| draft-ietf-dnsext-rfc2538bis-08.txt | draft-ietf-dnsext-rfc2538bis-09.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
| Obsoletes: 2538 (if approved) | Obsoletes: 2538 (if approved) | |||
| Expires: April 2, 2006 | Expires: April 21, 2006 | |||
| Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
| draft-ietf-dnsext-rfc2538bis-08 | draft-ietf-dnsext-rfc2538bis-09 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on April 2, 2006. | This Internet-Draft will expire on April 21, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| Cryptographic public keys are frequently published and their | Cryptographic public keys are frequently published and their | |||
| authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
| (RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
| skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5 | 2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5 | |||
| 2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | |||
| 3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | 3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | |||
| 3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 | 3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 | |||
| 3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | 3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | |||
| 3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | 3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9 | |||
| 3.5. Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . . 10 | 3.5. Owner names for IPKIX, ISPKI, IPGP, and IACPKIX . . . . . 10 | |||
| 4. Performance Considerations . . . . . . . . . . . . . . . . . . 10 | 4. Performance Considerations . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 12 | 9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 13 | Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 13 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 16 | Intellectual Property and Copyright Statements . . . . . . . . . . 17 | |||
| 1. Introduction | 1. Introduction | |||
| Public keys are frequently published in the form of a certificate and | Public keys are frequently published in the form of a certificate and | |||
| their authenticity is commonly demonstrated by certificates and | their authenticity is commonly demonstrated by certificates and | |||
| related certificate revocation lists (CRLs). A certificate is a | related certificate revocation lists (CRLs). A certificate is a | |||
| binding, through a cryptographic digital signature, of a public key, | binding, through a cryptographic digital signature, of a public key, | |||
| a validity interval and/or conditions, and identity, authorization, | a validity interval and/or conditions, and identity, authorization, | |||
| or other information. A certificate revocation list is a list of | or other information. A certificate revocation list is a list of | |||
| certificates that are revoked, and incidental information, all signed | certificates that are revoked, and incidental information, all signed | |||
| skipping to change at page 3, line 26 | skipping to change at page 3, line 26 | |||
| certificates/revocations used by OpenPGP software. | certificates/revocations used by OpenPGP software. | |||
| Section 2 below specifies a CERT resource record (RR) for the storage | Section 2 below specifies a CERT resource record (RR) for the storage | |||
| of certificates in the Domain Name System [1] [2]. | of certificates in the Domain Name System [1] [2]. | |||
| Section 3 discusses appropriate owner names for CERT RRs. | Section 3 discusses appropriate owner names for CERT RRs. | |||
| Sections 4, 5, and 6 below cover performance, IANA, and security | Sections 4, 5, and 6 below cover performance, IANA, and security | |||
| considerations, respectively. | considerations, respectively. | |||
| Section 9 explain the changes in this document compared to RFC 2538. | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [3]. | document are to be interpreted as described in [3]. | |||
| 2. The CERT Resource Record | 2. The CERT Resource Record | |||
| The CERT resource record (RR) has the structure given below. Its RR | The CERT resource record (RR) has the structure given below. Its RR | |||
| type code is 37. | type code is 37. | |||
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
| skipping to change at page 3, line 50 | skipping to change at page 4, line 4 | |||
| | algorithm | / | | algorithm | / | |||
| +---------------+ certificate or CRL / | +---------------+ certificate or CRL / | |||
| / / | / / | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | |||
| The type field is the certificate type as defined in section 2.1 | The type field is the certificate type as defined in section 2.1 | |||
