[Cryptography] Interesting new TLS RFC draft

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Apr 4 05:09:00 EDT 2017


In case anyone missed it:

   The Transport Layer Security (TLS) Extension to Support Code Execution
   draft-tls-yolo-rce

   https://mailarchive.ietf.org/arch/attach/tls/txtBOpyxc.txt

   Historically arbitrary code execution has been a TLS feature.  We can
   look to the openssl-too-open extension to the Secure Sockets Layer
   first introduced in 2002 as precedent, however more recently code
   execution was provided via Microsoft's SChannel library as documented
   in the [MS14-066] specification.  Other vendors have implemented code
   execution as an X.509 extension such as the [TALOS-2017-0296]
   specification which augments standard X.509 name constraints with
   code execution features.

   With the rapid adoption of TLS-based applications and rich history of
   vendor-specific code execution features implemented as library-
   specific point-solutions, we feel the TLS ecosystem could benefit
   from a standardized method for accepting a client-specified octet
   string of otherwise unspecified architecture-specific native code.

   [...]

Peter.

