Is TLS1.3 support missing the "certificate_authorities" extension?

Sean Mullan sean.mullan at oracle.com
Tue Jan 15 13:39:27 UTC 2019


Hello,

On 1/15/19 4:03 AM, Andrew Leonard wrote:
> Re-posting this question..
> 
> Isn't the "certificate_authorities" extension mandatory for TLS1.3?

The text in question says "SHOULD" and not "MUST" [1]. So while it is 
very desirable, I would not categorize this as a mandatory requirement.

> 
> _https://bugs.openjdk.java.net/browse/JDK-8206925_
> 
> See _https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.2.4_
> There's a known typo in
> _https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.4.2.2_
> which from this comment:
> _https://www.ietf.org/mail-archive/web/tls/current/msg23612.html_
> indicates section 4.4.2.2 was a typo and "certificate_authorities" should
> be used instead of "trusted_ca_keys"

Note that your links above are referencing the Internet Draft. This has 
been corrected in the RFC: 
https://tools.ietf.org/html/rfc8446#section-4.4.2.2

> Should JDK-8206925 be a "bug"? Thoughts?

It seems correct as an Enhancement.

--Sean

[1] https://tools.ietf.org/html/rfc2119

> 
> Many thanks
> Andrew
> 
> Andrew Leonard
> Java Runtimes Development
> IBM Hursley
> IBM United Kingdom Ltd
> Phone internal: 245913, external: 01962 815913
> internet email: andrew_m_leonard at uk.ibm.com
> 
> 
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU



More information about the security-dev mailing list