| rfc7633v3.txt | rfc7633.txt |
|---|---|
| Internet Engineering Task Force (IETF) P. Hallam-Baker | Internet Engineering Task Force (IETF) P. Hallam-Baker |
| Request for Comments: 7633 Comodo Group Inc. | Request for Comments: 7633 Comodo Group Inc. |
| Category: Standards Track September 2015 | Category: Standards Track October 2015 |
| ISSN: 2070-1721 | ISSN: 2070-1721 |
| X.509v3 Transport Layer Security (TLS) Feature Extension | X.509v3 Transport Layer Security (TLS) Feature Extension |
| Abstract | Abstract |
| The purpose of the TLS feature extension is to prevent downgrade | The purpose of the TLS feature extension is to prevent downgrade |
| attacks that are not otherwise prevented by the TLS protocol. In | attacks that are not otherwise prevented by the TLS protocol. In |
| particular, the TLS feature extension may be used to mandate support | particular, the TLS feature extension may be used to mandate support |
| for revocation checking features in the TLS protocol such as Online | for revocation checking features in the TLS protocol such as Online |
| skipping to change at page 2, line 27 | skipping to change at page 2, line 27 |
| 4.2.3. End-Entity Certificate . . . . . . . . . . . . . . . 5 | 4.2.3. End-Entity Certificate . . . . . . . . . . . . . . . 5 |
| 4.3. Processing . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.3. Processing . . . . . . . . . . . . . . . . . . . . . . . 6 |
| 4.3.1. Certification Authority . . . . . . . . . . . . . . . 6 | 4.3.1. Certification Authority . . . . . . . . . . . . . . . 6 |
| 4.3.2. Server . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.3.2. Server . . . . . . . . . . . . . . . . . . . . . . . 6 |
| 4.3.3. Client . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.3.3. Client . . . . . . . . . . . . . . . . . . . . . . . 7 |
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 |
| 5.1. Alternative Certificates and Certificate Issuers . . . . 7 | 5.1. Alternative Certificates and Certificate Issuers . . . . 7 |
| 5.2. Denial of Service . . . . . . . . . . . . . . . . . . . . 7 | 5.2. Denial of Service . . . . . . . . . . . . . . . . . . . . 7 |
| 5.3. Cipher Suite Downgrade Attack . . . . . . . . . . . . . . 8 | 5.3. Cipher Suite Downgrade Attack . . . . . . . . . . . . . . 8 |
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 |
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 8 | 7. Normative References . . . . . . . . . . . . . . . . . . . . 9 |
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 |
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 11 |
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 |
| 1. Introduction | 1. Introduction |
| The Transport Layer Security (TLS) feature extension provides a means | The Transport Layer Security (TLS) feature extension provides a means |
| of preventing downgrade attacks that are not otherwise prevented by | of preventing downgrade attacks that are not otherwise prevented by |
| the TLS protocol. | the TLS protocol. |
| Since the TLS protocol itself provides strong protection against most | Since the TLS protocol itself provides strong protection against most |
| forms of downgrade attack including downgrade attacks against cipher | forms of downgrade attack including downgrade attacks against cipher |
| skipping to change at page 8, line 36 | skipping to change at page 9, line 8 |
| Module Identifier" (1.3.6.1.5.5.7.0) registry: | Module Identifier" (1.3.6.1.5.5.7.0) registry: |
| Decimal Description References | Decimal Description References |
| ------- ------------------------------ --------------------- | ------- ------------------------------ --------------------- |
| 86 id-mod-tls-feature-2015 this document (RFC 7633) | 86 id-mod-tls-feature-2015 this document (RFC 7633) |
| 7. Normative References | 7. Normative References |
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, |
| RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, |
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. |
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification |
| Request Syntax Specification Version 1.7", RFC 2986, DOI | Request Syntax Specification Version 1.7", RFC 2986, |
| 10.17487/RFC2986, November 2000, | DOI 10.17487/RFC2986, November 2000, |
| <http://www.rfc-editor.org/info/rfc2986>. | <http://www.rfc-editor.org/info/rfc2986>. |
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security |
| (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ | (TLS) Protocol Version 1.2", RFC 5246, |
| RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, |
| <http://www.rfc-editor.org/info/rfc5246>. | <http://www.rfc-editor.org/info/rfc5246>. |
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., |
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key |
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List |
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, |
| <http://www.rfc-editor.org/info/rfc5280>. | <http://www.rfc-editor.org/info/rfc5280>. |
| [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) | [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) |
| Extensions: Extension Definitions", RFC 6066, DOI | Extensions: Extension Definitions", RFC 6066, |
| 10.17487/RFC6066, January 2011, | DOI 10.17487/RFC6066, January 2011, |
| <http://www.rfc-editor.org/info/rfc6066>. | <http://www.rfc-editor.org/info/rfc6066>. |
| [RFC6844] Hallam-Baker, P. and R. Stradling, "DNS Certification | [RFC6844] Hallam-Baker, P. and R. Stradling, "DNS Certification |
| Authority Authorization (CAA) Resource Record", RFC 6844, | Authority Authorization (CAA) Resource Record", RFC 6844, |
| DOI 10.17487/RFC6844, January 2013, | DOI 10.17487/RFC6844, January 2013, |
| <http://www.rfc-editor.org/info/rfc6844>. | <http://www.rfc-editor.org/info/rfc6844>. |
| [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) | [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) |
| Multiple Certificate Status Request Extension", RFC 6961, | Multiple Certificate Status Request Extension", RFC 6961, |
| DOI 10.17487/RFC6961, June 2013, | DOI 10.17487/RFC6961, June 2013, |
| End of changes. 6 change blocks. | |
| 12 lines changed or deleted | 12 lines changed or added |

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
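
The diff above records only editorial changes between the draft and the published RFC, but the extension it concerns has a concrete client-side effect: a certificate that lists a TLS feature obliges the client to refuse a handshake in which the server did not deliver that feature (this is the downgrade protection the Abstract describes; "must staple" for OCSP is the common case). The following is an added example, not code from RFC 7633 or from this page. It assumes the extension OID 1.3.6.1.5.5.7.1.24 (id-pe 24) and the `Features ::= SEQUENCE OF INTEGER` syntax from RFC 7633 itself, which this diff does not reproduce, and the TLS extension type numbers 5 (status_request, RFC 6066) and 17 (status_request_v2, RFC 6961) from the documents in the reference list. It decodes the raw extension value with a strict DER reader, encodes one for test certificates or PKCS #10 requests, and applies the client rule. The sample bytes are constructed for the example.

```python
"""Decode the X.509 TLS Feature extension (RFC 7633) and apply the client
check it exists for. Added example, not text from RFC 7633 or from this
diff. The OID and the SEQUENCE OF INTEGER syntax come from RFC 7633
itself (not reproduced on this page); feature code points come from
RFC 6066 (status_request = 5) and RFC 6961 (status_request_v2 = 17).
All sample bytes below are constructed for the example."""

ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"  # id-pe 24 (RFC 7633)
STATUS_REQUEST = 5                       # TLS extension type (RFC 6066)
STATUS_REQUEST_V2 = 17                   # TLS extension type (RFC 6961)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos:]; return (tag, value, next_pos).
    Rejects truncation and non-minimal lengths: this decoder sits on an
    untrusted certificate."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_tls_features(ext_value: bytes) -> list[int]:
    """Features ::= SEQUENCE OF INTEGER -> list of TLS extension types the
    server is required to support, e.g. [5] for "must staple"."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or not val:
            raise ValueError("SEQUENCE element is not an INTEGER")
        if len(val) > 1 and ((val[0] == 0x00 and val[1] < 0x80) or
                             (val[0] == 0xFF and val[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER encoding")
        n = int.from_bytes(val, "big", signed=True)
        if not 0 <= n <= 0xFFFF:
            raise ValueError("TLS extension type must fit in 16 bits")
        features.append(n)
    return features


def is_valid_tls_features(ext_value: bytes) -> bool:
    """True when ext_value is a strictly DER-encoded Features value."""
    try:
        decode_tls_features(ext_value)
        return True
    except ValueError:
        return False


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag and (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_tls_features(features: list[int]) -> bytes:
    """Inverse of decode_tls_features, e.g. to put the extension into a
    test certificate or a PKCS #10 request. bit_length()//8 + 1 bytes is
    the minimal two's-complement encoding of a non-negative INTEGER."""
    if any(not 0 <= f <= 0xFFFF for f in features):
        raise ValueError("TLS extension type must fit in 16 bits")
    body = b"".join(_der_tlv(0x02, f.to_bytes(f.bit_length() // 8 + 1, "big"))
                    for f in features)
    return _der_tlv(0x30, body)


def client_must_abort(features: list[int], handshake: dict[int, bool]) -> bool:
    """Client rule: every feature the end-entity certificate lists must have
    been honoured in this handshake. `handshake` maps a TLS extension type
    to whether the server actually served it (for status_request: a stapled
    OCSP response arrived). True means the client must refuse to proceed."""
    return any(not handshake.get(f, False) for f in features)


if __name__ == "__main__":
    must_staple = bytes.fromhex("3003020105")   # constructed extnValue: [5]
    feats = decode_tls_features(must_staple)
    print(ID_PE_TLSFEATURE, "features:", feats)
    print("no staple -> abort:", client_must_abort(feats, {STATUS_REQUEST: False}))
    print("stapled   -> abort:", client_must_abort(feats, {STATUS_REQUEST: True}))
```

In a real client the bytes handed to `decode_tls_features` are the contents of the extension's extnValue OCTET STRING, located by OID in the end-entity certificate with whatever X.509 library the client already uses; the decoder here is deliberately strict (no trailing bytes, minimal lengths and integers) because a lenient parser on this path would let a malformed extension be silently ignored, which is exactly the downgrade the extension is meant to prevent. A server that forgot to staple against a must-staple certificate therefore produces a hard failure, not a fallback to CRL or OCSP fetching.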