draft-ietf-dnsext-rfc2538bis-07.txt | draft-ietf-dnsext-rfc2538bis-08.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Obsoletes: 2538 (if approved) | Obsoletes: 2538 (if approved) | |||
Expires: March 27, 2006 | Expires: April 2, 2006 | |||
Storing Certificates in the Domain Name System (DNS) | Storing Certificates in the Domain Name System (DNS) | |||
draft-ietf-dnsext-rfc2538bis-07 | draft-ietf-dnsext-rfc2538bis-08 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on March 27, 2006. | This Internet-Draft will expire on April 2, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
Cryptographic public keys are frequently published and their | Cryptographic public keys are frequently published and their | |||
authenticity demonstrated by certificates. A CERT resource record | authenticity demonstrated by certificates. A CERT resource record | |||
(RR) is defined so that such certificates and related certificate | (RR) is defined so that such certificates and related certificate | |||
skipping to change at page 4, line 36 | skipping to change at page 4, line 36 | |||
0 reserved | 0 reserved | |||
1 PKIX X.509 as per PKIX | 1 PKIX X.509 as per PKIX | |||
2 SPKI SPKI certificate | 2 SPKI SPKI certificate | |||
3 PGP OpenPGP packet | 3 PGP OpenPGP packet | |||
4 IPKIX The URL of an X.509 data object | 4 IPKIX The URL of an X.509 data object | |||
5 ISPKI The URL of an SPKI certificate | 5 ISPKI The URL of an SPKI certificate | |||
6 IPGP The URL of an OpenPGP packet | 6 IPGP The URL of an OpenPGP packet | |||
7-252 available for IANA assignment | 7-252 available for IANA assignment | |||
253 URI URI private | 253 URI URI private | |||
254 OID OID private | 254 OID OID private | |||
255-65534 available for IANA assignment | 255-65023 available for IANA assignment | |||
65024-65534 experimental | ||||
65535 reserved | 65535 reserved | |||
The PKIX type is reserved to indicate an X.509 certificate conforming | The PKIX type is reserved to indicate an X.509 certificate conforming | |||
to the profile defined by the IETF PKIX working group [9]. The | to the profile defined by the IETF PKIX working group [9]. The | |||
certificate section will start with a one-byte unsigned OID length | certificate section will start with a one-byte unsigned OID length | |||
and then an X.500 OID indicating the nature of the remainder of the | and then an X.500 OID indicating the nature of the remainder of the | |||
certificate section (see 2.3 below). (NOTE: X.509 certificates do | certificate section (see 2.3 below). (NOTE: X.509 certificates do | |||
not include their X.500 directory type designating OID as a prefix.) | not include their X.500 directory type designating OID as a prefix.) | |||
The SPKI type is reserved to indicate the SPKI certificate format | The SPKI type is reserved to indicate the SPKI certificate format | |||
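Review bot: the added "65024-65534 experimental" row and the narrowing of the open range to "255-65023" resolve a disagreement inside -07 rather than introduce a new policy: the -07 IANA Considerations table (left column, Section 8) already listed "255-65023 available for IANA assignment by IETF Consensus" and "65024-65534 experimental", while this Section 2.1 table offered "255-65534" for IANA assignment, so a reader of Section 2.1 alone would have taken the experimental codes as assignable. With -08 the two tables now match in decimal. The hexadecimal policy prose that follows the IANA table ("0x0100 through 0xFEFF" by IETF Consensus, "0xFF00 through 0xFFFF" by standards action) was not revised in the same way and still overlaps the new experimental range; see the note on that hunk.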
skipping to change at page 11, line 13 | skipping to change at page 11, line 13 | |||
Donald Eastlake 3rd and Olafur Gudmundsson. | Donald Eastlake 3rd and Olafur Gudmundsson. | |||
6. Acknowledgements | 6. Acknowledgements | |||
Thanks to David Shaw and Michael Graff for their contributions to | Thanks to David Shaw and Michael Graff for their contributions to | |||
earlier works that motivated, and served as inspiration for, this | earlier works that motivated, and served as inspiration for, this | |||
document. | document. | |||
This document was improved by suggestions and comments from Olivier | This document was improved by suggestions and comments from Olivier | |||
Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis, | Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis, | |||
Douglas Otis, Marcos Sanz, Jason Sloderbeck, Samuel Weiler, and | Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel | |||
Florian Weimer. No doubt the list is incomplete. We apologize to | Weiler, and Florian Weimer. No doubt the list is incomplete. We | |||
anyone we left out. | apologize to anyone we left out. | |||
7. Security Considerations | 7. Security Considerations | |||
By definition, certificates contain their own authenticating | By definition, certificates contain their own authenticating | |||
signature. Thus, it is reasonable to store certificates in non- | signature. Thus, it is reasonable to store certificates in non- | |||
secure DNS zones or to retrieve certificates from DNS with DNS | secure DNS zones or to retrieve certificates from DNS with DNS | |||
security checking not implemented or deferred for efficiency. The | security checking not implemented or deferred for efficiency. The | |||
results may be trusted if the certificate chain is verified back to a | results may be trusted if the certificate chain is verified back to a | |||
known trusted key and this conforms with the user's security policy. | known trusted key and this conforms with the user's security policy. | |||
skipping to change at page 12, line 5 | skipping to change at page 12, line 5 | |||
If DNSSEC is used, then the non-existence of a CERT RR and, | If DNSSEC is used, then the non-existence of a CERT RR and, | |||
consequently, certificates or revocation lists can be securely | consequently, certificates or revocation lists can be securely | |||
asserted. Without DNSSEC, this is not possible. | asserted. Without DNSSEC, this is not possible. | |||
8. IANA Considerations | 8. IANA Considerations | |||
IANA needs to create a new registry for CERT RR, certificate types. | IANA needs to create a new registry for CERT RR, certificate types. | |||
The initial contents of this registry is: | The initial contents of this registry is: | |||
0 reserved | [[RFC Editor: Replace xxxx below with the number of this RFC.]] | |||
1 PKIX X.509 as per PKIX | ||||
2 SPKI SPKI certificate | Decimal Type Meaning Reference | |||
3 PGP OpenPGP packet | ------- ---- ------- --------- | |||
4 IPKIX The URL of an X.509 data object | 0 Reserved RFC xxxx | |||
5 ISPKI The URL of an SPKI certificate | 1 PKIX X.509 as per PKIX RFC xxxx | |||
6 IPGP The URL of an OpenPGP packet | 2 SPKI SPKI certificate RFC xxxx | |||
7-252 available for IANA assignment | 3 PGP OpenPGP packet RFC xxxx | |||
4 IPKIX The URL of an X.509 data object RFC xxxx | ||||
5 ISPKI The URL of an SPKI certificate RFC xxxx | ||||
6 IPGP The URL of an OpenPGP packet RFC xxxx | ||||
7-252 Available for IANA assignment | ||||
by IETF Standards action | by IETF Standards action | |||
253 URI URI private | 253 URI URI private RFC xxxx | |||
254 OID OID private | 254 OID OID private RFC xxxx | |||
255-65023 available for IANA assignment | 255-65023 Available for IANA assignment | |||
by IETF Consensus. | by IETF Consensus | |||
65024-65534 experimental | 65024-65534 Experimental RFC xxxx | |||
65535 reserved | 65535 Reserved RFC xxxx | |||
Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can | |||
only be assigned by an IETF standards action [7]. This document | only be assigned by an IETF standards action [7]. This document | |||
assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate | |||
types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | types 0x0100 through 0xFEFF are assigned through IETF Consensus [7] | |||
based on RFC documentation of the certificate type. The availability | based on RFC documentation of the certificate type. The availability | |||
of private types under 0x00FD and 0x00FE ought to satisfy most | of private types under 0x00FD and 0x00FE ought to satisfy most | |||
requirements for proprietary or private types. | requirements for proprietary or private types. | |||
The CERT RR reuses the DNS Security Algorithm Numbers registry. In | The CERT RR reuses the DNS Security Algorithm Numbers registry. In | |||
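Review bot: the hexadecimal ranges in the paragraph after the table do not agree with the decimal ranges in the table, and the table itself is the normative registry content. 65023 is 0xFDFF and 65024-65534 is 0xFE00-0xFFFE, so the table places 0xFE00-0xFFFE under Experimental, whereas the prose says "0x0100 through 0xFEFF" is assigned by IETF Consensus and "0xFF00 through 0xFFFF" only by standards action; likewise 255 (0x00FF) falls in the table's IETF Consensus row but in the prose's standards-action range "0x0000 through 0x00FF". Restate the prose to match the table ("0x00FF through 0xFDFF" by IETF Consensus, "0xFE00 through 0xFFFE" Experimental, "0xFFFF" reserved), or adjust the table, so an implementer can tell which policy governs a code in 0xFE00-0xFFFE. Separately, the new Reference column is empty for the "7-252" and "255-65023" rows while every other row carries "RFC xxxx"; the ranges and their assignment policies are defined by this document, so those rows should cite it as well.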
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |