summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2001-06-24 18:30:13 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2001-06-24 18:30:13 +0000
commit840e1d61f7cee3945631a1e7da87907964c7322f (patch)
treebd1fcc3be82f7990af39384845825f5811bfcec5 /doc
parent1825e73f1b022acab89bd3e56df668c1c1949074 (diff)
downloadgnutls-840e1d61f7cee3945631a1e7da87907964c7322f.tar.gz
added more up to date documentation
Diffstat (limited to 'doc')
-rw-r--r--doc/protocol/draft-ietf-pkix-ac509prof-05.txt2184
-rw-r--r--doc/protocol/draft-ietf-tls-camellia-00.txt232
-rw-r--r--doc/protocol/draft-ietf-tls-extensions-00.txt1176
-rw-r--r--doc/protocol/draft-ietf-tls-https-04.txt54
-rw-r--r--doc/protocol/draft-ietf-tls-misty1-00.txt183
-rw-r--r--doc/protocol/draft-ietf-tls-openpgp-01.txt (renamed from doc/protocol/draft-ietf-tls-openpgp-00.txt)26
-rw-r--r--doc/protocol/draft-ietf-tls-seedhas-00.txt223
-rw-r--r--doc/protocol/draft-ietf-tls-wireless-00.txt743
-rw-r--r--doc/protocol/rfc2817.txt731
9 files changed, 1920 insertions, 3632 deletions
diff --git a/doc/protocol/draft-ietf-pkix-ac509prof-05.txt b/doc/protocol/draft-ietf-pkix-ac509prof-05.txt
deleted file mode 100644
index 7bd8e4e54a..0000000000
--- a/doc/protocol/draft-ietf-pkix-ac509prof-05.txt
+++ /dev/null
@@ -1,2184 +0,0 @@
-
-
-
-PKIX Working Group S. Farrell
-INTERNET-DRAFT Baltimore Technologies
-Expires in six months R. Housley
- SPYRUS
- 8 August 2000
-
- An Internet Attribute Certificate
- Profile for Authorization
- <draft-ietf-pkix-ac509prof-05.txt>
-
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of [RFC2026].
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts. Internet-Drafts are draft documents valid for a maximum of
- six months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet- Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-Abstract
-
- This specification defines a profile for the use of X.509 Attribute
- Certificates in Internet Protocols. Attribute certificates may be
- used in a wide range of applications and environments covering a
- broad spectrum of interoperability goals and a broader spectrum of
- operational and assurance requirements. The goal of this document is
- to establish a common baseline for generic applications requiring
- broad interoperability as well as limited special purpose
- requirements. The profile places emphasis on attribute certificate
- support for Internet electronic mail, IPSec, and WWW security
- applications.
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 1]
-
-INTERNET-DRAFT August 2000
-
-
-Table of Contents
-
- Status of this Memo.............................................1
- Abstract........................................................1
- Table of Contents...............................................1
- 1. Introduction.................................................3
- 1.1 Delegation and AC chains...............................4
- 1.2 Attribute Certificate Distribution ("push" vs. "pull").4
- 1.3 Document Structure.....................................5
- 2. Terminology..................................................6
- 3. Requirements.................................................7
- 4. Attribute Certificate Profile................................8
- 4.1 X.509 Attribute Certificate Definition.................8
- 4.2 Profile of Standard Fields............................10
- 4.2.1 Version.........................................10
- 4.2.2 Holder..........................................10
- 4.2.3 Issuer..........................................11
- 4.2.4 Signature.......................................12
- 4.2.5 Serial Number...................................12
- 4.2.6 Validity Period.................................12
- 4.2.7 Attributes......................................13
- 4.2.8 Issuer Unique Identifier........................13
- 4.2.9 Extensions......................................13
- 4.3 Extensions............................................14
- 4.3.1 Audit Identity..................................14
- 4.3.2 AC Targeting....................................15
- 4.3.3 Authority Key Identifier........................16
- 4.3.4 Authority Information Access....................16
- 4.3.5 CRL Distribution Points.........................17
- 4.3.6 No Revocation Available.........................17
- 4.4 Attribute Types.......................................17
- 4.4.1 Service Authentication Information..............18
- 4.4.2 Access Identity.................................18
- 4.4.3 Charging Identity...............................19
- 4.4.4 Group...........................................19
- 4.4.5 Role............................................19
- 4.4.6 Clearance.......................................20
- 4.5 Profile of AC issuer's PKC............................21
- 5. Attribute Certificate Validation............................22
- 6. Revocation..................................................23
- 7. Optional Features...........................................24
- 7.1 Attribute Encryption..................................24
- 7.2 Proxying..............................................25
- 7.3 Use of ObjectDigestInfo...............................26
- 7.4 AA Controls...........................................27
- 8. Security Considerations.....................................29
- 9. References..................................................31
- Author's Addresses.............................................32
- Full Copyright Statement.......................................32
- Appendix A: Object Identifiers.................................33
- Appendix B: ASN.1 Module.......................................34
-
-
-
-Farrell & Housley [Page 2]
-
-INTERNET-DRAFT August 2000
-
-
-1. Introduction
-
- The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
- in this document are to be interpreted as described in [RFC2119].
-
- X.509 public key certificates (PKCs) [X.509-1997, X.509-2000,
- PKIXPROF] bind an identity and a public key. An attribute
- certificate (AC) is a structure similar to a PKC; the main
- difference being that the AC contains no public key. An AC may
- contain attributes that specify group membership, role, security
- clearance, or other authorization information associated with the AC
- holder. The syntax for the AC is defined in Recommendation X.509,
- making the term "X.509 certificate" ambiguous.
-
- Some people constantly confuse PKCs and ACs. An analogy may make the
- distinction clear. A PKC can be considered to be like a passport: it
- identifies the holder, tends to last for a long time, and should not
- be trivial to obtain. An AC is more like an entry visa: it is
- typically issued by a different authority and does not last for as
- long a time. As acquiring an entry visa typically requires
- presenting a passport, getting a visa can be a simpler process.
-
- Authorization information may be placed in a PKC extension or placed
- in a separate attribute certificate (AC). The placement of
- authorization information in PKCs is usually undesirable for two
- reasons. First, authorization information often does not have the
- same lifetime as the binding of the identity and the public key.
- When authorization information is placed in a PKC extension, the
- general result is the shortening of the PKC useful lifetime. Second,
- the PKC issuer is not usually authoritative for the authorization
- information. This results in additional steps for the PKC issuer to
- obtain authorization information from the authoritative source.
-
- For these reasons, it is often better to separate authorization
- information from the PKC. Yet, authorization information also needs
- to be bound to an identity. An AC provides this binding; it is
- simply a digitally signed (or certified) identity and set of
- attributes.
-
- An AC may be used with various security services, including access
- control, data origin authentication, and non-repudiation.
-
- PKCs can provide an identity to access control decision functions.
- However, in many contexts the identity is not the criterion that is
- used for access control decisions, rather the role or group-
- membership of the accessor is the criterion used. Such access
- control schemes are called role-based access control.
-
- When making an access control decision based on an AC, an access
- control decision function may need to ensure that the appropriate AC
- holder is the entity that has requested access. One way in which the
- linkage between the request or identity and the AC can be achieved
- is the inclusion of a reference to a PKC within the AC and the use
-
-Farrell & Housley [Page 3]
-
-INTERNET-DRAFT August 2000
-
-
- of the private key corresponding to the PKC for authentication
- within the access request.
-
- ACs may also be used in the context of a data origin authentication
- service and a non-repudiation service. In these contexts, the
- attributes contained in the AC provide additional information about
- the signing entity. This information can be used to make sure that
- the entity is authorized to sign the data. This kind of checking
- depends either on the context in which the data is exchanged or on
- the data that has been digitally signed.
-
-1.1 Delegation and AC chains
-
- The X.509 standard [X.509-2000] defines authorization as the
- "conveyance of privilege from one entity that holds such privilege,
- to another entity". An AC is one authorization mechanism.
-
- An ordered sequence of ACs could be used to verify the authenticity
- of a privilege asserter's privilege. In this way, chains or paths of
- ACs could be employed to delegate authorization.
-
- Since the administration and processing associated with such AC
- chains is complex and the use of ACs in the Internet today is quite
- limited, this specification does NOT RECOMMEND the use of AC chains.
- Other (future) specifications may address the use of AC chains. This
- specification deals with the simple cases where one authority issues
- all of the ACs for a particular set of attributes. However, this
- simplification does not preclude the use of several different
- authorities, each of which manages a different set of attributes.
- For example, group membership may be included in one AC issued by
- one authority, and security clearance may be included in another AC
- issued by another authority.
-
- This means that conformant implementations are only REQUIRED to be
- able to process a single AC at a time. Processing of more than one
- AC, one after another, may be necessary. Note however, that
- validation of an AC MAY require validation of a chain of PKCs, as
- specified in [PKIXPROF].
-
-1.2 Attribute Certificate Distribution ("push" vs. "pull")
-
- As discussed above, ACs provide a mechanism to securely provide
- authorization information to, for example, access control decision
- functions. However, there are a number of possible communication
- paths for ACs.
-
- In some environments it is suitable for a client to "push" an AC to
- a server. This means that no new connections between the client and
- server are required. It also means that no search burden is imposed
- on servers, which improves performance and that the AC verifier is
- only presented with what it "needs to know." In inter-domain cases
- where the client's rights should be assigned within client's "home"
- domain, the "push" model is especially suitable.
-
-Farrell & Housley [Page 4]
-
-INTERNET-DRAFT August 2000
-
-
- In other cases, it is more suitable for a client simply to
- authenticate to the server and for the server to request or "pull"
- the client's AC from an AC issuer or a repository. A major benefit
- of the "pull" model is that it can be implemented without changes to
- the client or to the client-server protocol. The "pull" model is
- especially suitable for inter-domain cases where the client's rights
- should be assigned within the server's domain, rather than within
- the client's domain.
-
- There are a number of possible exchanges involving three entities:
- the client, the server, and the AC issuer. In addition, a directory
- service or other repository for AC retrieval MAY be supported.
-
- Figure 1 shows an abstract view of the exchanges that may involve
- ACs. This profile does not specify a protocol for these exchanges.
-
-
- +--------------+
- | | Server Acquisition
- | AC issuer +----------------------------+
- | | |
- +--+-----------+ |
- | |
- | Client |
- | Acquisition |
- | |
- +--+-----------+ +--+------------+
- | | AC "push" | |
- | Client +-------------------------+ Server |
- | | (part of app. protocol) | |
- +--+-----------+ +--+------------+
- | |
- | Client | Server
- | Lookup +--------------+ | Lookup
- | | | |
- +---------------+ Repository +---------+
- | |
- +--------------+
-
- Figure 1: AC Exchanges
-
-1.3 Document Structure
-
- Section 2 defines some terminology. Section 3 specifies the
- requirements that this profile is intended to meet.; Section 4
- contains the profile of the X.509 AC. Section 5 specifies rules for
- AC validation. Section 6 specifies rules for AC revocation checks.
- Section 7 specifies optional features which MAY be supported;
- however, support for these features is not required for conformance
- to this profile. Finally, appendices contain the list of OIDs
- required to support this specification and an ASN.1 module.
-
-
-
-Farrell & Housley [Page 5]
-
-INTERNET-DRAFT August 2000
-
-
-2. Terminology
-
- For simplicity, we use the terms client and server in this
- specification. This is not intended to indicate that ACs are only to
- be used in client-server environments. For example, ACs may be used
- in the S/MIME v3 context, where the mail user agent would be both a
- "client" and a "server" in the sense the terms are used here.
-
- Term Meaning
-
- AA Attribute Authority, the entity that issues the
- AC, synonymous in this specification with "AC
- issuer"
- AC Attribute Certificate
- AC user any entity that parses or processes an AC
- AC verifier any entity that checks the validity of an AC and
- then makes use of the result
- AC issuer the entity which signs the AC, synonymous in this
- specification with "AA"
- AC holder the entity indicated (perhaps indirectly) in the
- holder field of the AC
- Client the entity which is requesting the action for
- which authorization checks are to be made
- Proxying in this specification, Proxying is used to mean
- the situation where an application server acts as
- an application client on behalf of a user.
- Proxying here does not mean granting of authority.
- PKC Public Key Certificate - uses the type ASN.1
- Certificate defined in X.509 and profiled in RFC
- 2459. This (non-standard) acronym is used in order
- to avoid confusion about the term "X.509
- certificate".
- Server the entity which requires that the authorization
- checks are made
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 6]
-
-INTERNET-DRAFT August 2000
-
-
-3. Requirements
-
- This AC profile meets the following requirements.
-
- Time/Validity requirements:
-
- 1. Support for short-lived as well as long-lived ACs. Typical
- short-lived validity periods might be measured in hours, as
- opposed to months for PKCs. Short validity periods allow ACs to
- be useful without a revocation mechanism.
-
- Attribute Types:
-
- 2. Issuers of ACs should be able to define their own attribute
- types for use within closed domains.
- 3. Some standard attribute types should be defined which can be
- contained within ACs. Examples include "access identity,"
- "group," "role," "clearance," "audit identity," and "charging
- identity."
- 4. Standard attribute types should be defined in a manner that
- permits an AC verifier to distinguish between uses of the same
- attribute in different domains. For example, the
- "Administrators group" as defined by Baltimore and the
- "Administrators group" as defined by SPYRUS should be easily
- distinguished.
-
- Targeting of ACs:
-
- 5. It should be possible to "target" an AC at one, or a small
- number of, servers. This means that a trustworthy non-target
- server will reject the AC for authorization decisions.
-
- Push vs. Pull
-
- 6. ACs should be defined so that they can either be "pushed" by
- the client to the server, or "pulled" by the server from a
- repository or other network service, including an online AC
- issuer.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 7]
-
-INTERNET-DRAFT August 2000
-
-
-4. Attribute Certificate Profile
-
- ACs may be used in a wide range of applications and environments
- covering a broad spectrum of interoperability goals and a broader
- spectrum of operational and assurance requirements. The goal of
- this document is to establish a common baseline for generic
- applications requiring broad interoperability and limited special
- purpose requirements. In particular, the emphasis will be on
- supporting the use of attribute certificates for informal Internet
- electronic mail, IPSec, and WWW applications.
-
- This section presents a profile for ACs that will foster
- interoperability. This section also defines some private extensions
- for the Internet community.
-
- While the ISO/IEC/ITU documents use the 1993 (or later) version of
- ASN.1; this document uses the 1988 ASN.1 syntax, as has been done
- for PKCs [PKIXPROF]. The encoded certificates and extensions from
- either ASN.1 version are bit-wise identical.
-
- Where maximum lengths for fields are specified, these lengths refer
- to the DER encoding and do not include the ASN.1 tag or length
- fields.
-
- Conforming implementations MUST support the profile specified in
- this section.
-
-4.1 X.509 Attribute Certificate Definition
-
- X.509 contains the definition of an AC given below. All types that
- are not defined in this document can be found in [PKIXPROF].
-
- AttributeCertificate ::= SEQUENCE {
- acinfo AttributeCertificateInfo,
- signatureAlgorithm AlgorithmIdentifier,
- signatureValue BIT STRING
- }
-
- AttributeCertificateInfo ::= SEQUENCE {
- version AttCertVersion DEFAULT v1,
- holder Holder,
- issuer AttCertIssuer,
- signature AlgorithmIdentifier,
- serialNumber CertificateSerialNumber,
- attrCertValidityPeriod AttCertValidityPeriod,
- attributes SEQUENCE OF Attribute,
- issuerUniqueID UniqueIdentifier OPTIONAL,
- extensions Extensions OPTIONAL
- }
-
- AttCertVersion ::= INTEGER { v1(0), v2(1) }
-
-
-
-Farrell & Housley [Page 8]
-
-INTERNET-DRAFT August 2000
-
-
-
- Holder ::= SEQUENCE {
- baseCertificateID [0] IssuerSerial OPTIONAL,
- -- the issuer and serial number of
- -- the holder's Public Key Certificate
- entityName [1] GeneralNames OPTIONAL,
- -- the name of the claimant or role
- objectDigestInfo [2] ObjectDigestInfo OPTIONAL
- -- if present, version must be v2
- }
-
- ObjectDigestInfo ::= SEQUENCE {
- digestedObjectType ENUMERATED {
- publicKey (0),
- publicKeyCert (1),
- otherObjectTypes (2) },
- -- otherObjectTypes MUST NOT
- -- be used in this profile
- otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
- digestAlgorithm AlgorithmIdentifier,
- objectDigest BIT STRING
- }
-
- AttCertIssuer ::= CHOICE {
- v1Form GeneralNames, -- v1 or v2
- v2Form [0] V2Form -- v2 only
- }
-
- V2Form ::= SEQUENCE {
- issuerName GeneralNames OPTIONAL,
- baseCertificateID [0] IssuerSerial OPTIONAL,
- objectDigestInfo [1] ObjectDigestInfo OPTIONAL
- -- at least one of issuerName, baseCertificateID
- -- or objectDigestInfo MUST be present
- }
-
- IssuerSerial ::= SEQUENCE {
- issuer GeneralNames,
- serial CertificateSerialNumber,
- issuerUID UniqueIdentifier OPTIONAL
- }
-
- AttCertValidityPeriod ::= SEQUENCE {
- notBeforeTime GeneralizedTime,
- notAfterTime GeneralizedTime
- }
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 9]
-
-INTERNET-DRAFT August 2000
-
-
- Although the Attribute syntax is defined in [PKIXPROF], we repeat
- the definition here for convenience.
-
- Attribute ::= SEQUENCE {
- type AttributeType,
- values SET OF AttributeValue
- -- at least one value is required
- }
-
- AttributeType ::= OBJECT IDENTIFIER
-
- AttributeValue ::= ANY DEFINED BY AttributeType
-
- Implementers should note that the DER encoding (see [X.509-
- 1988],[X.208-1988]) of the SET OF values requires ordering of the
- encodings of the values. Though this issue arises with respect to
- distinguished names, and has to be handled by [PKIXPROF]
- implementations, its is much more significant in this context, since
- the inclusion of multiple values is much more common in ACs.
-
-4.2 Profile of Standard Fields
-
- For all GeneralName fields in this profile the otherName (except as
- noted below), x400Address, ediPartyName and registeredID options
- MUST NOT be used. The use of Kerberos [KRB] principal names,
- encoded into the otherName, SHOULD however, be supported using the
- krb5PrincipalName OID and the KerberosName syntax as defined in
- [PKINIT].
-
- Conforming implementations MUST be able to support the dNSName,
- directoryName, uniformResourceIdentifier, and iPAddress fields in
- all cases where GeneralName is used. This is compatible with the
- GeneralName requirements in [PKIXPROF] (mainly in section 4.2.1.7).
-
-4.2.1 Version
-
- The version field MUST be the default value of v1. That is, the
- version field is not present in the DER encoding, except when the
- holder is identified using the optional objectDigestInfo field, as
- specified in section 7.3.
-
-4.2.2 Holder
-
- For any environment where the AC is passed in an authenticated
- message or session and where the authentication is based on the use
- of an X.509 PKC, the holder field SHOULD use the baseCertificateID.
-
- With the baseCertificateID option, the holder's PKC serialNumber and
- issuer MUST be identical to the AC holder field. The PKC issuer MUST
- have a non-empty distinguished name which is to be present as the
- single value of the holder.baseCertificateID.issuer construct in the
- directoryName field. The AC holder.baseCertificateID.issuerUID field
- MUST only be used if the holder's PKC contains an issuerUniqueID
-
-Farrell & Housley [Page 10]
-
-INTERNET-DRAFT August 2000
-
-
- field. If both the AC holder.baseCertificateID.issuerUID and the PKC
- issuerUniqueID fields are present, then the same value MUST be
- present in both fields. Thus, the baseCertificateID is only usable
- with PKC profiles (like [PKIXPROF]) which mandate that the PKC
- issuer field contain a non-empty distinguished name value.
-
- Note: An empty distinguished name is a distinguished name where the
- SEQUENCE OF relative distinguished names is of zero length. In a DER
- encoding this has the value '3000'H.
-
- If the holder field uses the entityName option and the underlying
- authentication is based on a PKC, then the entityName MUST be the
- same as the PKC subject field, unless the PKC subject field contains
- an empty distinguished name. If the PKC subject field contains an
- empty distinguished name, then the entityName field MUST be
- identical to one of the values of the PKC subjectAltName field
- extension. Note that [PKIXPROF] mandates that the subjectAltNames
- extension be present if the PKC subject is an empty distinguished
- name. See the security consideration section which mentions some
- name collision problems that may arise when using the entityName
- option.
-
- In any other case where the holder field uses the entityName option,
- then only one name SHOULD be present.
-
- Implementations conforming to this profile are not required to
- support the use of the objectDigest field. However, section 7.3
- specifies how this optional feature MAY be used.
-
- Any protocol conforming to this profile SHOULD specify which AC
- holder option is to be used and how this fits with the supported
- authentication schemes defined in that protocol.
-
-4.2.3 Issuer
-
- ACs conforming to this profile MUST use the v1Form choice, which
- MUST contain one and only one GeneralName, which MUST contain a non-
- empty distinguished name in the directoryName field. This means that
- all AC issuers MUST have non-empty distinguished names.
-
- Part of the reason for the use of the v1Form field is that it means
- that the AC issuer does not have to know which PKC the AC verifier
- will use for it (the AC issuer). Using the baseCertificateID field
- to reference the AC issuer would mean that the AC verifier would
- have to trust the PKC that the AC issuer chose (for itself) at AC
- creation time.
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 11]
-
-INTERNET-DRAFT August 2000
-
-
-4.2.4 Signature
-
- Contains the algorithm identifier used to validate the AC signature.
-
- This MUST be one of the signing algorithms defined in [PKIXALGS].
-
- id-dsa-with-sha1 MUST be supported by all AC users. The other
- algorithms MAY be supported.
-
-4.2.5 Serial Number
-
- For any conforming AC, the issuer/serialNumber pair MUST form a
- unique combination, even if ACs are very short-lived.
-
- AC issuers MUST force the serialNumber to be a positive integer,
- that is, the sign bit in the DER encoding of the INTEGER value MUST
- be zero - this can be done by adding a leading (leftmost) '00'H
- octet if necessary. This removes a potential ambiguity in mapping
- between a string of octets and an integer value.
-
- Given the uniqueness and timing requirements above serial numbers
- can be expected to contain long integers. AC users MUST be able to
- handle serialNumber values longer than 4 octets. Conformant ACs MUST
- NOT contain serialNumber values longer than 20 octets.
-
- There is no requirement that the serial numbers used by any AC
- issuer follow any particular ordering, in particular, they need not
- be monotonically increasing with time. Each AC issuer MUST ensure
- that each AC that it issues contain a unique serial number.
-
-4.2.6 Validity Period
-
- The attrCertValidityPeriod (a.k.a. validity) field specifies the
- period for which the AC issuer certifies that the binding between
- the holder and the attributes fields will be valid.
-
- The generalized time type, GeneralizedTime, is a standard ASN.1 type
- for variable precision representation of time. The GeneralizedTime
- field can optionally include a representation of the time
- differential between the local time zone and Greenwich Mean Time.
-
- For the purposes of this profile, GeneralizedTime values MUST be
- expressed in Coordinated universal time (UTC) (also known as
- Greenwich Mean Time or Zulu)) and MUST include seconds (i.e., times
- are YYYYMMDDHHMMSSZ), even when the number of seconds is zero.
- GeneralizedTime values MUST NOT include fractional seconds.
- (Note: this is the same as specified in [PKIXPROF], section
- 4.1.2.5.2.)
-
- AC users MUST be able to handle an AC which, at the time of
- processing, has parts of its validity period or all its validity
- period in the past or in the future (a post-dated AC). This is valid
- for some applications, such as backup.
-
-Farrell & Housley [Page 12]
-
-INTERNET-DRAFT August 2000
-
-
-
-4.2.7 Attributes
-
- The attributes field gives information about the AC holder. When the
- AC is used for authorization this will often contain a set of
- privileges.
-
- The attributes field contains a SEQUENCE OF Attribute. Each
- Attribute MAY contain a SET OF values. For a given AC, each
- AttributeType OBJECT IDENTIFIER in the sequence MUST be unique. That
- is, only one instance of each attribute can occur in a single AC,
- but each instance can be multi-valued.
-
- AC users MUST be able to handle multiple values for all attribute
- types.
-
- An AC MUST contain at least one attribute. That is, the SEQUENCE OF
- Attributes MUST NOT be of zero length.
-
- Some standard attribute types are defined in section 4.5.
-
-4.2.8 Issuer Unique Identifier
-
- This field MUST NOT be used unless it is also used in the AC
- issuer's PKC, in which case it MUST be used. Note that [PKIXPROF]
- states that this field SHOULD NOT be used by conforming CAs, but
- that applications SHOULD be able to parse PKCs containing the field.
-
-4.2.9 Extensions
-
- The extensions field generally gives information about the AC as
- opposed to information about the AC holder.
-
- An AC that has no extensions conforms to the profile; however,
- section 4.3 defines the extensions that MAY be used with this
- profile, and whether or not they may be marked critical. If any
- other critical extension is used, then the AC does not conform to
- this profile. However, if any other non-critical extension is used,
- then the AC does conform to this profile.
-
- The extensions defined for ACs provide methods for associating
- additional attributes with holders. This profile also allows
- communities to define private extensions to carry information unique
- to those communities. Each extension in an AC may be designated as
- critical or non-critical. An AC using system MUST reject an AC if
- it encounters a critical extension it does not recognize; however, a
- non-critical extension may be ignored if it is not recognized.
- Section 4.3 presents recommended extensions used within Internet ACs
- and standard locations for information. Communities may elect to
- use additional extensions; however, caution should be exercised in
- adopting any critical extensions in ACs, which might prevent use in
- a general context.
-
-
-Farrell & Housley [Page 13]
-
-INTERNET-DRAFT August 2000
-
-
-4.3 Extensions
-
-4.3.1 Audit Identity
-
- In some circumstances it is required (e.g. by data protection/data
- privacy legislation) that audit trails do not contain records which
- directly identify individuals. This circumstance may make the use of
- the AC holder field unsuitable for use in audit trails.
-
- To allow for such cases, an AC MAY contain an audit identity
- extension. Ideally it SHOULD be infeasible to derive the AC holder's
- identity from the audit identity value without the co-operation of
- the AC issuer.
-
- The value of the audit identity along with the AC issuer/serial
- SHOULD then be used for audit/logging purposes. If the value of the
- audit identity is suitably chosen, then a server/service
- administrator can use audit trails to track the behavior of an AC
- holder without being able to identify the AC holder.
-
- The server/service administrator in combination with the AC issuer
- MUST be able to identify the AC holder in cases where misbehavior is
- detected. This means that the AC issuer MUST be able to determine
- the actual identity of the AC holder from the audit identity.
-
- Of course, auditing could be based on the AC issuer/serial pair;
- however, this method doesn't allow tracking the same AC holder with
- multiple ACs. Thus, an audit identity is only useful if it lasts for
- longer than the typical AC lifetime. Auditing could also be based on
- the AC holder's PKC issuer/serial; however, this will often allow
- the server/service administrator to identify the AC holder.
-
- As the AC verifier might otherwise use the AC holder or some other
- identifying value for audit purposes, this extension MUST be
- critical when used.
-
- Protocols that use ACs will often expose the identity of the AC
- holder in the bits on-the-wire. In such cases, an opaque audit
- identity does not make use of the AC anonymous, it simply ensures
- that the ensuing audit trails do not contain identifying
- information.
-
- The value of an audit identity MUST be longer than zero octets. The
- value of an audit identity MUST NOT be longer than 20 octets.
-
- name id-pe-ac-auditIdentity
- OID { id-pe 4 }
- syntax OCTET STRING
- criticality MUST be TRUE
-
-
-
-
-
-Farrell & Housley [Page 14]
-
-INTERNET-DRAFT August 2000
-
-
-4.3.2 AC Targeting
-
- To target an AC, the target information extension, imported from
- [X.509-2000], MAY be used to specify a number of servers/services.
- The intent is that the AC SHOULD only be usable at the specified
- servers/services. An (honest) AC verifier who is not amongst the
- named servers/services MUST reject the AC.
-
- If this extension is not present, then the AC is not targeted and
- may be accepted by any server.
-
- In this profile, the targeting information simply consists of a list
- of named targets or groups.
-
- The following syntax is used to represent the targeting information:
-
- Targets ::= SEQUENCE OF Target
-
- Target ::= CHOICE {
- targetName [0] GeneralName,
- targetGroup [1] GeneralName,
- targetCert [2] TargetCert
- }
-
- TargetCert ::= SEQUENCE {
- targetCertificate IssuerSerial,
- targetName GeneralName OPTIONAL,
- certDigestInfo ObjectDigestInfo OPTIONAL
- }
-
- The targetCert CHOICE within the Target structure is only present to
- allow future compatibility with [X.509-2000] and MUST NOT be used.
-
- The targets check passes if the current server (recipient) is one of
- the targetName fields in the Targets SEQUENCE, or if the current
- server is a member of one of the targetGroup fields in the Targets
- SEQUENCE. In this case, the current server is said to "match" the
- targeting extension.
-
- How the membership of a target within a targetGroup is determined is
- not defined here. It is assumed that any given target "knows" the
- names of the targetGroups to which it belongs or can otherwise
- determine its membership. For example, the targetGroup specifies a
- DNS domain, and the AC verifier knows the DNS domain to which it
- belongs. For another example, the targetGroup specifies "PRINTERS,"
- and the AC verifier knows whether or not it is a printer or print
- server.
-
- Note: [X.509-2000] defines the extension syntax as a "SEQUENCE OF
- Targets". Conforming AC issuer implementations MUST only produce one
- "Targets" element. Confirming AC users MUST be able to accept a
- "SEQUENCE OF Targets". If more than one Targets element is found in
-
-
-Farrell & Housley [Page 15]
-
-INTERNET-DRAFT August 2000
-
-
- an AC, then the extension MUST be treated as if all Target elements
- had been found within one Targets element.
-
- name id-ce-targetInformation
- OID { id-ce 55 }
- syntax SEQUENCE OF Targets
- criticality MUST be TRUE
-
-4.3.3 Authority Key Identifier
-
- The authorityKeyIdentifier extension, as profiled in [PKIXPROF], MAY
- be used to assist the AC verifier in checking the signature of the
- AC. The [PKIXPROF] description should be read as if "CA" meant "AC
- issuer." As with PKCs this extension SHOULD be included in ACs.
-
- Note: An AC where the issuer field used the baseCertificateID CHOICE
- would not need an authorityKeyIdentifier extension as it is
- explicitly linked to the key in the referred certificate. However,
- as this profile states (in section 4.2.3) that ACs MUST use the
- v1Form CHOICE, this duplication does not arise.
-
- name id-ce-authorityKeyIdentifier
- OID { id-ce 35 }
- syntax AuthorityKeyIdentifier
- criticality MUST be FALSE
-
-4.3.4 Authority Information Access
-
- The authorityInformationAccess extension, as defined in [PKIXPROF],
- MAY be used to assist the AC verifier in checking the revocation
- status of the AC. Support for the id-ad-caIssuers accessMethod is
- NOT REQUIRED by this profile since AC chains are not expected.
-
- The following accessMethod is used to indicate that revocation
- status checking is provided for this AC, using the OCSP protocol
- defined in [OCSP]:
-
- id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
-
- The accessLocation MUST contain a URI, and the URI MUST contain an
- HTTP URL [URL] that specifies the location of an OCSP responder. The
- AC issuer MUST, of course, maintain an OCSP responder at this
- location.
-
- name id-ce-authorityInfoAccess
- OID { id-pe 1 }
- syntax AuthorityInfoAccessSyntax
- criticality MUST be FALSE
-
-
-
-
-
-
-Farrell & Housley [Page 16]
-
-INTERNET-DRAFT August 2000
-
-
-4.3.5 CRL Distribution Points
-
- The crlDistributionPoints extension, as profiled in [PKIXPROF], MAY
- be used to assist the AC verifier in checking the revocation status
- of the AC. See section 6 for details on revocation.
-
- If the crlDistributionPoints extension is present, then exactly one
- distribution point MUST be present. The crlDistributionPoints
- extension MUST use the DistributionPointName option, which MUST
- contain a fullName, which MUST contain a single name form. That name
- MUST contain either a distinguished name or a URI. The URI MUST be
- either an HTTP URL or an LDAP URL [URL].
-
- name id-ce-cRLDistributionPoints
- OID { id-ce 31 }
- syntax CRLDistPointsSyntax
- criticality MUST be FALSE
-
-4.3.6 No Revocation Available
-
- The noRevAvail extension, defined in [X.509-2000], allows an AC
- issuer to indicate that no revocation information will be made
- available for this AC.
-
- This extension MUST be non-critical. An AC verifier that does not
- understand this extension might be able to find a revocation list
- from the AC issuer, but the revocation list will never include an
- entry for the AC.
-
- name id-ce-noRevAvail
- OID { id-ce 56 }
- syntax NULL (i.e. '0500'H is the DER encoding)
- criticality MUST be FALSE
-
-4.4 Attribute Types
-
- Some of the attribute types defined below make use of the
- IetfAttrSyntax type, also defined below. The reasons for using this
- type are:
-
- 1. It allows a separation between the AC issuer and the attribute
- policy authority. This is useful for situations where a single
- policy authority (e.g. an organization) allocates attribute
- values, but where multiple AC issuers are deployed for
- performance or other reasons.
- 2. The syntaxes allowed for values are restricted to OCTET STRING,
- OBJECT IDENTIFIER, and UTF8String, which significantly reduces
- the complexity associated with matching more general syntaxes.
- All multi-valued attributes using this syntax are restricted so
- that each value MUST use the same choice of value syntax. For
- example, AC issuers must not use one value with an oid and a
- second value with a string.
-
-
-Farrell & Housley [Page 17]
-
-INTERNET-DRAFT August 2000
-
-
- IetfAttrSyntax ::= SEQUENCE {
- policyAuthority [0] GeneralNames OPTIONAL,
- values SEQUENCE OF CHOICE {
- octets OCTET STRING,
- oid OBJECT IDENTIFIER,
- string UTF8String
- }
- }
-
- In the descriptions below, each attribute type is tagged as either
- "Multiple Allowed" or "One Attribute value only; multiple values
- within the IetfAttrSyntax". This refers to the SET OF
- AttributeValue, the AttributeType still only occurs once, as
- specified in section 4.2.7.
-
-4.4.1 Service Authentication Information
-
- The SvceAuthInfo attribute identifies the AC holder to the
- server/service by a name, and the attribute MAY include optional
- service specific authentication information. Typically this will
- contain a username/password pair for a "legacy" application.
-
- This attribute provides information that can be presented by the AC
- verifier to be interpreted and authenticated by a separate
- application within the target system. Note that this is a different
- use to that intended for the accessIdentity attribute in 4.4.2
- below.
-
- This attribute type will typically be encrypted when the authInfo
- field contains sensitive information, such as a password.
-
- name id-aca-authenticationInfo
- OID { id-aca 1 }
- Syntax SvceAuthInfo
- values: Multiple allowed
-
- SvceAuthInfo ::= SEQUENCE {
- service GeneralName,
- ident GeneralName,
- authInfo OCTET STRING OPTIONAL
- }
-
-4.4.2 Access Identity
-
- The accessIdentity attribute identifies the AC holder to the
- server/service. For this attribute the authInfo field MUST NOT be
- present.
-
- This attribute is intended to be used to provide information about
- the AC holder, that can be used by the AC verifier (or a larger
- system of which the AC verifier is a component) to authorize the
- actions of the AC holder within the AC verifier's system. Note that
-
-
-Farrell & Housley [Page 18]
-
-INTERNET-DRAFT August 2000
-
-
- this is a different use to that intended for the svceAuthInfo
- attribute described in 4.4.1 above.
-
- name id-aca-accessIdentity
- OID { id-aca 2 }
- syntax SvceAuthInfo
- values: Multiple allowed
-
-4.4.3 Charging Identity
-
- The chargingIdentity attribute identifies the AC holder for charging
- purposes. In general, the charging identity will be different from
- other identities of the holder. For example, the holder's company
- may be charged for service.
-
- name id-aca-chargingIdentity
- OID { id-aca 3 }
- syntax IetfAttrSyntax
- values: One Attribute value only; multiple values within the
- IetfAttrSyntax
-
-4.4.4 Group
-
- The group attribute carries information about group memberships of
- the AC holder.
-
- name id-aca-group
- OID { id-aca 4 }
- syntax IetfAttrSyntax
- values: One Attribute value only; multiple values within the
- IetfAttrSyntax
-
-4.4.5 Role
-
- The role attribute, specified in [X.509-2000], carries information
- about role allocations of the AC holder.
-
- The syntax used for this attribute is:
-
- RoleSyntax ::= SEQUENCE {
- roleAuthority [0] GeneralNames OPTIONAL,
- roleName [1] GeneralName
- }
-
- The roleAuthority field MAY be used to specify the issuing authority
- for the role specification certificate. There is no requirement that
- a role specification certificate necessarily exists for the
- roleAuthority. This differs from [X.500-2000], where the
- roleAuthority field is assumed to name the issuer of a role
- specification certificate. For example, to distinguish the
- administrator role as defined by "Baltimore" from that defined by
- "SPYRUS", one could put the value "administrator" in the roleName
-
-
-Farrell & Housley [Page 19]
-
-INTERNET-DRAFT August 2000
-
-
- field and the value "Baltimore" or "SPYRUS" in the roleAuthority
- field.
-
- The roleName field MUST be present, and roleName MUST use the
- uniformResourceIdentifier CHOICE of the GeneralName.
-
- name id-at-role
- OID { id-at 72 }
- syntax RoleSyntax
- values: Multiple allowed
-
-4.4.6 Clearance
-
- The clearance attribute, specified in [X.501-1993], carries
- clearance (associated with security labeling) information about the
- AC holder.
-
- The policyId field is used to identify the security policy to which
- the clearance relates. The policyId indicates the semantics of the
- classList and securityCategories fields.
-
- This specification includes the classList field exactly as is
- specified in [X.501-1993]. Additional security classification
- values, and their position in the classification hierarchy, may be
- defined by a security policy as a local matter or by bilateral
- agreement. The basic security classification hierarchy is, in
- ascending order: unmarked, unclassified, restricted, confidential,
- secret, and top-secret.
-
- An organization can develop its own security policy that defines
- security classification values and their meanings. However, the BIT
- STRING positions 0 through 5 are reserved for the basic security
- classification hierarchy.
-
- If present, the SecurityCategory field provides further
- authorization information. The security policy identified by the
- policyId field indicates the syntaxes that are allowed to be present
- in the securityCategories SET. An OBJECT IDENTIFIER identifies each
- of the allowed syntaxes. When one of these syntaxes is present in
- the securityCategories SET, the OBJECT IDENTIFIER associated with
- that syntax is carried in the SecurityCategory.type field.
-
- Clearance ::= SEQUENCE {
- policyId OBJECT IDENTIFIER,
- classList ClassList DEFAULT {unclassified},
- securityCategories
- SET OF SecurityCategory OPTIONAL
- }
-
- ClassList ::= BIT STRING {
- unmarked (0),
- unclassified (1),
- restricted (2)
-
-Farrell & Housley [Page 20]
-
-INTERNET-DRAFT August 2000
-
-
- confidential (3),
- secret (4),
- topSecret (5)
- }
-
- SecurityCategory ::= SEQUENCE {
- type [0] IMPLICIT OBJECT IDENTIFIER,
- value [1] ANY DEFINED BY type
- }
-
- -- This is the same as the original syntax which was defined
- -- using the MACRO construct, as follows:
- -- SecurityCategory ::= SEQUENCE {
- -- type [0] IMPLICIT SECURITY-CATEGORY,
- -- value [1] ANY DEFINED BY type
- -- }
- --
- -- SECURITY-CATEGORY MACRO ::=
- -- BEGIN
- -- TYPE NOTATION ::= type | empty
- -- VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
- -- END
-
-
-
- name { id-at-clearance }
- OID { joint-iso-ccitt(2) ds(5) module(1)
- selected-attribute-types(5) clearance (55) }
- syntax Clearance - imported from [X.501-1993]
- values Multiple allowed
-
-4.5 Profile of AC issuer's PKC
-
- The AC issuer's PKC MUST conform to [PKIXPROF], and the keyUsage
- extension in the PKC MUST NOT explicitly indicate that the AC
- issuer's public key cannot be used to validate a digital signature.
- In order to avoid confusion regarding serial numbers and
- revocations, an AC issuer MUST NOT also be a PKC Issuer. That is,
- an AC issuer cannot be a CA as well. So, the AC issuer's PKC MUST
- NOT have a basicConstraints extension with the cA BOOLEAN set to
- TRUE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 21]
-
-INTERNET-DRAFT August 2000
-
-
-5. Attribute Certificate Validation
-
- This section describes a basic set of rules that all valid ACs MUST
- satisfy. Some additional checks are also described which AC
- verifiers MAY choose to implement.
-
- To be valid an AC MUST satisfy all of the following:
-
- 1. The AC signature must be cryptographically correct, and the AC
- issuer's entire PKC certification path MUST be verified in
- accordance with [PKIXPROF].
- 2. The AC issuer's PKC MUST also conform to the profile specified
- in section 4.5 above.
- 3. The AC issuer MUST be directly trusted as an AC issuer (by
- configuration or otherwise).
- 4. The time for which the AC is being evaluated MUST be within the
- AC validity. If the evaluation time is equal to either
- notBeforeTime or notAfterTime, then the AC is timely and this
- check succeeds. Note that in some applications, the evaluation
- time MAY not be the same as the current time.
- 5. The AC targeting check MUST pass as specified in section 4.3.2.
- 6. If the AC contains an unsupported critical extension, then the
- AC MUST be rejected.
-
- Support for an extension in this context means:
-
- 1. The AC verifier MUST be able to parse the extension value.
- 2. Where the extension value SHOULD cause the AC to be rejected,
- the AC verifier MUST reject the AC.
-
- Additional Checks:
-
- 1. The AC MAY be rejected on the basis of further AC verifier
- configuration. For example, an AC verifier may be configured to
- reject ACs which contain or lack certain attributes.
- 2. If the AC verifier provides an interface that allows
- applications to query the contents of the AC, then the AC
- verifier MAY filter the attributes from the AC on the basis of
- configured information. For example, an AC verifier might be
- configured not to return certain attributes to certain servers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 22]
-
-INTERNET-DRAFT August 2000
-
-
-6. Revocation
-
- In many environments, the validity period of an AC is less than the
- time required to issue and distribute revocation information.
- Therefore, short-lived ACs typically do not require revocation
- support. However, long-lived ACs and environments where ACs enable
- high value transactions MAY require revocation support.
-
- Two revocation schemes are defined, and the AC issuer should elect
- the one that is best suited to the environment in which the AC will
- be employed.
-
- "Never revoke" scheme:
-
- ACs may be marked so that the relying party understands that no
- revocation status information will be made available. The
- noRevAvail extension is defined in section 4.3.6, and the
- noRevAvail extension MUST be present in the AC to indicate use
- of this scheme.
-
- Where no noRevAvail is not present, then the AC issuer is
- implicitly stating that revocation status checks are supported,
- and some revocation method MUST be provided to allow AC
- verifiers to establish the revocation status of the AC.
-
- "Pointer in AC" scheme:
-
- ACs may "point" to sources of revocation status information,
- using either an authorityInfoAccess extension or a
- crlDistributionPoints extension within the AC.
-
- For AC users, the "never revoke" scheme MUST be supported, and the
- "pointer in AC" scheme SHOULD be supported. If only the "never
- revoke" scheme is supported, then all ACs that do not contain a
- noRevAvail extension, MUST be rejected.
-
- For AC issuers, the "never revoke" scheme MUST be supported. If all
- ACs that will ever be issued by that AC issuer, will contain a
- noRevAvail extension, then the "pointer in AC" scheme need not be
- supported. If any AC can be issued that does not contain the
- noRevAvail extension, then the "pointer in AC" scheme MUST be
- supported.
-
-
- An AC verifier MAY use any source for AC revocation status
- information.
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 23]
-
-INTERNET-DRAFT August 2000
-
-
-7. Optional Features
-
- This section specifies features that MAY be implemented. Conformance
- to this profile does NOT require support for these features;
- however, if these features are offered, they MUST be offered as
- described below.
-
-7.1 Attribute Encryption
-
- Where an AC will be carried in clear within an application protocol
- or where an AC contains some sensitive information like a legacy
- application username/password, then encryption of AC attributes MAY
- be needed.
-
- When a set of attributes are to be encrypted within an AC, the
- Cryptographic Message Syntax, EnvelopedData structure [CMS] is used
- to carry the ciphertext and associated per-recipient keying
- information.
-
- This type of attribute encryption is targeted. Before the AC is
- signed, the attributes are encrypted for a set of predetermined
- recipients.
-
- The AC then contains the ciphertext inside its signed data. The
- EenvelopedData (id-envelopedData) ContentType is used, and the
- content field will contain the EnvelopedData type.
-
- The ciphertext is included in the AC as the value of an encAttrs
- attribute. Only one encAttrs attribute can be present in an AC;
- however, the encAttrs attribute MAY be multi-valued, and each of its
- values will contain an independent EnvelopedData.
-
- Each value can contain a set of attributes (each possibly a multi-
- valued attribute) encrypted for a set of predetermined recipients.
-
- The cleartext that is encrypted has the type:
-
- ACClearAttrs ::= SEQUENCE {
- acIssuer GeneralName,
- acSerial INTEGER,
- attrs SEQUENCE OF Attribute
- }
-
- The DER encoding of the ACClearAttrs structure is used as the
- encryptedContent field of the EnvelopedData. The DER encoding MUST
- be embedded in an OCTET STRING.
-
- The acIssuer and acSerial fields are present to prevent ciphertext
- stealing. When an AC verifier has successfully decrypted an
- encrypted attribute it MUST then check that the AC issuer and
- serialNumber fields contain the same values. This prevents a
- malicious AC issuer from copying ciphertext from another AC (without
- knowing its corresponding plaintext).
-
-Farrell & Housley [Page 24]
-
-INTERNET-DRAFT August 2000
-
-
-
- The procedure for an AC issuer when encrypting attributes is
- illustrated by the following (any other procedure that gives the
- same result MAY be used):
-
-
- 1. Identify the sets of attributes that are to be encrypted for
- each set of recipients.
- 2. For each attribute set which is to be encrypted:
- 2.1. Create an EnvelopedData structure for the data for this
- set of recipients.
- 2.2. Encode the ContentInfo containing the EnvelopedData as a
- value of the encAttrs attribute
- 2.3. Ensure the cleartext attributes are not present in the
- to-be-signed AC
- 3. Add the encAttrs (with its multiple values) to the AC
-
- Note that there may be more than one attribute of the same type (the
- same OBJECT IDENTIFIER) after decryption. That is, an AC MAY contain
- the same attribute type both in clear and in encrypted form (and
- indeed several times if the same recipient is associated with more
- than one EnvelopedData). One approach implementers may choose, would
- be to merge attributes values following decryption in order to re-
- establish the "once only" constraint.
-
- name id-aca-encAttrs
- OID { id-aca 6}
- Syntax ContentInfo
- values Multiple Allowed
-
- If an AC contains attributes apparently encrypted for the AC
- verifier, then the decryption process MUST not fail. If decryption
- does fail, then the AC MUST be rejected.
-
-7.2 Proxying
-
- When a server acts as a client for another server on behalf of the
- AC holder, the server MAY need to proxy an AC. Such proxying MAY
- have to be done under the AC issuer's control, so that not every AC
- is proxiable and so that a given proxiable AC can be proxied in a
- targeted fashion. Support for chains of proxies (with more than one
- intermediate server) MAY also be required. Note that this does not
- involve a chain of ACs.
-
- In order to meet this requirement we define another extension,
- ProxyInfo, similar to the targeting extension.
-
- When this extension is present, the AC verifier must check that the
- entity from which the AC was received was allowed to send it and
- that the AC is allowed to be used by this verifier.
-
- The proxying information consists of a set of proxy information,
- each of which is a set of targeting information. If the verifier and
-
-Farrell & Housley [Page 25]
-
-INTERNET-DRAFT August 2000
-
-
- the sender of the AC are both named in the same proxy set then the
- AC can be accepted (the exact rule is given below).
-
- The effect is that the AC holder can send the AC to any valid target
- which can then only proxy to targets which are in one of the same
- proxy sets as itself.
-
- The following data structure is used to represent the
- targeting/proxying information.
-
- ProxyInfo ::= SEQUENCE OF Targets
-
- As in the case of targeting, the targetCert CHOICE MUST NOT be used.
-
- A proxy check succeeds if either one of the conditions below is met:
-
- 1. The identity of the sender as established by the underlying
- authentication service matches the holder field of the AC, and the
- current server "matches" any one of the proxy sets. Recall that
- "matches" is as defined section 4.3.2.
-
- 2. The identity of the sender as established by the underlying
- authentication service "matches" one of the proxy sets (call it
- set "A"), and the current server is one of the targetName fields
- in the set "A", or the current server is a member of one of the
- targetGroup fields in set "A".
-
- When an AC is proxied more than once, a number of targets will be on
- the path from the original client, which is normally, but not
- always, the AC holder. In such cases, prevention of AC "stealing"
- requires that the AC verifier MUST check that all targets on the
- path are members of the same proxy set. It is the responsibility of
- the AC using protocol to ensure that a trustworthy list of targets
- on the path is available to the AC verifier.
-
- name id-pe-ac-proxying
- OID { id-pe 10 }
- syntax ProxyInfo
- criticality MUST be TRUE
-
-7.3 Use of ObjectDigestInfo
-
- In some environments, it may be required that the AC is not linked
- either to an identity (via entityName) or to a PKC (via
- baseCertificateID). The objectDigestInfo CHOICE in the holder field
- allows support for this requirement.
-
- If the holder is identified with the objectDigestInfo field, then
- the AC version field MUST contain v2 (the integer 1).
-
- The idea is to link the AC to an object by placing a hash of that
- object into the holder field of the AC. For example, this allows
- production of ACs that are linked to public keys rather than names.
-
-Farrell & Housley [Page 26]
-
-INTERNET-DRAFT August 2000
-
-
- It also allows production of ACs which contain privileges associated
- with an executable object such as a Java class. However, this
- profile only specifies how to use a hash over a public key or PKC.
- That is, conformant ACs MUST NOT use the otherObjectTypes value for
- the digestedObjectType.
-
- To link an AC to a public key, the hash must be calculated over the
- representation of that public key which would be present in a PKC,
- specifically, the input for the hash algorithm MUST be the DER
- encoding of a SubjectPublicKeyInfo representation of the key. Note:
- This includes the AlgorithmIdentifier as well as the BIT STRING. The
- rules given in [PKIXPROF] for encoding keys MUST be followed. In
- this case the digestedObjectType MUST be publicKey and the
- otherObjectTypeID field MUST NOT be present.
-
- Note that if the public key value used as input to the hash function
- has been extracted from a PKC, then it is possible that the
- SubjectPublicKeyInfo from that PKC is NOT the value which should be
- hashed. This can occur if DSA Dss-parms are inherited as described
- in section 7.3.3 of [PKIXPROF]. The correct input for hashing in
- this context will include the value of the parameters inherited from
- the CA's PKC, and thus may differ from the SubjectPublicKeyInfo
- present in the PKC.
-
- Implementations which support this feature MUST be able to handle
- the representations of public keys for the algorithms specified in
- section 7.3 of [PKIXPROF]. In this case the digestedObjectType MUST
- be publicKey and the otherObjectTypeID field MUST NOT be present.
-
- In order to link an AC to a PKC via a digest, the digest MUST be
- calculated over the DER encoding of the entire PKC, including the
- signature value. In this case the digestedObjectType MUST be
- publicKeyCert and the otherObjectTypeID field MUST NOT be present.
-
-7.4 AA Controls
-
- During AC validation a relying party has to answer the question: is
- this AC issuer trusted to issue ACs containing this attribute? The
- AAControls PKC extension MAY be used to help answer the question.
- The AAControls extension is intended to be used in CA and AC issuer
- PKCs.
-
- id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
-
- AAControls ::= SEQUENCE {
- pathLenConstraint INTEGER (0..MAX) OPTIONAL,
- permittedAttrs [0] AttrSpec OPTIONAL,
- excludedAttrs [1] AttrSpec OPTIONAL,
- permitUnSpecified BOOLEAN DEFAULT TRUE
- }
-
- AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
-
-
-Farrell & Housley [Page 27]
-
-INTERNET-DRAFT August 2000
-
-
- The AAControls extension is used as follows:
-
- The pathLenConstraint, if present, is interpreted as in [PKIXPROF].
- It restricts the allowed distance between the AA CA, (a CA directly
- trusted to include AAControls in its PKCs), and the AC issuer.
-
- The permittedAttrs field specifies a set of attribute types that any
- AC issuer below this AA CA is allowed to include in ACs. If this
- field is not present, it means that no attribute types are
- explicitly allowed.
-
- The excludedAttrs field specifies a set of attribute types that no
- AC issuer is allowed to include in ACs. If this field is not
- present, it means that no attribute types are explicitly disallowed.
-
- The permitUnSpecified field specifies how to handle attribute types
- which are not present in either the permittedAttrs or excludedAttrs
- fields. TRUE (the default) means that any unspecified attribute type
- is allowed in ACs; FALSE means that no unspecified attribute type is
- allowed.
-
- When AAControls are used, the following additional checks on an AA's
- PKC chain MUST all succeed for the AC to be valid:
-
- 1. Some CA on the ACs certificate path MUST be directly trusted to
- issue PKCs which precede the AC issuer in the certification
- path, call this CA the "AA CA".
- 2. All PKCs on the path from the AA CA down to and including the
- AC issuer's PKC MUST contain an AAControls extension; however,
- the AA CA's PKC need not contain this extension.
- 3. Only those attributes in the AC which are allowed according to
- all of the AAControls extension values in all of the PKCs from
- the AA CA to the AC issuer, may be used for authorization
- decisions, all other attributes MUST be ignored. This check
- MUST be applied to the set of attributes following attribute
- decryption, and the id-aca-encAttrs type MUST also be checked.
-
- name id-pe-aaControls
- OID { id-pe 6 }
- syntax AAControls
- criticality MAY be TRUE
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 28]
-
-INTERNET-DRAFT August 2000
-
-
-8. Security Considerations
-
- The protection afforded for private keys is a critical factor in
- maintaining security. Failure of AC issuers to protect their
- private keys will permit an attacker to masquerade as them,
- potentially generating false ACs or revocation status. Existence of
- bogus ACs and revocation status will undermine confidence in the
- system. If the compromise is detected, all ACs issued by the AC
- issuer MUST be revoked. Rebuilding after such a compromise will be
- problematic, so AC issuers are advised to implement a combination of
- strong technical measures (e.g., tamper-resistant cryptographic
- modules) and appropriate management procedures (e.g., separation of
- duties) to avoid such an incident.
-
- Loss of an AC issuer's private signing key may also be problematic.
- The AC issuer would not be able to produce revocation status or
- perform AC renewal. AC issuers are advised to maintain secure backup
- for signing keys. The security of the key backup procedures is a
- critical factor in avoiding key compromise.
-
- The availability and freshness of revocation status will affect the
- degree of assurance that should be placed in a long-lived AC. While
- long-lived ACs expire naturally, events may occur during its natural
- lifetime which negate the binding between the AC holder and the
- attributes. If revocation status is untimely or unavailable, the
- assurance associated with the binding is clearly reduced.
-
- The binding between an AC holder and attributes cannot be stronger
- than the cryptographic module implementation and algorithms used to
- generate the signature. Short key lengths or weak hash algorithms
- will limit the utility of an AC. AC issuers are encouraged to note
- advances in cryptology so they can employ strong cryptographic
- techniques.
-
- Inconsistent application of name comparison rules may result in
- acceptance of invalid targeted or proxied ACs, or rejection of valid
- ones. The X.500 series of specifications defines rules for
- comparing distinguished names. These rules require comparison of
- strings without regard to case, character set, multi-character white
- space substrings, or leading and trailing white space. This
- specification and [PKIXPROF] relaxes these requirements, requiring
- support for binary comparison at a minimum.
-
- AC issuers MUST encode the distinguished name in the AC
- holder.entityName field identically to the distinguished name in the
- holder's PKC. If different encodings are used, implementations of
- this specification may fail to recognize that the AC and PKC belong
- to the same entity.
-
- Implementers MUST ensure that following validation of an AC, only
- attributes that the issuer is trusted to issue are used in
- authorization decisions. Other attributes, which MAY be present MUST
- be ignored. Given that the AA controls PKC extension is optional to
-
-Farrell & Housley [Page 29]
-
-INTERNET-DRAFT August 2000
-
-
- implement, AC verifiers MUST be provided with this information by
- other means. Configuration information is a likely alternative
- means. This becomes very important if an AC verifier trusts more
- than one AC issuer.
-
- There is often a requirement to map between the authentication
- supplied by a particular security protocol (e.g. TLS, S/MIME) and
- the AC holder's identity. If the authentication uses PKCs, then this
- mapping is straightforward. However, it is envisaged that ACs will
- also be used in environments where the holder may be authenticated
- using other means. Implementers SHOULD be very careful in mapping
- the authenticated identity to the AC holder.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 30]
-
-INTERNET-DRAFT August 2000
-
-
-9. References
-
- [CMC] Myers, M., et al. "Certificate Management Messages over
- CMS", RFC2797.
- [CMP] Adams, C., Farrell, S., "Internet X.509 Public Key
- Infrastructure - Certificate Management Protocols",
- RFC2510.
- [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630.
- [ESS] Hoffman, P., "Enhanced Security Services for S/MIME",
- RFC2634.
- [KRB] Kohl, J., Neuman, C., "The Kerberos Network
- Authentication Service (V5)", RFC 1510.
- [LDAP] Wahl, M., et al., "Lightweight Directory Access Protocol
- (v3)", RFC 2251.
- [OCSP] Myers, M., et al., " X.509 Internet Public Key
- Infrastructure - Online Certificate Status Protocol -
- OCSP", RFC 2560.
- [PKIXALGS] Polk, T., Bassham, L., "Internet X.509 Public Key
- Infrastructure Representation of Public Keys and Digital
- Signatures in Internet X.509 Public Key Infrastructure
- Certificates", draft-ietf-pkix-pkalgs-00.txt, work-in-
- progress.
- [PKINIT] Tung, B., et al., "Public Key Cryptography for Initial
- Authentication in Kerberos", draft-ietf-cat-kerberos-pk-
- init-11.txt, work-in-progress.
- [PKIXPROF] Housley, R., Ford, W., Polk, T, & Solo, D., "Internet
- Public Key Infrastructure - X.509 Certificate and CRL
- Profile", draft-ietf-pkix-new-part1-02.txt, work-in-
- progress.
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", RFC 2026, BCP 9, October 1996.
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", RFC 2119.
- [URL] Berners-Lee, T., Masinter L., and M. McCahill., "Uniform
- Resource Locators (URL)", RFC 1738.
- [X.208-1988]CCITT Recommendation X.208: Specification of Abstract
- Syntax Notation One (ASN.1). 1988.
- [X.209-88] CCITT Recommendation X.209: Specification of Basic
- Encoding Rules for Abstract Syntax Notation One (ASN.1).
- 1988.
- [X.501-88] CCITT Recommendation X.501: The Directory - Models.
- 1988.
- [X.501-1993]ITU-T Recommendation X.501 : Information Technology -
- Open Systems Interconnection - The Directory: Models,
- 1993.
- [X.509-1988]CCITT Recommendation X.509: The Directory -
- Authentication Framework. 1988.
- [X.509-1997]ITU-T Recommendation X.509: The Directory -
- Authentication Framework. 1997.
- [X.509-2000]ITU-T Recommendation X.509: The Directory - Public-Key
- and Attribute Certificate Frameworks. 2000
-
-
-
-Farrell & Housley [Page 31]
-
-INTERNET-DRAFT August 2000
-
-
-Author's Addresses
-
- Stephen Farrell
- Baltimore Technologies
- 61/62 Fitzwilliam Lane
- Dublin 2
- IRELAND
-
- tel: +353-1-647-3000
- email: stephen.farrell@baltimore.ie
-
- Russell Housley
- SPYRUS
- 381 Elden Street
- Suite 1120
- Herndon, VA 20170
- USA
-
- tel: +1-703-707-0696
- email: housley@spyrus.com
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (date). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph
- are included on all such copies and derivative works. In addition,
- the ASN.1 module presented in Appendix B may be used in whole or in
- part without inclusion of the copyright notice. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process shall be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns. This
- document and the information contained herein is provided on an "AS
- IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
- FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
- NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
- WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-Farrell & Housley [Page 32]
-
-INTERNET-DRAFT August 2000
-
-
-Appendix A: Object Identifiers
-
- This (normative) appendix lists the new object identifiers which are
- defined in this specification. Some of these are required only for
- support of optional features and are not required for conformance to
- this profile. This specification mandates support for OIDs which
- have arc elements with values that are less than 2^32, (i.e. they
- MUST be between 0 and 4,294,967,295 inclusive) and SHOULD be less
- than 2^31 (i.e. less than or equal to 2,147,483,647). This allows
- each arc element to be represented within a single 32 bit word.
- Implementations MUST also support OIDs where the length of the
- dotted decimal (see [LDAP], section 4.1.2) string representation can
- be up to 100 bytes (inclusive). Implementations MUST be able to
- handle OIDs with up to 20 elements (inclusive). AA's SHOULD NOT
- issue ACs which contain OIDs that breach these requirements.
-
- The following OIDs are imported from [PKIXPROF]:
-
- id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
- id-mod OBJECT IDENTIFIER ::= { id-pkix 0 }
- id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
- id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
- id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
- id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
-
- The following new ASN.1 module OID is defined:
-
- id-mod-attribute-cert OBJECT IDENTIFIER ::= { id-mod 12 }
-
- The following AC extension OIDs are defined:
-
- id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
- id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
- id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
-
- The following PKC extension OIDs are defined:
-
- id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
-
- The following attribute OIDs are defined:
-
- id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
- id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
- id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
- id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
- id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
- id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
- id-at-role OBJECT IDENTIFIER ::= { id-at 72 }
- id-at-clearance OBJECT IDENTIFIER ::=
- { joint-iso-ccitt(2) ds(5) module(1)
- selected-attribute-types(5) clearance (55) }
-
-
-Farrell & Housley [Page 33]
-
-INTERNET-DRAFT August 2000
-
-
-Appendix B: ASN.1 Module
-
- PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-attribute-cert(12)}
-
-
- DEFINITIONS EXPLICIT TAGS ::=
-
- BEGIN
-
- -- EXPORTS ALL --
-
- IMPORTS
-
- -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
- -- PKIX Certificate Extensions
- Attribute, AlgorithmIdentifier, CertificateSerialNumber,
- Extensions, UniqueIdentifier,
- id-pkix, id-pe, id-kp, id-ad, id-at
- FROM PKIX1Explicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5)
- pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
-
- GeneralName, GeneralNames, id-ce
- FROM PKIX1Implicit88 {iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5)
- pkix(7) id-mod(0) id-pkix1-implicit-88(2)} ;
-
- id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
- id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
- id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
- id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
-
- id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
-
- id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
- id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
- id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
- id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
- -- { id-aca 5 } is reserved
- id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
-
- id-at-role OBJECT IDENTIFIER ::= { id-at 72}
- id-at-clearance OBJECT IDENTIFIER ::=
- { joint-iso-ccitt(2) ds(5) module(1)
- selected-attribute-types(5) clearance (55) }
-
- -- Uncomment this if using a 1988 level ASN.1 compiler
- -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-
- AttributeCertificate ::= SEQUENCE {
- acinfo AttributeCertificateInfo,
-
-Farrell & Housley [Page 34]
-
-INTERNET-DRAFT August 2000
-
-
- signatureAlgorithm AlgorithmIdentifier,
- signatureValue BIT STRING
- }
-
- AttributeCertificateInfo ::= SEQUENCE {
- version AttCertVersion DEFAULT v1,
- holder Holder,
- issuer AttCertIssuer,
- signature AlgorithmIdentifier,
- serialNumber CertificateSerialNumber,
- attrCertValidityPeriod AttCertValidityPeriod,
- attributes SEQUENCE OF Attribute,
- issuerUniqueID UniqueIdentifier OPTIONAL,
- extensions Extensions OPTIONAL
- }
-
- AttCertVersion ::= INTEGER {v1(0), v2(1) }
-
- Holder ::= SEQUENCE {
- baseCertificateID [0] IssuerSerial OPTIONAL,
- -- the issuer and serial number of
- -- the holder's Public Key Certificate
- entityName [1] GeneralNames OPTIONAL,
- -- the name of the claimant or role
- objectDigestInfo [2] ObjectDigestInfo OPTIONAL
- -- if present, version must be v2
- }
-
- ObjectDigestInfo ::= SEQUENCE {
- digestedObjectType ENUMERATED {
- publicKey (0),
- publicKeyCert (1),
- otherObjectTypes (2) },
- -- otherObjectTypes MUST NOT
- -- MUST NOT be used in this profile
- otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
- digestAlgorithm AlgorithmIdentifier,
- objectDigest BIT STRING
- }
-
- AttCertIssuer ::= CHOICE {
- v1Form GeneralNames, -- v1 or v2
- v2Form [0] V2Form -- v2 only
- }
-
- V2Form ::= SEQUENCE {
- issuerName GeneralNames OPTIONAL,
- baseCertificateID [0] IssuerSerial OPTIONAL,
- objectDigestInfo [1] ObjectDigestInfo OPTIONAL
- -- at least one of issuerName, baseCertificateID
- -- or objectDigestInfo must be present
- }
-
-
-Farrell & Housley [Page 35]
-
-INTERNET-DRAFT August 2000
-
-
- IssuerSerial ::= SEQUENCE {
- issuer GeneralNames,
- serial CertificateSerialNumber,
- issuerUID UniqueIdentifier OPTIONAL
- }
-
- AttCertValidityPeriod ::= SEQUENCE {
- notBeforeTime GeneralizedTime,
- notAfterTime GeneralizedTime
- }
-
- Targets ::= SEQUENCE OF Target
-
- Target ::= CHOICE {
- targetName [0] GeneralName,
- targetGroup [1] GeneralName,
- targetCert [2] TargetCert
- }
-
- TargetCert ::= SEQUENCE {
- targetCertificate IssuerSerial,
- targetName GeneralName OPTIONAL,
- certDigestInfo ObjectDigestInfo OPTIONAL
- }
-
- IetfAttrSyntax ::= SEQUENCE {
- policyAuthority[0] GeneralNames OPTIONAL,
- values SEQUENCE OF CHOICE {
- octets OCTET STRING,
- oid OBJECT IDENTIFIER,
- string UTF8String
- }
- }
-
- SvceAuthInfo ::= SEQUENCE {
- service GeneralName,
- ident GeneralName,
- authInfo OCTET STRING OPTIONAL
- }
-
- RoleSyntax ::= SEQUENCE {
- roleAuthority [0] GeneralNames OPTIONAL,
- roleName [1] GeneralName
- }
-
- Clearance ::= SEQUENCE {
- policyId OBJECT IDENTIFIER,
- classList ClassList DEFAULT {unclassified},
- securityCategories
- SET OF SecurityCategory OPTIONAL
- }
-
- ClassList ::= BIT STRING {
-
-Farrell & Housley [Page 36]
-
-INTERNET-DRAFT August 2000
-
-
- unmarked (0),
- unclassified (1),
- restricted (2),
- confidential (3),
- secret (4),
- topSecret (5)
- }
-
- SecurityCategory ::= SEQUENCE {
- type [0] IMPLICIT OBJECT IDENTIFIER,
- value [1] ANY DEFINED BY type
- }
-
- AAControls ::= SEQUENCE {
- pathLenConstraint INTEGER (0..MAX) OPTIONAL,
- permittedAttrs [0] AttrSpec OPTIONAL,
- excludedAttrs [1] AttrSpec OPTIONAL,
- permitUnSpecified BOOLEAN DEFAULT TRUE
- }
-
- AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
-
- ACClearAttrs ::= SEQUENCE {
- acIssuer GeneralName,
- acSerial INTEGER,
- attrs SEQUENCE OF Attribute
- }
-
- ProxyInfo ::= SEQUENCE OF Targets
-
- END
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell & Housley [Page 37]
- \ No newline at end of file
diff --git a/doc/protocol/draft-ietf-tls-camellia-00.txt b/doc/protocol/draft-ietf-tls-camellia-00.txt
deleted file mode 100644
index 50b2137ba2..0000000000
--- a/doc/protocol/draft-ietf-tls-camellia-00.txt
+++ /dev/null
@@ -1,232 +0,0 @@
-INTERNET-DRAFT S. Moriai
-TLS Working Group Nippon Telegraph and Telephone Corporation
-Expires April 2001 October 2000
-
-
- Addition of the Camellia Encryption Algorithm to TLS
-
- <draft-ietf-tls-camellia-00.txt>
-
-Status of this Memo
-
- This document is an Internet-Draft and is NOT offered in accordance
- with Section 10 of RFC2026, and the author does not provide the IETF
- with any rights other than to publish as an Internet-Draft.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other documents
- at any time. It is inappropriate to use Internet-Drafts as
- reference material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-Abstract
-
- This document proposes the addition of new cipher suites to the TLS
- protocol 1.0 to support the Camellia encryption algorithm as a bulk
- cipher algorithm.
-
-
-1. Introduction
-
- The demands placed on cryptographic primitives are changing: the
- required level of security is increasing to match the progress made
- in computational power and cryptanalytic techniques, and more
- efficiency on a wide variety of platforms is required as they are
- being implemented in a wide variety of applications. However, the
- TLS Protocol Version 1.0 [4] currently does not support cipher
- suites including 128-bit block ciphers that offer a high level of
- security and performance.
-
-MORIAI [Page 1]
-
-INTERNET-DRAFT Addition of Camellia to TLS October 2000
-
-
- Camellia is a block cipher with 128-bit block size and 128-, 192-,
- and 256-bit key sizes, i.e. the same interface specifications as the
- Advanced Encryption Standard (AES). The algorithm description is in
- [1] or [3]. Efficiency on both software and hardware platforms is a
- remarkable characteristic of Camellia in addition to its high level
- of security. It is confirmed that Camellia provides strong security
- against differential and linear cryptanalysis. An optimized
- implementation of Camellia in assembly language can encrypt on a
- Pentium III (800MHz) at the rate of more than 276 Mbits per second,
- which is much faster than the speed of an optimized DES
- implementation. In addition, a distinguishing feature is its small
- hardware design. The hardware design, which includes the parts for
- key scheduling, encryption and decryption, occupies approximately
- 11K gates, which is the smallest among all existing 128-bit block
- ciphers as far as we know [2].
-
- This document proposes the addition of new cipher suites to the TLS
- protocol 1.0 [4] to support Camellia as a bulk cipher algorithm.
- The proposed change is minimal, just the addition of a new option
- for bulk cipher algorithms.
-
-
-2. The CipherSuites
-
- We propose the following new cipher suites.
-
- CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x2F };
- CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x30 };
- CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x31 };
- CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x32 };
- CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x33 };
- CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA = { 0x00,0x34 };
-
- CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x35 };
- CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x36 };
- CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x37 };
- CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x38 };
- CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x39 };
- CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA = { 0x00,0x3A };
-
- CipherSuite TLS_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3B };
- CipherSuite TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3C };
- CipherSuite TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3D };
- CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3E };
- CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x3F };
- CipherSuite TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA = { 0x00,0x40 };
-
- Note: The above numeric definitions for CipherSuites have not yet
- been registered. The numeric definitions follow the numbers given
- in the CipherSuite of TLS standard [4].
-
-
-3. CipherSuite Definitions
-
-MORIAI [Page 2]
-
-INTERNET-DRAFT Addition of Camellia to TLS October 2000
-
-
-CipherSuite Is Key Cipher Hash
- Exportable Exchange
-
-TLS_RSA_WITH_CAMELLIA_CBC_128_SHA RSA CAMELLIA_CBC_128 SHA
-TLS_DH_DSS_WITH_CAMELLIA_CBC_128_SHA DH_DSS CAMELLIA_CBC_128 SHA
-TLS_DH_RSA_WITH_CAMELLIA_CBC_128_SHA DH_RSA CAMELLIA_CBC_128 SHA
-TLS_DHE_DSS_WITH_CAMELLIA_CBC_128_SHA DHE_DSS CAMELLIA_CBC_128 SHA
-TLS_DHE_RSA_WITH_CAMELLIA_CBC_128_SHA DHE_RSA CAMELLIA_CBC_128 SHA
-TLS_DH_anon_WITH_CAMELLIA_CBC_128_SHA DH_anon CAMELLIA_CBC_128 SHA
-
-TLS_RSA_WITH_CAMELLIA_CBC_192_SHA RSA CAMELLIA_CBC_192 SHA
-TLS_DH_DSS_WITH_CAMELLIA_CBC_192_SHA DH_DSS CAMELLIA_CBC_192 SHA
-TLS_DH_RSA_WITH_CAMELLIA_CBC_192_SHA DH_RSA CAMELLIA_CBC_192 SHA
-TLS_DHE_DSS_WITH_CAMELLIA_CBC_192_SHA DHE_DSS CAMELLIA_CBC_192 SHA
-TLS_DHE_RSA_WITH_CAMELLIA_CBC_192_SHA DHE_RSA CAMELLIA_CBC_192 SHA
-TLS_DH_anon_WITH_CAMELLIA_CBC_192_SHA DH_anon CAMELLIA_CBC_192 SHA
-
-TLS_RSA_WITH_CAMELLIA_CBC_256_SHA RSA CAMELLIA_CBC_256 SHA
-TLS_DH_DSS_WITH_CAMELLIA_CBC_256_SHA DH_DSS CAMELLIA_CBC_256 SHA
-TLS_DH_RSA_WITH_CAMELLIA_CBC_256_SHA DH_RSA CAMELLIA_CBC_256 SHA
-TLS_DHE_DSS_WITH_CAMELLIA_CBC_256_SHA DHE_DSS CAMELLIA_CBC_256 SHA
-TLS_DHE_RSA_WITH_CAMELLIA_CBC_256_SHA DHE_RSA CAMELLIA_CBC_256 SHA
-TLS_DH_anon_WITH_CAMELLIA_CBC_256_SHA DH_anon CAMELLIA_CBC_256 SHA
-
- Key Expanded Effective IV Block
- Cipher Type Material Key Material Key Bits Size Size
-
- CAMELLIA_CBC_128 Block 16 16 128 16 16
- CAMELLIA_CBC_192 Block 24 24 192 16 16
- CAMELLIA_CBC_256 Block 32 32 256 16 16
-
- Note: Key Exchange Algorithms and Hash Functions are defined in TLS.
-
-
-4. Security Considerations
-
- The security of Camellia was evaluated by utilizing state-of-the-art
- cryptanalytic techniques. We confirmed that Camellia has no
- differential and linear characteristics that hold with probability
- more than 2^(-128), which means that it is extremely unlikely that
- differential and linear attacks will succeed against Camellia.
- Moreover, Camellia was designed to offer security against other
- advanced cryptanalytic attacks including higher order differential
- attacks, interpolation attacks, related-key attacks, truncated
- differential attacks, and so on [3].
-
-
-5. Intellectual Property Statement
-
- Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon
- Telegraph and Telephone Corporation (NTT) have filed patent
- applications on the techniques used in the block cipher Camellia.
- For more information, please contact MISTY@isl.melco.co.jp and/or
-
-MORIAI [Page 3]
-
-INTERNET-DRAFT Addition of Camellia to TLS October 2000
-
- camellia@isl.ntt.co.jp.
-
-
-References
-
- [1] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
- J. Nakajima, and T. Tokita
- ``Specification of Camellia --- a 128-bit Block Cipher'',
- 2000. http://info.isl.ntt.co.jp/camellia/
-
- [2] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
- J. Nakajima, and T. Tokita
- ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
- Platforms'', 2000. http://info.isl.ntt.co.jp/camellia/
-
- [3] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
- J. Nakajima, and T. Tokita
- ``Camellia: A 128-Bit Block Cipher Suitable for Multiple
- Platforms --- Design and Analysis ---'', in Workshop Record
- of SAC 2000, Seventh Annual Workshop on Selected Areas in
- Cryptography, pp.41--54, 14-15 August 2000. (to appear in
- Lecture Notes in Computer Science of Spring-Verlag)
-
- [4] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC
- 2246, January 1999.
-
-Author's Addresses
-
- Shiho Moriai
- Nippon Telegraph and Telephone Corporation
- 1-1 Hikarinooka, Yokosuka, 239-0847, Japan
- Phone: +81-468-59-2007
- FAX: +81-468-59-3858
- Email: shiho@isl.ntt.co.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-MORIAI [Page 4]
-
-
-
-
-
diff --git a/doc/protocol/draft-ietf-tls-extensions-00.txt b/doc/protocol/draft-ietf-tls-extensions-00.txt
new file mode 100644
index 0000000000..38cd755b51
--- /dev/null
+++ b/doc/protocol/draft-ietf-tls-extensions-00.txt
@@ -0,0 +1,1176 @@
+
+
+
+
+TLS Working Group Simon Blake-Wilson, Certicom
+INTERNET-DRAFT Magnus Nystrom, RSA Security
+June 20, 2001 David Hopwood, Independent Consultant
+Expires December 20, 2001 Jan Mikkelsen, Transactionware
+Intended Category: Standards track Tim Wright, Vodafone
+
+
+ TLS Extensions
+
+ <draft-ietf-tls-extensions-00.txt>
+
+ Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026. Internet-Drafts are working
+ documents of the Internet Engineering Task Force (IETF), its areas,
+ and its working groups. Note that other groups may also distribute
+ working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or made obsolete by other documents at
+ any time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as work in progress.
+
+ The list of current Internet-Drafts may be found at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories may be found at
+ http://www.ietf.org/shadow.html.
+
+ Abstract
+
+ This document describes extensions that may be used to add
+ functionality to TLS. It provides both generic extension mechanisms
+ for the TLS handshake client and server hellos, and specific
+ extensions using these generic mechanisms.
+
+ The extensions may be used by TLS clients and servers. The extensions
+ are backwards compatible - communication is possible between TLS 1.0
+ clients that support the extensions and TLS 1.0 servers that do not
+ support the extensions, and vice versa.
+
+ This document is based on discussions within the TLS working group
+ and within the WAP security group.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [KEYWORDS].
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 1]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ Please send comments on this document to the TLS mailing list.
+
+ Table of Contents
+
+ 1. Introduction .............................................. 2
+ 2. General Extension Mechanisms .............................. 4
+ 2.1. Extended Client Hello ................................... 4
+ 2.2. Extended Server Hello ................................... 5
+ 2.3. Hello Extensions ........................................ 5
+ 2.4. Extensions to the handshake protocol .................... 6
+ 3. Specific Extensions ....................................... 7
+ 3.1. DNS Name Indication ..................................... 7
+ 3.2. Maximum Record Size Negotiation ......................... 8
+ 3.3. Client Certificate URLs ................................. 9
+ 3.4. Trusted CA Indication .................................. 11
+ 3.5. Truncated HMAC ......................................... 12
+ 3.6. OCSP Status Request..................................... 13
+ 4. Error alerts ............................................. 14
+ 5. Procedure for Defining New Extensions..................... 16
+ 6. Security Considerations .................................. 17
+ 6.1. Security of dns_name ................................... 17
+ 6.2. Security of max_record_size ............................ 17
+ 6.3. Security of client_certificate_url ..................... 18
+ 6.4. Security of trusted_ca_keys ............................ 18
+ 6.5. Security of truncated_hmac ............................. 19
+ 6.6. Security of status_request ............................. 19
+ 7. Internationalisation Considerations .......................19
+ 8. Intellectual Property Rights ............................. 20
+ 9. Acknowledgments .......................................... 20
+ 10. References ............................................... 20
+ 11. Authors' Addresses ....................................... 21
+
+1. Introduction
+
+ This document describes extensions that may be used to add
+ functionality to TLS. It provides both generic extension mechanisms
+ for the TLS handshake client and server hellos, and specific
+ extensions using these generic mechanisms.
+
+ TLS is now used in an increasing variety of operational environments
+ - many of which were not envisioned when the original design criteria
+ for TLS were determined. The extensions introduced in this document
+ are designed to enable TLS to operate as effectively as possible in
+ new environments like wireless networks.
+
+ Wireless environments often suffer from a number of constraints not
+ commonly present in wired environments - these constraints may
+ include bandwidth limitations, computational power limitations,
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 2]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ memory limitations, and battery life limitations.
+
+ The extensions described here focus on extending the functionality
+ provided by the TLS protocol message formats. Other issues, such as
+ the addition of new cipher suites, are deferred.
+
+ Specifically, the extensions described in this document are designed
+ to:
+
+ - Allow TLS clients to provide to the TLS server the DNS name of the
+ server they are contacting. This functionality is desirable to
+ facilitate secure connections to servers which host multiple
+ 'virtual' servers at a single underlying network address.
+
+ - Allow TLS clients and servers to negotiate the maximum record size
+ to be sent. This functionality is desirable as a result of memory
+ constraints among some clients, and bandwidth constraints among
+ some access networks.
+
+ - Allow TLS clients and servers to negotiate the use of client
+ certificate URLs. This functionality is desirable in order to
+ conserve memory on constrained clients.
+
+ - Allow TLS clients to indicate to TLS servers which CA root keys
+ they possess. This functionality is desirable in order to prevent
+ multiple handshake failures involving TLS clients which are only
+ able to store a small number of CA root keys due to memory
+ limitations.
+
+ - Allow TLS clients and servers to negotiate the use of truncated
+ MACs. This functionality is desirable in order to conserve
+ bandwidth in constrained access networks.
+
+ - Allow TLS clients and servers to negotiate that the server sends
+ the client an OCSP [OCSP] response during a TLS handshake. This
+ functionality is desirable in order to avoid sending a CRL over a
+ constrained access network and therefore save bandwidth.
+
+ In order to support the extensions above, general extension
+ mechanisms for the client hello message and the server hello message
+ are introduced.
+
+ The extensions described in this document may be used by TLS 1.0
+ clients and TLS 1.0 servers. The extensions are designed to be
+ backwards compatible - meaning that TLS 1.0 clients that support the
+ extensions can talk to TLS 1.0 servers that do not support the
+ extensions, and vice versa.
+
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 3]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ Backwards compatibility is primarily achieved via two considerations:
+
+ - Clients typically request the use of extensions via the extended
+ client hello message described in Section 2.1. TLS 1.0 [TLS]
+ requires servers to "accept" extended client hello messages, even
+ if the server does not "understand" the extension.
+
+ - For the specific extensions described here, no mandatory server
+ response is required when clients request extended functionality.
+
+ Note however, that although backwards compatibility is supported,
+ some constrained clients may be forced to reject communications with
+ servers that do not support the extensions as a result of the limited
+ capabilities of such clients.
+
+ The remainder of this document is organized as follows. Section 2
+ describes general extension mechanisms for the client hello and
+ server hello handshake messages. Section 3 describes specific
+ extensions to TLS 1.0. Section 4 describes new error alerts for use
+ with the TLS extensions. The final sections of the document address
+ IPR, security considerations, acknowledgements, and references.
+
+2. General Extension Mechanisms
+
+ This section presents general extension mechanisms for the TLS
+ handshake client hello and server hello messages.
+
+ These general extension mechanisms are necessary in order to enable
+ clients and servers to negotiate whether to use specific extensions,
+ and how to use specific extensions. The extension formats described
+ are based on [MAILING LIST].
+
+ Section 2.1 specifies the extended client hello message format,
+ Section 2.2 specifies the extended server hello message format, and
+ Section 2.3 describes the actual extension format used with the
+ extended client and server hellos.
+
+ 2.1. Extended Client Hello
+
+ The extended client hello message format MAY be sent in place of the
+ client hello message format when clients wish to request extended
+ functionality from servers. The extended client hello message format
+ is:
+
+ struct {
+ ProtocolVersion client_version;
+ Random random;
+ SessionID session_id;
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 4]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ CipherSuite cipher_suites<2..2^16-1>;
+ CompressionMethod compression_methods<1..2^8-1>;
+ Extension client_hello_extension_list<0..2^16-1>;
+ } ClientHello;
+
+ Here the new "client_hello_extension_list" field contains a list of
+ extensions. The actual "Extension" format is defined in Section 2.3.
+
+ In the event that clients request additional functionality using the
+ extended client hello, and this functionality is not supplied by the
+ server, clients MAY abort the handshake.
+
+ Note that TLS, Section 7.4.1.2, allows additional information to be
+ added to the client hello message. Thus the use of the extended
+ client hello defined above should not "break" existing TLS 1.0
+ servers.
+
+ 2.2. Extended Server Hello
+
+ The extended server hello message format MAY be sent in place of the
+ server hello message when the client has requested extended
+ functionality via the extended client hello message specified in
+ Section 2.1. The extended server hello message format is:
+
+ struct {
+ ProtocolVersion server_version;
+ Random random;
+ SessionID session_id;
+ CipherSuite cipher_suite;
+ CompressionMethod compression_method;
+ Extension server_hello_extension_list<0..2^16-1>;
+ } ServerHello;
+
+ Here the new "server_hello_extension_list" field contains a list of
+ extensions. The actual "Extension" format is defined in Section 2.3.
+
+ Note that the extended server hello message is only sent in response
+ to an extended client hello message. This prevents the possibility
+ that the extended server hello message could "break" existing TLS 1.0
+ clients.
+
+ 2.3. Hello Extensions
+
+ The extension format for extended client hellos and extended server
+ hellos is:
+
+ struct {
+ ExtensionType extensionType;
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 5]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ opaque extension_data<0..2^16-1>;
+ } Extension;
+
+ Here:
+
+ - "extensionType" identifies the particular extension type.
+
+ - "extension_data" contains information specific to the particular
+ extension type.
+
+ The extension types defined in this document are:
+
+ enum {
+ dns_name(0), max_record_size(1), client_certificate_url(2),
+ trusted_ca_keys(3), truncated_hmac(4), status_request(5),
+ (65535)
+ } ExtensionType;
+
+ Note that for all extension types (including those defined in
+ future), the extension type should appear in the extended server
+ hello only if the same extension type appeared in the corresponding
+ client hello. Thus clients MUST abort the handshake if they receive
+ an extension type in the extended server hello that they did not
+ request in the associated (extended) client hello.
