draft-ietf-tls-ctls-04.txt   draft-ietf-tls-ctls-05.txt 
TLS Working Group E. Rescorla TLS Working Group E. Rescorla
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track R. Barnes Intended status: Standards Track R. Barnes
Expires: 28 April 2022 Cisco Expires: 8 September 2022 Cisco
H. Tschofenig H. Tschofenig
Arm Limited Arm Limited
25 October 2021 7 March 2022
Compact TLS 1.3 Compact TLS 1.3
draft-ietf-tls-ctls-04 draft-ietf-tls-ctls-05
Abstract Abstract
This document specifies a "compact" version of TLS 1.3. It is This document specifies a "compact" version of TLS 1.3. It is
isomorphic to TLS 1.3 but saves space by trimming obsolete material, isomorphic to TLS 1.3 but saves space by trimming obsolete material,
tighter encoding, a template-based specialization technique, and tighter encoding, a template-based specialization technique, and
alternative cryptographic techniques. cTLS is not directly alternative cryptographic techniques. cTLS is not directly
interoperable with TLS 1.3, but it should eventually be possible for interoperable with TLS 1.3, but it should eventually be possible for
a cTLS/TLS 1.3 server to exist and successfully interoperate. a cTLS/TLS 1.3 server to exist and successfully interoperate.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 28 April 2022. This Internet-Draft will expire on 8 September 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
2.1. Template-based Specialization . . . . . . . . . . . . . . 3 2.1. Template-based Specialization . . . . . . . . . . . . . . 3
2.1.1. Requirements on TLS Implementations . . . . . . . . . 6 2.1.1. Requirements on TLS Implementations . . . . . . . . . 7
2.1.2. Predefined Extensions . . . . . . . . . . . . . . . . 7 2.1.2. Predefined Extensions . . . . . . . . . . . . . . . . 7
2.1.3. Known Certificates . . . . . . . . . . . . . . . . . 8 2.1.3. Known Certificates . . . . . . . . . . . . . . . . . 8
2.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 9 2.2. Record Layer . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Handshake Layer . . . . . . . . . . . . . . . . . . . . . 10 2.3. Handshake Layer . . . . . . . . . . . . . . . . . . . . . 10
3. Handshake Messages . . . . . . . . . . . . . . . . . . . . . 11 3. Handshake Messages . . . . . . . . . . . . . . . . . . . . . 11
3.1. ClientHello . . . . . . . . . . . . . . . . . . . . . . . 11 3.1. ClientHello . . . . . . . . . . . . . . . . . . . . . . . 11
3.2. ServerHello . . . . . . . . . . . . . . . . . . . . . . . 11 3.2. ServerHello . . . . . . . . . . . . . . . . . . . . . . . 12
3.3. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 12 3.3. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . 12
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7. Normative References . . . . . . . . . . . . . . . . . . . . 13 6.1. Adding a ContentType . . . . . . . . . . . . . . . . . . 13
Appendix A. Example Exchange . . . . . . . . . . . . . . . . . . 14 6.2. Template Keys . . . . . . . . . . . . . . . . . . . . . . 13
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16 7. Normative References . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Appendix A. Example Exchange . . . . . . . . . . . . . . . . . . 15
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
DISCLAIMER: This is a work-in-progress draft of cTLS and has not yet DISCLAIMER: This is a work-in-progress draft of cTLS and has not yet
seen significant security analysis, so could contain major errors. seen significant security analysis, so could contain major errors.
It should not be used as a basis for building production systems. It should not be used as a basis for building production systems.
This document specifies a "compact" version of TLS 1.3 [RFC8446]. It This document specifies a "compact" version of TLS 1.3 [RFC8446]. It
is isomorphic to TLS 1.3 but designed to take up minimal bandwidth. is isomorphic to TLS 1.3 but designed to take up minimal bandwidth.
The space reduction is achieved by five basic techniques: The space reduction is achieved by five basic techniques:
skipping to change at page 5, line 28 skipping to change at page 5, line 28
list with the specified value. The server_hello.cipher_suite list with the specified value. The server_hello.cipher_suite
field is omitted and reconstructed in the transcript as the field is omitted and reconstructed in the transcript as the
specified value. specified value.
dhGroup (string): specifies a single DH group to use for key dhGroup (string): specifies a single DH group to use for key
establishment. The group is listed by the code point name in establishment. The group is listed by the code point name in
[RFC8446], Section 4.2.7. (e.g., x25519). This implies a literal [RFC8446], Section 4.2.7. (e.g., x25519). This implies a literal
"supported_groups" extension consisting solely of this group. "supported_groups" extension consisting solely of this group.
signatureAlgorithm (string): specifies a single signature scheme to signatureAlgorithm (string): specifies a single signature scheme to
use for authentication. The group is listed by the code point use for authentication. The signature algorithm is listed by the
name in [RFC8446], Section 4.2.7. (e.g., ed25519). This implies a code point name in [RFC8446], Section 4.2.3. (e.g.,
literal "signature_algorithms" extension consisting solely of this ecdsa_secp256r1_sha256). This implies a literal
group. "signature_algorithms" extension consisting solely of this group.
random (integer): indicates that the ClientHello.Random and random (integer): indicates that the ClientHello.Random and
ServerHello.Random values are truncated to the given length. When ServerHello.Random values are truncated to the given length. When
the transcript is reconstructed, the Random is padded to the right the transcript is reconstructed, the Random is padded to the right
with 0s and the anti-downgrade mechanism in [RFC8446], with 0s and the anti-downgrade mechanism in [RFC8446],
Section 4.1.3 is disabled. IMPORTANT: Using short Random values Section 4.1.3 is disabled. IMPORTANT: Using short Random values
can lead to potential attacks. The Random length MUST be less can lead to potential attacks. The Random length MUST be less
than or equal to 32 bytes. than or equal to 32 bytes.
[[Open Issue: Karthik Bhargavan suggested the idea of hashing [[Open Issue: Karthik Bhargavan suggested the idea of hashing
skipping to change at page 6, line 49 skipping to change at page 6, line 49
truncated to the given length. When the transcript is truncated to the given length. When the transcript is
reconstructed, the remainder of the Finished value is filled in by reconstructed, the remainder of the Finished value is filled in by
the receiving side. the receiving side.
[[OPEN ISSUE: How short should we allow this to be? TLS 1.3 uses the [[OPEN ISSUE: How short should we allow this to be? TLS 1.3 uses the
native hash and TLS 1.2 used 12 bytes. More analysis is needed to native hash and TLS 1.2 used 12 bytes. More analysis is needed to
know the minimum safe Finished size. See [RFC8446]; Section E.1 for know the minimum safe Finished size. See [RFC8446]; Section E.1 for
more on this, as well as https://mailarchive.ietf.org/arch/msg/tls/ more on this, as well as https://mailarchive.ietf.org/arch/msg/tls/
TugB5ddJu3nYg7chcyeIyUqWSbA.]] TugB5ddJu3nYg7chcyeIyUqWSbA.]]
optional (object): contains keys that are not required to be
understood by the client. Server operators MUST NOT place a key
in this section unless the server is able to determine whether the
key is in use based on the client data it receives. A key MUST
NOT appear in both the main template and the optional section.
2.1.1. Requirements on TLS Implementations 2.1.1. Requirements on TLS Implementations
To be compatible with the specializations described in this section, To be compatible with the specializations described in this section,
a TLS stack needs to provide the following features: a TLS stack needs to provide the following features:
* If specialization of extensions is to be used, then the TLS stack * If specialization of extensions is to be used, then the TLS stack
MUST order each vector of Extension values in ascending order MUST order each vector of Extension values in ascending order
according to the ExtensionType. This allows for a deterministic according to the ExtensionType. This allows for a deterministic
reconstruction of the extension list. reconstruction of the extension list.
skipping to change at page 9, line 16 skipping to change at page 9, line 21
whether a given cert_data value is compressed or uncompressed. Known whether a given cert_data value is compressed or uncompressed. Known
certificates objects SHOULD be constructed in such a way as to avoid certificates objects SHOULD be constructed in such a way as to avoid
a uncompressed object being mistaken for compressed one and a uncompressed object being mistaken for compressed one and
erroneously decompressed. For X.509, it is sufficient for the first erroneously decompressed. For X.509, it is sufficient for the first
byte of the compressed value (key) to have a value other than 0x30, byte of the compressed value (key) to have a value other than 0x30,
since every X.509 certificate starts with this byte. since every X.509 certificate starts with this byte.
2.2. Record Layer 2.2. Record Layer
The only cTLS records that are sent in plaintext are handshake The only cTLS records that are sent in plaintext are handshake
records (ClientHello and ServerHello/HRR). The content type is records (ClientHello and ServerHello/HRR) and alerts. cTLS alerts are
therefore constant (it is always handshake), so we instead set the the same as TLS alerts and use the same content types. For handshake
content_type field to a fixed cTLS-specific value to distinguish cTLS records, we set the content_type field to a fixed cTLS-specific value
plaintext records from encrypted records, TLS/DTLS records, and other to distinguish cTLS plaintext records from encrypted records, TLS/
protocols using the same 5-tuple. DTLS records, and other protocols using the same 5-tuple.
The profile_id field allows the client and server to agree on which
compression profile should be used for this session (see
Section 2.1). This field MUST be set to zero if and only if no
compression profile is used. Non-zero values are negotiated out of
band between the client and server, as part of the specification of
the compression profile.
struct { struct {
ContentType content_type = ctls_handshake; ContentType content_type = ctls_handshake;
opaque profile_id<0..2^8-1>; opaque fragment<0..2^16-1>;
opaque fragment<0..V>;
} CTLSPlaintext; } CTLSPlaintext;
[[OPEN ISSUE: The profile_id is needed in the ClientHello to inform [[OPEN ISSUE: The profile_id is needed in the ClientHello to inform
the server what compression profile to use. For a ServerHello this the server what compression profile to use. For a ServerHello this
field is not required. Should we make this field optional?]] field is not required. Should we make this field optional?]]
Encrypted records use DTLS 1.3 record framing, comprising a Encrypted records use DTLS [I-D.draft-ietf-tls-dtls] 1.3 record
configuration octet followed by optional connection ID, sequence framing, comprising a configuration octet followed by optional
number, and length fields. connection ID, sequence number, and length fields. The encryption
process and additional data are also as described in DTLS.
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|0|0|1|C|S|L|E E| |0|0|1|C|S|L|E E|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| Connection ID | Legend: | Connection ID | Legend:
| (if any, | | (if any, |
/ length as / C - Connection ID (CID) present / length as / C - Connection ID (CID) present
| negotiated) | S - Sequence number length | negotiated) | S - Sequence number length
+-+-+-+-+-+-+-+-+ L - Length present +-+-+-+-+-+-+-+-+ L - Length present
skipping to change at page 10, line 39 skipping to change at page 10, line 39
As with DTLS, the length field MAY be omitted by clearing the L bit, As with DTLS, the length field MAY be omitted by clearing the L bit,
which means that the record consumes the entire rest of the data in which means that the record consumes the entire rest of the data in
the lower level transport. In this case it is not possible to have the lower level transport. In this case it is not possible to have
multiple DTLSCiphertext format records without length fields in the multiple DTLSCiphertext format records without length fields in the
same datagram. In stream-oriented transports (e.g., TCP), the length same datagram. In stream-oriented transports (e.g., TCP), the length
field MUST be present. For use over other transports length field MUST be present. For use over other transports length
information may be inferred from the underlying layer. information may be inferred from the underlying layer.
Normal DTLS does not provide a mechanism for suppressing the sequence Normal DTLS does not provide a mechanism for suppressing the sequence
number field entirely. In cases where a sequence number is not number field entirely. When a reliable, ordered transport (e.g.,
required (e.g., when a reliable transport is in use), a cTLS TCP) is in use, the S bit in the configuration octet MUST be cleared
implementation may suppress it by setting the suppressSequenceNumber and the sequence number MUST be omitted. When an unreliable
flag in the compression profile being used (see Section 2.1). When transport is in use, the S bit has its usual meaning and the sequence
this flag is enabled, the S bit in the configuration octet MUST be number MUST be included.
cleared.
2.3. Handshake Layer 2.3. Handshake Layer
The cTLS handshake framing is same as the TLS 1.3 handshake framing, The cTLS handshake framing is same as the TLS 1.3 handshake framing,
except for two changes: except for two changes:
* The length field is omitted. * The length field is omitted.
* The HelloRetryRequest message is a true handshake message instead * The HelloRetryRequest message is a true handshake message instead
of a specialization of ServerHello. of a specialization of ServerHello.
skipping to change at page 11, line 39 skipping to change at page 11, line 39
been modified for space reduction and cleaned up to remove pre-TLS been modified for space reduction and cleaned up to remove pre-TLS
1.3 baggage. 1.3 baggage.
3.1. ClientHello 3.1. ClientHello
The cTLS ClientHello is defined as follows. The cTLS ClientHello is defined as follows.
opaque Random[RandomLength]; // variable length opaque Random[RandomLength]; // variable length
struct { struct {
opaque profile_id<0..2^8-1>;
Random random; Random random;
CipherSuite cipher_suites<1..V>; CipherSuite cipher_suites<1..2^16-1>;
Extension extensions<1..V>; Extension extensions<1..2^16-1>;
} ClientHello; } ClientHello;
The client uses the profile_id field to inform the server about the
compression profile being used (see Section 2.1). This field MUST be
set to a zero-length value and only if no compression profile is
used. Non zero-length values are agreed out of band between the
client and server, as part of the specification of the compression
profile.
3.2. ServerHello 3.2. ServerHello
We redefine ServerHello in the following way. We redefine ServerHello in the following way.
struct { struct {
Random random; Random random;
CipherSuite cipher_suite; CipherSuite cipher_suite;
Extension extensions<1..V>; Extension extensions<1..2^16-1>;
} ServerHello; } ServerHello;
3.3. HelloRetryRequest 3.3. HelloRetryRequest
The HelloRetryRequest has the following format. The HelloRetryRequest has the following format.
struct { struct {
CipherSuite cipher_suite; CipherSuite cipher_suite;
Extension extensions<2..V>; Extension extensions<2..2^16-1>;
} HelloRetryRequest; } HelloRetryRequest;
The HelloRetryRequest is the same as the ServerHello above but The HelloRetryRequest is the same as the ServerHello above but
without the unnecessary sentinel Random value. without the unnecessary sentinel Random value.
4. Examples 4. Examples
This section provides some example specializations. This section provides some example specializations.
For this example we use TLS 1.3 only with AES_GCM, X25519, ALPN h2, For this example we use TLS 1.3 only with AES_GCM, X25519, ALPN h2,
short random values, and everything else is ordinary TLS 1.3. short random values, and everything else is ordinary TLS 1.3.
{ {
"Version" : 0x0304 "profile" : 1,
"Profile" : 1, "version" : 772,
"Version" : 772, "random": 16,
"Random": 16, "cipherSuite" : "TLS_AES_128_GCM_SHA256",
"CipherSuite" : "TLS_AES_128_GCM_SHA256", "dhGroup": "X25519",
"DHGroup": "X25519", "clientHelloExtensions": {
"Extensions": {
"named_groups": 29, "named_groups": 29,
"application_layer_protocol_negotiation" : "030016832", "application_layer_protocol_negotiation" : "030016832",
"..." : null "..." : null
} }
} }
Version 772 corresponds to the hex representation 0x0304, named group Version 772 corresponds to the hex representation 0x0304, named group
"29" (0x001D) represents X25519. "29" (0x001D) represents X25519.
[[OPEN ISSUE: Should we have a registry of well-known profiles?]] [[OPEN ISSUE: Should we have a registry of well-known profiles?]]
skipping to change at page 13, line 11 skipping to change at page 13, line 22
which requires some analysis, especially as it looks like a potential which requires some analysis, especially as it looks like a potential
source of identity misbinding. This is, however, entirely separable source of identity misbinding. This is, however, entirely separable
from the rest of the specification. from the rest of the specification.
Transcript expansion also needs some analysis and we need to Transcript expansion also needs some analysis and we need to
determine whether we need an extension to indicate that cTLS is in determine whether we need an extension to indicate that cTLS is in
use and with which profile. use and with which profile.
6. IANA Considerations 6. IANA Considerations
6.1. Adding a ContentType
This document requests that a code point be allocated from the "TLS This document requests that a code point be allocated from the "TLS
ContentType registry. This value must be in the range 0-31 ContentType registry. This value must be in the range 0-31
(inclusive). The row to be added in the registry has the following (inclusive). The row to be added in the registry has the following
form: form:
+=======+=============+=========+===========+ +=======+================+=========+===========+
| Value | Description | DTLS-OK | Reference | | Value | Description | DTLS-OK | Reference |
+=======+=============+=========+===========+ +=======+================+=========+===========+
| TBD | ctls | N | RFCXXXX | | TBD | ctls | Y | RFCXXXX |
+-------+-------------+---------+-----------+ +-------+----------------+---------+-----------+
| TBD | ctls_handshake | Y | RFCXXXX |
+-------+----------------+---------+-----------+
Table 1 Table 1
[[ RFC EDITOR: Please replace the value TBD with the value assigned [[ RFC EDITOR: Please replace the value TBD with the value assigned
by IANA, and the value XXXX to the RFC number assigned for this by IANA, and the value XXXX to the RFC number assigned for this
document. ]] document. ]]
[[OPEN ISSUE: Should we require standards action for all profile IDs [[OPEN ISSUE: Should we require standards action for all profile IDs
that would fit in 2 octets.]] that would fit in 2 octets.]]
6.2. Template Keys
This document requests that IANA open a new registry entitled "cTLS
Template Keys", on the Transport Layer Security (TLS) Parameters
page, with a "Specification Required" registration policy and the
following initial contents:
+=======================+============+=================+
| Key | JSON Type | Reference |
+=======================+============+=================+
| profile | number | (This document) |
+-----------------------+------------+-----------------+
| version | number | (This document) |
+-----------------------+------------+-----------------+
| cipherSuite | string | (This document) |
+-----------------------+------------+-----------------+
| dhGroup | string | (This document) |
+-----------------------+------------+-----------------+
| signatureAlgorithm | string | (This document) |
+-----------------------+------------+-----------------+
| random | number | (This document) |
+-----------------------+------------+-----------------+
| mutualAuth | true/false | (This document) |
+-----------------------+------------+-----------------+
| extension_order | object | (This document) |
+-----------------------+------------+-----------------+
| clientHelloExtensions | object | (This document) |
+-----------------------+------------+-----------------+
| serverHelloExtensions | object | (This document) |
+-----------------------+------------+-----------------+
| encryptedExtensions | object | (This document) |
+-----------------------+------------+-----------------+
| certRequestExtensions | object | (This document) |
+-----------------------+------------+-----------------+
| knownCertificates | object | (This document) |
+-----------------------+------------+-----------------+
| finishedSize | number | (This document) |
+-----------------------+------------+-----------------+
| optional | object | (This document) |
+-----------------------+------------+-----------------+
Table 2
7. Normative References 7. Normative References
[I-D.draft-ietf-tls-dtls]
"*** BROKEN REFERENCE ***".
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
skipping to change at page 15, line 10 skipping to change at page 16, line 10
================================== ==================================
Total 1158 232 22 Total 1158 232 22
The following compression profile was used in this example: The following compression profile was used in this example:
{ {
"profile": 1, "profile": 1,
"version": 772, "version": 772,
"cipherSuite": "TLS_AES_128_CCM_8_SHA256", "cipherSuite": "TLS_AES_128_CCM_8_SHA256",
"dhGroup": "X25519", "dhGroup": "X25519",
"signatureAlgorithm": "ECDSA_P256_SHA256", "signatureAlgorithm": "ecdsa_secp256r1_sha256",
"finishedSize": 8, "finishedSize": 8,
"clientHelloExtensions": { "clientHelloExtensions": {
"server_name": "000e00000b6578616d706c652e636f6d", "server_name": "000e00000b6578616d706c652e636f6d",
}, },
"certificateRequestExtensions": { "certificateRequestExtensions": {
"certificate_request_context": 0, "certificate_request_context": 0,
"signature_algorithms": "00020403" "signature_algorithms": "00020403"
}, },
"mutualAuth": true, "mutualAuth": true,
"extension-order": { "extension-order": {
"clientHelloExtensions": { "clientHelloExtensions": [
Key_share "key_share"
}, ],
"ServerHelloExtensions": { "ServerHelloExtensions": [
Key_share "key_share"
}, ],
}, },
"knownCertificates": { "knownCertificates": {
"61": "3082...", "61": "3082...",
"62": "3082...", "62": "3082...",
"63": "...", "63": "...",
"64": "...", "64": "...",
... ...
} }
} }
skipping to change at page 16, line 36 skipping to change at page 17, line 36
0f // CertificateVerify 0f // CertificateVerify
4064 // Signature.length 4064 // Signature.length
3045...f60e // Signature 3045...f60e // Signature
14 // Finished 14 // Finished
35e9c34eec2c5dc1 // VerifyData 35e9c34eec2c5dc1 // VerifyData
Acknowledgments Acknowledgments
We would like to thank Karthikeyan Bhargavan, Owen Friel, Sean We would like to thank Karthikeyan Bhargavan, Owen Friel, Sean
Turner, Martin Thomson and Chris Wood. Turner, Benjamin Schwartz, Martin Thomson, and Chris Wood.
Authors' Addresses Authors' Addresses
Eric Rescorla Eric Rescorla
Mozilla Mozilla
Email: ekr@rtfm.com Email: ekr@rtfm.com
Richard Barnes Richard Barnes
Cisco Cisco
Email: rlb@ipv.sx Email: rlb@ipv.sx
Hannes Tschofenig Hannes Tschofenig
Arm Limited Arm Limited
Email: hannes.tschofenig@arm.com Email: hannes.tschofenig@arm.com
 End of changes. 33 change blocks. 
70 lines changed or deleted 124 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/