RFC 7711

PKIX over Secure HTTP (POSH), November 2015

Canonical URL:
https://www.rfc-editor.org/rfc/rfc7711.txt
File formats:
Plain TextPDF
Status:
PROPOSED STANDARD
Authors:
M. Miller
P. Saint-Andre
Stream:
IETF
Source:
xmpp (art)

Cite this RFC: TXT  |  XML

DOI:  http://dx.doi.org/10.17487/RFC7711

Discuss this RFC: Send questions or comments to xmpp@ietf.org

Other actions: Find Errata (if any)  |  Submit Errata  |  Find IPR Disclosures from the IETF


Abstract

Experience has shown that it is difficult to deploy proper PKIX certificates for Transport Layer Security (TLS) in multi-tenanted environments. As a result, domains hosted in such environments often deploy applications using certificates that identify the hosting service, not the hosted domain. Such deployments force end users and peer services to accept a certificate with an improper identifier, resulting in degraded security. This document defines methods that make it easier to deploy certificates for proper server identity checking in non-HTTP application protocols. Although these methods were developed for use in the Extensible Messaging and Presence Protocol (XMPP) as a Domain Name Association (DNA) prooftype, they might also be usable in other non-HTTP application protocols.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.


Download PDF Reader



Search RFCs
Advanced Search
×