+
+ Also note that when multiple extensions are present in the extended
+ client hello or the extended server hello, the extensions must appear
+ in the order identified in "ExtensionType". Thus clients and servers
+ MUST abort the handshake if they receive an extended hello message in
+ which the extensions are not in the correct order.
+
+ Finally note that all the extensions defined in this document are
+ relevant only when a session is initiated. Extensions appearing in
+ client and server hellos sent during session resumption MUST be
+ ignored, and the extension functionality negotiated during session
+ initiation applied to the resumed session.
+
+ 2.4. Extensions to the handshake protocol
+
+ This document suggests the use of two new handshake messages,
+ "CertificateURL" and "CertificateAndOCSPResponse". These messages are
+ described in Section 3.3 and Section 3.6, respectively. The new
+ handshake message structure therefore becomes:
+
+ enum {
+ hello_request(0), client_hello(1), server_hello(2),
+ certificate(11), server_key_exchange (12),
+ certificate_request(13), server_hello_done(14),
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 6]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ certificate_verify(15), client_key_exchange(16),
+ finished(20), certificate_url(21), ocsp_response(22), (255)
+ } HandshakeType;
+
+ struct {
+ HandshakeType msg_type; /* handshake type */
+ uint24 length; /* bytes in message */
+ select (HandshakeType) {
+ case hello_request: HelloRequest;
+ case client_hello: ClientHello;
+ case server_hello: ServerHello;
+ case certificate: Certificate;
+ case server_key_exchange: ServerKeyExchange;
+ case certificate_request: CertificateRequest;
+ case server_hello_done: ServerHelloDone;
+ case certificate_verify: CertificateVerify;
+ case client_key_exchange: ClientKeyExchange;
+ case finished: Finished;
+ case certificate_url: CertificateURL;
+ case ocsp_response: CertificateAndOCSPResponse;
+ } body;
+ } Handshake;
+
+3. Specific Extensions
+
+ This section describes the specific TLS extensions specified in this
+ document.
+
+ Note that any messages associated with these extensions that are sent
+ during the TLS handshake MUST be included in the hash calculations
+ involved in "Finished" messages.
+
+ Section 3.1 describes the extension of TLS to allow clients to
+ indicate which server they are contacting. Section 3.2 describes the
+ extension to provide maximum record size negotiation. Section 3.3
+ describes the extension to allow client certificate URLs. Section 3.4
+ describes the extension to allow clients to indicate which CA root
+ keys they possess. Section 3.5 describes the extension to allow the
+ use of truncated HMAC. Section 3.6 describes the extension to
+ support integration of OCSP into TLS handshakes.
+
+ 3.1. DNS Name Indication
+
+ TLS does not provide a mechanism for clients to tell servers the DNS
+ name of the server they are contacting. It may be desirable for
+ clients to provide this information to facilitate secure connections
+ to servers which host multiple 'virtual' servers at a single
+ underlying network address.
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 7]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ In order to provide the server DNS name, clients MAY include an
+ extension of type "dns_name" in the (extended) client hello. The
+ "extension_data" field of this extension shall contain:
+
+ opaque DNSName<1..2^16-1>;
+
+ "DNSName" contains the fully qualified domain name of the server, as
+ understood by the client. The domain name is represented as a byte
+ string using UTF-8 encoding [UTF8], without a trailing dot. (Note
+ that the use of UTF-8 here for encoding internationalized domain
+ names is independent of the choice of encoding for these names in the
+ DNS protocol. The latter has yet to be decided by the IETF
+ International Domain Name Working Group.)
+
+ Literal IPv4 and IPv6 addresses are not permitted.
+
+ It is RECOMMENDED that clients include an extension of type "DNSName"
+ in the client hello whenever they locate a server by its domain name.
+
+ Servers that receive a client hello containing the "dns_name"
+ extension, MAY use the information contained in the extension to
+ guide their selection of an appropriate certificate to return to the
+ client. In this event, the server shall include an extension of type
+ "dns_name" in the (extended) server hello. The "extension_data" field
+ of this extension shall be empty.
+
+ If the server understood the client hello extension but does not
+ recognize the DNS name as belonging to a domain it is responsible
+ for, it should send an unrecognised_domain alert (which may or may
+ not be fatal).
+
+ 3.2. Maximum Record Size Negotiation
+
+ TLS specifies a fixed maximum record size of 2^14 bytes. It may be
+ desirable for constrained clients to negotiate a smaller maximum
+ record size due to memory limitations or bandwidth limitations.
+
+ In order to negotiate smaller maximum record sizes, clients MAY
+ include an extension of type "max_record_size" in the (extended)
+ client hello. The "extension_data" field of this extension shall
+ contain:
+
+ enum{
+ 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ } MaxRecordSize;
+
+ whose value is the desired maximum record size. The allowed values
+ for this field are: 2^9, 2^10, 2^11, and 2^12.
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 8]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ Servers that receive an extended client hello containing a
+ "max_record_size" extension, MAY accept the requested maximum record
+ size by including an extension of type "max_record_size" in the
+ (extended) server hello. The "extension_data" field of this extension
+ shall contain "MaxRecordSize" whose value is the same as the
+ requested maximum record size.
+
+ Servers receiving maximum record size negotiation requests for values
+ other than the allowed values MUST abort the handshake with an
+ "illegal_parameter" alert. Similarly, clients receiving maximum
+ record size negotiation responses that differ from the size they
+ requested MUST also abort the handshake with an "illegal_parameter"
+ alert.
+
+ Once a maximum record size other than 2^14 has been successfully
+ negotiated, the client and server MUST immediately begin fragmenting
+ messages (including handshake messages), to ensure that no message
+ larger than the negotiated size is sent. Note that TLS already
+ requires clients and servers to support fragmentation of handshake
+ messages.
+
+ The negotiated size applies for the duration of the session including
+ session resumptions.
+
+ The negotiated size limits the input that the record layer may
+ process without fragmentation. Note that the output of the record
+ layer may be larger. For example, if the negotiated size is 2^9=512,
+ then for currently defined cipher suites (those defined in [TLS],
+ [KERB], and planned AES ciphersuites), the record layer output can be
+ at most 793 bytes: 5 bytes of headers, 512 bytes of application data,
+ 256 bytes of padding, and 20 bytes of MAC. This means that in this
+ event a TLS record layer peer receiving a TLS record layer message
+ larger than 793 bytes may discard the message and output an error
+ without decrypting the message. The exact error message sent will
+ depend on the size of the received message - either "record_overflow"
+ if the message is longer than 2^14+2048 bytes, or "decryption_failed"
+ otherwise.
+
+ 3.3. Client Certificate URLs
+
+ TLS specifies that when client authentication is performed, client
+ certificates are sent by clients to servers during the TLS handshake.
+ It may be desirable for constrained clients to send certificate URLs
+ in place of certificates so that they do not need to store their
+ certificates and can therefore save memory.
+
+ In order to negotiate to send certificate URLs to a server, clients
+ MAY include an extension of type "client_certificate_url" in the
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 9]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ (extended) client hello. The "extension_data" field of this extension
+ shall be empty.
+
+ (Note that it is necessary to negotiate use of client certificate
+ URLs in order to avoid "breaking" existing TLS 1.0 servers.)
+
+ Servers that receive an extended client hello containing a
+ "client_certificate_url" extension, MAY indicate that they are
+ willing to accept certificate URLs by including an extension of type
+ "client_certificate_url" in the (extended) server hello. The
+ "extension_data" field of this extension shall be empty.
+
+ After negotiation of the use of client certificate URLs has been
+ successfully completed (by exchanging hellos including
+ "client_certificate_url" extensions), clients MAY send a
+ "CertificateURL" message in place of a "Certificate" message:
+
+ struct {
+ URLAndHash url_and_hash_list<1..2^16-1>;
+ } CertificateURL;
+
+ struct {
+ opaque URL<1..2^16-1>;
+ CertHash certificate_hash;
+ } URLAndHash;
+
+ opaque CertHash[20];
+
+ Here "url_and_hash_list" contains a sequence of URLs and SHA-1
+ hashes, each URL referring to a single, DER-encoded X.509v3
+ certificate, and the SHA-1 hash of that certificate. The URLs should
+ occur in the list in the same order that the corresponding
+ certificates appear in the certificate chain.
+
+ Servers receiving "CertificateURL" shall attempt to retrieve the
+ client's certificate chain from the URLs, and then process the
+ certificate chain as usual. HTTP SHOULD be used to retrieve the
+ certificate chain from the URLs, and MUST be supported by servers
+ supporting this extension.
+
+ Servers MUST check that the SHA-1 hash of any certificates retrieved
+ from a CertificateURL matches the given hash, and then process the
+ certificate chain as usual.
+
+ If any retrieved certificate does not have the correct SHA-1 hash,
+ the server MUST abort the handshake with a bad_certificate alert.
+
+ Note that clients may choose to send either "Certificate" or
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 10]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ "CertificateURL" after successfully negotiating the option to send
+ certificate URLs. The option to send a certificate is included to
+ provide flexibility to clients possessing multiple certificates.
+
+ If a server encounters an unreasonable delay in obtaining
+ certificates in a given CertificateURL, it SHOULD time out and signal
+ a "certificate_unobtainable" error alert.
+
+ 3.4. Trusted CA Indication
+
+ Constrained clients which, due to memory limitations, possess only a
+ small number of CA root keys, may wish to indicate to servers which
+ root keys they possess, in order to avoid repeated handshake
+ failures.
+
+ In order to indicate which CA root keys they possess, clients MAY
+ include an extension of type "trusted_ca_keys" in the (extended)
+ client hello. The "extension_data" field of this extension shall
+ contain "TrustedAuthorities" where:
+
+ struct {
+ TrustedAuthority trusted_authorities_list<0..2^16-1>;
+ } TrustedAuthorities;
+
+ struct {
+ IdentifierType identifier_type;
+ select (identifier_type) {
+ case null: struct {};
+ case key_hash_sha: KeyHash;
+ case x509_name: DistinguishedName;
+ case cert_hash: CertHash;
+ } Identifier;
+ } TrustedAuthority;
+
+ enum { null(0), key_hash_sha(1), x509_name(2), cert_hash(3),
+ (255)}
+ IdentifierType;
+
+ opaque DistinguishedName<1..2^16-1>;
+
+ opaque KeyHash[20];
+
+ Here "TrustedAuthorities" provides a list of CA root key identifiers
+ that the client possesses. Each CA root key is identified via either:
+
+ - "null" - no CA root key identity supplied.
+
+ - "key_hash_sha" - contains the SHA-1 hash of the CA root key. For
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 11]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ DSA and ECDSA keys, this is the hash of the "subjectPublicKey"
+ value. For RSA keys, this is the hash of the byte string
+ representation of the modulus (without any initial 0-valued
+ bytes). (This copies the key hash formats deployed in other
+ environments.)
+
+ - "cert_hash" - contains the SHA-1 hash of a certificate containing
+ the CA root key.
+
+ - "x509_name" - contains the X.509 distinguished name of the CA.
+
+ Note that clients may include none, some, or all of the CA root keys
+ they possess in this extension.
+
+ Note also that it is possible that a key hash or a distinguished name
+ alone may not uniquely identify a certificate issuer - for example if
+ a particular CA has multiple key pairs - however here we assume this
+ is the case following the use of distinguish names to identify
+ certificate issuers in TLS.
+
+ The option to include no CA root keys is included to allow the client
+ to indicate possession of some pre-defined set of CA root keys.
+
+ Servers that receive a client hello containing the "trusted_ca_keys"
+ extension, MAY use the information contained in the extension to
+ guide their selection of an appropriate certificate chain to return
+ to the client.
+
+ 3.5. Truncated HMAC
+
+ Currently defined TLS ciphersuites use the MAC construction HMAC with
+ either MD5 or SHA-1 [HMAC] to authenticate record layer
+ communications. In TLS the entire output of the hash function is used
+ as the MAC tag. However it may be desirable in constrained
+ environments to save bandwidth by truncating the output of the hash
+ function to 80 bits when forming MAC tags.
+
+ In order to negotiate the use of 80-bit truncated HMAC, clients MAY
+ include an extension of type "truncated_hmac" in the extended client
+ hello. The "extension_data" field of this extension shall be empty.
+
+ Servers that receive an extended hello containing a "truncated_hmac"
+ extension, MAY agree to use a truncated HMAC by including an
+ extension of type "truncated_hmac" in the extended server hello.
+
+ Note that if new ciphersuites are added that do not use HMAC, and the
+ session negotiates one of these ciphersuites, this extension will
+ have no effect. It is strongly recommended that any new cipher suites
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 12]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ using other MACs consider the MAC size as an integral part of the
+ cipher suite definition, taking into account both security and
+ bandwidth considerations.
+
+ If HMAC truncation has been successfully negotiated during a TLS
+ handshake, and the negotiated ciphersuite uses HMAC, both the client
+ and the server pass this fact to the TLS record layer along with the
+ other negotiated security parameters. Subsequently during the
+ session, clients and servers MUST use truncated HMACs, calculated as
+ specified in [HMAC]. Note that this extension does not affect the
+ calculation of the PRF as part of handshaking or key derivation.
+
+ The negotiated HMAC truncation size applies for the duration of the
+ session including session resumptions.
+
+ 3.6. OCSP Status Request
+
+ Constrained clients may wish to use OCSP [OCSP] to check the validity
+ of server certificates, in order to avoid transmission of CRLs and
+ therefore save bandwidth on constrained networks.
+
+ In order to indicate their desire to use OCSP, clients MAY include an
+ extension of type "status_request" in the (extended) client hello.
+ The "extension_data" field of this extension shall contain
+ "StatusRequest" where:
+
+ struct {
+ ResponderID responder_id_list<0..2^16-1>;
+ Extensions request_extensions;
+ } StatusRequest;
+
+ opaque ResponderID<1..2^16-1>;
+ opaque Extensions<0..2^16-1>;
+
+ Here "ResponderIDs" provides a list of OCSP responders that the
+ client trusts. A zero-length "responder_id_list" sequence has the
+ special meaning that the responders are implicitly known to the
+ server - e.g. by prior arrangement. "Extensions" is a DER encoding of
+ the OCSP request extensions.
+
+ Both "ResponderID" and "Extensions" are DER-encoded ASN.1 types as
+ defined in [OCSP].
+
+ Servers that receive a client hello containing the "status_request"
+ extension, MAY return an OCSP response to the client along with their
+ certificate. If so, they SHOULD use the information contained in the
+ extension when selecting an OCSP responder, and SHOULD include
+ request_extensions in the OCSP request.
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 13]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ Servers return an OCSP response along with their certificate by
+ sending "CertificateAndOCSPResponse" in place of the "Certificate"
+ message. If a server returns an OCSP response, then the server MUST
+ have included an extension of type "status_request" with empty
+ "extension_data" in the extended server hello.
+
+ struct {
+ ASN.1Cert certificate_list<0..2^24-1>;
+ OCSPResponse ocsp_response;
+ } CertificateAndOCSPResponse;
+
+ opaque ASN.1Cert<1..2^24-1>;
+
+ opaque OCSPResponse<1..2^24-1>;
+
+ Here "ocsp_response" contains a complete, DER-encoded OCSP response
+ (using the ASN.1 type OCSPResponse defined in [OCSP]). Note that only
+ one OCSP response may be sent.
+
+ The "CertificateAndOCSPResponse" message is conveyed using the
+ handshake message type "ocsp_response".
+
+ Note that a server MAY also choose not to send the
+ "CertificateAndOCSPResponse" message, and instead send the
+ "Certificate" message, even if it receives a "status_request"
+ extension in the client hello message.
+
+ Note in addition that servers MUST NOT send the
+ "CertificateAndOCSPResponse" message unless it received a
+ "status_request" extension in the client hello message.
+
+ Clients requesting an OCSP response, and receiving an OCSP response
+ in a "CertificateAndOCSPResponse" field:
+
+ - MUST process the certificate as if it was received in a
+ "Certificate" message, and;
+
+ - SHOULD check the OCSP response and abort the handshake if the
+ response is not satisfactory.
+
+4. Error Alerts
+
+ This section defines new error alerts for use with the TLS extensions
+ defined in this document.
+
+ The following new error alerts are defined. To avoid "breaking"
+ existing clients and servers, these alerts MUST NOT be sent unless
+ the sending party has received an extended hello message from the
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 14]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ party they are communicating with.
+
+ - "unsupported_extension" - this alert is sent by clients that
+ receive an extended server hello containing an extension that
+ they did not put in the corresponding client hello (see Section
+ 2.3). This message is always fatal.
+
+ - "bad_extension_order" - this alert is sent by clients or servers
+ that receive an extended hello with the extensions in the wrong
+ order (see Section 2.3). This message is always fatal.
+
+ - "unrecognised_domain" - this alert is sent by servers that
+ receive a dns_name extension request, but do not recognize the
+ DNS name as belonging to a domain they are responsible for.
+ This message MAY be fatal.
+
+ - "certificate_unobtainable" - this alert is sent by servers who are
+ unable to retrieve a certificate chain from the URL supplied by
+ the client (see Section 3.3). This message is always fatal.
+
+ - "bad_ocsp_response" - this alert is sent by clients that receive
+ an invalid OCSP response (see Section 3.6). This message is always
+ fatal.
+
+ These error alerts are conveyed using the following syntax:
+
+ enum {
+ close_notify(0),
+ unexpected_message(10),
+ bad_record_mac(20),
+ decryption_failed(21),
+ record_overflow(22),
+ decompression_failure(30),
+ handshake_failure(40),
+ certificate_unobtainable(41), /* new */
+ bad_certificate(42),
+ unsupported_certificate(43),
+ certificate_revoked(44),
+ certificate_expired(45),
+ certificate_unknown(46),
+ illegal_parameter(47),
+ unknown_ca(48),
+ access_denied(49),
+ decode_error(50),
+ decrypt_error(51),
+ export_restriction(60),
+ protocol_version(70),
+ insufficient_security(71),
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 15]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ internal_error(80),
+ user_canceled(90),
+ no_renegotiation(100),
+ unsupported_extension(110), /* new */
+ bad_extension_order(111), /* new */
+ unrecognised_domain(112), /* new */
+ bad_ocsp_response(113), /* new */
+ (255)
+ } AlertDescription;
+
+5. Procedure for Defining New Extensions
+
+ Traditionally for Internet protocols, the Internet Assigned Numbers
+ Authority (IANA) handles the allocation of new values for future
+ expansion, and RFCs usually define the procedure to be used by the
+ IANA. However, there are subtle (and not so subtle) interactions that
+ may occur in this protocol between new features and existing features
+ which may result in a significant reduction in overall security.
+
+ Therefore, requests to define new extensions (including assigning
+ extension and error alert numbers) should be forwarded to the IETF
+ TLS Working Group for discussion.
+
+ The following considerations should be taken into account when
+ designing new extensions:
+
+ - All of the extensions defined in this document follow the
+ convention that for each extension that a client requests
+ and that the server understands, the server replies with an
+ extension of the same type.
+
+
+ - Some cases where a server does not agree to an extension are
+ error conditions, and some simply a refusal to support a
+ particular feature. In general error alerts should be used for
+ the former, and a field in the server extension response for
+ the latter.
+
+ - Extensions should as far as possible be designed to prevent
+ any attack that forces use (or non-use) of a particular feature
+ by manipulation of handshake messages. This principle should
+ be followed regardless of whether the feature is believed
+ to cause a security problem.
+
+ Often the fact that the extension fields are included in the
+ inputs to the Finished message hashes will be sufficient,
+ but extreme care is needed when the extension changes the
+ meaning of messages sent in the handshake phase.
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 16]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ Designers and implementors should be aware of the fact that
+ until the handshake has been authenticated, active attackers
+ can modify messages and insert, remove, or replace extensions.
+
+ - It would be technically possible to use extensions to change
+ major aspects of the design of TLS; for example the design of
+ ciphersuite negotiation. This is not recommended; it
+ would be more appropriate to define a new version of TLS -
+ particularly since the TLS handshake algorithms have specific
+ protection against version rollback attacks based on the
+ version number, and the possibility of version rollback
+ should be a significant consideration in any major design
+ change.
+
+6. Security Considerations
+
+ Security considerations for the extension mechanism in general, and
+ the design of new extensions, are described in the previous section.
+ A security analysis of each of the extensions defined in this
+ document is given below.
+
+ In general, implementers should continue to monitor the state of the
+ art, and address any weaknesses identified.
+
+ Additional security considerations are described in the TLS 1.0 RFC
+ [TLS].
+
+ 6.1. Security of dns_name
+
+ If a single server hosts several domains, then clearly it is
+ necessary for the owners of each domain to ensure that this satisfies
+ their security needs. Apart from this, dns_name does not appear to
+ introduce significant security issues.
+
+ The length of the domain name should be checked for buffer overflow
+ (note that RFC 1035 restricts domain names to 255 bytes).
+
+ 6.2. Security of max_record_size
+
+ The maximum record size takes effect immediately, including for
+ handshake messages. However, that does not introduce any security
+ complications that are not already present in TLS, since [TLS]
+ requires implementations to be able to handle fragmented handshake
+ messages.
+
+ Note that as described in section 3.2, once a non-null ciphersuite
+ has been activated, the effective maximum record size depends on the
+ ciphersuite, as well as on the negotiated max_record_size. This must
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 17]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ be taken into account when sizing buffers, and checking for buffer
+ overflow.
+
+ 6.3. Security of client_certificate_url
+
+ When client authentication is used *without* the
+ client_certificate_url extension, the client certificate chain is
+ covered by the Finished message hashes. The purpose of checking a
+ SHA-1 hash of the certificate chain contents, is to ensure that the
+ same property holds when this extension is used - i.e. that all of
+ the information in the certificate chain retrieved by the server is
+ as the client intended.
+
+ (The attack that this protects against is admittedly fairly
+ unrealistic: the attacker would have to get a valid certificate on
+ the client's key which is different from the client's certificate.
+ Nevertheless, including this hash guarantees that there can be no
+ unexpected problems due to the certificate chain not being directly
+ covered by the Finished hashes.)
+
+ A similar approach should also be taken if possible for any future
+ extensions that involve fetching information from external sources.
+
+ Note that although TLS uses both MD5 and SHA-1 hashes in several
+ other places, this was not believed to be necessary here. The
+ property required of SHA-1 is second pre-image resistance.
+
+ Support for client_certificate_url involves the server acting as a
+ client in another protocol (usually HTTP, but other URL schemes are
+ not prohibited). It is therefore subject to many of the same security
+ considerations that apply to a publically accessible HTTP proxy
+ server. This includes the possibility that an attacker might use the
+ server to indirectly attack another host that is vulnerable to some
+ security flaw. It also includes potentially increased exposure to
+ denial of service attacks: an attacker can make many connections,
+ each of which results in the server making an HTTP request.
+
+ It is recommended that the client_certificate_url extension should
+ have to be specifically enabled by a server administrator, rather
+ than being enabled by default.
+
+ As discussed in [URI], URLs that specify ports other than the default
+ may cause problems, as may very long URLs (which are more likely to
+ be useful in exploiting buffer overflow bugs).
+
+ 6.4. Security of trusted_ca_keys
+
+ It is possible that which CA root keys a client possesses could be
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 18]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+ regarded as confidential information. As a result, the CA root key
+ indication extension should be used with care.
+
+ The use of the SHA-1 certificate hash alternative ensures that each
+ certificate is specified unambiguously. As for the previous
+ extension, it was not believed necessary to use both MD5 and SHA-1
+ hashes.
+
+ 6.5. Security of truncated_hmac
+
+ It is possible that truncated MACs are weaker than "un-truncated"
+ MACs. However, no significant weaknesses are currently known or
+ expected to exist for HMAC with MD5 or SHA-1, truncated to 80 bits.
+ Note that the output length of a MAC need not be as long as the
+ length of a symmetric cipher key, since forging of MAC values cannot
+ be done off-line: in TLS, a single failed MAC guess will cause the
+ immediate termination of the TLS session.
+
+ Since the MAC algorithm only takes effect after the handshake
+ messages have been authenticated by the hashes in the Finished
+ messages, it is not possible for an active attacker to force
+ negotiation of the truncated HMAC extension where it would not
+ otherwise be used (to the extent that the handshake authentication is
+ secure). Therefore, in the event that any security problem were found
+ with truncated HMAC in future, if either the client or the server for
+ a given session have been updated to take into account the problem,
+ they would be able to veto use of this extension.
+
+ 6.6. Security of status_request
+
+ If a client requests an OCSP response, it must take into account that
+ an attacker's server using a compromised key could (and probably
+ would) pretend not to support the extension. A client that requires
+ OCSP validation of certificates SHOULD be prepared to contact the
+ OCSP server directly in this case.
+
+ Use of the OCSP nonce request extension (id-pkix-ocsp-nonce) may
+ improve security against attacks that attempt to replay OCSP
+ responses; see section 4.4.1 of [OCSP] for further details.
+
+7. Internationalisation Considerations
+
+ None of the extensions defined here directly use strings subject to
+ localisation. Domain names are encoded using UTF-8. If future
+ extensions use text strings, then internationalisation should be
+ considered in their design.
+
+
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 19]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+8. Intellectual Property Rights
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this document. Please address the information to the IETF Executive
+ Director.
+
+9. Acknowledgments
+
+ The authors wish to thank the TLS Working Group and the WAP Security
+ Group. This document is based on discussion within these groups.
+
+10. References
+
+ [HMAC] Krawczyk, H., Bellare, M., and Canetti, R. - HMAC: Keyed-
+ hashing for message authentication. IETF RFC 2104, February 1997.
+
+ [HTTP] J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T.
+ Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1," IETF RFC
+ 2616, June 1999.
+
+ [KERB] A. Medvinsky, M. Hur, "Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)," IETF RFC 2712, October 1999.
+
+ [KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate
+ Requirement Levels," IETF RFC 2119, March 1997.
+
+ [MAILING LIST] Mikkelsen, J. Eberhard, R., and J. Kistler, "General
+ ClientHello extension mechanism and virtual hosting," Ietf-tls
+ mailing list posting, August 14, 2000.
+
+ [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
+ Adams, "Internet X.509 Public Key Infrastructure: Online Certificate
+ Status Protocol - OCSP," IETF RFC 2560, June 1999.
+
+ [TLS] Dierks, T., and C. Allen, "The TLS Protocol - Version 1.0,"
+ IETF RFC 2246, January 1999.
+
+ [URI] T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource
+ Identifiers (URI): Generic Syntax," IETF RFC 2396, August 1998.
+
+ [UTF8] F. Yergeau, "UTF-8, a transformation format of ISO 10646,"
+ IETF RFC 2279, January 1998.
+
+
+
+
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 20]
+
+INTERNET-DRAFT TLS Extensions June 2001
+
+
+11. Authors' Addresses
+
+ Simon Blake-Wilson
+ Certicom Corp.
+ sblake-wilson@certicom.com
+
+ Magnus Nystrom
+ RSA Security
+ magnus@rsasecurity.com
+
+ David Hopwood
+ Independent Consultant
+ david.hopwood@zetnet.co.uk
+
+ Jan Mikkelsen
+ Transactionware
+ jam@transactionware.com
+
+ Tim Wright
+ Vodafone
+ timothy.wright@vf.vodafone.co.uk
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson et al. Expires: December 2001 [Page 21]
diff --git a/doc/protocol/draft-ietf-tls-https-04.txt b/doc/protocol/draft-ietf-tls-https-04.txt
deleted file mode 100644
index 2a4c40f94c..0000000000
--- a/doc/protocol/draft-ietf-tls-https-04.txt
+++ /dev/null
@@ -1,54 +0,0 @@
-A new Request for Comments is now available in online RFC libraries.
-
-
- RFC 2818
-
- Title: HTTP Over TLS
- Author(s): E. Rescorla
- Status: Informational
- Date: May 2000
- Mailbox: ekr@rtfm.com
- Pages: 8
- Characters: 15170
- Updates/Obsoletes/SeeAlso: None
-
- URL: ftp://ftp.isi.edu/in-notes/rfc2818.txt
-
-
-This memo describes how to use TLS to secure HTTP connections over
-the Internet. Current practice is to layer HTTP over SSL (the
-predecessor to TLS), distinguishing secured traffic from insecure
-traffic by the use of a different server port. This document documents
-that practice using TLS. A companion document describes a method for
-using HTTP/TLS over the same port as normal HTTP [RFC2817].
-
-This document is a product of the Transport Layer Security Working
-Group of the IETF.
-
-This memo provides information for the Internet community. It does
-not specify an Internet standard of any kind. Distribution of this
-memo is unlimited.
-
-This announcement is sent to the IETF list and the RFC-DIST list.
-Requests to be added to or deleted from the IETF distribution list
-should be sent to IETF-REQUEST@IETF.ORG. Requests to be
-added to or deleted from the RFC-DIST distribution list should
-be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.
-
-Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
-an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body
-help: ways_to_get_rfcs. For example:
-
- To: rfc-info@RFC-EDITOR.ORG
- Subject: getting rfcs
-
- help: ways_to_get_rfcs
-
-Requests for special distribution should be addressed to either the
-author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG. Unless
-specifically noted otherwise on the RFC itself, all RFCs are for
-unlimited distribution.echo
-Submissions for Requests for Comments should be sent to
-RFC-EDITOR@RFC-EDITOR.ORG. Please consult RFC 2223, Instructions to RFC
-Authors, for further information.
-
diff --git a/doc/protocol/draft-ietf-tls-misty1-00.txt b/doc/protocol/draft-ietf-tls-misty1-00.txt
deleted file mode 100644
index 8bb9b675ec..0000000000
--- a/doc/protocol/draft-ietf-tls-misty1-00.txt
+++ /dev/null
@@ -1,183 +0,0 @@
-
-
-
-
-
-
-INTERNET-DRAFT H. Ohta
-TLS Working Group H. Tsuji
-Expires March 2001 Mitsubishi Electric Corporation
- September 2000
-
-
- Addition of MISTY1 to TLS
-
- <draft-ietf-tls-misty1-00.txt>
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet- Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Abstract
-
- This document proposes the addition of new cipher suites to the TLS
- protocol version 1.0 to support the MISTY1 encryption algorithm as a
- bulk cipher algorithm.
-
-1. Introduction
-
- This document proposes the addition of new cipher suites to the TLS
- protocol version 1.0[2] to support MISTY1 encryption algorithm[1] as
- a bulk cipher algorithm. MISTY1 is a block cipher with a 128-bit key
- and a 64-bit block. It is designed on the basis of the theory of
- provable security against differential and linear cryptanalysis, and
- moreover it realizes high-speed encryption on hardware platforms as
- well as on software environments.
-
-
-
-
-Ohta, Tsuji Expires March 2001 [Page 1]
-
-
-
-
-
-
-Internet-Draft Addition of MISTY1 to TLS September 2000
-
-
- This document defines the additional cipher specification to the TLS
- protocol version 1.0.
-
-2. The Cipher Suites
-
- The following values define the CipherSuite codes for the cipher
- suites that use the MISTY1 CBC mode as a bulk cipher algorithm.
-
- CipherSuite TLS_RSA_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
- CipherSuite TLS_DH_DSS_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
- CipherSuite TLS_DH_RSA_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
- CipherSuite TLS_DHE_DSS_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
- CipherSuite TLS_DHE_RSA_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
- CipherSuite TLS_DH_anon_WITH_MISTY1_CBC_SHA = { 0x00,0xXX };
-
- Note: Above CipherSuite numbers should be assigned and registerd.
-
-3. CipherSuite Definitions
-
-CipherSuite Is Key Cipher Hash
- Exportable Exchange
-
-TLS_RSA_WITH_MISTY1_CBC_SHA RSA MISTY1_CBC SHA
-TLS_DH_DSS_WITH_MISTY1_CBC_SHA DH_DSS MISTY1_CBC SHA
-TLS_DH_RSA_WITH_MISTY1_CBC_SHA DH_RSA MISTY1_CBC SHA
-TLS_DHE_DSS_WITH_MISTY1_CBC_SHA DHE_DSS MISTY1_CBC SHA
-TLS_DHE_RSA_WITH_MISTY1_CBC_SHA DHE_RSA MISTY1_CBC SHA
-TLS_DH_anon_WITH_MISTY1_CBC_SHA DH_anon MISTY1_CBC SHA
-
- Key Expanded Effective IV Block
- Cipher Type Material Key Material Key Bits Size Size
-
- MISTY1_CBC Block 16 16 128 8 8
-
- Note: Key Exchange Algorithms and Hash Functions are defined in TLS.
-
-4. Security Considerations
-
- MISTY1 cipher suites are subject to the same security consideration
- as TLS. In addition, MISTY1 is designed in consideratin of the
- theory of provable security against differential and liner
- cryptanalysis.
-
-5. References
-
- [1] H. Ohta and M. Matsui, "A Description of the MISTY1 Encryption
- Algorithm", Internet-Draft <draft-ohta-misty1desc-02.txt>, July
- 2000
-
-
-
-Ohta, Tsuji Expires March 2001 [Page 2]
-
-
-
-
-
-
-Internet-Draft Addition of MISTY1 to TLS September 2000
-
-
- [2] T. Dierks and C. Allen, "The TLS Protocol Version 1.0", RFC
- 2246, January 1999
-
-6. Author's Addresses
-
- Hidenori Ohta
- Mitsubishi Electric Corporation, Information Technology R&D Center
- 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
- Phone: +81-467-41-2183
- FAX: +81-467-41-2185
- EMail: hidenori@iss.isl.melco.co.jp
-
- Hirosato Tsuji
- Mitsubishi Electric Corporation, Information Technology R&D Center
- 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
- Phone: +81-467-41-2183
- FAX: +81-467-41-2185
- EMail: hirosato@iss.isl.melco.co.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ohta, Tsuji Expires March 2001 [Page 3]
-
-
-
diff --git a/doc/protocol/draft-ietf-tls-openpgp-00.txt b/doc/protocol/draft-ietf-tls-openpgp-01.txt
index 92e308b1f5..9dfd1866e9 100644
--- a/doc/protocol/draft-ietf-tls-openpgp-00.txt
+++ b/doc/protocol/draft-ietf-tls-openpgp-01.txt
@@ -1,9 +1,9 @@
TLS Working Group W. Price
INTERNET-DRAFT M. Elkins
Network Associates, Inc.
- 15 December 1999
+ 23 March 2001
-draft-ietf-tls-openpgp-00.txt
+draft-ietf-tls-openpgp-01.txt
Extensions to TLS for OpenPGP keys
@@ -52,9 +52,9 @@ Certificate
-Price Expires 15 June 2000 [Page 1]
-
-Internet-Draft Extensions to TLS for OpenPGP keys 15 December 1999
+Price Expires 23 September 2001 [Page 1]
+
+Internet-Draft Extensions to TLS for OpenPGP keys 23 March 2001
not be used in conjunction with OpenPGP keys. An implementation
@@ -108,9 +108,9 @@ Certificate Request
-Price Expires 15 June 2000 [Page 2]
-
-Internet-Draft Extensions to TLS for OpenPGP keys 15 December 1999
+Price Expires 23 September 2001 [Page 2]
+
+Internet-Draft Extensions to TLS for OpenPGP keys 23 March 2001
based on OpenPGP keys.
@@ -164,9 +164,9 @@ Cipher Suites
-Price Expires 15 June 2000 [Page 3]
-
-Internet-Draft Extensions to TLS for OpenPGP keys 15 December 1999
+Price Expires 23 September 2001 [Page 3]
+
+Internet-Draft Extensions to TLS for OpenPGP keys 23 March 2001
Note: The above numeric definitions for Cipher Suites have not
@@ -220,5 +220,5 @@ Authors
-Price Expires 15 June 2000 [Page 4]
-
+Price Expires 23 September 2001 [Page 4]
+
diff --git a/doc/protocol/draft-ietf-tls-seedhas-00.txt b/doc/protocol/draft-ietf-tls-seedhas-00.txt
deleted file mode 100644
index a662984118..0000000000
--- a/doc/protocol/draft-ietf-tls-seedhas-00.txt
+++ /dev/null
@@ -1,223 +0,0 @@
-TLS Working Group Joo-won Jung
-INTERNET-DRAFT ChangHee Lee
- INITECH, Inc.
- 12 July 2000
-
-
- TLS Extension for SEED and HAS-160
-
- draft-ietf-tls-seedhas-00.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet- Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Introduction
-
- This document proposes the addition of new cipher suites to the TLS
- protocol 1.0 [TLS] to support SEED and HAS-160.
-
- The SEED algorithm is 128-bit symmetric block cipher algorithm.
- [SEED] The HAS-160 is 160-bit secure hash function, whose block size
- is 512 bit. [HAS] Both algorithms are developed in Korea since 1997
- for stronger communication security. Currently, SEED is widely used
- and is the mandatory cipher in banking and stock applications in
- Korea.
-
-HMAC of HAS-160
-
- HMAC of HAS160 can be defined like HMAC_MD5 or HMAC_SHA1. Since
- HAS-160 is 512-bit block, 160-bit output secure hash algorithm, B=64
- and L=20 as the notation of [HMAC].
-
- The test values of HMAC_HAS160 is provided as appendix of this
-
-
-
-Jung & Lee Expires in 12 January 2001 [Page 1]
-
-Internet-Draft TLS Extension for SEED and HAS-160 12 July 2000
-
-
- document.
-
- HMAC_HAS160 is used just for MAC of record layer. Adding HMAC_HAS160
- does not affect the definitions of PRF, Finished message and other
- definitions using HMAC_MD5 or HMAC_SHA1.
-
-Cipher Suites
-
- In spite of the existence of Korean digital signature algorithm,
- KCDSA, RSA algorithm is more widely used in Korea. Therefore, we
- define cipher suites with RSA key exchange.
-
- CipherSuite TLS_RSA_WITH_SEED_CBC_MD5 = { 0x00, 0x2C };
- CipherSuite TLS_RSA_WITH_SEED_CBC_SHA = { 0x00, 0x2D };
- CipherSuite TLS_RSA_WITH_SEED_CBC_HAS160 = { 0x00, 0x2E };
-
- Note: The above numeric definitions for Cipher Suites have not yet
- been registered. The numeric definitions are the following numbers
- of CipherSuite of TLS standard.[TLS]
-
-References
-
- [HAS] TTA.IS-10118, "Hash Function Standard - Part 2 : Hash
- Function Algorithm (HAS-160)", Telecommunications Technology
- Association, Republic of Korea, November, 1998.
-
- [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
- Hashing for Message Authentication," RFC 2104, February,
- 1997.
-
- [SEED] TTA.KO-12.0004, "128-bit Symmetric Block Cipher (SEED)",
- Telecommunications Technology Association, Republic of Korea,
- September 28, 1999.
-
- [TLS] T. Dierks, and C. Allen, "The TLS Protocol Version 1.0", RFC
- 2246, January 1999.
-
-
-Test Values of HMAC_HAS160
-
- test_case = 1
- key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
- key_len = 20
- data = "Hi There"
- data_len = 8
- digest = 0xf5b44115a53f716b6f488de1098ee7c251418623
-
- test_case = 2
-
-
-
-Jung & Lee Expires in 12 January 2001 [Page 2]
-
-Internet-Draft TLS Extension for SEED and HAS-160 12 July 2000
-
-
- key = "Jefe"
- key_len = 4
- data = "what do ya want for nothing?"
- data_len = 28
- digest = 0xa74547c1ef0aa147c7428ab7e71664549be2a412
-
- test_case = 3
- key = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
- key_len = 20
- data = 0xdd repeated 50 times
- data_len = 50
- digest = 0xe4c91bc71782fa44a56be1a34aae167e8ffc9734
-
- test_case = 4
- key = 0x0102030405060708090a0b0c0d0e0f10111213141516171819
- key_len = 25
- data = 0xcd repeated 50 times
- data_len = 50
- digest = 0x14d1055da875222053bf1180bbef8892eba3ac30
-
- test_case = 5
- key = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
- key_len = 20
- data = "Test With Truncation"
- data_len = 20
- digest = 0x63750d67af40e3fde33526545d300972a1527053
-
- test_case = 6
- key = 0xaa repeated 80 times
- key_len = 80
- data = "Test Using Larger Than Block-Size Key - Hash Key First"
- data_len = 54
- digest = 0x63750d67af40e3fde33526545d300972a1527053
-
- test_case = 7
- key = 0xaa repeated 80 times
- key_len = 80
- data = "Test Using Larger Than Block-Size Key and Larger
- Than One Block-Size Data"
- data_len = 73
- digest = 0x1bdb821e399e208352c64f0655f6601e2a8a087c
-
-
- Note: These values are not cross-verified with other organization.
-
-Author's Address
-
- Joo-won Jung
-
-
-
-Jung & Lee Expires in 12 January 2001 [Page 3]
-
-Internet-Draft TLS Extension for SEED and HAS-160 12 July 2000
-
-
- INITECH, Inc.
- EMail: jwjung@initech.com
-
- ChangHee Lee
- INITECH, Inc.
- EMail: chlee@initech.com
-
- Phone: +82 2 3430 5700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jung & Lee Expires in 12 January 2001 [Page 4]
-
diff --git a/doc/protocol/draft-ietf-tls-wireless-00.txt b/doc/protocol/draft-ietf-tls-wireless-00.txt
deleted file mode 100644
index 77e59277d8..0000000000
--- a/doc/protocol/draft-ietf-tls-wireless-00.txt
+++ /dev/null
@@ -1,743 +0,0 @@
-
-
-
-
-TLS Working Group Simon Blake-Wilson, Certicom
-INTERNET-DRAFT Magnus Nystrom, RSA Security
-Expires May 16, 2001 November 17, 2000
-
- Wireless Extensions to TLS
- <draft-ietf-tls-wireless-00.txt>
-
- Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026. Internet-Drafts are working
- documents of the Internet Engineering Task Force (IETF), its areas,
- and its working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or made obsolete by other documents at
- any time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as work in progress.
-
- The list of current Internet-Drafts may be found at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories may be found at
- http://www.ietf.org/shadow.html.
-
-
- Abstract
-
- This document suggests extensions to TLS designed to make TLS more
- amenable to use within wireless environments. The extensions may be
- used by TLS clients and servers. The extensions are backwards
- compatible - communication is possible between TLS 1.0 clients
- that support the extensions and TLS 1.0 servers that do not
- support the extensions, and vice versa.
-
- The document suggests extensions of two types: generic extension
- mechanisms for the TLS client and server hellos, and specific
- extensions using these generic mechanisms. It is hoped that the
- structure of the document will allow each suggested extension to be
- evaluated independently.
-
- This document is based on discussions at the TLS working group
- meeting during the Pittsburgh IETF meeting, and on discussions
- within the WAP security group.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119.
-
- Please send comments on this document to the TLS mailing list.
