Transport Layer Security B. Zhou Internet-Draft Independent Obsoletes: 8446 (if approved) 2 October 2025 Updates: 5705, 6066, 7627, 8422 (if approved) Intended status: Standards Track Expires: 5 April 2026 The Transport Layer Security (TLS) Protocol Version 1.4 draft-zhou-tls-tls14-04 Abstract This contribution has been withdrawn. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 4 April 2026. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction 1.1. Conventions and Terminology 2. Protocol Overview 2.1. Incorrect DHE Share 2.2. Resumption and Pre-Shared Key (PSK) 2.3. 0-RTT Data 3. Presentation Language 3.1. Basic Block Size 3.2. Miscellaneous 3.3. Numbers 3.4. Vectors 3.5. Enumerateds 3.6. Constructed Types 3.7. Constants 3.8. Variants 4. Handshake Protocol 4.1. Key Exchange Messages 4.1.1. Cryptographic Negotiation 4.1.2. Client Hello 4.1.3. Server Hello 4.1.4. Hello Retry Request 4.2. Extensions 4.2.1. Supported Versions 4.2.2. Cookie 4.2.3. Signature Algorithms 4.2.4. Certificate Authorities 4.2.5. OID Filters 4.2.6. Post-Handshake Certificate-Based Client Authentication 4.2.7. Supported Groups 4.2.8. Key Share 4.2.9. Pre-Shared Key Exchange Modes 4.2.10. Early Data Indication 4.2.11. Pre-Shared Key Extension 4.3. Server Parameters 4.3.1. Encrypted Extensions 4.3.2. Certificate Request 4.4. Authentication Messages 4.4.1. The Transcript Hash 4.4.2. Certificate 4.4.3. Certificate Verify 4.4.4. Finished 4.5. End of Early Data 4.6. Post-Handshake Messages 4.6.1. New Session Ticket Message 4.6.2. Post-Handshake Authentication 4.6.3. Key and Initialization Vector Update 5. Post-Quantum Protection 5.1. Extensions for Post-Quantum Protection 5.2. Extensions: Encoding Location, Ordering, Priority, and Conflict Handling 5.3. Hybrid and PQC-only Negotiation 5.4. Key Combination for TLS 1.4 Key Schedule 5.5. HKDF / Hash / PRF Selection Timing 5.6. Certificate and CertificateVerify: Hybrid Authentication 5.6.1. Certificate message 5.6.2. CertificateVerify message 5.7. Validation and Failure Modes 5.8. Error handling, HRR, and Immediate Abort 5.9. Downgrade detection and retry semantics 5.10. Serialization and Priorities Summary 5.11. Key Composition and HKDF-Extract Timing 5.12. Compatibility, Documentation, and Operational Recommendations 6. Record Protocol 6.1. Record Layer 6.2. Record Payload Protection 6.3. Per-Record Nonce 6.4. Record Padding 6.5. Limits on Key Usage 7. Alert Protocol 7.1. Closure Alerts 7.2. Error Alerts 8. Cryptographic Computations 8.1. Key Schedule 8.2. Updating Traffic Secrets 8.3. Traffic Key Calculation 8.4. (EC)DHE Shared Secret Calculation 8.4.1. Finite Field Diffie-Hellman 8.4.2. Elliptic Curve Diffie-Hellman 8.5. Exporters 9. 0-RTT and Anti-Replay 9.1. Single-Use Tickets 9.2. Client Hello Recording 9.3. Freshness Checks 10. Compliance Requirements 10.1. Mandatory-to-Implement Cipher Suites 10.2. Mandatory-to-Implement Extensions 10.3. Protocol Invariants 11. Security Considerations 12. IANA Considerations 12.1. 1. pqc_signature_algorithms 12.2. 2. supported_pqc_groups 12.3. 3. pqc_key_share 12.4. TLS "Named Group" Sub-registry 12.5. TLS "Signature Scheme" Sub-registry 13. References 13.1. Normative References 13.2. Informative References Appendix A. State Machine A.1. Client A.2. Server Appendix B. Protocol Data Structures and Constant Values B.1. Record Layer B.2. Alert Messages B.3. Handshake Protocol B.3.1. Key Exchange Messages B.3.2. Server Parameters Messages B.3.3. Authentication Messages B.3.4. Ticket Establishment B.3.5. Updating Keys B.4. Cipher Suites Appendix C. Implementation Notes C.1. Random Number Generation and Seeding C.2. Certificates and Authentication C.3. Implementation Pitfalls C.4. Client and Server Tracking Prevention C.5. Unauthenticated Operation Appendix D. Updates to TLS 1.2 Appendix E. Backward Compatibility E.1. Negotiating with an Older Server E.2. Negotiating with an Older Client E.3. 0-RTT Backward Compatibility E.4. Middlebox Compatibility Mode E.5. Security Restrictions Related to Backward Compatibility Appendix F. Overview of Security Properties F.1. Handshake F.1.1. Key Derivation and HKDF F.1.2. Certificate-Based Client Authentication F.1.3. 0-RTT F.1.4. Exporter Independence F.1.5. Post-Compromise Security F.1.6. External References F.2. Record Layer F.2.1. External References F.3. Traffic Analysis F.4. Side Channel Attacks F.5. Replay Attacks on 0-RTT F.5.1. Replay and Exporters F.6. PSK Identity Exposure F.7. Sharing PSKs Across Protocol Versions F.8. External PSKs and Rerouting F.9. Misbinding when using Self-Signed Certificates or Raw Public Keys F.10. Attacks on Static RSA Appendix G. Change Log Contributors Author's Address This contribution has been withdrawn. 13. References 13.1. Normative References [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, November 2007, . [KEYAGREEMENT] Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Davis, "Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-56ar3, April 2018, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC5705] Rescorla, E., "Keying Material Exporters for Transport Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, March 2010, . [RFC5756] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters", RFC 5756, DOI 10.17487/RFC5756, January 2010, . [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, . [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, January 2011, . [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for Transport Layer Security (TLS)", RFC 6655, DOI 10.17487/RFC6655, July 2012, . [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 6960, DOI 10.17487/RFC6960, June 2013, . [RFC6961] Pettersen, Y., "The Transport Layer Security (TLS) Multiple Certificate Status Request Extension", RFC 6961, DOI 10.17487/RFC6961, June 2013, . [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, . [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 2013, . [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, July 2014, . [RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015, . [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., Langley, A., and M. Ray, "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension", RFC 7627, DOI 10.17487/RFC7627, September 2015, . [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, . [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)", RFC 7919, DOI 10.17487/RFC7919, August 2016, . [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, . [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, . [SHS] "Secure hash standard", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.180-4, 2015, . [X690] ITU-T, "Information technology - ASN.1 encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 , February 2021, . 