RFC 9966 - Bootstrapped TLS Authentication with Proof of Knowledge
- Status: Proposed Standard
- Published: May 2026
- Stream: IETF
- Errata: No Errata
Abstract
This document defines a mechanism that enables a bootstrapping device to establish trust and mutually authenticate against a TLS server. Bootstrapping devices have a public/private key pair; this mechanism enables a TLS server to prove to the device that it knows the public key and enables the device to prove to the TLS server that it knows the private key. The mechanism leverages existing Device Provisioning Profile (DPP) and TLS standards and can be used in an Extensible Authentication Protocol (EAP) exchange with an EAP server.
Related Resources
- Official Text: RFC 9966
- Official Page: RFC 9966 DataTracker
- Errata: RFC Editor Errata