X.509v3 Transport Layer Security Feature Extension
RFC 7633, “X.509v3 Transport Layer Security Feature Extension”, is a Proposed Standard document published in October 2015 by P. Hallam-Baker. The canonical text is published by the RFC Editor.
Abstract
The purpose of the TLS feature extension is to prevent downgrade attacks that are not otherwise prevented by the TLS protocol. In particular, the TLS feature extension may be used to mandate support for revocation checking features in the TLS protocol such as Online Certificate Status Protocol (OCSP) stapling. Informing clients that an OCSP status response will always be stapled permits an immediate failure in the case that the response is not stapled. This in turn prevents a denial-of-service attack that might otherwise be possible.
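The client-side behaviour the abstract describes, as an added example in Go rather than text or code from the RFC: it builds the id-pe-tlsfeature extension (OID 1.3.6.1.5.5.7.1.24, whose value is `Features ::= SEQUENCE OF INTEGER`; 5 is `status_request`, 17 is `status_request_v2`), reads it back from a parsed certificate, and, in a `tls.Config.VerifyConnection` callback, fails the handshake immediately when the leaf asserts the feature but the server stapled no OCSP response. The throwaway self-signed certificate, the name `example.test` and all function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pe-tlsfeature (RFC 7633, Section 3): 1.3.6.1.5.5.7.1.24
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// TLS extension type numbers carried in the Features SEQUENCE OF INTEGER.
const (
	featureStatusRequest   = 5  // status_request (OCSP stapling, RFC 6066)
	featureStatusRequestV2 = 17 // status_request_v2 (RFC 6961)
)

// mustStapleExtension builds the DER value Features ::= SEQUENCE OF INTEGER
// containing status_request, wrapped as an X.509 extension.
func mustStapleExtension() (pkix.Extension, error) {
	der, err := asn1.Marshal([]int{featureStatusRequest}) // 30 03 02 01 05
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidTLSFeature, Critical: false, Value: der}, nil
}

// tlsFeatures returns the feature list from a certificate's TLS feature
// extension, or (nil, nil) when the certificate carries none.
func tlsFeatures(cert *x509.Certificate) ([]int, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		rest, err := asn1.Unmarshal(ext.Value, &features)
		if err != nil {
			return nil, fmt.Errorf("tlsfeature: malformed extension: %w", err)
		}
		if len(rest) != 0 {
			return nil, errors.New("tlsfeature: trailing data after Features")
		}
		return features, nil
	}
	return nil, nil
}

// requiresStapling reports whether the certificate asserts that an OCSP
// status response will always be stapled.
func requiresStapling(cert *x509.Certificate) (bool, error) {
	features, err := tlsFeatures(cert)
	if err != nil {
		return false, err
	}
	for _, f := range features {
		if f == featureStatusRequest || f == featureStatusRequestV2 {
			return true, nil
		}
	}
	return false, nil
}

// verifyMustStaple is a tls.Config.VerifyConnection callback. If the leaf
// asserts must-staple and nothing was stapled, abort the handshake instead of
// falling back to a live OCSP fetch that an on-path attacker could block.
func verifyMustStaple(cs tls.ConnectionState) error {
	if len(cs.PeerCertificates) == 0 {
		return errors.New("no peer certificate presented")
	}
	required, err := requiresStapling(cs.PeerCertificates[0])
	if err != nil {
		return err
	}
	if required && len(cs.OCSPResponse) == 0 {
		return errors.New("certificate requires OCSP stapling but no response was stapled")
	}
	return nil // a real client must still parse and validate cs.OCSPResponse
}

// selfSignedWithMustStaple creates a throwaway self-signed certificate that
// carries the extension; it exists only so the parser can be exercised offline.
func selfSignedWithMustStaple() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ext, err := mustStapleExtension()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{ext},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedWithMustStaple()
	if err != nil {
		panic(err)
	}
	must, _ := requiresStapling(cert)
	fmt.Println("must-staple asserted:", must)
	peers := []*x509.Certificate{cert}
	// Simulated handshakes: server omitted the staple, then server stapled something.
	fmt.Println("no staple:", verifyMustStaple(tls.ConnectionState{PeerCertificates: peers}))
	fmt.Println("stapled:  ", verifyMustStaple(tls.ConnectionState{PeerCertificates: peers, OCSPResponse: []byte{0x30}}))
}
```

The callback only checks that a response is present, which is the downgrade the extension is meant to close; a production client must additionally parse the stapled response, verify its signature and validity window, and confirm the status is good. It also assumes the client offered status_request in its ClientHello, which the Go crypto/tls client does by default; RFC 7633 only obliges the server to staple features the client actually offered.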
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 7633 is hosted at rfc-editor.org. Available in TXT and HTML.
Neighbouring RFCs
- RFC 7629 Flow-Binding Support for Mobile IP
- RFC 7630 HMAC-SHA-2 Authentication Protocols in the User-based Security Model for SNMPv3
- RFC 7631 TLV Naming in the Mobile Ad Hoc Network Generalized Packet/Message Format
- RFC 7632 Endpoint Security Posture Assessment: Enterprise Use Cases
- RFC 7634 ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol and IPsec
- RFC 7635 Session Traversal Utilities for NAT Extension for Third-Party Authorization
- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
- RFC 7637 NVGRE: Network Virtualization Using Generic Routing Encapsulation