I-D Action: draft-asmithee-tls-dnssec-downprot-00.txt

internet-drafts@ietf.org Tue, 15 May 2018 18:47 UTC


A New Internet-Draft is available from the on-line Internet-Drafts directories.


        Title           : TLS Downgrade protection extension for TLS DNSSEC Authentication Chain Extension
        Authors         : Alan Smithee
                          Alan Smithee
        Filename        : draft-asmithee-tls-dnssec-downprot-00.txt
        Pages           : 5
        Date            : 2018-05-15

Abstract:
   This draft specifies a TLS extension that adds downgrade protection
   for another TLS extension, [dnssec-chain-extension].  Without the
   downgrade protection specified in this TLS extension, the only effect
   of deploying [dnssec-chain-extension] is to reduce TLS security from
   the standard "WebPKI security" to "WebPKI or DANE, whichever is
   weaker".

   This draft dictates that [dnssec-chain-extension] MUST only be used
   in combination with this TLS extension, whose only content is a two
   octet SupportLifetime value.  A value of 0 prohibits the TLS client
   from unilaterally requiring ongoing use of both TLS extensions based
   on prior observation of their use (pinning).  A non-zero value is the
   value in hours for which this TLS extension as well as
   [dnssec-chain-extension] MUST appear in subsequent TLS handshakes to
   the same TLS hostname and port.  If this TLS extension or
   [dnssec-chain-extension] is missing from the TLS handshake within
   this observed pinning time, the TLS client MUST assume it is under
   attack and abort the TLS connection.
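As an added illustration (not part of the draft or of this announcement), the client-side pin logic the abstract describes: a per-(hostname, port) store that records the SupportLifetime in hours when both extensions are present, and aborts when either is missing during an active pin. The class and function names are assumptions, as is treating a later SupportLifetime of 0 as clearing an earlier pin.

```python
import struct

def encode_support_lifetime(hours: int) -> bytes:
    """Encode the two-octet SupportLifetime extension body (network byte order)."""
    if not 0 <= hours <= 0xFFFF:
        raise ValueError("SupportLifetime must fit in two octets")
    return struct.pack("!H", hours)

def decode_support_lifetime(body: bytes) -> int:
    """Decode the two-octet SupportLifetime body; reject any other length."""
    if len(body) != 2:
        raise ValueError("SupportLifetime body must be exactly two octets")
    return struct.unpack("!H", body)[0]

class DowngradePinStore:
    """Tracks, per (hostname, port), until when both TLS extensions MUST appear.

    Assumed helper class; times are seconds since the epoch, supplied by the caller."""

    def __init__(self):
        self._pins = {}  # (host, port) -> pin expiry time

    def process_handshake(self, host, port, now, downprot_body=None,
                          dnssec_chain_present=False):
        """Return True to continue the handshake, False to abort.

        downprot_body is the raw body of the downgrade-protection extension,
        or None when the server did not send it."""
        key = (host, port)
        pinned_until = self._pins.get(key)
        both_present = downprot_body is not None and dnssec_chain_present
        if not both_present:
            if pinned_until is not None and now < pinned_until:
                return False  # pin active but an extension is missing: assume attack
            return True       # no active pin: fall back to plain WebPKI validation
        lifetime_h = decode_support_lifetime(downprot_body)
        if lifetime_h == 0:
            self._pins.pop(key, None)  # 0 forbids pinning (assumed: also clears a pin)
        else:
            self._pins[key] = now + lifetime_h * 3600  # pin for the stated hours
        return True
```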


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-asmithee-tls-dnssec-downprot/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-asmithee-tls-dnssec-downprot-00
https://datatracker.ietf.org/doc/html/draft-asmithee-tls-dnssec-downprot-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/