Network Working Group                                          S. Boeyen
Request for Comments: 4386                                  Entrust Inc.
Category: Experimental                                    P. Hallam-Baker
                                                           VeriSign Inc.
                                                           February 2006

           Internet X.509 Public Key Infrastructure
                  Repository Locator Service
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document defines a Public Key Infrastructure (PKI) repository
locator service. The service makes use of DNS SRV records defined in
accordance with RFC 2782. The service enables certificate-using
systems to locate PKI repositories.
Table of Contents
1. Overview ........................................................2
1.1. Conventions Used in This Document ..........................2
2. SRV RR Definition ...............................................2
2.1. Assignment of New Protocol Prefixes ........................3
2.2. Use of Multiple Repositories ...............................3
2.3. SRV RR Example .............................................3
3. Security Considerations .........................................4
4. IANA Considerations .............................................4
5. Informative References ..........................................4
Boeyen & Hallam-Baker Experimental [Page 1]
RFC 4386 PKIXREP February 2006
1. Overview
A number of RFCs (including [RFC2559], [RFC2560], and [RFC2585]) have
specified operational protocols for retrieval of PKI data, including
public-key certificates and revocation information, from PKI
repositories. These RFCs assume that a certificate-using system has
the information necessary to identify, locate, and connect to the PKI
repository with a specific protocol. Although some tools are
available in protocol-specific environments for this purpose, such as
knowledge references in directory systems, these are restricted for
use with a single protocol and do not share a common means of
publication. This document provides a solution to this problem
through the use of Service Record (SRV) Resource Records (RRs) in
DNS. This solution is expected to be particularly useful in
environments where only a domain name is available. In other
situations (e.g., where a certificate is available that contains the
required information), such a DNS lookup is not needed.
[RFC2782] defines a DNS RR for specifying the location of services
(SRV). This document defines SRV records for a PKI repository
locator service to enable PKI clients to obtain the necessary
information to connect to a domain's PKI repository, including
information about each protocol that is supported by that domain for
access to its repository. This document includes the definition of
an SRV RR format for this service and an example of its potential use
in an email environment.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
as shown) are to be interpreted as described in [RFC2119].
In examples, "C:" and "S:" indicate lines sent by the client and
server, respectively.
2. SRV RR Definition
The format of the SRV RR, whose DNS type code is 33, is:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
For the PKI repository locator service, this document uses the
symbolic name "PKIXREP". Note that when used in an SRV RR, this name
MUST be prepended with an "_" character.
The protocols that can be included in PKIXREP SRV RRs are:

      Protocol      SRV Prefix
      --------      ----------
      LDAP          _LDAP
      HTTP          _HTTP
      OCSP          _OCSP
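The following Python is an added illustration, not part of RFC 4386 and
not code from either author. It builds the owner name a client queries
for each protocol prefix listed above (_PKIXREP._LDAP.example.com and
so on), parses SRV RRs written in zone-file form, and orders the
answers the way RFC 2782 prescribes: lowest Priority first, then a
Weight-proportional random choice among records of equal priority. It
also handles the RFC 2782 convention that a Target of "." means the
service is decidedly not available at that domain. The zone lines,
hostnames and ports are constructed for the example; example.com is a
placeholder domain.

```python
import random
import re
from dataclasses import dataclass

# Protocol prefixes defined for the PKIXREP service (RFC 4386 section 2).
PKIXREP_PREFIXES = {"LDAP": "_LDAP", "HTTP": "_HTTP", "OCSP": "_OCSP"}

# Constructed sample zone data; not from any real domain.
SAMPLE_ZONE = (
    "_PKIXREP._LDAP.example.com. 3600 IN SRV 10 50 389 ldap1.example.com.",
    "_PKIXREP._LDAP.example.com. 3600 IN SRV 10 50 389 ldap2.example.com.",
    "_PKIXREP._LDAP.example.com. 3600 IN SRV 20  0 389 ldap-backup.example.com.",
    "_PKIXREP._HTTP.example.com. 3600 IN SRV  0  0  80 pki.example.com.",
    # Target "." is the RFC 2782 way of saying "no OCSP responder here".
    "_PKIXREP._OCSP.example.com. 3600 IN SRV  0  0  80 .",
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def pkixrep_owner_name(protocol: str, domain: str) -> str:
    """Owner name to query: _PKIXREP._<PROTO>.<domain>. (section 2)."""
    proto = protocol.upper()
    if proto not in PKIXREP_PREFIXES:
        raise ValueError(f"no PKIXREP prefix defined for {protocol!r}")
    return f"_PKIXREP.{PKIXREP_PREFIXES[proto]}.{domain.rstrip('.')}."


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one SRV RR in zone-file form; DNS names compare case-insensitively."""
    m = _SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV RR in zone-file form: {line!r}")
    return SrvRecord(m["owner"].lower(), int(m["ttl"]), int(m["priority"]),
                     int(m["weight"]), int(m["port"]), m["target"].lower())


def _order_same_priority(group, rng):
    """RFC 2782 weighted selection: weight-0 records first, then pick by running sum."""
    remaining = sorted(group, key=lambda r: r.weight != 0)
    ordered = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total)          # inclusive on both ends
        running = 0
        for rec in remaining:
            running += rec.weight
            if running >= pick:
                chosen = rec
                break
        ordered.append(chosen)
        remaining.remove(chosen)
    return ordered


def order_srv_targets(records, seed=None):
    """Try-order for a set of SRV answers: ascending priority, weighted within a priority."""
    rng = random.Random(seed)
    usable = [r for r in records if r.target != "."]   # "." = service not available
    by_priority = {}
    for rec in usable:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        ordered.extend(_order_same_priority(by_priority[prio], rng))
    return ordered


def locate_repository(zone_lines, protocol, domain, seed=None):
    """Return [(target, port), ...] in the order a PKI client should try them."""
    owner = pkixrep_owner_name(protocol, domain).lower()
    records = [parse_srv_line(l) for l in zone_lines if l.strip()]
    matching = [r for r in records if r.owner == owner]
    return [(r.target, r.port) for r in order_srv_targets(matching, seed)]


if __name__ == "__main__":
    for proto in PKIXREP_PREFIXES:
        print(proto, locate_repository(SAMPLE_ZONE, proto, "example.com", seed=1))
```

Note that the ordering is advisory only: SRV answers arrive over plain
DNS, so a client that relies on this lookup must still authenticate the
repository it connects to (or validate the certificates and revocation
data it retrieves) rather than trust the target name itself.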
2.1. Assignment of New Protocol Prefixes
Protocol prefix assignments for new PKIX repository protocols SHOULD
be defined in the document that specifies the protocol.