Is TLS1.3 support missing the "certificate_authorities" extension?
Andrew Leonard
andrew_m_leonard at uk.ibm.com
Tue Jan 15 14:08:56 UTC 2019
Thanks for the feedback Sean,
Do we have a view on the "priority" for such an enhancement? While we
don't support it, what won't work or is limited? Ajay?
Cheers
Andrew
Andrew Leonard
Java Runtimes Development
IBM Hursley
IBM United Kingdom Ltd
Phone internal: 245913, external: 01962 815913
internet email: andrew_m_leonard at uk.ibm.com
From: Sean Mullan <sean.mullan at oracle.com>
To: Andrew Leonard <andrew_m_leonard at uk.ibm.com>,
security-dev at openjdk.java.net
Cc: Ajay Reddy <areddy at us.ibm.com>, Alaine DeMyers <alaine at us.ibm.com>
Date: 15/01/2019 13:39
Subject: Re: Is TLS1.3 support missing the
"certificate_authorities" extension?
Hello,
On 1/15/19 4:03 AM, Andrew Leonard wrote:
> Re-posting this question..
>
> Isn't the "certificate_authorities" extension mandatory for TLS1.3?
The text in question says "SHOULD" and not "MUST" [1]. So while it is
very desirable, I would not categorize this as a mandatory requirement.
>
>
_https://bugs.openjdk.java.net/browse/JDK-8206925_
>
> See
_https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.2.4_
> There's a known typo in
>
_https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.4.2.2_
> which from this comment:
>
_https://www.ietf.org/mail-archive/web/tls/current/msg23612.html_
> indicates section 4.4.2.2 was a typo and "certificate_authorities"
should
> be used instead of "trusted_ca_keys"
Note that your links above are referencing the Internet Draft. This has
been corrected in the RFC:
https://tools.ietf.org/html/rfc8446#section-4.4.2.2
> Should JDK-8206925 be a "bug"? Thoughts?
It seems correct as an Enhancement.
--Sean
[1]
https://tools.ietf.org/html/rfc2119
>
> Many thanks
> Andrew
>
> Andrew Leonard
> Java Runtimes Development
> IBM Hursley
> IBM United Kingdom Ltd
> Phone internal: 245913, external: 01962 815913
> internet email: andrew_m_leonard at uk.ibm.com
>
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
3AU
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190115/512e1cee/attachment.htm>
More information about the security-dev
mailing list