Using a DNS SRV Record to Locate an X.509 Certificate Store
draft-bhjl-x509-srv-01
The information below is for an old version of the document.
Document type: Active Internet-Draft (individual)
Authors: Brian Haberman, John Levine
Last updated: 2016-07-19
Stream: (None)
Intended RFC status: (None)
IESG state: I-D Exists
Responsible AD: (None)
Network Working Group                                        B. Haberman
Internet-Draft                                                   JHU APL
Intended status: Standards Track                               J. Levine
Expires: January 20, 2017                           Taughannock Networks
                                                           July 19, 2016
Using a DNS SRV Record to Locate an X.509 Certificate Store
draft-bhjl-x509-srv-01
Abstract
This document describes a method to allow parties to locate X.509
certificate stores with Domain Name System Service records in order
to retrieve certificates and certificate revocation lists. The
primary purpose of such retrievals is to facilitate the association
of X.509 and PGP public keys with e-mail addresses to allow for
encrypted e-mail exchanges.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 20, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Service Record Format . . . . . . . . . . . . . . . . . . . . 2
3. Certificate Store Queries . . . . . . . . . . . . . . . . . . 3
4. Name Matching . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Certificate Validation . . . . . . . . . . . . . . . . . . . 4
6. Certificate use and caching . . . . . . . . . . . . . . . . 4
7. Security Considerations . . . . . . . . . . . . . . . . . . . 5
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
8.1. Certificates service . . . . . . . . . . . . . . . . . . 5
8.2. Smimeca service . . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
10. Normative References . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
X.509 and PGP public keys can be used to encrypt or sign e-mail
messages. In order to verify a sender's signature or encrypt an
e-mail, the e-mail client needs to locate the appropriate public key.
The X.509-based Public Key Infrastructure (PKI) [RFC5280] provides
the necessary services to allow for the retrieval of certificates and
certificate revocation lists, but lacks the discovery mechanism
needed to associate e-mail domains with specific PKI servers.
This document specifies an approach that uses a Domain Name System
(DNS) Service Record (SRV) that allows mail service providers to
advertise the X.509 or PGP certificate store [RFC4387] that contains
certificates and certificate revocation lists for their e-mail users.
Additionally, this document specifies the appropriate query strings
to use when accessing the certificate store.
The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
2. Service Record Format
The general format of a DNS SRV record is documented in [RFC2782] as:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
To support the advertisement of an X.509 certificate store, service
providers will construct an SRV record with the appropriate
parameters, as described in [RFC4387], section 3.2. An example of
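As an added illustration (not code from the draft or from RFC 4387), the following Python derives the SRV owner name for a mailbox's domain, parses SRV records in the presentation format shown above, and orders the candidate stores the way RFC 2782 requires, skipping a target of "." (the explicit "service not offered" marker). The "_tcp" protocol label, the helper names and the sample zone data are assumptions made for this example.

```python
import random
import re
from collections import namedtuple
# "_certificates" is the service label of section 8.1 of the draft; "_tcp" is assumed
# here as the protocol label. Presentation format from section 2 of the draft:
#   owner [TTL] [class] SRV Priority Weight Port Target
SERVICE, PROTO = "_certificates", "_tcp"
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
SrvRecord = namedtuple("SrvRecord", "priority weight port target")
def srv_owner_name(email):
    """user@Example.com -> '_certificates._tcp.example.com.' (the name the client queries)."""
    local, at, domain = email.rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an e-mail address: %r" % email)
    return "%s.%s.%s." % (SERVICE, PROTO, domain.rstrip(".").lower())
def parse_srv_rrset(zone_text):
    """Zone-file SRV lines -> {owner: [SrvRecord, ...]}; non-SRV lines are ignored."""
    rrset = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            rec = SrvRecord(int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).lower())
            rrset.setdefault(m.group(1).lower(), []).append(rec)
    return rrset
def select_targets(records, rand=random.random):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority.
    A target of '.' means the service is explicitly not offered, so it is skipped."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio and r.target != "."]
        pool.sort(key=lambda r: r.weight != 0)  # RFC 2782: weight-0 entries go first
        while pool:
            pick = int(rand() * (sum(r.weight for r in pool) + 1))  # 0..sum, inclusive
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered
def locate_cert_store(email, zone_text, rand=random.random):
    """Return [(host, port), ...] to try, in order, for the mailbox's domain."""
    records = parse_srv_rrset(zone_text).get(srv_owner_name(email), [])
    return [(r.target, r.port) for r in select_targets(records, rand)]

# Constructed sample RRsets (not taken from the draft); example.com is a reserved example domain.
SAMPLE_ZONE = """\
_certificates._tcp.example.com. 3600 IN SRV 10 60 443 certs1.example.com.
_certificates._tcp.example.com. 3600 IN SRV 10 40 443 certs2.example.com.
_certificates._tcp.example.com. 3600 IN SRV 20 0 80 backup.example.com.
_certificates._tcp.nocerts.example. 3600 IN SRV 0 0 0 ."""
```

Injecting `rand` makes the weighted choice reproducible in tests; in production leave the default so load is spread across equal-priority stores.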