Technical Summary
This document specifies how to use the existing X.509 certificate
Subject Alternative Name extension (with the otherName syntax) to
carry a reference to a DNS SRV record. The intent is to link a
certificate to the service named in the DNS record.
The document notes that the problem being solved here is not the
typical server authentication problem. Instead, an authorization
problem is being solved. The question being answered here is whether
the server that holds the private key is authorized to provide a
particular service. This mechanism fills a gap that would otherwise
exist if the server were provisioned with a typical server certificate
that attests only to the name of the server. A server holding a
certificate with this extension has been certified by the issuer of
the certificate to offer the service expressed in the corresponding
SRV RR. The example cited in the document is that of a Kerberos
server (e.g., a KDC).
When DNSSEC is fully deployed, this extension may not be needed, as
signed DNS records (SRV RRs and others) should be able to provide the
same form of authentic authorization information. (This extension
does not compete with DNSSEC, since the only binding it provides is
to SRV RRs, a subset of overall DNSSEC functionality.)
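As an added illustration (not code from the document or the RFC it describes), the following Python builds a SubjectAltName value carrying the SRVName otherName described above and then performs the authorization check a relying party would make: does the certificate name the service behind a given SRV owner name? It assumes the id-on-dnsSRV OID 1.3.6.1.5.5.7.8.7 and the "_Service.Name" SRVName form as specified in RFC 4985, and uses a minimal hand-written DER encoder/decoder so it runs with the standard library only.

```python
# Assumed from RFC 4985: id-on-dnsSRV = 1.3.6.1.5.5.7.8.7, SRVName is an IA5String "_Service.Name".
ID_ON_DNSSRV = bytes.fromhex("2b06010505070807")  # DER content octets of the OID above

def der(tag, body):
    """Minimal DER TLV encoder (lengths up to 65535)."""
    n = len(body)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body

def srv_name(name):
    # GeneralName otherName is [0] IMPLICIT, so the SEQUENCE tag becomes 0xA0;
    # inside: type-id OID, then value [0] EXPLICIT wrapping the IA5String.
    return der(0xA0, der(0x06, ID_ON_DNSSRV) + der(0xA0, der(0x16, name.encode("ascii"))))

def dns_name(name):
    return der(0x82, name.encode("ascii"))  # dNSName is [2] IMPLICIT IA5String

def san(*general_names):
    return der(0x30, b"".join(general_names))  # SubjectAltName ::= SEQUENCE OF GeneralName

def tlvs(data):
    """Yield (tag, content) pairs from a DER byte string; rejects truncated input."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + n]
        i += n

def srv_names(san_der):
    """Extract every SRVName string from a DER-encoded SubjectAltName value."""
    ((tag, body),) = tlvs(san_der)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out = []
    for tag, gn in tlvs(body):
        if tag != 0xA0:          # only otherName entries can carry an SRVName
            continue
        (ttag, type_id), (vtag, value) = tlvs(gn)
        if ttag != 0x06 or type_id != ID_ON_DNSSRV or vtag != 0xA0:
            continue             # some other otherName type; ignore it
        ((stag, s),) = tlvs(value)
        if stag != 0x16:
            raise ValueError("SRVName value must be an IA5String")
        out.append(s.decode("ascii"))
    return out

def srv_owner_to_srvname(owner):
    """Map an SRV owner name _Service._Proto.Name to the SRVName form _Service.Name (protocol label dropped)."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("not an SRV owner name")
    return labels[0] + "." + ".".join(labels[2:])

def authorized_for(san_der, srv_owner):
    """True if the certificate's SAN asserts the service named by the SRV owner (case-insensitive DNS match)."""
    want = srv_owner_to_srvname(srv_owner).lower()
    return any(n.lower() == want for n in srv_names(san_der))
```

A plain dNSName for the host does not satisfy the check; only an SRVName otherName issued for the service does, which is the authorization gap the summary describes.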
Working Group Summary
The PKIX WG expressed consensus to advance the draft to Proposed
Standard.
Protocol Quality
This document was reviewed by Russ Housley for the IESG.