1 / 7

Extensions to TLS

Extensions to TLS. Simon Blake-Wilson Certicom David Hopwood Independent Consultant Jan Mikkelsen Transactionware Magnus Nystrom RSA Security Tim Wright Vodafone. Content. Updates from “wireless extensions” Issues raised The way forward?. DNS name extension. New to the draft

hyatt-sutton
Download Presentation

Extensions to TLS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extensions to TLS Simon Blake-Wilson Certicom David Hopwood Independent Consultant Jan Mikkelsen Transactionware Magnus Nystrom RSA Security Tim Wright Vodafone

  2. Content • Updates from “wireless extensions” • Issues raised • The way forward?

  3. DNS name extension • New to the draft • Allows a single “machine” to host multiple “servers” • Client tells server DNS name of server being contacted • Server may use info to help produce response

  4. Other Extensions • Clarified session resumption - extensions ignored during session resumption • Short session IDs - removed • Client cert urls - client supplies a list, one url = one cert • Client cert urls - both cert hash and url supplied • Truncated MACs - restricted to HMAC with MD5 and SHA-1 • Trusted root indication - cert hash option added

  5. New Error Alerts • Be careful when new error alerts get sent! • Unsupported extension • Bad extension order • Unrecognized domain • Certificate unobtainable • Bad OCSP response

  6. Issues • How serious is “certificate unobtainable” alert? • Do we need to require client driven extensions? • How/where do DNS names get canonicalized? • Generalize OCSP status request? • Tie extensions with TLS version rev?

  7. The Way Forward? • Update based on comments and known issues • WG last call?

More Related