[rfc-dist] RFC 8672 on TLS Server Identity Pinning with Tickets

rfc-editor@rfc-editor.org Thu, 31 October 2019 21:24 UTC

Return-Path: <rfc-dist-bounces@rfc-editor.org>
X-Original-To: ietfarch-rfc-dist-archive@ietfa.amsl.com
Delivered-To: ietfarch-rfc-dist-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23A5C120145 for <ietfarch-rfc-dist-archive@ietfa.amsl.com>; Thu, 31 Oct 2019 14:24:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.2
X-Spam-Level:
X-Spam-Status: No, score=-5.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-fsY320Tz3m for <ietfarch-rfc-dist-archive@ietfa.amsl.com>; Thu, 31 Oct 2019 14:24:45 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4021812085F for <rfc-dist-archive-yuw6Xa6hiena@ietf.org>; Thu, 31 Oct 2019 14:24:45 -0700 (PDT)
Received: from rfcpa.amsl.com (localhost [IPv6:::1]) by rfc-editor.org (Postfix) with ESMTP id E1E00F406D7; Thu, 31 Oct 2019 14:24:34 -0700 (PDT)
X-Original-To: rfc-dist@rfc-editor.org
Delivered-To: rfc-dist@rfc-editor.org
Received: by rfc-editor.org (Postfix, from userid 30) id DA7CFF406D3; Thu, 31 Oct 2019 14:24:33 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Message-Id: <20191031212433.DA7CFF406D3@rfc-editor.org>
Date: Thu, 31 Oct 2019 14:24:33 -0700 (PDT)
Subject: [rfc-dist] =?utf-8?q?RFC_8672_on_TLS_Server_Identity_Pinning_wit?= =?utf-8?q?h_Tickets?=
X-BeenThere: rfc-dist@rfc-editor.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RFC Announcements <rfc-dist.rfc-editor.org>
List-Unsubscribe: <https://www.rfc-editor.org/mailman/options/rfc-dist>, <mailto:rfc-dist-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <http://www.rfc-editor.org/pipermail/rfc-dist/>
List-Post: <mailto:rfc-dist@rfc-editor.org>
List-Help: <mailto:rfc-dist-request@rfc-editor.org?subject=help>
List-Subscribe: <https://www.rfc-editor.org/mailman/listinfo/rfc-dist>, <mailto:rfc-dist-request@rfc-editor.org?subject=subscribe>
Cc: drafts-update-ref@iana.org, rfc-editor@rfc-editor.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: rfc-dist-bounces@rfc-editor.org
Sender: "rfc-dist" <rfc-dist-bounces@rfc-editor.org>

A new Request for Comments is now available in online RFC libraries.

        
        RFC 8672

        Title:      TLS Server Identity Pinning with Tickets 
        Author:     Y. Sheffer,
                    D. Migault
        Status:     Experimental
        Stream:     Independent
        Date:       October 2019
        Mailbox:    yaronf.ietf@gmail.com, 
                    daniel.migault@ericsson.com
        Pages:      22
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-sheffer-tls-pinning-ticket-12.txt

        URL:        https://www.rfc-editor.org/info/rfc8672

        DOI:        10.17487/RFC8672

Misissued public-key certificates can prevent TLS clients from
appropriately authenticating the TLS server. Several alternatives
have been proposed to detect this situation and prevent a client from
establishing a TLS session with a TLS end point authenticated with an
illegitimate public-key certificate. These mechanisms are either not
widely deployed or limited to public web browsing.

This document proposes experimental extensions to TLS with opaque
pinning tickets as a way to pin the server's identity. During an
initial TLS session, the server provides an original encrypted
pinning ticket. In subsequent TLS session establishment, upon receipt
of the pinning ticket, the server proves its ability to decrypt the
pinning ticket and thus the ownership of the pinning protection key.
The client can now safely conclude that the TLS session is
established with the same TLS server as the original TLS session. One
of the important properties of this proposal is that no manual
management actions are required.


EXPERIMENTAL: This memo defines an Experimental Protocol for the
Internet community.  It does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC


_______________________________________________
rfc-dist mailing list
rfc-dist@rfc-editor.org
https://www.rfc-editor.org/mailman/listinfo/rfc-dist
http://www.rfc-editor.org