@LucaBongiorni
Forked from freddyb/enhanced-tls.md
Last active August 29, 2015 14:28

Enhanced TLS Security for non-HTTP protocols

Goal

The goal is to transplant the concepts of HTTP Strict Transport Security (HSTS) [1] and the Public Key Pinning Extension for HTTP [2] to other protocols that support TLS. We aim to do this for popular internet protocols like SMTP, POP, FTP, XMPP and IRC.

Strategy

  1. Identify status codes that are currently undefined and can be safely ignored by clients that do not support them.
  2. In this status code, the server SHOULD send a list of tokens describing its Enhanced TLS Security settings.
     2.1 foo

Enhanced TLS Security tokens

TODO: The actual grammar of the tokens is yet to be defined and may differ per protocol, depending on the set of characters each protocol allows.

Example, SMTP:

S: 220 smtp2.example.com ESMTP Postfix
C: EHLO bob.example.org
S: 250-smtp2.example.com Hello bob.example.org [192.0.2.201]
S: 250-SIZE 14680064
S: 250-PIPELINING
S: 250-ENHANCED-TLS STS: max-age=31536000; PKP: pin-sha256=abcd…;
S: 250 HELP
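As an added illustration, not part of the gist, the client side of the exchange above in Python: it picks the ENHANCED-TLS line out of an EHLO reply, records the STS max-age and the PKP pins, and checks a served certificate chain against those pins, computing each pin the RFC 7469 way (base64 of SHA-256 over the DER SubjectPublicKeyInfo). The gist leaves the token grammar undefined, so the ';'-separated, 'NAME: key=value' parsing and the SPKI byte strings below are assumptions.

```python
import base64
import hashlib
import re

# Constructed SubjectPublicKeyInfo bytes standing in for a server key and a
# backup key; real pins would be taken from the DER SPKI of real certificates.
SPKI_A = b"constructed-spki-der-for-server-key-A"
SPKI_B = b"constructed-spki-der-for-backup-key-B"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin (RFC 7469 s2.4): base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed EHLO reply modelled on the gist's SMTP example (CRLF line ends).
EHLO_REPLY = (
    "250-smtp2.example.com Hello bob.example.org [192.0.2.201]\r\n"
    "250-SIZE 14680064\r\n"
    "250-PIPELINING\r\n"
    f"250-ENHANCED-TLS STS: max-age=31536000; PKP: pin-sha256={spki_pin(SPKI_A)}; "
    f"pin-sha256={spki_pin(SPKI_B)};\r\n"
    "250 HELP\r\n"
)


def parse_enhanced_tls(ehlo_reply: str):
    """Return {'max_age': int|None, 'pins': set} from the ENHANCED-TLS line, or None.
    Assumed grammar (the gist defines none): ';'-separated fields; a field may start
    with a directive name ('STS:' / 'PKP:'), and bare 'key=value' fields belong to
    the most recent directive. Unknown directives and keys are ignored."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]ENHANCED-TLS\s+(.*)$", line)
        if not m:
            continue
        policy, directive = {"max_age": None, "pins": set()}, None
        for field in (f.strip() for f in m.group(1).split(";") if f.strip()):
            if ":" in field:
                directive, field = (p.strip() for p in field.split(":", 1))
            key, _, value = field.partition("=")  # base64 padding '=' stays in value
            if directive == "STS" and key == "max-age" and value.isdigit():
                policy["max_age"] = int(value)
            elif directive == "PKP" and key == "pin-sha256" and value:
                policy["pins"].add(value)
        return policy
    return None  # capability absent: a client that does not know it has nothing to enforce


def chain_is_pinned(policy, chain_spki_ders) -> bool:
    """RFC 7469 s2.6: accept if any SPKI in the served chain matches a known pin."""
    return any(spki_pin(der) in policy["pins"] for der in chain_spki_ders)
```

A real client would cache the parsed policy for max-age seconds per host, and on later connections refuse plaintext and refuse a chain that fails chain_is_pinned, which is the HSTS and HPKP behaviour the gist wants to carry over.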

Footnotes

  1. https://tools.ietf.org/html/rfc6797

  2. https://tools.ietf.org/html/rfc7469
