CA
... TLS clients to indicate to TLS servers which CA root keys
they possess. This functionality is desirable in order to prevent
...
... TLS clients that are only
able to store a small number of CA root keys due to memory
limitations.
...
... Section 3.4 describes the extension that allows a client to indicate
which CA root keys it possesses. Section 3.5 describes the extension
that allows the use of truncated HMAC ...
... Trusted CA Indication ...
... Constrained clients that, due to memory limitations, possess only a
small number of CA root keys may wish to indicate to servers which
root ...
... DistinguishedName<1..2^16-1>;
Here "TrustedAuthorities" provides a list of CA root key identifiers
that the client ...
... either:
- "pre_agreed": no CA root key identity supplied.
...
... - "key_sha1_hash": contains the SHA-1 hash of the CA root key. For Digital Signature Algorithm ...
...
Note that clients may include none, some, or all of the CA root keys
they possess in this extension.
...
... certificate issuer (for example, if
a particular CA has multiple key pairs). However, here we assume
this is the case following the use of Distinguished Names ...
... root keys is included to allow the client
to indicate possession of some pre-defined set of CA root keys.
...
... root keys a client possesses could be
regarded as confidential information. As a result, the CA root key
indication extension should be used with care.
...
... assessed for validity according to the relying party's existing
configuration of trusted CAs; it is not intended to be used to
specify any change to that configuration.
...
