Is TLS1.3 support missing the "certificate_authorities" extension?

Andrew Leonard andrew_m_leonard at uk.ibm.com
Tue Jan 15 14:08:56 UTC 2019


Thanks for the feedback Sean,
Do we have a view on the "priority" for such an enhancement? While we 
don't support it, what won't work or is limited? Ajay?
Cheers
Andrew

Andrew Leonard
Java Runtimes Development
IBM Hursley
IBM United Kingdom Ltd
Phone internal: 245913, external: 01962 815913
internet email: andrew_m_leonard at uk.ibm.com 




From:    Sean Mullan <sean.mullan at oracle.com>
To:      Andrew Leonard <andrew_m_leonard at uk.ibm.com>, security-dev at openjdk.java.net
Cc:      Ajay Reddy <areddy at us.ibm.com>, Alaine DeMyers <alaine at us.ibm.com>
Date:    15/01/2019 13:39
Subject: Re: Is TLS1.3 support missing the "certificate_authorities" extension?



Hello,

On 1/15/19 4:03 AM, Andrew Leonard wrote:
> Re-posting this question..
> 
> Isn't the "certificate_authorities" extension mandatory for TLS1.3?

The text in question says "SHOULD" and not "MUST" [1]. So while it is 
very desirable, I would not categorize this as a mandatory requirement.

> https://bugs.openjdk.java.net/browse/JDK-8206925
>
> See https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.2.4
> There's a known typo in
> https://tools.ietf.org/html/draft-ietf-tls-tls13-20#section-4.4.2.2
> which from this comment:
> https://www.ietf.org/mail-archive/web/tls/current/msg23612.html
> indicates section 4.4.2.2 was a typo and "certificate_authorities" should
> be used instead of "trusted_ca_keys"

Note that your links above are referencing the Internet Draft. This has 
been corrected in the RFC: 
https://tools.ietf.org/html/rfc8446#section-4.4.2.2


> Should JDK-8206925 be a "bug"? Thoughts?

It seems correct as an Enhancement.

--Sean

[1] https://tools.ietf.org/html/rfc2119


> 
> Many thanks
> Andrew
> 
> Andrew Leonard
> Java Runtimes Development
> IBM Hursley
> IBM United Kingdom Ltd
> Phone internal: 245913, external: 01962 815913
> internet email: andrew_m_leonard at uk.ibm.com
> 
> 
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU




