TLS Extension for DANE Client Identity
draft-huque-tls-dane-clientid-02

Document Type Active Internet-Draft (individual)
Authors Shumon Huque  , Viktor Dukhovni 
Last updated 2020-10-10
Stream (None)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet Engineering Task Force                                 S. Huque
Internet-Draft                                                Salesforce
Intended status: Standards Track                             V. Dukhovni
Expires: 11 April 2021                                         Two Sigma
                                                          8 October 2020

                 TLS Extension for DANE Client Identity
                    draft-huque-tls-dane-clientid-02

Abstract

   This document specifies a TLS and DTLS extension to convey a DNS-
   Based Authentication of Named Entities (DANE) Client Identity to a
   TLS or DTLS server.  This is useful for applications that perform TLS
   client authentication via DANE TLSA records.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 April 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Huque & Dukhovni          Expires 11 April 2021                 [Page 1]
Internet-Draft         TLS DANE ClientID Extension          October 2020

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  DANE Client Identity Extension  . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   This document specifies a Transport Layer Security (TLS) extension
   [RFC6066] to convey a DANE [RFC6698] Client Identity to the TLS
   server.  This is useful for applications that perform TLS client
   authentication via DANE TLSA records, as described in [DANECLIENT].
   The extension could be empty to indicate to the server that the
   client has a DANE record and that the server can perform DANE
   authentication of the client with the identity extracted from the
   client certificate.  Or the extension can contain the full client
   identity, in the form of the DNS domain name that is expected to have
   a DANE TLSA record published for it.

   This extension supports both TLS [RFC5246] [RFC8446] and DTLS
   [RFC6347], and the term TLS in this document is used generically to
   describe both protocols.

2.  Overview

   When TLS clients use X.509 client certificates or raw public keys
   that are authenticated via DANE TLSA records, it is useful for them
   to convey their intent to be authenticated via DANE, or even to
   convey their complete DANE identity to the server.  The TLS extension
   defined in this document is used to accomplish this.

   In the case of X.509 client certificates, a TLS server can learn the
   client's identity by examining subject alternative names included in
   the certificate itself.  However, without a mechanism such as the one
   defined in this extension, the TLS server cannot know apriori that
   the client has a published TLSA record, and thus may unnecessarily
   issue DNS queries for DANE TLSA records in-band with the TLS
   handshake even in cases where the client has no TLSA record
   associated with it.  When multiple identities are present in the
   certificate, a client can use this extension to specify exactly which
   one the server should use.  An additional situation in which this
   extension helps is where some TLS servers may need to selectively
   prompt for client certificate credentials only for clients that are
   equipped to provide certificates.

Huque & Dukhovni          Expires 11 April 2021                 [Page 2]
Internet-Draft         TLS DANE ClientID Extension          October 2020
Show full document text