rfc2538xml.txt | draft-josefsson-rfc2538bis-00.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Expires: March 2, 2005 | Expires: April 14, 2005 | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
rfc2538 | draft-josefsson-rfc2538bis-00 | |||
Status of this Memo | Status of this Memo | |||
This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
of section 3 of RFC 3667. By submitting this Internet-Draft, each | of section 3 of RFC 3667. By submitting this Internet-Draft, each | |||
author represents that any applicable patent or other IPR claims of | author represents that any applicable patent or other IPR claims of | |||
which he or she is aware have been or will be disclosed, and any of | which he or she is aware have been or will be disclosed, and any of | |||
which he or she become aware will be disclosed, in accordance with | which he or she become aware will be disclosed, in accordance with | |||
RFC 3668. | RFC 3668. | |||
skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on March 2, 2005. | This Internet-Draft will expire on April 14, 2005. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2004). | |||
Abstract | Abstract | |||
Cryptographic public key are frequently published and their | Cryptographic public key are frequently published and their | |||
authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
revocation lists can be stored in the Domain Name System (DNS). | revocation lists can be stored in the Domain Name System (DNS). | |||
More information on this document, including rfcdiff output, may be | ||||
found at <http://josefsson.org/rfc2538bis/>. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | |||
2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | |||
2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | 2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | |||
2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | |||
3.1 X.509 CERT RR Names . . . . . . . . . . . . . . . . . . . 6 | 3.1 X.509 CERT RR Names . . . . . . . . . . . . . . . . . . . 6 | |||
3.2 PGP CERT RR Names . . . . . . . . . . . . . . . . . . . . 7 | 3.2 PGP CERT RR Names . . . . . . . . . . . . . . . . . . . . 7 | |||
4. Performance Considerations . . . . . . . . . . . . . . . . . . 7 | 4. Performance Considerations . . . . . . . . . . . . . . . . . . 8 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 9 | |||
Intellectual Property and Copyright Statements . . . . . . . . 10 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 9 | ||||
9.2 Informative References . . . . . . . . . . . . . . . . . . . 10 | ||||
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
Intellectual Property and Copyright Statements . . . . . . . . 12 | ||||
1. Introduction | 1. Introduction | |||
Public keys are frequently published in the form of a certificate and | Public keys are frequently published in the form of a certificate and | |||
their authenticity is commonly demonstrated by certificates and | their authenticity is commonly demonstrated by certificates and | |||
related certificate revocation lists (CRLs). A certificate is a | related certificate revocation lists (CRLs). A certificate is a | |||
binding, through a cryptographic digital signature, of a public key, | binding, through a cryptographic digital signature, of a public key, | |||
a validity interval and/or conditions, and identity, authorization, | a validity interval and/or conditions, and identity, authorization, | |||
or other information. A certificate revocation list is a list of | or other information. A certificate revocation list is a list of | |||
certificates that are revoked, and incidental information, all signed | certificates that are revoked, and incidental information, all signed | |||
by the signer (issuer) of the revoked certificates. Examples are | by the signer (issuer) of the revoked certificates. Examples are | |||
X.509 certificates/CRLs in the X.500 directory system or PGP | X.509 certificates/CRLs in the X.500 directory system or OpenPGP | |||
certificates/revocations used by PGP software. | certificates/revocations used by OpenPGP software. | |||
Section 2 below specifies a CERT resource record (RR) for the storage | Section 2 below specifies a CERT resource record (RR) for the storage | |||
of certificates in the Domain Name System. | of certificates in the Domain Name System. | |||
Section 3 discusses appropriate owner names for CERT RRs. | Section 3 discusses appropriate owner names for CERT RRs. | |||
Sections 4, 5, and 6 below cover performance, IANA, and security | Sections 4, 5, and 6 below cover performance, IANA, and security | |||
considerations, respectively. | considerations, respectively. | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [3]. | document are to be interpreted as described in [11]. | |||
2. The CERT Resource Record | 2. The CERT Resource Record | |||
The CERT resource record (RR) has the structure given below. Its RR | The CERT resource record (RR) has the structure given below. Its RR | |||
type code is 37. | type code is 37. | |||
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| type | key tag | | | type | key tag | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| algorithm | / | | algorithm | / | |||
+---------------+ certificate or CRL / | +---------------+ certificate or CRL / | |||
/ / | / / | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | |||
The type field is the certificate type as define in section 2.1 | The type field is the certificate type as define in section 2.1 | |||
below. | below. | |||
The algorithm field has the same meaning as the algorithm field in | The algorithm field has the same meaning as the algorithm field in | |||
KEY and SIG RRs [8] except that a zero algorithm field indicates the | DNSKEY and RRSIG RRs [10] except that a zero algorithm field | |||
algorithm is unknown to a secure DNS, which may simply be the result | indicates the algorithm is unknown to a secure DNS, which may simply | |||
of the algorithm not having been standardized for secure DNS. | be the result of the algorithm not having been standardized for | |||
DNSSEC. | ||||
The key tag field is the 16 bit value computed for the key embedded | The key tag field is the 16 bit value computed for the key embedded | |||
in the certificate as specified in the DNSSEC Standard [8]. This | in the certificate, using the RRSIG Key Tag Algorithm described in | |||
field is used as an efficiency measure to pick which CERT RRs may be | Appendix B of [10]. This field is used as an efficiency measure to | |||
applicable to a particular key. The key tag can be calculated for | pick which CERT RRs may be applicable to a particular key. The key | |||
the key in question and then only CERT RRs with the same key tag need | tag can be calculated for the key in question and then only CERT RRs | |||
be examined. However, the key must always be transformed to the | with the same key tag need be examined. However, the key must always | |||
format it would have as the public key portion of a KEY RR before the | be transformed to the format it would have as the public key portion | |||
key tag is computed. This is only possible if the key is applicable | of a DNSKEY RR before the key tag is computed. This is only possible | |||
to an algorithm (and limits such as key size limits) defined for DNS | if the key is applicable to an algorithm (and limits such as key size | |||
security. If it is not, the algorithm field MUST BE zero and the tag | limits) defined for DNS security. If it is not, the algorithm field | |||
field is meaningless and SHOULD BE zero. | MUST BE zero and the tag field is meaningless and SHOULD BE zero. | |||
2.1 Certificate Type Values | 2.1 Certificate Type Values | |||
The following values are defined or reserved: | The following values are defined or reserved: | |||
Value Mnemonic Certificate Type | Value Mnemonic Certificate Type | |||
----- -------- ----------- ---- | ----- -------- ----------- ---- | |||
0 reserved | 0 reserved | |||
1 PKIX X.509 as per PKIX | 1 PKIX X.509 as per PKIX | |||
2 SPKI SPKI cert | 2 SPKI SPKI certificate | |||
3 PGP PGP cert | 3 PGP OpenPGP data packet | |||
4-252 available for IANA assignment | 4-252 available for IANA assignment | |||
253 URI URI private | 253 URI URI private | |||
254 OID OID private | 254 OID OID private | |||
255-65534 available for IANA assignment | 255-65534 available for IANA assignment | |||
65535 reserved | 65535 reserved | |||
The PKIX type is reserved to indicate an X.509 certificate conforming | The PKIX type is reserved to indicate an X.509 certificate conforming | |||
to the profile being defined by the IETF PKIX working group. The | to the profile being defined by the IETF PKIX working group. The | |||
certificate section will start with a one byte unsigned OID length | certificate section will start with a one byte unsigned OID length | |||
and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
The SPKI type is reserved to indicate a certificate formated as to be | The SPKI type is reserved to indicate a certificate formated as to be | |||
specified by the IETF SPKI working group. | specified by the IETF SPKI working group. | |||
The PGP type indicates a Pretty Good Privacy certificate as described | The PGP type indicates an OpenPGP data packet. Two uses are to | |||
in [6] and its extensions and successors. | transfer public key material and revocation signatures. The data is | |||
binary, and MUST NOT be encoded into an ASCII armor. Public keys can | ||||
use the OpenPGP public key packet (tag 6) or public subkey packet | ||||
(tag 14), as described in section 5.5 of [5]. Revocation signatures | ||||
can use an OpenPGP signature packet with a revocation signature type, | ||||
i.e., signature type 0x20, 0x28 or 0x30, as described in section 5.2 | ||||
of [5]. | ||||
The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
a null terminated URI [5] and the data after the null is the private | a null terminated URI [4] and the data after the null is the private | |||
format certificate itself. The URI SHOULD be such that a retrieval | format certificate itself. The URI SHOULD be such that a retrieval | |||
from it will lead to documentation on the format of the certificate. | from it will lead to documentation on the format of the certificate. | |||
Recognition of private certificate types need not be based on URI | Recognition of private certificate types need not be based on URI | |||
equality but can use various forms of pattern matching so that, for | equality but can use various forms of pattern matching so that, for | |||
example, subtype or version information can also be encoded into the | example, subtype or version information can also be encoded into the | |||
URI. | URI. | |||
The OID private type indicates a private format certificate specified | The OID private type indicates a private format certificate specified | |||
by a an ISO OID prefix. The certificate section will start with a | by a an ISO OID prefix. The certificate section will start with a | |||
one byte unsigned OID length and then a BER encoded OID indicating | one byte unsigned OID length and then a BER encoded OID indicating | |||
the nature of the remainder of the certificate section. This can be | the nature of the remainder of the certificate section. This can be | |||
an X.509 certificate format or some other format. X.509 certificates | an X.509 certificate format or some other format. X.509 certificates | |||
that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | |||
type, not the OID private type. Recognition of private certificate | type, not the OID private type. Recognition of private certificate | |||
types need not be based on OID equality but can use various forms of | types need not be based on OID equality but can use various forms of | |||
pattern matching such as OID prefix. | pattern matching such as OID prefix. | |||
2.2 Text Representation of CERT RRs | 2.2 Text Representation of CERT RRs | |||
The RDATA portion of a CERT RR has the type field as an unsigned | The RDATA portion of a CERT RR has the type field as an unsigned | |||
integer or as a mnemonic symbol as listed in section 2.1 above. | decimal integer or as a mnemonic symbol as listed in section 2.1 | |||
above. | ||||
The key tag field is represented as an unsigned integer. | The key tag field is represented as an unsigned decimal integer. | |||
The algorithm field is represented as an unsigned integer or a | The algorithm field is represented as an unsigned decimal integer or | |||
mnemonic symbol as listed in [8]. | a mnemonic symbol as listed in [10]. | |||
The certificate / CRL portion is represented in base 64 and may be | The certificate / CRL portion is represented in base 64 [8] and may | |||
divided up into any number of white space separated substrings, down | be divided up into any number of white space separated substrings, | |||
to single base 64 digits, which are concatenated to obtain the full | down to single base 64 digits, which are concatenated to obtain the | |||
signature. These substrings can span lines using the standard | full signature. These substrings can span lines using the standard | |||
parenthesis. | parenthesis. | |||
Note that the certificate / CRL portion may have internal sub-fields | Note that the certificate / CRL portion may have internal sub-fields | |||
but these do not appear in the master file representation. For | but these do not appear in the master file representation. For | |||
example, with type 254, there will be an OID size, an OID, and then | example, with type 254, there will be an OID size, an OID, and then | |||
the certificate / CRL proper. But only a single logical base 64 | the certificate / CRL proper. But only a single logical base 64 | |||
string will appear in the text representation. | string will appear in the text representation. | |||
2.3 X.509 OIDs | 2.3 X.509 OIDs | |||
skipping to change at page 7, line 16 | skipping to change at page 7, line 17 | |||
certificate or CRL, that should be used. | certificate or CRL, that should be used. | |||
2. If a domain name is not included but an IP address is included, | 2. If a domain name is not included but an IP address is included, | |||
then the translation of that IP address into the appropriate | then the translation of that IP address into the appropriate | |||
inverse domain name should be used. | inverse domain name should be used. | |||
3. If neither of the above it used but a URI containing a domain | 3. If neither of the above it used but a URI containing a domain | |||
name is present, that domain name should be used. | name is present, that domain name should be used. | |||
4. If none of the above is included but a character string name is | 4. If none of the above is included but a character string name is | |||
included, then it should be treated as described for PGP names in | included, then it should be treated as described for PGP names in | |||
3.2 below. | 3.2 below. | |||
5. If none of the above apply, then the distinguished name (DN) | 5. If none of the above apply, then the distinguished name (DN) | |||
should be mapped into a domain name as specified in [4]. | should be mapped into a domain name as specified in [3]. | |||
Example 1: Assume that an X.509v3 certificate is issued to /CN=John | Example 1: Assume that an X.509v3 certificate is issued to /CN=John | |||
Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative | Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative | |||
names of (a) string "John (the Man) Doe", (b) domain name john- | names of (a) string "John (the Man) Doe", (b) domain name john- | |||
doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then | doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then | |||
the storage locations recommended, in priority order, would be | the storage locations recommended, in priority order, would be | |||
1. john-doe.com, | 1. john-doe.com, | |||
2. www.secure.john-doe.com, and | 2. www.secure.john-doe.com, and | |||
3. Doe.com.xy. | 3. Doe.com.xy. | |||
skipping to change at page 7, line 39 | skipping to change at page 7, line 40 | |||
of (a) domain name widget.foo.example, (b) IPv4 address | of (a) domain name widget.foo.example, (b) IPv4 address | |||
10.251.13.201, and (c) string "James Hacker | 10.251.13.201, and (c) string "James Hacker | |||
<hacker@mail.widget.foo.example>". Then the storage locations | <hacker@mail.widget.foo.example>". Then the storage locations | |||
recommended, in priority order, would be | recommended, in priority order, would be | |||
1. widget.foo.example, | 1. widget.foo.example, | |||
2. 201.13.251.10.in-addr.arpa, and | 2. 201.13.251.10.in-addr.arpa, and | |||
3. hacker.mail.widget.foo.example. | 3. hacker.mail.widget.foo.example. | |||
3.2 PGP CERT RR Names | 3.2 PGP CERT RR Names | |||
PGP signed keys (certificates) use a general character string User ID | OpenPGP signed keys (certificates) use a general character string | |||
[6]. However, it is recommended by PGP that such names include the | User ID [5]. However, it is recommended by PGP that such names | |||
RFC 822 email address of the party, as in "Leslie Example | include the RFC 2822 [7] email address of the party, as in "Leslie | |||
<Leslie@host.example>". If such a format is used, the CERT should be | Example <Leslie@host.example>". If such a format is used, the CERT | |||
under the standard translation of the email address into a domain | should be under the standard translation of the email address into a | |||
name, which would be leslie.host.example in this case. If no RFC 822 | domain name, which would be leslie.host.example in this case. If no | |||
name can be extracted from the string name no specific domain name is | RFC 2822 name can be extracted from the string name no specific | |||
recommended. | domain name is recommended. | |||
If a user has more than one email address, the CNAME type can be used | ||||
to reduce the amount of data stored in the DNS. For example: | ||||
$ORIGIN example.org. | ||||
smith IN CERT PGP 0 0 <OpenPGP binary> | ||||
john.smith IN CNAME smith | ||||
js IN CNAME smith | ||||
For some applications, the above guidelines are not useful. | ||||
Applications that receive an OpenPGP packet but do not know the email | ||||
address of the sender will have difficulties guessing the correct | ||||
owner name. However, the OpenPGP packet typically contain the Key ID | ||||
of the key. Such applications can derive the owner name from the Key | ||||
ID using an Base 16 encoding [8]. For example: | ||||
$ORIGIN example.org. | ||||
F835EDA21E94B565716F IN CERT PGP ... | ||||
B565716F IN CNAME F835EDA21E94B565716F | ||||
Again, if the same key material is stored at several owner names, | ||||
using CNAME can be used to avoid data duplication. | ||||
4. Performance Considerations | 4. Performance Considerations | |||
Current Domain Name System (DNS) implementations are optimized for | Current Domain Name System (DNS) implementations are optimized for | |||
small transfers, typically not more than 512 bytes including | small transfers, typically not more than 512 bytes including | |||
overhead. While larger transfers will perform correctly and work is | overhead. While larger transfers will perform correctly and work is | |||
underway to make larger transfers more efficient, it is still | underway to make larger transfers more efficient, it is still | |||
advisable at this time to make every reasonable effort to minimize | advisable at this time to make every reasonable effort to minimize | |||
the size of certificates stored within the DNS. Steps that can be | the size of certificates stored within the DNS. Steps that can be | |||
taken may include using the fewest possible optional or extensions | taken may include using the fewest possible optional or extensions | |||
fields and using short field values for variable length fields that | fields and using short field values for variable length fields that | |||
must be included. | must be included. | |||
5. IANA Considerations | 5. IANA Considerations | |||
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
only be assigned by an IETF standards action [7] (and this document | only be assigned by an IETF standards action [6]. This document | |||
assigns 0x0001 through 0x0003 and 0x00FD and 0x00FE). Certificate | assigns 0x0001 through 0x0003 and 0x00FD and 0x00FE. Certificate | |||
types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | types 0x0100 through 0xFEFF are assigned through IETF Consensus [6] | |||
based on RFC documentation of the certificate type. The availability | based on RFC documentation of the certificate type. The availability | |||
of private types under 0x00FD and 0x00FE should satisfy most | of private types under 0x00FD and 0x00FE should satisfy most | |||
requirements for proprietary or private types. | requirements for proprietary or private types. | |||
6. Security Considerations | 6. Security Considerations | |||
By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
signature. Thus it is reasonable to store certificates in non-secure | signature. Thus it is reasonable to store certificates in non-secure | |||
DNS zones or to retrieve certificates from DNS with DNS security | DNS zones or to retrieve certificates from DNS with DNS security | |||
checking not implemented or deferred for efficiency. The results MAY | checking not implemented or deferred for efficiency. The results MAY | |||
skipping to change at page 8, line 40 | skipping to change at page 9, line 16 | |||
Alternatively, if certificates are retrieved from a secure DNS zone | Alternatively, if certificates are retrieved from a secure DNS zone | |||
with DNS security checking enabled and are verified by DNS security, | with DNS security checking enabled and are verified by DNS security, | |||
the key within the retrieved certificate MAY be trusted without | the key within the retrieved certificate MAY be trusted without | |||
verifying the certificate chain if this conforms with the user's | verifying the certificate chain if this conforms with the user's | |||
security policy. | security policy. | |||
CERT RRs are not used in connection with securing the DNS security | CERT RRs are not used in connection with securing the DNS security | |||
additions so there are no security considerations related to CERT RRs | additions so there are no security considerations related to CERT RRs | |||
and securing the DNS itself. | and securing the DNS itself. | |||
7 References | 7. Open Issues | |||
1. Not yet described: New DNSSEC Key Tag algorithm "OpenPGPKeyID" to | ||||
optimize PGP key retreival. Compare section 5 of | ||||
draft-josefsson-cert-openpgp. Not clear that it is needed. | ||||
2. How to handle PGP certificates larger than 64kb? In | ||||
draft-josefsson-cert-openpgp I outline one approach, but it may | ||||
not be the best one. | ||||
3. Should the document suggest use of both 8 and 4 byte OpenPGP key | ||||
id owner names? Perhaps only 8 byte version. | ||||
4. Any feedback on the X.509 data format and owner name guidelines | ||||
would be appreciated. Is anyone using this at all? They appear | ||||
as unnecessarily complex to me. | ||||
8. Changes since RFC 2538 | ||||
1. Editorial changes to conform with new document requirements, | ||||
including splitting reference section into two parts and updating | ||||
references to point at latest versions. | ||||
2. Improve terminology. For example replace "PGP" with "OpenPGP", | ||||
to align with RFC 2440. | ||||
3. Clarify that OpenPGP public key data are binary, not the ASCII | ||||
armored format. | ||||
4. Clarify that integers in the representation format are decimal. | ||||
5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis | ||||
terminology. | ||||
6. Suggest additional OpenPGP owner name guidelines. | ||||
9. References | ||||
9.1 Normative References | ||||
[1] Mockapetris, P., "Domain names - concepts and facilities", STD | [1] Mockapetris, P., "Domain names - concepts and facilities", STD | |||
13, RFC 1034, November 1987. | 13, RFC 1034, November 1987. | |||
[2] Mockapetris, P., "Domain names - implementation and | [2] Mockapetris, P., "Domain names - implementation and | |||
specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [3] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. Sataluri, | |||
Levels", BCP 14, RFC 2119, March 1997. | ||||
[4] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. Sataluri, | ||||
"Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, | "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, | |||
January 1998. | January 1998. | |||
[5] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource | [4] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform | |||
Identifiers (URI): Generic Syntax", RFC 2396, August 1998. | Resource Identifiers (URI): Generic Syntax", RFC 2396, August | |||
1998. | ||||
[6] Callas, J., Donnerhacke, L., Finney, H. and R. Thayer, "OpenPGP | [5] Callas, J., Donnerhacke, L., Finney, H. and R. Thayer, "OpenPGP | |||
Message Format", RFC 2440, November 1998. | Message Format", RFC 2440, November 1998. | |||
[7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | |||
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. | Considerations Section in RFCs", BCP 26, RFC 2434, October | |||
1998. | ||||
[8] Eastlake, D., "Domain Name System Security Extensions", RFC | [7] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | |||
2535, March 1999. | ||||
[9] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509 | [8] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | |||
Public Key Infrastructure Certificate and CRL Profile", RFC | RFC 3548, July 2003. | |||
2459, January 1999. | ||||
[9] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose, | ||||
"DNS Security Introduction and Requirements", | ||||
draft-ietf-dnsext-dnssec-intro-13 (work in progress), October | ||||
2004. | ||||
[10] Arends, R., "Resource Records for the DNS Security Extensions", | ||||
draft-ietf-dnsext-dnssec-records-11 (work in progress), October | ||||
2004. | ||||
9.2 Informative References | ||||
[11] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
Levels", BCP 14, RFC 2119, March 1997. | ||||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
EMail: simon@josefsson.org | EMail: simon@josefsson.org | |||
Appendix A. Acknowledgements | ||||
The majority of this document is copied verbatim from RFC 2538, by D. | ||||
Eastlake and O. Gudmundsson. | ||||
The author wishes to thank David Shaw and Michael Graff for their | ||||
contributions to draft-josefsson-cert-openpgp. | ||||
Intellectual Property Statement | Intellectual Property Statement | |||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |