TLS Server Identity Pinning with Tickets
RFC 8672, “TLS Server Identity Pinning with Tickets”, is an Experimental document published in October 2019 by Y. Sheffer, D. Migault. The canonical text is published by the RFC Editor.
Abstract
Misissued public-key certificates can prevent TLS clients from appropriately authenticating the TLS server. Several alternatives have been proposed to detect this situation and prevent a client from establishing a TLS session with a TLS end point authenticated with an illegitimate public-key certificate. These mechanisms are either not widely deployed or limited to public web browsing.
This document proposes experimental extensions to TLS with opaque pinning tickets as a way to pin the server's identity. During an initial TLS session, the server provides an original encrypted pinning ticket. In subsequent TLS session establishment, upon receipt of the pinning ticket, the server proves its ability to decrypt the pinning ticket and thus the ownership of the pinning protection key. The client can now safely conclude that the TLS session is established with the same TLS server as the original TLS session. One of the important properties of this proposal is that no manual management actions are required.
What “Experimental” means
Describes a specification that is part of a research or development effort, published so the community can gain experience with it.
The canonical text of RFC 8672 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 8671 Support for Adj-RIB-Out in the BGP Monitoring Protocol
- RFC 8673 HTTP Random Access and Live Content
- RFC 8670 BGP Prefix Segment in Large-Scale Data Centers
- RFC 8674 The "safe" HTTP Preference
- RFC 8669 Segment Routing Prefix Segment Identifier Extensions for BGP
- RFC 8675 A YANG Data Model for Tunnel Interface Types
- RFC 8668 Advertising Layer 2 Bundle Member Link Attributes in IS-IS
- RFC 8676 YANG Modules for IPv4-in-IPv6 Address plus Port Softwires