| below. | below. | |||
| The key tag field is the 16 bit value computed for the key embedded | The key tag field is the 16 bit value computed for the key embedded | |||
| in the certificate, using the RRSIG Key Tag algorithm described in | in the certificate, using the RRSIG Key Tag algorithm described in | |||
| Appendix B of [11]. This field is used as an efficiency measure to | Appendix B of [12]. This field is used as an efficiency measure to | |||
| pick which CERT RRs may be applicable to a particular key. The key | pick which CERT RRs may be applicable to a particular key. The key | |||
| tag can be calculated for the key in question and then only CERT RRs | tag can be calculated for the key in question and then only CERT RRs | |||
| with the same key tag need be examined. Note that two different keys | with the same key tag need be examined. Note that two different keys | |||
| may have the same key tag. However, the key must always be | can have the same key tag. However, the key MUST be transformed to | |||
| transformed to the format it would have as the public key portion of | the format it would have as the public key portion of a DNSKEY RR | |||
| a DNSKEY RR before the key tag is computed. This is only possible if | before the key tag is computed. This is only possible if the key is | |||
| the key is applicable to an algorithm and complies to limits (such as | applicable to an algorithm and complies to limits (such as key size) | |||
| key size) defined for DNS security. If it is not, the algorithm | defined for DNS security. If it is not, the algorithm field MUST be | |||
| field MUST be zero and the tag field is meaningless and SHOULD be | zero and the tag field is meaningless and SHOULD be zero. | |||
| zero. | ||||
| The algorithm field has the same meaning as the algorithm field in | The algorithm field has the same meaning as the algorithm field in | |||
| DNSKEY and RRSIG RRs [11], except that a zero algorithm field | DNSKEY and RRSIG RRs [12], except that a zero algorithm field | |||
| indicates the algorithm is unknown to a secure DNS, which may simply | indicates the algorithm is unknown to a secure DNS, which may simply | |||
| be the result of the algorithm not having been standardized for | be the result of the algorithm not having been standardized for | |||
| DNSSEC [10]. | DNSSEC [11]. | |||
| 2.1. Certificate Type Values | 2.1. Certificate Type Values | |||
| The following values are defined or reserved: | The following values are defined or reserved: | |||
| Value Mnemonic Certificate Type | Value Mnemonic Certificate Type | |||
| ----- -------- ---------------- | ----- -------- ---------------- | |||
| 0 reserved | 0 reserved | |||
| 1 PKIX X.509 as per PKIX | 1 PKIX X.509 as per PKIX | |||
| 2 SPKI SPKI certificate | 2 SPKI SPKI certificate | |||
| 3 PGP OpenPGP packet | 3 PGP OpenPGP packet | |||
| 4 IPKIX The URL of an X.509 data object | 4 IPKIX The URL of an X.509 data object | |||
| 5 ISPKI The URL of an SPKI certificate | 5 ISPKI The URL of an SPKI certificate | |||
| 6 IPGP The URL of an OpenPGP packet | 6 IPGP The URL of an OpenPGP packet | |||
| 7-252 available for IANA assignment | 7 ACPKIX Attribute Certificate | |||
| 8 IACPKIX The URL of an Attribute Certificate | ||||
| 9-252 available for IANA assignment | ||||
| 253 URI URI private | 253 URI URI private | |||
| 254 OID OID private | 254 OID OID private | |||
| 255-65023 available for IANA assignment | 255-65023 available for IANA assignment | |||
| 65024-65534 experimental | 65024-65534 experimental | |||
| 65535 reserved | 65535 reserved | |||
| These values represent the initial content of the IANA registry, see | ||||
| section 8. | ||||
| The PKIX type is reserved to indicate an X.509 certificate conforming | The PKIX type is reserved to indicate an X.509 certificate conforming | |||
| to the profile defined by the IETF PKIX working group [9]. The | to the profile defined by the IETF PKIX working group [9]. The | |||
| certificate section will start with a one-byte unsigned OID length | certificate section will start with a one-octet unsigned OID length | |||
| and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
| certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
| not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
| The SPKI type is reserved to indicate the SPKI certificate format | The SPKI type is reserved to indicate the SPKI certificate format | |||
| [14], for use when the SPKI documents are moved from experimental | [15], for use when the SPKI documents are moved from experimental | |||
| status. | status. | |||
| The PGP type indicates an OpenPGP packet as described in [6] and its | The PGP type indicates an OpenPGP packet as described in [6] and its | |||
| extensions and successors. Two uses are to transfer public key | extensions and successors. Two uses are to transfer public key | |||
| material and revocation signatures. The data is binary, and MUST NOT | material and revocation signatures. The data is binary, and MUST NOT | |||
| be encoded into an ASCII armor. An implementation SHOULD process | be encoded into an ASCII armor. An implementation SHOULD process | |||
| transferable public keys as described in section 10.1 of [6], but it | transferable public keys as described in section 10.1 of [6], but it | |||
| MAY handle additional OpenPGP packets. | MAY handle additional OpenPGP packets. | |||
| The IPKIX, ISPKI and IPGP types indicate a URL which will serve the | The ACPKIX type indicate an Attribute Certificate format [10]. | |||
| content that would have been in the "certificate, CRL or URL" field | ||||
| of the corresponding types; PKIX, SPKI or PGP, respectively. The | The IPKIX, ISPKI, IPGP, IACPKIX types indicate a URL which will serve | |||
| IPKIX, ISPKI and IPGP types are known as "indirect". These types | the content that would have been in the "certificate, CRL or URL" | |||
| MUST be used when the content is too large to fit in the CERT RR, and | field of the corresponding types; PKIX, SPKI, PGP, or ACPKIX | |||
| MAY be used at the implementer's discretion. They SHOULD NOT be used | respectively. The IPKIX, ISPKI, IPGP and IACPKIX types are known as | |||
| where the DNS message is 512 bytes or smaller, and could thus be | "indirect". These types MUST be used when the content is too large | |||
| expected to fit a UDP packet. | to fit in the CERT RR, and MAY be used at the implementer's | |||
| discretion. They SHOULD NOT be used where the DNS message is 512 | ||||
| octets or smaller, and could thus be expected to fit a UDP packet. | ||||
| The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
| absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
| a null terminated URI [5] and the data after the null is the private | a null terminated URI [5] and the data after the null is the private | |||
| format certificate itself. The URI SHOULD be such that a retrieval | format certificate itself. The URI SHOULD be such that a retrieval | |||
| from it will lead to documentation on the format of the certificate. | from it will lead to documentation on the format of the certificate. | |||
| Recognition of private certificate types need not be based on URI | Recognition of private certificate types need not be based on URI | |||
| equality but can use various forms of pattern matching so that, for | equality but can use various forms of pattern matching so that, for | |||
| example, subtype or version information can also be encoded into the | example, subtype or version information can also be encoded into the | |||
| URI. | URI. | |||
| The OID private type indicates a private format certificate specified | The OID private type indicates a private format certificate specified | |||
| by an ISO OID prefix. The certificate section will start with a one- | by an ISO OID prefix. The certificate section will start with a one- | |||
| byte unsigned OID length and then a BER encoded OID indicating the | octet unsigned OID length and then a BER encoded OID indicating the | |||
| nature of the remainder of the certificate section. This can be an | nature of the remainder of the certificate section. This can be an | |||
| X.509 certificate format or some other format. X.509 certificates | X.509 certificate format or some other format. X.509 certificates | |||
| that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | |||
| type, not the OID private type. Recognition of private certificate | type, not the OID private type. Recognition of private certificate | |||
| types need not be based on OID equality but can use various forms of | types need not be based on OID equality but can use various forms of | |||
| pattern matching such as OID prefix. | pattern matching such as OID prefix. | |||
| 2.2. Text Representation of CERT RRs | 2.2. Text Representation of CERT RRs | |||
| The RDATA portion of a CERT RR has the type field as an unsigned | The RDATA portion of a CERT RR has the type field as an unsigned | |||
| decimal integer or as a mnemonic symbol as listed in section 2.1 | decimal integer or as a mnemonic symbol as listed in section 2.1 | |||
| above. | above. | |||
| The key tag field is represented as an unsigned decimal integer. | The key tag field is represented as an unsigned decimal integer. | |||
| The algorithm field is represented as an unsigned decimal integer or | The algorithm field is represented as an unsigned decimal integer or | |||
| a mnemonic symbol as listed in [11]. | a mnemonic symbol as listed in [12]. | |||
| The certificate / CRL portion is represented in base 64 [15] and may | The certificate / CRL portion is represented in base 64 [16] and may | |||
| be divided up into any number of white space separated substrings, | be divided up into any number of white space separated substrings, | |||
| down to single base 64 digits, which are concatenated to obtain the | down to single base 64 digits, which are concatenated to obtain the | |||
| full signature. These substrings can span lines using the standard | full signature. These substrings can span lines using the standard | |||
| parenthesis. | parenthesis. | |||
| Note that the certificate / CRL portion may have internal sub-fields, | Note that the certificate / CRL portion may have internal sub-fields, | |||
| but these do not appear in the master file representation. For | but these do not appear in the master file representation. For | |||
| example, with type 254, there will be an OID size, an OID, and then | example, with type 254, there will be an OID size, an OID, and then | |||
| the certificate / CRL proper. But only a single logical base 64 | the certificate / CRL proper. But only a single logical base 64 | |||
| string will appear in the text representation. | string will appear in the text representation. | |||
| skipping to change at page 8, line 43 | skipping to change at page 9, line 7 | |||
| 2. 201.13.251.10.in-addr.arpa, and | 2. 201.13.251.10.in-addr.arpa, and | |||
| 3. hacker.mail.widget.foo.example. | 3. hacker.mail.widget.foo.example. | |||
| 3.2. Purpose-based X.509 CERT RR Names | 3.2. Purpose-based X.509 CERT RR Names | |||
| Due to the difficulty for clients that do not already possess a | Due to the difficulty for clients that do not already possess a | |||
| certificate to reconstruct the content-based owner name, purpose- | certificate to reconstruct the content-based owner name, purpose- | |||
| based owner names are recommended in this section. Recommendations | based owner names are recommended in this section. Recommendations | |||
| for purpose-based owner names vary per scenario. The following table | for purpose-based owner names vary per scenario. The following table | |||
| summarizes the purpose-based X.509 CERT RR owner name guidelines for | summarizes the purpose-based X.509 CERT RR owner name guidelines for | |||
| use with S/MIME [16], SSL/TLS [12], and IPSEC [13]: | use with S/MIME [17], SSL/TLS [13], and IPsec [14]: | |||
| Scenario Owner name | Scenario Owner name | |||
| ------------------ ---------------------------------------------- | ------------------ ---------------------------------------------- | |||
| S/MIME Certificate Standard translation of an RFC 2822 email | S/MIME Certificate Standard translation of an RFC 2822 email | |||
| address. Example: An S/MIME certificate for | address. Example: An S/MIME certificate for | |||
| "postmaster@example.org" will use a standard | "postmaster@example.org" will use a standard | |||
| hostname translation of the owner name, | hostname translation of the owner name, | |||
| "postmaster.example.org". | "postmaster.example.org". | |||
| TLS Certificate Hostname of the TLS server. | TLS Certificate Hostname of the TLS server. | |||
| IPSEC Certificate Hostname of the IPSEC machine and/or, for IPv4 | IPsec Certificate Hostname of the IPsec machine and/or, for IPv4 | |||
| or IPv6 addresses, the fully qualified domain | or IPv6 addresses, the fully qualified domain | |||
| name in the appropriate reverse domain. | name in the appropriate reverse domain. | |||
| An alternate approach for IPSEC is to store raw public keys [17]. | An alternate approach for IPsec is to store raw public keys [18]. | |||
| 3.3. Content-based OpenPGP CERT RR Names | 3.3. Content-based OpenPGP CERT RR Names | |||
| OpenPGP signed keys (certificates) use a general character string | OpenPGP signed keys (certificates) use a general character string | |||
| User ID [6]. However, it is recommended by OpenPGP that such names | User ID [6]. However, it is recommended by OpenPGP that such names | |||
| include the RFC 2822 [8] email address of the party, as in "Leslie | include the RFC 2822 [8] email address of the party, as in "Leslie | |||
| Example <Leslie@host.example>". If such a format is used, the CERT | Example <Leslie@host.example>". If such a format is used, the CERT | |||
| ought to be under the standard translation of the email address into | ought to be under the standard translation of the email address into | |||
| a domain name, which would be leslie.host.example in this case. If | a domain name, which would be leslie.host.example in this case. If | |||
| no RFC 2822 name can be extracted from the string name, no specific | no RFC 2822 name can be extracted from the string name, no specific | |||
| skipping to change at page 9, line 50 | skipping to change at page 10, line 6 | |||
| 3.4. Purpose-based OpenPGP CERT RR Names | 3.4. Purpose-based OpenPGP CERT RR Names | |||
| Applications that receive an OpenPGP packet containing encrypted or | Applications that receive an OpenPGP packet containing encrypted or | |||
| signed data but do not know the email address of the sender will have | signed data but do not know the email address of the sender will have | |||
| difficulties constructing the correct owner name and cannot use the | difficulties constructing the correct owner name and cannot use the | |||
| content-based owner name guidelines. However, these clients commonly | content-based owner name guidelines. However, these clients commonly | |||
| know the key fingerprint or the Key ID. The key ID is found in | know the key fingerprint or the Key ID. The key ID is found in | |||
| OpenPGP packets, and the key fingerprint is commonly found in | OpenPGP packets, and the key fingerprint is commonly found in | |||
| auxiliary data that may be available. In this case, use of an owner | auxiliary data that may be available. In this case, use of an owner | |||
| name identical to the key fingerprint and the key ID expressed in | name identical to the key fingerprint and the key ID expressed in | |||
| hexadecimal [15] is recommended. Example: | hexadecimal [16] is recommended. Example: | |||
| $ORIGIN example.org. | $ORIGIN example.org. | |||
| 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... | 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... | |||
| F835EDA21E94B565716F IN CERT PGP ... | F835EDA21E94B565716F IN CERT PGP ... | |||
| B565716F IN CERT PGP ... | B565716F IN CERT PGP ... | |||
| If the same key material is stored for several owner names, the use | If the same key material is stored for several owner names, the use | |||
| of CNAME may help to avoid data duplication. Note that CNAME is not | of CNAME may help to avoid data duplication. Note that CNAME is not | |||
| always applicable, because it maps one owner name to the other for | always applicable, because it maps one owner name to the other for | |||
| all purposes, which may be sub-optimal when two keys with the same | all purposes, which may be sub-optimal when two keys with the same | |||
| Key ID are stored. | Key ID are stored. | |||
| 3.5. Owner names for IPKIX, ISPKI, and IPGP | 3.5. Owner names for IPKIX, ISPKI, IPGP, and IACPKIX | |||
| These types are stored under the same owner names, both purpose- and | These types are stored under the same owner names, both purpose- and | |||
| content-based, as the PKIX, SPKI and PGP types. | content-based, as the PKIX, SPKI, PGP and ACPKIX types. | |||
| 4. Performance Considerations | 4. Performance Considerations | |||
| The Domain Name System (DNS) protocol was designed for small | The Domain Name System (DNS) protocol was designed for small | |||
| transfers, typically below 512 bytes. While larger transfers will | transfers, typically below 512 octets. While larger transfers will | |||
| perform correctly and work is underway to make larger transfers more | perform correctly and work is underway to make larger transfers more | |||
| efficient, it is still advisable at this time to make every | efficient, it is still advisable at this time to make every | |||
| reasonable effort to minimize the size of certificates stored within | reasonable effort to minimize the size of certificates stored within | |||
| the DNS. Steps that can be taken may include using the fewest | the DNS. Steps that can be taken may include using the fewest | |||
| possible optional or extension fields and using short field values | possible optional or extension fields and using short field values | |||
| for necessary variable length fields. | for necessary variable length fields. | |||
| The RDATA field in the DNS protocol may only hold data of size 65535 | The RDATA field in the DNS protocol may only hold data of size 65535 | |||
| octets (64kb) or less. This means that each CERT RR MUST NOT contain | octets (64kb) or less. This means that each CERT RR MUST NOT contain | |||
| more than 64kb of payload, even if the corresponding certificate or | more than 64kb of payload, even if the corresponding certificate or | |||
| skipping to change at page 11, line 12 | skipping to change at page 11, line 17 | |||
| The majority of this document is copied verbatim from RFC 2538, by | The majority of this document is copied verbatim from RFC 2538, by | |||
| Donald Eastlake 3rd and Olafur Gudmundsson. | Donald Eastlake 3rd and Olafur Gudmundsson. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| Thanks to David Shaw and Michael Graff for their contributions to | Thanks to David Shaw and Michael Graff for their contributions to | |||
| earlier works that motivated, and served as inspiration for, this | earlier works that motivated, and served as inspiration for, this | |||
| document. | document. | |||
| This document was improved by suggestions and comments from Olivier | This document was improved by suggestions and comments from Olivier | |||
| Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis, | Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M. | |||
| Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin, | ||||
| Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | |||
| Weiler, and Florian Weimer. No doubt the list is incomplete. We | Weiler, and Florian Weimer. No doubt the list is incomplete. We | |||
| apologize to anyone we left out. | apologize to anyone we left out. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
| signature. Thus, it is reasonable to store certificates in non- | signature. Thus, it is reasonable to store certificates in non- | |||
| secure DNS zones or to retrieve certificates from DNS with DNS | secure DNS zones or to retrieve certificates from DNS with DNS | |||
| security checking not implemented or deferred for efficiency. The | security checking not implemented or deferred for efficiency. The | |||
| skipping to change at page 12, line 16 | skipping to change at page 12, line 22 | |||
| Decimal Type Meaning Reference | Decimal Type Meaning Reference | |||
| ------- ---- ------- --------- | ------- ---- ------- --------- | |||
| 0 Reserved RFC xxxx | 0 Reserved RFC xxxx | |||
| 1 PKIX X.509 as per PKIX RFC xxxx | 1 PKIX X.509 as per PKIX RFC xxxx | |||
| 2 SPKI SPKI certificate RFC xxxx | 2 SPKI SPKI certificate RFC xxxx | |||
| 3 PGP OpenPGP packet RFC xxxx | 3 PGP OpenPGP packet RFC xxxx | |||
| 4 IPKIX The URL of an X.509 data object RFC xxxx | 4 IPKIX The URL of an X.509 data object RFC xxxx | |||
| 5 ISPKI The URL of an SPKI certificate RFC xxxx | 5 ISPKI The URL of an SPKI certificate RFC xxxx | |||
| 6 IPGP The URL of an OpenPGP packet RFC xxxx | 6 IPGP The URL of an OpenPGP packet RFC xxxx | |||
| 7-252 Available for IANA assignment | 7 ACPKIX Attribute Certificate RFC xxxx | |||
| 8 IACPKIX The URL of an Attribute Certificate RFC xxxx | ||||
| 9-252 Available for IANA assignment | ||||
| by IETF Standards action | by IETF Standards action | |||
| 253 URI URI private RFC xxxx | 253 URI URI private RFC xxxx | |||
| 254 OID OID private RFC xxxx | 254 OID OID private RFC xxxx | |||
| 255-65023 Available for IANA assignment | 255-65023 Available for IANA assignment | |||
| by IETF Consensus | by IETF Consensus | |||
| 65024-65534 Experimental RFC xxxx | 65024-65534 Experimental RFC xxxx | |||
| 65535 Reserved RFC xxxx | 65535 Reserved RFC xxxx | |||
| Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
| only be assigned by an IETF standards action [7]. This document | only be assigned by an IETF standards action [7]. This document | |||
| assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE. Certificate | |||
| types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | |||
| based on RFC documentation of the certificate type. The availability | based on RFC documentation of the certificate type. The availability | |||
| of private types under 0x00FD and 0x00FE ought to satisfy most | of private types under 0x00FD and 0x00FE ought to satisfy most | |||
| requirements for proprietary or private types. | requirements for proprietary or private types. | |||
| The CERT RR reuses the DNS Security Algorithm Numbers registry. In | The CERT RR reuses the DNS Security Algorithm Numbers registry. In | |||
| particular, the CERT RR requires that algorithm number 0 remain | particular, the CERT RR requires that algorithm number 0 remain | |||
| reserved, as described in Section 2. The IANA is directed to | reserved, as described in Section 2. The IANA is directed to | |||
| reference the CERT RR as a user of this registry and value 0, in | reference the CERT RR as a user of this registry and value 0, in | |||
| particular. | particular. | |||
| skipping to change at page 13, line 17 | skipping to change at page 13, line 26 | |||
| terminology. Improve reference for Key Tag Algorithm | terminology. Improve reference for Key Tag Algorithm | |||
| calculations. | calculations. | |||
| 6. Add examples that suggest use of CNAME to reduce bandwidth. | 6. Add examples that suggest use of CNAME to reduce bandwidth. | |||
| 7. In section 3, appended the last paragraphs that discuss | 7. In section 3, appended the last paragraphs that discuss | |||
| "content-based" vs "purpose-based" owner names. Add section 3.2 | "content-based" vs "purpose-based" owner names. Add section 3.2 | |||
| for purpose-based X.509 CERT owner names, and section 3.4 for | for purpose-based X.509 CERT owner names, and section 3.4 for | |||
| purpose-based OpenPGP CERT owner names. | purpose-based OpenPGP CERT owner names. | |||
| 8. Added size considerations. | 8. Added size considerations. | |||
| 9. The SPKI types has been reserved, until RFC 2692/2693 is moved | 9. The SPKI types has been reserved, until RFC 2692/2693 is moved | |||
| from the experimental status. | from the experimental status. | |||
| 10. Added indirect types IPKIX, ISPKI, and IPGP. | 10. Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX. | |||
| 11. An IANA registry of CERT type values was created. | ||||
| Appendix A. Copying conditions | Appendix A. Copying conditions | |||
| Regarding the portion of this document that was written by Simon | Regarding the portion of this document that was written by Simon | |||
| Josefsson ("the author", for the remainder of this section), the | Josefsson ("the author", for the remainder of this section), the | |||
| author makes no guarantees and is not responsible for any damage | author makes no guarantees and is not responsible for any damage | |||
| resulting from its use. The author grants irrevocable permission to | resulting from its use. The author grants irrevocable permission to | |||
| anyone to use, modify, and distribute it in any way that does not | anyone to use, modify, and distribute it in any way that does not | |||
| diminish the rights of anyone else to use, modify, and distribute it, | diminish the rights of anyone else to use, modify, and distribute it, | |||
| provided that redistributed derivative works do not contain | provided that redistributed derivative works do not contain | |||
| skipping to change at page 14, line 18 | skipping to change at page 14, line 29 | |||
| [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | |||
| Considerations Section in RFCs", BCP 26, RFC 2434, | Considerations Section in RFCs", BCP 26, RFC 2434, | |||
| October 1998. | October 1998. | |||
| [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | |||
| [9] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 | [9] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 | |||
| Public Key Infrastructure Certificate and Certificate | Public Key Infrastructure Certificate and Certificate | |||
| Revocation List (CRL) Profile", RFC 3280, April 2002. | Revocation List (CRL) Profile", RFC 3280, April 2002. | |||
| [10] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | [10] Farrell, S. and R. Housley, "An Internet Attribute Certificate | |||
| Profile for Authorization", RFC 3281, April 2002. | ||||
| [11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | ||||
| "DNS Security Introduction and Requirements", RFC 4033, | "DNS Security Introduction and Requirements", RFC 4033, | |||
| March 2005. | March 2005. | |||
| [11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | [12] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | |||
| "Resource Records for the DNS Security Extensions", RFC 4034, | "Resource Records for the DNS Security Extensions", RFC 4034, | |||
| March 2005. | March 2005. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [12] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [13] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
| RFC 2246, January 1999. | RFC 2246, January 1999. | |||
| [13] Kent, S. and R. Atkinson, "Security Architecture for the | [14] Kent, S. and R. Atkinson, "Security Architecture for the | |||
| Internet Protocol", RFC 2401, November 1998. | Internet Protocol", RFC 2401, November 1998. | |||
| [14] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | [15] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | |||
| and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | |||
| September 1999. | September 1999. | |||
| [15] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | [16] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | |||
| RFC 3548, July 2003. | RFC 3548, July 2003. | |||
| [16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | [17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | |||
| (S/MIME) Version 3.1 Message Specification", RFC 3851, | (S/MIME) Version 3.1 Message Specification", RFC 3851, | |||
| July 2004. | July 2004. | |||
| [17] Richardson, M., "A Method for Storing IPsec Keying Material in | [18] Richardson, M., "A Method for Storing IPsec Keying Material in | |||
| DNS", RFC 4025, March 2005. | DNS", RFC 4025, March 2005. | |||
| Author's Address | Author's Address | |||
| Simon Josefsson | Simon Josefsson | |||
| Email: simon@josefsson.org | Email: simon@josefsson.org | |||
| Intellectual Property Statement | Intellectual Property Statement | |||
| End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||