUST use a TLS cipher suite satisfying either | |||
| Suite B TLS configured at a minimum level of security | SuiteB_Combination_1 in its entirety or SuiteB_Combination_2 in its | |||
| of 192 bits MUST use a TLS cipher suite satisfying | entirety. | |||
| SuiteB_Combination_2 in its entirety. | ||||
| The specific Suite B compliant cipher suites for each combination | Suite B TLS configured at a minimum level of security of 192 bits | |||
| are listed in Section 4. | MUST use a TLS cipher suite satisfying SuiteB_Combination_2 in its | |||
| entirety. | ||||
| The specific Suite B compliant cipher suites for each combination are | ||||
| listed in Section 4. | ||||
| For Suite B TLS, ECDH uses the Ephemeral Unified Model Scheme with | For Suite B TLS, ECDH uses the Ephemeral Unified Model Scheme with | |||
| cofactor set to 1 (see Section 6.1.2.2 in [PWKE]). | cofactor set to 1 (see Section 6.1.2.2 in [PWKE]). | |||
| To accommodate backward compatibility, a Suite B TLS client or | To accommodate backward compatibility, a Suite B TLS client or server | |||
| server MAY be configured to accept a cipher suite that is not part of | MAY be configured to accept a cipher suite that is not part of Suite | |||
| Suite B. However, whenever a Suite B TLS client and a Suite B | B. However, whenever a Suite B TLS client and a Suite B TLS server | |||
| TLS server establish a TLS version 1.2 session, Suite B | establish a TLS version 1.2 session, Suite B algorithms MUST be | |||
| algorithms MUST be employed. | employed. | |||
| 3.2 Suite B TLS Authentication | 3.2 Suite B TLS Authentication | |||
| Suite B TLS MUST use ECDSA for digital signatures; | Suite B TLS MUST use ECDSA for digital signatures; authentication | |||
| authentication methods other than ECDSA-256 and | methods other than ECDSA-256 and ECDSA-384 MUST NOT be used for TLS | |||
| ECDSA-384 MUST NOT be used for TLS authentication. If a relying | authentication. If a relying party receives a signature based on any | |||
| party receives a signature based on any other authentication | other authentication method, it MUST return a TLS error and stop the | |||
| method, it MUST return a TLS error and stop the TLS handshake. | TLS handshake. | |||
| A system compliant with the Suite B TLS and configured at a | A system compliant with the Suite B TLS and configured at a minimum | |||
| minimum level of security of 128 bits MUST use either ECDSA-256 or | level of security of 128 bits MUST use either ECDSA-256 or ECDSA-384 | |||
| ECDSA-384 for client or server authentication. One party can | for client or server authentication. One party can authenticate with | |||
| authenticate with ECDSA-256 when the other party authenticates with | ECDSA-256 when the other party authenticates with ECDSA-384. This | |||
| ECDSA-384. This flexibility allows interoperation between a client | flexibility allows interoperation between a client and a server that | |||
| and a server that have ECDSA authentication keys of different | have ECDSA authentication keys of different sizes. | |||
| sizes. | ||||
| Clients and servers in a system configured at a minimum level of | Clients and servers in a system configured at a minimum level of | |||
| security of 128 bits MUST be able to verify ECDSA-256 signatures | security of 128 bits MUST be able to verify ECDSA-256 signatures and | |||
| and SHOULD be able to verify ECDSA-384 signatures unless it is | SHOULD be able to verify ECDSA-384 signatures unless it is absolutely | |||
| absolutely certain that the implementation will never need to | certain that the implementation will never need to verify | |||
| verify certificates originating from an authority which uses an | certificates originating from an authority which uses an ECDSA-384 | |||
| ECDSA-384 signing key. | signing key. | |||
| A system compliant with the Suite B TLS and configured at a | A system compliant with the Suite B TLS and configured at a minimum | |||
| minimum level of security of 192 bits MUST use ECDSA-384 for client | level of security of 192 bits MUST use ECDSA-384 for client and | |||
| and server authentication. | server authentication. | |||
| Clients and servers in a system configured at a minimum level of | Clients and servers in a system configured at a minimum level of | |||
| security of 192 bits MUST be able to verify ECDSA-384 signatures. | security of 192 bits MUST be able to verify ECDSA-384 signatures. | |||
| In all cases, the client MUST authenticate the server. The server | In all cases, the client MUST authenticate the server. The server | |||
| MAY authenticate the client, as needed by the specific application. | MAY authenticate the client, as needed by the specific application. | |||
| 4. Suite B Compliance and Interoperability Requirements | 4. Suite B Compliance and Interoperability Requirements | |||
| TLS versions 1.1 [RFC4346] and earlier do not support Galois | TLS versions 1.1 [RFC4346] and earlier do not support Galois | |||
| CounterMode (GCM) cipher suites [RFC5289]. However, TLS version | CounterMode (GCM) cipher suites [RFC5289]. However, TLS version 1.2 | |||
| 1.2 [RFC5246] and later do support GCM. For Suite B TLS, GCM cipher | [RFC5246] and later do support GCM. For Suite B TLS, GCM cipher | |||
| suites MUST be used, therefore a Suite B TLS client MUST implement | suites MUST be used, therefore a Suite B TLS client MUST implement | |||
| TLS version 1.2 or later. | TLS version 1.2 or later. | |||
| A Suite B TLS client configured at a minimum level of security of | A Suite B TLS client configured at a minimum level of security of 128 | |||
| 128 bits MUST offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or | bits MUST offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or the | |||
| the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ciphersuite in the | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ciphersuite in the | |||
| ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |||
| ciphersuite is preferred and if offered, MUST appear before the | ciphersuite is preferred and if offered, MUST appear before the | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ciphersuite. | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ciphersuite. | |||
| If configured at a minimum level of security of 192 bits, the | If configured at a minimum level of security of 192 bits, the client | |||
| client MUST offer the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | MUST offer the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ciphersuite | |||
| ciphersuite and MUST NOT offer the | and MUST NOT offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ciphersuite. | ciphersuite. | |||
| One of these two cipher suites MUST be the first (most preferred) | One of these two cipher suites MUST be the first (most preferred) | |||
| cipher suites in the ClientHello message. A Suite B TLS client | cipher suites in the ClientHello message. A Suite B TLS client that | |||
| that offers interoperability with non-Suite B compliant servers MAY | offers interoperability with non-Suite B compliant servers MAY offer | |||
| offer additional cipher suites, but any additional cipher suites | additional cipher suites, but any additional cipher suites MUST | |||
| MUST appear after the two Suite B compliant cipher suites in the | appear after the two Suite B compliant cipher suites in the | |||
| ClientHello message. | ClientHello message. | |||
| A Suite B TLS server MUST implement TLS version 1.2 or later. | A Suite B TLS server MUST implement TLS version 1.2 or later. | |||
| A Suite B TLS server configured at a minimum level of security of | A Suite B TLS server configured at a minimum level of security of 128 | |||
| 128 bits MUST accept either the | bits MUST accept either the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite or the | cipher suite or the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite if it | suite if it is offered in the ClientHellomessage, with the | |||
| is offered in the ClientHellomessage, with the | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite being preferred. | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite being | ||||
| preferred. | ||||
| A Suite B TLS server configured at a minimum security level of 192 | A Suite B TLS server configured at a minimum security level of 192 | |||
| bits MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher | bits MUST accept the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher | |||
| suite if it is offered in the ClientHello message. | suite if it is offered in the ClientHello message. | |||
| If the server is not offered either of the Suite B cipher suites | If the server is not offered either of the Suite B cipher suites and | |||
| and interoperability with non-Suite B compliant clients is desired, | interoperability with non-Suite B compliant clients is desired, then | |||
| then the Suite B TLS server MAY accept another offered cipher | the Suite B TLS server MAY accept another offered cipher suite that | |||
| suite that is considered acceptable by the server administrator. | is considered acceptable by the server administrator. | |||
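Review bot: Two run-together words in the Section 4 text above survive the -01 reflow unchanged and should be fixed while these paragraphs are being touched: "CounterMode" in the first paragraph should read "Counter Mode", and "ClientHellomessage" in the 128-bit server paragraph should read "ClientHello message". In the same section, "MUST be the first (most preferred) cipher suites" should use the singular "cipher suite".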
| 4.1. Acceptable Curves | 4.1. Acceptable Curves | |||
| RFC 4492 defines a variety of elliptic curves. Suite B TLS | RFC 4492 defines a variety of elliptic curves. Suite B TLS | |||
| connections MUST use secp256r1(23) or secp384r1(24). These are | connections MUST use secp256r1(23) or secp384r1(24). These are the | |||
| the same curves that appear in FIPS 186-3 [DSS] as P-256 and P-384, | same curves that appear in FIPS 186-3 [DSS] as P-256 and P-384, | |||
| respectively. Secp256r1 MUST be used for the key exchange in all | respectively. Secp256r1 MUST be used for the key exchange in all | |||
| cipher suites in this specification using AES-128; secp384r1 MUST be | cipher suites in this specification using AES-128; secp384r1 MUST be | |||
| used for the key exchange in all cipher suites in this specification | used for the key exchange in all cipher suites in this specification | |||
| using AES-256. RFC 4492 requires that the uncompressed(0) form be | using AES-256. RFC 4492 requires that the uncompressed(0) form be | |||
| supported. The ansiX962_compressed_prime(1) point format MAY also be | supported. The ansiX962_compressed_prime(1) point format MAY also be | |||
| supported. | supported. | |||
| Clients desiring to negotiate only a Suite B TLS connection MUST | Clients desiring to negotiate only a Suite B TLS connection MUST | |||
| generate a "Supported Elliptic Curves Extension" containing only | generate a "Supported Elliptic Curves Extension" containing only the | |||
| the allowed curves. Clients operating at a minimum level of security | allowed curves. Clients operating at a minimum level of security of | |||
| of 128 bits MUST include secp256r1 and SHOULD include secp384r1 in | 128 bits MUST include secp256r1 and SHOULD include secp384r1 in the | |||
| the extension. Clients operating at a minimum level of security of | extension. Clients operating at a minimum level of security of 192 | |||
| 192 bits MUST include secp384r1 in the extension. In order to be able | bits MUST include secp384r1 in the extension. In order to be able to | |||
| to verify ECDSA signatures, a client and server in a system | verify ECDSA signatures, a client and server in a system configured | |||
| configured at a minimum level of security of 128 bits MUST support | at a minimum level of security of 128 bits MUST support secp256r1 and | |||
| secp256r1 and SHOULD support secp384r1 unless it is absolutely | SHOULD support secp384r1 unless it is absolutely certain that the | |||
| certain that the client and server will never need to use or verify | client and server will never need to use or verify certificates | |||
| certificates originating from an authority which uses an ECDSA-384 | originating from an authority which uses an ECDSA-384 signing key. A | |||
| signing key. A client and server in a system configured at a minimum | client and server in a system configured at a minimum level of 192 | |||
| level of 192 bits MUST support secp384r1. | bits MUST support secp384r1. | |||
| TLS connections that offer both Suite B and non-Suite B compliant | TLS connections that offer both Suite B and non-Suite B compliant | |||
| options MAY omit the extension or they MAY send the extension but | options MAY omit the extension or they MAY send the extension but | |||
| offer other curves as well as the appropriate Suite B ones. | offer other curves as well as the appropriate Suite B ones. | |||
| Servers desiring to negotiate a Suite B TLS connection SHOULD | Servers desiring to negotiate a Suite B TLS connection SHOULD check | |||
| check for the presence of the extension, but MUST NOT select a | for the presence of the extension, but MUST NOT select a non-Suite B | |||
| non-Suite B curve even if it is offered by the client. This allows | curve even if it is offered by the client. This allows a client that | |||
| a client that is willing to do either Suite B or non-Suite B TLS | is willing to do either Suite B or non-Suite B TLS connections to | |||
| connections to interoperate with a server that will only do | interoperate with a server that will only do Suite B TLS. If the | |||
| Suite B TLS. If the client does not advertise an acceptable curve, | client does not advertise an acceptable curve, the server MUST | |||
| the server MUST generate a fatal "handshake_failure" alert and | generate a fatal "handshake_failure" alert and terminate the | |||
| terminate the connection. Clients MUST check the chosen curve to | connection. Clients MUST check the chosen curve to make sure that it | |||
| make sure that it is one of the Suite B curves. | is one of the Suite B curves. | |||
| 4.2. Certificates | 4.2. Certificates | |||
| Server and client certificates used to establish a Suite B TLS | Server and client certificates used to establish a Suite B TLS | |||
| connection MUST be signed with ECDSA and MUST be compliant with the | connection MUST be signed with ECDSA and MUST be compliant with the | |||
| "Suite B Certificate and Certificate Revocation List (CRL) | "Suite B Certificate and Certificate Revocation List (CRL) Profile", | |||
| Profile", [RFC5759]. | [RFC5759]. | |||
| 4.3. signature_algorithms Extension | 4.3. signature_algorithms Extension | |||
| The signature_algorithms extension is defined in Section 7.4.1.4.1 | The signature_algorithms extension is defined in Section 7.4.1.4.1 of | |||
| of TLS version 1.2 [RFC5246]. A Suite B TLS version 1.2 or later | TLS version 1.2 [RFC5246]. A Suite B TLS version 1.2 or later client | |||
| client MUST include the signature_algorithms extension. A | MUST include the signature_algorithms extension. A Suite B TLS client | |||
| Suite B TLS client configured at a minimum level of security of 128 | configured at a minimum level of security of 128 bits MUST offer | |||
| bits MUST offer SHA-256 with ECDSA and SHOULD offer ECDSA with | SHA-256 with ECDSA and SHOULD offer ECDSA with SHA-384 in the | |||
| SHA-384 in the signature_algorithms extension unless it is absolutely | signature_algorithms extension unless it is absolutely certain that a | |||
| certain that a client will never need to use or verify certificates | client will never need to use or verify certificates originating from | |||
| originating from an authority which uses an ECDSA-384 signing key. | an authority which uses an ECDSA-384 signing key. A Suite B TLS | |||
| A Suite B TLS client configured at a minimum level of 192 bits MUST | client configured at a minimum level of 192 bits MUST offer ECDSA | |||
| offer ECDSA with SHA-384 in the signature_algorithms extension. | with SHA-384 in the signature_algorithms extension. | |||
| Following the guidance in [RFC5759], Suite B TLS connections MUST | Following the guidance in [RFC5759], Suite B TLS connections MUST | |||
| only accept signature algorithms ECDSA with either | only accept signature algorithms ECDSA with either SHA-256 or SHA-384 | |||
| SHA-256 or SHA-384 for certification path validation. (Note | for certification path validation. (Note that this is a change from | |||
| that this is a change from [RFC5430].) | [RFC5430].) | |||
| Other offerings MAY be included to indicate the signature | Other offerings MAY be included to indicate the signature algorithms | |||
| algorithms that are acceptable in cipher suites that are offered | that are acceptable in cipher suites that are offered for | |||
| for interoperability with servers that are not compliant with Suite | interoperability with servers that are not compliant with Suite B and | |||
| B and to indicate the signature algorithms that are acceptable for | to indicate the signature algorithms that are acceptable for | |||
| certification path validation in non-compliant Suite B TLS | certification path validation in non-compliant Suite B TLS | |||
| connections. | connections. | |||
| 4.4. CertificateRequest Message | 4.4. CertificateRequest Message | |||
| A Suite B TLS server configured at a minimum level of security of | A Suite B TLS server configured at a minimum level of security of 128 | |||
| 128 bits MUST include ECDSA with SHA-256 and SHOULD include | bits MUST include ECDSA with SHA-256 and SHOULD include ECDSA with | |||
| ECDSA with SHA-384 in the supported_signature_algorithms field of | SHA-384 in the supported_signature_algorithms field of the | |||
| the CertificateRequest message unless it is absolutely | CertificateRequest message unless it is absolutely certain that a | |||
| certain that a server will never need to verify certificates | server will never need to verify certificates originating from an | |||
| originating from an authority which uses an ECDSA-384 signing key. | authority which uses an ECDSA-384 signing key. A Suite B TLS server | |||
| A Suite B TLS server configured at a minimum level of security of | configured at a minimum level of security of 192 bits MUST include | |||
| 192 bits MUST include ECDSA with SHA-384 in the | ECDSA with SHA-384 in the supported_signature_algorithms field. | |||
| supported_signature_algorithms field. | ||||
| 4.5. CertificateVerify Message | 4.5. CertificateVerify Message | |||
| Using the definitions found in section 3.2, a Suite B TLS client | Using the definitions found in section 3.2, a Suite B TLS client MUST | |||
| MUST use ECDSA-256 or ECDSA-384 for the signature in | use ECDSA-256 or ECDSA-384 for the signature in the CertificateVerify | |||
| the CertificateVerify message. A Suite B TLS client configured | message. A Suite B TLS client configured at a minimum level of | |||
| at a minimum level of security of 128 bits MUST use ECDSA-256 or | security of 128 bits MUST use ECDSA-256 or ECDSA-384. A Suite B TLS | |||
| ECDSA-384. A Suite B TLS client configured at a minimum level of | client configured at a minimum level of security of 192 bits MUST use | |||
| security of 192 bits MUST use ECDSA-384. | ECDSA-384. | |||
| 4.6. ServerKeyExchange Message Signature | 4.6. ServerKeyExchange Message Signature | |||
| In the TLS_ECDHE_ECDSA-collection of cipher suites, the server | In the TLS_ECDHE_ECDSA-collection of cipher suites, the server sends | |||
| sends its ephemeral ECDH public key and a specification of the | its ephemeral ECDH public key and a specification of the | |||
| corresponding curve in the ServerKeyExchange message. These | corresponding curve in the ServerKeyExchange message. These | |||
| parameters MUST be signed with ECDSA using the server's private | parameters MUST be signed with ECDSA using the server's private key, | |||
| key, which corresponds to the public key in the server's | which corresponds to the public key in the server's certificate. | |||
| certificate. | ||||
| A Suite B TLS server MUST sign the ServerKeyExchange message using | A Suite B TLS server MUST sign the ServerKeyExchange message using | |||
| either ECDSA-256 or ECDSA-384. A system configured at a minimum | either ECDSA-256 or ECDSA-384. A system configured at a minimum | |||
| level of security of 128 bits MUST use either ECDSA-256 or ECDSA-384. | level of security of 128 bits MUST use either ECDSA-256 or ECDSA-384. | |||
| A system configured at a minimum level of security of 192-bits MUST | A system configured at a minimum level of security of 192-bits MUST | |||
| use ECDSA-384. | use ECDSA-384. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| Most of the security considerations for this document are described | Most of the security considerations for this document are described | |||
| in "The Transport Layer Security (TLS) Protocol Version 1.2" | in "The Transport Layer Security (TLS) Protocol Version 1.2" | |||
| [RFC5246], "Elliptic Curve Cryptography (ECC) Cipher Suites for | [RFC5246], "Elliptic Curve Cryptography (ECC) Cipher Suites for | |||
| Transport Layer Security (TLS)" [RFC4492], "AES Galois Counter Mode | Transport Layer Security (TLS)" [RFC4492], "AES Galois Counter Mode | |||
| (GCM) Cipher Suites for TLS" [RFC5288], and "TLS Elliptic Curve | (GCM) Cipher Suites for TLS" [RFC5288], and "TLS Elliptic Curve | |||
| Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)" | Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)" | |||
| [RFC5289]. Readers should consult those documents. | [RFC5289]. Readers should consult those documents. | |||
| In order to meet the goal of a consistent security level for the | In order to meet the goal of a consistent security level for the | |||
| entire cipher suite, Suite B TLS implementations MUST ONLY | entire cipher suite, Suite B TLS implementations MUST ONLY use the | |||
| use the curves defined in Section 4.2. Otherwise, it is possible to | curves defined in Section 4.2. Otherwise, it is possible to have a | |||
| have a set of symmetric algorithms with much weaker or stronger | set of symmetric algorithms with much weaker or stronger security | |||
| security properties than the asymmetric (ECC) algorithms. | properties than the asymmetric (ECC) algorithms. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Eric Rescorla for his work on | The authors would like to thank Eric Rescorla for his work on the | |||
| the original RFC 5430. | original RFC 5430. | |||
| This work was supported by the US Department of Defense. | This work was supported by the US Department of Defense. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| TBD. | None. | |||
| {{{ RFC Editor, please remove this section prior to publication. }}} | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [4347bis] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [4347bis] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security version 1.2", draft-ietf-tls-rfc4347-bis, July | Security version 1.2", draft-ietf-tls-rfc4347-bis, July | |||
| 2010. | 2010. | |||
| [AES] National Institute of Standards and Technology, | [AES] National Institute of Standards and Technology, | |||
| "Specification for the Advanced Encryption Standard | "Specification for the Advanced Encryption Standard | |||
| (AES)", FIPS 197, November 2001. | (AES)", FIPS 197, November 2001. | |||
| [DSS] National Institute of Standards and Technology, "Digital | [DSS] National Institute of Standards and Technology, "Digital | |||
| Signature Standard", FIPS 186-3,June 2009. | Signature Standard", FIPS 186-3, June 2009. | |||
| [PWKE] National Institute of Standards and Technology, | [PWKE] National Institute of Standards and Technology, | |||
| "Recommendation for Pair-Wise Key Establishment Schemes | "Recommendation for Pair-Wise Key Establishment Schemes | |||
| Using Discrete Logarithm Cryptography (Revised)", NIST | Using Discrete Logarithm Cryptography (Revised)", NIST | |||
| Special Publication 800-56A, March 2007. | Special Publication 800-56A, March 2007. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4347] Rescorla, E., and N. Modadugu, "Datagram Transport Layer | [RFC4347] Rescorla, E., and N. Modadugu, "Datagram Transport Layer | |||
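Review bot: Section 5 in -01 still reads "MUST ONLY use the curves defined in Section 4.2" and Section 4.3 reads "MUST only accept signature algorithms ECDSA with either SHA-256 or SHA-384"; neither is an RFC 2119 keyword form, so I would reword them as "MUST use only the curves defined in Section 4.2" and "MUST accept only ECDSA with either SHA-256 or SHA-384" to keep the requirement level unambiguous. The last sentence of Section 4.3 also carries over "non-compliant Suite B TLS connections", which reads as a Suite B connection that is non-compliant; "TLS connections that are not Suite B compliant" would match the earlier "servers that are not compliant with Suite B" in the same sentence.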
| skipping to change at page 10, line 33 ¶ | skipping to change at page 10, line 50 ¶ | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- | [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- | |||
| 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, | 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, | |||
| August 2008. | August 2008. | |||
| [RFC5759] Solinas, J. and Zieglar L., "Suite B Certificate and | [RFC5759] Solinas, J. and Zieglar L., "Suite B Certificate and | |||
| Certificate Revocation List (CRL) Profile", RFC 5759, | Certificate Revocation List (CRL) Profile", RFC 5759, | |||
| February 2010. | February 2010. | |||
| [SHS] National Institute of Standards and Technology, "Secure | [SHS] National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS 180-3,October 2008. | Hash Standard", FIPS 180-3,October 2008. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [NSA] National Security Agency, "Fact Sheet NSA Suite B | ||||
| Cryptography",February 2009, | ||||
| http://www.nsa.gov/ia/programs/suiteb_cryptography/. | ||||
| [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
| RFC 2246,February 1999. | RFC 2246,February 1999. | |||
| [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer | [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| Security (TLS) Protocol Version 1.1", RFC 4346, April | (TLS) Protocol Version 1.1", RFC 4346, April 2006. | |||
| 2006. | ||||
| [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | |||
| Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | |||
| August 2008. | August 2008. | |||
| [RFC5430] Salter, M., Rescorla, E., and R. Housley, "Suite B | [RFC5430] Salter, M., Rescorla, E., and R. Housley, "Suite B Profile | |||
| Profile for Transport Layer Security (TLS)", RFC 5430, | for Transport Layer Security (TLS)", RFC 5430, March 2009. | |||
| March 2009. | ||||
| [SECG] Brown, D., "SEC 2: Recommended Elliptic Curve Domain | [SECG] Brown, D., "SEC 2: Recommended Elliptic Curve Domain | |||
| Parameters", | Parameters", | |||
| http://www.secg.org/download/aid-784/sec2-v2.pdf, | http://www.secg.org/download/aid-784/sec2-v2.pdf, February | |||
| February 2010. | 2010. | |||
| [SuiteB] National Security Agency, "Fact Sheet NSA Suite B | ||||
| Cryptography",February 2009, | ||||
| http://www.nsa.gov/ia/programs/suiteb_cryptography/. | ||||
| 9. Annex: A Transitional Suite B Profile for TLS 1.1 and 1.0 | 9. Annex: A Transitional Suite B Profile for TLS 1.1 and 1.0 | |||
| A transitional profile is described for use with TLS version 1.0 | A transitional profile is described for use with TLS version 1.0 | |||
| [RFC2246], TLS version 1.1 [RFC4346], or DTLS version 1.0 [RFC4347] | [RFC2246], TLS version 1.1 [RFC4346], or DTLS version 1.0 [RFC4347] | |||
| and the cipher suites defined in [RFC4492]. This profile uses the | and the cipher suites defined in [RFC4492]. This profile uses the | |||
| Suite B cryptographic algorithms to the greatest extent possible | Suite B cryptographic algorithms to the greatest extent possible and | |||
| and provides backward compatibility. While the transitional | provides backward compatibility. While the transitional profile is | |||
| profile is not a Suite B Compliant implementation of TLS, it provides | not a Suite B Compliant implementation of TLS, it provides a | |||
| a transitional path towards the Suite B compliant Profile. | transitional path towards the Suite B compliant Profile. | |||
| The following combination of algorithms and key sizes are defined | The following combination of algorithms and key sizes are defined for | |||
| for use with the Suite B TLS transitional profile: | use with the Suite B TLS transitional profile: | |||
| Transitional Suite B Combination 1 Transitional Suite B Combination 2 | Transitional Suite B Combination 1 Transitional Suite B Combination 2 | |||
| ---------------------------------- --------------------------------- | ---------------------------------- ---------------------------------- | |||
| AES with 128-bit key in CBC mode AES with 256-bit key in CBC mode | AES with 128-bit key in CBC mode AES with 256-bit key in CBC mode | |||
| ECDH using the 256-bit prime ECDH using the 384-bit prime | ECDH using the 256-bit prime ECDH using the 384-bit prime | |||
| modulus curve P-256 [DSS] modulus curve P-384 [DSS] | modulus curve P-256 [DSS] modulus curve P-384 [DSS] | |||
| Standard TLS PRF Standard TLS PRF | Standard TLS PRF Standard TLS PRF | |||
| (with SHA-1 and MD5) (with SHA-1 and MD5) | (with SHA-1 and MD5) (with SHA-1 and MD5) | |||
| HMAC with SHA-1 for message HMAC with SHA-1 for message | HMAC with SHA-1 for message HMAC with SHA-1 for message | |||
| authentication authentication | authentication authentication | |||
| A Transitional Suite B TLS system configured at a minimum level of | A Transitional Suite B TLS system configured at a minimum level of | |||
| security of 128 bits MUST use a TLS cipher suite satisfying either | security of 128 bits MUST use a TLS cipher suite satisfying either | |||
| Transitional Suite B Combination 1 in its entirety or | Transitional Suite B Combination 1 in its entirety or Transitional | |||
| Transitional Suite B Combination 2 in its entirety. | Suite B Combination 2 in its entirety. | |||
| A Transitional Suite B TLS system configured at a minimum level of | A Transitional Suite B TLS system configured at a minimum level of | |||
| security of 192 bits MUST use a TLS cipher suite satisfying | security of 192 bits MUST use a TLS cipher suite satisfying | |||
| Transitional Suite B Combination 2 in its entirety. | Transitional Suite B Combination 2 in its entirety. | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA satisfy the requirements of | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA satisfy the requirements of | |||
| Transitional Suite B Combination 1 and Transitional Suite B | Transitional Suite B Combination 1 and Transitional Suite B | |||
| Combination 2, respectively. | Combination 2, respectively. | |||
| A Transitional Suite B TLS client MUST implement TLS version 1.1 or | A Transitional Suite B TLS client MUST implement TLS version 1.1 or | |||
| earlier. | earlier. | |||
| A Transitional Suite B TLS system configured at a minimum level of | A Transitional Suite B TLS system configured at a minimum level of | |||
| security of 128 bits, MUST offer the | security of 128 bits, MUST offer the | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite and/or the | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite and/or the | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the | |||
| ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ClientHello message. The TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher | |||
| cipher suite is preferred, and if it is offered, it MUST appear | suite is preferred, and if it is offered, it MUST appear before the | |||
| before the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite (if | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite (if present). | |||
| present). | ||||
| A Transitional Suite B TLS system configured at a minimum level of | A Transitional Suite B TLS system configured at a minimum level of | |||
| security of 192 bits MUST offer the | security of 192 bits MUST offer the | |||
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite in the ClientHello | |||
| ClientHello message. | message. | |||
| One of these Transitional Suite B cipher suites MUST be the | One of these Transitional Suite B cipher suites MUST be the first | |||
| first (most preferred) in the ClientHello message. | (most preferred) in the ClientHello message. | |||
| A Transitional Suite B client that offers interoperability with | A Transitional Suite B client that offers interoperability with | |||
| non-Suite B transitional servers MAY offer additional cipher | non-Suite B transitional servers MAY offer additional cipher suites. | |||
| suites. If any additional cipher suites are offered, they MUST | If any additional cipher suites are offered, they MUST appear after | |||
| appear after the Transitional Suite B cipher suites in the | the Transitional Suite B cipher suites in the ClientHello message. | |||
| ClientHello message. | ||||
| A Transitional Suite B TLS server MUST implement TLS version 1.1 or | A Transitional Suite B TLS server MUST implement TLS version 1.1 or | |||
| earlier. | earlier. | |||
| A Transitional Suite B TLS server configured at aminimum level of | A Transitional Suite B TLS server configured at a minimum level of | |||
| security of 128 bits MUST accept the | security of 128 bits MUST accept the | |||
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite (preferred) or | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipher suite (preferred) or the | |||
| the TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in | TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in the | |||
| the ClientHello message. | ClientHello message. | |||
| A Transitional Suite B TLS server configured at a minimum level of | A Transitional Suite B TLS server configured at a minimum level of | |||
| security of 192 bits MUST accept the | security of 192 bits MUST accept the | |||
| TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in the | TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA cipher suite if offered in the | |||
| ClientHello message. | ClientHello message. | |||
| If a Transitional Suite B TLS server is not offered the Transitional | If a Transitional Suite B TLS server is not offered the Transitional | |||
| Suite B cipher suites and interoperability with non-Transitional | Suite B cipher suites and interoperability with non-Transitional | |||
| Suite B clients is desired, then the server MAY accept another | Suite B clients is desired, then the server MAY accept another | |||
| offered cipher suite that is considered acceptable by the server | offered cipher suite that is considered acceptable by the server | |||
| administrator. | administrator. | |||
| A Transitional Suite B TLS server MUST sign the ServerKeyExchange | A Transitional Suite B TLS server MUST sign the ServerKeyExchange | |||
| message using ECDSA with SHA-1. The Transitional Suite B profile | message using ECDSA with SHA-1. The Transitional Suite B profile | |||
| does not impose any additional restrictions on the server | does not impose any additional restrictions on the server certificate | |||
| certificate signature or the signature schemes used elsewhere in | signature or the signature schemes used elsewhere in the | |||
| the certification path. Likewise, the Transitional Suite B Profile | certification path. Likewise, the Transitional Suite B Profile does | |||
| does not impose restrictions on signature schemes used in the | not impose restrictions on signature schemes used in the | |||
| certification path for the client's certificate when mutual | certification path for the client's certificate when mutual | |||
| authentication is employed. | authentication is employed. | |||
| Authors' Addresses | Authors' Addresses | |||
| Margaret Salter | Margaret Salter | |||
| National Security Agency | National Security Agency | |||
| 9800 Savage Rd. | 9800 Savage Rd. | |||
| Fort Meade 20755-6709 | Fort Meade 20755-6709 | |||
| USA | USA | |||
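Review bot: In the Annex, the two server paragraphs (128-bit and 192-bit minimum level) spell the suite "TLS_ECHDE_ECDSA_WITH_AES_256_CBC_SHA" in both -00 and -01, while every other occurrence is TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; -01 fixed "aminimum" in the same paragraph but left this, and a cipher suite name inside a MUST accept requirement should be corrected to ECDHE. The same pass could add the missing space after the comma in "FIPS 180-3,October 2008", "RFC 2246,February 1999" and "Cryptography",February 2009, as -01 already did for "FIPS 186-3, June 2009".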
| End of changes. 59 change blocks. | ||||
| 223 lines changed or deleted | 198 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||