]> OpenSSL

beck@openssl.org

Google LLC

davidben@google.com

devon.obrien@gmail.com

Meta

knekritz@meta.com

Security Transport Layer Security This document defines the TLS Trust Anchors extension, a mechanism for relying parties to convey trusted certification authorities. It describes individual certification authorities more succinctly than the TLS Certificate Authorities extension. Additionally, to support TLS clients with many trusted certification authorities, it supports a mode where servers describe their available certification paths and the client selects from them. Servers may describe this during connection setup, or in DNS for lower latency. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction TLS authentication uses X.509 certificates to associate the authenticating party's TLS key with its application identifiers, such as DNS names. These associations are signed by some certification authority (CA). The peer, or relying party, curates a set of CAs that are trusted to only sign correct associations, which allows it to rely on the TLS to authenticate application identifiers. Typically the authenticating party is the server and the relying party is the client. An authenticating party may need to interoperate with relying parties that trust different sets of CAs. defines the certificate_authorities extension to accommodate this. It allows the authenticating party to provision multiple certificates and select the one that will allow the relying party to accept its TLS key. This is analogous to parameter negotiation elsewhere in TLS. However, certificate_authorities's size is impractical for some applications. Existing PKIs may have many CAs, and existing CAs may have long X.509 names. As of August 2023, the Mozilla CA Certificate Program contained 144 CAs, with an average name length of around 100 bytes. Such TLS deployments often do not use trust anchor negotiation at all. Without a negotiation mechanism, the authenticating party must obtain a single certificate that simultaneously satisfies all relying parties. This is challenging when relying parties are diverse. PKI transitions, including those necessary for user security, naturally lead to relying party diversity, so the result is that service availability conflicts with security and overall PKI evolution:

• For an authenticating party to use a CA in its single certificate, all supported relying parties must trust the CA. PKI transitions then become difficult when authenticating parties support older, unupdated relying parties. This impacts both new keys from existing CA operators and new CA operators.
• When a relying party must update its policies to meet new security requirements, it adds to relying party diversity and the challenges that authenticating parties and CAs face. The relying party must then choose between compromising on user security or burdening the rest of the ecosystem, potentially impacting availability in the process.

To address this, this document introduces Trust Anchor Identifiers (Trust Anchor IDs). There are several parts to this mechanism:

1. defines trust anchor IDs, which are short, unique identifiers for X.509 trust anchors, or groups of trust anchors.
2. defines a TLS extension that communicates the relying party's requested trust anchors using trust anchor IDs. IDs that represent individual trust anchors can mitigate long X.509 names. IDs that represent groups of trust anchors can mitigate large trust anchor lists.
3. defines a retry mechanism that, when the relying party is a TLS client, can mitigate signaling failures. The server provides its available trust anchors alongside its certificate, so that the client can retry on mismatch. This can further mitigate large trust anchor lists by allowing the client to initially omit some trust anchors or use an otherwise too broad trust anchor group. However, this mitigation can come at the cost of additional round trips in some cases.
4. , finally, allows TLS servers to advertise their available trust anchors in HTTPS or SVCB DNS records. When the above options are insufficient, TLS clients can request an accurate initial subset and avoid a retry penalty.

Together, they reduce the size costs of trust anchor negotiation, supporting flexible and robust PKIs for more applications.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document additionally uses the TLS presentation language, defined in , and ASN.1, defined in .

Terminology and Roles This document discusses three roles:

Authenticating party:

The party authenticating itself in the protocol. In TLS, this is the side sending the Certificate and CertificateVerify message.

Relying party:

The party whom the authenticating party presents its identity to. In TLS, this is the side that validates a Certificate and CertificateVerify message.

Certification authority (CA):

The service issuing certificates to the authenticating party.

Additionally, there are several terms used throughout this document to describe this proposal:

Trust anchor:

A pre-distributed X.509 name and public key that relying parties use to determine whether a certification path is trusted. See . Trust anchors are sometimes configured as self-signed certificates.

Certification path:

An ordered list of X.509 certificates starting with the target certificate. Each certificate is issued by the next certificate, except the last, which is issued by a trust anchor.

Trust Anchor Identifiers This section defines trust anchor IDs, which are short, unique identifiers that represent either a trust anchor, or a group of trust anchors. When a trust anchor ID represents a group of trust anchors, it is known as a trust anchor group. A trust anchor ID is an object identifier (OID) under the OID arc of some IANA-registered Private Enterprise Number (PEN) . For compactness, they are represented as relative object identifiers (see Section 33 of ), relative to the OID prefix 1.3.6.1.4.1. For example, an organization with PEN 32473 might define a trust anchor ID with the OID 1.3.6.1.4.1.32473.1. As a relative object identifier, it would be the OID 32473.1. Depending on the protocol, trust anchor IDs may be represented in one of three ways:

• For use in ASN.1-based protocols, a trust anchor ID's ASN.1 representation is the relative object identifier described above. This may be encoded in DER , or some other ASN.1 encoding. The example ID's DER encoding is the six-octet sequence {0x0d, 0x04, 0x81, 0xfd, 0x59, 0x01}.
• For use in binary protocols such as TLS, a trust anchor ID's binary representation consists of the contents octets of the relative object identifier's DER encoding, as described in Section 8.20 of . Note this omits the tag and length portion of the encoding. The example ID's binary representation is the four-octet sequence {0x81, 0xfd, 0x59, 0x01}.
• For use in ASCII-compatible text protocols, a trust anchor ID's ASCII representation is the relative object identifier in dotted decimal notation. The example ID's ASCII representation is 32473.1.

The length of a trust anchor ID's binary representation MUST NOT exceed 255 bytes. It SHOULD be significantly shorter, for bandwidth efficiency. A trust anchor ID representing a single trust anchor SHOULD be allocated by the CA operator and be common among relying parties that trust the CA. They MAY be allocated by another party, e.g. when bootstrapping an existing ecosystem, if all parties agree on the ID. In particular, the protocol requires authenticating and relying parties to agree, and the authenticating party's configuration typically comes from the CA. A trust anchor ID representing a trust anchor group MAY be allocated by any party. However, to be useful, the group requires agreement between relying parties and authenticating parties. discusses defining trust anchor groups in more detail.

Trust Anchor Ranges Related trust anchor IDs can be allocated from a single OID arc, such as in the versioning construction described in . This section defines a trust anchor range, which describes a series of such IDs. Concretely, a trust anchor range is defined by three properties:

• A trust anchor ID base
• Two non-negative, 64-bit integers min and max

A trust anchor range is said to contain some trust anchor ID, id if the id, as a relative OID, is the concatenation of base and some integer component between min and max, inclusive. max can be set to 2⁶⁴-1 if there is no upper bound. The following procedure can be used to perform this check. It succeeds if the range contains id and fails otherwise:

1. Check that base does not end in the middle of an OID component. That is, check that the most-significant bit of the last byte of base is unset. If it is set, fail the procedure.
2. Check that base is a prefix of id. If not, fail the procedure. Let rest be id with the base prefix removed.
3. Decode rest as a minimally-encoded, big-endian, base-128 OID component as follows:
   1. If rest is empty, fail the procedure.
   2. If the most-significant bit of the last byte of rest is set, fail the procedure.
   3. If the most-significant bit of any other byte of rest is unset, fail the procedure.
   4. If the first byte of rest is 0x80, fail the procedure.
   5. Set v to zero. Throughout this procedure, v will be less than 2⁶⁴.
   6. For each byte b of rest:
      1. If v is greater than or equal to 2⁵⁷, fail the procedure.
      2. Set v to (v << 7) + (b & 127).
4. Check if min <= v <= max. If this is not true, fail the procedure. Otherwise, the procedure succeeds.

Authenticating Party Configuration Authenticating parties are configured with one or more candidate certification paths to present in TLS, in some preference order. This preference order is used when multiple candidate paths are usable for a connection. For example, the authenticating party may prefer candidates that minimize message size or have more performant private keys. Each candidate path that participates in this protocol must be configured with two properties:

• The trust anchor ID for its corresponding trust anchor.
• Optionally, a list of trust anchor group inclusions. A trust anchor group inclusion is a trust anchor range () that describes some trust anchor groups also containing the path's trust anchor.

These properties allow certificate selection (see ) to consider this path when a relying party advertises a matching trust anchor ID. It is RECOMMENDED, though not required, that this information come from the CA. defines a RECOMMENDED format for this information, along with an optional ACME extension for CAs to send it. Authenticating parties MAY have candidate certification paths without these associated properties. Such paths will not participate in this protocol. They MAY participate in other trust anchor negotiation protocols, such as the certificate_authorities extension.

Relying Party Configuration Relying parties are configured with one or more supported trust anchors. Each trust anchor that participates in this protocol must have an associated trust anchor ID. When trust anchors are represented as X.509 certificates, the X.509 trust anchor ID extension MAY be used to carry this ID. The trust anchor ID extension has an extnID of id-pe-trustAnchorID and an extnValue containing a DER-encoded TrustAnchorID structure, defined below. The TrustAnchorID is the trust anchor ID's ASN.1 representation, described in . This extension MUST be non-critical. Relying parties MAY instead or additionally configure trust anchor IDs via some application-specific out-of-band information. Relying parties MAY additionally be configured with trust anchor groups that include their trust anchors. When authenticating parties are known to be configured with corresponding inclusion lists (), this can further reduce the size of messages sent by the relying party. Relying parties MAY support trust anchors without associated trust anchor IDs, but such trust anchors will not participate in this protocol. Those trust anchors MAY participate in other trust anchor negotiation protocols, such as the certificate_authorities extension.

TLS Extension This section defines the trust_anchors extension, which is sent in the ClientHello, EncryptedExtensions, CertificateRequest, and Certificate messages in TLS 1.3 or later.

Overview The trust_anchors extension is defined using the structures below: ; /* These types differ in whether they may be empty. */ TrustAnchorID RequestedTrustAnchorList<0..2^16-1>; TrustAnchorID AvailableTrustAnchorList<1..2^16-1>; ]]> When the extension is sent in the ClientHello or CertificateRequest messages, the extension_data is a RequestedTrustAnchorList and indicates that the sender supports the specified trust anchors or trust anchor groups. The list is unordered, and MAY be empty. Each TrustAnchorID uses the binary representation, as described in . When the extension is sent in EncryptedExtensions, the extension_data is an AvailableTrustAnchorList containing the list of individual trust anchors for which the server has a candidate path. This list is ordered matching the server's candidate path preference order, and MUST NOT be empty. When the extension is sent in Certificate, the extension_data MUST be empty and indicates that the sender sent the certificate because the certificate matched a trust anchor ID sent by the peer. When used in this form, the extension may only be sent in the first CertificateEntry. It MUST NOT be sent in subsequent ones.

Certificate Selection A trust_anchors extension in the ClientHello or CertificateRequest is processed similarly to the certificate_authorities extension. The relying party indicates some set of supported trust anchors in the ClientHello or CertificateRequest trust_anchors extension. The authenticating party then selects a certificate from its candidate certification paths (see ), as described in and . This process is extended as follows: If the ClientHello or CertificateRequest contains a trust_anchors extension, the authenticating party SHOULD send a certification path such that either:

• The path's trust anchor ID appears in the relying party's trust_anchors extension.
• One of the path's trust anchor group inclusions contains some ID in the relying party's trust_anchors extension.

If the ClientHello or CertificateRequest contains both trust_anchors and certificate_authorities, certification paths that satisfy either extension's criteria may be used. This additionally applies to future extensions which play a similar role. If no certification paths satisfy either extension, the authenticating party MAY return a handshake_failure alert, or choose among fallback certification paths without considering trust_anchors or certification_authorities. See for additional guidance on selecting a fallback when the ClientHello contains trust_anchors. Sending a fallback allows the authenticating party to retain support for relying parties that do not implement any form of trust anchor negotiation. In this case, the authenticating party must find a sufficiently ubiquitous trust anchor, if one exists. However, only those relying parties need to be considered in this ubiquity determination. Updated relying parties may continue to evolve without restricting fallback certificate selection. If the authenticating party sends a certification path that matches the relying party's trust_anchors extension, as described in , the authenticating party MUST send an empty trust_anchors extension in the first CertificateEntry of the Certificate message. In this case, the certificate_list flexibility described in no longer applies. The certificate_list MUST contain a complete certification path, issued by the matching trust anchor, correctly ordered and with no extraneous certificates. That is, each certificate MUST certify the one immediately preceding it, and the trust anchor MUST certify the final certificate. The authenticating party MUST NOT send the trust_anchors extension in the Certificate message in other situations. If a relying party receives this extension in the Certificate message, it MAY choose to disable path building and validate the peer's certificate list as pre-built certification path. Doing so avoids the unpredictable behavior of path-building, and helps ensure CAs and authenticating parties do not inadvertently provision incorrect paths.

Retry Mechanism When the relying party is a client, it may choose not to send its full trust anchor ID list due to fingerprinting risks (see ), or because the list is too large. The client MAY send a subset of supported trust anchors, or an empty list. This subset may be determined by, possibly outdated, prior knowledge about the server, such as or past connections. To accommodate this, when receiving a ClientHello with trust_anchors, the server collects all candidate certification paths which:

• Have a trust anchor ID, and
• Satisfy the conditions in , with the exception of certification_authorities, and any future extensions that play a similar role

If this collection is non-empty, the server sends a trust_anchors extension in EncryptedExtensions, containing the corresponding trust anchor IDs in preference order. When a client sends a subset or empty list in trust_anchors, it SHOULD implement the following retry mechanism: If the client receives either a connection error or an untrusted certificate, the client looks in server's EncryptedExtensions for a trust anchor ID that it trusts. If there are multiple, it selects an option based on the server's preference order and its local preferences. It then makes a new connection to the same endpoint, sending only the selected trust anchor ID in the ClientHello trust_anchors extension. If the EncryptedExtensions had no trust_anchor extension, or no match was found, the client returns the error to the application. Clients SHOULD retry at most once per connection attempt. [[TODO: Retrying in a new connection is expensive and cannot be done from within the TLS stack in most implementations. Consider handshake modifications to instead retry within the same connection. https://github.com/tlswg/tls-trust-anchor-ids/issues/53 ]] This mechanism allows the connection to recover from a certificate selection failure, e.g. due to the client not revealing its full preference list, at additional latency cost. describes an optimization which can avoid this cost. This mechanism also allows servers to safely send fallback certificates that may not be as ubiquitously acceptable. Without some form of trust anchor negotiation, servers are limited to selecting certification paths that are ubiquitously trusted in all supported clients. This often means sending extra cross-certificates to target the lowest common denominator at a bandwidth cost. If the ClientHello contains trust_anchors, the server MAY opportunistically send a less ubiquitous, more bandwidth-efficient path based on local heuristics, with the expectation that the client will retry when the heuristics fail.

Trust Anchor Groups A trust anchor ID is typically much smaller than the corresponding X.509 name. Depending on the number of trust anchors, this can be sufficient to efficiently represent relying party state. PKIs where further size savings are needed can use trust anchor groups (). Trust anchor groups require additional coordination within a PKI, but they can further reduce relying party message sizes by allowing one ID to signal multiple trust anchors. To be usable, a trust anchor group must:

• be known to and sent by relying parties (see ); and
• configured with candidate paths in authenticating parties (see ), ideally provided by the CA during issuance (see ).

This document does not prescribe how to define trust anchor groups, but gives some general guidance: A trust anchor group specifies a collection of trust anchors, which a relying party can send to represent the contents. For example:

• A set of root CAs (or intermediate CAs, as in ) operated by a CA operator.
• A set of trust anchors common to large set of relying parties.
• A set of related application-specific trust anchors, such as a range of Merkle Tree Certificate landmarks .

Different group definitions trade off size savings, applicability, and coordination overhead. A group that reflects a single CA operator will cover fewer trust anchors, so a relying party might combine several operators' IDs to describe its trust anchors. However, it is generally usable by relying parties that trust this CA operator. Such a group also requires minimal coordination for the CA operator to provide group inclusion information () with the certificate. Conversely, a group that reflects a single relying party vendor can potentially be the only ID sent. However, it may be less generally usable when relying parties differ. Groups reflecting multiple relying party vendors are more broadly usable, but may need to be combined with other IDs in a given relying party. For example, a relying party might send a group containing established CAs common to its ecosystem, and individual IDs for its remaining, not yet as common CAs. A client relying party MAY send a group containing CAs it does not trust, however it SHOULD then be prepared to retry (see ) in case of signaling failure. The authenticating party selection process described in can implemented generically for any trust anchor group. This allows deployments to tailor their group allocation based on their needs, without requiring software updates in authenticating parties. Where feasible, deployments SHOULD use groups that are more broadly applicable and require lower coordination overhead.

Versioned Groups Over time, a group may become out-of-date, making it describe current relying parties less effectively. For example, a CA operator may deploy or turn down a CA instance, or a relying party may trust a new CA or distrust an existing CA. Existing trust anchor groups SHOULD NOT be redefined, but the following versioning scheme MAY be used to define updated groups: A versioned sequence of trust anchor groups is identified by a OID arc. Each group has an ID of this OID arc, with a non-negative integer version number component appended. For example, versioned groups using the OID arc 32473.2 would have IDs 32473.2.0, 32473.2.1, 32473.2.2, and so on. When defining a new group version, the version component is incremented. The trust anchor group inclusion for a candidate path is a trust anchor range () determined as follows:

• At issuance, if the trust anchor is no longer in the latest group version, the range's min and max values are the first and last version that include the trust anchor, respectively.
• At issuance, if the trust anchor is in the latest group version, the range's min value is the first version that includes the trust anchor, and its max value is 2⁶⁴-1.

In the second case, the range contains not-yet-defined group versions, so there is a potential signaling error. Suppose, after issuance, a new group version is defined without the trust anchor. The unlimited upper bound is now incorrect. A relying party might not trust this trust anchor, while sending this new group version. However, the authenticating party will misinterpret the certificate as compatible based on its stale information. Such signaling errors may result in the wrong certificate being selected. This can be mitigated in one several ways:

• Only pre-existing certificates are impacted. Newly-issued certificates postdate this version and will have the correct upper bound. When the certificate is renewed, group inclusions will be corrected.
• describes a trust anchor removal strategy that only impacts newly-issued certificates. In this case, no renewal is needed. Pre-existing group inclusions remain accurate under this strategy.
• If the authenticating party's preferences place the correct candidate path (issued by a newer trust anchor) ahead of misinterpreted one (issued by the removed trust anchor), the correct candidate will still be chosen.
• When the relying party is a client, any remaining signaling errors can be corrected with the retry mechanism described in .

DNS Service Parameter This section defines the tls-trust-anchors SvcParamKey . TLS servers can use this to advertise their available trust anchors in DNS, and aid the client in formulating its trust_anchors extension (see ). This allows TLS deployments to support clients with many trust anchors without incurring the overhead of a reconnect.

Syntax The tls-trust-anchors parameter contains an ordered list of one or more trust anchor IDs, in server preference order. The presentation value of the SvcParamValue is a non-empty comma-separated list (). Each element of the list is a trust anchor ID in the ASCII representation defined in . Any other value is a syntax error. To enable simpler parsing, this SvcParam MUST NOT contain escape sequences. The wire format of the SvcParamValue is determined by prefixing each trust anchor ID with its length as a single octet, then concatenating each of these length-value pairs to form the SvcParamValue. These pairs MUST exactly fill the SvcParamValue; otherwise, the SvcParamValue is malformed. For example, if a TLS server has three available certification paths issued by 32473.1, 32473.2.1, and 32473.2.2, respectively, the DNS record in presentation syntax may be: The wire format of the SvcParamValue would be the 17 octets below. In the example, the octets comprising each trust anchor ID are placed on separate lines for clarity

Configuring Services Services SHOULD include the trust anchor ID for each of their available certification paths, in preference order, in the tls-trust-anchors of their HTTPS or SVCB endpoints. As TLS configuration is updated, services SHOULD update the DNS record to match. The mechanism for this is out of scope for this document, but services are RECOMMENDED to automate this process. Services MAY have certification paths without trust anchor IDs, but those paths will not participate in this mechanism.

Client Behavior When connecting to a service endpoint whose HTTPS or SVCB record contains the tls-trust-anchors parameter, the client first computes the intersection between its configured trust anchors and the server's provided list. If this intersection is non-empty, the client MAY use it to determine the trust_anchors extension in the ClientHello (see ). If doing so, the client MAY send a subset of this intersection to meet size constraints, but SHOULD offer multiple options. This reduces the chance of a reconnection if, for example, the first option in the intersection uses a signature algorithm that the client doesn't support, or if the TLS server and DNS configuration are out of sync. Although this service parameter is intended to reduce trust anchor mismatches, mismatches may still occur in some scenarios. Clients and servers MUST continue to implement the provisions described in , even when using this service parameter.

Certificate Properties As described in , certification paths participating in this mechanism must be configured with a trust anchor ID. This section introduces a RECOMMENDED extensible CertificatePropertyList structure for representing this and other additional properties of a certification path. CertificatePropertyLists may be used as part of authenticating party configuration, and for CAs to communicate additional properties during certificate issuance. The extensibility aims to simplify application deployment as PKI mechanisms evolve. When certificate issuance and application software is updated to pass this structure to the underlying TLS implementation, new properties may be transparently defined without changes to certificate and configuration management. A CertificatePropertyList is defined using the TLS presentation language () below: ; } CertificateProperty; CertificateProperty CertificatePropertyList<0..2^16-1>; ]]> The entries in a CertificatePropertyList MUST be sorted numerically by type and MUST NOT contain values with a duplicate type. Inputs that do not satisfy these invariants are syntax errors and MUST be rejected by parsers. This document defines two properties:

• trust_anchor_id, defined in
• trust_anchor_group_inclusions, defined in

Future documents MAY define other properties for use with other mechanisms. Such a document MUST define the format of the data field and how authenticating parties interpret the property. Authenticating parties MUST ignore properties with unrecognized CertificatePropertyType values.

Trust Anchor ID Property The trust_anchor_id property's data field contains the binary representation of the trust anchor ID of the certification path's trust anchor, as described in .

Trust Anchor Group Inclusions Property The trust_anchor_group_inclusions property's data field contains the certification path's trust anchor group inclusions, as described in . Each trust anchor group inclusion is described in a TrustAnchorRangeList structure, defined below. Each TrustAnchorRange structure describes a trust anchor range, as defined in . ; ]]>

Media Type A certification path with its associated CertificatePropertyList may be represented in a PEM structure in a file of type "application/pem-certificate-chain-with-properties". Files of this type MUST use the strict encoding and MUST NOT include explanatory text. The ABNF for this format is as follows, where "stricttextualmsg" and "eol" are as defined in : The first element MUST be the encoded CertificatePropertyList. The second element MUST be an end-entity certificate. Each following certificate MUST directly certify the one preceding it. The certificate representing the trust anchor MUST be omitted from the path. CertificatePropertyLists are encoded using the "CERTIFICATE PROPERTIES" label. The encoded data is a serialized CertificatePropertyList, defined in . Certificates are encoded as in , except DER MUST be used. The following is an example file with a certification path containing an end-entity certificate and an intermediate certificate. The IANA registration for this media type is described in .

ACME Extension The format defined in can be used with ACME's alternate format mechanism (see ) as follows. When downloading certificates, a supporting client SHOULD include "application/pem-certificate-chain-with-properties" in its HTTP Accept header (). When a supporting server sees such a header, it MAY then respond with that format to include a CertificatePropertyList with the certification path. This CertificatePropertyList MAY include trust_anchor_id and trust_anchor_group_inclusions properties for use with this protocol, or other properties defined in another document. When used with ACME's alternate certificate chain mechanism (see ), this protocol removes the need for heuristics in determining which path to serve to which relying party. The authenticating party MAY combine the resulting certification paths with those from other ACME orders, or other sources, for a complete set of candidate paths to serve.

Use Cases trust_anchors, like certificate_authorities, implements trust anchor negotiation. That is, it allows an authenticating party to incorporate relying party trust anchors into certificate selection. trust_anchors allows a wider range of TLS applications to use trust anchor negotiation, notably those that would be unable to use certificate_authorities due to size or privacy limitations. Without trust anchor negotiation, authenticating parties are limited to CAs in the intersection of all supported relying parties. However, trust anchors can vary significantly between different relying party implementations and different versions of a single relying party implementation, particularly as PKIs evolve to meet user security needs. As security-positive PKI changes increase variance, this intersection shrinks. This leads to a conflict between user security and service availability. When the authenticating party cannot serve a certificate in the intersection, either the relying party must risk user security by not changing the PKI, or the authenticating party must degrade service availability by dropping support for some relying parties. The rest of this section discusses uses cases for trust anchor negotiation.

Making Use of Newly-Trusted CAs When one relying party trusts a new CA, other relying parties, such as older ones, may not yet trust it. Trust anchor negotiation allows an authenticating party to negotiate a certificate from the newer CA with relying parties that do trust it, while continuing to negotiate another certificate with relying parties that do not. This allows PKI transitions to progress smoothly. Connections can make use of, for example, a new CA's stronger signature algorithms, stronger validation practices, better automation, or more efficient certificate sizes, without interruptions to other connections. Without negotiation, the authenticating party is limited to its relying parties' intersection and must wait for every supported relying party to be updated before the transition even begins. This wait could often take many years. In some cases, such as with IoT devices, relying parties may never receive updates. In some contexts, other fields can provide a partial signal. For example, post-quantum-capable relying parties may be detected with the signature_algorithms and signature_algorithms_cert extensions. However, this relies on all post-quantum CAs being added at roughly the same time and that they are sufficiently interchangeable to be negotiated with these extensions. Trust anchor negotiation directly addresses this problem and allows for both gradual and possibly heterogeneous deployment of post-quantum CAs across relying parties.

Removing Untrustworthy CAs When CAs are determined to be untrustworthy, relying parties must remove them to mitigate the risk to user security. Over time, this shrinks their intersection with older relying parties. Without negotiation, the result is authenticating parties have fewer and fewer CA choices available. Even determining the intersecting CAs can be difficult. Often, the only option is to try the new certificate and monitor errors. For authenticating parties that serve many diverse relying parties, this is a disruptive and risky process. Trust anchor negotiation removes this constraint. If an authenticating party's CA is distrusted, it can use a new CA in addition to the existing one. The addition does not risk outages for older relying parties and may be chosen from a wider set of CAs, as it only needs to be compatible with the relying parties that distrusted the other CA. Over time, the authenticating party can monitor which certificates it serves, and re-evaluate which CA or CAs to use. For example, it may find the new CA was sufficient, or that older relying parties have since all been updated. However, user security depends on the relying party's trust anchors, not the authenticating party's choice of CA, so this can occur asynchronously, based on serving needs and costs, rather than delay the response to a security incident.

Key Rotation Despite the severity of root CA private key compromise and the benefits of routinely rotating cryptographic key material, such rotation in PKIs is often very rare. In 2023, the oldest root in and was 25 years old, dating to 1998. Key rotation in PKIs used in TLS is challenging, as it combines the challenges described in both and . Without trust anchor negotiation, authenticating parties cannot switch to the new root as long as any supported older relying party requires the old root. That, in turn, means relying parties cannot distrust the old root, leaving them vulnerable. Trust anchor negotiation offers a smooth transition for CA key rotation. The CA can provide certification paths for the old and new roots. The authenticating party can then serve both paths without impacting older relying parties. New relying parties can then distrust the old root.

Other Root Transitions The mechanisms in this document can aid PKI transitions beyond key rotation. For example, a CA operator may generate a postquantum root CA and issue from the classical and postquantum roots concurrently. The authenticating party will then, transparently and with no configuration change, serve both. As in , newer relying parties can then remove the classical roots, while older relying parties continue to function. This same procedure may also be used to transition between newer, more size-efficient signature algorithms, as they are developed.

Intermediate Elision In my PKIs, root CAs issue shorter-lived intermediate certificates which, in turn, issue end-entity certificates. This comes at a bandwidth cost: the TLS handshake includes an extra certificate, which includes a public key, signature, and X.509 metadata. Post-quantum signature algorithms will dramatically increase this cost. ML-DSA-65 , for example, has a total public key and signature size of 5,261 bytes. predistributes a specific set of intermediate CA certificates to relying parties so that these certificates can be omitted from TLS connections, as a compression scheme. Negotiating intermediate CAs as short-lived trust anchors also achieves this effect, but is usable by more relying parties than the specific intermediate set accommodates. In this model, a CA operator provides authenticating parties with two certification paths: a longer path ending at a long-lived root and shorter path the other ending at a short-lived root. Relying parties trust both the long-lived root and the most recent short-lived root. The authenticating party sends the shorter path when possible, falling back to the longer path when the relying party’s short-lived root is stale. This achieves the same effect with a simpler and more flexible, general-purpose mechanism.

Conflicting Relying Party Requirements An authenticating party may need to support relying parties with different, potentially conflicting requirements. For example, in contexts where online revocation checks are expensive, unreliable, or privacy-sensitive, user security is best served by short-lived certificates. In other contexts, long-lived certificates may be more appropriate for, e.g., systems that are offline for long periods of time or have unreliable clocks. Trust anchor negotiation allows these conflicts to be resolved by different trust anchors where necessary. This avoids the need to compromise on user security or service availability.

Backup Certificates An authenticating party may obtain certification paths from multiple CAs for redundancy. If one CA is compromised and removed from newer relying parties, the TLS server software will be able to gracefully serve a backup certification path, avoiding the immediate breakage that would otherwise be caused by this removal.

Public Key Pinning To reduce security risk from misissued certificates, relying parties sometimes employ public key pinning . Pinning effectively reduces a relying party's trust anchor list to a subset of the original set. As other relying parties in the PKI evolve, the pinning relying party limits the authenticating party to satisfy both the pinning constraint and newer constraints in the PKI. This can lead to conflicts if, for example, the pinned CA is distrusted by a newer relying party. The authenticating party is then forced to either break the pinning relying party, or break the newer ones. Trust anchor negotiation reduces this conflict, provided the pinning relying party negotiates with its reduced trust anchor list. The authenticating party can then use a certificate from the pinned CA with the pinning relying party, and another CA with other relying parties.

Privacy Considerations

Relying Parties The trust_anchors extension is analogous to the certificate_authorities extension (), but more size-efficient. Like certificate_authorities, trust_anchors reveals some information about the relying party's trust anchors. However, unlike certificate_authorities, trust_anchors allows a relying party to only reveal a trust anchor in response to the authenticating party's list, which reduces the fingerprinting exposure. This section provides guidance for a relying party to configure this mechanism, based on its privacy goals. When using this extension, a relying party's trust anchors may be divided into three categories:

1. Trust anchors whose IDs the relying party never sends, but still trusts. These are trust anchors that do not participate in this mechanism.
2. Trust anchors whose IDs the relying party sends conditionally, i.e. only if the server offers them. For example, the relying party may indicate support for a trust anchor if its ID is listed in the server's HTTPS/SVCB record or trust anchor list in EncryptedExtensions.
3. Trust anchors whose IDs the relying party sends unconditionally, i.e. independently of the authenticating party's behavior.

Each of these categories carries a different fingerprinting exposure: Trust anchors that do not participate are not revealed by this extension. However, they have some fingerprinting exposure due to being trusted. Given a certification path, an authenticating party can probe whether the relying party trusts the trust anchor by seeing if the relying party accepts it. Trust anchor IDs sent in response to the authenticating party can only be observed actively. That is, the authenticating party could vary its list and observe how the client responds, in order to probe for the client's trust anchor list. This is similar to the exposure of trust anchors not participating in this extension, except that the trust anchor can be probed by only knowing the trust anchor ID. Trust anchor IDs sent unconditionally can be observed passively. This mode is analogous to the certificate_authorities extension. Relying parties SHOULD NOT unconditionally advertise trust anchor lists that are unique to an individual user. Rather, unconditionally-advertised lists SHOULD be empty or computed only from the trust anchors common to the relying party's anonymity set (). Relying parties SHOULD determine which trust anchors participate in this mechanism, and whether to advertise them unconditionally or conditionally, based on their privacy goals. PKIs that reliably use the DNS service parameter () can rely on conditional advertisement for stronger privacy properties without a round-trip penalty. Additionally, a relying party that computes the trust_anchors extension based on prior state may allow observers to correlate across connections. Relying parties SHOULD NOT maintain such state across connections that are intended to be uncorrelated. As above, implementing the DNS service parameter can avoid a round-trip penalty without such state.

Authenticating Parties If the authenticating party is a server, the mechanisms in and enumerate the trust anchors for the server's available certification paths. This mechanism assumes they are not sensitive. Servers SHOULD NOT use this mechanism to negotiate certification paths with sensitive trust anchors. In servers that host multiple services, this protocol only enumerates certification paths for the requested service. If, for example, a server uses the server_name extension to select services, the addition to EncryptedExtensions in is expected to be filtered by server_name. Likewise, the DNS parameter in only contains information for the corresponding service. In both cases, co-located services are not revealed. The above does not apply if the authenticating party is a client. This protocol does not enumerate the available certification paths for a client.

Security Considerations

Incorrect Selection Metadata If the authenticating party has provisioned certification paths with incorrect trust anchor IDs, it may negotiate inaccurately and send an untrusted path to the relying party when another candidate would have been trusted. This will not result in the untrusted path becoming trusted, but the connection will fail.

Trust Anchor Negotiation Both the trust_anchors and certificate_authorities () extensions implement trust anchor negotiation, so security considerations are largely unchanged from certificate_authorities. This section discusses security considerations for trust anchor negotiation in general.

Relying Party Policies PKI-based TLS authentication depends on the relying party's certificate policies. If the relying party trusts an untrustworthy CA, that CA can intercept TLS connections made by that relying party by issuing certificates associating the target name with the wrong TLS key. This attack vector is available with or without trust anchor negotiation. The negotiation mechanism described in this document allows certificate selection to reflect a relying party's certificate policies. It does not determine the certificate policies themselves. Relying parties remain responsible for trusting only trustworthy CAs, and untrustworthy CAs remain a security risk when trusted.

Agility As with other TLS parameters, negotiation reduces a conflict between availability and security, which allows PKIs to better mitigate security risks to users. When relying parties in an existing TLS ecosystem improve their certificate policies, trust anchor negotiation helps authenticating parties navigate differences between those relying parties and existing relying parties. Each set of requirements may be satisfied without compatibility risk to the other. discusses such scenarios in more detail. Negotiation also reduces pressures on relying parties to sacrifice user security for compatibility. If a relying party does not trust an authenticating party's current CA, connections between the two will fail until either the relying party trusts the CA or the authenticating party uses an already trusted CA. Without trust anchor negotiation, the authenticating party is limited to one certificate, and therefore switching CAs risks compatibility problems with other relying parties. The relying party then faces compatibility pressure to add this CA, even if it deems the CA a security risk. With trust anchor negotiation, the authenticating party can use its existing CA in addition to another CA trusted by the relying party. This allows the ecosystem to improve interoperability without sacrificing user security.

Serving Multiple Certificates Trust anchor negotiation reduces compatibility pressures against authenticating parties serving certificates from a less common CA, as they can be served with other certificates. In some cases, the CA may have been distrusted, but still used to support older relying parties. As discussed in and , this capability aids PKI transitions that mitigate security risks to users. Even if the CA is untrustworthy, these certificates do not enable the CA to decrypt or intercept the connection. If a certificate asserts the correct information about the authenticating party, notably the correct public key, the authenticating party can safely present it. Issuing a certificate for the authenticating party's public key does not grant the CA access to the corresponding private key. Conversely, if the attacker already has access to the authenticating party's private key, they do not need to be in control of a CA to intercept a connection. Rather, it is the relying party's choice of trusted CAs that determines susceptibility to interception. If the relying party trusts a misbehaving or attacker-controlled CA, the attacker can intercept the connection with a public key certified by that CA, regardless of which CA is used by the intended authenticating party. Conversely, if the relying party does not trust the attacker's CA, the attacker cannot successfully intercept the connection using a public key certified by this CA. Choosing trusted CAs is a complex, security-critical process, the full considerations of which are outside the scope of this document. Relying parties thus SHOULD NOT interpret the authenticating party's choice of CA as an endorsement of the CA. Trusting a CA means trusting all certificates issued by that CA, so it is not enough to observe correct certificates from an authenticating party. An untrustworthy CA may sign one correct certificate, but also sign incorrect certificates, possibly in the future, that can attack the relying party.

Targeting TLS Interception A network attacker in possession of a misissued certificate could use trust anchor negotiation to differentiate clients and only enable TLS interception with clients that accept the certificate. The network attacker may wish to do this to reduce the odds of detection. However, trust anchor negotiation only impacts detection where this differentiation was not already possible. In TLS, the client offers all its available TLS features, including cipher suites and other extensions, in the TLS ClientHello. Any variation in client TLS policies, related or unrelated to trust anchors, may be used as a fingerprint. Transport properties, such as IP geolocation, may also be used. While fingerprinting's heuristic nature makes broad, legitimate use difficult, a network attacker's single interception service can easily use it for targeted attacks. If the attacker targets any clients that enforce Certificate Transparency , the misissued certificates will need to be publicly logged. In this case, detection is more robust, and client differentiation, with or without trust anchor negotiation, has no significant impact.

IANA Considerations

TLS ExtensionType Updates IANA is requested to create the following entry in the TLS ExtensionType Values registry, defined by :

Value	Extension Name	TLS 1.3	DTLS-Only	Recommended	Reference
TBD	trust_anchors	CH, EE, CR, CT	N	Y	[this-RFC]

Media Type Updates IANA is requested to create the following entry in the "Media Types" registry, defined in :

Type name:

application

Subtype name:

pem-certificate-chain-with-properties

Required parameters:

None

Optional parameters:

None

Encoding considerations:

7bit

Security considerations:

Carries a cryptographic certificate and its associated certificate chain and additional properties. This media type carries no active content.

Interoperability considerations:

None

Published specification:

[this-RFC, ]

Applications that use this media type:

ACME clients and servers, HTTP servers, other applications that need to be configured with a certificate chain

Additional information:

Deprecated alias names for this type:

n/a

Magic number(s):

n/a

File extension(s):

.pem

Macintosh file type code(s):

n/a

Person & email address to contact for further information:

See Authors' Addresses section.

Intended usage:

COMMON

Restrictions on usage:

n/a

Author:

See Authors' Addresses section.

Change controller:

IETF

PKIX Registry Updates IANA is requested to create the following entry in the SMI Security for PKIX Module Identifier registry, defined by :

Decimal	Description	References
TBD	id-mod-trustAnchorIDs-2025	[this-RFC]

IANA is requested to create the following entry in the SMI Security for PKIX Certificate Extension registry, defined by :

Decimal	Description	References
TBD	id-pe-trustAnchorID	[this-RFC]

CertificatePropertyType Registry [[TODO: Establish a CertificatePropertyType registry.]]

References Normative References ITU-T ITU-T This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document describes how Private Enterprise Numbers (PENs) are registered by IANA. It shows how to request a new PEN and how to modify a current PEN. It also gives a brief overview of PEN uses. Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation. This document provides guidance and recommendations to developers building X.509 public-key certification paths within their applications. By following the guidance and recommendations defined in this document, an application developer is more likely to develop a robust X.509 certificate-enabled application that can build valid certification paths across a wide range of PKI environments. This memo provides information for the Internet community. This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate. Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK] The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content. This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. When the Public-Key Infrastructure using X.509 (PKIX) Working Group was chartered, an object identifier arc was allocated by IANA for use by that working group. This document describes the object identifiers that were assigned in that arc, returns control of that arc to IANA, and establishes IANA allocation policies for any future assignments within that arc. Informative References Chromium Mozilla National Institute of Standards and Technology (NIST) Google LLC Apple Inc. Cloudflare Cloudflare Geomys This document describes Merkle Tree certificates, a new form of X.509 certificates which integrate public logging of the certificate, in the style of Certificate Transparency. The integrated design reduces logging overhead in the face of both shorter-lived certificates and large post-quantum signature algorithms, while still achieving comparable security properties to traditional X.509 and Certificate Transparency. Merkle Tree certificates additionally admit an optional size optimization that avoids signatures altogether, at the cost of only applying to up-to-date relying parties and older certificates. Mozilla This draft defines a new TLS Certificate Compression scheme which uses a shared dictionary of root and intermediate WebPKI certificates. The scheme smooths the transition to post-quantum certificates by eliminating the root and intermediate certificates from the TLS certificate chain without impacting trust negotiation. It also delivers better compression than alternative proposals whilst ensuring fair treatment for both CAs and website operators. It may also be useful in other applications which store certificate chains, e.g. Certificate Transparency logs. This document defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities. This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs. Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.

ASN.1 Module

Acknowledgements The authors thank Nick Harper, and Emily Stark for many valuable discussions and insights which led to this document. Thanks also to Aaron Gable for providing feedback on ACME extensions.