[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 RFC 4386

Internet Draft                                          S. Boeyen
PKIX Working Group                                      Entrust Inc.
Feb.2005                                                P. Hallam-Baker
Expires in Aug 2005                                     VeriSign Inc.

                Internet X.509 Public Key Infrastructure
                        Repository Locator Service
                   <draft-ietf-pkix-pkixrep-03.txt>

   Status of this Memo

   This document is an Internet-Draft and is subject to all
   provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire in Aug 2005. Comments should
   be sent to the PKIX mail list at:  ietf-pkix@imc.org.

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   or will be disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.

   Copyright (C) The Internet Society (2005). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights."

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

   Abstract

   This document defines a PKI repository locator service. The service
   makes use of DNS SRV records defined in accordance with RFC 2782. The
   service enables certificate using systems to locate PKI repositories

Boeyen & Hallam-Baker            Expires Aug 2005      [Page 1]

   based on a domain name, identify the protocols that can be used to
   access the repository, and obtain addresses for the servers that host
   the repository service.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
   as shown) are to be interpreted as described in [RFC2119].

1  Overview

   Operational protocols have been specified for retrieval of PKI data,
   including public-key certificates and revocation information, from
   PKI repositories in a number of RFCs including RFC 2559, RFC 2560
   and RFC 2585. These RFCs assume that a certificate using system has
   the knowledge information necessary to identify, locate and connect
   to the PKI repository with a specific protocol. Although there are
   some tools available in protocol-specific environments for this
   purpose, such as knowledge references in directory systems, these
   are restricted to use with a single protocol and do not share a
   common means of publication. This draft provides a solution to
   this problem through the use of SRV RRs in DNS. This solution is
   expected to be particularly useful in environments where only a
   domain name is available. In other situations (e.g. where a
   certificate is available that contains the required information),
   such a DNS lookup is not needed.

   RFC 2782 defines a DNS RR for specifying the location of services
   (SRV). This Internet-draft defines SRV records for a PKI
   repository locator service to enable PKI clients to obtain the
   necessary information to connect to a domain's PKI repository,
   including information about each protocol that is supported by
   that domain for access to its repository. This Internet-draft
   includes the defininition of a  SRV RR format for this service
   and an example of its potential use in an email environment.

2  SRV RR definition

   The format of the SRV RR, whose DNS type code is 33, is:

   _Service._Proto.Name TTL Class SRV Priority Weight Port Target

   For the PKI repository locator service, this draft uses the symbolic
   name "PKIXREP". Note that when used in an SRV RR, this name MUST
   be prepended with a "_" character.

   The protocols that can be included in PKIXREP SRV RRs are:
   LDAP
   HTTP
   OCSP

   Note that when these protocol names appear in SRV records, they
   MUST be prepended by a "_" character.

   Other protocols could be added in future.

   Boeyen & Hallam-Baker            Expires Aug 2005       [Page 2]

   System administrators SHOULD create at least one PKIXREP SRV RR for
   each protocol that can be used to access their service. If the
   service is operated on a number of hosts, additional records can
   be created, as described in RFC 2782.

2.1 SRV RR example

   This example uses fictional domain "example.com" as an aid in
   understanding the use of SRV records by a certificate using system.

   Let an email client that needs a certificate for a recipient be
   Alice and assume that Alice's client system supports LDAP for
   certificate retrieval. Let the message recipient be Bob and let
   Bob's email address be bob@example.com. Assume that example.test
   maintains a "border directory" PKI repository and that Bob's
   certificate is available from that directory "border.example.com"
   via LDAP.

   Alice's client system retrieves, via DNS, the SRV record for
   _PKIXREP._LDAP.example.com.

        - the QNAME of the DNS query is _PKIXREP._LDAP.example.com
        - the QCLASS of the DNS query is IN
        - the QTYPE of the DNS query is SRV

   The result SHOULD include the host address for example.com's
   border directory system.

   Note that if example.com operated their service on a number of
   hosts, more than one SRV RR would be returned. In this case,
   RFC 2782 defines the procedure to be followed in determining which
   of these should be accessed first.

3  Security considerations

   Security issues regarding PKI repositories themselves are outside
   the scope of this specification. For LDAP repositories, for example,
   specific security considerations are addressed in RFC 2559.

   Security issues with respect to the use of SRV records in general
   are addressed in RFC 2782 and these issues apply to the use of SRV
   records in the context of the PKIXREP service defined here.

4  IANA Considerations

   This document reserves the use of "_PKIXREP" Service label.
   Since this relates to a service which may pass messages over a number
   of different message transports, they must be associated with a
   specific transport.

   In order to ensure that the association between "_PKIXREP" and
   their respective underlying services is deterministic, this document
   requests that IANA create a registry: The PKIX SRV Protocol Label.
   For this registry, an entry shall consist of a label name and a

   Boeyen & Hallam-Baker            Expires Aug 2005       [Page 3]

   pointer to a specification describing how the protocol named in the
   label uses SRV. Specifications should conform to the requirements
   listed in RFC 2434 for "specification required".

4  References

   [RFC 2119] Bradner, S., "Keywords for use in RFCs to indicate
              requirement levels, March 1997.

   [RFC 2782] Gulbrandsen, A. Vixie, P. and Esibov, L., "A DNS RR for
              specifying the location of services (DNS SRV)", Feb 2000.

   [RFC 2559] Boeyen, S. Howes, T. and Richard, P., "Internet X.509
              Public Key Infrastructure Operational Protocols - LDAPv2",
              April 1999.

   [RFC 2560] Myers, M. Ankney, R. Malpani, A. Galperin, S. and Adams, C.
              "Internet X.509 Public Key Infrastructure Online Certificate
              Status Protocol - OCSP", June 1999.

   [RFC 2585] Housley, R. and Hoffman, P. "Internet X.509 Public Key
              Infrastructure Operational Protocols: FTP and HTTP",
              May, 1999.

   [RFC 2434] Narten, T. and Alvestrand, H. "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 2434, BCP 26,
              October 1998.

7  Authors' Addresses

   Sharon Boeyen
   Entrust
   1000 Innovation Drive
   Ottawa, Ontario
   Canada K2K 3E7
   email: sharon.boeyen@entrust.com

   Phillip M. Hallam-Baker
   VeriSign Inc.
   401 Edgewater Place, Suite 280
   Wakefield MA 01880
   email: pbaker@VeriSign.com







Boeyen & Hallam-Baker            Expires Aug 2005       [Page 4]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/