draft-ietf-dnsext-rfc2538bis-02.txt | draft-ietf-dnsext-rfc2538bis-03.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Expires: November 26, 2005 | Expires: December 12, 2005 | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
draft-ietf-dnsext-rfc2538bis-02 | draft-ietf-dnsext-rfc2538bis-03 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 33 | skipping to change at page 1, line 33 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on November 26, 2005. | This Internet-Draft will expire on December 12, 2005. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
Cryptographic public key are frequently published and their | Cryptographic public key are frequently published and their | |||
authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
revocation lists can be stored in the Domain Name System (DNS). | revocation lists can be stored in the Domain Name System (DNS). | |||
See <http://josefsson.org/rfc2538bis/> for more information. | This document obsolete RFC 2538. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. The CERT Resource Record . . . . . . . . . . . . . . . . . . 3 | 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . 3 | |||
2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | 2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 | |||
2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | 2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 | |||
2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . 6 | 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . 6 | |||
3.1 Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | 3.1 Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 | |||
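Review bot: the new Abstract's "This document obsolete RFC 2538." should read "This document obsoletes RFC 2538."; while the Abstract is being touched, "Cryptographic public key are frequently published" needs "keys are".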
skipping to change at page 3, line 28 | skipping to change at page 3, line 28 | |||
Section 2 below specifies a CERT resource record (RR) for the storage | Section 2 below specifies a CERT resource record (RR) for the storage | |||
of certificates in the Domain Name System. | of certificates in the Domain Name System. | |||
Section 3 discusses appropriate owner names for CERT RRs. | Section 3 discusses appropriate owner names for CERT RRs. | |||
Sections 4, 5, and 6 below cover performance, IANA, and security | Sections 4, 5, and 6 below cover performance, IANA, and security | |||
considerations, respectively. | considerations, respectively. | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [10]. | document are to be interpreted as described in [3]. | |||
2. The CERT Resource Record | 2. The CERT Resource Record | |||
The CERT resource record (RR) has the structure given below. Its RR | The CERT resource record (RR) has the structure given below. Its RR | |||
type code is 37. | type code is 37. | |||
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| type | key tag | | | type | key tag | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| algorithm | / | | algorithm | / | |||
+---------------+ certificate or CRL / | +---------------+ certificate or CRL / | |||
/ / | / / | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | |||
The type field is the certificate type as define in section 2.1 | The type field is the certificate type as define in section 2.1 | |||
below. | below. | |||
The algorithm field has the same meaning as the algorithm field in | The algorithm field has the same meaning as the algorithm field in | |||
DNSKEY and RRSIG RRs [9] except that a zero algorithm field indicates | DNSKEY and RRSIG RRs [10] except that a zero algorithm field | |||
the algorithm is unknown to a secure DNS, which may simply be the | indicates the algorithm is unknown to a secure DNS, which may simply | |||
result of the algorithm not having been standardized for DNSSEC. | be the result of the algorithm not having been standardized for | |||
DNSSEC. | ||||
The key tag field is the 16 bit value computed for the key embedded | The key tag field is the 16 bit value computed for the key embedded | |||
in the certificate, using the RRSIG Key Tag Algorithm described in | in the certificate, using the RRSIG Key Tag algorithm described in | |||
Appendix B of [9]. This field is used as an efficiency measure to | Appendix B of [10]. This field is used as an efficiency measure to | |||
pick which CERT RRs may be applicable to a particular key. The key | pick which CERT RRs may be applicable to a particular key. The key | |||
tag can be calculated for the key in question and then only CERT RRs | tag can be calculated for the key in question and then only CERT RRs | |||
with the same key tag need be examined. However, the key must always | with the same key tag need be examined. However, the key must always | |||
be transformed to the format it would have as the public key portion | be transformed to the format it would have as the public key portion | |||
of a DNSKEY RR before the key tag is computed. This is only possible | of a DNSKEY RR before the key tag is computed. This is only possible | |||
if the key is applicable to an algorithm (and limits such as key size | if the key is applicable to an algorithm (and limits such as key size | |||
limits) defined for DNS security. If it is not, the algorithm field | limits) defined for DNS security. If it is not, the algorithm field | |||
MUST BE zero and the tag field is meaningless and SHOULD BE zero. | MUST BE zero and the tag field is meaningless and SHOULD BE zero. | |||
2.1 Certificate Type Values | 2.1 Certificate Type Values | |||
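Review bot: the key tag paragraph requires the key to be "transformed to the format it would have as the public key portion of a DNSKEY RR" but never says which DNSKEY flags (and protocol) value to use for that transformation; the tag is computed over the whole DNSKEY RDATA including those bytes, so a publisher choosing 256 and a consumer choosing 257 compute different tags for the same certificate and the efficiency measure silently fails. State a fixed value, or say the flags are zero for the computation. Minor: "MUST BE zero" and "SHOULD BE zero" should use the RFC 2119 keywords as "MUST be" and "SHOULD be", and "as define in section 2.1" should be "as defined".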
skipping to change at page 4, line 47 | skipping to change at page 4, line 47 | |||
to the profile being defined by the IETF PKIX working group. The | to the profile being defined by the IETF PKIX working group. The | |||
certificate section will start with a one byte unsigned OID length | certificate section will start with a one byte unsigned OID length | |||
and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
The SPKI type is reserved to indicate the SPKI certificate format | The SPKI type is reserved to indicate the SPKI certificate format | |||
[13], for use when the SPKI documents are moved from experimental | [13], for use when the SPKI documents are moved from experimental | |||
status. | status. | |||
The PGP type indicates an OpenPGP packet as described in [5] and its | The PGP type indicates an OpenPGP packet as described in [6] and its | |||
extensions and successors. Two uses are to transfer public key | extensions and successors. Two uses are to transfer public key | |||
material and revocation signatures. The data is binary, and MUST NOT | material and revocation signatures. The data is binary, and MUST NOT | |||
be encoded into an ASCII armor. An implementation SHOULD process | be encoded into an ASCII armor. An implementation SHOULD process | |||
transferable public keys as described in section 10.1 of [5], but it | transferable public keys as described in section 10.1 of [5], but it | |||
MAY handle additional OpenPGP packets. | MAY handle additional OpenPGP packets. | |||
The IPKIX, ISPKI and IPGP types indicate a URL which will serve the | The IPKIX, ISPKI and IPGP types indicate a URL which will serve the | |||
content that would have been in the "certificate, CRL or URL" field | content that would have been in the "certificate, CRL or URL" field | |||
of the corresponding (PKIX, SPKI or PGP) packet types. These types | of the corresponding (PKIX, SPKI or PGP) packet types. These types | |||
are known as "indirect". These packet types MUST be used when the | are known as "indirect". These packet types MUST be used when the | |||
content is too large to fit in the CERT RR, and MAY be used at the | content is too large to fit in the CERT RR, and MAY be used at the | |||
implementations discretion. They SHOULD NOT be used where the entire | implementations discretion. They SHOULD NOT be used where the entire | |||
UDP packet would have fit in 512 bytes. | UDP packet would have fit in 512 bytes. | |||
The URI private type indicates a certificate format defined by an | The URI private type indicates a certificate format defined by an | |||
absolute URI. The certificate portion of the CERT RR MUST begin with | absolute URI. The certificate portion of the CERT RR MUST begin with | |||
a null terminated URI [4] and the data after the null is the private | a null terminated URI [5] and the data after the null is the private | |||
format certificate itself. The URI SHOULD be such that a retrieval | format certificate itself. The URI SHOULD be such that a retrieval | |||
from it will lead to documentation on the format of the certificate. | from it will lead to documentation on the format of the certificate. | |||
Recognition of private certificate types need not be based on URI | Recognition of private certificate types need not be based on URI | |||
equality but can use various forms of pattern matching so that, for | equality but can use various forms of pattern matching so that, for | |||
example, subtype or version information can also be encoded into the | example, subtype or version information can also be encoded into the | |||
URI. | URI. | |||
The OID private type indicates a private format certificate specified | The OID private type indicates a private format certificate specified | |||
by a an ISO OID prefix. The certificate section will start with a | by a an ISO OID prefix. The certificate section will start with a | |||
one byte unsigned OID length and then a BER encoded OID indicating | one byte unsigned OID length and then a BER encoded OID indicating | |||
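Review bot: the reference renumbering is incomplete in the PGP paragraph: "section 10.1 of [5]" still carries the old number, which in this revision is the URI specification (RFC 2396); it should read "[6]" to agree with "OpenPGP packet as described in [6]" two sentences earlier. Also "by a an ISO OID prefix" has a doubled article.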
skipping to change at page 5, line 42 | skipping to change at page 5, line 42 | |||
2.2 Text Representation of CERT RRs | 2.2 Text Representation of CERT RRs | |||
The RDATA portion of a CERT RR has the type field as an unsigned | The RDATA portion of a CERT RR has the type field as an unsigned | |||
decimal integer or as a mnemonic symbol as listed in section 2.1 | decimal integer or as a mnemonic symbol as listed in section 2.1 | |||
above. | above. | |||
The key tag field is represented as an unsigned decimal integer. | The key tag field is represented as an unsigned decimal integer. | |||
The algorithm field is represented as an unsigned decimal integer or | The algorithm field is represented as an unsigned decimal integer or | |||
a mnemonic symbol as listed in [9]. | a mnemonic symbol as listed in [10]. | |||
The certificate / CRL portion is represented in base 64 [14] and may | The certificate / CRL portion is represented in base 64 [14] and may | |||
be divided up into any number of white space separated substrings, | be divided up into any number of white space separated substrings, | |||
down to single base 64 digits, which are concatenated to obtain the | down to single base 64 digits, which are concatenated to obtain the | |||
full signature. These substrings can span lines using the standard | full signature. These substrings can span lines using the standard | |||
parenthesis. | parenthesis. | |||
Note that the certificate / CRL portion may have internal sub-fields | Note that the certificate / CRL portion may have internal sub-fields | |||
but these do not appear in the master file representation. For | but these do not appear in the master file representation. For | |||
example, with type 254, there will be an OID size, an OID, and then | example, with type 254, there will be an OID size, an OID, and then | |||
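Review bot: "concatenated to obtain the full signature" is left over from the RRSIG presentation text this paragraph was modelled on; here the base64 carries the certificate or CRL, so it should read "to obtain the full certificate or CRL".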
skipping to change at page 7, line 50 | skipping to change at page 7, line 50 | |||
certificate or CRL, that should be used. | certificate or CRL, that should be used. | |||
2. If a domain name is not included but an IP address is included, | 2. If a domain name is not included but an IP address is included, | |||
then the translation of that IP address into the appropriate | then the translation of that IP address into the appropriate | |||
inverse domain name should be used. | inverse domain name should be used. | |||
3. If neither of the above it used but a URI containing a domain | 3. If neither of the above it used but a URI containing a domain | |||
name is present, that domain name should be used. | name is present, that domain name should be used. | |||
4. If none of the above is included but a character string name is | 4. If none of the above is included but a character string name is | |||
included, then it should be treated as described for OpenPGP | included, then it should be treated as described for OpenPGP | |||
names below. | names below. | |||
5. If none of the above apply, then the distinguished name (DN) | 5. If none of the above apply, then the distinguished name (DN) | |||
should be mapped into a domain name as specified in [3]. | should be mapped into a domain name as specified in [4]. | |||
Example 1: Assume that an X.509v3 certificate is issued to /CN=John | Example 1: Assume that an X.509v3 certificate is issued to /CN=John | |||
Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative | Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative | |||
names of (a) string "John (the Man) Doe", (b) domain name john- | names of (a) string "John (the Man) Doe", (b) domain name john- | |||
doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then | doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then | |||
the storage locations recommended, in priority order, would be | the storage locations recommended, in priority order, would be | |||
1. john-doe.com, | 1. john-doe.com, | |||
2. www.secure.john-doe.com, and | 2. www.secure.john-doe.com, and | |||
3. Doe.com.xy. | 3. Doe.com.xy. | |||
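Review bot: rule 3 has "If neither of the above it used" for "is used". More substantively, rules 1 to 5 are written as mutually exclusive (each applies only when the earlier names are absent), yet Example 1 derives three storage locations "in priority order" from one certificate; the rules should say that every applicable name may be used, in the listed order, so that the text and the example agree.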
skipping to change at page 8, line 46 | skipping to change at page 8, line 46 | |||
Scenario Owner name | Scenario Owner name | |||
------------------------------------------------------------------- | ------------------------------------------------------------------- | |||
S/MIME Certificate Standard translation of RFC 822 email address. | S/MIME Certificate Standard translation of RFC 822 email address. | |||
Example: A S/MIME certificate for | Example: A S/MIME certificate for | |||
"[email protected]" will use a standard | "[email protected]" will use a standard | |||
hostname translation of the owner name, | hostname translation of the owner name, | |||
i.e. "postmaster.example.org". | i.e. "postmaster.example.org". | |||
TLS Certificate Hostname of the TLS server. | TLS Certificate Hostname of the TLS server. | |||
IPSEC Certificate Hostname of the IPSEC machine, and/or | IPSEC Certificate Hostname of the IPSEC machine, and/or for | |||
for the in-addr.arpa reverse lookup IP address. | IPv4 or IPv6 addresses the fully qualified | |||
domain name in the appropriate reverse domain. | ||||
An alternative approach for IPSEC is to store raw public keys [15]. | An alternative approach for IPSEC is to store raw public keys [15]. | |||
3.3 Content-based OpenPGP CERT RR Names | 3.3 Content-based OpenPGP CERT RR Names | |||
OpenPGP signed keys (certificates) use a general character string | OpenPGP signed keys (certificates) use a general character string | |||
User ID [5]. However, it is recommended by OpenPGP that such names | User ID [6]. However, it is recommended by OpenPGP that such names | |||
include the RFC 2822 [7] email address of the party, as in "Leslie | include the RFC 2822 [8] email address of the party, as in "Leslie | |||
Example <leslie@host.example>". If such a format is used, the CERT | Example <leslie@host.example>". If such a format is used, the CERT | |||
should be under the standard translation of the email address into a | should be under the standard translation of the email address into a | |||
domain name, which would be leslie.host.example in this case. If no | domain name, which would be leslie.host.example in this case. If no | |||
RFC 2822 name can be extracted from the string name no specific | RFC 2822 name can be extracted from the string name no specific | |||
domain name is recommended. | domain name is recommended. | |||
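The owner-name rules of sections 3.1 to 3.3 carried through in code, as an added example that is not part of the draft. The email-to-owner-name mapping follows the RFC 1035 mailbox convention (the local part becomes the first label, with dots inside it escaped) because the draft only calls it the "standard translation" without defining it; that reading, the RFC 2247 join of DC values for a distinguished name, and the sample addresses are assumptions.

```python
"""Where to publish a CERT RR (section 3): derive owner names from the
names a certificate carries.

Added example, not code from the draft.  Assumptions: the "standard
translation" of an email address is the RFC 1035 mailbox form (local part
becomes the first label, its dots escaped); a DN maps to a domain name by
joining its DC values in order (RFC 2247); sample names are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


def email_owner_name(address: str) -> str:
    """postmaster@example.org -> postmaster.example.org (section 3.2 S/MIME row)."""
    local, at, domain = address.rpartition("@")
    if not (local and at and domain):
        raise ValueError(f"not an email address: {address!r}")
    # The whole local part is one label, so a dot inside it is escaped; otherwise
    # first.last@example.org would collide with host first.last.example.org.
    return local.replace(".", r"\.") + "." + domain


def openpgp_owner_name(user_id: str) -> Optional[str]:
    """Section 3.3: use the email address inside an OpenPGP User ID, if any."""
    match = (re.search(r"<([^\s<>@]+@[^\s<>]+)>", user_id)
             or re.search(r"([^\s<>@]+@[^\s<>]+)", user_id))
    return email_owner_name(match.group(1)) if match else None


def reverse_name(ip: str) -> str:
    """Section 3.2 IPSEC row: the FQDN in in-addr.arpa or ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def uri_owner_name(uri: str) -> Optional[str]:
    """Section 3.1 rule 3: the domain name inside a URI (None for an IP literal)."""
    host = urlsplit(uri).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host          # a real domain name
    return None              # address literals are covered by rule 2


def dn_owner_name(dc_components: Iterable[str]) -> Optional[str]:
    """Section 3.1 rule 5 via RFC 2247: DC=Doe/DC=com/DC=xy -> Doe.com.xy."""
    labels = list(dc_components)
    return ".".join(labels) if labels else None


def x509_owner_names(dns_names=(), ip_addresses=(), uris=(),
                     string_names=(), dc_components=()) -> List[str]:
    """All candidate owner names for an X.509 CERT in the section 3.1 priority
    order, de-duplicated case-insensitively since DNS compares names that way."""
    candidates: List[Optional[str]] = list(dns_names)
    candidates += [reverse_name(ip) for ip in ip_addresses]
    candidates += [uri_owner_name(u) for u in uris]
    candidates += [openpgp_owner_name(s) for s in string_names]
    candidates.append(dn_owner_name(dc_components))
    seen, result = set(), []
    for name in candidates:
        if name and name.lower() not in seen:
            seen.add(name.lower())
            result.append(name)
    return result


def cname_aliases(primary_address: str, other_addresses: Iterable[str]) -> List[str]:
    """Section 3.3: store the CERT once under the primary address and point the
    owner names of the other addresses at it with CNAMEs (master-file lines)."""
    target = email_owner_name(primary_address)
    return [f"{email_owner_name(a)}. IN CNAME {target}." for a in other_addresses]
```

Running x509_owner_names with the Subject Alternative Names of Example 1 reproduces its three locations in order; the string name "John (the Man) Doe" contributes nothing because no email address can be extracted from it, which is the section 3.3 rule applied to rule 4.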
If a user has more than one email address, the CNAME type can be used | If a user has more than one email address, the CNAME type can be used | |||
to reduce the amount of data stored in the DNS. For example: | to reduce the amount of data stored in the DNS. For example: | |||
$ORIGIN example.org. | $ORIGIN example.org. | |||
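Review bot: the S/MIME and OpenPGP rows rest on a "standard translation" of an email address into a domain name that the document never defines. The postmaster example (yielding postmaster.example.org) reads as the RFC 1035 mailbox convention, local part first, but local parts containing dots or characters that are not legal in a hostname label are not addressed; either define the translation, including escaping, or cite where it is defined. The change to the IPSEC row naming the IPv4 and IPv6 reverse domains is an improvement.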
skipping to change at page 10, line 35 | skipping to change at page 10, line 35 | |||
The majority of this document is copied verbatim from RFC 2538, by | The majority of this document is copied verbatim from RFC 2538, by | |||
Donald Eastlake 3rd and Olafur Gudmundsson. | Donald Eastlake 3rd and Olafur Gudmundsson. | |||
6. Acknowledgements | 6. Acknowledgements | |||
Thanks to David Shaw and Michael Graff for their contributions to | Thanks to David Shaw and Michael Graff for their contributions to | |||
earlier works that motivated, and served as inspiration for, this | earlier works that motivated, and served as inspiration for, this | |||
document. | document. | |||
This document was improved by suggestions and comments from Olivier | This document was improved by suggestions and comments from Olivier | |||
Dubuisson, Ben Laurie, Samuel Weiler, and Florian Weimer. No doubt | Dubuisson, Olaf M. Kolkman, Ben Laurie, Samuel Weiler, and Florian | |||
the list is incomplete. We apologize to anyone we left out. | Weimer. No doubt the list is incomplete. We apologize to anyone we | |||
left out. | ||||
7. Security Considerations | 7. Security Considerations | |||
By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
signature. Thus it is reasonable to store certificates in non-secure | signature. Thus it is reasonable to store certificates in non-secure | |||
DNS zones or to retrieve certificates from DNS with DNS security | DNS zones or to retrieve certificates from DNS with DNS security | |||
checking not implemented or deferred for efficiency. The results MAY | checking not implemented or deferred for efficiency. The results MAY | |||
be trusted if the certificate chain is verified back to a known | be trusted if the certificate chain is verified back to a known | |||
trusted key and this conforms with the user's security policy. | trusted key and this conforms with the user's security policy. | |||
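Review bot: "The results MAY be trusted if the certificate chain is verified back to a known trusted key" is necessary but not sufficient when the CERT comes from an unsecured zone or an unvalidated response: an attacker who can spoof the answer can substitute a different, validly chained certificate (for another subject, or from another issuer the client trusts). The paragraph should add that the certificate's subject or subject alternative name must also be matched against the owner name it was retrieved under (the section 3 mapping applied in reverse) before its key is used.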
skipping to change at page 11, line 10 | skipping to change at page 11, line 10 | |||
with DNS security checking enabled and are verified by DNS security, | with DNS security checking enabled and are verified by DNS security, | |||
the key within the retrieved certificate MAY be trusted without | the key within the retrieved certificate MAY be trusted without | |||
verifying the certificate chain if this conforms with the user's | verifying the certificate chain if this conforms with the user's | |||
security policy. | security policy. | |||
When the URI type is used, it should be understood that it introduces | When the URI type is used, it should be understood that it introduces | |||
an additional indirection that may allow for a new attack vector. | an additional indirection that may allow for a new attack vector. | |||
One method to secure that indirection is to include a hash of the | One method to secure that indirection is to include a hash of the | |||
certificate in the URI itself. | certificate in the URI itself. | |||
CERT RRs are not used by DNSSEC [8] so there are no security | CERT RRs are not used by DNSSEC [9] so there are no security | |||
considerations related to CERT RRs and securing the DNS itself. | considerations related to CERT RRs and securing the DNS itself. | |||
If DNSSEC [8] is used then the non-existence of a CERT RR, and | If DNSSEC is used then the non-existence of a CERT RR, and | |||
consequently certificates or revocation lists, can be securely | consequently certificates or revocation lists, can be securely | |||
asserted. Without DNSSEC, this is not possible. | asserted. Without DNSSEC, this is not possible. | |||
8. IANA Considerations | 8. IANA Considerations | |||
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
only be assigned by an IETF standards action [6]. This document | only be assigned by an IETF standards action [7]. This document | |||
assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | |||
types 0x0100 through 0xFEFF are assigned through IETF Consensus [6] | types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | |||
based on RFC documentation of the certificate type. The availability | based on RFC documentation of the certificate type. The availability | |||
of private types under 0x00FD and 0x00FE should satisfy most | of private types under 0x00FD and 0x00FE should satisfy most | |||
requirements for proprietary or private types. | requirements for proprietary or private types. | |||
The CERT RR reuses the DNS Security Algorithm Numbers registry. In | The CERT RR reuses the DNS Security Algorithm Numbers registry. In | |||
particular, the CERT RR requires that algorithm number 0 remain | particular, the CERT RR requires that algorithm number 0 remain | |||
reserved, as described in Section 2. The IANA is directed to | reserved, as described in Section 2. The IANA is directed to | |||
reference the CERT RR as a user of this registry and value 0, in | reference the CERT RR as a user of this registry and value 0, in | |||
particular. | particular. | |||
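Review bot: the hash-in-the-URI mitigation only works when the CERT RR carrying that URI is itself DNSSEC-validated or otherwise authenticated; an attacker who can substitute the URI can substitute the hash with it, and the paragraph should say so. The same indirection exists for the IPKIX, ISPKI and IPGP types of section 2.1, which also dereference a URL, so they belong in this paragraph alongside "the URI type".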
skipping to change at page 12, line 20 | skipping to change at page 12, line 20 | |||
10. References | 10. References | |||
10.1 Normative References | 10.1 Normative References | |||
[1] Mockapetris, P., "Domain names - concepts and facilities", | [1] Mockapetris, P., "Domain names - concepts and facilities", | |||
STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
[2] Mockapetris, P., "Domain names - implementation and | [2] Mockapetris, P., "Domain names - implementation and | |||
specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
[3] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri, | [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
Levels", BCP 14, RFC 2119, March 1997. | ||||
[4] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri, | ||||
"Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, | "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, | |||
January 1998. | January 1998. | |||
[4] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifiers (URI): Generic Syntax", RFC 2396, | Resource Identifiers (URI): Generic Syntax", RFC 2396, | |||
August 1998. | August 1998. | |||
[5] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, "OpenPGP | [6] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, | |||
Message Format", RFC 2440, November 1998. | "OpenPGP Message Format", RFC 2440, November 1998. | |||
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA | |||
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. | Considerations Section in RFCs", BCP 26, RFC 2434, | |||
October 1998. | ||||
[7] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001. | |||
[8] Arends, R., Austein, R., Massey, D., Larson, M., and S. Rose, | [9] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | |||
"DNS Security Introduction and Requirements", | "DNS Security Introduction and Requirements", RFC 4033, | |||
draft-ietf-dnsext-dnssec-intro-13 (work in progress), | March 2005. | |||
October 2004. | ||||
[9] Arends, R., "Resource Records for the DNS Security Extensions", | [10] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | |||
draft-ietf-dnsext-dnssec-records-11 (work in progress), | "Resource Records for the DNS Security Extensions", RFC 4034, | |||
October 2004. | March 2005. | |||
10.2 Informative References | 10.2 Informative References | |||
[10] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
Levels", BCP 14, RFC 2119, March 1997. | ||||
[11] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [11] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
RFC 2246, January 1999. | RFC 2246, January 1999. | |||
[12] Kent, S. and R. Atkinson, "Security Architecture for the | [12] Kent, S. and R. Atkinson, "Security Architecture for the | |||
Internet Protocol", RFC 2401, November 1998. | Internet Protocol", RFC 2401, November 1998. | |||
[13] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | [13] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., | |||
and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | |||
September 1999. | September 1999. | |||
[14] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | [14] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", | |||
RFC 3548, July 2003. | RFC 3548, July 2003. | |||
[15] Richardson, M., "A method for storing IPsec keying material in | [15] Richardson, M., "A Method for Storing IPsec Keying Material in | |||
DNS", draft-ietf-ipseckey-rr-11 (work in progress), July 2004. | DNS", RFC 4025, March 2005. | |||
[16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | [16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions | |||
(S/MIME) Version 3.1 Message Specification", RFC 3851, | (S/MIME) Version 3.1 Message Specification", RFC 3851, | |||
July 2004. | July 2004. | |||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
Email: [email protected] | Email: [email protected] | |||
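Review bot: [5] RFC 2396 has been obsoleted by RFC 3986 (January 2005), and it is normative here because the URI private type requires a null-terminated URI in that syntax; cite RFC 3986 instead. Moving RFC 2119 to the normative list as [3] and replacing the DNSSEC and IPSECKEY drafts with RFCs 4033, 4034 and 4025 is correct.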
End of changes. | ||||
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |