1 / 7

Updates on TLS Extensions: Enhancements and Challenges Ahead

This document summarizes recent updates and discussions on TLS extensions, focusing on issues raised, advancements made, and the path forward. Key topics include the introduction of DNS name extensions for multiple server hosting, clarified session resumption processes, and new error alerts regarding unsupported extensions and certificate issues. With contributions from industry experts, this report aims to address the complexities of implementing these changes while ensuring security and usability in TLS protocols.

hyatt-sutton
Télécharger la présentation

Updates on TLS Extensions: Enhancements and Challenges Ahead

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extensions to TLS Simon Blake-Wilson Certicom David Hopwood Independent Consultant Jan Mikkelsen Transactionware Magnus Nystrom RSA Security Tim Wright Vodafone

  2. Content • Updates from “wireless extensions” • Issues raised • The way forward?

  3. DNS name extension • New to the draft • Allows a single “machine” to host multiple “servers” • Client tells server DNS name of server being contacted • Server may use info to help produce response

  4. Other Extensions • Clarified session resumption - extensions ignored during session resumption • Short session IDs - removed • Client cert urls - client supplies a list, one url = one cert • Client cert urls - both cert hash and url supplied • Truncated MACs - restricted to HMAC with MD5 and SHA-1 • Trusted root indication - cert hash option added

  5. New Error Alerts • Be careful when new error alerts get sent! • Unsupported extension • Bad extension order • Unrecognized domain • Certificate unobtainable • Bad OCSP response

  6. Issues • How serious is “certificate unobtainable” alert? • Do we need to require client driven extensions? • How/where do DNS names get canonicalized? • Generalize OCSP status request? • Tie extensions with TLS version rev?

  7. The Way Forward? • Update based on comments and known issues • WG last call?

More Related