draft-ietf-hip-cert-07.txt | draft-ietf-hip-cert-08.txt | |||
---|---|---|---|---|
Host Identity Protocol Heer | Host Identity Protocol Heer | |||
Internet-Draft Distributed Systems Group, RWTH | Internet-Draft Distributed Systems Group, RWTH | |||
Intended status: Experimental Aachen University | Intended status: Experimental Aachen University | |||
Expires: July 16, 2011 Varjonen | Expires: July 22, 2011 Varjonen | |||
Helsinki Institute for Information | Helsinki Institute for Information | |||
Technology | Technology | |||
January 12, 2011 | January 18, 2011 | |||
Host Identity Protocol Certificates | Host Identity Protocol Certificates | |||
draft-ietf-hip-cert-07 | draft-ietf-hip-cert-08 | |||
Abstract | Abstract | |||
The CERT parameter is a container for X.509.v3 certificates and | The CERT parameter is a container for X.509.v3 certificates and | |||
Simple Public Key Infrastructure (SPKI) certificates. It is used for | Simple Public Key Infrastructure (SPKI) certificates. It is used for | |||
carrying these certificates in Host Identity Protocol (HIP) control | carrying these certificates in Host Identity Protocol (HIP) control | |||
packets. This document specifies the certificate parameter and the | packets. This document specifies the certificate parameter and the | |||
error signaling in case of a failed verification. Additionally, this | error signaling in case of a failed verification. Additionally, this | |||
document specifies the representations of Host Identity Tags in | document specifies the representations of Host Identity Tags in | |||
X.509.v3 and SPKI certificates. | X.509.v3 and SPKI certificates. | |||
skipping to change at page 2, line 9 | skipping to change at page 2, line 9 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on July 16, 2011. | This Internet-Draft will expire on July 22, 2011. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 4, line 43 | skipping to change at page 4, line 43 | |||
| SPKI | 2 | | | SPKI | 2 | | |||
| Hash and URL of X.509.v3 | 3 | | | Hash and URL of X.509.v3 | 3 | | |||
| Hash and URL of SPKI | 4 | | | Hash and URL of SPKI | 4 | | |||
| LDAP URL of X.509.v3 | 5 | | | LDAP URL of X.509.v3 | 5 | | |||
| LDAP URL of SPKI | 6 | | | LDAP URL of SPKI | 6 | | |||
| Distinguished Name of X.509.v3 | 7 | | | Distinguished Name of X.509.v3 | 7 | | |||
| Distinguished Name of SPKI | 8 | | | Distinguished Name of SPKI | 8 | | |||
+--------------------------------+-------------+ | +--------------------------------+-------------+ | |||
The next sections outline the use of HITs in X.509.v3 and in SPKI | The next sections outline the use of HITs in X.509.v3 and in SPKI | |||
certificates. X.509.v3 certificates are defined in [RFC3280]. The | certificates. X.509.v3 certificates are defined in [RFC5280]. The | |||
wire format for X.509.v3 is Distinguished Encoding Rules format as | wire format for X.509.v3 is Distinguished Encoding Rules format as | |||
defined in [X.690]. The SPKI and its formats are defined in | defined in [X.690]. The SPKI and its formats are defined in | |||
[RFC2693]. | [RFC2693]. | |||
Hash and URL encodings (3 and 4) are used as defined in [RFC4306] | Hash and URL encodings (3 and 4) are used as defined in [RFC5996] | |||
Section 3.6. Using hash and URL encodings results in smaller HIP | Section 3.6. Using hash and URL encodings results in smaller HIP | |||
control packets, but requires the receiver to resolve the URL or | control packets, but requires the receiver to resolve the URL or | |||
check a local cache against the hash. | check a local cache against the hash. | |||
LDAP URL encodings (5 and 6) are used as defined in [RFC2255]. Using | LDAP URL encodings (5 and 6) are used as defined in [RFC4516]. Using | |||
LDAP URL encoding results in smaller HIP control packets but requires | LDAP URL encoding results in smaller HIP control packets but requires | |||
the receiver to retrieve the certificate or check a local cache | the receiver to retrieve the certificate or check a local cache | |||
against the URL. | against the URL. | |||
Distinguished name (DN) encodings (7 and 8) are used as defined in | Distinguished name (DN) encodings (7 and 8) are used as defined in | |||
[RFC1779]. Using the DN encoding results in smaller HIP control | [RFC4514]. Using the DN encoding results in smaller HIP control | |||
packets, but requires the receiver to retrieve the certificate or | packets, but requires the receiver to retrieve the certificate or | |||
check a local cache against the DN. | check a local cache against the DN. | |||
3. X.509.v3 Certificate Object and Host Identities | 3. X.509.v3 Certificate Object and Host Identities | |||
When using X.509.v3 certificates to transmit information related to | When using X.509.v3 certificates to transmit information related to | |||
HIP hosts, HITs MAY be enclosed within the certificates. HITs can | HIP hosts, HITs MAY be enclosed within the certificates. HITs can | |||
represent an issuer, a subject, or both. In X.509.v3 HITs are | represent an issuer, a subject, or both. In X.509.v3 HITs are | |||
represented as issuer or subject alternative name extensions as | represented as issuer or subject alternative name extensions as | |||
defined in [RFC2459]. If only the HIT of the host is presented as | defined in [RFC5280]. If only the HIT of the host is presented as | |||
either the issuer or the subject the respective HIT MUST be placed | either the issuer or the subject the respective HIT MUST be placed | |||
into the respective entity's DN's Common Name (CN) section in a colon | into the respective entity's DN's Common Name (CN) section in a colon | |||
delimited presentation format defined in [RFC5952]. Inclusion of CN | delimited presentation format defined in [RFC5952]. Inclusion of CN | |||
is not necessary if DN contains any other naming information. It is | is not necessary if DN contains any other naming information. It is | |||
RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in | RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in | |||
the DN if one exists. The full HIs are presented in the public key | the DN if one exists. The full HIs are presented in the public key | |||
entries of X.509.v3 certificates. | entries of X.509.v3 certificates. | |||
The following examples illustrate how HITs are presented as issuer | The following examples illustrate how HITs are presented as issuer | |||
and subject in the DN and in the X.509.v3 extension alternative | and subject in the DN and in the X.509.v3 extension alternative | |||
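Review bot: the hash-and-URL paragraph (types 3 and 4, "Hash and URL encodings (3 and 4) ... check a local cache against the hash") stops at "resolve the URL" and never says that the receiver has to check that the fetched certificate actually hashes to the value carried in the CERT parameter; without that step a URL pointing at an attacker-chosen DER blob would be accepted on the strength of the URL alone. Suggest adding a sentence along the lines of "The receiver MUST verify that the hash of the retrieved certificate matches the hash in the CERT parameter before using the certificate", mirroring the check in the cited Section 3.6 of [RFC5996]. The LDAP URL and DN forms (5 to 8) carry no hash at all, so the same place could state that for those encodings the certificate's binding to the peer rests only on its signature chain and on the HIT/HI match described in Section 3.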
skipping to change at page 7, line 26 | skipping to change at page 7, line 26 | |||
follows: | follows: | |||
Format: (hash hit hit-of-host) | Format: (hash hit hit-of-host) | |||
Example: (hash hit 2001:13:724d:f3c0:6ff0:33c2:15d8:5f50) | Example: (hash hit 2001:13:724d:f3c0:6ff0:33c2:15d8:5f50) | |||
Appendix A shows a full example SPKI certificate with HIP content. | Appendix A shows a full example SPKI certificate with HIP content. | |||
5. Revocation of Certificates | 5. Revocation of Certificates | |||
Revocation of X.509.v3 certificates is handled as defined in Section | Revocation of X.509.v3 certificates is handled as defined in Section | |||
5 of [RFC2459]. Revocation of SPKI certificates is handled as | 5 of [RFC5280]. Revocation of SPKI certificates is handled as | |||
defined in Section 5 of [RFC2693]. | defined in Section 5 of [RFC2693]. | |||
6. Error signaling | 6. Error signaling | |||
If the Initiator does not send the certificate that the Responder | If the Initiator does not send the certificate that the Responder | |||
requires the Responder may take actions (e.g. reject the connection). | requires the Responder may take actions (e.g. reject the connection). | |||
The Responder MAY signal this to the Initiator by sending a HIP | The Responder MAY signal this to the Initiator by sending a HIP | |||
NOTIFY message with NOTIFICATION parameter error type | NOTIFY message with NOTIFICATION parameter error type | |||
CREDENTIALS_NEEDED. | CREDENTIALS_NEEDED. | |||
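Review bot: "the Responder may take actions (e.g. reject the connection)" uses a lowercase "may" in a document that relies on RFC 2119 keywords, while the very next sentence uses an uppercase "MAY"; a reader cannot tell whether the first is normative. Suggest either "MAY take actions" or a clearly non-normative wording such as "the Responder can take other actions, for example rejecting the association". The revocation text is consistent with the reference swap: Section 5 of [RFC5280] is the CRL profile, which is what Section 5 of the replaced [RFC2459] covered.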
skipping to change at page 9, line 9 | skipping to change at page 9, line 9 | |||
9. Acknowledgements | 9. Acknowledgements | |||
The authors would like to thank A. Keranen, D. Mattes, M. Komu and T. | The authors would like to thank A. Keranen, D. Mattes, M. Komu and T. | |||
Henderson for the fruitful conversations on the subject. D. Mattes | Henderson for the fruitful conversations on the subject. D. Mattes | |||
most notably contributed the non-HIP aware use case in Section 3. | most notably contributed the non-HIP aware use case in Section 3. | |||
10. References | 10. References | |||
10.1. Normative References | 10.1. Normative References | |||
[RFC1779] Kille, S., "A String Representation of Distinguished | ||||
Names", RFC 1779, March 1995. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, | ||||
December 1997. | ||||
[RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet | ||||
X.509 Public Key Infrastructure Certificate and CRL | ||||
Profile", RFC 2459, January 1999. | ||||
[RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, | [RFC2693] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, | |||
B., and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | B., and T. Ylonen, "SPKI Certificate Theory", RFC 2693, | |||
September 1999. | September 1999. | |||
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet | [RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol | |||
X.509 Public Key Infrastructure Certificate and | (LDAP): String Representation of Distinguished Names", | |||
Certificate Revocation List (CRL) Profile", RFC 3280, | RFC 4514, June 2006. | |||
April 2002. | ||||
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", | [RFC4516] Smith, M. and T. Howes, "Lightweight Directory Access | |||
RFC 4306, December 2005. | Protocol (LDAP): Uniform Resource Locator", RFC 4516, | |||
June 2006. | ||||
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, | [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, | |||
"Host Identity Protocol", RFC 5201, April 2008. | "Host Identity Protocol", RFC 5201, April 2008. | |||
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | ||||
Housley, R., and W. Polk, "Internet X.509 Public Key | ||||
Infrastructure Certificate and Certificate Revocation List | ||||
(CRL) Profile", RFC 5280, May 2008. | ||||
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 | |||
Address Text Representation", RFC 5952, August 2010. | Address Text Representation", RFC 5952, August 2010. | |||
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | ||||
"Internet Key Exchange Protocol Version 2 (IKEv2)", | ||||
RFC 5996, September 2010. | ||||
10.2. Informative References | 10.2. Informative References | |||
[X.690] ITU-T, "Recommendation X.690 Information Technology - | [X.690] ITU-T, "Recommendation X.690 Information Technology - | |||
ASN.1 encoding rules: Specification of Basic Encoding | ASN.1 encoding rules: Specification of Basic Encoding | |||
Rules (BER), Canonical Encoding Rules (CER) and | Rules (BER), Canonical Encoding Rules (CER) and | |||
Distinguished Encoding Rules (DER)", July 2002, <http:// | Distinguished Encoding Rules (DER)", July 2002, <http:// | |||
www.itu.int/ITU-T/studygroups/com17/languages/ | www.itu.int/ITU-T/studygroups/com17/languages/ | |||
X.690-0207.pdf>. | X.690-0207.pdf>. | |||
Appendix A. SPKI certificate example | Appendix A. SPKI certificate example | |||
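Review bot: [X.690] stays under 10.2 Informative References although Section 2 makes the DER encoding it defines the mandatory wire format for X.509.v3 certificates ("The wire format for X.509.v3 is Distinguished Encoding Rules format as defined in [X.690]"); an implementer cannot build a conforming encoder without it, so it belongs under 10.1 Normative References. The substitutions themselves are sound: RFC 4514 is the current DN string representation that replaced RFC 1779, RFC 4516 obsoletes the RFC 2255 LDAP URL format, RFC 5280 obsoletes RFC 3280 (which obsoleted RFC 2459), and RFC 5996 obsoletes RFC 4306; the removed RFC 2459, RFC 3280 and RFC 4306 entries have no remaining citations in the changed text.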
skipping to change at page 13, line 22 | skipping to change at page 13, line 22 | |||
Changes from version 06 to 07: | Changes from version 06 to 07: | |||
o Editorial changes. | o Editorial changes. | |||
o Removed a the second paragraph in section 8. | o Removed a the second paragraph in section 8. | |||
o Changed the example in Appendix A (Cert created without the | o Changed the example in Appendix A (Cert created without the | |||
leading zeroes in HITs). | leading zeroes in HITs). | |||
Changes from version 07 to 08: | ||||
o Updated and checked the references. | ||||
Authors' Addresses | Authors' Addresses | |||
Tobias Heer | Tobias Heer | |||
Distributed Systems Group, RWTH Aachen University | Distributed Systems Group, RWTH Aachen University | |||
Ahornstrasse 55 | Ahornstrasse 55 | |||
Aachen | Aachen | |||
Germany | Germany | |||
Phone: +49 241 80 214 36 | Phone: +49 241 80 214 36 | |||
Email: heer@cs.rwth-aachen.de | Email: heer@cs.rwth-aachen.de | |||
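Review bot: the 06-to-07 changelog entry "Removed a the second paragraph in section 8." carries its typo unchanged into 08; suggest "Removed the second paragraph of Section 8." The new 07-to-08 entry "Updated and checked the references." would be more useful to reviewers if it listed the substitutions made in this revision (RFC 1779 -> RFC 4514, RFC 2255 -> RFC 4516, RFC 2459 and RFC 3280 -> RFC 5280, RFC 4306 -> RFC 5996), since every citation in Sections 2, 3 and 5 now resolves against a different document and the section numbers cited there should be re-checked against the new targets.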
End of changes. 17 change blocks. | ||||
26 lines changed or deleted | 29 lines changed or added | |||