File: rfc8773.html

package info (click to toggle)
doc-rfc 20230121-1
links: PTS, VCS
area: non-free
in suites: bookworm, forky, sid, trixie
size: 1,609,944 kB
file content (1823 lines) | stat: -rw-r--r-- 73,151 bytes
parent folder | download | duplicates (2)
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 8773: TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key</title>
<meta content="Russ Housley" name="author">
<meta content="
       
        This document specifies a TLS 1.3 extension that allows a server to
        authenticate with a combination of a certificate and an external
        pre-shared key (PSK).
       
    " name="description">
<meta content="xml2rfc 2.41.0" name="generator">
<meta content="cryptography" name="keyword">
<meta content="8773" name="rfc.number">
<link href="rfc8773.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Avoid wrapping of URLs in references */
@media screen {
  .references a {
    white-space: nowrap;
  }
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc8773" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-cert-with-extern-psk-07" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 8773</td>
<td class="center">Certificate with External PSK</td>
<td class="right">March 2020</td>
</tr></thead>
<tfoot><tr>
<td class="left">Housley</td>
<td class="center">Experimental</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Engineering Task Force (IETF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc8773" class="eref">8773</a></dd>
<dt class="label-category">Category:</dt>
<dd class="category">Experimental</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2020-03" class="published">March 2020</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">R. Housley</div>
<div class="org">Vigil Security</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 8773</h1>
<h1 id="title">TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">
        This document specifies a TLS 1.3 extension that allows a server to
        authenticate with a combination of a certificate and an external
        pre-shared key (PSK).<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This document is not an Internet Standards Track specification; it is
            published for examination, experimental implementation, and
            evaluation.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This document defines an Experimental Protocol for the Internet
            community.  This document is a product of the Internet Engineering
            Task Force (IETF).  It represents the consensus of the IETF community.
            It has received public review and has been approved for publication
            by the Internet Engineering Steering Group (IESG).  Not all documents
            approved by the IESG are candidates for any level of Internet
            Standard; see Section 2 of RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc8773">https://www.rfc-editor.org/info/rfc8773</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2020 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a><a href="#section-toc.1-1.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-terminology" class="xref">Terminology</a><a href="#section-toc.1-1.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-motivation-and-design-ratio" class="xref">Motivation and Design Rationale</a><a href="#section-toc.1-1.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-extension-overview" class="xref">Extension Overview</a><a href="#section-toc.1-1.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-certificate-with-external-p" class="xref">Certificate with External PSK Extension</a><a href="#section-toc.1-1.5.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.5.2.1">
                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>.  <a href="#name-companion-extensions" class="xref">Companion Extensions</a><a href="#section-toc.1-1.5.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5.2.2">
                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>.  <a href="#name-authentication" class="xref">Authentication</a><a href="#section-toc.1-1.5.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5.2.3">
                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="xref">5.3</a>.  <a href="#name-keying-material" class="xref">Keying Material</a><a href="#section-toc.1-1.5.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-toc.1-1.6.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-toc.1-1.7.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-privacy-considerations" class="xref">Privacy Considerations</a><a href="#section-toc.1-1.8.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-references" class="xref">References</a><a href="#section-toc.1-1.9.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.9.2.1">
                <p id="section-toc.1-1.9.2.1.1"><a href="#section-9.1" class="xref">9.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-toc.1-1.9.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.9.2.2">
                <p id="section-toc.1-1.9.2.2.1"><a href="#section-9.2" class="xref">9.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a><a href="#section-toc.1-1.9.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-appendix.a" class="xref"></a><a href="#name-acknowledgments" class="xref">Acknowledgments</a><a href="#section-toc.1-1.10.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#section-appendix.b" class="xref"></a><a href="#name-authors-address" class="xref">Author's Address</a><a href="#section-toc.1-1.11.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="intro">
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">
        The TLS 1.3 <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> handshake
        protocol provides two mutually exclusive forms of server
        authentication.  First, the server can be authenticated by
        providing a signature certificate and creating a valid digital
        signature to demonstrate that it possesses the corresponding
        private key.  Second, the server can be authenticated
        by demonstrating that it possesses a pre-shared key (PSK) that
        was established by a previous handshake.  A PSK that
        is established in this fashion is called a resumption PSK.  A
        PSK that is established by any other means is called an external
        PSK.  This document specifies a TLS 1.3 extension permitting
        certificate-based server authentication to be combined with
        an external PSK as an input to the TLS 1.3 key schedule.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">
        Several implementors wanted to gain more experience with this
        specification before producing a Standards Track RFC.  As a
        result, this specification is being published as an Experimental
        RFC to enable interoperable implementations and gain deployment
        and operational experience.<a href="#section-1-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="term">
<section id="section-2">
      <h2 id="name-terminology">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
      </h2>
<p id="section-2-1">
    The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>",
    "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>",
    "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
    "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document are to be interpreted as
    described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> 
    when, and only when, they appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="motive">
<section id="section-3">
      <h2 id="name-motivation-and-design-ratio">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-motivation-and-design-ratio" class="section-name selfRef">Motivation and Design Rationale</a>
      </h2>
<p id="section-3-1">
        The development of a large-scale quantum computer would pose a serious
        challenge for the cryptographic algorithms that are widely deployed
        today, including the digital signature algorithms that are used
        to authenticate the server in the TLS 1.3 handshake protocol.  It
        is an open question whether or not it is feasible to build
        a large-scale quantum computer, and if so, when that might
        happen.  However, if such a quantum computer is invented, many
        of the cryptographic algorithms and the security protocols that
        use them would become vulnerable.<a href="#section-3-1" class="pilcrow">¶</a></p>
<p id="section-3-2">
 The TLS 1.3 handshake protocol employs key agreement algorithms
 and digital signature algorithms that could be broken by the
 development of a large-scale quantum computer
 <span>[<a href="#I-D.hoffman-c2pq" class="xref">TRANSITION</a>]</span>.  The key agreement algorithms
 include Diffie-Hellman (DH) <span>[<a href="#DH1976" class="xref">DH1976</a>]</span> and
 Elliptic Curve Diffie-Hellman (ECDH) <span>[<a href="#IEEE1363" class="xref">IEEE1363</a>]</span>;
 the digital signature algorithms include RSA <span>[<a href="#RFC8017" class="xref">RFC8017</a>]</span>
 and the Elliptic Curve Digital Signature Algorithm (ECDSA)
 <span>[<a href="#FIPS186" class="xref">FIPS186</a>]</span>.  As a result, an adversary that
 stores a TLS 1.3 handshake protocol exchange today could
 decrypt the associated encrypted communications in the
 future when a large-scale quantum computer becomes
 available.<a href="#section-3-2" class="pilcrow">¶</a></p>
<p id="section-3-3">
        In the near term, this document describes a TLS 1.3 extension to protect
        today's communications from the future invention of a large-scale
        quantum computer by providing a strong external PSK as an input to
        the TLS 1.3 key schedule while preserving the authentication provided
        by the existing certificate and digital signature mechanisms.<a href="#section-3-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="over">
<section id="section-4">
      <h2 id="name-extension-overview">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-extension-overview" class="section-name selfRef">Extension Overview</a>
      </h2>
<p id="section-4-1">
        This section provides a brief overview of the
        "tls_cert_with_extern_psk" extension.<a href="#section-4-1" class="pilcrow">¶</a></p>
<p id="section-4-2">
        The client includes the "tls_cert_with_extern_psk" extension in the
        ClientHello message.  The "tls_cert_with_extern_psk" extension <span class="bcp14">MUST</span>
        be accompanied by the "key_share", "psk_key_exchange_modes", and
        "pre_shared_key" extensions.  The client <span class="bcp14">MAY</span> also find it useful
        to include the "supported_groups" extension.  Since the
        "tls_cert_with_extern_psk" extension is intended to be used only
        with initial handshakes, it <span class="bcp14">MUST NOT</span> be sent alongside the
        "early_data" extension.  These extensions are all described in
        <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2" class="relref">Section 4.2</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>, which also requires
