| rfc9934.original | rfc9934.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) S. Farrell | Internet Engineering Task Force (IETF) S. Farrell | |||
| Internet-Draft Trinity College Dublin | Request for Comments: 9934 Trinity College Dublin | |||
| Intended status: Standards Track 23 January 2026 | Category: Standards Track February 2026 | |||
| Expires: 27 July 2026 | ISSN: 2070-1721 | |||
| PEM file format for ECH | Privacy-Enhanced Mail (PEM) File Format for Encrypted ClientHello (ECH) | |||
| draft-farrell-tls-pemesni-13 | ||||
| Abstract | Abstract | |||
| Encrypted ClientHello (ECH) key pairs need to be configured into TLS | Encrypted ClientHello (ECH) key pairs need to be configured into TLS | |||
| servers, which can be built using different TLS libraries. This | servers, which can be built using different TLS libraries. This | |||
| document specifies a file format to use, similar to how RFC 7468 | document specifies a standard file format for this purpose, similar | |||
| defines other PEM file formats. | to how RFC 7468 defines other Privacy-Enhanced Mail (PEM) file | |||
| formats. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 27 July 2026. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9934. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2026 IETF Trust and the persons identified as the | Copyright (c) 2026 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology | |||
| 3. ECHConfig file . . . . . . . . . . . . . . . . . . . . . . . 2 | 3. ECHConfig File | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 4. Security Considerations | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | 5. IANA Considerations | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 6. References | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6.1. Normative References | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 6.2. Informative References | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 5 | Acknowledgements | |||
| Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 5 | Author's Address | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| Encrypted ClientHello (ECH) [I-D.ietf-tls-esni] for TLS1.3 [RFC8446] | Encrypted ClientHello (ECH) [RFC9849] for TLS1.3 [RFC8446] defines a | |||
| defines a confidentiality mechanism for server names and other | confidentiality mechanism for server names and other ClientHello | |||
| ClientHello content in TLS. That requires publication of an | content in TLS. That requires publication of an ECHConfigList data | |||
| ECHConfigList data structure in an HTTPS or SVCB RR [RFC9460] in the | structure in an HTTPS or SVCB RR [RFC9460] in the DNS. An | |||
| DNS. An ECHConfigList can contain one or more ECHConfig values. An | ECHConfigList can contain one or more ECHConfig values. An ECHConfig | |||
| ECHConfig structure contains the public component of a key pair that | structure contains the public component of a key pair that will | |||
| will typically be periodically (re-)generated by some key manager for | typically be periodically (re-)generated by some key manager for a | |||
| a TLS server. TLS servers then need to be configured to use these | TLS server. TLS servers then need to be configured to use these key | |||
| key pairs, and given that various TLS servers can be built with | pairs, and given that various TLS servers can be built with different | |||
| different TLS libraries, there is a benefit in having a standard | TLS libraries, there is a benefit in having a standard format for ECH | |||
| format for ECH key pairs and configs, just as was done with | key pairs and configs, just as was done with [RFC7468]. | |||
| [RFC7468]. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. ECHConfig file | 3. ECHConfig File | |||
| A PEM ECH file contains zero or one private key and one encoded | A PEM ECH file contains zero or one private key and one encoded | |||
| ECHConfigList. | ECHConfigList. | |||
| The public and private keys MUST both be PEM encoded [RFC7468]. The | The public and private keys MUST both be PEM encoded [RFC7468]. The | |||
| file contains the concatenation of the PEM encoding of the private | file contains the concatenation of the PEM encoding of the private | |||
| key (if present) followed by the PEM encoding of the public key(s) as | key (if present) followed by the PEM encoding of the public key(s) as | |||
| an ECHConfigList. When a private key is present, the ECHConfigList | an ECHConfigList. When a private key is present, the ECHConfigList | |||
