Hi everyone,

This draft extends TLS 1.3 to provide pinning of the TLS server using a stateless ticket. This is similar to public-key pinning but not quite, and our goal was to overcome the deployment issues that prevent widespread deployment of HPKP.

Version -02 of the draft incorporates learnings from my proof-of-concept implementation at https://github.com/yaronf/mint. Thanks to the authors of the Mint TLS 1.3 implementation from which my code was forked.

Best,
Yaron

-------- Forwarded Message --------
Subject: New Version Notification for draft-sheffer-tls-pinning-ticket-02.txt
Date: Fri, 08 Jul 2016 06:42:25 -0700
From: internet-dra...@ietf.org
To: Yaron Sheffer <yaronf.i...@gmail.com>

A new version of I-D, draft-sheffer-tls-pinning-ticket-02.txt has been successfully submitted by Yaron Sheffer and posted to the IETF repository.

Name: draft-sheffer-tls-pinning-ticket
Revision: 02
Title: TLS Server Identity Pinning with Tickets
Document date: 2016-07-08
Group: Individual Submission
Pages: 18
URL: https://www.ietf.org/internet-drafts/draft-sheffer-tls-pinning-ticket-02.txt
Status: https://datatracker.ietf.org/doc/draft-sheffer-tls-pinning-ticket/
Htmlized: https://tools.ietf.org/html/draft-sheffer-tls-pinning-ticket-02
Diff: https://www.ietf.org/rfcdiff?url2=draft-sheffer-tls-pinning-ticket-02

Abstract:
Fake public-key certificates are an ongoing problem for users of TLS. Several solutions have been proposed, but none is currently in wide use. This document proposes to extend TLS with opaque tickets, similar to those being used for TLS session resumption, as a way to pin the server's identity. That is, to ensure the client that it is connecting to the right server even in the presence of corrupt certificate authorities and fake certificates. The main advantage of this solution is that no manual management actions are required.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
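The abstract describes pinning a server with an opaque, stateless ticket rather than with a public key. The following is an added toy model of that idea, written for this page; it is not code from the draft or from the Mint fork, and its ticket layout, derivation labels and message flow are my own simplifications rather than the draft's wire format. It assumes a server that keeps only one long-term protection key (so tickets need no server-side state), derives a per-ticket pinning secret from that key and the ticket, and that the first (certificate-authenticated) connection is what hands the client the ticket and its secret. On a later connection the client sends the ticket back, the server recomputes the secret and returns an HMAC over both sides' randoms, and the client checks it. A server presenting a fraudulent certificate but lacking the protection key cannot produce the proof, which is the property the draft is after.

```python
"""Toy model of TLS server identity pinning with a stateless ticket.

Illustration of the concept only: the real draft's ticket format,
key derivation and extension layout differ from what is shown here.
"""
import hashlib
import hmac
import secrets
import struct
import time

HASH = hashlib.sha256
TICKET_LIFETIME = 30 * 24 * 3600   # constructed 30-day lifetime for the toy
RANDOM_LEN = 16
EXPIRY_LEN = 8
TAG_LEN = HASH().digest_size


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """One-block, HKDF-Expand-style derivation with HMAC-SHA256 (simplified)."""
    return hmac.new(key, label + b"\x00" + context + b"\x01", HASH).digest()


class PinningServer:
    """Stateless server: its only long-lived state is the protection key."""

    def __init__(self, protection_key=None):
        self.protection_key = protection_key or secrets.token_bytes(32)
        # Separate sub-keys for ticket integrity and for the pinning secret.
        self.mac_key = kdf(self.protection_key, b"toy ticket mac")
        self.secret_key = kdf(self.protection_key, b"toy pinning secret")

    def _pinning_secret(self, ticket: bytes) -> bytes:
        # Derived from the ticket itself, so nothing needs to be stored per client.
        return kdf(self.secret_key, b"pin", ticket)

    def issue(self, now=None):
        """First connection: build an opaque ticket plus the secret the
        client will remember with it (conveyed inside the authenticated session)."""
        expiry = (now if now is not None else int(time.time())) + TICKET_LIFETIME
        body = secrets.token_bytes(RANDOM_LEN) + struct.pack(">Q", expiry)
        ticket = body + hmac.new(self.mac_key, body, HASH).digest()
        return ticket, self._pinning_secret(ticket)

    def prove(self, ticket: bytes, client_random: bytes, server_random: bytes, now=None):
        """Later connection: validate the presented ticket without any stored
        state and return the pinning proof, or None if the ticket is not ours
        (wrong key, tampered) or has expired."""
        if len(ticket) != RANDOM_LEN + EXPIRY_LEN + TAG_LEN:
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected_tag = hmac.new(self.mac_key, body, HASH).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return None
        expiry = struct.unpack(">Q", body[RANDOM_LEN:])[0]
        if (now if now is not None else int(time.time())) > expiry:
            return None
        secret = self._pinning_secret(ticket)
        return hmac.new(secret, client_random + server_random, HASH).digest()


class PinningClient:
    """Client: remembers (ticket, pinning secret) per host and checks proofs."""

    def __init__(self):
        self.pins = {}

    def remember(self, host: str, ticket: bytes, secret: bytes):
        self.pins[host] = (ticket, secret)

    def verify(self, host: str, client_random: bytes, server_random: bytes, proof):
        if host not in self.pins:
            return True   # no pin yet: nothing to check on a first connection
        _, secret = self.pins[host]
        expected = hmac.new(secret, client_random + server_random, HASH).digest()
        return proof is not None and hmac.compare_digest(expected, proof)


def reconnect(client: PinningClient, server: PinningServer, host: str, now=None) -> bool:
    """Simulate a later connection: client offers its ticket, server answers
    with a proof, client verifies. Returns True only if the pin is satisfied."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    ticket = client.pins[host][0] if host in client.pins else None
    proof = server.prove(ticket, client_random, server_random, now) if ticket else None
    return client.verify(host, client_random, server_random, proof)


def demo():
    """Genuine server passes; a server without the key (fake cert) fails."""
    genuine, client = PinningServer(), PinningClient()
    ticket, secret = genuine.issue(now=1000)
    client.remember("example.com", ticket, secret)   # constructed hostname
    return reconnect(client, genuine, "example.com", now=2000), \
        reconnect(client, PinningServer(), "example.com", now=2000)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check is deliberately independent of the certificate chain: once a pin exists, a valid certificate from a compromised CA is not enough, the server must also know the protection key. The flip side, visible in `prove`, is that losing or rotating that key invalidates every outstanding ticket, and the toy simply fails such connections; how a deployment handles key rotation and ticket expiry is the main operational question this kind of scheme has to answer.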