        the "pre_shared_key" extension to be the last extension in the
        ClientHello message.<a href="#section-4-2" class="pilcrow">¶</a></p>
<p id="section-4-3">
        If the client includes both the "tls_cert_with_extern_psk" extension
        and the "early_data" extension, then the server <span class="bcp14">MUST</span> terminate the
        connection with an "illegal_parameter" alert.<a href="#section-4-3" class="pilcrow">¶</a></p>
<p id="section-4-4">
        If the server is willing to use one of the external PSKs listed in the
        "pre_shared_key" extension and perform certificate-based authentication,
        then the server includes the "tls_cert_with_extern_psk" extension in the
        ServerHello message.  The "tls_cert_with_extern_psk" extension <span class="bcp14">MUST</span> be
        accompanied by the "key_share" and "pre_shared_key" extensions.  If none
        of the external PSKs in the list provided by the client is acceptable
        to the server, then the "tls_cert_with_extern_psk" extension is
        omitted from the ServerHello message.<a href="#section-4-4" class="pilcrow">¶</a></p>
<p id="section-4-5">
        When the "tls_cert_with_extern_psk" extension is successfully
        negotiated, the TLS 1.3 key schedule processing includes
        both the selected external PSK and the (EC)DHE shared secret
        value.  (EC)DHE refers to Diffie-Hellman over either finite fields
        or elliptic curves.  As a result, the Early Secret, Handshake
        Secret, and Master Secret values all depend upon the value of the
        selected external PSK.  Of course, the Early Secret does not
        depend upon the (EC)DHE shared secret.<a href="#section-4-5" class="pilcrow">¶</a></p>
<p id="section-4-6">
        The authentication of the server and optional authentication of
        the client depend upon the ability to generate a signature that
        can be validated with the public key in their certificates.  The
        authentication processing is not changed in any way by the
        selected external PSK.<a href="#section-4-6" class="pilcrow">¶</a></p>
<p id="section-4-7">
        Each external PSK is associated with a single hash algorithm, which
        is required by <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11" class="relref">Section 4.2.11</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.  The
        hash algorithm <span class="bcp14">MUST</span> be set when the PSK is established, with a
        default of SHA-256.<a href="#section-4-7" class="pilcrow">¶</a></p>
</section>
</div>
<div id="extn">
<section id="section-5">
      <h2 id="name-certificate-with-external-p">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-certificate-with-external-p" class="section-name selfRef">Certificate with External PSK Extension</a>
      </h2>
<p id="section-5-1">
        This section specifies the "tls_cert_with_extern_psk" extension,
        which <span class="bcp14">MAY</span> appear in the ClientHello message and ServerHello message.  It
        <span class="bcp14">MUST NOT</span> appear in any other messages.  The "tls_cert_with_extern_psk"
        extension <span class="bcp14">MUST NOT</span> appear in the ServerHello message unless the
        "tls_cert_with_extern_psk" extension appeared in the preceding
        ClientHello message.  If an implementation recognizes the
        "tls_cert_with_extern_psk" extension and receives it in any other
        message, then the implementation <span class="bcp14">MUST</span> abort the handshake with an
        "illegal_parameter" alert.<a href="#section-5-1" class="pilcrow">¶</a></p>
<p id="section-5-2">
        The general extension mechanisms enable clients and servers to
        negotiate the use of specific extensions.  Clients request
        extended functionality from servers with the extensions field
        in the ClientHello message.  If the server responds with a
        HelloRetryRequest message, then the client sends another
        ClientHello message as described in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2" class="relref">Section 4.1.2</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>, including the same
        "tls_cert_with_extern_psk" extension as the original
        ClientHello message, or aborts the handshake.<a href="#section-5-2" class="pilcrow">¶</a></p>
<p id="section-5-3">
        Many server extensions are carried in the EncryptedExtensions
        message; however, the "tls_cert_with_extern_psk" extension is
        carried in the ServerHello message.  Successful negotiation of
        the "tls_cert_with_extern_psk" extension affects the key used for
        encryption, so it cannot be carried in the EncryptedExtensions
        message.  Therefore, the "tls_cert_with_extern_psk" extension
        is only present in the ServerHello message if the server
        recognizes the "tls_cert_with_extern_psk" extension and the
        server possesses one of the external PSKs offered by the client
        in the "pre_shared_key" extension in the ClientHello message.<a href="#section-5-3" class="pilcrow">¶</a></p>
<p id="section-5-4">
        The Extension structure is defined in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>;
        it is repeated here for convenience.<a href="#section-5-4" class="pilcrow">¶</a></p>
<div id="section-5-5">
<pre class="sourcecode lang-tls-presentation">  struct {
      ExtensionType extension_type;
      opaque extension_data&lt;0..2^16-1&gt;;
  } Extension;
</pre><a href="#section-5-5" class="pilcrow">¶</a>
</div>
<p id="section-5-6">
        The "extension_type" identifies the particular extension type,
        and the "extension_data" contains information specific to the
        particular extension type.<a href="#section-5-6" class="pilcrow">¶</a></p>
<p id="section-5-7">
        This document specifies the "tls_cert_with_extern_psk" extension,
        adding one new type to ExtensionType:<a href="#section-5-7" class="pilcrow">¶</a></p>
<div id="section-5-8">
<pre class="sourcecode lang-tls-presentation">  enum {
      tls_cert_with_extern_psk(33), (65535)
  } ExtensionType;
</pre><a href="#section-5-8" class="pilcrow">¶</a>
</div>
<p id="section-5-9">
        The "tls_cert_with_extern_psk" extension is relevant when the
        client and server possess an external PSK in common that can be
        used as an input to the TLS 1.3 key schedule.  The
        "tls_cert_with_extern_psk" extension is essentially a flag to
        use the external PSK in the key schedule, and it has the
        following syntax:<a href="#section-5-9" class="pilcrow">¶</a></p>
<div id="section-5-10">
<pre class="sourcecode lang-tls-presentation">  struct {
      select (Handshake.msg_type) {
          case client_hello: Empty;
          case server_hello: Empty;
      };
  } CertWithExternPSK;
</pre><a href="#section-5-10" class="pilcrow">¶</a>
</div>
<div id="other-extns">
<section id="section-5.1">
        <h3 id="name-companion-extensions">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-companion-extensions" class="section-name selfRef">Companion Extensions</a>
        </h3>
<p id="section-5.1-1">
        <a href="#over" class="xref">Section 4</a> lists the extensions that are required to accompany the
        "tls_cert_with_extern_psk" extension.  Most of those extensions 
        are not impacted in any way by this specification.  However, this
        section discusses the extensions that require additional consideration.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<p id="section-5.1-2">
        The "psk_key_exchange_modes" extension is defined in
        of <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.9" class="relref">Section 4.2.9</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.  The
 "psk_key_exchange_modes"
        extension restricts the use of both the PSKs offered in this
        ClientHello and those that the server might supply via a subsequent
        NewSessionTicket.  As a result, when the "psk_key_exchange_modes"
        extension is included in the ClientHello message, clients <span class="bcp14">MUST</span>
        include psk_dhe_ke mode.  In addition, clients <span class="bcp14">MAY</span> also include
        psk_ke mode to support a subsequent NewSessionTicket.  When the
        "psk_key_exchange_modes" extension is included in the ServerHello
        message, servers <span class="bcp14">MUST</span> select the psk_dhe_ke mode for the initial
        handshake.  Servers <span class="bcp14">MUST</span> select a key exchange mode that is listed
        by the client for subsequent handshakes that include the resumption
        PSK from the initial handshake.<a href="#section-5.1-2" class="pilcrow">¶</a></p>
<p id="section-5.1-3">
        The "pre_shared_key" extension is defined in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11" class="relref">Section 4.2.11</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.  The
 syntax is repeated below for
        convenience.  All of the listed PSKs <span class="bcp14">MUST</span> be external PSKs.  If a
        resumption PSK is listed along with the "tls_cert_with_extern_psk"
        extension, the server <span class="bcp14">MUST</span> abort the handshake with an
        "illegal_parameter" alert.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
<div id="section-5.1-4">
<pre class="sourcecode lang-tls-presentation">  struct {
      opaque identity&lt;1..2^16-1&gt;;
      uint32 obfuscated_ticket_age;
  } PskIdentity;

  opaque PskBinderEntry&lt;32..255&gt;;

  struct {
      PskIdentity identities&lt;7..2^16-1&gt;;
      PskBinderEntry binders&lt;33..2^16-1&gt;;
  } OfferedPsks;

  struct {
      select (Handshake.msg_type) {
          case client_hello: OfferedPsks;
          case server_hello: uint16 selected_identity;
      };
  } PreSharedKeyExtension;
</pre><a href="#section-5.1-4" class="pilcrow">¶</a>
</div>
<p id="section-5.1-5">
        "OfferedPsks" contains the list of PSK identities and
        associated binders for the external PSKs that the client is
        willing to use with the server.<a href="#section-5.1-5" class="pilcrow">¶</a></p>
<p id="section-5.1-6">
        The identities are a list of external PSK identities that the
        client is willing to negotiate with the server.  Each external
        PSK has an associated identity that is known to the client
        and the server; the associated identities may be known to other
        parties as well.  In addition, the binder validation (see below)
        confirms that the client and server have the same key associated
        with the identity.<a href="#section-5.1-6" class="pilcrow">¶</a></p>
<p id="section-5.1-7">
        The "obfuscated_ticket_age" is not used for external PSKs.  As
        stated in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11" class="relref">Section 4.2.11</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>, clients
        <span class="bcp14">SHOULD</span> set this value to 0, and servers <span class="bcp14">MUST</span> ignore the value.<a href="#section-5.1-7" class="pilcrow">¶</a></p>
<p id="section-5.1-8">
        The binders are a series of HMAC <span>[<a href="#RFC2104" class="xref">RFC2104</a>]</span> values, one
        for each external PSK offered by the client, in the same order as the
        identities list.  The HMAC value is computed using the binder_key, which
        is derived from the external PSK, and a partial transcript of the current
        handshake.  Generation of the binder_key from the external PSK is
        described in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-7.1" class="relref">Section 7.1</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.  The
        partial transcript of the current handshake includes a partial
        ClientHello up to and including the PreSharedKeyExtension.identities
        field, as described in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11.2" class="relref">Section 4.2.11.2</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>.<a href="#section-5.1-8" class="pilcrow">¶</a></p>
<p id="section-5.1-9">
        The "selected_identity" contains the index of the external PSK
        identity that the server selected from the list offered by the
        client.  As described in <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11" class="relref">Section 4.2.11</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span>,
        the server <span class="bcp14">MUST</span> validate the binder value that corresponds to the
        selected external PSK, and if the binder does not validate, the
        server <span class="bcp14">MUST</span> abort the handshake with an "illegal_parameter" alert.<a href="#section-5.1-9" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authn">
<section id="section-5.2">
        <h3 id="name-authentication">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-authentication" class="section-name selfRef">Authentication</a>
        </h3>
<p id="section-5.2-1">
        When the "tls_cert_with_extern_psk" extension is successfully
        negotiated, authentication of the server depends upon the ability to
        generate a signature that can be validated with the public key in 
        the server's certificate.  This is accomplished by the server
        sending the Certificate and CertificateVerify messages, as described
        in Sections <a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.4.2" class="relref">4.4.2</a> and <a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3" class="relref">4.4.3</a> of <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2-2">
        TLS 1.3 does not permit the server to send a CertificateRequest message
        when a PSK is being used.  This restriction is removed when the
        "tls_cert_with_extern_psk" extension is negotiated, allowing
        certificate-based authentication for both the client and the server.  If
        certificate-based client authentication is desired, this is accomplished
        by the client sending the Certificate and CertificateVerify messages as
        described in Sections <a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.4.2" class="relref">4.4.2</a> and <a href="https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3" class="relref">4.4.3</a> of <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>.<a href="#section-5.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="keying">
<section id="section-5.3">
        <h3 id="name-keying-material">
<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-keying-material" class="section-name selfRef">Keying Material</a>
        </h3>
<p id="section-5.3-1">
        <span><a href="https://www.rfc-editor.org/rfc/rfc8446#section-7.1" class="relref">Section 7.1</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span> specifies the
        TLS 1.3 key schedule.  The successful negotiation of the
        "tls_cert_with_extern_psk" extension requires the key schedule
        processing to include both the external PSK and the (EC)DHE
 shared secret value.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
<p id="section-5.3-2">
        If the client and the server have different values associated
        with the selected external PSK identifier, then the client and
        the server will compute different values for every entry in the
        key schedule, which will lead to the client aborting the
        handshake with a "decrypt_error" alert.<a href="#section-5.3-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="IANA-con">
<section id="section-6">
      <h2 id="name-iana-considerations">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-6-1">
        IANA has updated the "TLS ExtensionType Values" registry
 <span>[<a href="#IANA" class="xref">IANA</a>]</span>
        to include "tls_cert_with_extern_psk" with a value of 33 and the list of
        messages "CH, SH" in which the "tls_cert_with_extern_psk" extension may
        appear.<a href="#section-6-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="security">
<section id="section-7">
      <h2 id="name-security-considerations">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
      </h2>
<p id="section-7-1">
        The Security Considerations in <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span>
        remain relevant.<a href="#section-7-1" class="pilcrow">¶</a></p>
<p id="section-7-2">
        TLS 1.3 <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> does not permit
        the server to send a CertificateRequest message when a PSK
        is being used.  This restriction is removed when the
        "tls_cert_with_extern_psk" extension is offered by the client
        and accepted by the server.  However, TLS 1.3 does not
        permit an external PSK to be used in the same fashion as a
        resumption PSK, and this extension does not alter those
        restrictions.  Thus, a certificate <span class="bcp14">MUST NOT</span> be used with
        a resumption PSK.<a href="#section-7-2" class="pilcrow">¶</a></p>
<p id="section-7-3">
        Implementations must protect the external pre-shared key (PSK).
        Compromise of the external PSK will make the encrypted session
        content vulnerable to the future development of a large-scale
        quantum computer.  However, the generation, distribution, and
        management of the external PSKs is out of scope for this
        specification.<a href="#section-7-3" class="pilcrow">¶</a></p>
<p id="section-7-4">
        Implementers should not transmit the same content on a connection
        that is protected with an external PSK and a connection that is
        not.  Doing so may allow an eavesdropper to correlate the
        connections, making the content vulnerable to the future
        invention of a large-scale quantum computer.<a href="#section-7-4" class="pilcrow">¶</a></p>
<p id="section-7-5">
        Implementations must generate external PSKs with a secure key-management
        technique, such as pseudorandom generation of the key or derivation of
        the key from one or more other secure keys.  The use of inadequate
        pseudorandom number generators (PRNGs) to generate external PSKs can
        result in little or no security.  An attacker may find it much easier
        to reproduce the PRNG environment that produced the external PSKs and
        search the resulting small set of possibilities, rather than brute-force
        searching the whole key space.  The generation of quality random
        numbers is difficult.  <span>[<a href="#RFC4086" class="xref">RFC4086</a>]</span> offers important
        guidance in this area.<a href="#section-7-5" class="pilcrow">¶</a></p>
<p id="section-7-6">
        If the external PSK is known to any party other than the client and
        the server, then the external PSK <span class="bcp14">MUST NOT</span> be the sole basis for
        authentication.  The reasoning is explained in Section 4.2 of
        <span>[<a href="#K2016" class="xref">K2016</a>]</span>.  When this extension is used, authentication
        is based on certificates, not the external PSK.<a href="#section-7-6" class="pilcrow">¶</a></p>
<p id="section-7-7">
        In this extension, the external PSK preserves confidentiality if the
        (EC)DH key agreement is ever broken by cryptanalysis or the future
        invention of a large-scale quantum computer.  As long as the attacker
        does not know the PSK and the key derivation algorithm remains
        unbroken, the attacker cannot derive the session secrets, even if they
        are able to compute the (EC)DH shared secret.  Should the attacker be
        able compute the (EC)DH shared secret, the forward-secrecy advantages
        traditionally associated with ephemeral (EC)DH keys will no longer be
        relevant. Although the ephemeral private keys used during a given TLS
        session are destroyed at the end of a session, preventing the attacker
        from later accessing them, these private keys would nevertheless be
        recoverable due to the break in the algorithm.  However, a more
        general notion of "secrecy after key material is destroyed" would still
        be achievable using external PSKs, if they are managed in a way that
        ensures their destruction when they are no longer needed, and with
        the assumption that the algorithms that use the external PSKs remain
        quantum-safe.<a href="#section-7-7" class="pilcrow">¶</a></p>
<p id="section-7-8">
        TLS 1.3 key derivation makes use of the HMAC-based Key Derivation
 Function (HKDF) algorithm, which depends
        upon the HMAC <span>[<a href="#RFC2104" class="xref">RFC2104</a>]</span> construction and a hash
        function.  This extension provides the desired protection for the
        session secrets, as long as HMAC with the selected hash function is
         a pseudorandom function (PRF) <span>[<a href="#GGM1986" class="xref">GGM1986</a>]</span>.<a href="#section-7-8" class="pilcrow">¶</a></p>
<p id="section-7-9">
        This specification does not require that the external PSK is known only by
        the client and server.  The external PSK may be known to a group.  Since
        authentication depends on the public key in a certificate, knowledge of
        the external PSK by other parties does not enable impersonation.  Since
        confidentiality depends on the shared secret from (EC)DH, knowledge of
        the external PSK by other parties does not enable eavesdropping.  However,
        group members can record the traffic of other members and then decrypt it
        if they ever gain access to a large-scale quantum computer.  Also, when
        many parties know the external PSK, there are many opportunities for theft
        of the external PSK by an attacker.  Once an attacker has the external PSK,
        they can decrypt stored traffic if they ever gain access to a large-scale
        quantum computer, in the same manner as a legitimate group member.<a href="#section-7-9" class="pilcrow">¶</a></p>
<p id="section-7-10">

        TLS 1.3 <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> takes a conservative approach to PSKs;
        they are bound to a specific hash function and KDF.  By contrast,
        TLS 1.2 <span>[<a href="#RFC5246" class="xref">RFC5246</a>]</span> allows PSKs to be used with any hash
        function and the TLS 1.2 PRF.  Thus, the safest approach is to use a PSK
        exclusively with TLS 1.2 or exclusively with TLS 1.3.  Given one PSK,
        one can derive a PSK for exclusive use with TLS 1.2 and derive another
        PSK for exclusive use with TLS 1.3 using the mechanism specified in
        <span>[<a href="#I-D.ietf-tls-external-psk-importer" class="xref">IMPORT</a>]</span>.<a href="#section-7-10" class="pilcrow">¶</a></p>
<p id="section-7-11">
        TLS 1.3 <span>[<a href="#RFC8446" class="xref">RFC8446</a>]</span> has received careful security analysis,
        and the following informal reasoning shows that the addition of this
        extension does not introduce any security defects.  This extension
        requires the use of certificates for authentication, but the processing
        of certificates is unchanged by this extension.  This extension places
        an external PSK in the key schedule as part of the computation of the
        Early Secret.  In the initial handshake without this extension, the
        Early Secret is computed as:<a href="#section-7-11" class="pilcrow">¶</a></p>
<div id="section-7-12">
<pre class="sourcecode">
   Early Secret = HKDF-Extract(0, 0)
</pre><a href="#section-7-12" class="pilcrow">¶</a>
</div>
<p id="section-7-13">
        With this extension, the Early Secret is computed as:<a href="#section-7-13" class="pilcrow">¶</a></p>
<div id="section-7-14">
<pre class="sourcecode">
   Early Secret = HKDF-Extract(External PSK, 0)
</pre><a href="#section-7-14" class="pilcrow">¶</a>
</div>
<p id="section-7-15">
        Any entropy contributed by the external PSK can only make the Early
        Secret better; the External PSK cannot make it worse.  For these two
        reasons, TLS 1.3 continues to meet its security goals when this extension
        is used.<a href="#section-7-15" class="pilcrow">¶</a></p>
</section>
</div>
<div id="privacy">
<section id="section-8">
      <h2 id="name-privacy-considerations">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-privacy-considerations" class="section-name selfRef">Privacy Considerations</a>
      </h2>
<p id="section-8-1">
        <span><a href="https://www.rfc-editor.org/rfc/rfc8446#appendix-E.6" class="relref">Appendix E.6</a> of [<a href="#RFC8446" class="xref">RFC8446</a>]</span> discusses identity-exposure
        attacks on PSKs.  The guidance in this section remains relevant.<a href="#section-8-1" class="pilcrow">¶</a></p>
<p id="section-8-2">
        This extension makes use of external PSKs to improve resilience against
        attackers that gain access to a large-scale quantum computer in the
        future.  This extension is always accompanied by the "pre_shared_key"
        extension to provide the PSK identities in plaintext in the ClientHello
        message.  Passive observation of the these PSK identities will aid an
        attacker in tracking users of this extension.<a href="#section-8-2" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-9">
      <h2 id="name-references">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-9.1">
        <h3 id="name-normative-references">
<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC2119">[RFC2119]</dt>
<dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dt id="RFC8174">[RFC8174]</dt>
<dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dt id="RFC8446">[RFC8446]</dt>
<dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8446">https://www.rfc-editor.org/info/rfc8446</a>&gt;</span>. </dd>
</dl>
</section>
<section id="section-9.2">
        <h3 id="name-informative-references">
<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="DH1976">[DH1976]</dt>
<dd>
<span class="refAuthor">Diffie, W.</span><span class="refAuthor"> and M. Hellman</span>, <span class="refTitle">"New Directions in Cryptography"</span>, <span class="refContent">IEEE Transactions on Information Theory</span>, <span class="refContent">Vol. 22, No. 6</span>, <span class="seriesInfo">DOI 10.1109/TIT.1976.1055638</span>, <time datetime="1976-11">November 1976</time>, <span>&lt;<a href="https://ieeexplore.ieee.org/document/1055638">https://ieeexplore.ieee.org/document/1055638</a>&gt;</span>. </dd>
<dt id="FIPS186">[FIPS186]</dt>
<dd>
<span class="refAuthor">NIST</span>, <span class="refTitle">"Digital Signature Standard (DSS)"</span>, <span class="seriesInfo">Federal Information Processing Standards Publication (FIPS) 186-4</span>, <span class="seriesInfo">DOI 10.6028/NIST.FIPS.186-4</span>, <time datetime="2013-07">July 2013</time>, <span>&lt;<a href="https://doi.org/10.6028/NIST.FIPS.186-4">https://doi.org/10.6028/NIST.FIPS.186-4</a>&gt;</span>. </dd>
<dt id="GGM1986">[GGM1986]</dt>
<dd>
<span class="refAuthor">Goldreich, O.</span><span class="refAuthor">, Goldwasser, S.</span><span class="refAuthor">, and S. Micali</span>, <span class="refTitle">"How to construct random functions"</span>, <span class="refContent">Journal of the ACM</span>, <span class="refContent">Vol. 33, No. 4</span>, <span class="refContent">pp. 792-807</span>, <span class="seriesInfo">DOI 10.1145/6490.6503</span>, <time datetime="1986-08">August 1986</time>, <span>&lt;<a href="https://doi.org/10.1145/6490.6503">https://doi.org/10.1145/6490.6503</a>&gt;</span>. </dd>
<dt id="IANA">[IANA]</dt>
<dd>
<span class="refAuthor">IANA</span>, <span class="refTitle">"TLS ExtensionType Values"</span>, <span>&lt;<a href="https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml">https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml</a>&gt;</span>. </dd>
<dt id="IEEE1363">[IEEE1363]</dt>
<dd>
<span class="refAuthor">IEEE</span>, <span class="refTitle">"IEEE Standard Specifications for Public-Key Cryptography"</span>, <span class="seriesInfo">IEEE Std 1363-2000</span>, <span class="seriesInfo">DOI 10.1109/IEEESTD.2000.92292</span>, <time datetime="2000-08">August 2000</time>, <span>&lt;<a href="https://ieeexplore.ieee.org/document/891000">https://ieeexplore.ieee.org/document/891000</a>&gt;</span>. </dd>
<dt id="I-D.ietf-tls-external-psk-importer">[IMPORT]</dt>
<dd>
<span class="refAuthor">Benjamin, D.</span><span class="refAuthor"> and C. Wood</span>, <span class="refTitle">"Importing External PSKs for TLS"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-tls-external-psk-importer-03</span>, <time datetime="2020-02-15">15 February 2020</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-03">https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-03</a>&gt;</span>. </dd>
<dt id="K2016">[K2016]</dt>
<dd>
<span class="refAuthor">Krawczyk, H.</span>, <span class="refTitle">"A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3)"</span>, <span class="refContent">CCS '16: Proceedings of the 2016 ACM Communications Security</span>, <span class="refContent">pp. 1438-50</span>, <span class="seriesInfo">DOI 10.1145/2976749.2978325</span>, <time datetime="2016-10">October 2016</time>, <span>&lt;<a href="https://dl.acm.org/doi/10.1145/2976749.2978325">https://dl.acm.org/doi/10.1145/2976749.2978325</a>&gt;</span>. </dd>
<dt id="RFC2104">[RFC2104]</dt>
<dd>
<span class="refAuthor">Krawczyk, H.</span><span class="refAuthor">, Bellare, M.</span><span class="refAuthor">, and R. Canetti</span>, <span class="refTitle">"HMAC: Keyed-Hashing for Message Authentication"</span>, <span class="seriesInfo">RFC 2104</span>, <span class="seriesInfo">DOI 10.17487/RFC2104</span>, <time datetime="1997-02">February 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2104">https://www.rfc-editor.org/info/rfc2104</a>&gt;</span>. </dd>
<dt id="RFC4086">[RFC4086]</dt>
<dd>
<span class="refAuthor">Eastlake 3rd, D.</span><span class="refAuthor">, Schiller, J.</span><span class="refAuthor">, and S. Crocker</span>, <span class="refTitle">"Randomness Requirements for Security"</span>, <span class="seriesInfo">BCP 106</span>, <span class="seriesInfo">RFC 4086</span>, <span class="seriesInfo">DOI 10.17487/RFC4086</span>, <time datetime="2005-06">June 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4086">https://www.rfc-editor.org/info/rfc4086</a>&gt;</span>. </dd>
<dt id="RFC5246">[RFC5246]</dt>
<dd>
<span class="refAuthor">Dierks, T.</span><span class="refAuthor"> and E. Rescorla</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.2"</span>, <span class="seriesInfo">RFC 5246</span>, <span class="seriesInfo">DOI 10.17487/RFC5246</span>, <time datetime="2008-08">August 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5246">https://www.rfc-editor.org/info/rfc5246</a>&gt;</span>. </dd>
<dt id="RFC8017">[RFC8017]</dt>
<dd>
<span class="refAuthor">Moriarty, K., Ed.</span><span class="refAuthor">, Kaliski, B.</span><span class="refAuthor">, Jonsson, J.</span><span class="refAuthor">, and A. Rusch</span>, <span class="refTitle">"PKCS #1: RSA Cryptography Specifications Version 2.2"</span>, <span class="seriesInfo">RFC 8017</span>, <span class="seriesInfo">DOI 10.17487/RFC8017</span>, <time datetime="2016-11">November 2016</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8017">https://www.rfc-editor.org/info/rfc8017</a>&gt;</span>. </dd>
<dt id="I-D.hoffman-c2pq">[TRANSITION]</dt>
<dd>
<span class="refAuthor">Hoffman, P.</span>, <span class="refTitle">"The Transition from Classical to Post-Quantum Cryptography"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-hoffman-c2pq-06</span>, <time datetime="2019-11-25">25 November 2019</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-hoffman-c2pq-06">https://tools.ietf.org/html/draft-hoffman-c2pq-06</a>&gt;</span>. </dd>
</dl>
</section>
</section>
<div id="acks">
<section id="section-appendix.a">
      <h2 id="name-acknowledgments">
<a href="#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
      </h2>
<p id="section-appendix.a-1">
        Many thanks to
        <span class="contact-name">Liliya Akhmetzyanova</span>,
        <span class="contact-name">Roman Danyliw</span>,
        <span class="contact-name">Christian Huitema</span>,
        <span class="contact-name">Ben Kaduk</span>,
 <span class="contact-name">Geoffrey Keating</span>,
 <span class="contact-name">Hugo Krawczyk</span>,
 <span class="contact-name">Mirja Kühlewind</span>,
 <span class="contact-name">Nikos Mavrogiannopoulos</span>,
 <span class="contact-name">Nick Sullivan</span>, 
        <span class="contact-name">Martin Thomson</span>, and
        <span class="contact-name">Peter Yee</span>
        for their review and comments; their efforts have improved this document.<a href="#section-appendix.a-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="section-appendix.b">
      <h2 id="name-authors-address">
<a href="#name-authors-address" class="section-name selfRef">Author's Address</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Russ Housley</span></div>
<div dir="auto" class="left"><span class="org">Vigil Security, LLC</span></div>
<div dir="auto" class="left"><span class="street-address">516 Dranesville Road</span></div>
<div dir="auto" class="left">
<span class="locality">Herndon</span>, <span class="region">VA</span> <span class="postal-code">20170</span>
</div>
<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:housley@vigilsec.com" class="email">housley@vigilsec.com</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>