draft-ietf-dnsext-rfc2538bis-06.txt vs. draft-ietf-dnsext-rfc2538bis-07.txt
(text common to both versions is shown once; where the versions differ, both readings are given, marked -06 and -07)
Network Working Group                                       S. Josefsson
Obsoletes: 2538 (if approved)
Expires: March 19, 2006 (-06) / March 27, 2006 (-07)

Storing Certificates in the Domain Name System (DNS)
draft-ietf-dnsext-rfc2538bis-06 / draft-ietf-dnsext-rfc2538bis-07

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on March 19, 2006 (-06) / March 27, 2006 (-07).

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

Cryptographic public keys are frequently published and their
authenticity demonstrated by certificates. A CERT resource record
(RR) is defined so that such certificates and related certificate
skipping to change at page 2, line 24
   3.2.  Purpose-based X.509 CERT RR Names . . . . . . . . . . . .  8
   3.3.  Content-based OpenPGP CERT RR Names . . . . . . . . . . .  9
   3.4.  Purpose-based OpenPGP CERT RR Names . . . . . . . . . . .  9
   3.5.  Owner names for IPKIX, ISPKI, and IPGP  . . . . . . . . . 10
   4.  Performance Considerations . . . . . . . . . . . . . . . . . 10
   5.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . 10
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . 11
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . 11
   9.  Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . 12
   Appendix A.  Copying conditions  . . . . . . . . . . . . . . . . 12 (-06) / 13 (-07)
   10.  References . . . . . . . . . . . . . . . . . . . . . . . . 13
     10.1.  Normative References . . . . . . . . . . . . . . . . . 13
     10.2.  Informative References . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15
   Intellectual Property and Copyright Statements . . . . . . . . . 16
1. Introduction

Public keys are frequently published in the form of a certificate and
their authenticity is commonly demonstrated by certificates and
skipping to change at page 11, line 49
Using the URI type introduces another level of indirection that may
open a new vulnerability. One method to secure that indirection is
to include a hash of the certificate in the URI itself.

If DNSSEC is used, then the non-existence of a CERT RR and,
consequently, certificates or revocation lists can be securely
asserted. Without DNSSEC, this is not possible.

8. IANA Considerations
(-07 only)

IANA needs to create a new registry for CERT RR certificate types.
The initial contents of this registry are:

         0              reserved
         1  PKIX        X.509 as per PKIX
         2  SPKI        SPKI certificate
         3  PGP         OpenPGP packet
         4  IPKIX       The URL of an X.509 data object
         5  ISPKI       The URL of an SPKI certificate
         6  IPGP        The URL of an OpenPGP packet
     7-252              available for IANA assignment
                        by IETF Standards action
       253  URI         URI private
       254  OID         OID private
   255-65023            available for IANA assignment
                        by IETF Consensus.
   65024-65534          experimental
       65535            reserved
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
only be assigned by an IETF standards action [7]. This document
assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate
types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
based on RFC documentation of the certificate type. The availability
of private types under 0x00FD and 0x00FE ought to satisfy most
requirements for proprietary or private types.

The CERT RR reuses the DNS Security Algorithm Numbers registry. In
particular, the CERT RR requires that algorithm number 0 remain
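As an added example (not text from either draft version), the following Python decodes a CERT RR's RDATA, classifies its type value against the hex registry ranges given above, and applies the hash-in-URI check that the Security Considerations suggest for the indirect (IPKIX/ISPKI/IPGP) types. It assumes the CERT RDATA layout of RFC 2538 (type, key tag, algorithm, certificate), which this draft revises; the '#sha256=<hex>' fragment convention, the example.invalid URL and the sample bytes are assumptions, not anything the draft defines.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# Type numbers from the registry table in the draft's IANA section.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 253: "URI", 254: "OID"}
URL_TYPES = {4, 5, 6}  # certificate field holds a URL, not the object


def type_policy(t):
    """Assignment policy for a type value, using the hex ranges in the
    draft's prose: 0x0000-0x00FF and 0xFF00-0xFFFF need a standards
    action, 0x0100-0xFEFF go through IETF Consensus."""
    if t in (0, 0xFFFF):
        return "reserved"
    if t in CERT_TYPES:
        return "assigned"
    if t <= 0x00FF or t >= 0xFF00:
        return "standards-action"
    return "ietf-consensus"


def parse_cert_rdata(rdata):
    """Split CERT RDATA into (type, key tag, algorithm, certificate) as
    laid out in RFC 2538, which this draft revises."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    ctype, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return ctype, key_tag, alg, rdata[5:]


def verify_indirect(cert_field, fetched):
    """For IPKIX/ISPKI/IPGP the field is a URL.  The draft suggests
    binding it to the object with a hash in the URI; the fragment form
    '#sha256=<hex>' is an assumed convention, not one the draft defines."""
    frag = urlsplit(cert_field.decode("ascii")).fragment
    if not frag.startswith("sha256="):
        return False  # no hash: the indirection cannot be verified
    return hashlib.sha256(fetched).hexdigest() == frag[7:].lower()


# Constructed sample: an IPKIX record (type 4, algorithm 5 = RSASHA1 from
# RFC 4034) whose URL names a constructed 5-byte blob standing in for DER.
SAMPLE_OBJECT = b"\x30\x03\x02\x01\x01"
SAMPLE_URL = (b"https://example.invalid/cert.der#sha256="
              + hashlib.sha256(SAMPLE_OBJECT).hexdigest().encode())
SAMPLE_RDATA = struct.pack("!HHB", 4, 12345, 5) + SAMPLE_URL
```

Note that the registry table's decimal bounds and the prose hex ranges disagree at the edges (255 is 0x00FF, which the prose keeps under standards action, and 65024 is 0xFE00, inside the prose's IETF Consensus range); the code follows the hex ranges in the prose.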
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/