draft-ietf-tls-oob-pubkey-00.txt   draft-ietf-tls-oob-pubkey-01.txt 
skipping to change at page 1, line 13 skipping to change at page 1, line 13
IETF P. Wouters IETF P. Wouters
Internet-Draft No Hats Corporation Internet-Draft No Hats Corporation
Intended status: Standards Track J. Gilmore Intended status: Standards Track J. Gilmore
Expires: July 10, 2012 Expires: July 10, 2012
S. Weiler S. Weiler
SPARTA, Inc. SPARTA, Inc.
T. Kivinen T. Kivinen
AuthenTec AuthenTec
H. Tschofenig H. Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
January 7, 2012 January 20, 2012
TLS Out-of-Band Public Key Validation TLS Out-of-Band Public Key Validation
draft-ietf-tls-oob-pubkey-00.txt draft-ietf-tls-oob-pubkey-01.txt
Abstract Abstract
This document specifies a new TLS certificate type for exchanging raw This document specifies a new TLS certificate type for exchanging raw
public keys in Transport Layer Security (TLS) and Datagram Transport public keys in Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS) for use with out-of-band authentication. Layer Security (DTLS) for use with out-of-band authentication.
Currently, TLS authentication can only occur via PKIX or OpenPGP Currently, TLS authentication can only occur via PKIX or OpenPGP
certificates. By specifying a minimum resource for raw public key certificates. By specifying a minimum resource for raw public key
exchange, implementations can use alternative authentication methods. exchange, implementations can use alternative authentication methods.
skipping to change at page 6, line 30 skipping to change at page 6, line 30
<- change_cipher_spec, <- change_cipher_spec,
finished finished
Application Data <-------> Application Data Application Data <-------> Application Data
Figure 1: Example Message Flow Figure 1: Example Message Flow
2.1. Client Hello 2.1. Client Hello
In order to indicate the support of out-of-bound raw public keys, In order to indicate the support of out-of-band raw public keys,
clients MUST include an extension of type "cert_type" to the extended clients MUST include an extension of type "cert_type" to the extended
client hello message. The "cert_type" TLS extension, which is client hello message. The "cert_type" TLS extension, which is
defined in [RFC6091], is assigned the value of 9 from the TLS defined in [RFC6091], is assigned the value of 9 from the TLS
ExtensionType registry. This value is used as the extension number ExtensionType registry. This value is used as the extension number
for the extensions in both the client hello message and the server for the extensions in both the client hello message and the server
hello message. The hello extension mechanism is described in hello message. The hello extension mechanism is described in
[RFC5246]. [RFC5246].
The "cert_type" TLS extension carries a list of supported certificate The "cert_type" TLS extension carries a list of supported certificate
types the client can use, sorted by client preference. This types the client can use, sorted by client preference. This
skipping to change at page 9, line 32 skipping to change at page 9, line 32
RFC 4949, August 2007. RFC 4949, August 2007.
7.2. Informative References 7.2. Informative References
[CoAP] Shelby, Z., Hartke, K., Bormann, C., and B. Frank, [CoAP] Shelby, Z., Hartke, K., Bormann, C., and B. Frank,
"Constrained Application Protocol", "Constrained Application Protocol",
draft-ietf-core-coap-07 (work in progress), July 2011. draft-ietf-core-coap-07 (work in progress), July 2011.
[DANE] Hoffman, P. and J. Schlyter, "Using Secure DNS to [DANE] Hoffman, P. and J. Schlyter, "Using Secure DNS to
Associate Certificates with Domain Names For TLS", Associate Certificates with Domain Names For TLS",
draft-ietf-dane-protocol-12 (work in progress), draft-ietf-dane-protocol-14 (work in progress),
September 2011. September 2011.
[Defeating-SSL] [Defeating-SSL]
Marlinspike, M., "New Tricks for Defeating SSL in Marlinspike, M., "New Tricks for Defeating SSL in
Practice", February 2009, <http://www.blackhat.com/ Practice", February 2009, <http://www.blackhat.com/
presentations/bh-dc-09/Marlinspike/ presentations/bh-dc-09/Marlinspike/
BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>. BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf>.
[LDAP] Sermersheim, J., "Lightweight Directory Access Protocol [LDAP] Sermersheim, J., "Lightweight Directory Access Protocol
(LDAP): The Protocol", RFC 4511, June 2006. (LDAP): The Protocol", RFC 4511, June 2006.
 End of changes. 4 change blocks. 
4 lines changed or deleted 4 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/