Internet DRAFT - draft-deutch-lamps-client-app-encrypt
draft-deutch-lamps-client-app-encrypt
Network Working Group B. Deutsch
INTERNET-DRAFT Independent Submitter
Intended status: Standards Track
Expires: February 25, 2019 August 24, 2018
Client Application Layer Encryption
draft-deutch-lamps-client-app-encrypt-00
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Status of This Memo
This document specifies an Experimental protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "Internet Official
Protocol Standards" (STD 1) for the standardization state and status
of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the document
authors. All rights reserved.
Abstract
The protocol for Client Application Layer Encryption offers
organizations a method of securely providing users data with very
few authentication steps. This protocol makes use of X.509 public
key infrastructure and SHOULD NOT be implemented without transport
layer security. The protocol described below helps to ensure that
response messages may only be read by the intended recipient.
Deutsch Client Application Layer Encryption [Page 1]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
Table Of Contents
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4
1.6 Strengths and Weaknesses . . . . . . . . . . . . . . . . . 4
2. Security Considerations . . . . . . . . . . . . . . . . . . . 5
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
4. Communication Patterns . . . . . . . . . . . . . . . . . . . . 5
4.1 Initiation . . . . . . . . . . . . . . . . . . . . . . . . 5
4.2 Standard Request . . . . . . . . . . . . . . . . . . . . . 5
4.3 whoami Request . . .. . . . . . . . . . . . . . . . . . . . 7
4.4 Server Revocation . . . . . . . . . . . . . . . . . . . . . 8
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Normative . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Informative . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Appendix A: UML Flow Diagrams . . . . . . . . . . . . . . . . . . 9
A.1 Initiation . . . . . . . . . . . . . . . . . . . . . . . . 9
A.2 Standard Request . . . . . . . . . . . . . . . . . . . . . 10
A.3 whoami Request . . . . . . . . . . . . . . . . . . . . . . 11
Appendix B: Example Requests and Responses . . . . . . . . . . . . 12
B.1 Initiation . . . . . . . . . . . . . . . . . . . . . . . . 12
B.2 Standard Request . . . . . . . . . . . . . . . . . . . . . 15
B.3 whoami Request . . . . . . . . . . . . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property Statement . . . . . . . . . . . . . . . . . 22
Deutsch Client Application Layer Encryption [Page 2]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
1. Introduction
This protocol offers a way to reduce the number of network
communications that must occur for a system to have confidence in
the identity of the requester and reduces the risk in the case of
impersonation. This was designed with application programming
interfaces in mind.
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.2 Abbreviations
CN: Common Name [RFC4514]
CSR: certificate signing request [RFC5280]
DN: Distinguished Name [RFC4514]
GUID: Globally Unique IDentifier [RFC4122]
IaaS: infrastructure as a Service
OU: Organizational Unit [RFC4514]
PaaS: Platform as a Service
SAN: subject alternative name [RFC4514]
SaaS: Software as a Service
TLS: transport layer security [RFC5246]
1.3 Roles
resource owner: The party with rights to the data.
resource server: The object housing the data.
authorization server: The server that fulfills certificate
signing requests and catalogs them for validation. All calls to
this device should be over TLS with mutual certificate exchange
[RFC5246].
client: The object requesting the data.
edge device: The object open to anonymous traffic, terminates TLS
[RFC5246], brokers authentication, performs authorization, then
forwards data.
origination server: The object that performs processing of the
request that results in the response.
Deutsch Client Application Layer Encryption [Page 3]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
1.4 Goals
Minimize exposure of client credentials and data. A client can be
authorized and returned a token or other sensitive information with
confidence that it cannot be intercepted, even by an internal bad
actor. To do this the authorization server must either be a signing
authority or have permission to submit certificate signing requests
to a signing authority [RFC5280]. The client certificate properties
may act as a vehicle for personally identifying information to be
passed to the origination server. The private key SHOULD NOT be
exported from the client device and therefore the CSR may contain
device properties.
1.5 Motivation
Organizations have increased the number of individuals with access
to subvert trusted systems with the increase in subcontracting
information services i.e. SaaS, PaaS, IaaS, etc; as well as contract
workers.
When users' information is unencrypted is it vulnerable to
exploitation. By reducing the occurrences of client data being
unencrypted we reduce the opportunity for attack.
1.6 Strengths and Weaknesses
This provides a mechanism for user credentials that may be valid
for an undefined period of time. Made possible because the
credentials themselves, the private key [RFC5280], never exists
outside the users' (resource owners') device.
The true proof of identity is in the ability of the client to read
the response message. Which makes this mechanism ideal for GET
requests but unsuitable for POST, PUT, or DELETE unless accompanied
by a secondary authentication mechanism.
If an attacker captured the CSR then they would be in a
position to build a response the client would accept, however the
attacker would also have to impersonate the edge device in order to
impersonate the authorization and origination servers. Conversely,
if an attacker impersonates the edge device without the CSR on file
then any response would appear malformed.
Because these certificates are not used in TLS negotiation the
client is not required to share it at the device layer. This
allows the credentials to be owned exclusively by the application
within the clients' device, reducing the opportunity for another
application running on the same device to steal the private key
or impersonate the organization's application to the authorization
server by reading their response.
To mitigate risk of attacks some error messages must simulate
successful responses reducing feedback to legitimate consumers with
malformed requests.
Deutsch Client Application Layer Encryption [Page 4]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
2. Security Considerations
This document defines a protocol for authenticating and authorizing
users for access to protected data and the secure delivery of
responses.
3. IANA Considerations
No IANA considerations
4. Communication Patterns
The following sections describe the various transactions that make
up this protocol.
4.1 Initiation
For this flow the client is also the resource owner, and the
authorization server is also both resource server and origination
server.
The client must use a method acceptable to the edge device to prove
their identity [RFC6749] [RFC7617], preferably initial registration.
At the conclusion of this proving the client should have packaged
their CSR and sent it to the edge device.
The edge device shall then forward the identity information with the
CSR and the cipher used for the TLS to the authorization server.
The authorization server shall store the CSR in association with the
user identity and return a response of the GUID of the CSR record
encrypted by a certificate generated from the CSR using the cipher
negotiated between the client and the edge device. This cipher is
used to ensure it is one the client knows, to be sure it is one that
the resource server knows; the edge device and resource servers
should be configured to maintain the same list (remember in this
flow the resource server is also the authorization server).
The edge device shall then return the encrypted response to the
client.
The client must decrypt the response with their private key
[RFC5280] used to generate the CSR and store the GUID and key for
future use.
Deutsch Client Application Layer Encryption [Page 5]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
4.2 Standard Request
For this flow the client is also the resource owner. These
credentials are sufficient if this Request is a read only operation
or a create that produces data that is only usable after the client
has read the response (proving that they are the resource owner),
such as token generation where the token is returned in the response
payload body or a request to a processing queue which must be
followed by an execution call using the queue identifier from the
response. These credentials should be supplemented by a secondary
mechanism if this request is expected to result in any data changes.
The client shall send their GUID with the request to the edge
device.
The edge device should forward the GUID to the authorization
server in the form of a validation request. The edge device may
forward the request to the origination server without performing
this step, which would be bad practice because it increases the
opportunity for capture, message replay, and in that case the
origination server would need to call the authorization server
increasing its client list and therefore attack surface.
The authorization server shall reply to the validation request with
a client certificate generated by the CSR associated with the GUID.
The certificate should only be valid long enough to fulfill the
request.
If the edge device receives a response from the validation call to
the authorization server that is not a client certificate then the
edge device should return an object large enough to be mistaken for
an encrypted response to the untrusted client. If authentication is
successful then the edge device should then forward the client
request with the certificate and the negotiated cipher to the
origination server without the GUID.
If an internal bad actor captured a request with the client's
certificate or GUID and used it to send a request then they would be
unable to read the response. Additionally, the certificate should
have an extremely short validity period in which this request would
be valid.
The origination server should validate the certificate by issuer,
subject, and expiration. No CRL is required as the certificate
validity should only ever be long enough for one request. This
enables the origination server to perform fine grained
authentication with high confidence without any external calls. The
origination server may be or make calls to the resource server(s)
providing the certificate and not the cipher, aggregating data as
required. The identity of the certificate is taken from the SAN if
present; wherein the CN is the resource owner, the DC is the
organization of the servers, and any OUs represent allowed scope(s).
Deutsch Client Application Layer Encryption [Page 6]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
The absence of the cipher informs any resource server(s) that their
response should not be encrypted by the user's certificate. This
request should be over TLS and should use mutual certificate
exchange [RFC5246] because the client's certificate in this request
is not for authentication, it is present as a form of query. These
requests are from the origination server to the resource server(s)
as evidenced by the origination server's need to read the response.
The origination server shall encrypt the response intended for the
client using the client's certificate and the cipher provided by the
edge device ensuring that only the client is able to decrypt it. The
origination server then returns this response to the edge device.
The edge device shall forward the response to the client.
The client shall use their private key to decrypt the response.
If the request is captured between the client and the edge device
then a message replay is possible, however the response could only
be read by the real client. If a request is captured between the
edge device and the origination server then a message replay is
possible only until the certificate expires and again, could only
be read by the real client. The flow should use TLS throughout to
prevent the request from being read between hops.
4.3 whoami Request
For this flow the client is also the resource owner and the
authorization server is also both resource server and origination
server.
The client makes a request to the edge device using their GUID.
The edge device receives the request and forwards the GUID to the
authorization server with the negotiated cipher.
The authorization server generates a certificate for the client
that expires immediately, encrypts the certificate using itself
and the specified cipher, and then returns this as the response to
the edge device. If the GUID is not known then an response
consisting of a random salt large enough to be reasonably mistaken
for an encrypted payload should be returned to the edge device with
a HTTP 200 code [RFC7231], this is intended to prevent a dictionary
attack from mapping out valid GUIDs.
The edge device forwards the response to the client.
The resource owner must then decrypt the response to read it.
Deutsch Client Application Layer Encryption [Page 7]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
4.4 Server Revocation
In the event that a set of credentials are compromised then the
authorization server may be required to revoke them. The resource
owner may be required to perform a new initiation to regain access
to their account.
References
Normative
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997.
[RFC5246] Dierks, T., "The Transport Layer Security (TLS) Protocol
Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL)
Profile", RFC 5280, May 2008.
Informative
[RFC4122] Leach, P., "A Universally Unique IDentifier (UUID) URN
Namespace", RFC 4122, July 2005.
[RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): String Representation of Distinguished Names",
RFC 4514, June 2006.
[RFC5751] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.2 Message Specification",
RFC 5751, January 2010.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework",
RFC 6749, October 2012.
[RFC7231] Fielding, R., "Hypertext Transfer Protocol (HTTP/1.1):
Semantics and Content", RFC 7231, June 2014.
[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme",
RFC 7617, September 2015.
[WSD] WebSequenceDiagrams software is provided by Hanov
Solutions Inc., of Waterloo, Ontario, Canada.
<https://www.websequencediagrams.com>
Deutsch Client Application Layer Encryption [Page 8]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
Appendix A: UML Flow Diagrams
Each section of this appendix corresponds to the same numbered sub
section of this document under section 4. The text between the
section heading and the flow graphic represents the flow in
sudo-code [WSD]. The diagrams have been simplified from the
sudo-code in order to fit this document format.
A.1 Initiation
title Initiation
note over client:
generate key
generate CSR
end note
client->edge device: Registration+CSR
edge device->+authorization server: ID+CSR+cipher
note over authorization server:
store CSR
generate GUID
encrypt GUID
end note
authorization server-->-edge device: encrypted GUID
edge device-->+client: encrypted GUID
note over client:
decrypt response
store GUID
end note
[client]-------------------------------------------------------[client]
|| ^
registration :
and csr GUID
|| encrypted
\/ :
[edge device]---------------------------------------------[edge device]
|| ^
ID :
CSR GUID
cipher encrypted
|| :
\/ :
[authorization server]---------------------------[authorization server]
Deutsch Client Application Layer Encryption [Page 9]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
A.2 Standard Request
title Standard Request
client->edge device: request+GUID
edge device->authorization server: GUID
note over authorization server: generate certificate from GUID CSR
authorization server-->edge device: certificate
edge device->origination server: request+certificate+cipher
note over origination server:
certificate validation
authorization
end note
opt if origination server is not resource server
origination server->resource server: server request+certificate
resource server-->origination server: server response
end
note over origination server: encrypt response
origination server-->edge device: encrypted response
edge device-->client: encrypted response
note over client: decrypt response
[client]-------------------------------------------------------[client]
|| ^
Request :
GUID encrypted
|| response
\/ :
[edge device]---------------------------------------------[edge device]
|| ^ || ^
GUID : || :
|| certificate || :
\/ : || :
[authorization server]--------||-----------------[authorization server]
|| :
request :
certificate encrypted
cipher response
|| ___________________ :
|| |optional/ | :
|| |~~~~~~~~ | :
|| |if the origination | :
|| |server is not the | :
\/ |resource server | :
[origination server]-------------|-----------------[origination server]
| || ^ |
| server : |
| request+ : |
| certificate : |
| || encrypted |
| || response |
| \/ : |
[resource server]----------------|-------------------|[resource server]
|___________________|
Deutsch Client Application Layer Encryption [Page 10]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
A.3 whoami Request
title whoami Request
client->edge device: GUID
edge device->authorization server: GUID+cipher
note over authorization server:
generate certificate
encrypt response
end note
authorization server-->edge device: encrypted response
edge device-->client: encrypted response
note over client: decrypt response
[client]-------------------------------------------------------[client]
|| ^
GUID :
|| encrypted
|| response
\/ :
[edge device]---------------------------------------------[edge device]
|| ^
GUID :
cipher encrypted
|| response
\/ :
[authorization server]---------------------------[authorization server]
| ^
|_generate and_|
encrypt cert
Deutsch Client Application Layer Encryption [Page 11]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
Appendix B: Example Requests and Responses
Each section of this appendix corresponds to the same numbered sub
section of this document under section 4. These examples contain
elements which fulfill the requirements described above and may be
met by other means.
B.1 Initiation
The below private key is used to generate the below examples and can
be used to execute the client decryption commands:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F58E7878FA4D4A8
98MDLxjgMW5W71ZADD1CG2VeAMG/vxmIqpF+2japv831iSh4WC5LJfPXfKXp+nQ5
L74+xDt1fRSKuPfnBqPnok1lZrMqK+WtW83FSxA0wm5Rvfsa9ECSoMJP24z5roAd
+ipyn3v47Vmlu6gjk1wmgj2hT2LnkrwvXh6CGKc2AjA3xQieGKyzB6/m2hMc6A5z
nVwhwJi4Fc4J/Zs9+J/4KUFbSdobrs5Ej4iexWWTGfzVDjOmRaObol6gxldiGDH3
1khUSpJutOjnisiWUVkjUos9AvFi8QISeodiQr5AMCrYGVY0N5BN35hv/mqJHT3g
AH25psCwaT1P44qYu6CQSRkRxOE2CmJIhPvsPjC9uOx8zois3ICwCUZLUpkwsL7o
DfnucGNPpS5aIJenno5Cy8aY5E0BXN/m5OxLfciWAp4Sv2Fg55TKDLaysIcHNy9G
J56SD2QJEoF7s9LbUykGutlBOI1ozWxyhMK2ku/DjB0lQTncUaibWJ5Y3Bw1uVVe
8GL3HAoR8G+aos8ESy/0vcaEHmTM4iqXKZcRELvlGJ+HqCSalLVgf8XaLMNPq+8l
qTEHPGPVpo5BQRLCavg21hd38nBmFHQFyB5X6jQcAhBuhf8Ns12Na72V4OHyXtKD
hB/qfrdQukkAhCRRGFbsc3iOwM/OkUwv/z/w1NikP6Z9jhTQIC/RF/86CGAEyfdQ
1FC+wsDgkbmKaQIWoyqdrHiXiLI2htMSJ4aeJufjFvH86PhZiEi0gUKpkFqi58ix
0kfoiUO3oAEPKAoZvGDlRN+/x89hjccqmOFoKDxckUaKphTzuJwepQDNaRkPSNKd
d6yjD4nB9Bjnbp1bwR/iy7OCA33lRangFuUFq6gsZsj54Ioi8MOZ8aox0GdrM8so
eWexF7od+L6/zBh43WHE0vMDjOUX8QgkCXWF1mhP0Yd13uLsddaUeYtjDJp44t2y
pb8FdnfA5IS7xMyNz2XIBZJOtqSGrWvPR9o/xloZiuNBOzmns6wmz3ZGznZddVex
s9nM2VoPdrPe8n4bxuTRXPyGvATDdY8czqZh8/STGX5PPmCvRA1ilWrN1sP844mq
QSv1swG+bnDIgAZS9D7DR5pq5Ed18Zby5g6l0uUwEDQeIonMsRwHErQtB2X3rMX+
lHg35WKHTRjPk6kcGWWcRuBkHmKSug4qDqjbQZLNaBA9v2XxB5CuoJ8yFMGRz8oO
phflxeJWA8w185UPQ9Sm8m/S6nP5NjdO4XUzzhJ7Ue/+Um2XrghRfY1+mGDo+B5a
PPvKf2VetChVXIpFew1fZWfQuZGluJTHdb1J7lG2Q9rKrLY7ty0P+gMQs8by8nwm
XYgJiqXnzr15u005JQpXhkfJ1B4x+0K5q1vVJNenlvLa40r+/wU8tNFEV9cgBtPm
B4+Zikt+FD2A1uU+9wCOBanXE/xCN95oTCH06FMiv8j/qzh9+c7DnNxPQ8rvCQf1
dH8A1kMxgOJ9zIfuZMmAUMQmI3t5qh4oGT8RycWa/e1JeMxiMqpOSY7cwH5UyzpM
/8ZrWLpPo7CYnTvK4LaMBzhvu6mxp348dNR8qmxIkmH7rcqXyPu+BVwTpt/2pXVe
-----END RSA PRIVATE KEY-----
Deutsch Client Application Layer Encryption [Page 12]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.1.1 Client Registration Request
The client generates a private key:
openssl genrsa -des3 -out privkey.key 2048
Then generate a certificate from the key to designate the expected
properties:
openssl req -key privkey.key -out client.crt -new -x509
Then generates a CSR from the key and certificate:
openssl x509 -x509toreq -in client.crt -out client.req -sha256
-signkey privkey.key
The request from the client to the Edge Device:
POST /registration HTTP/1.1
Host: server.example.com
Content-Type: application/pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQH
DAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGTAX
BgNVBAMMEEJlbmphbWluIERldXRzY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCpJMQQY1gzANViIIreVQvIlp2mw1ASUixRJp4SGPHpsaNJfvHcZBWl
zBfVfh960OsC1NasUs69WQIPeuJAYELdOXYox2J+5DSN/g3X8p3CXMrVd7xpArpx
q6uxevEtMP1kx4X8VC7nJsEPJO1lFhwTixWuUQv5xWL5qGuATafmtRvbBWNBMRa8
55HCKIcQkx4i0/DMREm0P/7fYRfuwYUWf3KJfkuCnwhbmxvFI0PDQfw/q+UhpobV
arxZS++S6jlMdaKh7tHLOLpfHdrLr8uaNlOB3weF6C2EGDxlzB0v3xEmdxVL7Ch6
GBZ7y3amfydZ5FOK1SD3lgWWYMm/6E5tAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
AQEAUnKJBIenLImXFBl7J3GwL948KPbKnuc7HRex0TmSo4G7fN7RxIo+6uZEgFG0
met55u+5uepVyGYnph2tgwO7hYUnUA5Zl4fzJeNmXljBAfBUQ4DYhi6R5yCpzU1C
wJOSyWWujPPUvfsRnT5kbk7LBvHKqntZ8+s3mbUtVVb80VsaWvOzDZerS6K+OXnY
YpV4oqZOmhraYDDtFuGVWBYJNspZwjNHTXJjhgR0u+xhnX8PugIoULIan/SmFkt/
6pvIjgOBX1NbBQo4B8S1F+l6R9CShEX6UCALkd+9BhHXDDiTZZara1YshpOEFr9W
qMHUCVVDTcYZomsqQqU/wKF8Hg==
-----END CERTIFICATE REQUEST-----
Deutsch Client Application Layer Encryption [Page 13]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.1.2 Edge Registration Request
The request forwarded to the authorization server with the cipher:
POST /registration HTTP/1.1
Host: server.example.com
Content-Type: application/pkcs10
Cipher: ECDHE-RSA-AES256-SHA
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQH
DAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxGTAX
BgNVBAMMEEJlbmphbWluIERldXRzY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCpJMQQY1gzANViIIreVQvIlp2mw1ASUixRJp4SGPHpsaNJfvHcZBWl
zBfVfh960OsC1NasUs69WQIPeuJAYELdOXYox2J+5DSN/g3X8p3CXMrVd7xpArpx
q6uxevEtMP1kx4X8VC7nJsEPJO1lFhwTixWuUQv5xWL5qGuATafmtRvbBWNBMRa8
55HCKIcQkx4i0/DMREm0P/7fYRfuwYUWf3KJfkuCnwhbmxvFI0PDQfw/q+UhpobV
arxZS++S6jlMdaKh7tHLOLpfHdrLr8uaNlOB3weF6C2EGDxlzB0v3xEmdxVL7Ch6
GBZ7y3amfydZ5FOK1SD3lgWWYMm/6E5tAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
AQEAUnKJBIenLImXFBl7J3GwL948KPbKnuc7HRex0TmSo4G7fN7RxIo+6uZEgFG0
met55u+5uepVyGYnph2tgwO7hYUnUA5Zl4fzJeNmXljBAfBUQ4DYhi6R5yCpzU1C
wJOSyWWujPPUvfsRnT5kbk7LBvHKqntZ8+s3mbUtVVb80VsaWvOzDZerS6K+OXnY
YpV4oqZOmhraYDDtFuGVWBYJNspZwjNHTXJjhgR0u+xhnX8PugIoULIan/SmFkt/
6pvIjgOBX1NbBQo4B8S1F+l6R9CShEX6UCALkd+9BhHXDDiTZZara1YshpOEFr9W
qMHUCVVDTcYZomsqQqU/wKF8Hg==
-----END CERTIFICATE REQUEST-----
Deutsch Client Application Layer Encryption [Page 14]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.1.3 Registration Response
After generating the GUID that identifies the record it shall be
encoded using the client certificate:
openssl smime -encrypt -binary -aes-256-cbc -in response.txt
client.crt
Resulting in the encrypted response [RFC5751]:
HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime;
smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
MIICCwYJKoZIhvcNAQcDoIIB/DCCAfgCAQAxggGTMIIBjwIBADB3MGoxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYD
VQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRkwFwYDVQQDDBBCZW5qYW1pbiBEZXV0
c2NoAgkAondW3eFlchkwDQYJKoZIhvcNAQEBBQAEggEACddDSDsbQ5D+eMwSqpNa
XHQOI1nWEYBDTx294ub67XV8ZxKGnMi/zMlSvdsNTlhXhz5/TjN8vwGF7v30znXM
4fvUXQpCOps8APG5y3tWe8I7XPTKsTtaJymCDAoBokLIIFfjgMo6Yh3qDZ53PSdG
wN2WxDlhAFyob6lX2WTPzh5RlCSmbWwEt3AnZqshHxLs8uk7ci3BU9Coizw3lVBh
vcH5hH6A8ad1bE4y+s3SRrPqTag4/CXz/LXC9i5WrMbXqVz6yKnH1CgkX4k0NMbe
DqjHnsUV7M1TuHfb+NFI329bOQKofqIIVseq4S7rIzpbrEsDehPZt5kwMxTOttUX
YzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCZc4CRchSYISroxg0r6twPgDCK
WSrODqmsS8zckitZgLcftiZ2hsGbmCUiq5pUwZdEBmMzGJIIl4w+mLmTYuhKOHU=
The client decrypts the response:
openssl smime -decrypt -binary -aes-256-cbc -in response.enc -out
response.txt -inkey privkey.key
Enter pass phrase for privkey.key: password
bec6dc7e-6562-4b1c-b308-6c352e6f8404
B.2 Standard Request
A request to some other services with this added protection.
B.2.1 Standard Client Request
The request to some service:
GET /resource HTTP/1.1
Host: server.example.com
CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404
Deutsch Client Application Layer Encryption [Page 15]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.2.2 Edge Validation Request
The authentication request to the authorization server:
GET /validate HTTP/1.1
Host: authority.example.com
CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404
B.2.3a Authorization Validation Response
Create the signed certificate with minimally applicable validity:
openssl ca -config openssl.cnf -startdate 180731190800Z -enddate
180731190810Z -keyfile ca.key -cert ca.crt -in client.req -out
./client.crt -notext
A successful response from the authorization server:
HTTP/1.1 200 OK
Content-Type: application/x509
-----BEGIN CERTIFICATE-----
MIIEfDCCA2SgAwIBAgIRAOaxLLnaTZDrituxMDU+EwowDQYJKoZIhvcNAQELBQAw
czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxEZWZhdWx0IENp
dHkxFDASBgNVBAoMC2V4YW1wbGUuY29tMQswCQYDVQQLDAJJVDEdMBsGA1UEAwwU
YXV0aG9yaXphdGlvbiBzZXJ2ZXIwHhcNMTgwNzMxMTkwODAwWhcNMTgwNzMxMTkw
ODEwWjBqMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFTATBgNVBAcMDERlZmF1
bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEZMBcGA1UEAwwQ
QmVuamFtaW4gRGV1dHNjaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKkkxBBjWDMA1WIgit5VC8iWnabDUBJSLFEmnhIY8emxo0l+8dxkFaXMF9V+H3rQ
6wLU1qxSzr1ZAg964kBgQt05dijHYn7kNI3+DdfyncJcytV3vGkCunGrq7F68S0w
/WTHhfxULucmwQ8k7WUWHBOLFa5RC/nFYvmoa4BNp+a1G9sFY0ExFrznkcIohxCT
HiLT8MxESbQ//t9hF+7BhRZ/col+S4KfCFubG8UjQ8NB/D+r5SGmhtVqvFlL75Lq
OUx1oqHu0cs4ul8d2suvy5o2U4HfB4XoLYQYPGXMHS/fESZ3FUvsKHoYFnvLdqZ/
J1nkU4rVIPeWBZZgyb/oTm0CAwEAAaOCARIwggEOMAkGA1UdEwQCMAAwDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4E
FgQUSxqn9ioM+4Im9NWszrg3xvB3Xt4wHwYDVR0jBBgwFoAU8/02wa7539I+EYiE
mgMYyLFLHfwwZAYIKwYBBQUHAQEEWDBWMCgGCCsGAQUFBzAChhxodHRwOi8vY2Eu
c2FtcGxlLmxhbi9jYS5odG1sMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5jYS5z
YW1wbGUubGFuOjkwODAwLAYDVR0fBCUwIzAhoB+gHYYbaHR0cDovL2NhLnNhbXBs
ZS5sYW4vY2EuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQDM1uhIypvCU+w0ZyW4fTXg
Zmpp/S3HoFvthVYVfnI5fhUumntFtRQHGyi468qH1Q79UGXW3wnx4Mz//2xQamRu
ACv16+pDXlMxrNJPk5udSHyweqESiaQS1wYqkMsVKx7Sk2AMH8c8cWoUZkBB62ZG
rQMAT0XHP9l/b7qnqNmgS/YkFNfl7uK1FTWLSzGUfVSoFD6YAtLpP0jfgZy+hy69
eG5dRrkagxT22tK9+o+DFSGMhsIQI++UDMypCRjyFQgmWXMj4DW1olZz7u90eQCT
WfSkZ+Elpp19Xmboki4KVriVJm2zMZN/1+sxcWpLe2BHAxb3V+erkwNMt+wog/kS
-----END CERTIFICATE-----
B.2.3b authentication Validation Error
An unsuccessful response from the authorization server:
HTTP/1.1 403 Forbidden
Deutsch Client Application Layer Encryption [Page 16]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.2.3c Edge Device Erroneous Response
A successful appearing response designed to prevent dictionary
attack from mapping real user GUIDs (mocking B.2.7).
HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime;
smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
QXQgdmVybyBlb3MgZXQgYWNjdXNhbXVzIGV0IGl1c3RvIG9kaW8gZGlnbmlzc2lt
b3MgZHVjaW11cyBxdWkgYmxhbmRpdGlpcyBwcmFlc2VudGl1bSB2b2x1cHRhdHVt
IGRlbGVuaXRpIGF0cXVlIGNvcnJ1cHRpIHF1b3MgZG9sb3JlcyBldCBxdWFzIG1v
bGVzdGlhcyBleGNlcHR1cmkgc2ludCBvY2NhZWNhdGkgY3VwaWRpdGF0ZSBub24g
cHJvdmlkZW50LCBzaW1pbGlxdWUgc3VudCBpbiBjdWxwYSBxdWkgb2ZmaWNpYSBk
ZXNlcnVudCBtb2xsaXRpYSBhbmltaSwgaWQgZXN0IGxhYm9ydW0gZXQgZG9sb3J1
bSBmdWdhLiBFdCBoYXJ1bSBxdWlkZW0gcmVydW0gZmFjaWxpcyBlc3QgZXQgZXhw
ZWRpdGEgZGlzdGluY3Rpby4gTmFtIGxpYmVybyB0ZW1wb3JlLCBjdW0gc29sdXRh
IG5vYmlzIGVzdCBlbGlnZW5kaSBvcHRpbyBjdW1xdWUgbmloaWwgaW1wZWRpdCBx
dW8gbWludXMgaWQgcXVvZCBtYXhpbWUgcGxhY2VhdCBmYWNlcmUgcG9zc2ltdXMs
IG9tbmlzIHZvbHVwdGFzIGFzc3VtZW5kYSBlc3QsIG9tbmlzIGRvbG9yIHJlcGVs
bGVuZHVzLiBUZW1wb3JpYnVzIGF1dGVtIHF1aWJ1c2RhbSBldCBhdXQgb2ZmaWNp
aXMgZGViaXRpcyBhdXQgcmVydW0gbmVjZXNzaXRhdGlidXMgc2FlcGUgZXZlbmll
dCB1dCBldCB2b2x1cHRhdGVzIHJlcHVkaWFuZGFlIHNpbnQgZXQgbW9sZXN0aWFl
IG5vbiByZWN1c2FuZGFlLiBJdGFxdWUgZWFydW0gcmVydW0gaGljIHRlbmV0dXIg
YSBzYXBpZW50ZSBkZWxlY3R1cywgdXQgYXV0IHJlaWNpZW5kaXMgdm9sdXB0YXRp
YnVzIG1haW9yZXMgYWxpYXMgY29uc2VxdWF0dXIgYXV0IHBlcmZlcmVuZGlzIGRv
bG9yaWJ1cyBhc3BlcmlvcmVzIHJlcGVsbGF0Lg==
Deutsch Client Application Layer Encryption [Page 17]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.2.4 Edge Forwarded Request
The request to some service:
GET /resource HTTP/1.1
Host: server.example.com
CALE-PEM: "MIIEfDCCA2SgAwIBAgIRAOaxLLnaTZDrituxMDU+EwowDQYJKoZIhvc
NAQELBQAwczELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxEZWZhd
Wx0IENpdHkxFDASBgNVBAoMC2V4YW1wbGUuY29tMQswCQYDVQQLDAJJVDEdMBsGA1U
EAwwUYXV0aG9yaXphdGlvbiBzZXJ2ZXIwHhcNMTgwNzMxMTkwODAwWhcNMTgwNzMxM
TkwODEwWjBqMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFTATBgNVBAcMDERlZmF
1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEZMBcGA1UEAwwQQ
mVuamFtaW4gRGV1dHNjaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk
kxBBjWDMA1WIgit5VC8iWnabDUBJSLFEmnhIY8emxo0l+8dxkFaXMF9V+H3rQ6wLU1
qxSzr1ZAg964kBgQt05dijHYn7kNI3+DdfyncJcytV3vGkCunGrq7F68S0w/WTHhfx
ULucmwQ8k7WUWHBOLFa5RC/nFYvmoa4BNp+a1G9sFY0ExFrznkcIohxCTHiLT8MxES
bQ//t9hF+7BhRZ/col+S4KfCFubG8UjQ8NB/D+r5SGmhtVqvFlL75LqOUx1oqHu0cs
4ul8d2suvy5o2U4HfB4XoLYQYPGXMHS/fESZ3FUvsKHoYFnvLdqZ/J1nkU4rVIPeWB
ZZgyb/oTm0CAwEAAaOCARIwggEOMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0
GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUSxqn9ioM+4Im9
NWszrg3xvB3Xt4wHwYDVR0jBBgwFoAU8/02wa7539I+EYiEmgMYyLFLHfwwZAYIKwY
BBQUHAQEEWDBWMCgGCCsGAQUFBzAChhxodHRwOi8vY2Euc2FtcGxlLmxhbi9jYS5od
G1sMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5jYS5zYW1wbGUubGFuOjkwODAwLAY
DVR0fBCUwIzAhoB+gHYYbaHR0cDovL2NhLnNhbXBsZS5sYW4vY2EuY3JsMA0GCSqGS
Ib3DQEBCwUAA4IBAQDM1uhIypvCU+w0ZyW4fTXgZmpp/S3HoFvthVYVfnI5fhUumnt
FtRQHGyi468qH1Q79UGXW3wnx4Mz//2xQamRuACv16+pDXlMxrNJPk5udSHyweqESi
aQS1wYqkMsVKx7Sk2AMH8c8cWoUZkBB62ZGrQMAT0XHP9l/b7qnqNmgS/YkFNfl7uK
1FTWLSzGUfVSoFD6YAtLpP0jfgZy+hy69eG5dRrkagxT22tK9+o+DFSGMhsIQI++UD
MypCRjyFQgmWXMj4DW1olZz7u90eQCTWfSkZ+Elpp19Xmboki4KVriVJm2zMZN/1+s
xcWpLe2BHAxb3V+erkwNMt+wog/kS"
Cipher: ECDHE-RSA-AES256-SHA
Deutsch Client Application Layer Encryption [Page 18]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.2.5 Aggregation Request
A request from the origin server to another resource server:
GET /aggregate HTTP/1.1
Host: origin.example.com
CALE-PEM: "MIIEfDCCA2SgAwIBAgIRAOaxLLnaTZDrituxMDU+EwowDQYJKoZIhvc
NAQELBQAwczELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxEZWZhd
Wx0IENpdHkxFDASBgNVBAoMC2V4YW1wbGUuY29tMQswCQYDVQQLDAJJVDEdMBsGA1U
EAwwUYXV0aG9yaXphdGlvbiBzZXJ2ZXIwHhcNMTgwNzMxMTkwODAwWhcNMTgwNzMxM
TkwODEwWjBqMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFTATBgNVBAcMDERlZmF
1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEZMBcGA1UEAwwQQ
mVuamFtaW4gRGV1dHNjaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKk
kxBBjWDMA1WIgit5VC8iWnabDUBJSLFEmnhIY8emxo0l+8dxkFaXMF9V+H3rQ6wLU1
qxSzr1ZAg964kBgQt05dijHYn7kNI3+DdfyncJcytV3vGkCunGrq7F68S0w/WTHhfx
ULucmwQ8k7WUWHBOLFa5RC/nFYvmoa4BNp+a1G9sFY0ExFrznkcIohxCTHiLT8MxES
bQ//t9hF+7BhRZ/col+S4KfCFubG8UjQ8NB/D+r5SGmhtVqvFlL75LqOUx1oqHu0cs
4ul8d2suvy5o2U4HfB4XoLYQYPGXMHS/fESZ3FUvsKHoYFnvLdqZ/J1nkU4rVIPeWB
ZZgyb/oTm0CAwEAAaOCARIwggEOMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0
GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUSxqn9ioM+4Im9
NWszrg3xvB3Xt4wHwYDVR0jBBgwFoAU8/02wa7539I+EYiEmgMYyLFLHfwwZAYIKwY
BBQUHAQEEWDBWMCgGCCsGAQUFBzAChhxodHRwOi8vY2Euc2FtcGxlLmxhbi9jYS5od
G1sMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5jYS5zYW1wbGUubGFuOjkwODAwLAY
DVR0fBCUwIzAhoB+gHYYbaHR0cDovL2NhLnNhbXBsZS5sYW4vY2EuY3JsMA0GCSqGS
Ib3DQEBCwUAA4IBAQDM1uhIypvCU+w0ZyW4fTXgZmpp/S3HoFvthVYVfnI5fhUumnt
FtRQHGyi468qH1Q79UGXW3wnx4Mz//2xQamRuACv16+pDXlMxrNJPk5udSHyweqESi
aQS1wYqkMsVKx7Sk2AMH8c8cWoUZkBB62ZGrQMAT0XHP9l/b7qnqNmgS/YkFNfl7uK
1FTWLSzGUfVSoFD6YAtLpP0jfgZy+hy69eG5dRrkagxT22tK9+o+DFSGMhsIQI++UD
MypCRjyFQgmWXMj4DW1olZz7u90eQCTWfSkZ+Elpp19Xmboki4KVriVJm2zMZN/1+s
xcWpLe2BHAxb3V+erkwNMt+wog/kS"
B.2.6 Aggregation Response
A response from a resource server to the origin server:
HTTP/1.1 200 OK
{"foo": "bar"}
Deutsch Client Application Layer Encryption [Page 19]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.2.7 Origination Response
The encrypted response from the origination server that will be
passed back to the client by the edge device:
HTTP/1.1 200 OK
Content-Type: text/plain;charset=UTF-8
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime;
smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
MIIB6wYJKoZIhvcNAQcDoIIB3DCCAdgCAQAxggGTMIIBjwIBADB3MGoxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYD
VQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMRkwFwYDVQQDDBBCZW5qYW1pbiBEZXV0
c2NoAgkAondW3eFlchkwDQYJKoZIhvcNAQEBBQAEggEAJYwQ+oFA8nm4sp/crwHi
BY1+oVwqnygrXu4aZibJBA5qXQPYYVKGmjgZ1HnvtgWPdV4EW0b3FHbhI71fvalQ
HI3g7Jl9bcyNP0kSt4XmuAZzKrVRktBcEbhP9ePqAoH5S0u4vhwtKMZ/rt0BUPwY
ZQxVAQo7HQDL00+LHu2nGAbVinszn/5bQrJ7CTHO72ecs7m9DBJmaOT+ZT8toEpI
9zOvE4Z6AsqbbrthvIAApWfNBLYxm6fgy+5XeYPdwNnaAOMC0XXEWolp1/Suchzf
f84z7ayH8Xx6cP5mZQe/LH5KT4CvfxwsfhzVkMJkUOKyU7uxA+6B6lqm3t1mgIwy
EjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA7pyAHv3GrWkoZc5fiYkBLgBBL
JQYQttSM00rzK3y5X/sA
B.3 whoami Request
B.3.1 Client whoami Request
The request to some service:
GET /whoami HTTP/1.1
Host: server.example.com
CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404
B.3.2 Edge whoami Request
The request forwarded to the authorization server with the cipher:
GET /whoami HTTP/1.1
Host: server.example.com
CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404
Cipher: ECDHE-RSA-AES256-SHA
Deutsch Client Application Layer Encryption [Page 20]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
B.3.3 Authorization whoami Response
Generate the certificate that expires immediately:
openssl x509 -req -days 0 -in client.req -CA ca.crt -CAkey
ca.key -CAserial file.srl -out client.pem
The certificate is encrypted with itself using the cipher:
openssl smime -encrypt -binary -aes-256-cbc -in client.pem
client.pem
HTTP/1.1 200 OK
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime;
smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
MIIGogYJKoZIhvcNAQcDoIIGkzCCBo8CAQAxggGWMIIBkgIBADB6MHMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRQwEgYD
VQQKDAtleGFtcGxlLmNvbTELMAkGA1UECwwCSVQxHTAbBgNVBAMMFGF1dGhvcml6
YXRpb24gc2VydmVyAgMAhkkwDQYJKoZIhvcNAQEBBQAEggEAGbGnIDFMlf28nPpc
lN7RPb8Ok03T+wESUVDi3Pl9WEiE5BlV00jFPPZYJtatelJt7HOjK0b6Irz5ZHJ6
nzZ3xUN1nOOGPl8E/zffxfmVwBX6mh9jLZSZcPoorM58vUT1a0ci4euMH8pLQ+lZ
t1K+iV9bLm7Bg/xqumyhjrMq+lb5+0a3ZanhLk1LVNG6FrgG7a15pKX+t7hzWtjA
uLSqovn4Jr3tOGGyB9nDoRoWxBYqMlluNenqBgNiLD22DlTMD1iD/NCDEOGq5h5v
3v+LD1NV8yrbRF/dx/GWkH3hl8uiiBaZkGqRI09D10CpuIK2lTsrrqcJyMmiG+8n
gqKikDCCBO4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEMN3AKX128vExYesH/M/
yzSAggTA9ak1ngvEX38Jv3hlx0Jel99rFou3EqBvZw4VvZ7y3B0ZycNu+Yk39XSn
yDrGBZ84K6sIF/n2DJTz8dZfLxy1iTtZRZ+f9zsbAqtKzz2JTLH4fYJSyTnAC3lU
38z6cLVnMyhZliU/zmE0kU+b0CGoI71ubQhJvYtyMraC5Z94/VHkeYyn1fR8YMHU
OCoJLtjK2Kz5VPuSZNLrBLQXSOEzLhR/QhTv8x+/nW6t1WnHjFGgq3yYyNysQgZw
qlkfOuYtEpLEZM3kBxY/Hbb7hhN4g2UIx3IiYxCOC97mxWfM1YbyaHmt2fuZYW+V
JVqiOqHyVyYI6an5z6FsrSfdFN4hSLFowL44ky669i2JlkROQ//CcCV30+gL8VvK
c6BvYRskuvvUDttmzVhsciugvCI5HuP3PLNGFejDqENX2nkJatPQwJv+rDsnHMN6
M0fh+fVbJ3vJosR22QBLF+kopxj6xD725PUQh36GyoHq3V1aT7VtH7HIqR1PMOsn
wZRK+lUT1Jj0Yqv2gkOM4XWMx3vL5ZJ7c7qc95i3uzUhSj8fr6TKkYMcVYQROYJd
GD6EODcw3jmocDx7I4uvGGnb2GP3N8QmNJrBeJnBQCZtmsgiOeFnV1QHvqoFCG/m
+aHrv6a6drK5bOlzK2pelUar6O/XaKcVr7ZWjgFWG6Wbudd3DVBU7muVUCiBbrqJ
G3aT/z+qDK1AcBe2QdUfuk0v+QTa8jDatbypor0bv/wpfSQ81yl40edMyyXv6ZxY
ZKBcZKGfeSn5cF3h1gt0hSrpVZIGscb/Xehx8unBl4bjzfGkaUhu7kFo5WD3fVKr
PKAC8GtCVa3vDFAI5d1B8PFz1DaT1QTQhlHSVmXNpsjIGZujqR1sLGQU+XWyy3qu
gDYZEFcK1BjUhtMG4uVKz2Cm3AVOWZU/EzVpiBnxDLirE9z6YdoXZjhiMCnOpAps
C8UDAqMvxRLYqadJz67qt6yaY7xFLqcihz0uME46midfMbdI94ztkLXt6D70ML15
Q6Q3QbHS8NKgXKJ1NZeo6CGFgagj9OoaJjr400cFz/dAhgDVvE8AAKQTZHUCIvAr
iKy/Y/VS1WySNETNKeUgj4uOpZqwVvhGkQYYeZVjYXrrWlyN6B4pmFXLNl5hoOsM
6zWm5zaKY2gQJzTbHnCqkeqxkhfZeRXpkYqiTT86hzy+AsaXGnQXJcTHROlwrkbU
9gxlduIKOVd0uFbpwlBp+304JsuXOfCwyAWt4y3DmCfO7rJxAr1EoCZL2wRkk+xK
di08gMehw8YD4rERNsxg/5kuX1VevfYBR+94cVpg+u6dJtMM1EWazmnGGxnNvItb
vfDAVEgFkFTRn/aLM7nzMgQkythzJS46S878HJ18plTpRJTARtpW9uqllNwh6LnL
NC1z1eYl5dS/s0ErVOxERwaDKx6x3vxaa5hniW8e+yABgSqunrTdnQoQ0dha2Cpr
uXOmwlJyBuclZSEgsgMVVswn/R8x0pIiVW96YU5H+P59bguP5hLnSFvFhLhDades
bG8sRC7dAW87ZHFOGO315872wVsUw0fjGwgLcF6BJ4CtDM/DD2dhV090225gXVCT
HOlRqS6MekpUqBmw1nooGvR1hCqeQA==
Deutsch Client Application Layer Encryption [Page 21]�
INTERNET-DRAFT Expires: 17/02/2019 Aug 2018
Author's Address
Benjamin Deutsch
Email: spreakenze@gmail.com
Full Copyright Statement
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Intellectual Property Statement
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Deutsch Client Application Layer Encryption [Page 22]�
