Network Working Group P. Hoffman
Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter
Expires: December 5, 2011 Kirei AB
June 3, 2011
Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-07
Abstract
TLS and DTLS use PKIX certificates for authenticating the server.
Users want their applications to verify that the certificate provided
by the TLS server is in fact associated with the domain name they
expect. TLSA provides bindings of keys to domains that are asserted
not by external entities, but by the entities that operate the DNS.
This document describes how to use secure DNS to associate the TLS
server's certificate with the intended domain name.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 5, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Hoffman & Schlyter Expires December 5, 2011 [Page 1]
Internet-Draft DNS Cert Linkage for TLS June 2011
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Certificate Associations . . . . . . . . . . . . . . . . . 3
1.2. Securing Certificate Associations . . . . . . . . . . . . 4
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 5
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 5
2.1.1. The Certificate Type Field . . . . . . . . . . . . . . 5
2.1.2. The Reference Type Field . . . . . . . . . . . . . . . 6
2.1.3. The Certificate for Association Field . . . . . . . . 6
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 6
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 7
3. Domain Names for TLS Certificate Associations . . . . . . . . 7
4. Semantics and Features of TLSA Certificate Types . . . . . . . 7
4.1. End Entity Certificate . . . . . . . . . . . . . . . . . . 8
4.2. Certification Authority Certificate . . . . . . . . . . . 8
4.3. Certificate Public Key . . . . . . . . . . . . . . . . . . 8
4.4. Use of TLS Certificate Associations in TLS . . . . . . . . 9
5. TLSA and Use Cases and Requirements . . . . . . . . . . . . . 10
6. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 11
7.2. TLSA Certificate Types . . . . . . . . . . . . . . . . . . 11
7.3. TLSA Hash Types . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
Hoffman & Schlyter Expires December 5, 2011 [Page 2]
Internet-Draft DNS Cert Linkage for TLS June 2011
1. Introduction
The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the
certificate, must trust a trust anchor upon which the server's
certificate is rooted, and must successfully validate the
certificate.
Some people want a different way to authenticate the association of
the server's certificate with the intended domain name without
trusting an external certificate authority (CA). Given that the DNS
administrator for a domain name is authorized to give identifying
information about the zone, it makes sense to allow that
administrator to also make an authoritative binding between the
domain name and a certificate that might be used by a host at that
domain name. The easiest way to do this is to use the DNS.
There are many use cases for such functionality. [DANEUSECASES]
lists the ones that the protocol in this document is meant to apply
to. [DANEUSECASES] also lists many requirements, most of which the
protocol in this document is believed to meet.
This document applies to both TLS [RFC5246] and DTLS [4347bis]. In
order to make the document more readable, it mostly only talks about
"TLS", but in all cases, it means "TLS or DTLS". This document only
relates to securely associating certificates for TLS and DTLS with
host names; other security protocols and other forms of
identification of TLS servers (such as IP addresses) are handled in
other documents. For example, keys for IPsec are covered in
[RFC4025] and keys for SSH are covered in [RFC4255].
1.1. Certificate Associations
In this document, a certificate association is based on a
cryptographic hash of a certificate (sometimes called a
"fingerprint"), a public key, or on the certificate itself. For a
fingerprint, a hash is taken of the binary, DER-encoded certificate
or public key, and that hash is the certificate association; the type
of hash function used can be chosen by the DNS administrator. When
using the certificate itself in the certificate association, the
entire certificate in the normal format is used. This document only
applies to PKIX [RFC5280] certificates.
Certificate associations are made between a certificate or public key
and a domain name. Server software that is running TLS that is found
Hoffman & Schlyter Expires December 5, 2011 [Page 3]
Internet-Draft DNS Cert Linkage for TLS June 2011
at that domain name would use a certificate that has a certificate
association given in the DNS, as described in this document. A DNS
query can return multiple certificate associations, such as in the
case of different server software on a single host using different
certificates, or in the case that a server is changing from one
certificate to another.
1.2. Securing Certificate Associations
This document defines a secure method to associate the certificate
that is obtained from the TLS server with a domain name using DNS;
the DNS information may need to be be protected by DNSSEC. Because
the certificate association was retrieved based on a DNS query, the
domain name in the query is by definition associated with the
certificate.
[[ IMPORTANT NOTE FOR THIS DRAFT: There is still confusing and likely
wrong wording about DNSSEC. The editors acknowledge that we have not
completely specified where DNSSEC is and is not needed. We solicit
wording that will make this clearer. ]]
DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033],
[RFC4034], and [RFC4035]), uses cryptographic keys and digital
signatures to provide authentication of DNS data. Information
retrieved from the DNS and that is validated using DNSSEC is thereby
proved to be the authoritative data. The DNSSEC signature MUST be
validated on all responses that use DNSSEC in order to assure the
proof of origin of the data. More detail is given in this document
when DNSSEC is and is not required for securing certificate
associations.
This document only relates to securely getting the DNS information
for the certificate association using DNSSEC; other secure DNS
mechanisms are out of scope.
1.3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
A note on terminology: Some people have said that this protocol is a
form of "certificate exclusion". This is true, but only in the sense
that a DNS reply that contains the certificate types defined here
inherently excludes every other possible certificate in the universe
(other than those found with a pre-image attack against one of those
two). The certificate type defined here is better thought of as
"enumeration" of a small number of certificate associations, not
Hoffman & Schlyter Expires December 5, 2011 [Page 4]
Internet-Draft DNS Cert Linkage for TLS June 2011
"exclusion" of a near-infinite number of other certificates.
2. The TLSA Resource Record
The TLSA DNS resource record (RR) is used to associate a certificate
with the domain name where the record is found. The semantics of how
the TLSA RR is interpreted are given later in this document.
The type value for the TLSA RR type is TBD.
The TLSA RR is class independent.
The TLSA RR has no special TTL requirements.
2.1. TLSA RDATA Wire Format
The RDATA for a TLSA RR consists of a one octet certificate type
field, a one octet reference type field and the certificate for
association field.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cert type | Ref type | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
/ /
/ Certificate for association /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2.1.1. The Certificate Type Field
A one-octet value, called "certificate type", specifying the provided
association that will be used to match the target certificate. This
will be an IANA registry in order to make it easier to add additional
certificate types in the future. The types defined in this document
are:
1 -- A PKIX certificate that identifies an end entity
2 -- A PKIX certification authority's certificate
3 -- A public key expressed as a PKIX SubjectPublicKeyInfo
structure
All three types are structured using the RFC 5280 formatting rules
and use the DER encoding.
Hoffman & Schlyter Expires December 5, 2011 [Page 5]
Internet-Draft DNS Cert Linkage for TLS June 2011
The three certificate types defined in this document explicitly only
apply to PKIX-formatted certificates. If TLS allows other formats
later, or if extensions to this protocol are made that accept other
formats for certificates, those certificates will need their own
certificate types.
2.1.2. The Reference Type Field
A one-octet value, called "reference type", specifying how the
certificate association is presented. This value is defined in a new
IANA registry. The types defined in this document are:
0 -- Full certificate
1 -- SHA-256 hash of the certificate
2 -- SHA-512 hash of the certificate
Using the same hash algorithm as is used in the signature in the
certificate will make it more likely that the TLS client will
understand this TLSA data.
2.1.3. The Certificate for Association Field
The "certificate for association". This is the bytes containing the
full certificate, SubjectPublicKeyInfo or the hash of the associated
certificate or SubjectPublicKeyInfo. For certificate types 1 and 2,
this is the certificate or the hash of the certificate itself, not of
the TLS ASN.1Cert object.
2.2. TLSA RR Presentation Format
The presentation format of the RDATA portion is as follows:
o The certificate type field MUST be represented as an unsigned
decimal integer.
o The reference type field MUST be represented as an unsigned
decimal integer.
o The certificate for association field MUST be represented as a
string of hexadecimal characters. Whitespace is allowed within
the string of hexadecimal characters.
Hoffman & Schlyter Expires December 5, 2011 [Page 6]
Internet-Draft DNS Cert Linkage for TLS June 2011
2.3. TLSA RR Examples
An example of a SHA-256 hash (type 1) of an end entity certificate
(type 1) would be:
_443._tcp.www.example.com. IN TLSA (
1 1 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98
c735fcca79f09230aa7141 )
An example of an unhashed CA certificate (type 2) would be:
_443._tcp.www.example.com. IN TLSA (
2 0 308202c5308201ada00302010202090... )
3. Domain Names for TLS Certificate Associations
TLSA resource records are stored at a prefixed DNS domain name. The
prefix is prepared in the following manner:
1. The decimal representation of the port number on which a TLS-
based service is assumed to exist is prepended with an underscore
character ("_") to become the left-most label in the prepared
domain name. This number has no leading zeros.
2. The protocol name of the transport on which a TLS-based service
is assumed to exist is prepended with an underscore character
("_") to become the second left-most label in the prepared domain
name. The transport names defined for this protocol are "tcp",
"udp" and "sctp".
3. The domain name is appended to the result of step 2 to complete
the prepared domain name.
For example, to request a TLSA resource record for an HTTP server
running TLS on port 443 at "www.example.com", you would use
"_443._tcp.www.example.com" in the request. To request a TLSA
resource record for an SMTP server running the STARTTLS protocol on
port 25 at "mail.example.com", you would use
"_25._tcp.mail.example.com".
4. Semantics and Features of TLSA Certificate Types
The three certificate types have very different semantics, but also
have features common to all three types.
Hoffman & Schlyter Expires December 5, 2011 [Page 7]
Internet-Draft DNS Cert Linkage for TLS June 2011
4.1. End Entity Certificate
Certificate type 1 (a certificate that identifies an end entity) is
matched against the first certificate offered by the TLS server. The
certificate for association is used only for exact matching, not for
chained validation. With reference type 0, the certificate
association is valid if the certificate in the TLSA data matches to
the first certificate offered by TLS. With reference types other
than 0, the certificate association is valid if the hash of the first
certificate offered by the TLS server matches the value from the TLSA
data.
4.2. Certification Authority Certificate
Certificate type 2 (certification authority's certificate) can be
used in one of two ways. With reference type 0, the certificate in
the TLSA resource record is used in chaining from the end entity
given in TLS. The certificate association is valid if the first
certificate in the certificate bundle can be validly chained to the
trust anchor from the TLSA data. With reference types other than 0,
if the hash of any certificate past the first in the certificate
bundle from TLS matches the trust anchor from the TLSA data, and the
chain in the certificate bundle is valid up to that TLSA trust
anchor, then the certificate association is valid. Alternately, if
the first certificate offered chains to an existing trust anchor in
the TLS client's trust anchor repository, and the hash of that trust
anchor matches the value from the TLSA data, then the certificate
association is valid.
4.3. Certificate Public Key
Certificate type 3 (public key expressed as a PKIX
SubjectPublicKeyInfo structure) is used to assert that the public key
will appear in one of the certificates received from the server. A
server might choose this type for many reasons, including (but not
limited to):
o the trust anchor to which TLS server's certificate chains might
change without the trust anchor's public key changing
o the TLS server is using a self-signed certificate that is not
marked as a CA certificate
A TLS client conforming to this protocol that receives a public key
in a type 3 certificate for association must be able to extract the
SubjectPublicKeyInfo from each of the certificates presented to it by
the TLS server. It then does a bit-for-bit comparison between the
certificate for association and the SubjectPublicKeyInfos in the
Hoffman & Schlyter Expires December 5, 2011 [Page 8]
Internet-Draft DNS Cert Linkage for TLS June 2011
certificates; if it does not find a match, the client aborts the TLS
handshake.
4.4. Use of TLS Certificate Associations in TLS
A TLS client conforming to this protocol receiving a certificate for
association of type 1 MUST compare it for equality, using the
specified reference type, with the end entity certificate received in
TLS. A TLS client conforming to this protocol receiving a
certificate for association of type 2 MUST treat it as a trust anchor
for that domain name. A TLS client conforming to this protocol
receiving a certificate for association of type 3 MUST find a
matching SubjectPublicKeyInfo structure in one of the certificates
offered by the TLS server.
The end entity certificate from TLS, regardless of whether it was
matched with a TLSA type 1 certificate or chained to a TLSA type 2 CA
certificate, might have at least one identifier in the subject or
subjectAltName field of the matched certificates that matches the
expected identifier for the TLS server. Some specifications for
applications that run under TLS, such as [RFC2818] for HTTP, requires
the server's certificate have a domain name that matches the host
name expected by the client. Further, the TLS session that is to be
set up MUST be for the specific port number and transport name that
was given in the TLSA query. The matching or chaining MUST be done
within the life of the TTL on the TLSA record.
In order to use one or more TLS certificate associations described in
this document obtained from the DNS, an application MUST assure that
the certificates were obtained using DNS protected by DNSSEC. TLSA
records must only be trusted if they were obtained from a trusted
source. This could be a localhost DNS resolver answer with the AD
bit set, an inline validating resolver library primed with the proper
trust anchors, or obtained from a remote nameserver to which one has
a secured channel of communication.
If a certificate association contains a reference type that is not
understood by the TLS client, that certificate association MUST be
marked as unusable.
An application that requests TLS certificate associations using the
method described in this document obtains zero or more usable
certificate associations. If the application receives zero usable
certificate associations, it processes TLS in the normal fashion.
If a match between one of the certificate association(s) and the
server's end entity certificate in TLS is found, the TLS client
continues the TLS handshake. If no match between the usable
Hoffman & Schlyter Expires December 5, 2011 [Page 9]
Internet-Draft DNS Cert Linkage for TLS June 2011
certificate association(s) and the server's end entity certificate in
TLS is found, the TLS client MUST abort the handshake with an
"access_denied" error.
5. TLSA and Use Cases and Requirements
The different types of certificates for association defined in TLSA
are matched with various sections of [DANEUSECASES]. [[ IMPORTANT
NOTICE, DANGER OF MOVING PARTS: this draft of the protocol is based
on the -02 version of [DANEUSECASES]. As that document changes in
the WG and IETF Last Call, this protocol might change as well. ]]
Certificate type 1 (end entity certificate) is used for "certificate
constraints". Certificate type 2 (CA certificate) is used for "CA
constraints". Certificate type 3 (public key structure) is used for
"CA constraints" and "certificate constraints", depending on which
certificate the public key is extracted from. All three types are
also used for "domain-issued certificates if the domain owner creates
its own CA certificate and then issues and end entity certificate
from that CA. Note that [DANEUSECASES] discusses "CA constraints"
and "certificate constraints" in terms of a "well-known CA"; TLSA
extends this in some cases to allow domain-issued (not-well-known)
CAs.
As described in [DANEUSECASES], when TLSA is deployed for CA
constraints, DNSSEC is not required. Both type 2 and type 3 can be
used for CA constraints, but because type 3 is only used for CA
constraints in some cases. This can easily be confusing in
deployments, so this particular lack of need for DNSSEC is not
emphasized in the rest of this document.
TLSA allows delegated services. It also supports opportunistic
security and web services if the domain uses a certificate that
chains to a well-known CA that is trusted in the "legacy" TLS
application. It also meets all the requirements listed except for
being compatible with DNS wildcards.
6. Mandatory-to-Implement Algorithms
DNS systems conforming to this specification MUST be able to create
TLSA records containing certificate types 1 and 2. DNS systems
conforming to this specification MUST be able to create TLSA records
using reference type 0 (no hash used) and reference type 1 (SHA-256),
and SHOULD be able to create TLSA records using reference type 2
(SHA-512).
Hoffman & Schlyter Expires December 5, 2011 [Page 10]
Internet-Draft DNS Cert Linkage for TLS June 2011
TLS clients conforming to this specification MUST be able to
correctly interpret TLSA records containing certificate types 1 and
2. TLS clients conforming to this specification MUST be able to
compare a certificate for association with a certificate from TLS
using reference type 0 (no hash used) and reference type 1 (SHA-256),
and SHOULD be able to make such comparisons with reference type 2
(SHA-512).
At the time this is written, it is expected that there will be a new
family of hash algorithms called SHA-3 within the next few years. It
is expected that some of the SHA-3 algorithms will be mandatory
and/or recommended for TLSA records after the algorithms are fully
defined. At that time, this specification will be updated.
7. IANA Considerations
7.1. TLSA RRtype
This document uses a new DNS RR type, TLSA, whose value is TBD. A
separate request for the RR type will be submitted to the expert
reviewer, and future versions of this document will have that value
instead of TBD.
7.2. TLSA Certificate Types
This document creates a new registry, "Certificate Types for TLSA
Resource Records". The registry policy is "RFC Required". The
initial entries in the registry are:
Value Short description Reference
----------------------------------------------------------
0 Reserved [This]
1 Certificate to identify an end entity [This]
2 CA's certificate [This]
3 Public key as SubjectPublicKeyInfo [This]
3-254 Unassigned
255 Private use
Applications to the registry can request specific values that have
yet to be assigned.
7.3. TLSA Hash Types
This document creates a new registry, "Hash Types for TLSA Resource
Records". The registry policy is "Specification Required". The
initial entries in the registry are:
Hoffman & Schlyter Expires December 5, 2011 [Page 11]
Internet-Draft DNS Cert Linkage for TLS June 2011
Value Short description Reference
---------------------------------------------
0 No hash used [This]
1 SHA-256 NIST FIPS 180-3
2 SHA-512 NIST FIPS 180-3
3-254 Unassigned
255 Private use
Applications to the registry can request specific values that have
yet to be assigned.
8. Security Considerations
[[ NOTE: Some of the text here is wrong in that DNSSEC does not need
to be used in all cases. This will be much better delineated and
described in a future version of the spec. ]]
The security of the protocols described in this document relies on
the security of DNSSEC as used by the client requesting A/AAAA and
TLSA records.
A DNS administrator who goes rogue and changes both the A/AAAA and
TLSA records for a domain name can cause the user to go to an
unauthorized server that will appear authorized, unless the client
performs certificate validation and rejects the certificate. That
administrator could probably get a certificate issued anyway, so this
is not an additional threat.
If the authentication mechanism for adding or changing TLSA data in a
zone is weaker than the authentication mechanism for changing the
A/AAAA records, a man-in-the-middle who can redirect traffic to their
site may be able to impersonate the attacked host in TLS if they can
use the weaker authentication mechanism. A better design for
authenticating DNS would be to have the same level of authentication
used for all DNS additions and changes for a particular host.
SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
In these scenarios, the clients add a new trust anchor whose private
key is kept on the SSL proxy; the proxy intercepts TLS requests,
creates a new TLS session with the intended host, and sets up a TLS
session with the client using a certificate that chains to the trust
anchor installed in the client by the proxy. In such environments,
the TLSA protocol will prevent the SSL proxy from functioning as
expected because the TLS client will get a certificate association
from the DNS that will not match the certificate that the SSL proxy
uses with the client. The client, seeing the proxy's new certificate
for the supposed destination will not set up a TLS session. Thus,
Hoffman & Schlyter Expires December 5, 2011 [Page 12]
Internet-Draft DNS Cert Linkage for TLS June 2011
such proxies might choose to aggressively block TLSA requests and/or
responses.
Client treatment of any information included in the trust anchor is a
matter of local policy. This specification does not mandate that
such information be inspected or validated by the domain name
administrator.
9. Acknowledgements
Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the
ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben
Laurie, Ilari Liusvaara, Scott Schmit, and Ondrej Sury.
This document has also been greatly helped by many active
participants of the DANE Working Group.
10. References
10.1. Normative References
[4347bis] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security version 1.2", draft-ietf-tls-rfc4347-bis (work in
progress), July 2010.
[DANEUSECASES]
Barnes, R., "Use Cases and Requirements for DNS-based
Authentication of Named Entities (DANE)",
draft-ietf-dane-use-cases (work in progress), 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Hoffman & Schlyter Expires December 5, 2011 [Page 13]
Internet-Draft DNS Cert Linkage for TLS June 2011
Extensions", RFC 4035, March 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
10.2. Informative References
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC4025] Richardson, M., "A Method for Storing IPsec Keying
Material in DNS", RFC 4025, March 2005.
[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
January 2006.
Authors' Addresses
Paul Hoffman
VPN Consortium
Email: paul.hoffman@vpnc.org
Jakob Schlyter
Kirei AB
Email: jakob@kirei.se
Hoffman & Schlyter Expires December 5, 2011 [Page 14]
