draft-ietf-dnsext-rfc2538bis.txt | rfc4398.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Request for Comments: 4398 March 2006 | ||||
Obsoletes: 2538 (if approved) | Obsoletes: 2538 | |||
Expires: September 2, 2006 | Category: Standards Track | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
draft-ietf-dnsext-rfc2538bis-10 | ||||
Status of this Memo | ||||
By submitting this Internet-Draft, each author represents that any | Status of This Memo | |||
applicable patent or other IPR claims of which he or she is aware | ||||
have been or will be disclosed, and any of which he or she becomes | ||||
aware will be disclosed, in accordance with Section 6 of BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF), its areas, and its working groups. Note that | ||||
other groups may also distribute working documents as Internet- | ||||
Drafts. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | ||||
and may be updated, replaced, or obsoleted by other documents at any | ||||
time. It is inappropriate to use Internet-Drafts as reference | ||||
material or to cite them other than as "work in progress." | ||||
The list of current Internet-Drafts can be accessed at | ||||
http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
The list of Internet-Draft Shadow Directories can be accessed at | ||||
http://www.ietf.org/shadow.html. | ||||
This Internet-Draft will expire on September 2, 2006. | This document specifies an Internet standards track protocol for the | |||
Internet community, and requests discussion and suggestions for | ||||
improvements. Please refer to the current edition of the "Internet | ||||
Official Protocol Standards" (STD 1) for the standardization state | ||||
and status of this protocol. Distribution of this memo is unlimited. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
Cryptographic public keys are frequently published, and their | Cryptographic public keys are frequently published, and their | |||
authenticity is demonstrated by certificates. A CERT resource record | authenticity is demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
revocation lists can be stored in the Domain Name System (DNS). | revocation lists can be stored in the Domain Name System (DNS). | |||
This document obsoletes RFC 2538. | This document obsoletes RFC 2538. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................3 | |||
2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record ........................................3 | |||
2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1. Certificate Type Values ....................................4 | |||
2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 6 | 2.2. Text Representation of CERT RRs ............................6 | |||
2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. X.509 OIDs .................................................6 | |||
3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 7 | 3. Appropriate Owner Names for CERT RRs ............................7 | |||
3.1. Content-Based X.509 CERT RR Names . . . . . . . . . . . . 8 | 3.1. Content-Based X.509 CERT RR Names ..........................8 | |||
3.2. Purpose-Based X.509 CERT RR Names . . . . . . . . . . . . 9 | 3.2. Purpose-Based X.509 CERT RR Names ..........................9 | |||
3.3. Content-Based OpenPGP CERT RR Names . . . . . . . . . . . 9 | 3.3. Content-Based OpenPGP CERT RR Names ........................9 | |||
3.4. Purpose-Based OpenPGP CERT RR Names . . . . . . . . . . . 10 | 3.4. Purpose-Based OpenPGP CERT RR Names .......................10 | |||
3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX . . . . . 10 | 3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX ...........10 | |||
4. Performance Considerations . . . . . . . . . . . . . . . . . . 10 | 4. Performance Considerations .....................................11 | |||
5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 5. Contributors ...................................................11 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Acknowledgements ...............................................11 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7. Security Considerations ........................................12 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 8. IANA Considerations ............................................12 | |||
9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 13 | 9. Changes since RFC 2538 .........................................13 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References ....................................................14 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References .....................................14 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . . 14 | 10.2. Informative References ...................................15 | |||
Appendix A. Copying Conditions . . . . . . . . . . . . . . . . . 15 | Appendix A. Copying Conditions ...................................16 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | ||||
Intellectual Property and Copyright Statements . . . . . . . . . . 17 | ||||
1. Introduction | 1. Introduction | |||
Public keys are frequently published in the form of a certificate, | Public keys are frequently published in the form of a certificate, | |||
and their authenticity is commonly demonstrated by certificates and | and their authenticity is commonly demonstrated by certificates and | |||
related certificate revocation lists (CRLs). A certificate is a | related certificate revocation lists (CRLs). A certificate is a | |||
binding, through a cryptographic digital signature, of a public key, | binding, through a cryptographic digital signature, of a public key, | |||
a validity interval and/or conditions, and identity, authorization, | a validity interval and/or conditions, and identity, authorization, | |||
or other information. A certificate revocation list is a list of | or other information. A certificate revocation list is a list of | |||
certificates that are revoked, and of incidental information, all | certificates that are revoked, and of incidental information, all | |||
skipping to change at page 5, line 42 | skipping to change at page 5, line 43 | |||
and a zero-length URL are meaningless and invalid. | and a zero-length URL are meaningless and invalid. | |||
The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect". | The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect". | |||
These types MUST be used when the content is too large to fit in the | These types MUST be used when the content is too large to fit in the | |||
CERT RR and MAY be used at the implementer's discretion. They SHOULD | CERT RR and MAY be used at the implementer's discretion. They SHOULD | |||
NOT be used where the DNS message is 512 octets or smaller and could | NOT be used where the DNS message is 512 octets or smaller and could | |||
thus be expected to fit a UDP packet. | thus be expected to fit a UDP packet. | |||
The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
a NUL-terminated URI [10] and the data after the NUL is the private | a null-terminated URI [10], and the data after the null is the | |||
format certificate itself. The URI SHOULD be such that a retrieval | private format certificate itself. The URI SHOULD be such that a | |||
from it will lead to documentation on the format of the certificate. | retrieval from it will lead to documentation on the format of the | |||
Recognition of private certificate types need not be based on URI | certificate. Recognition of private certificate types need not be | |||
equality but can use various forms of pattern matching so that, for | based on URI equality but can use various forms of pattern matching | |||
example, subtype or version information can also be encoded into the | so that, for example, subtype or version information can also be | |||
URI. | encoded into the URI. | |||
The OID private type indicates a private format certificate specified | The OID private type indicates a private format certificate specified | |||
by an ISO OID prefix. The certificate section will start with a one- | by an ISO OID prefix. The certificate section will start with a | |||
octet unsigned OID length and then a BER-encoded OID indicating the | one-octet unsigned OID length and then a BER-encoded OID indicating | |||
nature of the remainder of the certificate section. This can be an | the nature of the remainder of the certificate section. This can be | |||
X.509 certificate format or some other format. X.509 certificates | an X.509 certificate format or some other format. X.509 certificates | |||
that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | that conform to the IETF PKIX profile SHOULD be indicated by the PKIX | |||
type, not the OID private type. Recognition of private certificate | type, not the OID private type. Recognition of private certificate | |||
types need not be based on OID equality but can use various forms of | types need not be based on OID equality but can use various forms of | |||
pattern matching such as OID prefix. | pattern matching such as OID prefix. | |||
2.2. Text Representation of CERT RRs | 2.2. Text Representation of CERT RRs | |||
The RDATA portion of a CERT RR has the type field as an unsigned | The RDATA portion of a CERT RR has the type field as an unsigned | |||
decimal integer or as a mnemonic symbol as listed in Section 2.1, | decimal integer or as a mnemonic symbol as listed in Section 2.1, | |||
above. | above. | |||
skipping to change at page 9, line 14 | skipping to change at page 9, line 13 | |||
recommended, in priority order, would be | recommended, in priority order, would be | |||
1. john-doe.com, | 1. john-doe.com, | |||
2. www.secure.john-doe.com, and | 2. www.secure.john-doe.com, and | |||
3. Doe.com.xy. | 3. Doe.com.xy. | |||
Example 2: An X.509v3 certificate is issued to /CN=James Hacker/ | Example 2: An X.509v3 certificate is issued to /CN=James Hacker/ | |||
L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) | L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) | |||
domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and | domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and | |||
(c) string "James Hacker <hacker@mail.widget.foo.example>". The | (c) string "James Hacker <hacker@mail.widget.foo.example>". The | |||
storage locations recommended, in priority order, would be | storage locations recommended, in priority order, would be | |||
1. widget.foo.example, | 1. widget.foo.example, | |||
2. 201.13.251.10.in-addr.arpa, and | 2. 201.13.251.10.in-addr.arpa, and | |||
3. hacker.mail.widget.foo.example. | 3. hacker.mail.widget.foo.example. | |||
3.2. Purpose-Based X.509 CERT RR Names | 3.2. Purpose-Based X.509 CERT RR Names | |||
Due to the difficulty for clients that do not already possess a | Due to the difficulty for clients that do not already possess a | |||
certificate to reconstruct the content-based owner name, purpose- | certificate to reconstruct the content-based owner name, | |||
based owner names are recommended in this section. Recommendations | purpose-based owner names are recommended in this section. | |||
for purpose-based owner names vary per scenario. The following table | Recommendations for purpose-based owner names vary per scenario. The | |||
summarizes the purpose-based X.509 CERT RR owner name guidelines for | following table summarizes the purpose-based X.509 CERT RR owner name | |||
use with S/MIME [17], SSL/TLS [13], and IPsec [14]: | guidelines for use with S/MIME [17], SSL/TLS [13], and IPsec [14]: | |||
Scenario Owner name | Scenario Owner name | |||
------------------ ---------------------------------------------- | ------------------ ---------------------------------------------- | |||
S/MIME Certificate Standard translation of an RFC 2822 email | S/MIME Certificate Standard translation of an RFC 2822 email | |||
address. Example: An S/MIME certificate for | address. Example: An S/MIME certificate for | |||
"postmaster@example.org" will use a standard | "postmaster@example.org" will use a standard | |||
hostname translation of the owner name, | hostname translation of the owner name, | |||
"postmaster.example.org". | "postmaster.example.org". | |||
TLS Certificate Hostname of the TLS server. | TLS Certificate Hostname of the TLS server. | |||
skipping to change at page 11, line 34 | skipping to change at page 11, line 44 | |||
6. Acknowledgements | 6. Acknowledgements | |||
Thanks to David Shaw and Michael Graff for their contributions to | Thanks to David Shaw and Michael Graff for their contributions to | |||
earlier works that motivated, and served as inspiration for, this | earlier works that motivated, and served as inspiration for, this | |||
document. | document. | |||
This document was improved by suggestions and comments from Olivier | This document was improved by suggestions and comments from Olivier | |||
Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M. | Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M. | |||
Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin, | Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin, | |||
Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | |||
Weiler, Florian Weimer, and the IANA. No doubt the list is | Weiler, and Florian Weimer. No doubt the list is incomplete. We | |||
incomplete. We apologize to anyone we left out. | apologize to anyone we left out. | |||
7. Security Considerations | 7. Security Considerations | |||
By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
signatures. Thus, it is reasonable to store certificates in non- | signatures. Thus, it is reasonable to store certificates in | |||
secure DNS zones or to retrieve certificates from DNS with DNS | non-secure DNS zones or to retrieve certificates from DNS with DNS | |||
security checking not implemented or deferred for efficiency. The | security checking not implemented or deferred for efficiency. The | |||
results may be trusted if the certificate chain is verified back to a | results may be trusted if the certificate chain is verified back to a | |||
known trusted key and this conforms with the user's security policy. | known trusted key and this conforms with the user's security policy. | |||
Alternatively, if certificates are retrieved from a secure DNS zone | Alternatively, if certificates are retrieved from a secure DNS zone | |||
with DNS security checking enabled and are verified by DNS security, | with DNS security checking enabled and are verified by DNS security, | |||
the key within the retrieved certificate may be trusted without | the key within the retrieved certificate may be trusted without | |||
verifying the certificate chain if this conforms with the user's | verifying the certificate chain if this conforms with the user's | |||
security policy. | security policy. | |||
If an organization chooses to issue certificates for its employees, | If an organization chooses to issue certificates for its employees, | |||
placing CERT RR's in the DNS by owner name, and if DNSSEC (with NSEC) | placing CERT RRs in the DNS by owner name, and if DNSSEC (with NSEC) | |||
is in use, it is possible for someone to enumerate all employees of | is in use, it is possible for someone to enumerate all employees of | |||
the organization. This is usually not considered desirable, for the | the organization. This is usually not considered desirable, for the | |||
same reason that enterprise phone listings are not often publicly | same reason that enterprise phone listings are not often publicly | |||
published and are even marked confidential. | published and are even marked confidential. | |||
Using the URI type introduces another level of indirection that may | Using the URI type introduces another level of indirection that may | |||
open a new vulnerability. One method of securing that indirection is | open a new vulnerability. One method of securing that indirection is | |||
to include a hash of the certificate in the URI itself. | to include a hash of the certificate in the URI itself. | |||
If DNSSEC is used, then the non-existence of a CERT RR and, | If DNSSEC is used, then the non-existence of a CERT RR and, | |||
skipping to change at page 12, line 50 | skipping to change at page 13, line 14 | |||
9-252 Available for IANA assignment | 9-252 Available for IANA assignment | |||
by IETF Standards action | by IETF Standards action | |||
253 URI URI private RFC 4398 | 253 URI URI private RFC 4398 | |||
254 OID OID private RFC 4398 | 254 OID OID private RFC 4398 | |||
255 Reserved RFC 4398 | 255 Reserved RFC 4398 | |||
256-65279 Available for IANA assignment | 256-65279 Available for IANA assignment | |||
by IETF Consensus | by IETF Consensus | |||
65280-65534 Experimental RFC 4398 | 65280-65534 Experimental RFC 4398 | |||
65535 Reserved RFC 4398 | 65535 Reserved RFC 4398 | |||
Certificate types 0x0000 through 0x00FF (255) and 0xFF00 (65280) | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
through 0xFFFF (65535) can only be assigned by an IETF standards | only be assigned by an IETF standards action [6]. This document | |||
action [6]. This document assigns 0x0001 through 0x0008 and 0x00FD | assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE. Certificate | |||
(253) and 0x00FE (254). Certificate types 0x0100 (256) through | types 0x0100 through 0xFEFF are assigned through IETF Consensus [6] | |||
0xFEFF (65279) are assigned through IETF Consensus [6] based on RFC | based on RFC documentation of the certificate type. The availability | |||
documentation of the certificate type. The availability of private | of private types under 0x00FD and 0x00FE ought to satisfy most | |||
types under 0x00FD (253) and 0x00FE (254) ought to satisfy most | ||||
requirements for proprietary or private types. | requirements for proprietary or private types. | |||
The CERT RR reuses the DNS Security Algorithm Numbers registry. In | The CERT RR reuses the DNS Security Algorithm Numbers registry. In | |||
particular, the CERT RR requires that algorithm number 0 remain | particular, the CERT RR requires that algorithm number 0 remain | |||
reserved, as described in Section 2. The IANA will reference the | reserved, as described in Section 2. The IANA will reference the | |||
CERT RR as a user of this registry and value 0, in particular. | CERT RR as a user of this registry and value 0, in particular. | |||
9. Changes since RFC 2538 | 9. Changes since RFC 2538 | |||
1. Editorial changes to conform with new document requirements, | 1. Editorial changes to conform with new document requirements, | |||
skipping to change at page 16, line 9 | skipping to change at page 16, line 21 | |||
anyone to use, modify, and distribute it in any way that does not | anyone to use, modify, and distribute it in any way that does not | |||
diminish the rights of anyone else to use, modify, and distribute it, | diminish the rights of anyone else to use, modify, and distribute it, | |||
provided that redistributed derivative works do not contain | provided that redistributed derivative works do not contain | |||
misleading author or version information. Derivative works need not | misleading author or version information. Derivative works need not | |||
be licensed under similar terms. | be licensed under similar terms. | |||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
Email: simon@josefsson.org | EMail: simon@josefsson.org | |||
Intellectual Property Statement | Full Copyright Statement | |||
Copyright (C) The Internet Society (2006). | ||||
This document is subject to the rights, licenses and restrictions | ||||
contained in BCP 78, and except as set forth therein, the authors | ||||
retain all their rights. | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Intellectual Property | ||||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
skipping to change at page 17, line 29 | skipping to change at page 17, line 45 | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
Disclaimer of Validity | Acknowledgement | |||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Copyright Statement | ||||
Copyright (C) The Internet Society (2006). This document is subject | ||||
to the rights, licenses and restrictions contained in BCP 78, and | ||||
except as set forth therein, the authors retain all their rights. | ||||
Acknowledgment | ||||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
Internet Society. | Administrative Support Activity (IASA). | |||
End of changes. 17 change blocks. | ||||
97 lines changed or deleted | 77 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |