certificate
Click on the red underlined text to get to the source
... - Allow TLS clients and servers to negotiate the use of client
certificate URLs. This functionality is desirable in order to
conserve memory on constrained clients.
...
... TLS clients and servers to negotiate that the server sends
the client certificate status information (e.g., an Online
Certificate Status Protocol (OCSP ...
... the client certificate status information (e.g., an Online
Certificate Status Protocol (OCSP) [OCSP] response) during a TLS ...
... handshake. This functionality is desirable in order to avoid
sending a Certificate Revocation List (CRL) over a constrained
access network ...
... fragment_length(1),
client_certificate_url(2), trusted_ca_keys(3),
truncated_hmac(4), status_request ...
... hello_request(0), client_hello(1), server_hello(2),
certificate(11), server_key_exchange (12),
certificate_request(13), server_hello_done(14),
...
... certificate(11), server_key_exchange (12),
certificate_request(13), server_hello_done(14),
certificate_verify(15), client ...
... certificate_request(13), server_hello_done(14),
certificate_verify(15), client_key_exchange(16),
finished(20), certificate ...
... certificate_verify(15), client_key_exchange(16),
finished(20), certificate_url(21), certificate_status(22),
(255)
...
... client_key_exchange(16),
finished(20), certificate_url(21), certificate_status(22),
(255)
} HandshakeType;
...
... client_hello: ClientHello;
case server_hello: ServerHello;
case certificate: Certificate;
case server_key_exchange: ServerKeyExchange ...
... case server_hello: ServerHello;
case certificate: Certificate;
case server_key_exchange: ServerKeyExchange;
...
... case server_key_exchange: ServerKeyExchange;
case certificate_request: CertificateRequest;
case server_hello_done: ServerHelloDone;
...
... CertificateRequest;
case server_hello_done: ServerHelloDone;
case certificate_verify: CertificateVerify;
case client_key_exchange: ClientKeyExchange;
...
... client_key_exchange: ClientKeyExchange;
case finished: Finished;
case certificate_url: CertificateURL;
case certificate_status: CertificateStatus;
...
... case certificate_url: CertificateURL;
case certificate_status: CertificateStatus;
} body;
} Handshake ...
... extension that provides maximum fragment length negotiation. Section
3.3 describes the extension that allows client certificate URLs.
Section 3.4 describes the extension that allows a client to indicate
...
... that allows the use of truncated HMAC. Section 3.6 describes the
extension that supports integration of certificate status information
messages into TLS handshakes ...
... server_name"
extension MAY use the information contained in the extension to guide
its selection of an appropriate certificate to return to the client,
and/or other aspects of security policy ...
... Client Certificate URLs ...
... client authentication
is performed, client certificates are sent by clients to servers
during the TLS ...
... handshake. It may be desirable for constrained
clients to send certificate URLs in place of certificates, so that
they do not need to store their certificates ...
... clients to send certificate URLs in place of certificates, so that
they do not need to store their certificates and can therefore save
...
... certificate URLs in place of certificates, so that
they do not need to store their certificates and can therefore save
memory.
...
... memory.
In order to negotiate sending certificate URLs to a server, clients
MAY include an extension of type "client ...
... clients
MAY include an extension of type "client_certificate_url" in the
(extended) client hello. The "extension_data" field of this
...
... extension SHALL be empty.
(Note that it is necessary to negotiate use of client certificate
URLs in order to avoid "breaking" existing TLS servers.)
...
... client hello containing a
"client_certificate_url" extension MAY indicate that they are willing
to accept certificate URLs by including an extension of type
...
... client_certificate_url" extension MAY indicate that they are willing
to accept certificate URLs by including an extension of type
"client_certificate ...
... certificate URLs by including an extension of type
"client_certificate_url" in the (extended) server hello. The
"extension_data" field of this extension SHALL be empty.
...
...
After negotiation of the use of client certificate URLs has been
successfully completed (by exchanging hellos including
"client ...
... successfully completed (by exchanging hellos including
"client_certificate_url" extensions), clients MAY send a
"CertificateURL" message in place of a "Certificate ...
... certificate_url" extensions), clients MAY send a
"CertificateURL" message in place of a "Certificate" message:
enum {
...
... hashes.
When X.509 certificates are used, there are two possibilities:
- If CertificateURL.type is "individual_certs", each URL ...
... URL for the
client's certificate first.
- If CertificateURL.type is "pkipath", the list contains a single
...
... URL referring to a DER-encoded certificate chain, using the type
PkiPath described in Section 8.
...
... PkiPath described in Section 8.
When any other certificate format is used, the specification that
describes use of that format in TLS should define the encoding ...
... TLS should define the encoding format
of certificates or certificate chains, and any constraint on their
...
... encoding format
of certificates or certificate chains, and any constraint on their
ordering.
...
... client's discretion either
is not present or is the SHA-1 hash of the certificate or certificate
chain (in the case of X.509 certificates, the DER-encoded ...
... is not present or is the SHA-1 hash of the certificate or certificate
chain (in the case of X.509 certificates, the DER-encoded certificate ...
... SHA-1 hash of the certificate or certificate
chain (in the case of X.509 certificates, the DER-encoded certificate
...
... certificate
chain (in the case of X.509 certificates, the DER-encoded certificate
or the DER-encoded PkiPath).
...
...
Note that when a list of URLs for X.509 certificates is used, the
ordering of URLs is the same as that used in the TLS Certificate
message ...
... X.509 certificates is used, the
ordering of URLs is the same as that used in the TLS Certificate
message (see [TLS], Section 7.4.2), but opposite to the order in
which certificates ...
... TLS Certificate
message (see [TLS], Section 7.4.2), but opposite to the order in
which certificates are encoded in PkiPath. In either case, the
self-signed root certificate ...
... certificates are encoded in PkiPath. In either case, the
self-signed root certificate MAY be omitted from the chain, under the
assumption that the server must already possess it in order to
validate ...
... receiving "CertificateURL" SHALL attempt to retrieve the
client's certificate chain from the URLs and then process the
certificate chain ...
... certificate chain from the URLs and then process the
certificate chain as usual. A cached copy of the content of any URL
in the chain MAY be used, provided that a SHA-1 hash ...
... Servers that support this extension MUST support the http: URL scheme
for certificate URLs, and MAY support other schemes. Use of other
schemes than "http", "https", or "ftp" may create unexpected
...
... Cache-Control and Expires directives described in [HTTP]
to specify whether and for how long certificates or certificate
chains should be cached.
...
... HTTP]
to specify whether and for how long certificates or certificate
chains should be cached.
The TLS ...
... TLS server is not required to follow HTTP redirects when
retrieving the certificates or certificate chain. The URLs used in
...
... HTTP redirects when
retrieving the certificates or certificate chain. The URLs used in
this extension SHOULD therefore be chosen not to depend on such
...
... redirects.
If the protocol used to retrieve certificates or certificate chains
returns a MIME ...
...
If the protocol used to retrieve certificates or certificate chains
returns a MIME-formatted response (as HTTP ...
... MIME Content-Types SHALL be used: when a single X.509v3 certificate
is returned, the Content-Type is "application/pkix-cert" [PKIOP ...
... PKIOP], and
when a chain of X.509v3 certificates is returned, the Content-Type is
"application/pkix-pkipath" (see Section 8).
...
...
Note that clients may choose to send either "Certificate" or
"CertificateURL" after successfully negotiating the option to send
certificate URLs ...
... Certificate" or
"CertificateURL" after successfully negotiating the option to send
certificate URLs. The option to send a certificate is included to
provide flexibility to clients ...
... "CertificateURL" after successfully negotiating the option to send
certificate URLs. The option to send a certificate is included to
provide flexibility to clients possessing multiple certificates ...
... certificate is included to
provide flexibility to clients possessing multiple certificates.
If a server encounters an unreasonable delay in obtaining
...
...
If a server encounters an unreasonable delay in obtaining
certificates in a given CertificateURL, it SHOULD time out and signal
a "certificate_unobtainable" error alert ...
... certificates in a given CertificateURL, it SHOULD time out and signal
a "certificate_unobtainable" error alert.
...
... hash or a Distinguished Name
alone may not uniquely identify a certificate issuer (for example, if
a particular CA ...
... this is the case following the use of Distinguished Names to identify
certificate issuers in TLS.
...
... client hello containing the "trusted_ca_keys"
extension MAY use the information contained in the extension to guide
their selection of an appropriate certificate chain to return to the
client. In this event, the server SHALL include an extension of type
...
... Certificate Status Request ...
... OCSP [OCSP] to check the validity of server certificates, in
order to avoid transmission of CRLs and therefore save bandwidth ...
... handshake, saving roundtrips and resources.
In order to indicate their desire to receive certificate status
information, clients MAY include an extension of type
...
... client hello containing the "status_request"
extension MAY return a suitable certificate status response to the
client along with their certificate ...
... certificate status response to the
client along with their certificate. If OCSP is requested, they
SHOULD use the information contained in the extension when selecting
...
... request.
Servers return a certificate response along with their certificate by
sending a "CertificateStatus" message immediately after the
...
...
Servers return a certificate response along with their certificate by
sending a "CertificateStatus" message immediately after the
"Certificate ...
... certificate by
sending a "CertificateStatus" message immediately after the
"Certificate" message (and before any "ServerKeyExchange" or
"CertificateRequest ...
... handshake
message type "certificate_status".
Note that a server MAY also choose not to send a "CertificateStatus"
...
... server
name. This message MAY be fatal.
- "certificate_unobtainable": this alert is sent by servers who are
unable to retrieve a certificate chain ...
... certificate_unobtainable": this alert is sent by servers who are
unable to retrieve a certificate chain from the URL supplied by
the client (see Section 3.3). This message MAY be fatal; for
...
... the handshake to continue and the server is unable to retrieve the
certificate chain, it may send a fatal alert.
...
... alert is sent by clients
that receive an invalid certificate status response (see Section
3.6). This message is always fatal.
...
... 3.6). This message is always fatal.
- "bad_certificate_hash_value": this alert is sent by servers when a
...
... hash_value": this alert is sent by servers when a
certificate hash does not match a client-provided
...
... handshake_failure(40),
/* 41 is not defined, for historical reasons */
bad_certificate(42),
unsupported_certificate(43),
...
... certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
...
... no_renegotiation(100),
unsupported_extension(110), /* new */
certificate_unobtainable(111), /* new */
unrecognized_name(112), /* new */
bad_certificate ...
... certificate_unobtainable(111), /* new */
unrecognized_name(112), /* new */
bad_certificate_status_response(113), /* new */
bad_certificate_hash ...
... bad_certificate_status_response(113), /* new */
bad_certificate_hash_value(114), /* new */
(255)
...
... TLS (in particular, the consequences of "spoofed" names
that are indistinguishable from another name when displayed or
printed). It is recommended that server certificates not be issued
for internationalized hostnames unless procedures are in place to
mitigate the risk of spoofed hostnames.
...
... The first major issue is whether or not clients should include
certificate hashes when they send certificate URLs.
...
... client authentication is used *without* the
client_certificate_url extension, the client certificate chain is
covered by the Finished message ...
... client_certificate_url extension, the client certificate chain is
covered by the Finished message hashes ...
... hashes. The purpose of including
hashes and checking them against the retrieved certificate chain is
to ensure that the same property holds when this extension is used,
i.e., that all of the information in the certificate chain ...
... certificate chain is
to ensure that the same property holds when this extension is used,
i.e., that all of the information in the certificate chain retrieved
by the server is as the client ...
... client intended.
On the other hand, omitting certificate hashes enables functionality
that is desirable in some circumstances; for example, clients ...
... that is desirable in some circumstances; for example, clients can be
issued daily certificates that are stored at a fixed URL and need not
be provided to the client ...
... be provided to the client. Clients that choose to omit certificate
hashes should be aware of the possibility of an attack ...
... attacker obtains a valid certificate on the client's key that is
different from the certificate ...
... certificate on the client's key that is
different from the certificate the client intended to provide.
Although TLS ...
...
The second major issue is that support for client_certificate_url
involves the server's acting as a client in another URL ...
... As a result of this issue, it is RECOMMENDED that the
client_certificate_url extension should have to be specifically
enabled by a server administrator, rather than be enabled by default.
...
... certificate hash alternative ensures that each
certificate is specified unambiguously. As for the previous
extension, it was not believed necessary to use both MD5 and SHA-1 ...
... that requires OCSP validation of certificates SHOULD either contact
the OCSP server directly or abort the handshake ...
... ASN.1 type PkiPath,
defined as follows:
PkiPath ::= SEQUENCE OF Certificate
PkiPath is used to represent a certification path. Within the
...
... PkiPath ::= SEQUENCE OF Certificate
PkiPath is used to represent a certification path. Within the
sequence, the order of certificates is such that the subject ...
... PkiPath is used to represent a certification path. Within the
sequence, the order of certificates is such that the subject of
the first certificate ...
... certificates is such that the subject of
the first certificate is the issuer of the second certificate,
...
... X509-4th].
All Certificates MUST conform to [PKIX]. (This should be
interpreted as a requirement ...
... requirement to encode only PKIX-conformant
certificates using this type. It does not necessarily require
that all certificates that are not strictly PKIX ...
... certificates using this type. It does not necessarily require
that all certificates that are not strictly PKIX-conformant must
be rejected by relying parties, although the security ...
... be rejected by relying parties, although the security consequences
of accepting any such certificates should be considered
carefully.)
...
... TLS).
Note that this type only specifies a certificate chain that can be
assessed for validity according to the relying party's existing
...
... No specific interoperability problems are known with this type,
but for recommendations relating to X.509 certificates in general,
see [PKIX].
...
... TLS. It may also be used by
other protocols, or for general interchange of PKIX certificate
chains.
Additional information:
...
... X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560prop, June 1999. ...
... Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ...
... X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280prop ...
... ISO/IEC 9594-8:2001, "Information Systems - Open Systems Interconnection - The Directory: Public key and attribute certificate frameworks." ...