PKIX over Secure HTTP
RFC 7711, “PKIX over Secure HTTP”, is a Proposed Standard document published in November 2015 by M. Miller and P. Saint-Andre. The canonical text is published by the RFC Editor.
Abstract
Experience has shown that it is difficult to deploy proper PKIX certificates for Transport Layer Security (TLS) in multi-tenanted environments. As a result, domains hosted in such environments often deploy applications using certificates that identify the hosting service, not the hosted domain. Such deployments force end users and peer services to accept a certificate with an improper identifier, resulting in degraded security. This document defines methods that make it easier to deploy certificates for proper server identity checking in non-HTTP application protocols. Although these methods were developed for use in the Extensible Messaging and Presence Protocol (XMPP) as a Domain Name Association (DNA) prooftype, they might also be usable in other non-HTTP application protocols.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 7711 is hosted at rfc-editor.org and is available in TXT and HTML formats.
- RFC 7710 Captive-Portal Identification Using DHCP or Router Advertisements
- RFC 7712 Domain Name Associations in the Extensible Messaging and Presence Protocol
- RFC 7709 Requirements for Very Fast Setup of GMPLS Label Switched Paths
- RFC 7713 Congestion Exposure Concepts, Abstract Mechanism, and Requirements
- RFC 7708 Using a Generic Associated Channel Label as a Virtual Circuit Connectivity Verification Channel Indicator
- RFC 7714 AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol
- RFC 7706 Decreasing Access Time to Root Servers by Running One on Loopback
- RFC 7716 Global Table Multicast with BGP Multicast VPN Procedures