TLS
... TLS [RFC2246] was designed to provide channel-oriented security. TLS standardizes SSL and may be used with any connection-oriented service. TLS provides mechanisms for both one- and two-way authentication, dynamic session keying ... integrity.
This document describes how to use COPS over TLS. "COPS over TLS" is
abbreviated COPS ...
... COPS Over TLS ...
... PEP to start the TLS negotiation. This object should be included only in the Client-Open or Client-Accept messages ...
... PEP or PDP does not support TLS, the C-Num specified MUST be 16 and the C-Type MUST be 2. This demonstrates that the TLS version of the Integrity object is not ...
... security-related connection closure if it cannot support a TLS
connection for the COPS protocol.
...
... Client-Accept message.
Once the TLS connection is established, all COPS data MUST be sent as
TLS ...
... Client-Open message MUST have a
Client-Type of 0 and MUST include the Integrity-TLS object.
Upon receiving ... PDP SHOULD respond with a Client-Accept message containing the Integrity-TLS object.
Note that in order to carry the Integrity-TLS object, the contents of the Client-Accept message defined in section 3.7 of [RFC2748 ...
...
A PEP requiring the Integrity-TLS object in a Client-Accept message MUST close the connection if the Integrity-TLS object is missing. The ensuing Client-Close message MUST include the error code ...
... Upon receiving the Client-Accept message with the Integrity-TLS object, the PEP SHOULD initiate the TLS handshake. If for any reason the PEP ... Client-Accept, the PEP MUST NOT send any messages until the TLS handshake is complete. Upon receiving any message from
...
... closure alert assures an implementation that no further data will arrive on that connection. The TLS specification requires TLS implementations to initiate a closure alert exchange before closing a connection. It also permits TLS implementations to close connections without waiting to receive closure alerts ... provided they send their own first. A connection closed in this way is known as an "incomplete close". TLS allows implementations to reuse the session in this case, but COPS ...
... security of the data already received, but simply indicates that subsequent data might have been truncated. Because TLS is oblivious to COPS message boundaries, it is necessary to examine the COPS ...
... All PEP implementations of COPS/TLS MUST support an access control mechanism to identify authorized PDPs. This requirement ...
... PEP deployments SHOULD require the use of this access control mechanism for operation of COPS over TLS. When access control is enabled, the PEP implementation MUST NOT initiate COPS/TLS connections to systems not authorized as PDPs by the access control mechanism.
...
... Similarly, PDP COPS/TLS implementations MUST support an access control mechanism permitting them to restrict their services to ...
... PDP implementation MUST terminate COPS/TLS connections from unauthorized PEP systems and log an error if an auditable logging mechanism is ...
... PDP and PEP systems. COPS/TLS systems MUST
perform certificate verification processing conforming to [RFC3280 ...
... register with a certificate authority,
and COPS over TLS uses one-way authentication, of the PDP to the PEP ...
... end entity certificates [RFC3280]. In this case, COPS over TLS uses
two-way authentication, and the PDP ...
... PDP SHOULD be backward compatible with peers that have
not been modified to support COPS/TLS. They SHOULD handle errors
generated in response to the Integrity-TLS object.
...
... C-Num, C-Type combination for the
Integrity-TLS object to the registry at
http://www.iana.org/assignments/cops-parameters:
...
... Client-Type 0, the IANA has added the following Flags value for
the Integrity-TLS object:
0x01 = StartTLS
...
... COPS PDP and PEP MUST check the results of the TLS negotiation to
see whether an acceptable degree of authentication and privacy ...
... A man-in-the-middle attack can be launched by deleting the
Integrity-TLS object or altering the Client-Open or Client-Accept
messages. If security ...
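The PEP-side check described in the negotiation text above (proceed to the TLS handshake only when the Client-Accept carries the Integrity-TLS object, otherwise close) and the object-stripping case from the security considerations, as an added Python example that is not part of the RFC or of any COPS implementation: it encodes and parses the COPS object header and the Integrity-TLS object using the C-Num 16, C-Type 2, Client-Type 0 and StartTLS 0x01 values given on this page. The Client-Accept op code (7) and the 8-bit Flags plus 24-bit Reserved payload layout are assumptions taken from RFC 2748 and RFC 4261 rather than shown here.

```python
import struct

COPS_VERSION = 1
OP_CLIENT_ACCEPT = 7     # CAT op code, assumed from RFC 2748 (not shown on this page)
CNUM_INTEGRITY = 16      # page: C-Num MUST be 16
CTYPE_INTEGRITY_TLS = 2  # page: C-Type MUST be 2
FLAG_START_TLS = 0x01    # page: Flags value 0x01 = StartTLS

def cops_object(c_num, c_type, payload):
    """One COPS object: 16-bit length (header included), 8-bit C-Num, 8-bit C-Type."""
    return struct.pack("!HBB", 4 + len(payload), c_num, c_type) + payload

def integrity_tls_object(flags=FLAG_START_TLS):
    # Payload layout (8-bit Flags, 24-bit Reserved) is assumed from RFC 4261;
    # this page only gives the C-Num, the C-Type and the StartTLS flag value.
    return cops_object(CNUM_INTEGRITY, CTYPE_INTEGRITY_TLS, bytes([flags, 0, 0, 0]))

def cops_message(op_code, client_type, objects):
    """COPS common header (RFC 2748): Version/Flags, Op Code, Client-type, Message Length."""
    ver_flags = (COPS_VERSION << 4) | 0x1   # low flag bit 0x1 = solicited message
    return struct.pack("!BBHI", ver_flags, op_code, client_type, 8 + len(objects)) + objects

def parse_objects(body):
    """Yield (c_num, c_type, payload) per object; reject truncated or bad lengths."""
    off = 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated object header")
        length, c_num, c_type = struct.unpack_from("!HBB", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad object length")
        yield c_num, c_type, body[off + 4:off + length]
        off += length

def pep_on_client_accept(msg):
    """PEP decision on a received Client-Accept: handshake only if Integrity-TLS with StartTLS is present."""
    try:
        ver_flags, op_code, client_type, length = struct.unpack_from("!BBHI", msg, 0)
        if (ver_flags >> 4 != COPS_VERSION or op_code != OP_CLIENT_ACCEPT
                or client_type != 0 or length != len(msg)):
            return "close_connection"
        objs = list(parse_objects(msg[8:]))
    except (struct.error, ValueError):
        return "close_connection"   # malformed message: treat like a missing object
    for c_num, c_type, payload in objs:
        if (c_num, c_type) == (CNUM_INTEGRITY, CTYPE_INTEGRITY_TLS):
            if payload and payload[0] & FLAG_START_TLS:
                return "start_tls_handshake"
    return "close_connection"       # object stripped, absent, or StartTLS not set
```

A Client-Accept in which the Integrity-TLS object has been removed in transit is indistinguishable from a non-TLS peer at this layer, which is why the PEP that requires TLS must close rather than fall back.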
... Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. ...