| MUST contain an ECHConfig that matches the private key. The private | MUST contain an ECHConfig that matches the private key. The private | |||
| key MUST be encoded as a PKCS#8 PrivateKey [RFC7468]. The public | key MUST be encoded as a PKCS#8 PrivateKey [RFC7468]. The public | |||
| key(s) MUST be the base64 encoded (see Section 4 of [RFC4648]) form | key(s) MUST be the base64-encoded form (see Section 4 of [RFC4648]) | |||
| of an ECHConfigList value that can be published in the DNS using an | of an ECHConfigList value that can be published in the DNS using an | |||
| HTTPS RR as described in [I-D.ietf-tls-svcb-ech]. The string | HTTPS RR as described in [RFC9848]. The string "ECHCONFIG" MUST be | |||
| "ECHCONFIG" MUST be used in the PEM file delimiter for the public | used in the PEM file delimiter for the public key. | |||
| key. | ||||
| Any content after the PEM encoded ECHConfigList SHOULD be ignored. | Any content after the PEM encoded ECHConfigList SHOULD be ignored. | |||
| Figure 1 shows an example ECHConfig PEM File | Figure 1 shows an example ECHConfig PEM File | |||
| -----BEGIN PRIVATE KEY----- | -----BEGIN PRIVATE KEY----- | |||
| MC4CAQAwBQYDK2VuBCIEICjd4yGRdsoP9gU7YT7My8DHx1Tjme8GYDXrOMCi8v1V | MC4CAQAwBQYDK2VuBCIEICjd4yGRdsoP9gU7YT7My8DHx1Tjme8GYDXrOMCi8v1V | |||
| -----END PRIVATE KEY----- | -----END PRIVATE KEY----- | |||
| -----BEGIN ECHCONFIG----- | -----BEGIN ECHCONFIG----- | |||
| AD7+DQA65wAgACA8wVN2BtscOl3vQheUzHeIkVmKIiydUhDCliA4iyQRCwAEAAEA | AD7+DQA65wAgACA8wVN2BtscOl3vQheUzHeIkVmKIiydUhDCliA4iyQRCwAEAAEA | |||
| AQALZXhhbXBsZS5jb20AAA== | AQALZXhhbXBsZS5jb20AAA== | |||
| -----END ECHCONFIG----- | -----END ECHCONFIG----- | |||
| Figure 1: Example ECHConfig PEM file | Figure 1: Example ECHConfig PEM File | |||
| If the above ECHConfigList were published in the DNS for | If the above ECHConfigList were published in the DNS for | |||
| foo.example.com, then one could access that as shown in Figure 2. | foo.example.com, then one could access that as shown in Figure 2. | |||
| $ dig +short HTTPS foo.example.com | $ dig +short HTTPS foo.example.com | |||
| 1 . ech=AD7+DQA65wAgACA8wVN2BtscOl3vQheUzHeIkVmKIiydUhDCliA4iyQR | 1 . ech=AD7+DQA65wAgACA8wVN2BtscOl3vQheUzHeIkVmKIiydUhDCliA4iyQR | |||
| wAEAAEAAQALZXhhbXBsZS5jb20AAA== | wAEAAEAAQALZXhhbXBsZS5jb20AAA== | |||
| Figure 2: Use of dig to get the ECHConfigList from DNS | Figure 2: Use of Dig to Get the ECHConfigList from DNS | |||
| TLS servers using this file format might configure multiple file | TLS servers using this file format might configure multiple file | |||
| names as part of their overall configuration, if, for example, only | names as part of their overall configuration, if, for example, only | |||
| the ECHConfigList values from a subset of those files are to be used | the ECHConfigList values from a subset of those files are to be used | |||
| as the value for retry_configs in the ECH fallback scenario. | as the value for retry_configs in the ECH fallback scenario. | |||
| The ECHConfigList in a PEM file might contain more than one ECHConfig | The ECHConfigList in a PEM file might contain more than one ECHConfig | |||
| if, for example, those ECHConfig values contain different extensions | if, for example, those ECHConfig values contain different extensions | |||
| or different public_name values. Consistent with | or different public_name values. Consistent with [RFC9849], the | |||
| [I-D.ietf-tls-esni], the ECHConfig values within an ECHConfigList | ECHConfig values within an ECHConfigList appear in decreasing order | |||
| appear in decreasing order of preference. If the ECHConfigList value | of preference. If the ECHConfigList value is to be used as the | |||
| is to be used as the retry_configs value, then that might contain | retry_configs value, then that might contain different public keys. | |||
| different public keys. (Nonetheless, when a private key is present, | (Nonetheless, when a private key is present, that MUST match the | |||
| that MUST match the public key from one of the ECHConfig values.) | public key from one of the ECHConfig values.) | |||
| 4. Security Considerations | 4. Security Considerations | |||
| Storing cryptographic keys in files leaves them vulnerable should | Storing cryptographic keys in files leaves them vulnerable should | |||
| anyone get read access to the filesystem on which they are stored. | anyone get read access to the filesystem on which they are stored. | |||
| The same protection mechanisms that would be used for a server's PEM | The same protection mechanisms that would be used for a server's PEM- | |||
| encoded HTTPS certificate private key should be used for the PEM ECH | encoded HTTPS certificate private key should be used for the PEM ECH | |||
| configuration. | configuration. | |||
| The security considerations of [I-D.ietf-tls-svcb-ech] apply when | The security considerations of [RFC9848] apply when retrieving an | |||
| retrieving an ECHConfigList from the DNS. | ECHConfigList from the DNS. | |||
| For clarity, only the ECHConfigList is to be published in the DNS - | For clarity, only the ECHConfigList is to be published in the DNS - | |||
| the private key from an ECH PEM file MUST NOT be published in the | the private key from an ECH PEM file MUST NOT be published in the | |||
| DNS. | DNS. | |||
| 5. Acknowledgements | 5. IANA Considerations | |||
| Thanks to Daniel McCarney, Jim Reid and Peter Yee for comments. | ||||
| 6. IANA Considerations | ||||
| This document contains no IANA considerations. | This document has no IANA actions. | |||
| 7. References | 6. References | |||
| 7.1. Normative References | 6.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | |||
| <https://www.rfc-editor.org/info/rfc4648>. | <https://www.rfc-editor.org/info/rfc4648>. | |||
| skipping to change at page 5, line 5 ¶ | skipping to change at line 178 ¶ | |||
| April 2015, <https://www.rfc-editor.org/info/rfc7468>. | April 2015, <https://www.rfc-editor.org/info/rfc7468>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [I-D.ietf-tls-esni] | [RFC9849] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | |||
| Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | Encrypted Client Hello", RFC 9849, DOI 10.17487/RFC9849, | |||
| Encrypted Client Hello", Work in Progress, Internet-Draft, | February 2026, <https://www.rfc-editor.org/info/rfc9849>. | |||
| draft-ietf-tls-esni-25, 14 June 2025, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-tls- | ||||
| esni-25>. | ||||
| 7.2. Informative References | 6.2. Informative References | |||
| [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding | [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding | |||
| and Parameter Specification via the DNS (SVCB and HTTPS | and Parameter Specification via the DNS (SVCB and HTTPS | |||
| Resource Records)", RFC 9460, DOI 10.17487/RFC9460, | Resource Records)", RFC 9460, DOI 10.17487/RFC9460, | |||
| November 2023, <https://www.rfc-editor.org/info/rfc9460>. | November 2023, <https://www.rfc-editor.org/info/rfc9460>. | |||
| [I-D.ietf-tls-svcb-ech] | [RFC9848] Schwartz, B. M., Bishop, M., and E. Nygren, "Bootstrapping | |||
| Schwartz, B. M., Bishop, M., and E. Nygren, "Bootstrapping | TLS Encrypted ClientHello with DNS Service Bindings", | |||
| TLS Encrypted ClientHello with DNS Service Bindings", Work | RFC 9848, February 2026, | |||
| in Progress, Internet-Draft, draft-ietf-tls-svcb-ech-08, | <https://www.rfc-editor.org/info/rfc9848>. | |||
| 16 June 2025, <https://datatracker.ietf.org/doc/html/ | ||||
| draft-ietf-tls-svcb-ech-08>. | ||||
| Appendix A. Changes | ||||
| From -12 to -13: | ||||
| * Changes resulting from IESG review. | ||||
| From -11 to -12: | ||||
| * Changes resulting from IETF last call reviews. | ||||
| From -10 to -11: | ||||
| * Change to standards track as agreed with shepherd/AD. | ||||
| From -09 to -10: | ||||
| * Tweaks to fit being AD sponsored. | ||||
| From -08 to -09: | ||||
| * Minor clarification of encoding based on current OpenSSL ECH | ||||
| feature branch code. | ||||
| From -07 to -08: | ||||
| * Processed some github comments | ||||
| From -06 to -07: | ||||
| * Refresh due to expiry. | ||||
| From -05 to -06: | ||||
| * Refresh due to expiry. | ||||
| From -04 to -05: | ||||
| * Refresh due to expiry. | ||||
| From -03 to -04: | ||||
| * Refresh due to expiry. | ||||
| From -02 to -03: | ||||
| * Refresh due to expiry and not possible ISE destination | ||||
| From -01 to -02: | ||||
| * ECHO -> ECH | ||||
| From -00 to -01: | Acknowledgements | |||
| * ESNI -> ECHO | Thanks to Daniel McCarney, Jim Reid, and Peter Yee for comments. | |||
| Author's Address | Author's Address | |||
| Stephen Farrell | Stephen Farrell | |||
| Trinity College Dublin | Trinity College Dublin | |||
| Dublin | Dublin | |||
| 2 | 2 | |||
| Ireland | Ireland | |||
| Phone: +353-1-896-2354 | Phone: +353-1-896-2354 | |||
| Email: stephen.farrell@cs.tcd.ie | Email: stephen.farrell@cs.tcd.ie | |||
| End of changes. 27 change blocks. | ||||
| 140 lines changed or deleted | 76 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||