-
-
-Blake-Wilson, Nystrom [Page 1]
-
-INTERNET-DRAFT 17 November 2000
-
-
- Table of Contents
-
- 1. Introduction ............................................... 2
- 2. General Extension Mechanisms ............................... 4
- 2.1. Extended Client Hello .................................... 4
- 2.2. Extended Server Hello .................................... 4
- 2.3. Hello Extensions ......................................... 5
- 3. Wireless Extensions ........................................ 6
- 3.1. Maximum Record Size Negotiation .......................... 6
- 3.2. Client Certificate URLs .................................. 7
- 3.3. Trusted CA Indication .................................... 8
- 3.4. Small Session Identifiers ................................ 9
- 3.5. Truncated MACs .......................................... 10
- 3.6. OCSP .................................................... 11
- 4. Security Considerations ................................... 12
- 5. Intellectual Property Rights .............................. 12
- 6. Acknowledgments ........................................... 12
- 7. References ................................................ 12
- 8. Authors' Addresses ........................................ 13
-
-
-1. Introduction
-
-Wireless environments often suffer from a number of constraints not
-commonly present in wired environments - these constraints may include
-bandwidth limitations, computational power limitations, memory
-limitations, and battery life limitations.
-
-Use within wireless environments was not one of the initial design
-criteria of the TLS protocol. As a result, implementations of TLS
-within wireless environments face a number of challenges.
-
-This document specifies extensions to the TLS 1.0 protocol designed to
-make TLS more amenable to use within wireless environments. The
-extensions described here focus on extending the functionality provided
-by the TLS protocol message formats. Other issues, such as the addition
-of "wireless-friendly" cipher suites, are deferred.
-
-Specifically, the extensions described in this document are designed
-to:
-
-- Allow TLS clients and servers to negotiate the maximum record size to
- be sent. This functionality is desirable as a result of memory
- constraints common among wireless clients, and bandwidth constraints
- common among wireless networks.
-
-- Allow TLS clients and servers to negotiate the use of client
- certificate URLs. This functionality is desirable in order to
- conserve memory on wireless clients.
-
-
-Blake-Wilson, Nystrom [Page 2]
-
-INTERNET-DRAFT 17 November 2000
-
-
-- Allow TLS clients to indicate to TLS servers which CA root keys they
- possess. This functionality is desirable in order to prevent multiple
- handshake failures involving TLS clients which are only able to store
- a small number of CA root keys due to memory limitations.
-
-- Encourage TLS servers to use small session identifiers. This
- functionality is desirable in order to conserve memory on wireless
- clients.
-
-- Allow TLS clients and servers to negotiate the use of truncated MACs.
- This functionality is desirable in order to conserve bandwidth in
- wireless networks.
-
-- Allow TLS clients and servers to negotiate that the server sends the
- client an OCSP response during a TLS handshake. This functionality is
- desirable in order to avoid sending a CRL over a wireless network and
- therefore save bandwidth.
-
-In order to support the extensions above, general extension mechanisms
-for the client hello message and the server hello message are
-introduced.
-
-The extensions described in this document may be used by TLS 1.0
-clients and TLS 1.0 servers. The extensions are designed to be
-backwards compatible - meaning that TLS 1.0 clients that support the
-extensions can talk to TLS 1.0 servers that do not support the
-extensions, and vice versa.
-
-Backwards compatibility is primarily achieved via two considerations:
-
-- Clients typically request the use of extensions via the extended
- client hello message described in Section 2.1. TLS 1.0 [TLS] requires
- servers to "accept" extended client hello messages, even if the server
- does not "understand" the extension.
-
-- For the specific extensions described here, no mandatory server
- response is required when clients request extended functionality.
-
-Note however, that although backwards compatibility is supported, some
-wireless clients may be forced to reject communications with servers
-that do not support the extensions as a result of the limited
-capabilities of the wireless clients.
-
-The remainder of this document is organized as follows. Section 2
-describes general extension mechanisms for the client hello and server
-hello handshake messages. Section 3 describes specific extensions to
-TLS 1.0. The final sections of the document address IPR, security
-considerations, acknowledgements, and references.
-
-
-
-Blake-Wilson, Nystrom [Page 3]
-
-INTERNET-DRAFT 17 November 2000
-
-
-2. General Extension Mechanisms
-
-This section presents general extension mechanisms for the TLS
-handshake client hello and server hello messages.
-
-These general extension mechanisms are necessary in order to enable
-clients and servers to negotiate whether to use specific extensions,
-and how to use specific extensions. The extension formats described are
-based on [MAILING LIST].
-
-Section 2.1 specifies the extended client hello message format, Section
-2.2 specifies the extended server hello message format, and Section 2.3
-describes the actual extension format used with the extended client and
-server hellos.
-
-
-2.1. Extended Client Hello
-
-The extended client hello message format MAY be sent in place of the
-client hello message format when clients wish to request extended
-functionality from servers. The extended client hello message format is:
-
- struct {
- ProtocolVersion client_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suites<2..2^16-1>;
- CompressionMethod compression_methods<1..2^8-1>;
- Extension client_hello_extension_list<0..2^16-1>;
- } ClientHello;
-
-Here the new "client_hello_extension_list" field contains a list of
-extensions. The actual "Extension" format is defined in Section 2.3.
-
-In the event that clients request additional functionality using the
-extended client hello, and this functionality is not supplied by the
-server, clients MAY abort the handshake.
-
-Note that TLS, Section 7.4.1.2, allows additional information to be
-added to the client hello message. Thus the use of the extended client
-hello defined above should not "break" existing TLS 1.0 servers.
-
-
-2.2. Extended Server Hello
-
-The extended server hello message format MAY be sent in place of the
-server hello message when the client has requested extended
-functionality via the extended client hello message specified in
-Section 2.1. The extended server hello message format is:
-
-
-Blake-Wilson, Nystrom [Page 4]
-
-INTERNET-DRAFT 17 November 2000
-
-
- struct {
- ProtocolVersion server_version;
- Random random;
- SessionID session_id;
- CipherSuite cipher_suite;
- CompressionMethod compression_method;
- Extension server_hello_extension_list<0..2^16-1>;
- } ServerHello;
-
-Here the new "server_hello_extension_list" field contains a list of
-extensions. The actual "Extension" format is defined in Section 2.3.
-
-Note that the extended server hello message is only sent in response to
-an extended client hello message. This prevents the possibility that
-the extended server hello message could "break" existing TLS 1.0
-clients.
-
-
-2.3. Hello Extensions
-
-The extension format for extended client hellos and extended server
-hellos is:
-
- struct {
- ExtensionType extensionType;
- opaque unknown_extension<0..2^16-1>;
- } Extension;
-
-Here:
-
-- "extensionType" identifies the particular extension type.
-
-- "unknown_extension" contains information specific to the particular
- extension type.
-
-The extension types defined in this document are:
-
- enum {
- reserved(0), max_record_size(1),
- client_certificate_url(2), trusted_key_ids(3),
- truncated_MAC(4), status_request(5), (65535)
- } ExtensionType;
-
-Note that for all the extension types defined in this document, the
-extension type should appear in the extended server hello only if the
-same extension type appeared in the corresponding client hello. Thus
-clients MUST abort the handshake if they receive an extension type in
-the extended server hello that they did not request in the associated
-(extended) client hello.
-
-
-Blake-Wilson, Nystrom [Page 5]
-
-INTERNET-DRAFT 17 November 2000
-
-
-Also note that when multiple extensions are present in the extended
-client hello or the extended server hello, the extensions must appear
-in the order identified in "ExtensionType". Thus clients and servers
-MUST abort the handshake if they receive an extended hello message in
-which the extensions are not in the correct order.
-
-Finally note that it is possible to alternatively define
-"unknown_extension" using a selection on "extensionType" (instead of
-just defining it as type "opaque"). This approach appears to have pros
-and cons - using a selection is more restrictive and thus less prone to
-implementation errors, but using "opaque" ensures inclusion of the
-length and thus ensures that users can skip extensions they don't
-understand. We would particularly welcome comments on this issue.
-
-
-3. Wireless Extensions
-
-This section describes the specific TLS extensions specified in this
-document.
-
-Note that any messages associated with these extensions that is sent
-during the TLS handshake MUST be included in the hash calculations
-involved in "Finished" messages.
-
-Section 3.1 describes the extension of TLS to provide maximum record
-size negotiation. Section 3.2 describes the extension to allow client
-certificate URLs. Section 3.3 describes the extension to allow clients
-to indicate which CA root keys they possess. Section 3.4 describes the
-extension to restrict the size of session identifiers. Section 3.5
-describes the extension to allow the use of truncated MACs. Section 3.6
-describes the extension to support integration of OCSP into TLS
-handshakes.
-
-
-3.1. Maximum Record Size Negotiation
-
-TLS specifies a fixed maximum record size of 2^14 bytes. It may be
-desirable for wireless clients to negotiate a smaller maximum record
-size due to memory limitations or bandwidth limitations.
-
-In order to negotiate smaller maximum record sizes, clients MAY include
-an extension of type "max_record_size" in the (extended) client hello.
-The "unknown-extension" field of this extension shall contain:
-
- enum{
- 2^8(1), 2^9(2), 2^10(3), 2^11(4), 2^12(5), (255)
- } Negotiated_max_record_size ;
-
-whose value is the desired maximum record size. The allowed values for
-this field are: 2^8, 2^9, 2^10, 2^11, and 2^12.
-
-Blake-Wilson, Nystrom [Page 6]
-
-INTERNET-DRAFT 17 November 2000
-
-
-
-Servers that receive an extended client hello containing a
-"max_record_size" extension, MAY accept the requested maximum record
-size by including an extension of type "max_record_size" in the
-(extended) server hello. The "unknown_extension" field of this
-extension shall contain "Negotiated_max_record_size" whose value is the
-same as the requested maximum record size.
-
-Servers receiving maximum record size negotiation requests for values
-other than the allowed values MUST abort the handshake. Similarly,
-clients receiving maximum record size negotiation responses that differ
-from the size they requested MUST also abort the handshake.
-
-Once a maximum record size other than 2^14 has been successfully
-negotiated during a TLS handshake, both the client and server pass the
-negotiated maximum record size value to the TLS record layer along with
-the negotiated security parameters. (Note that it may be desirable in
-the future to update the TLS security parameters to include the maximum
-record size value.) During the subsequent session after exchange of
-change cipher spec messages, the client and server MUST ensure that no
-messages larger than the negotiated size are sent.
-
-3.2. Client Certificate URLs
-
-TLS specifies that when client authentication is performed, client
-certificates are sent by clients to servers during the TLS handshake.
-It may be desirable for wireless clients to send a certificate URL in
-place of a certificate so that they do not need to store their
-certificate and can therefore save memory.
-
-In order to negotiate to send a certificate URL to a server, clients
-MAY include an extension of type "client_certificate_url" in the
-(extended) client hello. The "unknown_extension" field of this
-extension shall be empty.
-
-(Note that it is necessary to negotiate use of a client certificate URL
-in order to avoid "breaking" existing TLS 1.0 servers.)
-
-Servers that receive an extended client hello containing a
-"client_certificate_url" extension, MAY indicate that they are willing
-to accept a certificate URL by including an extension of type
-"client_certificate_url" in the (extended) server hello. The
-"unknown_extension" field of this extension shall be empty.
-
-After negotiation of the use of a client certificate URL has been
-successfully completed (by exchanging hellos including
-"client_certificate_url" extensions), clients send a "CertificateorURL"
-message in place of a "Certificate" message:
-
-
-
-
-Blake-Wilson, Nystrom [Page 7]
-
-INTERNET-DRAFT 17 November 2000
-
-
- struct{
- Certificate_or_URL certificate_transport_type;
- select (Certificate_or_URL) {
- case certificate:
- ASN.1Cert certificate_list<0..2^24-1>;
- case url:
- opaque url<0..2^8-1>;
- } certificate_transport_body;
- } CertificateorURL;
-
- enum{ certificate(1), url(2), (255) } Certificate_or_URL ;
-
-(Nevertheless, the handshake message is identified as being of type
-"certificate".)
-
-Here:
-
-- "certificate_transport_type" indicates whether a certificate chain or
- URL is being sent.
-
-- "certificate_transport_body" contains either a certificate chain, or
- a certificate URL.
-
-Servers receiving "CertificateorURL" shall attempt to retrieve the
-client's certificate chain from the URL (if necessary), and then process the
-certificate chain as usual.
-
-Note that "CertificateorURL" allows the client to send either a
-certificate or a URL. The option to send a certificate, even after
-successfully negotiating the possibility to send a URL, is included to
-provide flexibility to clients possessing multiple certificates.
-
-
-3.3. Trusted CA Indication
-
-Wireless clients which, due to memory limitations, possess only a small
-number of CA root keys, may wish to indicate to servers which root keys
-they possess, in order to avoid repeated handshake failures.
-
-In order to indicate which CA root keys they possess, clients MAY
-include an extension of type "trusted_key_ids" in the (extended) client
-hello. The "unknown_extension" field of this extension shall contain
-"TrustedAuthorities" where:
-
- TrustedAuthority TrustedAuthorities<0..2^16-1>;
-
-
-
-
-
-
-Blake-Wilson, Nystrom [Page 8]
-
-INTERNET-DRAFT 17 November 2000
-
-
- struct {
- IdentifierType identifier_type;
- select (identifier_type) {
- case null: struct {};
- case key_hash_sha: KeyHash;
- case x509_name: DistinguishedName;
- } identifier;
- } TrustedAuthority;
-
- enum { null(0), key_hash_sha(1), x509_name(2),(255)}
- IdentifierType;
-
- opaque DistinguishedName<1..2^16-1>;
-
- opaque KeyHash[20];
-
-Here "TrustedAuthorities" provides a list of CA root key identifiers
-that the client possesses. Each CA root key is identified via either:
-
-- "null" - no CA root key identity supplied.
-
-- "key_hash_sha" - contains the SHA-1 hash of the CA root key. (For DSA
- and ECDSA keys, this is the hash of the "subjectPublicKey" value. For
- RSA keys, this is the hash of the byte string representation of the
- modulus.)
-
-- "x509_name" - contains the X.509 distinguished name of the CA.
-
-Note that clients may include none, some, or all of the CA root keys
-they possess in this extension.
-
-(The option to include no CA root keys is included both to maintain
-syntactical similarity with Section 3.6, and to allow the client to
-indicate possession of some pre-defined set of CA root keys.)
-
-Servers that receive a client hello containing the "trusted_key_ids"
-extension, MAY use the information contained in the extension to guide
-their selection of an appropriate certificate chain to return to the
-client.
-
-
-3.4. Small Session Identifiers
-
-TLS specifies that session identifiers can be up to 32 bytes in length.
-In order to save memory, it is desirable to restrict the size of
-session identifiers which are stored by wireless clients.
-
-The syntax used by TLS for session identifiers is:
-
- opaque SessionID<0..32>;
-
-Blake-Wilson, Nystrom [Page 9]
-
-INTERNET-DRAFT 17 November 2000
-
-
-In order to encourage use of small session identifiers, servers SHOULD
-select session identifiers whose length is 8 bytes or less.
-
-
-3.5. Truncated MACs
-
-TLS uses the MAC construction HMAC with either MD5 or SHA-1 [HMAC] to
-authenticate record layer communications. In TLS the entire output of
-the hash function is used as the MAC tag. However it may be desirable
-in wireless environments to save bandwidth by truncating the output of
-the hash function when forming MAC tags.
-
-In order to negotiate the use of truncated MACs, clients MAY include an
-extension of type "truncated_MAC" in the extended client hello. The
-"unknown_extension" field of this extension shall contain
-"MACTruncations", where:
-
- MACTruncation MACTruncations<0..2^8-1>;
-
- struct {
- MACAlgorithm mac_type;
- uint16 trucation_size_in_bits
- } MACTruncation;
-
- enum { null(0), md5(1), sha1(2), (255) } MACAlgorithm;
-
-Here "MACTruncations" contains a list of MAC truncation sizes suggested
-by the client. Allowed values for suggested truncation sizes are: for
-HMAC-with-SHA1 ("sha1") - 80 bits; and for HMAC-with-MD5 ("md5") - 80
-bits.
-
-Servers that receive an extended hello containing a "truncated_MAC"
-extension, MAY agree to use a truncated MAC by including an extension
-of type "truncated_MAC" in the extended server hello. The
-"unknown_extension" field of this extension shall contain
-"MACTruncation". Here "MACTruncation" shall contain the agreed MAC
-truncation size, select from the list suggested by the client. Note
-that the "MACAlgorithm" identified in "MACTruncation" must match the
-MAC used by the established cipher suite.
-
-Servers receiving MAC truncation negotiation requests requesting values
-other than the allowed values, MUST abort the handshake. Similarly
-clients receiving MAC truncation negotiation responses that differ from
-the values they suggested, or that do not match the established cipher
-suite, MUST abort the handshake.
-
-Once MAC truncation has been successfully negotiated during a TLS
-handshake, both the client and the server pass the negotiated
-truncation size to the TLS record layer along with the other negotiated
-security parameters. Subsequently during the session, clients and
-
-Blake-Wilson, Nystrom [Page 10]
-
-INTERNET-DRAFT 17 November 2000
-
-servers MUST use truncated MACs. (Truncated MACs are calculated as
-specified in [HMAC].)
-
-3.6. OCSP
-
-Wireless clients may wish to use OCSP [OCSP] to check the validity of
-server certificates, in order to avoid transmission of CRLs and
-therefore save bandwidth on wireless networks.
-
-In order to indicate their desire to use OCSP, clients MAY include an
-extension of type "status_request" in the (extended) client hello. The
-"unknown_extension" field of this extension shall contain
-"TrustedAuthorities" as defined in Section 3.3.
-
-Here "TrustedAuthorities" provides a list of OCSP responders that the
-client trusts. The "null" alternative in "TrustedAuthorities" can be
-used to indicate that the responders are implicitly known to the server
-- e.g. by prior arrangement.
-
-Servers that receive a client hello containing the "status_request"
-extension, MAY return an OCSP response to the client along with their
-certificate, and MAY use the information contained in the extension
-when selecting an OCSP responder.
-
-Servers return an OCSP response along with their certificate by sending
-"CertificateAndOCSPResponse" in place of the "Certificate" message. If
-a server returns an OCSP response, then the server MUST include an
-extension of type "status_request" with empty "unknown_extensions" in the
-extended server hello.
-
- struct {
- ASN.1Cert certificate_list<0..2^24-1>;
- OCSPResponse ocsp_response;
- } CertificateAndOCSPResponse;
-
- opaque ASN.1Cert<1..2^24-1>;
-
- opaque OCSPResponse<1..2^24-1>;
-
-(Nevertheless, the handshake message is identified as being of type
-"certificate".)
-
-Here "ocsp_response" contains a complete, DER-encoded OCSP response.
-Note that only one OCSP response may be sent.
-
-Note that a server MAY also choose not to send the
-"CertificateAndOCSPResponse" message, and instead send the "Certificate"
-message, even if it receives a "status_request" extension in the
-client hello message.
-
-Note in addition that servers MUST NOT send the
-"CertificateAndOCSPResponse" message unless it received a
-"status_request" extension in the client hello message.
-
-Clients requesting an OCSP response, and receiving an OCSP response in
-a "CertificateAndOCSPResponse" field:
-
-- MUST process the certificate as if it was received in a "Certificate"
- message, and;
-
-- MAY check the OCSP response and abort the handshake if the response
- is not satisfactory.
-
-Blake-Wilson, Nystrom [Page 11]
-
-INTERNET-DRAFT 17 November 2000
-
-
-4. Security Considerations
-
-The use of the extensions specified in this document may introduce
-security concerns for TLS clients and servers.
-
-In particular, it is possible that truncated MACs are weaker than
-"un-truncated" MACs. No such weaknesses are currently known for the
-truncation sizes specified in this document.
-
-In addition, it is possible that which CA root keys a client possesses
-could be regarded as confidential information. As a result, the CA root
-key indication extension should be used with care.
-
-Also, TLS entities must be aware of the fact that until the handshake
-has been authenticated, active attackers can modify messages and
-insert, remove, or replace extensions.
-
-In general, implementers should continue to monitor the state of the
-art, and address any weaknesses identified.
-
-Additional security considerations are described in the TLS RFC [TLS].
-
-
-5. Intellectual Property Rights
-
-The IETF invites any interested party to bring to its attention any
-copyrights, patents or patent applications, or other proprietary rights
-which may cover technology that may be required to practice this
-document. Please address the information to the IETF Executive Director.
-
-
-6. Acknowledgments
-
-The authors wish to thank the WAP Security Group. This document is
-based on discussion within the WAP Security Group.
-
-
-7. References
-
-[HMAC] Krawczyk, H., Bellare, M., and Canetti, R. - HMAC: Keyed-hashing
- for message authentication. IETF RFC 2104, February 1997.
-
-[MAILING LIST] Mikkelsen, J. Eberhard, R., and J. Kistler, "General
- ClientHello extension mechanism and virtual hosting," Ietf-tls
- mailing list posting, August 14, 2000.
-
-[OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
- Adams, "Internet X.509 Public Key Infrastructure: Online Certificate
- Status Protocol - OCSP," IETF RFC 2560, June 1999.
-
-
-Blake-Wilson, Nystrom [Page 12]
-
-INTERNET-DRAFT 17 November 2000
-
-
-[TLS] Dierks, T., and C. Allen, "The TLS Protocol - Version 1.0,"
- IETF RFC 2246, January 1999.
-
-
-8. Authors' Addresses
-
- Simon Blake-Wilson
- Certicom Corp.
- sblake-wilson@certicom.com
-
- Magnus Nystrom
- RSA Security
- magnus@rsasecurity.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blake-Wilson, Nystrom [Page 13]
-
diff --git a/doc/protocol/rfc2817.txt b/doc/protocol/rfc2817.txt
new file mode 100644
index 0000000000..d7b7e703bb
--- /dev/null
+++ b/doc/protocol/rfc2817.txt
@@ -0,0 +1,731 @@
+
+
+
+
+
+
+Network Working Group R. Khare
+Request for Comments: 2817 4K Associates / UC Irvine
+Updates: 2616 S. Lawrence
+Category: Standards Track Agranat Systems, Inc.
+ May 2000
+
+
+ Upgrading to TLS Within HTTP/1.1
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This memo explains how to use the Upgrade mechanism in HTTP/1.1 to
+ initiate Transport Layer Security (TLS) over an existing TCP
+ connection. This allows unsecured and secured HTTP traffic to share
+ the same well known port (in this case, http: at 80 rather than
+ https: at 443). It also enables "virtual hosting", so a single HTTP +
+ TLS server can disambiguate traffic intended for several hostnames at
+ a single IP address.
+
+ Since HTTP/1.1 [1] defines Upgrade as a hop-by-hop mechanism, this
+ memo also documents the HTTP CONNECT method for establishing end-to-
+ end tunnels across HTTP proxies. Finally, this memo establishes new
+ IANA registries for public HTTP status codes, as well as public or
+ private Upgrade product tokens.
+
+ This memo does NOT affect the current definition of the 'https' URI
+ scheme, which already defines a separate namespace
+ (http://example.org/ and https://example.org/ are not equivalent).
+
+
+
+
+
+
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 1]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+Table of Contents
+
+ 1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.1 Requirements Terminology . . . . . . . . . . . . . . . . . . . 4
+ 3. Client Requested Upgrade to HTTP over TLS . . . . . . . . . . 4
+ 3.1 Optional Upgrade . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3.2 Mandatory Upgrade . . . . . . . . . . . . . . . . . . . . . . 4
+ 3.3 Server Acceptance of Upgrade Request . . . . . . . . . . . . . 4
+ 4. Server Requested Upgrade to HTTP over TLS . . . . . . . . . . 5
+ 4.1 Optional Advertisement . . . . . . . . . . . . . . . . . . . . 5
+ 4.2 Mandatory Advertisement . . . . . . . . . . . . . . . . . . . 5
+ 5. Upgrade across Proxies . . . . . . . . . . . . . . . . . . . . 6
+ 5.1 Implications of Hop By Hop Upgrade . . . . . . . . . . . . . . 6
+ 5.2 Requesting a Tunnel with CONNECT . . . . . . . . . . . . . . . 6
+ 5.3 Establishing a Tunnel with CONNECT . . . . . . . . . . . . . . 7
+ 6. Rationale for the use of a 4xx (client error) Status Code . . 7
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
+ 7.1 HTTP Status Code Registry . . . . . . . . . . . . . . . . . . 8
+ 7.2 HTTP Upgrade Token Registry . . . . . . . . . . . . . . . . . 8
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
+ 8.1 Implications for the https: URI Scheme . . . . . . . . . . . . 10
+ 8.2 Security Considerations for CONNECT . . . . . . . . . . . . . 10
+ References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
+ A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
+
+1. Motivation
+
+ The historical practice of deploying HTTP over SSL3 [3] has
+ distinguished the combination from HTTP alone by a unique URI scheme
+ and the TCP port number. The scheme 'http' meant the HTTP protocol
+ alone on port 80, while 'https' meant the HTTP protocol over SSL on
+ port 443. Parallel well-known port numbers have similarly been
+ requested -- and in some cases, granted -- to distinguish between
+ secured and unsecured use of other application protocols (e.g.
+ snews, ftps). This approach effectively halves the number of
+ available well known ports.
+
+ At the Washington DC IETF meeting in December 1997, the Applications
+ Area Directors and the IESG reaffirmed that the practice of issuing
+ parallel "secure" port numbers should be deprecated. The HTTP/1.1
+ Upgrade mechanism can apply Transport Layer Security [6] to an open
+ HTTP connection.
+
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 2]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ In the nearly two years since, there has been broad acceptance of the
+ concept behind this proposal, but little interest in implementing
+ alternatives to port 443 for generic Web browsing. In fact, nothing
+ in this memo affects the current interpretation of https: URIs.
+ However, new application protocols built atop HTTP, such as the
+ Internet Printing Protocol [7], call for just such a mechanism in
+ order to move ahead in the IETF standards process.
+
+ The Upgrade mechanism also solves the "virtual hosting" problem.
+ Rather than allocating multiple IP addresses to a single host, an
+ HTTP/1.1 server will use the Host: header to disambiguate the
+ intended web service. As HTTP/1.1 usage has grown more prevalent,
+ more ISPs are offering name-based virtual hosting, thus delaying IP
+ address space exhaustion.
+
+ TLS (and SSL) have been hobbled by the same limitation as earlier
+ versions of HTTP: the initial handshake does not specify the intended
+ hostname, relying exclusively on the IP address. Using a cleartext
+ HTTP/1.1 Upgrade: preamble to the TLS handshake -- choosing the
+ certificates based on the initial Host: header -- will allow ISPs to
+ provide secure name-based virtual hosting as well.
+
+2. Introduction
+
+ TLS, a.k.a., SSL (Secure Sockets Layer), establishes a private end-
+ to-end connection, optionally including strong mutual authentication,
+ using a variety of cryptosystems. Initially, a handshake phase uses
+ three subprotocols to set up a record layer, authenticate endpoints,
+ set parameters, as well as report errors. Then, there is an ongoing
+ layered record protocol that handles encryption, compression, and
+ reassembly for the remainder of the connection. The latter is
+ intended to be completely transparent. For example, there is no
+ dependency between TLS's record markers and or certificates and
+ HTTP/1.1's chunked encoding or authentication.
+
+ Either the client or server can use the HTTP/1.1 [1] Upgrade
+ mechanism (Section 14.42) to indicate that a TLS-secured connection
+ is desired or necessary. This memo defines the "TLS/1.0" Upgrade
+ token, and a new HTTP Status Code, "426 Upgrade Required".
+
+ Section 3 and Section 4 describe the operation of a directly
+ connected client and server. Intermediate proxies must establish an
+ end-to-end tunnel before applying those operations, as explained in
+ Section 5.
+
+
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 3]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+2.1 Requirements Terminology
+
+ Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
+ "MAY" that appear in this document are to be interpreted as described
+ in RFC 2119 [11].
+
+3. Client Requested Upgrade to HTTP over TLS
+
+ When the client sends an HTTP/1.1 request with an Upgrade header
+ field containing the token "TLS/1.0", it is requesting the server to
+ complete the current HTTP/1.1 request after switching to TLS/1.0.
+
+3.1 Optional Upgrade
+
+ A client MAY offer to switch to secured operation during any clear
+ HTTP request when an unsecured response would be acceptable:
+
+ GET http://example.bank.com/acct_stat.html?749394889300 HTTP/1.1
+ Host: example.bank.com
+ Upgrade: TLS/1.0
+ Connection: Upgrade
+
+ In this case, the server MAY respond to the clear HTTP operation
+ normally, OR switch to secured operation (as detailed in the next
+ section).
+
+ Note that HTTP/1.1 [1] specifies "the upgrade keyword MUST be
+ supplied within a Connection header field (section 14.10) whenever
+ Upgrade is present in an HTTP/1.1 message".
+
+3.2 Mandatory Upgrade
+
+ If an unsecured response would be unacceptable, a client MUST send an
+ OPTIONS request first to complete the switch to TLS/1.0 (if
+ possible).
+
+ OPTIONS * HTTP/1.1
+ Host: example.bank.com
+ Upgrade: TLS/1.0
+ Connection: Upgrade
+
+3.3 Server Acceptance of Upgrade Request
+
+ As specified in HTTP/1.1 [1], if the server is prepared to initiate
+ the TLS handshake, it MUST send the intermediate "101 Switching
+ Protocol" and MUST include an Upgrade response header specifying the
+ tokens of the protocol stack it is switching to:
+
+
+
+
+Khare & Lawrence Standards Track [Page 4]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ HTTP/1.1 101 Switching Protocols
+ Upgrade: TLS/1.0, HTTP/1.1
+ Connection: Upgrade
+
+ Note that the protocol tokens listed in the Upgrade header of a 101
+ Switching Protocols response specify an ordered 'bottom-up' stack.
+
+ As specified in HTTP/1.1 [1], Section 10.1.2: "The server will
+ switch protocols to those defined by the response's Upgrade header
+ field immediately after the empty line which terminates the 101
+ response".
+
+ Once the TLS handshake completes successfully, the server MUST
+ continue with the response to the original request. Any TLS handshake
+ failure MUST lead to disconnection, per the TLS error alert
+ specification.
+
+4. Server Requested Upgrade to HTTP over TLS
+
+ The Upgrade response header field advertises possible protocol
+ upgrades a server MAY accept. In conjunction with the "426 Upgrade
+ Required" status code, a server can advertise the exact protocol
+ upgrade(s) that a client MUST accept to complete the request.
+
+4.1 Optional Advertisement
+
+ As specified in HTTP/1.1 [1], the server MAY include an Upgrade
+ header in any response other than 101 or 426 to indicate a
+ willingness to switch to any (combination) of the protocols listed.
+
+4.2 Mandatory Advertisement
+
+ A server MAY indicate that a client request can not be completed
+ without TLS using the "426 Upgrade Required" status code, which MUST
+ include an an Upgrade header field specifying the token of the
+ required TLS version.
+
+ HTTP/1.1 426 Upgrade Required
+ Upgrade: TLS/1.0, HTTP/1.1
+ Connection: Upgrade
+
+ The server SHOULD include a message body in the 426 response which
+ indicates in human readable form the reason for the error and
+ describes any alternative courses which may be available to the user.
+
+ Note that even if a client is willing to use TLS, it must use the
+ operations in Section 3 to proceed; the TLS handshake cannot begin
+ immediately after the 426 response.
+
+
+
+Khare & Lawrence Standards Track [Page 5]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+5. Upgrade across Proxies
+
+ As a hop-by-hop header, Upgrade is negotiated between each pair of
+ HTTP counterparties. If a User Agent sends a request with an Upgrade
+ header to a proxy, it is requesting a change to the protocol between
+ itself and the proxy, not an end-to-end change.
+
+ Since TLS, in particular, requires end-to-end connectivity to provide
+ authentication and prevent man-in-the-middle attacks, this memo
+ specifies the CONNECT method to establish a tunnel across proxies.
+
+ Once a tunnel is established, any of the operations in Section 3 can
+ be used to establish a TLS connection.
+
+5.1 Implications of Hop By Hop Upgrade
+
+ If an origin server receives an Upgrade header from a proxy and
+ responds with a 101 Switching Protocols response, it is changing the
+ protocol only on the connection between the proxy and itself.
+ Similarly, a proxy might return a 101 response to its client to
+ change the protocol on that connection independently of the protocols
+ it is using to communicate toward the origin server.
+
+ These scenarios also complicate diagnosis of a 426 response. Since
+ Upgrade is a hop-by-hop header, a proxy that does not recognize 426
+ might remove the accompanying Upgrade header and prevent the client
+ from determining the required protocol switch. If a client receives
+ a 426 status without an accompanying Upgrade header, it will need to
+ request an end to end tunnel connection as described in Section 5.2
+ and repeat the request in order to obtain the required upgrade
+ information.
+
+ This hop-by-hop definition of Upgrade was a deliberate choice. It
+ allows for incremental deployment on either side of proxies, and for
+ optimized protocols between cascaded proxies without the knowledge of
+ the parties that are not a part of the change.
+
+5.2 Requesting a Tunnel with CONNECT
+
+ A CONNECT method requests that a proxy establish a tunnel connection
+ on its behalf. The Request-URI portion of the Request-Line is always
+ an 'authority' as defined by URI Generic Syntax [2], which is to say
+ the host name and port number destination of the requested connection
+ separated by a colon:
+
+ CONNECT server.example.com:80 HTTP/1.1
+ Host: server.example.com:80
+
+
+
+
+Khare & Lawrence Standards Track [Page 6]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ Other HTTP mechanisms can be used normally with the CONNECT method --
+ except end-to-end protocol Upgrade requests, of course, since the
+ tunnel must be established first.
+
+ For example, proxy authentication might be used to establish the
+ authority to create a tunnel:
+
+ CONNECT server.example.com:80 HTTP/1.1
+ Host: server.example.com:80
+ Proxy-Authorization: basic aGVsbG86d29ybGQ=
+
+ Like any other pipelined HTTP/1.1 request, data to be tunneled may be
+ sent immediately after the blank line. The usual caveats also apply:
+ data may be discarded if the eventual response is negative, and the
+ connection may be reset with no response if more than one TCP segment
+ is outstanding.
+
+5.3 Establishing a Tunnel with CONNECT
+
+ Any successful (2xx) response to a CONNECT request indicates that the
+ proxy has established a connection to the requested host and port,
+ and has switched to tunneling the current connection to that server
+ connection.
+
+ It may be the case that the proxy itself can only reach the requested
+ origin server through another proxy. In this case, the first proxy
+ SHOULD make a CONNECT request of that next proxy, requesting a tunnel
+ to the authority. A proxy MUST NOT respond with any 2xx status code
+ unless it has either a direct or tunnel connection established to the
+ authority.
+
+ An origin server which receives a CONNECT request for itself MAY
+ respond with a 2xx status code to indicate that a connection is
+ established.
+
+ If at any point either one of the peers gets disconnected, any
+ outstanding data that came from that peer will be passed to the other
+ one, and after that also the other connection will be terminated by
+ the proxy. If there is outstanding data to that peer undelivered,
+ that data will be discarded.
+
+6. Rationale for the use of a 4xx (client error) Status Code
+
+ Reliable, interoperable negotiation of Upgrade features requires an
+ unambiguous failure signal. The 426 Upgrade Required status code
+ allows a server to definitively state the precise protocol extensions
+ a given resource must be served with.
+
+
+
+
+Khare & Lawrence Standards Track [Page 7]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ It might at first appear that the response should have been some form
+ of redirection (a 3xx code), by analogy to an old-style redirection
+ to an https: URI. User agents that do not understand Upgrade:
+ preclude this.
+
+ Suppose that a 3xx code had been assigned for "Upgrade Required"; a
+ user agent that did not recognize it would treat it as 300. It would
+ then properly look for a "Location" header in the response and
+ attempt to repeat the request at the URL in that header field. Since
+ it did not know to Upgrade to incorporate the TLS layer, it would at
+ best fail again at the new URL.
+
+7. IANA Considerations
+
+ IANA shall create registries for two name spaces, as described in BCP
+ 26 [10]:
+
+ o HTTP Status Codes
+ o HTTP Upgrade Tokens
+
+7.1 HTTP Status Code Registry
+
+ The HTTP Status Code Registry defines the name space for the Status-
+ Code token in the Status line of an HTTP response. The initial
+ values for this name space are those specified by:
+
+ 1. Draft Standard for HTTP/1.1 [1]
+ 2. Web Distributed Authoring and Versioning [4] [defines 420-424]
+ 3. WebDAV Advanced Collections [5] (Work in Progress) [defines 425]
+ 4. Section 6 [defines 426]
+
+ Values to be added to this name space SHOULD be subject to review in
+ the form of a standards track document within the IETF Applications
+ Area. Any such document SHOULD be traceable through statuses of
+ either 'Obsoletes' or 'Updates' to the Draft Standard for
+ HTTP/1.1 [1].
+
+7.2 HTTP Upgrade Token Registry
+
+ The HTTP Upgrade Token Registry defines the name space for product
+ tokens used to identify protocols in the Upgrade HTTP header field.
+ Each registered token should be associated with one or a set of
+ specifications, and with contact information.
+
+ The Draft Standard for HTTP/1.1 [1] specifies that these tokens obey
+ the production for 'product':
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 8]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ product = token ["/" product-version]
+ product-version = token
+
+ Registrations should be allowed on a First Come First Served basis as
+ described in BCP 26 [10]. These specifications need not be IETF
+ documents or be subject to IESG review, but should obey the following
+ rules:
+
+ 1. A token, once registered, stays registered forever.
+ 2. The registration MUST name a responsible party for the
+ registration.
+ 3. The registration MUST name a point of contact.
+ 4. The registration MAY name the documentation required for the
+ token.
+ 5. The responsible party MAY change the registration at any time.
+ The IANA will keep a record of all such changes, and make them
+ available upon request.
+ 6. The responsible party for the first registration of a "product"
+ token MUST approve later registrations of a "version" token
+ together with that "product" token before they can be registered.
+ 7. If absolutely required, the IESG MAY reassign the responsibility
+ for a token. This will normally only be used in the case when a
+ responsible party cannot be contacted.
+
+ This specification defines the protocol token "TLS/1.0" as the
+ identifier for the protocol specified by The TLS Protocol [6].
+
+ It is NOT required that specifications for upgrade tokens be made
+ publicly available, but the contact information for the registration
+ SHOULD be.
+
+8. Security Considerations
+
+ The potential for a man-in-the-middle attack (deleting the Upgrade
+ header) remains the same as current, mixed http/https practice:
+
+ o Removing the Upgrade header is similar to rewriting web pages to
+ change https:// links to http:// links.
+ o The risk is only present if the server is willing to vend such
+ information over both a secure and an insecure channel in the
+ first place.
+ o If the client knows for a fact that a server is TLS-compliant, it
+ can insist on it by only sending an Upgrade request with a no-op
+ method like OPTIONS.
+ o Finally, as the https: specification warns, "users should
+ carefully examine the certificate presented by the server to
+ determine if it meets their expectations".
+
+
+
+
+Khare & Lawrence Standards Track [Page 9]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ Furthermore, for clients that do not explicitly try to invoke TLS,
+ servers can use the Upgrade header in any response other than 101 or
+ 426 to advertise TLS compliance. Since TLS compliance should be
+ considered a feature of the server and not the resource at hand, it
+ should be sufficient to send it once, and let clients cache that
+ fact.
+
+8.1 Implications for the https: URI Scheme
+
+ While nothing in this memo affects the definition of the 'https' URI
+ scheme, widespread adoption of this mechanism for HyperText content
+ could use 'http' to identify both secure and non-secure resources.
+
+ The choice of what security characteristics are required on the
+ connection is left to the client and server. This allows either
+ party to use any information available in making this determination.
+ For example, user agents may rely on user preference settings or
+ information about the security of the network such as 'TLS required
+ on all POST operations not on my local net', or servers may apply
+ resource access rules such as 'the FORM on this page must be served
+ and submitted using TLS'.
+
+8.2 Security Considerations for CONNECT
+
+ A generic TCP tunnel is fraught with security risks. First, such
+ authorization should be limited to a small number of known ports.
+ The Upgrade: mechanism defined here only requires onward tunneling at
+ port 80. Second, since tunneled data is opaque to the proxy, there
+ are additional risks to tunneling to other well-known or reserved
+ ports. A putative HTTP client CONNECTing to port 25 could relay spam
+ via SMTP, for example.
+
+References
+
+ [1] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
+ Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --
+ HTTP/1.1", RFC 2616, June 1999.
+
+ [2] Berners-Lee, T., Fielding, R. and L. Masinter, "URI Generic
+ Syntax", RFC 2396, August 1998.
+
+ [3] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
+
+ [4] Goland, Y., Whitehead, E., Faizi, A., Carter, S. and D. Jensen,
+ "Web Distributed Authoring and Versioning", RFC 2518, February
+ 1999.
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 10]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+ [5] Slein, J., Whitehead, E.J., et al., "WebDAV Advanced Collections
+ Protocol", Work In Progress.
+
+ [6] Dierks, T. and C. Allen, "The TLS Protocol", RFC 2246, January
+ 1999.
+
+ [7] Herriot, R., Butler, S., Moore, P. and R. Turner, "Internet
+ Printing Protocol/1.0: Encoding and Transport", RFC 2565, April
+ 1999.
+
+ [8] Luotonen, A., "Tunneling TCP based protocols through Web proxy
+ servers", Work In Progress. (Also available in: Luotonen, Ari.
+ Web Proxy Servers, Prentice-Hall, 1997 ISBN:0136806120.)
+
+ [9] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June
+ 1999.
+
+ [10] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+ [11] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+Authors' Addresses
+
+ Rohit Khare
+ 4K Associates / UC Irvine
+ 3207 Palo Verde
+ Irvine, CA 92612
+ US
+
+ Phone: +1 626 806 7574
+ EMail: rohit@4K-associates.com
+ URI: http://www.4K-associates.com/
+
+
+ Scott Lawrence
+ Agranat Systems, Inc.
+ 5 Clocktower Place
+ Suite 400
+ Maynard, MA 01754
+ US
+
+ Phone: +1 978 461 0888
+ EMail: lawrence@agranat.com
+ URI: http://www.agranat.com/
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 11]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+Appendix A. Acknowledgments
+
+ The CONNECT method was originally described in a Work in Progress
+ titled, "Tunneling TCP based protocols through Web proxy servers",
+ [8] by Ari Luotonen of Netscape Communications Corporation. It was
+ widely implemented by HTTP proxies, but was never made a part of any
+ IETF Standards Track document. The method name CONNECT was reserved,
+ but not defined in [1].
+
+ The definition provided here is derived directly from that earlier
+ memo, with some editorial changes and conformance to the stylistic
+ conventions since established in other HTTP specifications.
+
+ Additional Thanks to:
+
+ o Paul Hoffman for his work on the STARTTLS command extension for
+ ESMTP.
+ o Roy Fielding for assistance with the rationale behind Upgrade:
+ and its interaction with OPTIONS.
+ o Eric Rescorla for his work on standardizing the existing https:
+ practice to compare with.
+ o Marshall Rose, for the xml2rfc document type description and tools
+ [9].
+ o Jim Whitehead, for sorting out the current range of available HTTP
+ status codes.
+ o Henrik Frystyk Nielsen, whose work on the Mandatory extension
+ mechanism pointed out a hop-by-hop Upgrade still requires
+ tunneling.
+ o Harald Alvestrand for improvements to the token registration
+ rules.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 12]
+
+RFC 2817 HTTP Upgrade to TLS May 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Khare & Lawrence Standards Track [Page 13]
+
View Lorry Controller Status