draft-ietf-dnsext-rfc2538bis-08.txt | draft-ietf-dnsext-rfc2538bis-09.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Obsoletes: 2538 (if approved) | Obsoletes: 2538 (if approved) | |||
Expires: April 2, 2006 | Expires: April 21, 2006 | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
draft-ietf-dnsext-rfc2538bis-08 | draft-ietf-dnsext-rfc2538bis-09 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on April 2, 2006. | This Internet-Draft will expire on April 21, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
Cryptographic public keys are frequently published and their | Cryptographic public keys are frequently published and their | |||
authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4 | |||
2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5 | 2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5 | |||
2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | |||
3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | 3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | |||
3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 | 3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 | |||
3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | 3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | |||
3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | 3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | |||
3.5. Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . . 10 | 3.5. Owner names for IPKIX, ISPKI, IPGP, and IACPKIX . . . . . 10 | |||
4. Performance Considerations . . . . . . . . . . . . . . . . . . 10 | 4. Performance Considerations . . . . . . . . . . . . . . . . . . 10 | |||
5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 12 | 9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 12 | |||
Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 13 | Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 13 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . . 14 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 16 | Intellectual Property and Copyright Statements . . . . . . . . . . 17 | |||
1. Introduction | 1. Introduction | |||
Public keys are frequently published in the form of a certificate and | Public keys are frequently published in the form of a certificate and | |||
their authenticity is commonly demonstrated by certificates and | their authenticity is commonly demonstrated by certificates and | |||
related certificate revocation lists (CRLs). A certificate is a | related certificate revocation lists (CRLs). A certificate is a | |||
binding, through a cryptographic digital signature, of a public key, | binding, through a cryptographic digital signature, of a public key, | |||
a validity interval and/or conditions, and identity, authorization, | a validity interval and/or conditions, and identity, authorization, | |||
or other information. A certificate revocation list is a list of | or other information. A certificate revocation list is a list of | |||
certificates that are revoked, and incidental information, all signed | certificates that are revoked, and incidental information, all signed | |||
skipping to change at page 3, line 26 | skipping to change at page 3, line 26 | |||
certificates/revocations used by OpenPGP software. | certificates/revocations used by OpenPGP software. | |||
Section 2 below specifies a CERT resource record (RR) for the storage | Section 2 below specifies a CERT resource record (RR) for the storage | |||
of certificates in the Domain Name System [1] [2]. | of certificates in the Domain Name System [1] [2]. | |||
Section 3 discusses appropriate owner names for CERT RRs. | Section 3 discusses appropriate owner names for CERT RRs. | |||
Sections 4, 5, and 6 below cover performance, IANA, and security | Sections 4, 5, and 6 below cover performance, IANA, and security | |||
considerations, respectively. | considerations, respectively. | |||
Section 9 explain the changes in this document compared to RFC 2538. | ||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [3]. | document are to be interpreted as described in [3]. | |||
2. The CERT Resource Record | 2. The CERT Resource Record | |||
The CERT resource record (RR) has the structure given below. Its RR | The CERT resource record (RR) has the structure given below. Its RR | |||
type code is 37. | type code is 37. | |||
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
skipping to change at page 3, line 50 | skipping to change at page 4, line 4 | |||
| algorithm | / | | algorithm | / | |||
+---------------+ certificate or CRL / | +---------------+ certificate or CRL / | |||
/ / | / / | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | |||
