draft-josefsson-rfc2538bis-00.txt | draft-josefsson-rfc2538bis-01.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Expires: April 14, 2005 | Expires: July 4, 2005 | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
draft-josefsson-rfc2538bis-00 | draft-josefsson-rfc2538bis-01 | |||
Status of this Memo | Status of this Memo | |||
This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
of section 3 of RFC 3667. By submitting this Internet-Draft, each | of section 3 of RFC 3667. By submitting this Internet-Draft, each | |||
author represents that any applicable patent or other IPR claims of | author represents that any applicable patent or other IPR claims of | |||
which he or she is aware have been or will be disclosed, and any of | which he or she is aware have been or will be disclosed, and any of | |||
which he or she become aware will be disclosed, in accordance with | which he or she become aware will be disclosed, in accordance with | |||
RFC 3668. | RFC 3668. | |||
skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on April 14, 2005. | This Internet-Draft will expire on July 4, 2005. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
Cryptographic public key are frequently published and their | Cryptographic public key are frequently published and their | |||
authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
revocation lists can be stored in the Domain Name System (DNS). | revocation lists can be stored in the Domain Name System (DNS). | |||
More information on this document, including rfcdiff output, may be | More information on this document, including rfcdiff output, may be | |||
found at <http://josefsson.org/rfc2538bis/>. | found at <http://josefsson.org/rfc2538bis/>. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | |||
2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | |||
2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | 2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | |||
2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 | |||
3.1 X.509 CERT RR Names . . . . . . . . . . . . . . . . . . . 6 | 3.1 Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | |||
3.2 PGP CERT RR Names . . . . . . . . . . . . . . . . . . . . 7 | 3.2 Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 | |||
4. Performance Considerations . . . . . . . . . . . . . . . . . . 8 | 3.3 Content-based PGP CERT RR Names . . . . . . . . . . . . . 8 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 3.4 Purpose-based PGP CERT RR Names . . . . . . . . . . . . . 9 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 4. Performance Considerations . . . . . . . . . . . . . . . . . . 9 | |||
7. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
8. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 10 | |||
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 9 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
9.2 Informative References . . . . . . . . . . . . . . . . . . . 10 | A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
Intellectual Property and Copyright Statements . . . . . . . . 12 | 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 11 | |||
9.2 Informative References . . . . . . . . . . . . . . . . . . . 12 | ||||
B. Copying conditions . . . . . . . . . . . . . . . . . . . . . . 12 | ||||
Intellectual Property and Copyright Statements . . . . . . . . 13 | ||||
1. Introduction | 1. Introduction | |||
Public keys are frequently published in the form of a certificate and | Public keys are frequently published in the form of a certificate and | |||
their authenticity is commonly demonstrated by certificates and | their authenticity is commonly demonstrated by certificates and | |||
related certificate revocation lists (CRLs). A certificate is a | related certificate revocation lists (CRLs). A certificate is a | |||
binding, through a cryptographic digital signature, of a public key, | binding, through a cryptographic digital signature, of a public key, | |||
a validity interval and/or conditions, and identity, authorization, | a validity interval and/or conditions, and identity, authorization, | |||
or other information. A certificate revocation list is a list of | or other information. A certificate revocation list is a list of | |||
certificates that are revoked, and incidental information, all signed | certificates that are revoked, and incidental information, all signed | |||
skipping to change at page 4, line 26 | skipping to change at page 4, line 26 | |||
2.1 Certificate Type Values | 2.1 Certificate Type Values | |||
The following values are defined or reserved: | The following values are defined or reserved: | |||
Value Mnemonic Certificate Type | Value Mnemonic Certificate Type | |||
----- -------- ----------- ---- | ----- -------- ----------- ---- | |||
0 reserved | 0 reserved | |||
