| rfc9847v1.txt | rfc9847.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) J. Salowey | Internet Engineering Task Force (IETF) J. Salowey | |||
| Request for Comments: 9847 Venafi | Request for Comments: 9847 CyberArk | |||
| Updates: 8447 S. Turner | Updates: 8447 S. Turner | |||
| Category: Standards Track sn3rd | Category: Standards Track sn3rd | |||
| ISSN: 2070-1721 October 2025 | ISSN: 2070-1721 December 2025 | |||
| IANA Registry Updates for TLS and DTLS | IANA Registry Updates for TLS and DTLS | |||
| Abstract | Abstract | |||
| This document updates the changes to the TLS and DTLS IANA registries | This document updates the changes to the TLS and DTLS IANA registries | |||
| made in RFC 8447. It adds a new value, "D" for discouraged, to the | made in RFC 8447. It adds a new value, "D" for discouraged, to the | |||
| "Recommended" column of the selected TLS registries and adds a | "Recommended" column of the selected TLS registries and adds a | |||
| "Comment" column to all active registries that do not already have a | "Comment" column to all active registries that do not already have a | |||
| "Comment" column. Finally, it updates the registration request | "Comment" column. Finally, it updates the registration request | |||
| skipping to change at line 93 ¶ | skipping to change at line 93 ¶ | |||
| "Comment" column to all active registries that do not already have a | "Comment" column to all active registries that do not already have a | |||
| "Comment" column. | "Comment" column. | |||
| This specification also updates the registration request | This specification also updates the registration request | |||
| instructions. | instructions. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Updating "Recommended" Column's Values | 3. Updating "Recommended" Column's Values | |||
| The instructions in this document update the "Recommended" column, | The instructions in this document update the "Recommended" column, | |||
| originally added in [RFC8447] to add a third value, "D", indicating | originally added in [RFC8447] to add a third value, "D", indicating | |||
| that a value is discouraged. The permitted values of the | that a value is discouraged. The permitted values of the | |||
| "Recommended" column are: | "Recommended" column are: | |||
| Y: Indicates that the IETF has consensus that the item is | Y: Indicates that the IETF has consensus that the item is | |||
| skipping to change at line 117 ¶ | skipping to change at line 117 ¶ | |||
| documentation for the mechanism is necessary to understand the | documentation for the mechanism is necessary to understand the | |||
| applicability of that mechanism. The IETF could recommend | applicability of that mechanism. The IETF could recommend | |||
| mechanisms that have limited applicability but will provide | mechanisms that have limited applicability but will provide | |||
| applicability statements that describe any limitations of the | applicability statements that describe any limitations of the | |||
| mechanism or necessary constraints on its use. | mechanism or necessary constraints on its use. | |||
| N: Indicates that the item has not been evaluated by the IETF and | N: Indicates that the item has not been evaluated by the IETF and | |||
| that the IETF has made no statement about the suitability of the | that the IETF has made no statement about the suitability of the | |||
| associated mechanism. This does not necessarily mean that the | associated mechanism. This does not necessarily mean that the | |||
| mechanism is flawed, only that no consensus exists. The IETF | mechanism is flawed, only that no consensus exists. The IETF | |||
| might have consensus to leave an items marked as "N" on the basis | might have consensus to leave an item marked as "N" on the basis | |||
| of its having limited applicability or usage constraints. | of the item having limited applicability or usage constraints. | |||
| D: Indicates that the item is discouraged. This marking could be | D: Indicates that the item is discouraged. This marking could be | |||
| used to identify mechanisms that might result in problems if they | used to identify mechanisms that might result in problems if they | |||
| are used, such as a weak cryptographic algorithm or a mechanism | are used, such as a weak cryptographic algorithm or a mechanism | |||
| that might cause interoperability problems in deployment. When | that might cause interoperability problems in deployment. When | |||
| marking a registry entry as "D", either the "Reference" or the | marking a registry entry as "D", either the "Reference" or the | |||
| "Comment" column MUST include sufficient information to determine | "Comment" column MUST include sufficient information to determine | |||
| why the marking has been applied. Implementers and users SHOULD | why the marking has been applied. Implementers and users SHOULD | |||
| consult the linked references associated with the item to | consult the linked references associated with the item to | |||
| determine the conditions under which the item SHOULD NOT or MUST | determine the conditions under which the item SHOULD NOT or MUST | |||
| skipping to change at line 192 ¶ | skipping to change at line 192 ¶ | |||
| | 53 | connection_id (deprecated) | D | | | 53 | connection_id (deprecated) | D | | |||
| +-------+----------------------------+-------------+ | +-------+----------------------------+-------------+ | |||
| Table 1 | Table 1 | |||
| * Updated the note on the "Recommended" column with text in | * Updated the note on the "Recommended" column with text in | |||
| Section 3.1. | Section 3.1. | |||
| * For the truncated_hmac, added the following link to the | * For the truncated_hmac, added the following link to the | |||
| "Reference" column: https://www.iacr.org/archive/ | "Reference" column: https://www.iacr.org/archive/ | |||
| asiacrypt2011/70730368/70730368.pdf | asiacrypt2011/70730368/70730368.pdf. | |||
| * For the two Reserved values above, added the following link in the | * For the two Reserved values above, added the following link in the | |||
| "Reference" column: https://mailarchive.ietf.org/arch/msg/tls-reg- | "Reference" column: https://mailarchive.ietf.org/arch/msg/tls-reg- | |||
| review/5BD62HBFjo_AsW-Y8ohVuWEe1gI/ | review/5BD62HBFjo_AsW-Y8ohVuWEe1gI/. | |||
| 5. TLS Cipher Suites Registry | 5. TLS Cipher Suites Registry | |||
| Several categories of cipher suites are discouraged for general use | Several categories of cipher suites are discouraged for general use | |||
| and are marked as "D". | and are marked as "D". | |||
| Cipher suites that use NULL encryption do not provide the | Cipher suites that use NULL encryption do not provide the | |||
| confidentiality normally expected of TLS. Protocols and applications | confidentiality normally expected of TLS. Protocols and applications | |||
| are often designed to require confidentiality as a security property. | are often designed to require confidentiality as a security property. | |||
| These cipher suites MUST NOT be used in those cases. | These cipher suites MUST NOT be used in those cases. | |||
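Review bot: appending a period directly to the bare URLs in the "Reference" column bullets (the lines now ending "70730368.pdf." and "5BD62HBFjo_AsW-Y8ohVuWEe1gI/.") invites the period being copied into the link when the registry text is reused; the Normative References in this same document already use the RFC convention of angle brackets (e.g. "<https://www.rfc-editor.org/info/rfc2119>."), so consider "<https://www.iacr.org/archive/asiacrypt2011/70730368/70730368.pdf>." and likewise for the mail-archive link.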
| skipping to change at line 366 ¶ | skipping to change at line 366 ¶ | |||
| * Updated the note on the "Recommended" column with text in | * Updated the note on the "Recommended" column with text in | |||
| Section 3.1. | Section 3.1. | |||
| * Removed the "Elliptic curve groups" note from the registration | * Removed the "Elliptic curve groups" note from the registration | |||
| procedures table. | procedures table. | |||
| * For each of the entries above, added the following link to the | * For each of the entries above, added the following link to the | |||
| "Comment" column: | "Comment" column: | |||
| https://datatracker.ietf.org/meeting/118/materials/slides-118-tls- | https://datatracker.ietf.org/meeting/118/materials/slides-118-tls- | |||
| rfc8447bis-00 | rfc8447bis-00. | |||
| 7. TLS Exporter Labels Registry | 7. TLS Exporter Labels Registry | |||
| This document updates the registration procedure for the "TLS | This document updates the registration procedure for the "TLS | |||
| Exporter Labels" registry and updates the "Recommended" column | Exporter Labels" registry and updates the "Recommended" column | |||
| allocation. IANA has updated the "TLS Exporter Labels" registry as | allocation. IANA has updated the "TLS Exporter Labels" registry as | |||
| follows: | follows: | |||
| * Changed the registration procedure from Specification Required to | * Changed the registration procedure from Specification Required to | |||
| Expert Review and updated it to include: | Expert Review and updated it to include: | |||
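Review bot: the "Comment" column for the entries in this section points at a meeting slide deck (https://datatracker.ietf.org/meeting/118/materials/slides-118-tls-rfc8447bis-00), which is a less durable justification than the section of this document that records the change; since Section 3 allows the "Reference" or "Comment" column to carry the rationale for a marking, consider citing this document's section alongside, or instead of, the slides. The trailing period added to that URL has the same copy-paste hazard as the ones in Section 4; angle brackets would avoid it.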
| skipping to change at line 392 ¶ | skipping to change at line 392 ¶ | |||
| * Added a reference to this document under the reference heading. | * Added a reference to this document under the reference heading. | |||
| * Entries kept their existing "Recommended" column "Y" and "N" | * Entries kept their existing "Recommended" column "Y" and "N" | |||
| entries. | entries. | |||
| * Updated the note on the "Recommended" column with text in | * Updated the note on the "Recommended" column with text in | |||
| Section 3.1. | Section 3.1. | |||
| * Updated the note on the role of the expert reviewer as follows. | * Updated the note on the role of the expert reviewer as follows. | |||
| | Note: The role of the designated expert is described in [RFC8447], | | Note: The role of the designated expert is described in Section 17 | |||
| | Section 17. Even though this registry does not require a | | of [RFC8447]. Even though this registry does not require a | |||
| | specification, the designated expert [RFC8126] will strongly | | specification, the designated expert [RFC8126] will strongly | |||
| | encourage registrants to provide a link to a publicly available | | encourage registrants to provide a link to a publicly available | |||
| | specification. An Internet-Draft (that is posted and never | | specification. An Internet-Draft (that is posted and never | |||
| | published as an RFC) or a document from another standards body, | | published as an RFC) or a document from another standards body, | |||
| | industry consortium, university site, etc. is suitable for these | | industry consortium, university site, etc. is suitable for these | |||
| | purposes. The expert may provide more in-depth reviews, but their | | purposes. The expert may provide more in-depth reviews, but their | |||
| | approval should not be taken as an endorsement of the exporter | | approval should not be taken as an endorsement of the exporter | |||
| | label. The expert also verifies that the label is a string | | label. The expert also verifies that the label is a string | |||
| | consisting of printable ASCII characters beginning with | | consisting of printable ASCII characters beginning with | |||
| | "EXPORTER". IANA MUST also verify that one label is not a prefix | | "EXPORTER". IANA MUST also verify that one label is not a prefix | |||
| skipping to change at line 432 ¶ | skipping to change at line 432 ¶ | |||
| * Added a reference to this document under the reference heading. | * Added a reference to this document under the reference heading. | |||
| * Entries kept their existing "Recommended" column "Y" and "N" | * Entries kept their existing "Recommended" column "Y" and "N" | |||
| entries. | entries. | |||
| * Updated the note on the "Recommended" column with text in | * Updated the note on the "Recommended" column with text in | |||
| Section 3.1. | Section 3.1. | |||
| 9. TLS HashAlgorithm Registry | 9. TLS HashAlgorithm Registry | |||
| TLS 1.0 and TLS 1.1 were deprecated [RFC8996], TLS 1.2 will be in use | TLS 1.0 and TLS 1.1 were deprecated [RFC8996]; TLS 1.2 will be in use | |||
| for some time. In order to reflect the changes in the "Recommended" | for some time. In order to reflect the changes in the "Recommended" | |||
| column allocation, IANA has updated the "TLS HashAlgorithm" registry | column allocation, IANA has updated the "TLS HashAlgorithm" registry | |||
| as follows: | as follows: | |||
| * Updated the registration procedure to include: | * Updated the registration procedure to include: | |||
| Setting a value to "Y" or "D" or transitioning the value from "Y" | Setting a value to "Y" or "D" or transitioning the value from "Y" | |||
| or "D" in the "Recommended" column requires IETF Standards Action | or "D" in the "Recommended" column requires IETF Standards Action | |||
| with Expert Review or IESG Approval [RFC8126]. | with Expert Review or IESG Approval [RFC8126]. | |||
| skipping to change at line 649 ¶ | skipping to change at line 649 ¶ | |||
| * TLS PskKeyExchangeMode | * TLS PskKeyExchangeMode | |||
| * TLS KDF Identifiers | * TLS KDF Identifiers | |||
| * TLS SSLKEYLOGFILE Labels | * TLS SSLKEYLOGFILE Labels | |||
| This list of registries is all registries that do not already have a | This list of registries is all registries that do not already have a | |||
| "Comment" or "Note" column or that were not orphaned by TLS 1.3. | "Comment" or "Note" column or that were not orphaned by TLS 1.3. | |||
| IANA has renamed the "Note" column to "Comment" in the "TLS Exporter | ||||
| Labels" registry. | ||||
| 15. Expert Review of Current and Potential IETF and IRTF Documents | 15. Expert Review of Current and Potential IETF and IRTF Documents | |||
| The intent of the Specification Required choice for TLS codepoints is | The intent of the Specification Required choice for TLS codepoints is | |||
| to allow for easy registration for codepoints associated with | to allow for easy registration for codepoints associated with | |||
| protocols and algorithms that are not being actively developed inside | protocols and algorithms that are not being actively developed inside | |||
| the IETF or IRTF. When TLS-based technologies are being developed | the IETF or IRTF. When TLS-based technologies are being developed | |||
| inside the IETF or IRTF, they should be done in coordination with the | inside the IETF or IRTF, they should be done in coordination with the | |||
| TLS WG in order to provide appropriate review. For this reason, | TLS WG in order to provide appropriate review. For this reason, | |||
| unless the TLS WG Chairs indicate otherwise via email, designated | unless the TLS WG Chairs indicate otherwise via email, designated | |||
| experts should decline codepoint registrations for documents that | experts should decline codepoint registrations for documents that | |||
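Review bot: dropping the sentence "IANA has renamed the "Note" column to "Comment" in the "TLS Exporter Labels" registry" (left column, Section 14) leaves that rename undocumented here; if IANA did perform it, Section 7, which lists the updates to the "TLS Exporter Labels" registry, should record it, and if it did not, the preceding sentence's mention of registries that already have a "Comment" or "Note" column is now the only acknowledgement that a "Note" column exists. Separately, "do not already have a "Comment" or "Note" column or that were not orphaned by TLS 1.3" reads as a disjunction, while the intended membership test is presumably the conjunction (no existing column and not orphaned); "and that were not orphaned" would state that unambiguously.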
| skipping to change at line 702 ¶ | skipping to change at line 699 ¶ | |||
| Designated experts ensure the specification is publicly available. | Designated experts ensure the specification is publicly available. | |||
| They may provide more in-depth reviews. Their review should not be | They may provide more in-depth reviews. Their review should not be | |||
| taken as an endorsement of the cipher suite, extension, supported | taken as an endorsement of the cipher suite, extension, supported | |||
| group, etc. | group, etc. | |||
| 18. IANA Considerations | 18. IANA Considerations | |||
| This document is entirely about changes to TLS-related IANA | This document is entirely about changes to TLS-related IANA | |||
| registries. | registries. | |||
| IANA has modified the note applied to all TLS Specification Required | ||||
| registries instructing where to send registration requests as | ||||
| follows: | ||||
| | Note: Requests for registration in the "Specification Required" | ||||
| | [RFC8126] range should be sent to iana@iana.org or submitted via | ||||
| | IANA's application form, per [RFC 9847]. IANA will forward the | ||||
| | request to the expert mailing list described in [RFC8447], | ||||
| | Section 17 and track its progress. See the registration procedure | ||||
| | table below for more information. | ||||
| 19. Normative References | 19. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.1", RFC 4346, | (TLS) Protocol Version 1.1", RFC 4346, | |||
| DOI 10.17487/RFC4346, April 2006, | DOI 10.17487/RFC4346, April 2006, | |||
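Review bot: in Section 18, removing the IANA note paragraph (left column, "IANA has modified the note applied to all TLS Specification Required registries ... See the registration procedure table below") removes the only visible statement of where registration requests are sent (iana@iana.org or IANA's application form), yet the Abstract and Section 1 still say this document updates the registration request instructions; confirm that the instruction survives elsewhere in the document, otherwise the Abstract overstates what is specified. The removed text also cited itself as "[RFC 9847]", which does not match the "[RFC8447]" anchor style used everywhere else, so if any of it is reinstated the self-reference should read "this document".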
| skipping to change at line 758 ¶ | skipping to change at line 744 ¶ | |||
| <https://www.rfc-editor.org/info/rfc8996>. | <https://www.rfc-editor.org/info/rfc8996>. | |||
| [RFC9155] Velvindron, L., Moriarty, K., and A. Ghedini, "Deprecating | [RFC9155] Velvindron, L., Moriarty, K., and A. Ghedini, "Deprecating | |||
| MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2", | MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2", | |||
| RFC 9155, DOI 10.17487/RFC9155, December 2021, | RFC 9155, DOI 10.17487/RFC9155, December 2021, | |||
| <https://www.rfc-editor.org/info/rfc9155>. | <https://www.rfc-editor.org/info/rfc9155>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Joe Salowey | Joe Salowey | |||
| Venafi | CyberArk | |||
| Email: joe@salowey.net | Email: joe@salowey.net | |||
| Sean Turner | Sean Turner | |||
| sn3rd | sn3rd | |||
| Email: sean@sn3rd.com | Email: sean@sn3rd.com | |||
| End of changes. 12 change blocks. | ||||
| 27 lines changed or deleted | 13 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||