summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3546.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3546.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3546.txt')
-rw-r--r--doc/rfc/rfc3546.txt1627
1 files changed, 1627 insertions, 0 deletions
diff --git a/doc/rfc/rfc3546.txt b/doc/rfc/rfc3546.txt
new file mode 100644
index 0000000..4392449
--- /dev/null
+++ b/doc/rfc/rfc3546.txt
@@ -0,0 +1,1627 @@
+
+
+
+
+
+
+Network Working Group S. Blake-Wilson
+Request for Comments: 3546 BCI
+Updates: 2246 M. Nystrom
+Category: Standards Track RSA Security
+ D. Hopwood
+ Independent Consultant
+ J. Mikkelsen
+ Transactionware
+ T. Wright
+ Vodafone
+ June 2003
+
+
+ Transport Layer Security (TLS) Extensions
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes extensions that may be used to add
+ functionality to Transport Layer Security (TLS). It provides both
+ generic extension mechanisms for the TLS handshake client and server
+ hellos, and specific extensions using these generic mechanisms.
+
+ The extensions may be used by TLS clients and servers. The
+ extensions are backwards compatible - communication is possible
+ between TLS 1.0 clients that support the extensions and TLS 1.0
+ servers that do not support the extensions, and vice versa.
+
+Conventions used in this Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [KEYWORDS].
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 1]
+
+RFC 3546 TLS Extensions June 2003
+
+
+Table of Contents
+
+ 1. Introduction ............................................. 2
+ 2. General Extension Mechanisms ............................. 4
+ 2.1. Extended Client Hello ............................... 5
+ 2.2. Extended Server Hello ............................... 5
+ 2.3. Hello Extensions .................................... 6
+ 2.4. Extensions to the handshake protocol ................ 7
+ 3. Specific Extensions ...................................... 8
+ 3.1. Server Name Indication .............................. 8
+ 3.2. Maximum Fragment Length Negotiation ................. 10
+ 3.3. Client Certificate URLs ............................. 11
+ 3.4. Trusted CA Indication ............................... 14
+ 3.5. Truncated HMAC ...................................... 15
+ 3.6. Certificate Status Request........................... 16
+ 4. Error alerts .............................................. 18
+ 5. Procedure for Defining New Extensions...................... 20
+ 6. Security Considerations .................................. 21
+ 6.1. Security of server_name ............................. 21
+ 6.2. Security of max_fragment_length ..................... 21
+ 6.3. Security of client_certificate_url .................. 22
+ 6.4. Security of trusted_ca_keys ......................... 23
+ 6.5. Security of truncated_hmac .......................... 23
+ 6.6. Security of status_request .......................... 24
+ 7. Internationalization Considerations ...................... 24
+ 8. IANA Considerations ...................................... 24
+ 9. Intellectual Property Rights ............................. 26
+ 10. Acknowledgments .......................................... 26
+ 11. Normative References ..................................... 27
+ 12. Informative References ................................... 28
+ 13. Authors' Addresses ....................................... 28
+ 14. Full Copyright Statement ................................. 29
+
+1. Introduction
+
+ This document describes extensions that may be used to add
+ functionality to Transport Layer Security (TLS). It provides both
+ generic extension mechanisms for the TLS handshake client and server
+ hellos, and specific extensions using these generic mechanisms.
+
+ TLS is now used in an increasing variety of operational environments
+ - many of which were not envisioned when the original design criteria
+ for TLS were determined. The extensions introduced in this document
+ are designed to enable TLS to operate as effectively as possible in
+ new environments like wireless networks.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 2]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Wireless environments often suffer from a number of constraints not
+ commonly present in wired environments. These constraints may
+ include bandwidth limitations, computational power limitations,
+ memory limitations, and battery life limitations.
+
+ The extensions described here focus on extending the functionality
+ provided by the TLS protocol message formats. Other issues, such as
+ the addition of new cipher suites, are deferred.
+
+ Specifically, the extensions described in this document are designed
+ to:
+
+ - Allow TLS clients to provide to the TLS server the name of the
+ server they are contacting. This functionality is desirable to
+ facilitate secure connections to servers that host multiple
+ 'virtual' servers at a single underlying network address.
+
+ - Allow TLS clients and servers to negotiate the maximum fragment
+ length to be sent. This functionality is desirable as a result of
+ memory constraints among some clients, and bandwidth constraints
+ among some access networks.
+
+ - Allow TLS clients and servers to negotiate the use of client
+ certificate URLs. This functionality is desirable in order to
+ conserve memory on constrained clients.
+
+ - Allow TLS clients to indicate to TLS servers which CA root keys
+ they possess. This functionality is desirable in order to prevent
+ multiple handshake failures involving TLS clients that are only
+ able to store a small number of CA root keys due to memory
+ limitations.
+
+ - Allow TLS clients and servers to negotiate the use of truncated
+ MACs. This functionality is desirable in order to conserve
+ bandwidth in constrained access networks.
+
+ - Allow TLS clients and servers to negotiate that the server sends
+ the client certificate status information (e.g., an Online
+ Certificate Status Protocol (OCSP) [OCSP] response) during a TLS
+ handshake. This functionality is desirable in order to avoid
+ sending a Certificate Revocation List (CRL) over a constrained
+ access network and therefore save bandwidth.
+
+ In order to support the extensions above, general extension
+ mechanisms for the client hello message and the server hello message
+ are introduced.
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 3]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ The extensions described in this document may be used by TLS 1.0
+ clients and TLS 1.0 servers. The extensions are designed to be
+ backwards compatible - meaning that TLS 1.0 clients that support the
+ extensions can talk to TLS 1.0 servers that do not support the
+ extensions, and vice versa.
+
+ Backwards compatibility is primarily achieved via two considerations:
+
+ - Clients typically request the use of extensions via the extended
+ client hello message described in Section 2.1. TLS 1.0 [TLS]
+ requires servers to accept extended client hello messages, even if
+ the server does not "understand" the extension.
+
+ - For the specific extensions described here, no mandatory server
+ response is required when clients request extended functionality.
+
+ Note however, that although backwards compatibility is supported,
+ some constrained clients may be forced to reject communications with
+ servers that do not support the extensions as a result of the limited
+ capabilities of such clients.
+
+ The remainder of this document is organized as follows. Section 2
+ describes general extension mechanisms for the client hello and
+ server hello handshake messages. Section 3 describes specific
+ extensions to TLS 1.0. Section 4 describes new error alerts for use
+ with the TLS extensions. The final sections of the document address
+ IPR, security considerations, registration of the application/pkix-
+ pkipath MIME type, acknowledgements, and references.
+
+2. General Extension Mechanisms
+
+ This section presents general extension mechanisms for the TLS
+ handshake client hello and server hello messages.
+
+ These general extension mechanisms are necessary in order to enable
+ clients and servers to negotiate whether to use specific extensions,
+ and how to use specific extensions. The extension formats described
+ are based on [MAILING LIST].
+
+ Section 2.1 specifies the extended client hello message format,
+ Section 2.2 specifies the extended server hello message format, and
+ Section 2.3 describes the actual extension format used with the
+ extended client and server hellos.
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 4]
+
+RFC 3546 TLS Extensions June 2003
+
+
+2.1. Extended Client Hello
+
+ Clients MAY request extended functionality from servers by sending
+ the extended client hello message format in place of the client hello
+ message format. The extended client hello message format is:
+
+ struct {
+ ProtocolVersion client_version;
+ Random random;
+ SessionID session_id;
+ CipherSuite cipher_suites<2..2^16-1>;
+ CompressionMethod compression_methods<1..2^8-1>;
+ Extension client_hello_extension_list<0..2^16-1>;
+ } ClientHello;
+
+ Here the new "client_hello_extension_list" field contains a list of
+ extensions. The actual "Extension" format is defined in Section 2.3.
+
+ In the event that a client requests additional functionality using
+ the extended client hello, and this functionality is not supplied by
+ the server, the client MAY abort the handshake.
+
+ Note that [TLS], Section 7.4.1.2, allows additional information to be
+ added to the client hello message. Thus the use of the extended
+ client hello defined above should not "break" existing TLS 1.0
+ servers.
+
+ A server that supports the extensions mechanism MUST accept only
+ client hello messages in either the original or extended ClientHello
+ format, and (as for all other messages) MUST check that the amount of
+ data in the message precisely matches one of these formats; if not
+ then it MUST send a fatal "decode_error" alert. This overrides the
+ "Forward compatibility note" in [TLS].
+
+2.2. Extended Server Hello
+
+ The extended server hello message format MAY be sent in place of the
+ server hello message when the client has requested extended
+ functionality via the extended client hello message specified in
+ Section 2.1. The extended server hello message format is:
+
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 5]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ struct {
+ ProtocolVersion server_version;
+ Random random;
+ SessionID session_id;
+ CipherSuite cipher_suite;
+ CompressionMethod compression_method;
+ Extension server_hello_extension_list<0..2^16-1>;
+ } ServerHello;
+
+ Here the new "server_hello_extension_list" field contains a list of
+ extensions. The actual "Extension" format is defined in Section 2.3.
+
+ Note that the extended server hello message is only sent in response
+ to an extended client hello message. This prevents the possibility
+ that the extended server hello message could "break" existing TLS 1.0
+ clients.
+
+2.3. Hello Extensions
+
+ The extension format for extended client hellos and extended server
+ hellos is:
+
+ struct {
+ ExtensionType extension_type;
+ opaque extension_data<0..2^16-1>;
+ } Extension;
+
+ Here:
+
+ - "extension_type" identifies the particular extension type.
+
+ - "extension_data" contains information specific to the particular
+ extension type.
+
+ The extension types defined in this document are:
+
+ enum {
+ server_name(0), max_fragment_length(1),
+ client_certificate_url(2), trusted_ca_keys(3),
+ truncated_hmac(4), status_request(5), (65535)
+ } ExtensionType;
+
+ Note that for all extension types (including those defined in
+ future), the extension type MUST NOT appear in the extended server
+ hello unless the same extension type appeared in the corresponding
+ client hello. Thus clients MUST abort the handshake if they receive
+ an extension type in the extended server hello that they did not
+ request in the associated (extended) client hello.
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 6]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Nonetheless "server initiated" extensions may be provided in the
+ future within this framework by requiring the client to first send an
+ empty extension to indicate that it supports a particular extension.
+
+ Also note that when multiple extensions of different types are
+ present in the extended client hello or the extended server hello,
+ the extensions may appear in any order. There MUST NOT be more than
+ one extension of the same type.
+
+ Finally note that all the extensions defined in this document are
+ relevant only when a session is initiated. However, a client that
+ requests resumption of a session does not in general know whether the
+ server will accept this request, and therefore it SHOULD send an
+ extended client hello if it would normally do so for a new session.
+ If the resumption request is denied, then a new set of extensions
+ will be negotiated as normal. If, on the other hand, the older
+ session is resumed, then the server MUST ignore extensions appearing
+ in the client hello, and send a server hello containing no
+ extensions; in this case the extension functionality negotiated
+ during the original session initiation is applied to the resumed
+ session.
+
+2.4. Extensions to the handshake protocol
+
+ This document suggests the use of two new handshake messages,
+ "CertificateURL" and "CertificateStatus". These messages are
+ described in Section 3.3 and Section 3.6, respectively. The new
+ handshake message structure therefore becomes:
+
+ enum {
+ hello_request(0), client_hello(1), server_hello(2),
+ certificate(11), server_key_exchange (12),
+ certificate_request(13), server_hello_done(14),
+ certificate_verify(15), client_key_exchange(16),
+ finished(20), certificate_url(21), certificate_status(22),
+ (255)
+ } HandshakeType;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 7]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ struct {
+ HandshakeType msg_type; /* handshake type */
+ uint24 length; /* bytes in message */
+ select (HandshakeType) {
+ case hello_request: HelloRequest;
+ case client_hello: ClientHello;
+ case server_hello: ServerHello;
+ case certificate: Certificate;
+ case server_key_exchange: ServerKeyExchange;
+ case certificate_request: CertificateRequest;
+ case server_hello_done: ServerHelloDone;
+ case certificate_verify: CertificateVerify;
+ case client_key_exchange: ClientKeyExchange;
+ case finished: Finished;
+ case certificate_url: CertificateURL;
+ case certificate_status: CertificateStatus;
+ } body;
+ } Handshake;
+
+3. Specific Extensions
+
+ This section describes the specific TLS extensions specified in this
+ document.
+
+ Note that any messages associated with these extensions that are sent
+ during the TLS handshake MUST be included in the hash calculations
+ involved in "Finished" messages.
+
+ Section 3.1 describes the extension of TLS to allow a client to
+ indicate which server it is contacting. Section 3.2 describes the
+ extension to provide maximum fragment length negotiation. Section
+ 3.3 describes the extension to allow client certificate URLs.
+ Section 3.4 describes the extension to allow a client to indicate
+ which CA root keys it possesses. Section 3.5 describes the extension
+ to allow the use of truncated HMAC. Section 3.6 describes the
+ extension to support integration of certificate status information
+ messages into TLS handshakes.
+
+3.1. Server Name Indication
+
+ [TLS] does not provide a mechanism for a client to tell a server the
+ name of the server it is contacting. It may be desirable for clients
+ to provide this information to facilitate secure connections to
+ servers that host multiple 'virtual' servers at a single underlying
+ network address.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 8]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ In order to provide the server name, clients MAY include an extension
+ of type "server_name" in the (extended) client hello. The
+ "extension_data" field of this extension SHALL contain
+ "ServerNameList" where:
+
+ struct {
+ NameType name_type;
+ select (name_type) {
+ case host_name: HostName;
+ } name;
+ } ServerName;
+
+ enum {
+ host_name(0), (255)
+ } NameType;
+
+ opaque HostName<1..2^16-1>;
+
+ struct {
+ ServerName server_name_list<1..2^16-1>
+ } ServerNameList;
+
+ Currently the only server names supported are DNS hostnames, however
+ this does not imply any dependency of TLS on DNS, and other name
+ types may be added in the future (by an RFC that Updates this
+ document). TLS MAY treat provided server names as opaque data and
+ pass the names and types to the application.
+
+ "HostName" contains the fully qualified DNS hostname of the server,
+ as understood by the client. The hostname is represented as a byte
+ string using UTF-8 encoding [UTF8], without a trailing dot.
+
+ If the hostname labels contain only US-ASCII characters, then the
+ client MUST ensure that labels are separated only by the byte 0x2E,
+ representing the dot character U+002E (requirement 1 in section 3.1
+ of [IDNA] notwithstanding). If the server needs to match the HostName
+ against names that contain non-US-ASCII characters, it MUST perform
+ the conversion operation described in section 4 of [IDNA], treating
+ the HostName as a "query string" (i.e. the AllowUnassigned flag MUST
+ be set). Note that IDNA allows labels to be separated by any of the
+ Unicode characters U+002E, U+3002, U+FF0E, and U+FF61, therefore
+ servers MUST accept any of these characters as a label separator. If
+ the server only needs to match the HostName against names containing
+ exclusively ASCII characters, it MUST compare ASCII names case-
+ insensitively.
+
+ Literal IPv4 and IPv6 addresses are not permitted in "HostName".
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 9]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ It is RECOMMENDED that clients include an extension of type
+ "server_name" in the client hello whenever they locate a server by a
+ supported name type.
+
+ A server that receives a client hello containing the "server_name"
+ extension, MAY use the information contained in the extension to
+ guide its selection of an appropriate certificate to return to the
+ client, and/or other aspects of security policy. In this event, the
+ server SHALL include an extension of type "server_name" in the
+ (extended) server hello. The "extension_data" field of this
+ extension SHALL be empty.
+
+ If the server understood the client hello extension but does not
+ recognize the server name, it SHOULD send an "unrecognized_name"
+ alert (which MAY be fatal).
+
+ If an application negotiates a server name using an application
+ protocol, then upgrades to TLS, and a server_name extension is sent,
+ then the extension SHOULD contain the same name that was negotiated
+ in the application protocol. If the server_name is established in
+ the TLS session handshake, the client SHOULD NOT attempt to request a
+ different server name at the application layer.
+
+3.2. Maximum Fragment Length Negotiation
+
+ [TLS] specifies a fixed maximum plaintext fragment length of 2^14
+ bytes. It may be desirable for constrained clients to negotiate a
+ smaller maximum fragment length due to memory limitations or
+ bandwidth limitations.
+
+ In order to negotiate smaller maximum fragment lengths, clients MAY
+ include an extension of type "max_fragment_length" in the (extended)
+ client hello. The "extension_data" field of this extension SHALL
+ contain:
+
+ enum{
+ 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ } MaxFragmentLength;
+
+ whose value is the desired maximum fragment length. The allowed
+ values for this field are: 2^9, 2^10, 2^11, and 2^12.
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 10]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Servers that receive an extended client hello containing a
+ "max_fragment_length" extension, MAY accept the requested maximum
+ fragment length by including an extension of type
+ "max_fragment_length" in the (extended) server hello. The
+ "extension_data" field of this extension SHALL contain
+ "MaxFragmentLength" whose value is the same as the requested maximum
+ fragment length.
+
+ If a server receives a maximum fragment length negotiation request
+ for a value other than the allowed values, it MUST abort the
+ handshake with an "illegal_parameter" alert. Similarly, if a client
+ receives a maximum fragment length negotiation response that differs
+ from the length it requested, it MUST also abort the handshake with
+ an "illegal_parameter" alert.
+
+ Once a maximum fragment length other than 2^14 has been successfully
+ negotiated, the client and server MUST immediately begin fragmenting
+ messages (including handshake messages), to ensure that no fragment
+ larger than the negotiated length is sent. Note that TLS already
+ requires clients and servers to support fragmentation of handshake
+ messages.
+
+ The negotiated length applies for the duration of the session
+ including session resumptions.
+
+ The negotiated length limits the input that the record layer may
+ process without fragmentation (that is, the maximum value of
+ TLSPlaintext.length; see [TLS] section 6.2.1). Note that the output
+ of the record layer may be larger. For example, if the negotiated
+ length is 2^9=512, then for currently defined cipher suites (those
+ defined in [TLS], [KERB], and [AESSUITES]), and when null compression
+ is used, the record layer output can be at most 793 bytes: 5 bytes of
+ headers, 512 bytes of application data, 256 bytes of padding, and 20
+ bytes of MAC. That means that in this event a TLS record layer peer
+ receiving a TLS record layer message larger than 793 bytes may
+ discard the message and send a "record_overflow" alert, without
+ decrypting the message.
+
+3.3. Client Certificate URLs
+
+ [TLS] specifies that when client authentication is performed, client
+ certificates are sent by clients to servers during the TLS handshake.
+ It may be desirable for constrained clients to send certificate URLs
+ in place of certificates, so that they do not need to store their
+ certificates and can therefore save memory.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 11]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ In order to negotiate to send certificate URLs to a server, clients
+ MAY include an extension of type "client_certificate_url" in the
+ (extended) client hello. The "extension_data" field of this
+ extension SHALL be empty.
+
+ (Note that it is necessary to negotiate use of client certificate
+ URLs in order to avoid "breaking" existing TLS 1.0 servers.)
+
+ Servers that receive an extended client hello containing a
+ "client_certificate_url" extension, MAY indicate that they are
+ willing to accept certificate URLs by including an extension of type
+ "client_certificate_url" in the (extended) server hello. The
+ "extension_data" field of this extension SHALL be empty.
+
+ After negotiation of the use of client certificate URLs has been
+ successfully completed (by exchanging hellos including
+ "client_certificate_url" extensions), clients MAY send a
+ "CertificateURL" message in place of a "Certificate" message:
+
+ enum {
+ individual_certs(0), pkipath(1), (255)
+ } CertChainType;
+
+ enum {
+ false(0), true(1)
+ } Boolean;
+
+ struct {
+ CertChainType type;
+ URLAndOptionalHash url_and_hash_list<1..2^16-1>;
+ } CertificateURL;
+
+ struct {
+ opaque url<1..2^16-1>;
+ Boolean hash_present;
+ select (hash_present) {
+ case false: struct {};
+ case true: SHA1Hash;
+ } hash;
+ } URLAndOptionalHash;
+
+ opaque SHA1Hash[20];
+
+ Here "url_and_hash_list" contains a sequence of URLs and optional
+ hashes.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 12]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ When X.509 certificates are used, there are two possibilities:
+
+ - if CertificateURL.type is "individual_certs", each URL refers to a
+ single DER-encoded X.509v3 certificate, with the URL for the
+ client's certificate first, or
+
+ - if CertificateURL.type is "pkipath", the list contains a single
+ URL referring to a DER-encoded certificate chain, using the type
+ PkiPath described in Section 8.
+
+ When any other certificate format is used, the specification that
+ describes use of that format in TLS should define the encoding format
+ of certificates or certificate chains, and any constraint on their
+ ordering.
+
+ The hash corresponding to each URL at the client's discretion is
+ either not present or is the SHA-1 hash of the certificate or
+ certificate chain (in the case of X.509 certificates, the DER-encoded
+ certificate or the DER-encoded PkiPath).
+
+ Note that when a list of URLs for X.509 certificates is used, the
+ ordering of URLs is the same as that used in the TLS Certificate
+ message (see [TLS] Section 7.4.2), but opposite to the order in which
+ certificates are encoded in PkiPath. In either case, the self-signed
+ root certificate MAY be omitted from the chain, under the assumption
+ that the server must already possess it in order to validate it.
+
+ Servers receiving "CertificateURL" SHALL attempt to retrieve the
+ client's certificate chain from the URLs, and then process the
+ certificate chain as usual. A cached copy of the content of any URL
+ in the chain MAY be used, provided that a SHA-1 hash is present for
+ that URL and it matches the hash of the cached copy.
+
+ Servers that support this extension MUST support the http: URL scheme
+ for certificate URLs, and MAY support other schemes.
+
+ If the protocol used to retrieve certificates or certificate chains
+ returns a MIME formatted response (as HTTP does), then the following
+ MIME Content-Types SHALL be used: when a single X.509v3 certificate
+ is returned, the Content-Type is "application/pkix-cert" [PKIOP], and
+ when a chain of X.509v3 certificates is returned, the Content-Type is
+ "application/pkix-pkipath" (see Section 8).
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 13]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ If a SHA-1 hash is present for an URL, then the server MUST check
+ that the SHA-1 hash of the contents of the object retrieved from that
+ URL (after decoding any MIME Content-Transfer-Encoding) matches the
+ given hash. If any retrieved object does not have the correct SHA-1
+ hash, the server MUST abort the handshake with a
+ "bad_certificate_hash_value" alert.
+
+ Note that clients may choose to send either "Certificate" or
+ "CertificateURL" after successfully negotiating the option to send
+ certificate URLs. The option to send a certificate is included to
+ provide flexibility to clients possessing multiple certificates.
+
+ If a server encounters an unreasonable delay in obtaining
+ certificates in a given CertificateURL, it SHOULD time out and signal
+ a "certificate_unobtainable" error alert.
+
+3.4. Trusted CA Indication
+
+ Constrained clients that, due to memory limitations, possess only a
+ small number of CA root keys, may wish to indicate to servers which
+ root keys they possess, in order to avoid repeated handshake
+ failures.
+
+ In order to indicate which CA root keys they possess, clients MAY
+ include an extension of type "trusted_ca_keys" in the (extended)
+ client hello. The "extension_data" field of this extension SHALL
+ contain "TrustedAuthorities" where:
+
+ struct {
+ TrustedAuthority trusted_authorities_list<0..2^16-1>;
+ } TrustedAuthorities;
+
+ struct {
+ IdentifierType identifier_type;
+ select (identifier_type) {
+ case pre_agreed: struct {};
+ case key_sha1_hash: SHA1Hash;
+ case x509_name: DistinguishedName;
+ case cert_sha1_hash: SHA1Hash;
+ } identifier;
+ } TrustedAuthority;
+
+ enum {
+ pre_agreed(0), key_sha1_hash(1), x509_name(2),
+ cert_sha1_hash(3), (255)
+ } IdentifierType;
+
+ opaque DistinguishedName<1..2^16-1>;
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 14]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Here "TrustedAuthorities" provides a list of CA root key identifiers
+ that the client possesses. Each CA root key is identified via
+ either:
+
+ - "pre_agreed" - no CA root key identity supplied.
+
+ - "key_sha1_hash" - contains the SHA-1 hash of the CA root key. For
+ DSA and ECDSA keys, this is the hash of the "subjectPublicKey"
+ value. For RSA keys, the hash is of the big-endian byte string
+ representation of the modulus without any initial 0-valued bytes.
+ (This copies the key hash formats deployed in other environments.)
+
+ - "x509_name" - contains the DER-encoded X.509 DistinguishedName of
+ the CA.
+
+ - "cert_sha1_hash" - contains the SHA-1 hash of a DER-encoded
+ Certificate containing the CA root key.
+
+ Note that clients may include none, some, or all of the CA root keys
+ they possess in this extension.
+
+ Note also that it is possible that a key hash or a Distinguished Name
+ alone may not uniquely identify a certificate issuer - for example if
+ a particular CA has multiple key pairs - however here we assume this
+ is the case following the use of Distinguished Names to identify
+ certificate issuers in TLS.
+
+ The option to include no CA root keys is included to allow the client
+ to indicate possession of some pre-defined set of CA root keys.
+
+ Servers that receive a client hello containing the "trusted_ca_keys"
+ extension, MAY use the information contained in the extension to
+ guide their selection of an appropriate certificate chain to return
+ to the client. In this event, the server SHALL include an extension
+ of type "trusted_ca_keys" in the (extended) server hello. The
+ "extension_data" field of this extension SHALL be empty.
+
+3.5. Truncated HMAC
+
+ Currently defined TLS cipher suites use the MAC construction HMAC
+ with either MD5 or SHA-1 [HMAC] to authenticate record layer
+ communications. In TLS the entire output of the hash function is
+ used as the MAC tag. However it may be desirable in constrained
+ environments to save bandwidth by truncating the output of the hash
+ function to 80 bits when forming MAC tags.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 15]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ In order to negotiate the use of 80-bit truncated HMAC, clients MAY
+ include an extension of type "truncated_hmac" in the extended client
+ hello. The "extension_data" field of this extension SHALL be empty.
+
+ Servers that receive an extended hello containing a "truncated_hmac"
+ extension, MAY agree to use a truncated HMAC by including an
+ extension of type "truncated_hmac", with empty "extension_data", in
+ the extended server hello.
+
+ Note that if new cipher suites are added that do not use HMAC, and
+ the session negotiates one of these cipher suites, this extension
+ will have no effect. It is strongly recommended that any new cipher
+ suites using other MACs consider the MAC size as an integral part of
+ the cipher suite definition, taking into account both security and
+ bandwidth considerations.
+
+ If HMAC truncation has been successfully negotiated during a TLS
+ handshake, and the negotiated cipher suite uses HMAC, both the client
+ and the server pass this fact to the TLS record layer along with the
+ other negotiated security parameters. Subsequently during the
+ session, clients and servers MUST use truncated HMACs, calculated as
+ specified in [HMAC]. That is, CipherSpec.hash_size is 10 bytes, and
+ only the first 10 bytes of the HMAC output are transmitted and
+ checked. Note that this extension does not affect the calculation of
+ the PRF as part of handshaking or key derivation.
+
+ The negotiated HMAC truncation size applies for the duration of the
+ session including session resumptions.
+
+3.6. Certificate Status Request
+
+ Constrained clients may wish to use a certificate-status protocol
+ such as OCSP [OCSP] to check the validity of server certificates, in
+ order to avoid transmission of CRLs and therefore save bandwidth on
+ constrained networks. This extension allows for such information to
+ be sent in the TLS handshake, saving roundtrips and resources.
+
+ In order to indicate their desire to receive certificate status
+ information, clients MAY include an extension of type
+ "status_request" in the (extended) client hello. The
+ "extension_data" field of this extension SHALL contain
+ "CertificateStatusRequest" where:
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 16]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ struct {
+ CertificateStatusType status_type;
+ select (status_type) {
+ case ocsp: OCSPStatusRequest;
+ } request;
+ } CertificateStatusRequest;
+
+ enum { ocsp(1), (255) } CertificateStatusType;
+
+ struct {
+ ResponderID responder_id_list<0..2^16-1>;
+ Extensions request_extensions;
+ } OCSPStatusRequest;
+
+ opaque ResponderID<1..2^16-1>;
+ opaque Extensions<0..2^16-1>;
+
+ In the OCSPStatusRequest, the "ResponderIDs" provides a list of OCSP
+ responders that the client trusts. A zero-length "responder_id_list"
+ sequence has the special meaning that the responders are implicitly
+ known to the server - e.g., by prior arrangement. "Extensions" is a
+ DER encoding of OCSP request extensions.
+
+ Both "ResponderID" and "Extensions" are DER-encoded ASN.1 types as
+ defined in [OCSP]. "Extensions" is imported from [PKIX]. A zero-
+ length "request_extensions" value means that there are no extensions
+ (as opposed to a zero-length ASN.1 SEQUENCE, which is not valid for
+ the "Extensions" type).
+
+ In the case of the "id-pkix-ocsp-nonce" OCSP extension, [OCSP] is
+ unclear about its encoding; for clarification, the nonce MUST be a
+ DER-encoded OCTET STRING, which is encapsulated as another OCTET
+ STRING (note that implementations based on an existing OCSP client
+ will need to be checked for conformance to this requirement).
+
+ Servers that receive a client hello containing the "status_request"
+ extension, MAY return a suitable certificate status response to the
+ client along with their certificate. If OCSP is requested, they
+ SHOULD use the information contained in the extension when selecting
+ an OCSP responder, and SHOULD include request_extensions in the OCSP
+ request.
+
+ Servers return a certificate response along with their certificate by
+ sending a "CertificateStatus" message immediately after the
+ "Certificate" message (and before any "ServerKeyExchange" or
+ "CertificateRequest" messages). If a server returns a
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 17]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ "CertificateStatus" message, then the server MUST have included an
+ extension of type "status_request" with empty "extension_data" in the
+ extended server hello.
+
+ struct {
+ CertificateStatusType status_type;
+ select (status_type) {
+ case ocsp: OCSPResponse;
+ } response;
+ } CertificateStatus;
+
+ opaque OCSPResponse<1..2^24-1>;
+
+ An "ocsp_response" contains a complete, DER-encoded OCSP response
+ (using the ASN.1 type OCSPResponse defined in [OCSP]). Note that
+ only one OCSP response may be sent.
+
+ The "CertificateStatus" message is conveyed using the handshake
+ message type "certificate_status".
+
+ Note that a server MAY also choose not to send a "CertificateStatus"
+ message, even if it receives a "status_request" extension in the
+ client hello message.
+
+ Note in addition that servers MUST NOT send the "CertificateStatus"
+ message unless it received a "status_request" extension in the client
+ hello message.
+
+ Clients requesting an OCSP response, and receiving an OCSP response
+ in a "CertificateStatus" message MUST check the OCSP response and
+ abort the handshake if the response is not satisfactory.
+
+4. Error Alerts
+
+ This section defines new error alerts for use with the TLS extensions
+ defined in this document.
+
+ The following new error alerts are defined. To avoid "breaking"
+ existing clients and servers, these alerts MUST NOT be sent unless
+ the sending party has received an extended hello message from the
+ party they are communicating with.
+
+ - "unsupported_extension" - this alert is sent by clients that
+ receive an extended server hello containing an extension that they
+ did not put in the corresponding client hello (see Section 2.3).
+ This message is always fatal.
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 18]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ - "unrecognized_name" - this alert is sent by servers that receive a
+ server_name extension request, but do not recognize the server
+ name. This message MAY be fatal.
+
+ - "certificate_unobtainable" - this alert is sent by servers who are
+ unable to retrieve a certificate chain from the URL supplied by
+ the client (see Section 3.3). This message MAY be fatal - for
+ example if client authentication is required by the server for the
+ handshake to continue and the server is unable to retrieve the
+ certificate chain, it may send a fatal alert.
+
+ - "bad_certificate_status_response" - this alert is sent by clients
+ that receive an invalid certificate status response (see Section
+ 3.6). This message is always fatal.
+
+ - "bad_certificate_hash_value" - this alert is sent by servers when
+ a certificate hash does not match a client provided
+ certificate_hash. This message is always fatal.
+
+ These error alerts are conveyed using the following syntax:
+
+ enum {
+ close_notify(0),
+ unexpected_message(10),
+ bad_record_mac(20),
+ decryption_failed(21),
+ record_overflow(22),
+ decompression_failure(30),
+ handshake_failure(40),
+ /* 41 is not defined, for historical reasons */
+ bad_certificate(42),
+ unsupported_certificate(43),
+ certificate_revoked(44),
+ certificate_expired(45),
+ certificate_unknown(46),
+ illegal_parameter(47),
+ unknown_ca(48),
+ access_denied(49),
+ decode_error(50),
+ decrypt_error(51),
+ export_restriction(60),
+ protocol_version(70),
+ insufficient_security(71),
+ internal_error(80),
+ user_canceled(90),
+ no_renegotiation(100),
+ unsupported_extension(110), /* new */
+ certificate_unobtainable(111), /* new */
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 19]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ unrecognized_name(112), /* new */
+ bad_certificate_status_response(113), /* new */
+ bad_certificate_hash_value(114), /* new */
+ (255)
+ } AlertDescription;
+
+5. Procedure for Defining New Extensions
+
+ Traditionally for Internet protocols, the Internet Assigned Numbers
+ Authority (IANA) handles the allocation of new values for future
+ expansion, and RFCs usually define the procedure to be used by the
+ IANA. However, there are subtle (and not so subtle) interactions
+ that may occur in this protocol between new features and existing
+ features which may result in a significant reduction in overall
+ security.
+
+ Therefore, requests to define new extensions (including assigning
+ extension and error alert numbers) must be approved by IETF Standards
+ Action.
+
+ The following considerations should be taken into account when
+ designing new extensions:
+
+ - All of the extensions defined in this document follow the
+ convention that for each extension that a client requests and that
+ the server understands, the server replies with an extension of
+ the same type.
+
+ - Some cases where a server does not agree to an extension are error
+ conditions, and some simply a refusal to support a particular
+ feature. In general error alerts should be used for the former,
+ and a field in the server extension response for the latter.
+
+ - Extensions should as far as possible be designed to prevent any
+ attack that forces use (or non-use) of a particular feature by
+ manipulation of handshake messages. This principle should be
+ followed regardless of whether the feature is believed to cause a
+ security problem.
+
+ Often the fact that the extension fields are included in the
+ inputs to the Finished message hashes will be sufficient, but
+ extreme care is needed when the extension changes the meaning of
+ messages sent in the handshake phase. Designers and implementors
+ should be aware of the fact that until the handshake has been
+ authenticated, active attackers can modify messages and insert,
+ remove, or replace extensions.
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 20]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ - It would be technically possible to use extensions to change major
+ aspects of the design of TLS; for example the design of cipher
+ suite negotiation. This is not recommended; it would be more
+ appropriate to define a new version of TLS - particularly since
+ the TLS handshake algorithms have specific protection against
+ version rollback attacks based on the version number, and the
+ possibility of version rollback should be a significant
+ consideration in any major design change.
+
+6. Security Considerations
+
+ Security considerations for the extension mechanism in general, and
+ the design of new extensions, are described in the previous section.
+ A security analysis of each of the extensions defined in this
+ document is given below.
+
+ In general, implementers should continue to monitor the state of the
+ art, and address any weaknesses identified.
+
+ Additional security considerations are described in the TLS 1.0 RFC
+ [TLS].
+
+6.1. Security of server_name
+
+ If a single server hosts several domains, then clearly it is
+ necessary for the owners of each domain to ensure that this satisfies
+ their security needs. Apart from this, server_name does not appear
+ to introduce significant security issues.
+
+ Implementations MUST ensure that a buffer overflow does not occur
+ whatever the values of the length fields in server_name.
+
+ Although this document specifies an encoding for internationalized
+ hostnames in the server_name extension, it does not address any
+ security issues associated with the use of internationalized
+ hostnames in TLS - in particular, the consequences of "spoofed" names
+ that are indistinguishable from another name when displayed or
+ printed. It is recommended that server certificates not be issued
+ for internationalized hostnames unless procedures are in place to
+ mitigate the risk of spoofed hostnames.
+
+6.2. Security of max_fragment_length
+
+ The maximum fragment length takes effect immediately, including for
+ handshake messages. However, that does not introduce any security
+ complications that are not already present in TLS, since [TLS]
+ requires implementations to be able to handle fragmented handshake
+ messages.
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 21]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Note that as described in section 3.2, once a non-null cipher suite
+ has been activated, the effective maximum fragment length depends on
+ the cipher suite and compression method, as well as on the negotiated
+ max_fragment_length. This must be taken into account when sizing
+ buffers, and checking for buffer overflow.
+
+6.3. Security of client_certificate_url
+
+ There are two major issues with this extension.
+
+ The first major issue is whether or not clients should include
+ certificate hashes when they send certificate URLs.
+
+ When client authentication is used *without* the
+ client_certificate_url extension, the client certificate chain is
+ covered by the Finished message hashes. The purpose of including
+ hashes and checking them against the retrieved certificate chain, is
+ to ensure that the same property holds when this extension is used -
+ i.e., that all of the information in the certificate chain retrieved
+ by the server is as the client intended.
+
+ On the other hand, omitting certificate hashes enables functionality
+ that is desirable in some circumstances - for example clients can be
+ issued daily certificates that are stored at a fixed URL and need not
+ be provided to the client. Clients that choose to omit certificate
+ hashes should be aware of the possibility of an attack in which the
+ attacker obtains a valid certificate on the client's key that is
+ different from the certificate the client intended to provide.
+ Although TLS uses both MD5 and SHA-1 hashes in several other places,
+ this was not believed to be necessary here. The property required of
+ SHA-1 is second pre-image resistance.
+
+ The second major issue is that support for client_certificate_url
+ involves the server acting as a client in another URL protocol. The
+ server therefore becomes subject to many of the same security
+ concerns that clients of the URL scheme are subject to, with the
+ added concern that the client can attempt to prompt the server to
+ connect to some, possibly weird-looking URL.
+
+ In general this issue means that an attacker might use the server to
+ indirectly attack another host that is vulnerable to some security
+ flaw. It also introduces the possibility of denial of service
+ attacks in which an attacker makes many connections to the server,
+ each of which results in the server attempting a connection to the
+ target of the attack.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 22]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Note that the server may be behind a firewall or otherwise able to
+ access hosts that would not be directly accessible from the public
+ Internet; this could exacerbate the potential security and denial of
+ service problems described above, as well as allowing the existence
+ of internal hosts to be confirmed when they would otherwise be
+ hidden.
+
+ The detailed security concerns involved will depend on the URL
+ schemes supported by the server. In the case of HTTP, the concerns
+ are similar to those that apply to a publicly accessible HTTP proxy
+ server. In the case of HTTPS, the possibility for loops and
+ deadlocks to be created exists and should be addressed. In the case
+ of FTP, attacks similar to FTP bounce attacks arise.
+
+ As a result of this issue, it is RECOMMENDED that the
+ client_certificate_url extension should have to be specifically
+ enabled by a server administrator, rather than being enabled by
+ default. It is also RECOMMENDED that URI protocols be enabled by the
+ administrator individually, and only a minimal set of protocols be
+ enabled, with unusual protocols offering limited security or whose
+ security is not well-understood being avoided.
+
+ As discussed in [URI], URLs that specify ports other than the default
+ may cause problems, as may very long URLs (which are more likely to
+ be useful in exploiting buffer overflow bugs).
+
+ Also note that HTTP caching proxies are common on the Internet, and
+ some proxies do not check for the latest version of an object
+ correctly. If a request using HTTP (or another caching protocol)
+ goes through a misconfigured or otherwise broken proxy, the proxy may
+ return an out-of-date response.
+
+6.4. Security of trusted_ca_keys
+
+ It is possible that which CA root keys a client possesses could be
+ regarded as confidential information. As a result, the CA root key
+ indication extension should be used with care.
+
+ The use of the SHA-1 certificate hash alternative ensures that each
+ certificate is specified unambiguously. As for the previous
+ extension, it was not believed necessary to use both MD5 and SHA-1
+ hashes.
+
+6.5. Security of truncated_hmac
+
+ It is possible that truncated MACs are weaker than "un-truncated"
+ MACs. However, no significant weaknesses are currently known or
+ expected to exist for HMAC with MD5 or SHA-1, truncated to 80 bits.
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 23]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Note that the output length of a MAC need not be as long as the
+ length of a symmetric cipher key, since forging of MAC values cannot
+ be done off-line: in TLS, a single failed MAC guess will cause the
+ immediate termination of the TLS session.
+
+ Since the MAC algorithm only takes effect after the handshake
+ messages have been authenticated by the hashes in the Finished
+ messages, it is not possible for an active attacker to force
+ negotiation of the truncated HMAC extension where it would not
+ otherwise be used (to the extent that the handshake authentication is
+ secure). Therefore, in the event that any security problem were
+ found with truncated HMAC in future, if either the client or the
+ server for a given session were updated to take into account the
+ problem, they would be able to veto use of this extension.
+
+6.6. Security of status_request
+
+ If a client requests an OCSP response, it must take into account that
+ an attacker's server using a compromised key could (and probably
+ would) pretend not to support the extension. A client that requires
+ OCSP validation of certificates SHOULD either contact the OCSP server
+ directly in this case, or abort the handshake.
+
+ Use of the OCSP nonce request extension (id-pkix-ocsp-nonce) may
+ improve security against attacks that attempt to replay OCSP
+ responses; see section 4.4.1 of [OCSP] for further details.
+
+7. Internationalization Considerations
+
+ None of the extensions defined here directly use strings subject to
+ localization. Domain Name System (DNS) hostnames are encoded using
+ UTF-8. If future extensions use text strings, then
+ internationalization should be considered in their design.
+
+8. IANA Considerations
+
+ The MIME type "application/pkix-pkipath" has been registered by the
+ IANA with the following template:
+
+ To: ietf-types@iana.org Subject: Registration of MIME media type
+ application/pkix-pkipath
+
+ MIME media type name: application
+
+ MIME subtype name: pkix-pkipath
+
+ Required parameters: none
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 24]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Optional parameters: version (default value is "1")
+
+ Encoding considerations:
+ This MIME type is a DER encoding of the ASN.1 type PkiPath,
+ defined as follows:
+ PkiPath ::= SEQUENCE OF Certificate
+ PkiPath is used to represent a certification path. Within the
+ sequence, the order of certificates is such that the subject of
+ the first certificate is the issuer of the second certificate,
+ etc.
+
+ This is identical to the definition that will be published in
+ [X509-4th-TC1]; note that it is different from that in [X509-4th].
+
+ All Certificates MUST conform to [PKIX]. (This should be
+ interpreted as a requirement to encode only PKIX-conformant
+ certificates using this type. It does not necessarily require
+ that all certificates that are not strictly PKIX-conformant must
+ be rejected by relying parties, although the security consequences
+ of accepting any such certificates should be considered
+ carefully.)
+
+ DER (as opposed to BER) encoding MUST be used. If this type is
+ sent over a 7-bit transport, base64 encoding SHOULD be used.
+
+ Security considerations:
+ The security considerations of [X509-4th] and [PKIX] (or any
+ updates to them) apply, as well as those of any protocol that uses
+ this type (e.g., TLS).
+
+ Note that this type only specifies a certificate chain that can be
+ assessed for validity according to the relying party's existing
+ configuration of trusted CAs; it is not intended to be used to
+ specify any change to that configuration.
+
+ Interoperability considerations:
+ No specific interoperability problems are known with this type,
+ but for recommendations relating to X.509 certificates in general,
+ see [PKIX].
+
+ Published specification: this memo, and [PKIX].
+
+ Applications which use this media type: TLS. It may also be used by
+ other protocols, or for general interchange of PKIX certificate
+ chains.
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 25]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ Additional information:
+ Magic number(s): DER-encoded ASN.1 can be easily recognized.
+ Further parsing is required to distinguish from other ASN.1
+ types.
+ File extension(s): .pkipath
+ Macintosh File Type Code(s): not specified
+
+ Person & email address to contact for further information:
+ Magnus Nystrom <magnus@rsasecurity.com>
+
+ Intended usage: COMMON
+
+ Author/Change controller:
+ Magnus Nystrom <magnus@rsasecurity.com>
+
+9. Intellectual Property Rights
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in RFC 2028. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this document. Please address the information to the IETF Executive
+ Director.
+
+10. Acknowledgments
+
+ The authors wish to thank the TLS Working Group and the WAP Security
+ Group. This document is based on discussion within these groups.
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 26]
+
+RFC 3546 TLS Extensions June 2003
+
+
+11. Normative References
+
+ [HMAC] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
+ Keyed-hashing for message authentication", RFC 2104,
+ February 1997.
+
+ [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext
+ Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
+
+ [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
+ "Internationalizing Domain Names in Applications
+ (IDNA)", RFC 3490, March 2003.
+
+ [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S. and
+ C. Adams, "Internet X.509 Public Key Infrastructure:
+ Online Certificate Status Protocol - OCSP", RFC 2560,
+ June 1999.
+
+ [PKIOP] Housley, R. and P. Hoffman, "Internet X.509 Public Key
+ Infrastructure - Operation Protocols: FTP and HTTP",
+ RFC 2585, May 1999.
+
+ [PKIX] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
+ Public Key Infrastructure - Certificate and
+ Certificate Revocation List (CRL) Profile", RFC 3280,
+ April 2002.
+
+ [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version
+ 1.0", RFC 2246, January 1999.
+
+ [URI] Berners-Lee, T., Fielding, R. and L. Masinter,
+ "Uniform Resource Identifiers (URI): Generic Syntax",
+ RFC 2396, August 1998.
+
+ [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", RFC 2279, January 1998.
+
+ [X509-4th] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-
+ 8:2001, "Information Systems - Open Systems
+ Interconnection - The Directory: Public key and
+ attribute certificate frameworks."
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 27]
+
+RFC 3546 TLS Extensions June 2003
+
+
+ [X509-4th-TC1] ITU-T Recommendation X.509(2000) Corrigendum 1(2001) |
+ ISO/IEC 9594-8:2001/Cor.1:2002, Technical Corrigendum
+ 1 to ISO/IEC 9594:8:2001.
+
+12. Informative References
+
+ [KERB] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
+ Suites to Transport Layer Security (TLS)", RFC 2712,
+ October 1999.
+
+ [MAILING LIST] J. Mikkelsen, R. Eberhard, and J. Kistler, "General
+ ClientHello extension mechanism and virtual hosting,"
+ ietf-tls mailing list posting, August 14, 2000.
+
+ [AESSUITES] Chown, P., "Advanced Encryption Standard (AES)
+ Ciphersuites for Transport Layer Security (TLS)", RFC
+ 3268, June 2002.
+
+13. Authors' Addresses
+
+ Simon Blake-Wilson
+ BCI
+ EMail: sblakewilson@bcisse.com
+
+ Magnus Nystrom
+ RSA Security
+ EMail: magnus@rsasecurity.com
+
+ David Hopwood
+ Independent Consultant
+ EMail: david.hopwood@zetnet.co.uk
+
+ Jan Mikkelsen
+ Transactionware
+ EMail: janm@transactionware.com
+
+ Tim Wright
+ Vodafone
+ EMail: timothy.wright@vodafone.com
+
+
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 28]
+
+RFC 3546 TLS Extensions June 2003
+
+
+14. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blake-Wilson, et. al. Standards Track [Page 29]
+