1 PKIX X.509 as per PKIX | 1 PKIX X.509 as per PKIX | |||
2 SPKI SPKI certificate | 2 SPKI SPKI certificate | |||
3 PGP OpenPGP data packet | 3 PGP OpenPGP packet | |||
4-252 available for IANA assignment | 4-252 available for IANA assignment | |||
253 URI URI private | 253 URI URI private | |||
254 OID OID private | 254 OID OID private | |||
255-65534 available for IANA assignment | 255-65534 available for IANA assignment | |||
65535 reserved | 65535 reserved | |||
The PKIX type is reserved to indicate an X.509 certificate conforming | The PKIX type is reserved to indicate an X.509 certificate conforming | |||
to the profile being defined by the IETF PKIX working group. The | to the profile being defined by the IETF PKIX working group. The | |||
certificate section will start with a one byte unsigned OID length | certificate section will start with a one byte unsigned OID length | |||
and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
The SPKI type is reserved to indicate a certificate formated as to be | The SPKI type is reserved to indicate a certificate formated as to be | |||
specified by the IETF SPKI working group. | specified by the IETF SPKI working group. | |||
The PGP type indicates an OpenPGP data packet. Two uses are to | The PGP type indicates an OpenPGP packet as described in [5] and its | |||
transfer public key material and revocation signatures. The data is | extensions and successors. Two uses are to transfer public key | |||
binary, and MUST NOT be encoded into an ASCII armor. Public keys can | material and revocation signatures. The data is binary, and MUST NOT | |||
use the OpenPGP public key packet (tag 6) or public subkey packet | be encoded into an ASCII armor. An implementation SHOULD process | |||
(tag 14), as described in section 5.5 of [5]. Revocation signatures | transferable public keys as described in section 10.1 of [5], but it | |||
can use an OpenPGP signature packet with a revocation signature type, | MAY handle additional OpenPGP packets. | |||
i.e., signature type 0x20, 0x28 or 0x30, as described in section 5.2 | ||||
of [5]. | ||||
The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
a null terminated URI [4] and the data after the null is the private | a null terminated URI [4] and the data after the null is the private | |||
format certificate itself. The URI SHOULD be such that a retrieval | format certificate itself. The URI SHOULD be such that a retrieval | |||
from it will lead to documentation on the format of the certificate. | from it will lead to documentation on the format of the certificate. | |||
Recognition of private certificate types need not be based on URI | Recognition of private certificate types need not be based on URI | |||
equality but can use various forms of pattern matching so that, for | equality but can use various forms of pattern matching so that, for | |||
example, subtype or version information can also be encoded into the | example, subtype or version information can also be encoded into the | |||
URI. | URI. | |||
skipping to change at page 6, line 32 | skipping to change at page 6, line 31 | |||
name related to their subject, i.e., the name of the entity intended | name related to their subject, i.e., the name of the entity intended | |||
to control the private key corresponding to the public key being | to control the private key corresponding to the public key being | |||
certified. It is recommended that certificate revocation list CERT | certified. It is recommended that certificate revocation list CERT | |||
RRs be stored under a domain name related to their issuer. | RRs be stored under a domain name related to their issuer. | |||
Following some of the guidelines below may result in the use in DNS | Following some of the guidelines below may result in the use in DNS | |||
names of characters that require DNS quoting which is to use a | names of characters that require DNS quoting which is to use a | |||
backslash followed by the octal representation of the ASCII code for | backslash followed by the octal representation of the ASCII code for | |||
the character such as \000 for NULL. | the character such as \000 for NULL. | |||
3.1 X.509 CERT RR Names | The choice of name under which CERT RRs are stored is important to | |||
clients that perform CERT queries. In some situations, the client | ||||
may not know all information about the CERT RR object it wishes to | ||||
retrieve. For example, a client may not know the subject name of an | ||||
X.509 certificate, or the e-mail address of the owner of an OpenPGP | ||||
key. Further, the client may only know the hostname of a service | ||||
that uses X.509 certificates or the OpenPGP key id of an OpenPGP key. | ||||
This motivate describing two different owner name guidelines. We | ||||
call the two rules content-based owner names and purpose-based owner | ||||
