draft-ietf-xmpp-dna-06.txt   draft-ietf-xmpp-dna-07.txt 
Network Working Group P. Saint-Andre Network Working Group P. Saint-Andre
Internet-Draft &yet Internet-Draft &yet
Intended status: Standards Track M. Miller Intended status: Standards Track M. Miller
Expires: December 23, 2014 Cisco Systems, Inc. Expires: April 14, 2015 Cisco Systems, Inc.
June 21, 2014 October 11, 2014
Domain Name Associations (DNA) in the Extensible Messaging and Presence Domain Name Associations (DNA) in the Extensible Messaging and Presence
Protocol (XMPP) Protocol (XMPP)
draft-ietf-xmpp-dna-06 draft-ietf-xmpp-dna-07
Abstract Abstract
This document improves the security of the Extensible Messaging and This document improves the security of the Extensible Messaging and
Presence Protocol (XMPP) in two ways. First, it specifies how Presence Protocol (XMPP) in two ways. First, it specifies how to
"prooftypes" can establish a strong association between a domain name establish a strong association between a domain name and an XML
and an XML stream. Second, it describes how to securely delegate a stream, using the concept of "prooftypes". Second, it describes how
source domain to a derived domain, which is especially important in to securely delegate a service domain name (e.g., example.com) to a
multi-tenanted environments. target server host name (e.g., hosting.example.net), which is
especially important in multi-tenanted environments where the same
target server hosts a large number of service associated with
different domains.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 23, 2014. This Internet-Draft will expire on April 14, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 16
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Client-to-Server (C2S) DNA . . . . . . . . . . . . . . . . . 3 3. Client-to-Server (C2S) DNA . . . . . . . . . . . . . . . . . 3
3.1. C2S Flow . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. C2S Flow . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. C2S Description . . . . . . . . . . . . . . . . . . . . . 4 3.2. C2S Description . . . . . . . . . . . . . . . . . . . . . 4
4. Server-to-Server (S2S) DNA . . . . . . . . . . . . . . . . . 5 4. Server-to-Server (S2S) DNA . . . . . . . . . . . . . . . . . 5
4.1. S2S Flow Chart . . . . . . . . . . . . . . . . . . . . . 5 4.1. S2S Flow Chart . . . . . . . . . . . . . . . . . . . . . 5
4.2. A Simple S2S Scenario . . . . . . . . . . . . . . . . . . 7 4.2. A Simple S2S Scenario . . . . . . . . . . . . . . . . . . 7
4.3. One-Way Authentication . . . . . . . . . . . . . . . . . 8 4.3. One-Way Authentication . . . . . . . . . . . . . . . . . 8
4.4. Piggybacking . . . . . . . . . . . . . . . . . . . . . . 9 4.4. Piggybacking . . . . . . . . . . . . . . . . . . . . . . 9
4.4.1. Assertion . . . . . . . . . . . . . . . . . . . . . . 9 4.4.1. Assertion . . . . . . . . . . . . . . . . . . . . . . 9
4.4.2. Supposition . . . . . . . . . . . . . . . . . . . . . 10 4.4.2. Supposition . . . . . . . . . . . . . . . . . . . . . 11
5. Alternative Prooftypes . . . . . . . . . . . . . . . . . . . 12 5. Alternative Prooftypes . . . . . . . . . . . . . . . . . . . 12
5.1. DANE . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.1. DANE . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2. POSH . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.2. POSH . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. Secure Delegation and Multi-Tenancy . . . . . . . . . . . . . 13 6. Secure Delegation and Multi-Tenancy . . . . . . . . . . . . . 13
7. Prooftype Model . . . . . . . . . . . . . . . . . . . . . . . 14 7. Prooftype Model . . . . . . . . . . . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
8.1. Well-Known URI for xmpp-client Service . . . . . . . . . 14 8.1. Well-Known URI for xmpp-client Service . . . . . . . . . 14
8.2. Well-Known URI for xmpp-server Service . . . . . . . . . 14 8.2. Well-Known URI for xmpp-server Service . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 16 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
The need to establish a strong association between a domain name and In systems that use the Extensible Messaging and Presence Protocol
an XML stream arises in both client-to-server and server-to-server (XMPP) [RFC6120], it is important to establish a strong association
communication using the Extensible Messaging and Presence Protocol between the DNS domain name of an XMPP service (e.g., example.com)
(XMPP) [RFC6120]. Because XMPP servers are typically identified by and the XML stream that a client or peer server initiates with that
DNS domain names, a client or peer server needs to verify the service. In other words, the client or peer server needs to verify
identity of a server to which it connects. the identity of the server to which it connects.
To date, such verification has been established based on information To date, such verification has been established based on information
obtained from the Domain Name System (DNS), the Public Key obtained from the Domain Name System (DNS), the Public Key
Infrastructure (PKI), or similar sources. In relation to such Infrastructure (PKI), or similar sources. In relation to such
associations, this document does the following: associations, this document does the following:
1. Generalizes the model currently in use so that additional 1. Generalizes the model currently in use so that additional
prooftypes can be defined prooftypes can be defined if needed.
2. Provides a basis for modernizing some prooftypes to reflect 2. Provides a basis for modernizing some prooftypes to reflect
progress in underlying technologies such as DNS Security progress in underlying technologies such as DNS Security
[RFC4033] [RFC4033].
3. Describes the flow of operations for establishing a domain name 3. Describes the flow of operations for establishing a domain name
association (DNA) association (DNA).
This document also provides guidelines for secure delegation. The This document also provides guidelines for secure delegation of a
need for secure delegation arises because the process for resolving service domain name (e.g., example.com) to a target server host name
the domain name of an XMPP service into the IP address at which an (e.g., hosting.example.net). The need for secure delegation arises
XML stream will be negotiated (see [RFC6120]) can involve delegation because the process for resolving the domain name of an XMPP service
of a source domain (say, example.com) to a derived domain (say, into the IP address at which an XML stream will be negotiated (see
hosting.example.net) using technologies such as DNS SRV records [RFC6120]) can involve delegation of a service domain name to a
[RFC2782]. If such delegation is not done in a secure manner, then target server host name using technologies such as DNS SRV records
the domain name association cannot be authenticated. [RFC2782]. A more detailed description of the delegation problem can
be found in [I-D.ietf-xmpp-posh]. If such delegation is not done in
a secure manner, then the domain name association cannot be verified.
2. Terminology 2. Terminology
This document inherits XMPP terminology from [RFC6120] and This document inherits XMPP terminology from [RFC6120] and
[XEP-0220], DNS terminology from [RFC1034], [RFC1035], [RFC2782] and [XEP-0220], DNS terminology from [RFC1034], [RFC1035], [RFC2782] and
[RFC4033], and security terminology from [RFC4949] and [RFC5280]. [RFC4033], and security terminology from [RFC4949] and [RFC5280].
The terms "source domain", "derived domain", "reference identity", The terms "reference identity", and "presented identity" are used as
and "presented identity" are used as defined in the "CertID" defined in the "CertID" specification [RFC6125]. For the sake of
specification [RFC6125]. consistency with [I-D.ietf-dane-srv], this document uses the terms
"service domain name" and "target server host name" to refer to the
same entities identified by the terms "source domain" and "derived
domain" from [RFC6125].
3. Client-to-Server (C2S) DNA 3. Client-to-Server (C2S) DNA
The client-to-server case is much simpler than the server-to-server The client-to-server case is much simpler than the server-to-server
case (the client does not assert a domain name, only the server's case because the client does not assert a domain name, the only
domain name needs to be verified, etc.). Therefore we describe it domain name that needs to be verified is that of the server, etc.
first to help the reader understand domain name associations in XMPP. Therefore we describe this case first to help the reader understand
domain name associations in XMPP.
3.1. C2S Flow 3.1. C2S Flow
The following flow chart illustrates the protocol flow for The following flow chart illustrates the protocol flow for
establishing a domain name association for an XML stream from a establishing a domain name association for an XML stream from a
client to a server. client to a server using the standard PKIX prooftype specified in
[RFC6120].
| |
DNS RESOLUTION ETC. DNS RESOLUTION ETC.
| |
+-----------------STREAM HEADERS---------------------+ +-----------------STREAM HEADERS---------------------+
| | | |
| A: <stream from='user@a.example' to='a.example'> | | A: <stream from='user@a.example' to='a.example'> |
| | | |
| B: <stream from='a.example' to='user@a.example'> | | B: <stream from='a.example' to='user@a.example'> |
| | | |
skipping to change at page 4, line 51 skipping to change at page 5, line 12
<stream:stream from='a.example' to='user@a.example'> <stream:stream from='a.example' to='user@a.example'>
5. The parties attempt TLS negotiation, during which the XMPP server 5. The parties attempt TLS negotiation, during which the XMPP server
(acting as a TLS server) presents a PKIX certificate proving that (acting as a TLS server) presents a PKIX certificate proving that
it is a.example. it is a.example.
6. The client checks the PKIX certificate that the server provided; 6. The client checks the PKIX certificate that the server provided;
if the proof is consistent with the XMPP profile of the matching if the proof is consistent with the XMPP profile of the matching
rules from [RFC6125], the client accepts that there is a strong rules from [RFC6125], the client accepts that there is a strong
domain name association between its stream to the server and the domain name association between its stream to the target server
DNS domain name of the server. and the DNS domain name of the XMPP service.
4. Server-to-Server (S2S) DNA 4. Server-to-Server (S2S) DNA
The server-to-server case is much more complex than the client-to- The server-to-server case is significantly more complex than the
server case, and involves checking of domain name associations in client-to-server case, and involves checking of domain name
both directions along with other "wrinkles" described in the associations in both directions along with other "wrinkles" described
following sections. in the following sections.
4.1. S2S Flow Chart 4.1. S2S Flow Chart
The following flow chart illustrates the protocol flow for The following flow chart illustrates the protocol flow for
establishing domain name associations between Server 1 and Server 2, establishing domain name associations between Server 1 and Server 2,
as described in the remaining sections of this document. as described in the remaining sections of this document.
| |
(Section 4.2: A Simple Scenario) (Section 4.2: A Simple Scenario)
| |
skipping to change at page 12, line 16 skipping to change at page 12, line 24
The foregoing protocol flows assumed that domain name associations The foregoing protocol flows assumed that domain name associations
were proved using the standard PKI prooftype specified in [RFC6120]: were proved using the standard PKI prooftype specified in [RFC6120]:
that is, the server's proof consists of a PKIX certificate that is that is, the server's proof consists of a PKIX certificate that is
checked according to the XMPP profile [RFC6120] of the matching rules checked according to the XMPP profile [RFC6120] of the matching rules
from [RFC6125], the client's verification material is obtained out of from [RFC6125], the client's verification material is obtained out of
band in the form of a trusted root, and secure DNS is not necessary. band in the form of a trusted root, and secure DNS is not necessary.
However, sometimes XMPP server administrators are unable or unwilling However, sometimes XMPP server administrators are unable or unwilling
to obtain valid PKIX certificates for their servers. As one example, to obtain valid PKIX certificates for their servers. As one example,
a certificate authority (CA) might try to send email messages to in order to issue a PKIX certificate a certification authority (CA)
authoritative mailbox names [RFC2142], but the administrator of a might try to send email messages to authoritative mailbox names
subsidiary service such as im.cs.podunk.example can't receive email [RFC2142], but the administrator of a subsidiary service such as
sent to mailto:hostmaster@podunk.example. As another example, a im.cs.podunk.example cannot receive email sent to
hosting provider such as hosting.example.net might not want to take mailto:hostmaster@podunk.example. As another example, a hosting
on the liability of holding the certificate and private key for a provider such as hosting.example.net might not want to take on the
tenant such as example.com (or the tenant might not want the hosting liability of holding the certificate and private key for a tenant
such as example.com (or the tenant might not want the hosting
provider to hold its certificate and private key). In these provider to hold its certificate and private key). In these
circumstances, prooftypes other than PKIX are desirable. As circumstances, prooftypes other than PKIX are desirable. As
described below, two alternatives have been defined so far: DNS-Based described below, two alternatives have been defined so far: DNS-Based
Authentication of Named Entities (DANE) and and PKIX Over Secure HTTP Authentication of Named Entities (DANE) and PKIX Over Secure HTTP
(POSH). (POSH).
5.1. DANE 5.1. DANE
In the DANE prooftype, the server's proof consists of a PKIX In the DANE prooftype, the server's proof consists of either a
certificate that is compared as an exact match or a hash of either service certificate or domain-issued certificate (TLSA usage PKIX-EE
the SubjectPublicKeyInfo or the full certificate, and the client's or DANE-EE, see [RFC6698] and [RFC7218]) that is compared as an exact
verification material is obtained via secure DNS. match or a hash of either the SubjectPublicKeyInfo or the full
certificate, and the client's verification material is obtained via
secure DNS.
The DANE prooftype makes use of the DNS-Based Authentication of Named The DANE prooftype makes use of the DNS-Based Authentication of Named
Entities [RFC6698], specifically the use of DANE with DNS SRV records Entities [RFC6698], specifically the use of DANE with DNS SRV records
[I-D.ietf-dane-srv]. For XMPP purposes, the following rules apply: [I-D.ietf-dane-srv]. For XMPP purposes, the following rules apply:
o If there is no SRV resource record, pursue the fallback methods o If there is no SRV resource record, pursue the fallback methods
described in [RFC6120]. described in [RFC6120].
o Use the 'to' address of the initial stream header to determine the o Use the 'to' address of the initial stream header to determine the
domain name of the TLS client's reference identifier (since use of domain name of the TLS client's reference identifier (since use of
the TLS Server Name Indication is purely discretionary in XMPP, as the TLS Server Name Indication is purely discretionary in XMPP, as
mentioned in [RFC6120]). mentioned in [RFC6120]).
5.2. POSH 5.2. POSH
In the POSH prooftype, the server's proof consists of a PKIX In the POSH prooftype, the server's proof consists of a PKIX
certificate that is checked according to the rules from [RFC6120] and certificate that is checked according to the rules from [RFC6120] and
[RFC6125], the client's verification material is obtained by [RFC6125], the client's verification material is obtained by
retrieving the PKIK certificate over HTTPS at a well-known URI retrieving the PKIX certificate over HTTPS at a well-known URI
[RFC5785], and secure DNS is not necessary since the HTTPS retrieval [RFC5785], and secure DNS is not necessary since the HTTPS retrieval
mechanism relies on the chain of trust from the public key mechanism relies on the chain of trust from the public key
infrastructure. infrastructure.
POSH is defined in [I-D.ietf-xmpp-posh]. For XMPP purposes, the POSH is defined in [I-D.ietf-xmpp-posh]. For XMPP purposes, the
well-known URIs [RFC5785] to be used are: well-known URIs [RFC5785] to be used are:
o "/.well-known/posh._xmpp-client._tcp.json" for client-to-server o "/.well-known/posh._xmpp-client._tcp.json" for client-to-server
connections connections
o "/.well-known/posh._xmpp-server._tcp.json" for server-to-server o "/.well-known/posh._xmpp-server._tcp.json" for server-to-server
connections connections
6. Secure Delegation and Multi-Tenancy 6. Secure Delegation and Multi-Tenancy
One common method for deploying XMPP services is multi-tenancy: e.g., One common method for deploying XMPP services is multi-tenancy: e.g.,
the XMPP service for example.com is actually hosted at the XMPP service for example.com is actually hosted at
hosting.example.net. Such an arrangement is relatively convenient in hosting.example.net. Such an arrangement is relatively convenient in
XMPP given the use of DNS SRV records [RFC2782], such as the XMPP given the use of DNS SRV records [RFC2782], such as the
following pointer from example.com to hosting.example.net: following delegation from example.com to hosting.example.net:
_xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net _xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net
Secure connections with multi-tenancy can work using the PKIX Secure connections with multi-tenancy can work using the PKIX
prooftype on a small scale if the provider itself wishes to host prooftype on a small scale if the provider itself wishes to host
several domains (e.g., several related domains such as jabber- several domains (e.g., several related domains such as jabber-
de.example and jabber-ch.example). However, in practice the security de.example and jabber-ch.example). However, in practice the security
of multi-tenancy has been found to be unwieldy when the provider of multi-tenancy has been found to be unwieldy when the provider
hosts large numbers of XMPP services on behalf of multiple tenants. hosts large numbers of XMPP services on behalf of multiple tenants
Typically there are two main reasons for this state of affairs: the (see [I-D.ietf-xmpp-posh] for a detailed description). Typically
service provider (say, hosting.example.net) wishes to limit its there are two main reasons for this state of affairs: the service
liability and therefore does not wish to hold the certificate and provider (say, hosting.example.net) wishes to limit its liability and
private key for the tenant (say, example.com) and the tenant wishes therefore does not wish to hold the certificate and private key for
to improve the security of the service and therefore does not wish to the tenant (say, example.com) and the tenant wishes to improve the
share its certificate and private key with service provider. As a security of the service and therefore does not wish to share its
result, server-to-server communications to example.com go unencrypted certificate and private key with service provider. As a result,
or the communications are TLS-encrypted but the certificates are not server-to-server communications to example.com go unencrypted or the
checked (which is functionally equivalent to a connection using an communications are TLS-encrypted but the certificates are not checked
anonymous key exchange). This is also true of client-to-server (which is functionally equivalent to a connection using an anonymous
communications, forcing end users to override certificate warnings or key exchange). This is also true of client-to-server communications,
configure their clients to accept certificates for forcing end users to override certificate warnings or configure their
hosting.example.net instead of example.com. The fundamental problem clients to accept certificates for hosting.example.net instead of
here is that if DNSSEC is not used then the act of delegation via DNS example.com. The fundamental problem here is that if DNSSEC is not
SRV records is inherently insecure. used then the act of delegation via DNS SRV records is inherently
insecure.
The specification for use of SRV and MX records with DANE The specification for use of SRV records with DANE
[I-D.ietf-dane-srv] explains how to use DNSSEC for secure delegation [I-D.ietf-dane-srv] explains how to use DNSSEC for secure delegation
with the DANE prooftype, and the POSH specification with the DANE prooftype, and the POSH specification
[I-D.ietf-xmpp-posh] explains how to use HTTPS redirects for secure [I-D.ietf-xmpp-posh] explains how to use HTTPS redirects for secure
delegation with the POSH prooftype. delegation with the POSH prooftype.
7. Prooftype Model 7. Prooftype Model
In general, a domain name association (DNA) prooftype conforms to the In general, a domain name association (DNA) prooftype conforms to the
following definition: following definition:
prooftype: A mechanism for proving an association between a domain prooftype: A mechanism for proving an association between a domain
name and an XML stream, where the mechanism defines (1) the nature name and an XML stream, where the mechanism defines (1) the nature
of the server's proof, (2) the matching rules for comparing the of the server's proof, (2) the matching rules for comparing the
client's verification material against the server's proof, (3) how client's verification material against the server's proof, (3) how
the client obtains its verification material, and (4) whether the the client obtains its verification material, and (4) whether the
mechanism depends on secure DNS. mechanism depends on secure DNS.
The PKI, DANE, and POSH prooftypes adhere to this model. In The PKIX, DANE, and POSH prooftypes adhere to this model. In
addition, other prooftypes are possible (examples might include PGP addition, other prooftypes are possible (examples might include PGP
keys rather than PKIX certificates, or a token mechanism such as keys rather than PKIX certificates, or a token mechanism such as
Kerberos or OAuth). Kerberos or OAuth).
Some prooftypes depend on (or are enhanced by) secure DNS and thus Some prooftypes depend on (or are enhanced by) secure DNS and thus
also need to describe how they ensure secure delegation. also need to describe how they ensure secure delegation.
8. IANA Considerations 8. IANA Considerations
The POSH specification [I-D.ietf-xmpp-posh] provides guidelines for The POSH specification [I-D.ietf-xmpp-posh] provides guidelines for
skipping to change at page 15, line 25 skipping to change at page 15, line 37
considerations can also be found in [I-D.ietf-dane-srv] and considerations can also be found in [I-D.ietf-dane-srv] and
[I-D.ietf-xmpp-posh]. [I-D.ietf-xmpp-posh].
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-dane-srv] [I-D.ietf-dane-srv]
Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
Based Authentication of Named Entities (DANE) TLSA records Based Authentication of Named Entities (DANE) TLSA records
with SRV and MX records.", draft-ietf-dane-srv-06 (work in with SRV and MX records.", draft-ietf-dane-srv-07 (work in
progress), June 2014. progress), July 2014.
[I-D.ietf-xmpp-posh] [I-D.ietf-xmpp-posh]
Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP
(POSH)", draft-ietf-xmpp-posh-01 (work in progress), June (POSH)", draft-ietf-xmpp-posh-02 (work in progress),
2014. October 2014.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
skipping to change at page 16, line 27 skipping to change at page 16, line 38
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011. Security (TLS)", RFC 6125, March 2011.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS) of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012. Protocol: TLSA", RFC 6698, August 2012.
[RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
Conversations about DNS-Based Authentication of Named
Entities (DANE)", RFC 7218, April 2014.
[XEP-0220] [XEP-0220]
Miller, J., Saint-Andre, P., and P. Hancke, "Server Miller, J., Saint-Andre, P., and P. Hancke, "Server
Dialback", XSF XEP 0220, September 2013. Dialback", XSF XEP 0220, September 2013.
10.2. Informative References 10.2. Informative References
[RFC2142] Crocker, D., "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND [RFC2142] Crocker, D., "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND
FUNCTIONS", RFC 2142, May 1997. FUNCTIONS", RFC 2142, May 1997.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
skipping to change at page 17, line 9 skipping to change at page 17, line 21
Server Connections", XSF XEP 0288, September 2013. Server Connections", XSF XEP 0288, September 2013.
Appendix A. Acknowledgements Appendix A. Acknowledgements
Thanks to Philipp Hancke for his feedback. Thanks to Philipp Hancke for his feedback.
Authors' Addresses Authors' Addresses
Peter Saint-Andre Peter Saint-Andre
&yet &yet
P.O. Box 787
Parker, CO 80134
USA
Email: peter@andyet.com Email: peter@andyet.com
URI: https://andyet.com/
Matthew Miller Matthew Miller
Cisco Systems, Inc. Cisco Systems, Inc.
1899 Wynkoop Street, Suite 600 1899 Wynkoop Street, Suite 600
Denver, CO 80202 Denver, CO 80202
USA USA
Email: mamille2@cisco.com Email: mamille2@cisco.com
 End of changes. 32 change blocks. 
83 lines changed or deleted 99 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/