Network Working Group A. Newton
Internet-Draft VeriSign, Inc.
Expires: April 23, 2004 October 24, 2003
IRIS - Using the Internet Registry Information Service (IRIS) over
the Blocks Extensible Exchange Protocol (BEEP)
draft-ietf-crisp-iris-beep-04
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 23, 2004.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document specifies how to use the Blocks Extensible Exchange
Protocol (BEEP) as the application transport substrate for the
Internet Registry Information Service (IRIS).
Newton Expires April 23, 2004 [Page 1]
Internet-Draft iris-beep October 2003
Table of Contents
1. Introduction and Motivations . . . . . . . . . . . . . . . . . 3
2. Document Terminology . . . . . . . . . . . . . . . . . . . . . 4
3. BEEP Profile Identification . . . . . . . . . . . . . . . . . 5
4. IRIS Message Packages . . . . . . . . . . . . . . . . . . . . 6
5. IRIS Message Patterns . . . . . . . . . . . . . . . . . . . . 7
5.1 Registry Dependent Patterns . . . . . . . . . . . . . . . . . 7
5.2 Default Pattern . . . . . . . . . . . . . . . . . . . . . . . 7
6. Server Authentication Methods . . . . . . . . . . . . . . . . 8
6.1 Registry Dependent Methods . . . . . . . . . . . . . . . . . . 8
6.2 Default Authentication Method . . . . . . . . . . . . . . . . 8
7. IRIS Transport Mapping Definitions . . . . . . . . . . . . . . 9
7.1 URI Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2 Application Protocol Label . . . . . . . . . . . . . . . . . . 9
7.3 BEEP Mapping . . . . . . . . . . . . . . . . . . . . . . . . . 9
8. Registrations . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1 BEEP Profile Registration . . . . . . . . . . . . . . . . . . 10
8.2 URI Scheme Registration . . . . . . . . . . . . . . . . . . . 10
8.3 Well-known TCP Port Registration . . . . . . . . . . . . . . . 10
8.4 NAPSTR Registration . . . . . . . . . . . . . . . . . . . . . 11
9. Registry Definition Checklist . . . . . . . . . . . . . . . . 12
10. Internationalization Considerations . . . . . . . . . . . . . 13
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
12. Security Considerations . . . . . . . . . . . . . . . . . . . 15
References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . 18
Newton Expires April 23, 2004 [Page 2]
Internet-Draft iris-beep October 2003
1. Introduction and Motivations
The proposal in this document describes the IRIS [9] application
transport binding using BEEP [2]. Requirements for IRIS and the
specification in this document are outlined in CRISP [15].
The choice of BEEP as the transport substrate is primarily driven by
the need to re-use an existing, well-understood protocol with all the
necessary features to support the requirements. This gives
implementers a wealth of toolkits and debugging gear for use in
constructing both servers and clients and allows operators to apply
existing experience in issues of deployment. It is also felt that
the construction of a simple application transport for the specific
purpose of IRIS would yield a similar, though likely smaller and
probably less complete, standard after taking into consideration such
matters as framing, authentication, etc.
Precedents for using other transport mechanisms in layered
applications do not seem to fit with the design goals of IRIS. HTTP
[6] offers many features employed for use by similar applications.
However, it is not the intention of IRIS to be put to such uses as
by-passing fire-walls, co-mingling URI schemes, or any other such
methods which might lead to confusion between IRIS and traditional
World Wide Webb applications. Beyond adhering to the guidelines
spelled out in RFC3205 [7], the use of HTTP also offers many other
challenges that quickly erode its appeal. For example, the
appropriate use of TLS [5] with HTTP is defined by RFC2817 [4], but
the common use as described in RFC2818 [11] is usually the only
method in most implementations.
Finally, the straight use of TCP such as that specified by EPP-TCP
[10] does not offer the client negotiation characteristics needed by
a referral application where a single client, in the act of
processing a query, may traverse multiple servers operating with
different parameters.
Newton Expires April 23, 2004 [Page 3]
Internet-Draft iris-beep October 2003
2. Document Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [8].
Newton Expires April 23, 2004 [Page 4]
Internet-Draft iris-beep October 2003
3. BEEP Profile Identification
The BEEP profile identifier for IRIS is a URI composed of the IRIS
schema URN, followed by a slash, followed by an IRIS registry type
(which is a URN).
Since the IRIS schema URN is compliant with XML_URN [17], it may be
abbreviated according to the rules of IRIS. To simplify matters, it
MUST be abbreviated in the use of this profile identifier.
The registry type URN maybe abbreviated according to the rules of
IRIS (see [9]). To simplify matters, it MUST be abbreviated in the
use of this profile identifier.
The following is an example of an IRIS profile identifier for BEEP.
It identifies the version of IRIS to match that specified by
"urn:iana:params:xml:ns:iris1" with a registry type URN of
"urn:iana:params:xml:ns:dreg1".
http://iana.org/beep/transient/crisp/iris1/dreg1
The full ABNF [13] with certain values included from IRIS [9]
follows.
profile = profile-uri "/" iris-urn "/" registry-urn
profile-uri = "http://iana.org/beep/transient/crisp/"
iris-urn = // as specified by IRIS
registry-urn = // as specified by IRIS
This URI is used in the "profile" element in BEEP during channel
creation. According to the rules of BEEP, multiple "profile"
elements may be offered thus allowing for a negotiation of the
version of IRIS to be used for every registry type being served.
Once this profile is accepted and the channel is created, the state
of the channel is considered ready to exchange IRIS messages.
Newton Expires April 23, 2004 [Page 5]
Internet-Draft iris-beep October 2003
4. IRIS Message Packages
The BEEP profile for IRIS transmits XML [1] containing the requests
and responses for IRIS registries. These XML instances MUST be
encoded as UTF-8 [14] using the media-type of "application/xml"
according to RFC3023 [18]. A registry type MAY define other message
packages that are not IRIS XML instances (e.g. binary images
referenced by an IRIS response).
Newton Expires April 23, 2004 [Page 6]
Internet-Draft iris-beep October 2003
5. IRIS Message Patterns
5.1 Registry Dependent Patterns
Because each registry type is defined by a separate BEEP profile,
each registry type MAY define a separate message pattern. These
patterns MUST be within the allowable scope of BEEP [2]. If a
registry type does not explicitly define a message pattern, the
default pattern is used (see Section 5.2
However, each registry type MUST be capable of supporting the default
pattern (Section 5.2) for use with the <lookupEntity> query in IRIS.
5.2 Default Pattern
The default BEEP profile for IRIS only has a one-to-one request/
response message pattern. This exchange involves sending an IRIS XML
instance, which results in a response of an IRIS XML instance.
The request is sent by the client using an "MSG" message containing a
valid IRIS XML instance. The server responds with an "RPY" message
containing a valid IRIS XML instance. The "ERR" message is used for
sending fault codes. The list of allowable fault codes is listed in
BEEP [2].
Newton Expires April 23, 2004 [Page 7]
Internet-Draft iris-beep October 2003
6. Server Authentication Methods
6.1 Registry Dependent Methods
When using the TLS [5] tuning profile in BEEP, it is possible to
verify the authenticity of the server. However, a convention is
needed to conduct this authentication. This convention dictates the
name of the authority used by a client to ask for authentication
credentials so that the server knows which set of credentials to pass
back. Because this is dependent on the authority component of the
URI, each registry type must define a server authentication method.
If a registry type does not explicitly define a server authentication
method, the default method is used (see Section 6.2.
6.2 Default Authentication Method
The default server authentication method is as follows:
1. When connecting to a server, the client MUST present the name of
the authority to the server using the BEEP [2] serverName
mechanism. For instance, if the URI "iris:com/dreg/domain/
example.com" is being resolved, the client would use the
serverName="com" attribute during the BEEP session instantiation.
2. During TLS negotiation, the server presents to the client a
certificate for the authority given in serverName. This
certificate MUST be an X509 [16] certificate. This certificate
MUST contain the authority in either the subjectDN or the
subjectAltName extension of type dNSName.
3. The certificate MUST cryptographically verify according to the
procedures of TLS.
4. The client then checks the content of the subjectDN or dNSName.
Matching for both the types is case insensitive. A wildcard
character ('*') MAY be used as the left-most component of the
name. If more than one dNSName is present, a match on any one is
acceptable.
Newton Expires April 23, 2004 [Page 8]
Internet-Draft iris-beep October 2003
7. IRIS Transport Mapping Definitions
This section lists the definitions required by IRIS [9] for transport
mappings.
7.1 URI Scheme
The URI scheme name specific to BEEP over IRIS MUST be "iris.beep".
7.2 Application Protocol Label
The application protocol label MUST be "iris.beep".
7.3 BEEP Mapping
The mapping of IRIS in this document is specific to RFC 3080 [2].
This mapping MUST use TCP as specified by RFC 3081 [3].
Newton Expires April 23, 2004 [Page 9]
Internet-Draft iris-beep October 2003
8. Registrations
8.1 BEEP Profile Registration
Profile Identification: http://iana.org/beep/transient/crisp/iris/0.2
Messages exchanged during Channel Creation: none
Messages starting one-to-one exchanges: IRIS XML instance
Messages in positive replies: IRIS XML instance
Messages in negative replies: none
Messages in one-to-many exchanges: none
Message Syntax: IRIS XML instances as defined by IRIS [9].
Message Semantics: request/response exchanges as defined by IRIS [9].
Contact Information: Andrew Newton <anewton@ecotroph.net>
8.2 URI Scheme Registration
URL scheme name: iris.beep
URL scheme syntax: defined in Section 7.1 and [9].
Character encoding considerations: as defined in RFC2396 [12].
Intended usage: identifies an IRIS entity made available using the
BEEP profile for IRIS
Applications using this scheme: defined in IRIS [9].
Interoperability considerations: n/a
Security Considerations: defined in Section 12.
Relevant Publications: BEEP [2] and IRIS [9].
Contact Information: Andrew Newton <anewton@ecotroph.net>
Author/Change controller: the IESG
8.3 Well-known TCP Port Registration
Protocol Number: TCP
Newton Expires April 23, 2004 [Page 10]
Internet-Draft iris-beep October 2003
Message Formats, Types, Opcodes, and Sequences: defined in Section 3,
Section 4, and Section 5.
Functions: defined in IRIS [9].
Use of Broadcast/Multicast: none
Proposed Name: IRIS over BEEP
Short name: iris.beep
Contact Information: Andrew Newton <anewton@ecotroph.net>
8.4 NAPSTR Registration
Application Protocol Label: iris.beep
Intended usage: identifies an IRIS server using BEEP
Interoperability considerations: n/a
Security Considerations: defined in Section 12.
Relevant Publications: BEEP [2] and IRIS [9].
Contact Information: Andrew Newton <anewton@ecotroph.net>
Author/Change controller: the IESG
Newton Expires April 23, 2004 [Page 11]
Internet-Draft iris-beep October 2003
9. Registry Definition Checklist
Specifications of registry types MUST include the following explicit
definitions:
o message pattern - A definition of the message pattern for use with
BEEP or a declaration to use the default message pattern in
Section 5.2.
o server authentication method - A definition of the method to use
for server authentication with TLS or a declaration to use the
default server authentication method in Section 6.2.
Newton Expires April 23, 2004 [Page 12]
Internet-Draft iris-beep October 2003
10. Internationalization Considerations
IRIS XML instances using this transport MUST use UTF-8. See Section
5.
Newton Expires April 23, 2004 [Page 13]
Internet-Draft iris-beep October 2003
11. IANA Considerations
Registrations with the IANA are described in Section 8.
Newton Expires April 23, 2004 [Page 14]
Internet-Draft iris-beep October 2003
12. Security Considerations
Implementers should be fully aware of the security considerations
given by IRIS [9], BEEP [2], and TLS [5]. With respect to server
authentication with the use of TLS, see .
Clients SHOULD be prepared to use the following BEEP tuning profiles:
o http://iana.org/beep/SASL/DIGEST-MD5 - for user authentication
without the need of session encryption.
o http://iana.org/beep/SASL/OTP - for user authentication without
the need of session encryption.
o http://iana.org/beep/TLS using the TLS_RSA_WITH_3DES_EDE_CBC_SHA
cipher - for encryption.
o http://iana.org/beep/TLS using the TLS_RSA_WITH_3DES_EDE_CBC_SHA
cipher with client-side certificates - for encryption and user
authentication.
Anonymous client access should be considered in one of two methods:
1. When no authentication tuning profile has been used.
2. Using the SASL anonymous profile: http://iana.org/beep/SASL/
ANONYMOUS
IRIS contains a referral mechanism as a standard course of operation.
However, care should be taken that user authentication mechanisms do
not hand user credentials to untrusted servers. Therefore, clients
SHOULD NOT use the http://iana.org/beep/SASL/PLAIN tuning profile.
Newton Expires April 23, 2004 [Page 15]
Internet-Draft iris-beep October 2003
References
[1] World Wide Web Consortium, "Extensible Markup Language (XML)
1.0", W3C XML, February 1998, <http://www.w3.org/TR/1998/
REC-xml-19980210>.
[2] Rose, M., "The Blocks Extensible Exchange Protocol Core", RFC
3080, March 2001.
[3] Rose, M., "Mapping the BEEP Core onto TCP", RFC 3081, March
2001.
[4] Khare, R. and S. Lawrence, "Upgrading to TLS Within HTTP/1.1",
RFC 2817, May 2000.
[5] Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A. and
P. Kocher, "The TLS Protocol Version 1.0", RFC 2246, January
1999.
[6] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L.,
Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", RFC 2616, June 1999.
[7] Moore, K., "On the use of HTTP as a Substrate", BCP 56, RFC
3205, February 2002.
[8] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, BCP 14, March 1997.
[9] Newton, A., "Internet Registry Information Service",
draft-ietf-crisp-iris-core-01 (work in progress), November
2002.
[10] Hollenbeck, S., "EPP TCP Transport", Internet Draft, a work
in-progress., January 2002.
[11] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[12] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 2396, August
1998.
[13] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[14] The Unicode Consortium, "The Unicode Standard, Version 2.0",
ISBN 0-201-48345-9 ISBN 0-201-48345-9, January 1988, <The
Unicode Standard, Version 2.0>.
Newton Expires April 23, 2004 [Page 16]
Internet-Draft iris-beep October 2003
[15] Newton, A., "Cross Registry Internet Service Protocol (CRISP)
Requirements", draft-ietf-crisp-requirements-02 (work in
progress), October 2002.
[16] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and CRL Profile", RFC
2459, January 1999.
[17] Mealling, M., "The IETF XML Registry",
draft-mealling-iana-xmlns-registry-04 (work in progress), July
2002.
[18] Murata, M., St.Laurent, S. and D. Kohn, "XML Media Types", RFC
3023, January 2001.
[19] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
Author's Address
Andrew L. Newton
VeriSign, Inc.
21345 Ridgetop Circle
Sterling, VA 20166
USA
Phone: +1 703 948 3382
EMail: anewton@verisignlabs.com; anewton@ecotroph.net
URI: http://www.verisignlabs.com/
Newton Expires April 23, 2004 [Page 17]
Internet-Draft iris-beep October 2003
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Newton Expires April 23, 2004 [Page 18]
Internet-Draft iris-beep October 2003
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Newton Expires April 23, 2004 [Page 19]