names. A content-based owner name is derived from the content of the | ||||
CERT RR data; for example the Subject field in an X.509 certificate | ||||
or the User ID field in OpenPGP keys. A purpose-based owner name is | ||||
selected to be a name that clients that wishes to retrieve CERT RRs | ||||
knows; for example the host name of a X.509 protected service or a | ||||
OpenPGP key id of an OpenPGP key. Note that in some situations, the | ||||
content-based and purpose-based owner name can be the same; for | ||||
example when a client look up keys based on e-mail addresses for | ||||
incoming e-mail. | ||||
[Editorial note: Purpose-based owner name guidelines were introduced | ||||
in RFC 2538bis. Earlier, in RFC 2538, only content-based owner name | ||||
guidelines were described. Implementation experience suggested that | ||||
the content-based owner name guidelines were not generally | ||||
applicable. It was realized that purpose-based owner name guidelines | ||||
were required to use CERT RRs in some ways.] | ||||
3.1 Content-based X.509 CERT RR Names | ||||
Some X.509 versions permit multiple names to be associated with | Some X.509 versions permit multiple names to be associated with | |||
subjects and issuers under "Subject Alternate Name" and "Issuer | subjects and issuers under "Subject Alternate Name" and "Issuer | |||
Alternate Name". For example, x.509v3 has such Alternate Names with | Alternate Name". For example, x.509v3 has such Alternate Names with | |||
an ASN.1 specification as follows: | an ASN.1 specification as follows: | |||
GeneralName ::= CHOICE { | GeneralName ::= CHOICE { | |||
otherName [0] INSTANCE OF OTHER-NAME, | otherName [0] INSTANCE OF OTHER-NAME, | |||
rfc822Name [1] IA5String, | rfc822Name [1] IA5String, | |||
dNSName [2] IA5String, | dNSName [2] IA5String, | |||
skipping to change at page 7, line 38 | skipping to change at page 8, line 16 | |||
Example 2: Assume that an X.509v3 certificate is issued to /CN=James | Example 2: Assume that an X.509v3 certificate is issued to /CN=James | |||
Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names | Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names | |||
of (a) domain name widget.foo.example, (b) IPv4 address | of (a) domain name widget.foo.example, (b) IPv4 address | |||
10.251.13.201, and (c) string "James Hacker | 10.251.13.201, and (c) string "James Hacker | |||
<hacker@mail.widget.foo.example>". Then the storage locations | <hacker@mail.widget.foo.example>". Then the storage locations | |||
recommended, in priority order, would be | recommended, in priority order, would be | |||
1. widget.foo.example, | 1. widget.foo.example, | |||
2. 201.13.251.10.in-addr.arpa, and | 2. 201.13.251.10.in-addr.arpa, and | |||
3. hacker.mail.widget.foo.example. | 3. hacker.mail.widget.foo.example. | |||
3.2 PGP CERT RR Names | 3.2 Purpose-based X.509 CERT RR Names | |||
It is difficult for clients that do not already posses a certificate | ||||
to reconstruct the content-based owner name that should be used to | ||||
retrieve the certificate. For this reason, purpose-based owner names | ||||
are recommended in this section. Because purpose-based owner names | ||||
by nature depend on the specific scenario, or purpose, for which the | ||||
certificate will be used, there are more than one recommendation. | ||||
The following table summarize the purpose-based X.509 CERT RR owner | ||||
name guidelines. | ||||
Scenario Owner name | ||||
------------------------------------------------------------------- | ||||
S/MIME Certificate Standard translation of RFC 822 email address. | ||||
Example: A S/MIME certificate for | ||||
"postmaster@example.org" will use a standard | ||||
hostname translation of the owner name, | ||||
i.e. "postmaster.example.org". | ||||
SSL Certificate Hostname of the SSL server. | ||||
IPSEC Certificate Hostname of the IPSEC machine, and/or | ||||
for the in-addr.arpa reverse lookup IP address. | ||||
CRLs Hostname of the issuing CA. | ||||
3.3 Content-based PGP CERT RR Names | ||||
OpenPGP signed keys (certificates) use a general character string | OpenPGP signed keys (certificates) use a general character string | |||
User ID [5]. However, it is recommended by PGP that such names | User ID [5]. However, it is recommended by PGP that such names | |||
include the RFC 2822 [7] email address of the party, as in "Leslie | include the RFC 2822 [7] email address of the party, as in "Leslie | |||
Example <Leslie@host.example>". If such a format is used, the CERT | Example <Leslie@host.example>". If such a format is used, the CERT | |||
should be under the standard translation of the email address into a | should be under the standard translation of the email address into a | |||
domain name, which would be leslie.host.example in this case. If no | domain name, which would be leslie.host.example in this case. If no | |||
RFC 2822 name can be extracted from the string name no specific | RFC 2822 name can be extracted from the string name no specific | |||
domain name is recommended. | domain name is recommended. | |||
If a user has more than one email address, the CNAME type can be used | If a user has more than one email address, the CNAME type can be used | |||
to reduce the amount of data stored in the DNS. For example: | to reduce the amount of data stored in the DNS. For example: | |||
$ORIGIN example.org. | $ORIGIN example.org. | |||
smith IN CERT PGP 0 0 <OpenPGP binary> | smith IN CERT PGP 0 0 <OpenPGP binary> | |||
john.smith IN CNAME smith | john.smith IN CNAME smith | |||
js IN CNAME smith | js IN CNAME smith | |||
For some applications, the above guidelines are not useful. | 3.4 Purpose-based PGP CERT RR Names | |||
Applications that receive an OpenPGP packet but do not know the email | Applications that receive an OpenPGP packet but do not know the email | |||
address of the sender will have difficulties guessing the correct | address of the sender will have difficulties guessing the correct | |||
owner name. However, the OpenPGP packet typically contain the Key ID | owner name, and cannot use the content-based owner name guidelines. | |||
of the key. Such applications can derive the owner name from the Key | However, the OpenPGP packet typically contain the Key ID of the key. | |||
ID using an Base 16 encoding [8]. For example: | In these situations, it is recommended to use an owner name derived | |||
from the Key ID. For example: | ||||
$ORIGIN example.org. | $ORIGIN example.org. | |||
F835EDA21E94B565716F IN CERT PGP ... | F835EDA21E94B565716F IN CERT PGP ... | |||
B565716F IN CNAME F835EDA21E94B565716F | B565716F IN CNAME F835EDA21E94B565716F | |||
Again, if the same key material is stored at several owner names, | As before, if the same key material is stored at several owner names, | |||
using CNAME can be used to avoid data duplication. | using CNAME can be used to avoid data duplication. | |||
4. Performance Considerations | 4. Performance Considerations | |||
Current Domain Name System (DNS) implementations are optimized for | Current Domain Name System (DNS) implementations are optimized for | |||
small transfers, typically not more than 512 bytes including | small transfers, typically not more than 512 bytes including | |||
overhead. While larger transfers will perform correctly and work is | overhead. While larger transfers will perform correctly and work is | |||
underway to make larger transfers more efficient, it is still | underway to make larger transfers more efficient, it is still | |||
advisable at this time to make every reasonable effort to minimize | advisable at this time to make every reasonable effort to minimize | |||
the size of certificates stored within the DNS. Steps that can be | the size of certificates stored within the DNS. Steps that can be | |||
skipping to change at page 9, line 18 | skipping to change at page 10, line 26 | |||
the key within the retrieved certificate MAY be trusted without | the key within the retrieved certificate MAY be trusted without | |||
verifying the certificate chain if this conforms with the user's | verifying the certificate chain if this conforms with the user's | |||
security policy. | security policy. | |||
CERT RRs are not used in connection with securing the DNS security | CERT RRs are not used in connection with securing the DNS security | |||
additions so there are no security considerations related to CERT RRs | additions so there are no security considerations related to CERT RRs | |||
and securing the DNS itself. | and securing the DNS itself. | |||
7. Open Issues | 7. Open Issues | |||
1. Not yet described: New DNSSEC Key Tag algorithm "OpenPGPKeyID" to | 1. How to handle PGP certificates larger than 64kb? In | |||
optimize PGP key retreival. Compare section 5 of | ||||
draft-josefsson-cert-openpgp. Not clear that it is needed. | ||||
2. How to handle PGP certificates larger than 64kb? In | ||||
draft-josefsson-cert-openpgp I outline one approach, but it may | draft-josefsson-cert-openpgp I outline one approach, but it may | |||
not be the best one. | not be the best one. | |||
3. Should the document suggest use of both 8 and 4 byte OpenPGP key | 2. Whether to enforce owner name guidelines with SHOULD/MUST. From | |||
id owner names? Perhaps only 8 byte version. | David Shaw (on OpenPGP): "One of the things that struck me when | |||
4. Any feedback on the X.509 data format and owner name guidelines | reading this draft is that while there are several suggested ways | |||
would be appreciated. Is anyone using this at all? They appear | to name keys in DNS, there is no one canonical name as a SHOULD | |||
as unnecessarily complex to me. | or MUST. I suggest that the key fingerprint be the canonical | |||
name, and all others be CNAMEs pointing to the fingerprint | ||||
name.". From Sean P. Turner (on PKIX): "Should "recommended" be | ||||
"RECOMMENDED" in the 1st and 2nd sentences?" referring to the | ||||
text in section 3 that recommend appropriate owner names. | ||||
3. Should the document suggest use of both full fingerprints, 4/8 | ||||
byte OpenPGP key id owner names? Perhaps only fingerprint | ||||
version. | ||||
8. Changes since RFC 2538 | 8. Changes since RFC 2538 | |||
1. Editorial changes to conform with new document requirements, | 1. Editorial changes to conform with new document requirements, | |||
including splitting reference section into two parts and updating | including splitting reference section into two parts and updating | |||
references to point at latest versions. | references to point at latest versions. | |||
2. Improve terminology. For example replace "PGP" with "OpenPGP", | 2. Improve terminology. For example replace "PGP" with "OpenPGP", | |||
to align with RFC 2440. | to align with RFC 2440. | |||
3. Clarify that OpenPGP public key data are binary, not the ASCII | 3. In section 2.1, clarify that OpenPGP public key data are binary, | |||
armored format. | not the ASCII armored format, and reference 10.1 in RFC 2440 on | |||
how to deal with OpenPGP keys, and acknowledge that | ||||
implementations may handle additional packet types. | ||||
4. Clarify that integers in the representation format are decimal. | 4. Clarify that integers in the representation format are decimal. | |||
5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis | 5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis | |||
terminology. | terminology. | |||
6. Suggest additional OpenPGP owner name guidelines. | 6. Add examples that suggest use of CNAME to reduce bandwidth. | |||
7. In section 3, add three paragraphs that discuss "content-based" | ||||
vs "purpose-based" owner names. Add section 3.2 for | ||||
purpose-based X.509 CERT owner names, and section 3.4 for | ||||
purpose-based OpenPGP CERT owner names. | ||||
9. References | 9. References | |||
9.1 Normative References | 9.1 Normative References | |||
[1] Mockapetris, P., "Domain names - concepts and facilities", STD | [1] Mockapetris, P., "Domain names - concepts and facilities", STD | |||
13, RFC 1034, November 1987. | 13, RFC 1034, November 1987. | |||
[2] Mockapetris, P., "Domain names - implementation and | [2] Mockapetris, P., "Domain names - implementation and | |||
specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
skipping to change at page 10, line 48 | skipping to change at page 12, line 18 | |||
Levels", BCP 14, RFC 2119, March 1997. | Levels", BCP 14, RFC 2119, March 1997. | |||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
EMail: simon@josefsson.org | EMail: simon@josefsson.org | |||
Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
The majority of this document is copied verbatim from RFC 2538, by D. | The majority of this document is copied verbatim from RFC 2538, by | |||
Eastlake and O. Gudmundsson. | Donald Eastlake 3rd and Olafur Gudmundsson. | |||
The author wishes to thank David Shaw and Michael Graff for their | The author wishes to thank David Shaw and Michael Graff for their | |||
contributions to draft-josefsson-cert-openpgp. | contributions to the earlier work that motivated this revised | |||
document. | ||||
Florian Weimer suggested to clarify wording regarding what data can | ||||
be stored in RRDATA portion of OpenPGP CERT RRs. Olivier Dubuisson | ||||
confirmed that the X.509 OID were indeed correct. | ||||
Appendix B. Copying conditions | ||||
In addition to the IETF/ISOC copying conditions, the following | ||||
statement grant third parties further rights to the parts of this | ||||
document ("the work") that were written by Simon Josefsson. | ||||
Copyright (C) 2004, 2005 Simon Josefsson | ||||
Copying and distribution of the work, with or without | ||||
modification, are permitted in any medium without royalty | ||||
provided the copyright notice and this notice are preserved. | ||||
Intellectual Property Statement | Intellectual Property Statement | |||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
skipping to change at page 12, line 41 | skipping to change at page 13, line 41 | |||
This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
Copyright Statement | Copyright Statement | |||
Copyright (C) The Internet Society (2004). This document is subject | Copyright (C) The Internet Society (2005). This document is subject | |||
to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
Acknowledgment | Acknowledgment | |||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
Internet Society. | Internet Society. | |||
End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |