draft-ietf-dnsext-rfc2538bis-07.txt (old, marked "-07") versus draft-ietf-dnsext-rfc2538bis-08.txt (new, marked "-08"); lines that are identical in both versions are shown once, changed lines are shown as an -07/-08 pair.

Network Working Group                                       S. Josefsson
Obsoletes: 2538 (if approved)
   -07: Expires: March 27, 2006
   -08: Expires: April 2, 2006

          Storing Certificates in the Domain Name System (DNS)
   -07: draft-ietf-dnsext-rfc2538bis-07
   -08: draft-ietf-dnsext-rfc2538bis-08

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
skipping to change at page 1, line 34

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   -07: This Internet-Draft will expire on March 27, 2006.
   -08: This Internet-Draft will expire on April 2, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   Cryptographic public keys are frequently published and their
   authenticity demonstrated by certificates.  A CERT resource record
   (RR) is defined so that such certificates and related certificate
skipping to change at page 4, line 36

               0            reserved
               1  PKIX      X.509 as per PKIX
               2  SPKI      SPKI certificate
               3  PGP       OpenPGP packet
               4  IPKIX     The URL of an X.509 data object
               5  ISPKI     The URL of an SPKI certificate
               6  IPGP      The URL of an OpenPGP packet
           7-252            available for IANA assignment
             253  URI       URI private
             254  OID       OID private
   -07:  255-65534          available for IANA assignment
   -08:  255-65023          available for IANA assignment
   -08:  65024-65534        experimental
           65535            reserved

   The PKIX type is reserved to indicate an X.509 certificate conforming
   to the profile defined by the IETF PKIX working group [9].  The
   certificate section will start with a one-byte unsigned OID length
   and then an X.500 OID indicating the nature of the remainder of the
   certificate section (see 2.3 below).  (NOTE: X.509 certificates do
   not include their X.500 directory type designating OID as a prefix.)

   The SPKI type is reserved to indicate the SPKI certificate format
skipping to change at page 11, line 13

   Donald Eastlake 3rd and Olafur Gudmundsson.

6.  Acknowledgements

   Thanks to David Shaw and Michael Graff for their contributions to
   earlier works that motivated, and served as inspiration for, this
   document.

   -07: This document was improved by suggestions and comments from Olivier
   -07: Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis,
   -07: Douglas Otis, Marcos Sanz, Jason Sloderbeck, Samuel Weiler, and
   -07: Florian Weimer.  No doubt the list is incomplete.  We apologize to
   -07: anyone we left out.
   -08: This document was improved by suggestions and comments from Olivier
   -08: Dubuisson, Peter Koch, Olaf M. Kolkman, Ben Laurie, Edward Lewis,
   -08: Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel
   -08: Weiler, and Florian Weimer.  No doubt the list is incomplete.  We
   -08: apologize to anyone we left out.

7.  Security Considerations

   By definition, certificates contain their own authenticating
   signature.  Thus, it is reasonable to store certificates in
   non-secure DNS zones or to retrieve certificates from DNS with DNS
   security checking not implemented or deferred for efficiency.  The
   results may be trusted if the certificate chain is verified back to a
   known trusted key and this conforms with the user's security policy.
skipping to change at page 12, line 5

   If DNSSEC is used, then the non-existence of a CERT RR and,
   consequently, certificates or revocation lists can be securely
   asserted.  Without DNSSEC, this is not possible.

8.  IANA Considerations

   IANA needs to create a new registry for CERT RR, certificate types.
   The initial contents of this registry is:

   -07 table:

             0              reserved
             1      PKIX    X.509 as per PKIX
             2      SPKI    SPKI certificate
             3      PGP     OpenPGP packet
             4      IPKIX   The URL of an X.509 data object
             5      ISPKI   The URL of an SPKI certificate
             6      IPGP    The URL of an OpenPGP packet
         7-252              available for IANA assignment
                            by IETF Standards action
           253      URI     URI private
           254      OID     OID private
     255-65023              available for IANA assignment
                            by IETF Consensus.
   65024-65534              experimental
         65535              reserved

   -08 table:

   [[RFC Editor: Replace xxxx below with the number of this RFC.]]

   Decimal      Type    Meaning                            Reference
   -------      ----    -------                            ---------
             0              Reserved                           RFC xxxx
             1      PKIX    X.509 as per PKIX                  RFC xxxx
             2      SPKI    SPKI certificate                   RFC xxxx
             3      PGP     OpenPGP packet                     RFC xxxx
             4      IPKIX   The URL of an X.509 data object    RFC xxxx
             5      ISPKI   The URL of an SPKI certificate     RFC xxxx
             6      IPGP    The URL of an OpenPGP packet       RFC xxxx
         7-252              Available for IANA assignment
                            by IETF Standards action
           253      URI     URI private                        RFC xxxx
           254      OID     OID private                        RFC xxxx
     255-65023              Available for IANA assignment
                            by IETF Consensus
   65024-65534              Experimental                       RFC xxxx
         65535              Reserved                           RFC xxxx

   Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
   only be assigned by an IETF standards action [7].  This document
   assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE.  Certificate
   types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
   based on RFC documentation of the certificate type.  The availability
   of private types under 0x00FD and 0x00FE ought to satisfy most
   requirements for proprietary or private types.

   The CERT RR reuses the DNS Security Algorithm Numbers registry.  In
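Review bot: the hex ranges in the registration-policy paragraph following the table do not match the table's own boundaries, in either the -07 or the -08 column. The table places 255 (0x00FF) in the "255-65023, IETF Consensus" range and 65024-65534 (0xFE00-0xFFFE) under Experimental, while the paragraph states that 0x0000 through 0x00FF and 0xFF00 through 0xFFFF are assignable only by IETF standards action and that 0x0100 through 0xFEFF go through IETF Consensus; an implementer checking type 255 or a type in 0xFE00-0xFEFF therefore gets a different policy depending on which text is read. Suggest restating the paragraph in the table's terms (Standards Action for 0x0007-0x00FC, IETF Consensus for 0x00FF-0xFDFF, Experimental for 0xFE00-0xFFFE), or moving the table boundaries to the paragraph's, and adding one sentence on how a consumer is expected to treat a CERT RR carrying an Experimental type value, since the -08 change introduces that row into the section 2 table as well without defining its handling.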
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/