TLS Extension for DANE Client Identity
draft-huque-tls-dane-clientid-01
|
| Document |
Type |
|
Active Internet-Draft (individual)
|
|
Last updated |
|
2017-02-19
|
|
Stream |
|
(None)
|
|
Intended RFC status |
|
(None)
|
|
Formats |
|
plain text
pdf
html
bibtex
|
| Stream |
Stream state |
|
(No stream defined) |
|
Consensus Boilerplate |
|
Unknown
|
|
RFC Editor Note |
|
(None)
|
| IESG |
IESG state |
|
I-D Exists
|
|
Telechat date |
|
|
|
Responsible AD |
|
(None)
|
|
Send notices to |
|
(None)
|
Internet Engineering Task Force S. Huque
Internet-Draft Salesforce
Intended status: Standards Track V. Dukhovni
Expires: August 23, 2017 Two Sigma
February 19, 2017
TLS Extension for DANE Client Identity
draft-huque-tls-dane-clientid-01
Abstract
This document specifies a TLS and DTLS extension to convey a DNS-
Based Authentication of Named Entities (DANE) Client Identity to a
TLS or DTLS server. This is useful for applications that perform TLS
client authentication via DANE TLSA records.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 23, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Huque & Dukhovni Expires August 23, 2017 [Page 1]
Internet-Draft TLS DANE ClientID Extension February 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. DANE Client Identity Extension . . . . . . . . . . . . . . . 3
4. Open Questions . . . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
This document specifies a Transport Layer Security (TLS) extension
[RFC6066] to convey a DANE [RFC6698] Client Identity to the TLS
server. This is useful for applications that perform TLS client
authentication via DANE TLSA records, as described in [DANECLIENT].
The conveyed identity is in the form of a domain name associated with
the client that is expected to have a corresponding DANE TLSA record
published in the DNS.
This extension supports both TLS and DTLS [RFC6347], and the term TLS
in this document is used generically to describe both protocols.
2. Overview
When TLS clients use X.509 client certificates or raw public keys
that are authenticated via DANE TLSA records, they need a mechanism
to convey their DANE identity to the server. The TLS extension
defined in this document is used to accomplish this. Upon receipt of
this extension, a TLS server learns the client's identity and the
fact that the client expects that the server can authenticate it via
a corresponding DNSSEC-validated TLSA record.
Huque & Dukhovni Expires August 23, 2017 [Page 2]
Internet-Draft TLS DANE ClientID Extension February 2017
In the case of X.509 client certificates, a TLS server can learn the
client's identity by examining subject alternative names included in
the certificate itself. However, without a mechanism such as the one
defined in this extension, the TLS server cannot know apriori that
the client has a published TLSA record, and thus may unnecessarily
issue DNS queries for DANE TLSA records in-band with the TLS
Show full document text