RFC 5878 - Transport Layer Security (TLS) Authorization Extensions

Metadata

• RFC Number: 5878
• Title: Transport Layer Security (TLS) Authorization Extensions
• Authors: M. Brown (RedPhone Security), R. Housley (Vigil Security)
• Date: May 2010
• Category: Experimental
• Updates: RFC 5246
• Status: Experimental Protocol

Abstract

This document specifies authorization extensions to the Transport Layer Security (TLS) Handshake Protocol. Extensions are carried in the client and server hello messages to confirm that both parties support the desired authorization data types. Then, if supported by both the client and the server, authorization information, such as attribute certificates (ACs) or Security Assertion Markup Language (SAML) assertions, is exchanged in the supplemental data handshake message.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.

This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5878.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

• 1. Introduction
  • 1.1. Conventions
  • 1.2. Overview
• 2. Authorization Extension Types
  • 2.1. The client_authz and server_authz Extensions
  • 2.2. Client Hello
• 3. Authorization Data Formats
  • 3.1. AttributeCertificateURL Format
  • 3.2. SAML Assertion
  • 3.3. Using SAML Assertions for Authorization Decisions
• 4. Error Alerts
• 5. IANA Considerations
• 6. Security Considerations
• 7. Acknowledgement
• 8. References
  • 8.1. Normative References
  • 8.2. Informative References
• Authors' Addresses

Quick Navigation

Section	Title
1	Introduction
2	Authorization Extension Types
3	Authorization Data Formats
4	Error Alerts
5	IANA Considerations
6	Security Considerations
7	Acknowledgement
8	References