The type field is the certificate type as defined in section 2.1 | The type field is the certificate type as defined in section 2.1 | |||
below. | below. | |||
The key tag field is the 16 bit value computed for the key embedded | The key tag field is the 16 bit value computed for the key embedded | |||
in the certificate, using the RRSIG Key Tag algorithm described in | in the certificate, using the RRSIG Key Tag algorithm described in | |||
Appendix B of [11]. This field is used as an efficiency measure to | Appendix B of [12]. This field is used as an efficiency measure to | |||
pick which CERT RRs may be applicable to a particular key. The key | pick which CERT RRs may be applicable to a particular key. The key | |||
tag can be calculated for the key in question and then only CERT RRs | tag can be calculated for the key in question and then only CERT RRs | |||
with the same key tag need be examined. Note that two different keys | with the same key tag need be examined. Note that two different keys | |||
may have the same key tag. However, the key must always be | can have the same key tag. However, the key MUST be transformed to | |||
transformed to the format it would have as the public key portion of | the format it would have as the public key portion of a DNSKEY RR | |||
a DNSKEY RR before the key tag is computed. This is only possible if | before the key tag is computed. This is only possible if the key is | |||
the key is applicable to an algorithm and complies to limits (such as | applicable to an algorithm and complies to limits (such as key size) | |||
key size) defined for DNS security. If it is not, the algorithm | defined for DNS security. If it is not, the algorithm field MUST be | |||
field MUST be zero and the tag field is meaningless and SHOULD be | zero and the tag field is meaningless and SHOULD be zero. | |||
zero. | ||||
The algorithm field has the same meaning as the algorithm field in | The algorithm field has the same meaning as the algorithm field in | |||
DNSKEY and RRSIG RRs [11], except that a zero algorithm field | DNSKEY and RRSIG RRs [12], except that a zero algorithm field | |||
indicates the algorithm is unknown to a secure DNS, which may simply | indicates the algorithm is unknown to a secure DNS, which may simply | |||
be the result of the algorithm not having been standardized for | be the result of the algorithm not having been standardized for | |||
DNSSEC [10]. | DNSSEC [11]. | |||
2.1. Certificate Type Values | 2.1. Certificate Type Values | |||
The following values are defined or reserved: | The following values are defined or reserved: | |||
Value Mnemonic Certificate Type | Value Mnemonic Certificate Type | |||
----- -------- ---------------- | ----- -------- ---------------- | |||
0 reserved | 0 reserved | |||
1 PKIX X.509 as per PKIX | 1 PKIX X.509 as per PKIX | |||
2 SPKI SPKI certificate | 2 SPKI SPKI certificate | |||
3 PGP OpenPGP packet | 3 PGP OpenPGP packet | |||
4 IPKIX The URL of an X.509 data object | 4 IPKIX The URL of an X.509 data object | |||
5 ISPKI The URL of an SPKI certificate | 5 ISPKI The URL of an SPKI certificate | |||
6 IPGP The URL of an OpenPGP packet | 6 IPGP The URL of an OpenPGP packet | |||
7-252 available for IANA assignment | 7 ACPKIX Attribute Certificate | |||
8 IACPKIX The URL of an Attribute Certificate | ||||
9-252 available for IANA assignment | ||||
253 URI URI private | 253 URI URI private | |||
254 OID OID private | 254 OID OID private | |||
255-65023 available for IANA assignment | 255-65023 available for IANA assignment | |||
65024-65534 experimental | 65024-65534 experimental | |||
65535 reserved | 65535 reserved | |||
These values represent the initial content of the IANA registry, see | ||||
section 8. | ||||
The PKIX type is reserved to indicate an X.509 certificate conforming | The PKIX type is reserved to indicate an X.509 certificate conforming | |||
to the profile defined by the IETF PKIX working group [9]. The | to the profile defined by the IETF PKIX working group [9]. The | |||
certificate section will start with a one-byte unsigned OID length | certificate section will start with a one-octet unsigned OID length | |||
and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
The SPKI type is reserved to indicate the SPKI certificate format | The SPKI type is reserved to indicate the SPKI certificate format | |||
[14], for use when the SPKI documents are moved from experimental | [15], for use when the SPKI documents are moved from experimental | |||
status. | status. | |||
The PGP type indicates an OpenPGP packet as described in [6] and its | The PGP type indicates an OpenPGP packet as described in [6] and its | |||
extensions and successors. Two uses are to transfer public key | extensions and successors. Two uses are to transfer public key | |||
material and revocation signatures. The data is binary, and MUST NOT | material and revocation signatures. The data is binary, and MUST NOT | |||
be encoded into an ASCII armor. An implementation SHOULD process | be encoded into an ASCII armor. An implementation SHOULD process | |||
transferable public keys as described in section 10.1 of [6], but it | transferable public keys as described in section 10.1 of [6], but it | |||
MAY handle additional OpenPGP packets. | MAY handle additional OpenPGP packets. | |||
The IPKIX, ISPKI and IPGP types indicate a URL which will serve the | The ACPKIX type indicate an Attribute Certificate format [10]. | |||
content that would have been in the "certificate, CRL or URL" field | ||||
of the corresponding types; PKIX, SPKI or PGP, respectively. The | The IPKIX, ISPKI, IPGP, IACPKIX types indicate a URL which will serve | |||
IPKIX, ISPKI and IPGP types are known as "indirect". These types | the content that would have been in the "certificate, CRL or URL" | |||
MUST be used when the content is too large to fit in the CERT RR, and | field of the corresponding types; PKIX, SPKI, PGP, or ACPKIX | |||
MAY be used at the implementer's discretion. They SHOULD NOT be used | respectively. The IPKIX, ISPKI, IPGP and IACPKIX types are known as | |||
where the DNS message is 512 bytes or smaller, and could thus be | "indirect". These types MUST be used when the content is too large | |||
expected to fit a UDP packet. | to fit in the CERT RR, and MAY be used at the implementer's | |||
discretion. They SHOULD NOT be used where the DNS message is 512 | ||||
octets or smaller, and could thus be expected to fit a UDP packet. | ||||
The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
a null terminated URI [5] and the data after the null is the private | a null terminated URI [5] and the data after the null is the private | |||
format certificate itself. The URI SHOULD be such that a retrieval | format certificate itself. The URI SHOULD be such that a retrieval | |||
from it will lead to documentation on the format of the certificate. | from it will lead to documentation on the format of the certificate. | |||
Recognition of private certificate types need not be based on URI | Recognition of private certificate types need not be based on URI | |||
equality but can use various forms of pattern matching so that, for | equality but can use various forms of pattern matching so that, for | |||
example, subtype or version information can also be encoded into the | example, subtype or version information can also be encoded into the | |||
URI. | URI. | |||
The OID private type indicates a private format certificate specified | The OID private type indicates a private format certificate specified | |||
by an ISO OID prefix. The certificate section will start with a one- | by an ISO OID prefix. The certificate section will start with a one- | |||
byte unsigned OID length and then a BER encoded OID indicating the | octet unsigned OID length and then a BER encoded OID indicating the | |||
nature of the remainder of the certificate section. This can be an | nature of the remainder of the certificate section. This can be an | |||
X.509 certificate format or some other format. X.509 certificates | X.509 certificate format or some other format. X.509 certificates | |||
that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | |||
type, not the OID private type. Recognition of private certificate | type, not the OID private type. Recognition of private certificate | |||
types need not be based on OID equality but can use various forms of | types need not be based on OID equality but can use various forms of | |||
pattern matching such as OID prefix. | pattern matching such as OID prefix. | |||
2.2. Text Representation of CERT RRs | 2.2. Text Representation of CERT RRs | |||
The RDATA portion of a CERT RR has the type field as an unsigned | The RDATA portion of a CERT RR has the type field as an unsigned | |||
decimal integer or as a mnemonic symbol as listed in section 2.1 | decimal integer or as a mnemonic symbol as listed in section 2.1 | |||
above. | above. | |||
The key tag field is represented as an unsigned decimal integer. | The key tag field is represented as an unsigned decimal integer. | |||
The algorithm field is represented as an unsigned decimal integer or | The algorithm field is represented as an unsigned decimal integer or | |||
a mnemonic symbol as listed in [11]. | a mnemonic symbol as listed in [12]. | |||
The certificate / CRL portion is represented in base 64 [15] and may | The certificate / CRL portion is represented in base 64 [16] and may | |||
be divided up into any number of white space separated substrings, | be divided up into any number of white space separated substrings, | |||
down to single base 64 digits, which are concatenated to obtain the | down to single base 64 digits, which are concatenated to obtain the | |||
full signature. These substrings can span lines using the standard | full signature. These substrings can span lines using the standard | |||
parenthesis. | parenthesis. | |||
Note that the certificate / CRL portion may have internal sub-fields, | Note that the certificate / CRL portion may have internal sub-fields, | |||
but these do not appear in the master file representation. For | but these do not appear in the master file representation. For | |||
example, with type 254, there will be an OID size, an OID, and then | example, with type 254, there will be an OID size, an OID, and then | |||
the certificate / CRL proper. But only a single logical base 64 | the certificate / CRL proper. But only a single logical base 64 | |||
string will appear in the text representation. | string will appear in the text representation. | |||
skipping to change at page 8, line 43 | skipping to change at page 9, line 7 | |||
2. 201.13.251.10.in-addr.arpa, and | 2. 201.13.251.10.in-addr.arpa, and | |||
3. hacker.mail.widget.foo.example. | 3. hacker.mail.widget.foo.example. | |||
3.2. Purpose-based X.509 CERT RR Names | 3.2. Purpose-based X.509 CERT RR Names | |||
Due to the difficulty for clients that do not already possess a | Due to the difficulty for clients that do not already possess a | |||
certificate to reconstruct the content-based owner name, purpose- | certificate to reconstruct the content-based owner name, purpose- | |||
based owner names are recommended in this section. Recommendations | based owner names are recommended in this section. Recommendations | |||
for purpose-based owner names vary per scenario. The following table | for purpose-based owner names vary per scenario. The following table | |||
summarizes the purpose-based X.509 CERT RR owner name guidelines for | summarizes the purpose-based X.509 CERT RR owner name guidelines for | |||
use with S/MIME [16], SSL/TLS [12], and IPSEC [13]: | use with S/MIME [17], SSL/TLS [13], and IPsec [14]: | |||
Scenario Owner name | Scenario Owner name | |||
------------------ ---------------------------------------------- | ------------------ ---------------------------------------------- | |||
S/MIME Certificate Standard translation of an RFC 2822 email | S/MIME Certificate Standard translation of an RFC 2822 email | |||
address. Example: An S/MIME certificate for | address. Example: An S/MIME certificate for | |||
"postmaster@example.org" will use a standard | "postmaster@example.org" will use a standard | |||
hostname translation of the owner name, | hostname translation of the owner name, | |||
"postmaster.example.org". | "postmaster.example.org". | |||
TLS Certificate Hostname of the TLS server. | TLS Certificate Hostname of the TLS server. | |||
IPSEC Certificate Hostname of the IPSEC machine and/or, for IPv4 | IPsec Certificate Hostname of the IPsec machine and/or, for IPv4 | |||
or IPv6 addresses, the fully qualified domain | or IPv6 addresses, the fully qualified domain | |||
name in the appropriate reverse domain. | name in the appropriate reverse domain. | |||
An alternate approach for IPSEC is to store raw public keys [17]. | An alternate approach for IPsec is to store raw public keys [18]. | |||
3.3. Content-based OpenPGP CERT RR Names | 3.3. Content-based OpenPGP CERT RR Names | |||
OpenPGP signed keys (certificates) use a general character string | OpenPGP signed keys (certificates) use a general character string | |||
User ID [6]. However, it is recommended by OpenPGP that such names | User ID [6]. However, it is recommended by OpenPGP that such names | |||
include the RFC 2822 [8] email address of the party, as in "Leslie | include the RFC 2822 [8] email address of the party, as in "Leslie | |||
Example <Leslie@host.example>". If such a format is used, the CERT | Example <Leslie@host.example>". If such a format is used, the CERT | |||
ought to be under the standard translation of the email address into | ought to be under the standard translation of the email address into | |||
a domain name, which would be leslie.host.example in this case. If | a domain name, which would be leslie.host.example in this case. If | |||
no RFC 2822 name can be extracted from the string name, no specific | no RFC 2822 name can be extracted from the string name, no specific | |||
