Internet Draft S. Boeyen PKIX Working Group Entrust Inc. Document: draft-ietf-pkix-pkixrep-04.txt P. Hallam-Baker Expires: Jan 2006 VeriSign Inc. Experimental September 2005 Internet X.509 Public Key Infrastructure Repository Locator Service <draft-ietf-pkix-pkixrep-04.txt> Status of this Memo Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire in Jan 2006. Comments should be sent to the PKIX mail list at: ietf-pkix@imc.org. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Abstract This document defines a PKI repository locator service. The service makes use of DNS SRV records defined in accordance with RFC 2782. The service enables certificate using systems to locate PKI repositories Conventions used in this document Boeyen & Hallam-Baker Expires Feb 2006 [Page 1]
PKIXREP September 2005 The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. In examples, "C:" and "S:" indicate lines sent by the client and server respectively. Table of Contents 1. Overview.......................................................2 2. SRV RR definition..............................................2 2.1 Assignment of new protocol prefixes........................3 2.2 Use of multiple repositories...............................3 2.3 SRV RR example.............................................3 3. Security considerations........................................4 4. IANA Considerations............................................4 Copyright.........................................................4 References........................................................5 Author's Addresses................................................5 1. Overview Operational protocols have been specified for retrieval of PKI data, including public-key certificates and revocation information, from PKI repositories in a number of RFCs including RFC 2559, RFC 2560 and RFC 2585. These RFCs assume that a certificate using system has the knowledge information necessary to identify, locate and connect to the PKI repository with a specific protocol. Although there are some tools available in protocol-specific environments for this purpose, such as knowledge references in directory systems, these are restricted to use with a single protocol and do not share a common means of publication. This draft provides a solution to this problem through the use of SRV RRs in DNS. This solution is expected to be particularly useful in environments where only a domain name is available. In other situations (e.g. where a certificate is available that contains the required information), such a DNS lookup is not needed. RFC 2782 defines a DNS RR for specifying the location of services (SRV). This Internet-draft defines SRV records for a PKI repository locator service to enable PKI clients to obtain the necessary information to connect to a domain's PKI repository, including information about each protocol that is supported by that domain for access to its repository. This Internet-draft includes the definition of a SRV RR format for this service and an example of its potential use in an email environment. 2. SRV RR definition Boeyen & Hallam-Baker Expires Feb 2006 [Page 2]
PKIXREP September 2005 The format of the SRV RR, whose DNS type code is 33, is: _Service._Proto.Name TTL Class SRV Priority Weight Port Target For the PKI repository locator service, this draft uses the symbolic name "PKIXREP". Note that when used in an SRV RR, this name MUST be prepended with a "_" character. The protocols that can be included in PKIXREP SRV RRs are: Protocol SRV Prefix LDAP _LDAP HTTP _HTTP OCSP _OCSP 2.1 Assignment of new protocol prefixes Protocol prefix assignments for new PKIX repository protocols SHOULD be defined in the document that specifies the protocol. 2.2 Use of multiple repositories The existence of multiple repositories MAY be determined by making separate DNS queries for each of the protocols supported by the client. If this approach is found to be unacceptably inefficient due to a proliferation of repository protocols at a future date the service discovery protocol could be extended to allow the repository to advertise the protocols supported. 2.3 SRV RR example This example uses fictional domain "example.com" as an aid in understanding the use of SRV records by a certificate using system. Let an email client that needs a certificate for a recipient be Alice and assume that Alice's client system supports LDAP for certificate retrieval. Let the message recipient be Bob and let Bob's email address be bob@example.com. Assume that example.test maintains a "border directory" PKI repository and that Bob's certificate is available from that directory "border.example.com" via LDAP. Alice's client system retrieves, via DNS, the SRV record for _PKIXREP._LDAP.example.com. - the QNAME of the DNS query is _PKIXREP._LDAP.example.com - the QCLASS of the DNS query is IN Boeyen & Hallam-Baker Expires Feb 2006 [Page 3]
PKIXREP September 2005 - the QTYPE of the DNS query is SRV The result SHOULD include the host address for example.com's border directory system. Note that if example.com operated their service on a number of hosts, more than one SRV RR would be returned. In this case, RFC 2782 defines the procedure to be followed in determining which of these should be accessed first. 3. Security considerations Security issues regarding PKI repositories themselves are outside the scope of this specification. For LDAP repositories, for example, specific security considerations are addressed in RFC 2559. Security issues with respect to the use of SRV records in general are addressed in RFC 2782 and these issues apply to the use of SRV records in the context of the PKIXREP service defined here. 4. IANA Considerations This document reserves the use of "_PKIXREP" Service label. Since this relates to a service which may pass messages over a number of different message transports, they must be associated with a specific transport. In order to ensure that the association between "_PKIXREP" and their respective underlying services is deterministic, this document requests that IANA create a registry: The PKIX SRV Protocol Label. For this registry, an entry shall consist of a label name and a pointer to a specification describing how the protocol named in the label uses SRV. Specifications should conform to the requirements listed in RFC 2434 for "specification required". Copyright Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights." This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE Boeyen & Hallam-Baker Expires Feb 2006 [Page 4]
PKIXREP September 2005 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. References [RFC 2119] Bradner, S., "Keywords for use in RFCs to indicate requirement levels, March 1997. [RFC 2782] Gulbrandsen, A. Vixie, P. and Esibov, L., "A DNS RR for specifying the location of services (DNS SRV)", Feb 2000. [RFC 2559] Boeyen, S. Howes, T. and Richard, P., "Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2", April 1999. [RFC 2560] Myers, M. Ankney, R. Malpani, A. Galperin, S. and Adams, C. "Internet X.509 Public Key Infrastructure Online Certificate Status Protocol - OCSP", June 1999. RFC 2585] Housley, R. and Hoffman, P. "Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP", May, 1999. RFC 2434] Narten, T. and Alvestrand, H. "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 2434, BCP 26, October 1998. Author's Addresses Sharon Boeyen Entrust 1000 Innovation Drive Ottawa, Ontario Canada K2K 3E7 email: sharon.boeyen@entrust.com Phillip M. Hallam-Baker VeriSign Inc. 401 Edgewater Place, Suite 280 Wakefield MA 01880 email: pbaker@VeriSign.com Boeyen & Hallam-Baker Expires Feb 2006 [Page 5]
