Client Certificate URL extension

E258093

The Client Certificate URL extension is a Transport Layer Security (TLS) mechanism that allows a client to provide a URL from which its certificate can be retrieved, rather than sending the certificate directly in the handshake.

All labels observed (1)

Label Occurrences
Client Certificate URL extension canonical 2

How this entity was disambiguated

Statements (42)

Predicate Object
instanceOf TLS extension
Transport Layer Security mechanism
alsoKnownAs client_certificate_url TLS extension
appearsInMessage CertificateURL
ClientHello
benefit enables centralized certificate hosting
reduces handshake message size
supports clients with large certificate chains
category TLS client certificate handling
dataCarried one or more URLs referencing client certificate or certificate chain
definedBy Internet Engineering Task Force
definedIn RFC 6066
designGoal improve efficiency of client certificate transmission
support constrained clients or networks with limited bandwidth
extensionType TLS hello extension
introducedIn TLS 1.0
mayUse HTTP URL
HTTPS URL
mechanism client sends a URL reference instead of an X.509 certificate
messageType TLS extension in ClientHello
negotiation indicated by client in ClientHello extensions list
notApplicableTo server certificate delivery
purpose allow a client to provide a URL from which its certificate can be retrieved
avoid sending the client certificate directly in the TLS handshake
relatedTo TLS Certificate message
TLS CertificateURL message
TLS client authentication
X.509 certificates
surface form: X.509 client certificates
requires server ability to perform HTTP or other URL fetches
server support for client_certificate_url extension to be effective
retrievalMethod server dereferences the provided URL to obtain the client certificate
RFCSection RFC 6066
surface form: RFC 6066, Section 4
scope applies to client authentication only
securityConsideration URL dereferencing introduces additional trust and availability dependencies
URL should be protected against tampering and redirection attacks
server must validate the retrieved certificate as if it were sent directly
specifiedAs client_certificate_url extension
status optional TLS extension
usedIn TLS 1.0
TLS 1.1
TLS 1.2
TLS
surface form: Transport Layer Security

How these facts were elicited

Referenced by (2)

Full triples — surface form annotated when it differs from this entity's canonical label.

RFC 3546 defines Client Certificate URL extension
RFC 6066 defines Client Certificate URL extension