Bootstrapped TLS Authentication

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Authors Owen Friel  , Dan Harkins 
Last updated 2021-01-14 (latest revision 2020-07-13)
Stream (None)
Expired & archived
plain text pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document defines a TLS extension that enables a server to prove to a client that it has knowledge of the public key of a key pair where the client has knowledge of the private key of the key pair. Unlike standard TLS key exchanges, the public key is never exchanged in TLS protocol messages. Proof of knowledge of the public key is used by the client to bootstrap trust in the server. The use case outlined in this document is to establish trust in an EAP server.


Owen Friel (
Dan Harkins (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)