8. TLS Requirements
Client implementations supporting the Request Object URI method MUST support TLS, following "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" [RFC7525].
To protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a cipher suite that provides confidentiality and integrity protection.
HTTP clients MUST also verify the TLS server certificate, using DNS-ID [RFC6125], to avoid man-in-the-middle attacks. The rules and guidelines defined in [RFC6125] apply here, with the following considerations:
- Support for the DNS-ID identifier type (that is, the dNSName identity in the subjectAltName extension) is REQUIRED. Certification authorities that issue server certificates MUST support the DNS-ID identifier type, and the DNS-ID identifier type MUST be present in server certificates.
- DNS names in server certificates MAY contain the wildcard character "*".
- Clients MUST NOT use CN-ID identifiers; a Common Name field (CN field) may be present in the server certificate's subject name but MUST NOT be used for authentication within the rules described in [RFC7525].
- SRV-ID and URI-ID as described in Section 6.5 of [RFC6125] MUST NOT be used for comparison.
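The following is an added illustration of the identifier rules above and is not part of this specification: a server-identity check for the HTTPS request_uri fetch that consults only DNS-ID (dNSName subjectAltName) entries, allows a wildcard as a complete left-most label, and never falls back to the subject CN, URI-ID or SRV-ID. The certificate is assumed to be already parsed into a plain dict with the keys "san_dns", "san_uri", "san_srv" and "subject_cn" (a stand-in for an X.509 library's output, chosen here for illustration); the wildcard behaviour is the conservative reading of Section 6.4.3 of [RFC6125], in which "*" matches exactly one label and partial-label wildcards such as "f*.example.com" are refused.

```python
"""Added example, not specification text: DNS-ID-only server identity check.

Assumptions (not from the specification): the certificate is already parsed
into a dict with keys "san_dns", "san_uri", "san_srv" and "subject_cn".
Wildcards follow the conservative reading of RFC 6125 Section 6.4.3: the
wildcard must be the entire left-most label and matches exactly one label.
"""
import ipaddress
from urllib.parse import urlsplit


def reference_identity_from_uri(request_uri):
    """Reference identifier (lower-cased host) for a request_uri, or None
    when the URI is not https or carries no host."""
    parts = urlsplit(request_uri)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname  # urlsplit already lower-cases the host part


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_id_matches(reference, presented):
    """Compare one dNSName SAN entry (presented identifier) with the
    reference identifier: case-insensitive, trailing dots ignored."""
    ref = reference.rstrip(".").lower()
    pres = presented.rstrip(".").lower()
    if not ref or not pres or _is_ip_literal(ref):
        return False  # an IP literal is never a DNS-ID reference identifier
    if "*" not in pres:
        return ref == pres
    pres_labels = pres.split(".")
    ref_labels = ref.split(".")
    # The wildcard must be the whole left-most label: no "f*.example.com",
    # no "*" in any later label, and at least two labels after it so that
    # "*.com" is refused (a minimal guard, not a public-suffix list).
    if pres_labels[0] != "*":
        return False
    if any("*" in label for label in pres_labels[1:]) or len(pres_labels) < 3:
        return False
    # "*" matches exactly one label: same label count and an identical tail.
    return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]


def verify_server_identity(reference_host, cert):
    """Accept the certificate only if some dNSName SAN entry matches.
    subject_cn, san_uri and san_srv are deliberately never consulted."""
    dns_ids = cert.get("san_dns") or []
    if not dns_ids:
        return False  # DNS-ID MUST be present; there is no CN-ID fallback
    return any(dns_id_matches(reference_host, p) for p in dns_ids)


if __name__ == "__main__":
    # Constructed sample certificates for illustration (not real certificates).
    wildcard_cert = {"san_dns": ["*.example.com"], "subject_cn": "www.example.com"}
    cn_only_cert = {"san_dns": [], "subject_cn": "as.example.com"}
    other_ids_cert = {"san_dns": [], "san_uri": ["https://as.example.com/"],
                      "san_srv": ["_https.as.example.com"]}
    host = reference_identity_from_uri("https://AS.example.com/request/abc")
    print(host, verify_server_identity(host, wildcard_cert))         # as.example.com True
    print(verify_server_identity(host, cn_only_cert))                # False
    print(verify_server_identity(host, other_ids_cert))              # False
    print(verify_server_identity("a.b.example.com", wildcard_cert))  # False
```

The CN-only and URI-ID/SRV-ID-only certificates are rejected even though their identifiers name the right host, which is the behaviour this section requires; a real client would run this check after chain validation, with the certificate fields taken from its TLS library rather than from a hand-built dict.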