PKI-Authenticated Certificate Discovery Using DANE TLSA records
draft-wilson-dane-pkix-cd-00

Document Type Active Internet-Draft (individual)
Authors Ash Wilson  , Shumon Huque 
Last updated 2021-03-08
Stream (None)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet Engineering Task Force                                A. Wilson
Internet-Draft                                                  Valimail
Updates: 6698, 7671 (if approved)                               S. Huque
Intended status: Standards Track                              Salesforce
Expires: 9 September 2021                                   8 March 2021

    PKI-Authenticated Certificate Discovery Using DANE TLSA records
                      draft-wilson-dane-pkix-cd-00

Abstract

   The DNS-Based Authentication of Named Entities (DANE) TLSA
   specification [RFC6698] and The DNS-Based Authentication of Named
   Entities (DANE) Protocol: Updates and Operational Guidance [RFC7671]
   describe how to publish Transport Layer Security (TLS) server
   certificates or public keys in the DNS.  This document updates
   [RFC6698] and [RFC7671].  It describes how to use the TLSA record to
   enable entity and CA certificate discovery for object security and
   trust chain discovery use cases, and how to use PKIX validation for
   TLSA records queried without the benefit of DNSSEC.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 9 September 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

Wilson & Huque          Expires 9 September 2021                [Page 1]
Internet-Draft       DANE PKIX Certificate Discovery          March 2021

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Background and Motivation . . . . . . . . . . . . . . . . . .   2
     1.1.  Background  . . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  Motivation  . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Authentication Model  . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Object Signing And Encryption . . . . . . . . . . . . . .   3
     3.2.  Trust Anchors . . . . . . . . . . . . . . . . . . . . . .   3
     3.3.  Trust Model For DNS-Based Identities  . . . . . . . . . .   4
     3.4.  DNS Naming Convention Or Labeling Format  . . . . . . . .   4
     3.5.  Trust Anchor Discovery  . . . . . . . . . . . . . . . . .   5
   4.  Update to DANE  . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  PKIX Constraints  . . . . . . . . . . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Background and Motivation

1.1.  Background

   A digital identity consists of at least two essential elements: a
   name, and a method for proving ownership of the name.  Digital
   identities are often represented using X.509 certificates [RFC5280],
   which bind a name to a public key under a certificate authority's
   signature.  This allows all entities which trust the certificate
   authority to trust that the public key associated with the name in
   the certificate is authentic and unaltered.  The public key may be
   used for authentication, in the establishment of a secure session
   between two entities using a protocol like TLS or DTLS.  The public
   key in the certificate may also be used to provide object security
   mechanisms like cryptographic signature verification or payload
   encryption.  The certificate discovery process for object security
   usually relies on either in-band transmission of the certificate by
   the sender (IEEE 802.11p DSRC), or out-of-band via a proprietary API
   presented by the certificate authority.

Show full document text