13.2. Informative References [AEAD-LIMITS] Luykx, A. and K. Paterson, "Limits on Authenticated Encryption Use in TLS", August 2017, . [BBFGKZ16] Bhargavan, K., Brzuska, C., Fournet, C., Green, M., Kohlweiss, M., and S. Zanella-Beguelin, "Downgrade Resilience in Key-Exchange Protocols", IEEE, 2016 IEEE Symposium on Security and Privacy (SP), DOI 10.1109/sp.2016.37, May 2016, . [BBK17] Bhargavan, K., Blanchet, B., and N. Kobeissi, "Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate", IEEE, 2017 IEEE Symposium on Security and Privacy (SP) pp. 483-502, DOI 10.1109/sp.2017.26, May 2017, . [BDFKPPRSZZ16] Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pan, J., Protzenko, J., Rastogi, A., Swamy, N., Zanella-Beguelin, S., and J. Zinzindohoue, "Implementing and Proving the TLS 1.3 Record Layer", Proceedings of IEEE Symposium on Security and Privacy (San Jose) 2017 , December 2016, . [Ben17a] Benjamin, D., "Presentation before the TLS WG at IETF 100", 2017, . [Ben17b] Benjamin, D., "Additional TLS 1.3 results from Chrome", 2017, . [Blei98] Bleichenbacher, D., "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1", Proceedings of CRYPTO '98 , 1998. [BMMRT15] Badertscher, C., Matt, C., Maurer, U., Rogaway, P., and B. Tackmann, "Augmented Secure Channels and the Goal of the TLS 1.3 Record Layer", ProvSec 2015 , September 2015, . [BT16] Bellare, M. and B. Tackmann, "The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3", Proceedings of CRYPTO 2016 , July 2016, . [CCG16] Cohn-Gordon, K., Cremers, C., and L. Garratt, "On Post- compromise Security", IEEE, 2016 IEEE 29th Computer Security Foundations Symposium (CSF) pp. 164-178, DOI 10.1109/csf.2016.19, June 2016, . [CHECKOWAY] Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R., Rescorla, E., and H. Shacham, "A Systematic Analysis of the Juniper Dual EC Incident", ACM, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security pp. 468-479, DOI 10.1145/2976749.2978395, October 2016, . [CHHSV17] Cremers, C., Horvat, M., Hoyland, J., van der Merwe, T., and S. Scott, "Awkward Handshake: Possible mismatch of client/server view on client authentication in post- handshake mode in Revision 18", message to the TLS mailing list , February 2017, . [CHSV16] Cremers, C., Horvat, M., Scott, S., and T. van der Merwe, "Automated Analysis and Verification of TLS 1.3: 0-RTT, Resumption and Delayed Authentication", IEEE, 2016 IEEE Symposium on Security and Privacy (SP) pp. 470-485, DOI 10.1109/sp.2016.35, May 2016, . [CK01] Canetti, R. and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels", Springer Berlin Heidelberg, Lecture Notes in Computer Science pp. 453-474, DOI 10.1007/3-540-44987-6_28, ISBN ["9783540420705", "9783540449874"], 2001, . [CLINIC] Miller, B., Huang, L., Joseph, A., and J. Tygar, "I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis", Springer International Publishing, Lecture Notes in Computer Science pp. 143-163, DOI 10.1007/978-3-319-08506-7_8, ISBN ["9783319085050", "9783319085067"], 2014, . [DFGS15] Dowling, B., Fischlin, M., Guenther, F., and D. Stebila, "A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol", Proceedings of ACM CCS 2015 , October 2016, . [DFGS16] Dowling, B., Fischlin, M., Guenther, F., and D. Stebila, "A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol", TRON 2016 , February 2016, . [DH76] Diffie, W. and M. Hellman, "New directions in cryptography", Institute of Electrical and Electronics Engineers (IEEE), IEEE Transactions on Information Theory vol. 22, no. 6, pp. 644-654, DOI 10.1109/tit.1976.1055638, November 1976, . [DOW92] Diffie, W., Van Oorschot, P., and M. Wiener, "Authentication and authenticated key exchanges", Springer Science and Business Media LLC, Designs, Codes and Cryptography vol. 2, no. 2, pp. 107-125, DOI 10.1007/bf00124891, June 1992, . [DSA-1571-1] The Debian Project, "openssl -- predictable random number generator", May 2008, . [DSS] "Digital Signature Standard (DSS)", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.186-5, February 2023, . [ECDP] Chen, L., Moody, D., Regenscheid, A., Robinson, A., and K. Randall, "Recommendations for Discrete Logarithm-based Cryptography:: Elliptic Curve Domain Parameters", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-186, February 2023, . [FETCH] WHATWG, "Fetch Standard", October 2025, . [FG17] Fischlin, M. and F. Guenther, "Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates", Proceedings of Euro S&P 2017 , 2017, . [FGSW16] Fischlin, M., Guenther, F., Schmidt, B., and B. Warinschi, "Key Confirmation in Key Exchange: A Formal Treatment and Implications for TLS 1.3", Proceedings of IEEE Symposium on Security and Privacy (Oakland) 2016 , 2016, . [FW15] Weimer, F., "Factoring RSA Keys With TLS Perfect Forward Secrecy", September 2015. [HCJC16] Husák, M., Čermák, M., Jirsík, T., and P. Čeleda, "HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting", Springer Science and Business Media LLC, EURASIP Journal on Information Security vol. 2016, no. 1, DOI 10.1186/s13635-016-0030-7, February 2016, . [HGFS15] Hlauschek, C., Gruber, M., Fankhauser, F., and C. Schanes, "Prying Open Pandora's Box: KCI Attacks against TLS", Proceedings of USENIX Workshop on Offensive Technologies , 2015. [I-D.ietf-tls-esni] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS Encrypted Client Hello", Work in Progress, Internet-Draft, draft-ietf-tls-esni-25, 14 June 2025, . [JSS15] Jager, T., Schwenk, J., and J. Somorovsky, "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", ACM, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security pp. 1185-1196, DOI 10.1145/2810103.2813657, October 2015, . [Kraw10] Krawczyk, H., "Cryptographic Extraction and Key Derivation: The HKDF Scheme", Proceedings of CRYPTO 2010 , August 2010, . [Kraw16] Krawczyk, H., "A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3", Proceedings of ACM CCS 2016 , October 2016, . [KW16] Krawczyk, H. and H. Wee, "The OPTLS Protocol and TLS 1.3", Proceedings of Euro S&P 2016 , 2016, . [LXZFH16] Li, X., Xu, J., Zhang, Z., Feng, D., and H. Hu, "Multiple Handshakes Security of TLS 1.3 Candidates", IEEE, 2016 IEEE Symposium on Security and Privacy (SP) pp. 486-505, DOI 10.1109/sp.2016.36, May 2016, . [Mac17] MacCarthaigh, C., "Security Review of TLS1.3 0-RTT", March 2017, . [MM24] Moustafa, M., Sethi, M., and T. Aura, "Misbinding Raw Public Keys to Identities in TLS", 2024, . [PS18] Patton, C. and T. Shrimpton, "Partially specified channels: The TLS 1.3 record layer without elision", 2018, . [PSK-FINISHED] Cremers, C., Horvat, M., van der Merwe, T., and S. Scott, "Revision 10: possible attack if client authentication is allowed during PSK", message to the TLS mailing list, , 2015, . [REKEY] Abdalla, M. and M. Bellare, "Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques", Springer Berlin Heidelberg, Lecture Notes in Computer Science pp. 546-559, DOI 10.1007/3-540-44448-3_42, ISBN ["9783540414049", "9783540444480"], 2000, . [Res17a] Rescorla, E., "Preliminary data on Firefox TLS 1.3 Middlebox experiment", message to the TLS mailing list , 2017, . [Res17b] Rescorla, E., "More compatibility measurement results", message to the TLS mailing list , December 2017, . [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, DOI 10.17487/RFC2246, January 1999, . [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, . [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, . [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, DOI 10.17487/RFC4346, April 2006, . [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006, . [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, DOI 10.17487/RFC4492, May 2006, . [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, "Transport Layer Security (TLS) Session Resumption without Server-Side State", RFC 5077, DOI 10.17487/RFC5077, January 2008, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 2010, . [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, DOI 10.17487/RFC5764, May 2010, . [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings for TLS", RFC 5929, DOI 10.17487/RFC5929, July 2010, . [RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication", RFC 6091, DOI 10.17487/RFC6091, February 2011, . [RFC6101] Freier, A., Karlton, P., and P. Kocher, "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, DOI 10.17487/RFC6101, August 2011, . [RFC6176] Turner, S. and T. Polk, "Prohibiting Secure Sockets Layer (SSL) Version 2.0", RFC 6176, DOI 10.17487/RFC6176, March 2011, . [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension", RFC 6520, DOI 10.17487/RFC6520, February 2012, . [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., Weiler, S., and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014, . [RFC7465] Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465, DOI 10.17487/RFC7465, February 2015, . [RFC7568] Barnes, R., Thomson, M., Pironti, A., and A. Langley, "Deprecating Secure Sockets Layer Version 3.0", RFC 7568, DOI 10.17487/RFC7568, June 2015, . [RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T., Trammell, B., Huitema, C., and D. Borkmann, "Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement", RFC 7624, DOI 10.17487/RFC7624, August 2015, . [RFC7685] Langley, A., "A Transport Layer Security (TLS) ClientHello Padding Extension", RFC 7685, DOI 10.17487/RFC7685, October 2015, . [RFC7924] Santesson, S. and H. Tschofenig, "Transport Layer Security (TLS) Cached Information Extension", RFC 7924, DOI 10.17487/RFC7924, July 2016, . [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: Better Connectivity Using Concurrency", RFC 8305, DOI 10.17487/RFC8305, December 2017, . [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier", RFC 8422, DOI 10.17487/RFC8422, August 2018, . [RFC8448] Thomson, M., "Example Handshake Traces for TLS 1.3", RFC 8448, DOI 10.17487/RFC8448, January 2019, . [RFC8449] Thomson, M., "Record Size Limit Extension for TLS", RFC 8449, DOI 10.17487/RFC8449, August 2018, . [RFC8773] Housley, R., "TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key", RFC 8773, DOI 10.17487/RFC8773, March 2020, . [RFC8844] Thomson, M. and E. Rescorla, "Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)", RFC 8844, DOI 10.17487/RFC8844, January 2021, . [RFC8849] Even, R. and J. Lennox, "Mapping RTP Streams to Controlling Multiple Streams for Telepresence (CLUE) Media Captures", RFC 8849, DOI 10.17487/RFC8849, January 2021, . [RFC8870] Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. Andreasen, "Encrypted Key Transport for DTLS and Secure RTP", RFC 8870, DOI 10.17487/RFC8870, January 2021, . [RFC8879] Ghedini, A. and V. Vasiliev, "TLS Certificate Compression", RFC 8879, DOI 10.17487/RFC8879, December 2020, . [RFC8937] Cremers, C., Garratt, L., Smyshlyaev, S., Sullivan, N., and C. Wood, "Randomness Improvements for Security Protocols", RFC 8937, DOI 10.17487/RFC8937, October 2020, . [RFC9001] Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021, . [RFC9112] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1", STD 99, RFC 9112, DOI 10.17487/RFC9112, June 2022, . [RFC9146] Rescorla, E., Ed., Tschofenig, H., Ed., Fossati, T., and A. Kraus, "Connection Identifier for DTLS 1.2", RFC 9146, DOI 10.17487/RFC9146, March 2022, . [RFC9147] Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022, . [RFC9149] Pauly, T., Schinazi, D., and C.A. Wood, "TLS Ticket Requests", RFC 9149, DOI 10.17487/RFC9149, April 2022, . [RFC9162] Laurie, B., Messeri, E., and R. Stradling, "Certificate Transparency Version 2.0", RFC 9162, DOI 10.17487/RFC9162, December 2021, . [RFC9257] Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, "Guidance for External Pre-Shared Key (PSK) Usage in TLS", RFC 9257, DOI 10.17487/RFC9257, July 2022, . [RFC9258] Benjamin, D. and C. A. Wood, "Importing External Pre- Shared Keys (PSKs) for TLS 1.3", RFC 9258, DOI 10.17487/RFC9258, July 2022, . [RFC9345] Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla, "Delegated Credentials for TLS and DTLS", RFC 9345, DOI 10.17487/RFC9345, July 2023, . [RFC9525] Saint-Andre, P. and R. Salz, "Service Identity in TLS", RFC 9525, DOI 10.17487/RFC9525, November 2023, . [RSA] Rivest, R., Shamir, A., and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Association for Computing Machinery (ACM), Communications of the ACM vol. 21, no. 2, pp. 120-126, DOI 10.1145/359340.359342, February 1978, . [Selfie] Drucker, N. and S. Gueron, "Selfie: reflections on TLS 1.3 with PSK", 2019, . [SIGMA] Krawczyk, H., "SIGMA: The ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols", Springer Berlin Heidelberg, Lecture Notes in Computer Science pp. 400-425, DOI 10.1007/978-3-540-45146-4_24, ISBN ["9783540406747", "9783540451464"], 2003, . [SLOTH] Bhargavan, K. and G. Leurent, "Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH", Internet Society, Proceedings 2016 Network and Distributed System Security Symposium, DOI 10.14722/ndss.2016.23418, 2016, . [SSL2] Hickman, K., "The SSL Protocol", 9 February 1995. [TIMING] Boneh, D. and D. Brumley, "Remote Timing Attacks Are Practical", USENIX Security Symposium, 2003. [X501] ITU-T, "Information Technology - Open Systems Interconnection - The Directory: Models", ISO/IEC 9594-2:2020 , October 2019. Contributors Eric Rescorla Independent ekr@rtfm.com Martin Abadi University of California, Santa Cruz abadi@cs.ucsc.edu Christopher Allen (co-editor of TLS 1.0) Alacrity Ventures ChristopherA@AlacrityManagement.com Nimrod Aviram Tel Aviv University nimrod.aviram@gmail.com Richard Barnes Cisco rlb@ipv.sx Steven M. Bellovin Columbia University smb@cs.columbia.edu David Benjamin Google davidben@google.com Benjamin Beurdouche INRIA & Microsoft Research benjamin.beurdouche@ens.fr Karthikeyan Bhargavan (editor of [RFC7627]) INRIA karthikeyan.bhargavan@inria.fr Simon Blake-Wilson (co-author of [RFC4492]) BCI sblakewilson@bcisse.com Nelson Bolyard (co-author of [RFC4492]) Sun Microsystems, Inc. nelson@bolyard.com Ran Canetti IBM canetti@watson.ibm.com Matt Caswell OpenSSL matt@openssl.org Stephen Checkoway University of Illinois at Chicago sfc@uic.edu Pete Chown Skygate Technology Ltd pc@skygate.co.uk Katriel Cohn-Gordon University of Oxford me@katriel.co.uk Cas Cremers University of Oxford cas.cremers@cs.ox.ac.uk Antoine Delignat-Lavaud (co-author of [RFC7627]) INRIA antdl@microsoft.com Tim Dierks (co-author of TLS 1.0, co-editor of TLS 1.1 and 1.2) Independent tim@dierks.org Roelof DuToit Symantec Corporation roelof_dutoit@symantec.com Taher Elgamal Securify taher@securify.com Pasi Eronen Nokia pasi.eronen@nokia.com Cedric Fournet Microsoft fournet@microsoft.com Anil Gangolli anil@busybuddha.org David M. Garrett dave@nulldereference.com Illya Gerasymchuk Independent illya@iluxonchik.me Alessandro Ghedini Cloudflare Inc. alessandro@cloudflare.com Daniel Kahn Gillmor ACLU dkg@fifthhorseman.net Matthew Green Johns Hopkins University mgreen@cs.jhu.edu Jens Guballa ETAS jens.guballa@etas.com Felix Guenther TU Darmstadt mail@felixguenther.info Vipul Gupta (co-author of [RFC4492]) Sun Microsystems Laboratories vipul.gupta@sun.com Chris Hawk (co-author of [RFC4492]) Corriente Networks LLC chris@corriente.net Kipp Hickman Alfred Hoenes David Hopwood Independent Consultant david.hopwood@blueyonder.co.uk Marko Horvat MPI-SWS mhorvat@mpi-sws.org Jonathan Hoyland Royal Holloway, University of London jonathan.hoyland@gmail.com Subodh Iyengar Facebook subodh@fb.com Benjamin Kaduk Akamai Technologies kaduk@mit.edu Hubert Kario Red Hat Inc. hkario@redhat.com Phil Karlton (co-author of SSL 3.0) Leon Klingele Independent mail@leonklingele.de Paul Kocher (co-author of SSL 3.0) Cryptography Research paul@cryptography.com Hugo Krawczyk IBM hugokraw@us.ibm.com Adam Langley (co-author of [RFC7627]) Google agl@google.com Olivier Levillain ANSSI olivier.levillain@ssi.gouv.fr Xiaoyin Liu University of North Carolina at Chapel Hill xiaoyin.l@outlook.com Ilari Liusvaara Independent ilariliusvaara@welho.com Atul Luykx K.U. Leuven atul.luykx@kuleuven.be Colm MacCarthaigh Amazon Web Services colm@allcosts.net Carl Mehner USAA carl.mehner@usaa.com Jan Mikkelsen Transactionware janm@transactionware.com Bodo Moeller (co-author of [RFC4492]) Google bodo@acm.org Kyle Nekritz Facebook knekritz@fb.com Erik Nygren Akamai Technologies erik+ietf@nygren.org Magnus Nystrom Microsoft mnystrom@microsoft.com Kazuho Oku DeNA Co., Ltd. kazuhooku@gmail.com Kenny Paterson Royal Holloway, University of London kenny.paterson@rhul.ac.uk Christopher Patton University of Florida cjpatton@ufl.edu Alfredo Pironti (co-author of [RFC7627]) INRIA alfredo.pironti@inria.fr Andrei Popov Microsoft andrei.popov@microsoft.com John {{{Preuß Mattsson}}} Ericsson john.mattsson@ericsson.com Marsh Ray (co-author of [RFC7627]) Microsoft maray@microsoft.com Robert Relyea Netscape Communications relyea@netscape.com Kyle Rose Akamai Technologies krose@krose.org Jim Roskind Amazon jroskind@amazon.com Michael Sabin Joe Salowey Tableau Software joe@salowey.net Rich Salz Akamai rsalz@akamai.com David Schinazi Apple Inc. dschinazi@apple.com Sam Scott Royal Holloway, University of London me@samjs.co.uk Mohit Sethi Aalto University mohit@iki.fi Thomas Shrimpton University of Florida teshrim@ufl.edu Dan Simon Microsoft, Inc. dansimon@microsoft.com Brian Smith Independent brian@briansmith.org Ben Smyth Ampersand www.bensmyth.com Brian Sniffen Akamai Technologies ietf@bts.evenmere.org Nick Sullivan Cloudflare Inc. nick@cloudflare.com Bjoern Tackmann University of California, San Diego btackmann@eng.ucsd.edu Tim Taubert Mozilla ttaubert@mozilla.com Martin Thomson Mozilla mt@mozilla.com Hannes Tschofenig Arm Limited Hannes.Tschofenig@arm.com Sean Turner sn3rd sean@sn3rd.com Steven Valdez Google svaldez@google.com Filippo Valsorda Cloudflare Inc. filippo@cloudflare.com Thyla van der Merwe Royal Holloway, University of London tjvdmerwe@gmail.com Victor Vasiliev Google vasilvv@google.com Loganaden Velvindron cyberstorm.mu logan@cyberstorm.mu Hoeteck Wee Ecole Normale Superieure, Paris hoeteck@alum.mit.edu Tom Weinstein David Wong NCC Group david.wong@nccgroup.trust Christopher A. Wood Apple Inc. cawood@apple.com Tim Wright Vodafone timothy.wright@vodafone.com Peter Wu Independent peter@lekensteyn.nl Kazu Yamamoto Internet Initiative Japan Inc. kazu@iij.ad.jp Author's Address Bocai Zhou Independent Email: draft-ietf-tls-tls14@proton.me