skipping to change at page 9, line 50 | skipping to change at page 10, line 6 | |||
3.4. Purpose-based OpenPGP CERT RR Names | 3.4. Purpose-based OpenPGP CERT RR Names | |||
Applications that receive an OpenPGP packet containing encrypted or | Applications that receive an OpenPGP packet containing encrypted or | |||
signed data but do not know the email address of the sender will have | signed data but do not know the email address of the sender will have | |||
difficulties constructing the correct owner name and cannot use the | difficulties constructing the correct owner name and cannot use the | |||
content-based owner name guidelines. However, these clients commonly | content-based owner name guidelines. However, these clients commonly | |||
know the key fingerprint or the Key ID. The key ID is found in | know the key fingerprint or the Key ID. The key ID is found in | |||
OpenPGP packets, and the key fingerprint is commonly found in | OpenPGP packets, and the key fingerprint is commonly found in | |||
auxiliary data that may be available. In this case, use of an owner | auxiliary data that may be available. In this case, use of an owner | |||
name identical to the key fingerprint and the key ID expressed in | name identical to the key fingerprint and the key ID expressed in | |||
hexadecimal [15] is recommended. Example: | hexadecimal [16] is recommended. Example: | |||
$ORIGIN example.org. | $ORIGIN example.org. | |||
0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... | 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... | |||
F835EDA21E94B565716F IN CERT PGP ... | F835EDA21E94B565716F IN CERT PGP ... | |||
B565716F IN CERT PGP ... | B565716F IN CERT PGP ... | |||
If the same key material is stored for several owner names, the use | If the same key material is stored for several owner names, the use | |||
of CNAME may help to avoid data duplication. Note that CNAME is not | of CNAME may help to avoid data duplication. Note that CNAME is not | |||
always applicable, because it maps one owner name to the other for | always applicable, because it maps one owner name to the other for | |||
all purposes, which may be sub-optimal when two keys with the same | all purposes, which may be sub-optimal when two keys with the same | |||
Key ID are stored. | Key ID are stored. | |||
3.5. Owner names for IPKIX, ISPKI, and IPGP | 3.5. Owner names for IPKIX, ISPKI, IPGP, and IACPKIX | |||
These types are stored under the same owner names, both purpose- and | These types are stored under the same owner names, both purpose- and | |||
content-based, as the PKIX, SPKI and PGP types. | content-based, as the PKIX, SPKI, PGP and ACPKIX types. | |||
4. Performance Considerations | 4. Performance Considerations | |||
The Domain Name System (DNS) protocol was designed for small | The Domain Name System (DNS) protocol was designed for small | |||
transfers, typically below 512 bytes. While larger transfers will | transfers, typically below 512 octets. While larger transfers will | |||
perform correctly and work is underway to make larger transfers more | perform correctly and work is underway to make larger transfers more | |||
efficient, it is still advisable at this time to make every | efficient, it is still advisable at this time to make every | |||
reasonable effort to minimize the size of certificates stored within | reasonable effort to minimize the size of certificates stored within | |||
the DNS. Steps that can be taken may include using the fewest | the DNS. Steps that can be taken may include using the fewest | |||
possible optional or extension fields and using short field values | possible optional or extension fields and using short field values | |||
for necessary variable length fields. | for necessary variable length fields. | |||
The RDATA field in the DNS protocol may only hold data of size 65535 | The RDATA field in the DNS protocol may only hold data of size 65535 | |||
octets (64kb) or less. This means that each CERT RR MUST NOT contain | octets (64kb) or less. This means that each CERT RR MUST NOT contain | |||
more than 64kb of payload, even if the corresponding certificate or | more than 64kb of payload, even if the corresponding certificate or | |||
skipping to change at page 11, line 12 | skipping to change at page 11, line 17 | |||
The majority of this document is copied verbatim from RFC 2538, by | The majority of this document is copied verbatim from RFC 2538, by | |||
Donald Eastlake 3rd and Olafur Gudmundsson. | Donald Eastlake 3rd and Olafur Gudmundsson. | |||
6. Acknowledgements | 6. Acknowledgements | |||
Thanks to David Shaw and Michael Graff for their contributions to | Thanks to David Shaw and Michael Graff for their contributions to | |||
earlier works that motivated, and served as inspiration for, this | earlier works that motivated, and served as inspiration for, this | |||
document. | document. | |||
This document was improved by suggestions and comments from Olivier | This document was improved by suggestions and comments from Olivier | |||
Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis, | Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M. | |||
Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin, | ||||
Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | |||
Weiler, and Florian Weimer. No doubt the list is incomplete. We | Weiler, and Florian Weimer. No doubt the list is incomplete. We | |||
apologize to anyone we left out. | apologize to anyone we left out. | |||
7. Security Considerations | 7. Security Considerations | |||
By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
signature. Thus, it is reasonable to store certificates in non- | signature. Thus, it is reasonable to store certificates in non- | |||
secure DNS zones or to retrieve certificates from DNS with DNS | secure DNS zones or to retrieve certificates from DNS with DNS | |||
security checking not implemented or deferred for efficiency. The | security checking not implemented or deferred for efficiency. The | |||
skipping to change at page 12, line 16 | skipping to change at page 12, line 22 | |||
Decimal Type Meaning Reference | Decimal Type Meaning Reference | |||
------- ---- ------- --------- | ------- ---- ------- --------- | |||
0 Reserved RFC xxxx | 0 Reserved RFC xxxx | |||
1 PKIX X.509 as per PKIX RFC xxxx | 1 PKIX X.509 as per PKIX RFC xxxx | |||
2 SPKI SPKI certificate RFC xxxx | 2 SPKI SPKI certificate RFC xxxx | |||
3 PGP OpenPGP packet RFC xxxx | 3 PGP OpenPGP packet RFC xxxx | |||
4 IPKIX The URL of an X.509 data object RFC xxxx | 4 IPKIX The URL of an X.509 data object RFC xxxx | |||
5 ISPKI The URL of an SPKI certificate RFC xxxx | 5 ISPKI The URL of an SPKI certificate RFC xxxx | |||
6 IPGP The URL of an OpenPGP packet RFC xxxx | 6 IPGP The URL of an OpenPGP packet RFC xxxx | |||
7-252 Available for IANA assignment | 7 ACPKIX Attribute Certificate RFC xxxx | |||
8 IACPKIX The URL of an Attribute Certificate RFC xxxx | ||||
9-252 Available for IANA assignment | ||||
by IETF Standards action | by IETF Standards action | |||
253 URI URI private RFC xxxx | 253 URI URI private RFC xxxx | |||
254 OID OID private RFC xxxx | 254 OID OID private RFC xxxx | |||
255-65023 Available for IANA assignment | 255-65023 Available for IANA assignment | |||
by IETF Consensus | by IETF Consensus | |||
65024-65534 Experimental RFC xxxx | 65024-65534 Experimental RFC xxxx | |||
65535 Reserved RFC xxxx | 65535 Reserved RFC xxxx | |||
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
only be assigned by an IETF standards action [7]. This document | only be assigned by an IETF standards action [7]. This document | |||
assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE. Certificate | |||
types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | |||
based on RFC documentation of the certificate type. The availability | based on RFC documentation of the certificate type. The availability | |||
of private types under 0x00FD and 0x00FE ought to satisfy most | of private types under 0x00FD and 0x00FE ought to satisfy most | |||
requirements for proprietary or private types. | requirements for proprietary or private types. | |||
The CERT RR reuses the DNS Security Algorithm Numbers registry. In | The CERT RR reuses the DNS Security Algorithm Numbers registry. In | |||
particular, the CERT RR requires that algorithm number 0 remain | particular, the CERT RR requires that algorithm number 0 remain | |||
reserved, as described in Section 2. The IANA is directed to | reserved, as described in Section 2. The IANA is directed to | |||
reference the CERT RR as a user of this registry and value 0, in | reference the CERT RR as a user of this registry and value 0, in | |||
particular. | particular. | |||
skipping to change at page 13, line 17 | skipping to change at page 13, line 26 | |||
terminology. Improve reference for Key Tag Algorithm | terminology. Improve reference for Key Tag Algorithm | |||
calculations. | calculations. | |||
6. Add examples that suggest use of CNAME to reduce bandwidth. | 6. Add examples that suggest use of CNAME to reduce bandwidth. | |||
7. In section 3, appended the last paragraphs that discuss | 7. In section 3, appended the last paragraphs that discuss | |||
"content-based" vs "purpose-based" owner names. Add section 3.2 | "content-based" vs "purpose-based" owner names. Add section 3.2 | |||
for purpose-based X.509 CERT owner names, and section 3.4 for | for purpose-based X.509 CERT owner names, and section 3.4 for | |||
purpose-based OpenPGP CERT owner names. | purpose-based OpenPGP CERT owner names. | |||
8. Added size considerations. | 8. Added size considerations. | |||
9. The SPKI types has been reserved, until RFC 2692/2693 is moved | 9. The SPKI types has been reserved, until RFC 2692/2693 is moved | |||
from the experimental status. | from the experimental status. | |||
10. Added indirect types IPKIX, ISPKI, and IPGP. | 10. Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX. | |||
11. An IANA registry of CERT type values was created. | ||||
Appendix A. Copying conditions | Appendix A. Copying conditions | |||
Regarding the portion of this document that was written by Simon | Regarding the portion of this document that was written by Simon | |||
Josefsson ("the author", for the remainder of this section), the | Josefsson ("the author", for the remainder of this section), the | |||
author makes no guarantees and is not responsible for any damage | author makes no guarantees and is not responsible for any damage | |||
resulting from its use. The author grants irrevocable permission to | resulting from its use. The author grants irrevocable permission to | |||
anyone to use, modify, and distribute it in any way that does not | anyone to use, modify, and distribute it in any way that does not | |||
diminish the rights of anyone else to use, modify, and distribute it, | diminish the rights of anyone else to use, modify, and distribute it, | |||
provided that redistributed derivative works do not contain | provided that redistributed derivative works do not contain | |||
skipping to change at page 14, line 18 | skipping to change at page 14, line 29 | |||
[7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | |||
Considerations Section in RFCs", BCP 26, RFC 2434, | Considerations Section in RFCs", BCP 26, RFC 2434, | |||
October 1998. | October 1998. | |||
[8] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | |||
[9] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 | [9] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 | |||
Public Key Infrastructure Certificate and Certificate | Public Key Infrastructure Certificate and Certificate | |||
Revocation List (CRL) Profile", RFC 3280, April 2002. | Revocation List (CRL) Profile", RFC 3280, April 2002. | |||
[10] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | [10] Farrell, S. and R. Housley, "An Internet Attribute Certificate | |||
Profile for Authorization", RFC 3281, April 2002. | ||||
[11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | ||||
"DNS Security Introduction and Requirements", RFC 4033, | "DNS Security Introduction and Requirements", RFC 4033, | |||
March 2005. | March 2005. | |||
[11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | [12] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | |||
"Resource Records for the DNS Security Extensions", RFC 4034, | "Resource Records for the DNS Security Extensions", RFC 4034, | |||
March 2005. | March 2005. | |||
10.2. Informative References | 10.2. Informative References | |||
[12] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [13] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
RFC 2246, January 1999. | RFC 2246, January 1999. | |||
[13] Kent, S. and R. Atkinson, "Security Architecture for the | [14] Kent, S. and R. Atkinson, "Security Architecture for the | |||
Internet Protocol", RFC 2401, November 1998. | Internet Protocol", RFC 2401, November 1998. | |||
[14] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | [15] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | |||
and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | |||
September 1999. | September 1999. | |||
[15] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | [16] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | |||
RFC 3548, July 2003. | RFC 3548, July 2003. | |||
[16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | [17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | |||
(S/MIME) Version 3.1 Message Specification", RFC 3851, | (S/MIME) Version 3.1 Message Specification", RFC 3851, | |||
July 2004. | July 2004. | |||
[17] Richardson, M., "A Method for Storing IPsec Keying Material in | [18] Richardson, M., "A Method for Storing IPsec Keying Material in | |||
DNS", RFC 4025, March 2005. | DNS", RFC 4025, March 2005. | |||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
Email: simon@josefsson.org | Email: simon@josefsson.org | |||
Intellectual Property Statement | Intellectual Property Statement | |||
End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |