archive-org.com » ORG » J » JOSEFSSON.ORG

Total: 236

  • Diff: rfc2538xml.txt - draft-josefsson-rfc2538bis-00.txt
    (rfcdiff side-by-side output rendered as one text: [-only in rfc2538xml.txt-], {+only in draft-josefsson-rfc2538bis-00.txt+})

    [...] The URI private type indicates a certificate format defined by an absolute URI. The certificate portion of the CERT RR MUST begin with a null terminated URI [-[5]-] {+[4]+} and the data after the null is the private format certificate itself. The URI SHOULD be such that a retrieval from it will lead to documentation on the format of the certificate. Recognition of private certificate types need not be based on URI equality but can use various forms of pattern matching so that, for example, subtype or version information can also be encoded into the URI.

    The OID private type indicates a private format certificate specified by a an ISO OID prefix. The certificate section will start with a one-byte unsigned OID length and then a BER encoded OID indicating the nature of the remainder of the certificate section. This can be an X.509 certificate format or some other format. X.509 certificates that conform to the IETF PKIX profile SHOULD be indicated by the PKIX type, not the OID private type. Recognition of private certificate types need not be based on OID equality but can use various forms of pattern matching such as OID prefix.

    2.2 Text Representation of CERT RRs

    The RDATA portion of a CERT RR has the type field as an unsigned {+decimal+} integer or as a mnemonic symbol as listed in section 2.1 above. The key tag field is represented as an unsigned {+decimal+} integer. The algorithm field is represented as an unsigned {+decimal+} integer or a mnemonic symbol as listed in [-[8]-] {+[10]+}.

    The certificate/CRL portion is represented in base 64 {+[8]+} and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis.

    Note that the certificate/CRL portion may have internal sub-fields, but these do not appear in the master file representation. For example, with type 254, there will be an OID size, an OID, and then the certificate/CRL proper. But only a single logical base 64 string will appear in the text representation.

    2.3 X.509 OIDs

    (skipping to change at page 7, line [-16-] {+17+})

    [...] certificate or CRL, that should be used.

    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.

    3. If neither of the above it used, but a URI containing a domain name is present, that domain name should be used.

    4. If none of the above is included but a character string name is included, then it should be treated as described for PGP names in 3.2 below.

    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [-[4]-] {+[3]+}.

    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-josefsson-rfc2538bis-00-from-rfc2538xml.diff.html (2016-04-30)


  • [...] at(4) 37 }
       == 0x 03 55 04 25
    id-at-authorityRevocationList
        = { joint-iso-ccitt(2) ds(5) at(4) 38 }
       == 0x 03 55 04 26
    id-at-certificateRevocationList
        = { joint-iso-ccitt(2) ds(5) at(4) 39 }
       == 0x 03 55 04 27

    3. Appropriate Owner Names for CERT RRs

    It is recommended that certificate CERT RRs be stored under a domain name related to their subject, i.e., the name of the entity intended to control the private key corresponding to the public key being certified. It is recommended that certificate revocation list CERT RRs be stored under a domain name related to their issuer.

    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client may only know the hostname of a service that uses X.509 certificates or the OpenPGP key id of an OpenPGP key. This motivate describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wishes to retrieve CERT RRs knows; for example, the host name of a X.509 protected service or a OpenPGP key id of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client look up keys based on e-mail addresses for incoming e-mail.

    Editorial note: Purpose-based owner name guidelines were introduced in RFC 2538bis. Earlier, in RFC 2538, only content-based owner name guidelines were described. Implementation experience suggested that the content-based owner name guidelines were not generally applicable. It was realized that purpose-based owner name guidelines were required to use CERT RRs in some ways.

    [Josefsson, Expires July 4, 2005, page 6; Internet-Draft "Storing Certificates in the DNS", January 2005]

    3.1 Content-based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,
           rfc822Name                 [1] IA5String,
           dNSName                    [2] IA5String,
           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
           directoryName              [4] EXPLICIT Name,
           ediPartyName               [5] EDIPartyName,
           uniformResourceIdentifier  [6] IA5String,
           iPAddress                  [7] OCTET STRING,
           registeredID               [8] OBJECT IDENTIFIER
        }

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above it used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for PGP names in 3.2 below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [3].

    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri [...]. Then the storage locations recommended, in priority order, would be

    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    Example 2: Assume that an X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker [...]". Then the storage locations recommended, in priority order, would be

    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    3.2 Purpose-based X.509 CERT RR Names

    It is difficult for clients that do not already posses a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there are more than one recommendation. The following table summarize the purpose-based X.509 CERT RR owner name guidelines.

        Scenario            Owner name
        ------------------  -----------------------------------------------
        S/MIME Certificate  Standard translation of RFC 822 email address.
                            Example: A S/MIME certificate for
                            "postmaster@example.org" will use a standard
                            hostname translation of the owner name, i.e.,
                            postmaster.example.org.
        SSL Certificate     Hostname of the SSL server.
        IPSEC Certificate   Hostname of the IPSEC machine and/or, for the
                            in-addr.arpa reverse lookup, IP address.
        CRLs                Hostname of the issuing CA.

    3.3 Content-based PGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by PGP that [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-josefsson-rfc2538bis-01.txt (2016-04-30)

  • Diff: draft-josefsson-rfc2538bis-00.txt - draft-josefsson-rfc2538bis-01.txt
    (rfcdiff side-by-side output rendered as one text: [-only in draft-josefsson-rfc2538bis-00.txt-], {+only in draft-josefsson-rfc2538bis-01.txt+})

    [...] for NULL.

    [-3.1 X.509 CERT RR Names-]

    {+The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client may only know the hostname of a service that uses X.509 certificates or the OpenPGP key id of an OpenPGP key. This motivate describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wishes to retrieve CERT RRs knows; for example, the host name of a X.509 protected service or a OpenPGP key id of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client look up keys based on e-mail addresses for incoming e-mail.+}

    {+Editorial note: Purpose-based owner name guidelines were introduced in RFC 2538bis. Earlier, in RFC 2538, only content-based owner name guidelines were described. Implementation experience suggested that the content-based owner name guidelines were not generally applicable. It was realized that purpose-based owner name guidelines were required to use CERT RRs in some ways.+}

    {+3.1 Content-based X.509 CERT RR Names+}

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,
           rfc822Name                 [1] IA5String,
           dNSName                    [2] IA5String,

    (skipping to change at page [-7, line 38-] {+8, line 16+})

    Example 2: Assume that an X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker <hacker@mail.widget.foo.example>". Then the storage locations recommended, in priority order, would be

    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    [-3.2 PGP CERT RR Names-]

    {+3.2 Purpose-based X.509 CERT RR Names+}

    {+It is difficult for clients that do not already posses a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there are more than one recommendation. The following table summarize the purpose-based X.509 CERT RR owner name guidelines.+}

    {+
        Scenario            Owner name
        ------------------  -----------------------------------------------
        S/MIME Certificate  Standard translation of RFC 822 email address.
                            Example: A S/MIME certificate for
                            "postmaster@example.org" will use a standard
                            hostname translation of the owner name, i.e.,
                            postmaster.example.org.
        SSL Certificate     Hostname of the SSL server.
        IPSEC Certificate   Hostname of the IPSEC machine and/or, for the
                            in-addr.arpa reverse lookup, IP address.
        CRLs                Hostname of the issuing CA.
    +}

    {+3.3 Content-based PGP CERT RR Names+}

    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by PGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. For example:

        $ORIGIN example.org.
        smith        IN CERT (PGP 0 0 <OpenPGP binary>)
        john.smith   IN CNAME smith
        js           IN CNAME [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-josefsson-rfc2538bis-01-from-0.diff.html (2016-04-30)


  • [...] joint-iso-ccitt(2) ds(5) at(4) 39 }
       == 0x 03 55 04 27

    3. Appropriate Owner Names for CERT RRs

    It is recommended that certificate CERT RRs be stored under a domain name related to their subject, i.e., the name of the entity intended to control the private key corresponding to the public key being certified. It is recommended that certificate revocation list CERT RRs be stored under a domain name related to their issuer.

    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key. This motivate describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wishes to retrieve CERT RRs are expected to know; for example, the host name of a X.509 protected service or a Key ID of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client look up keys based on e-mail addresses for incoming e-mail.

    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAMEs at content-based owner names (or other names), pointing to the purpose-based owner name.

    [Josefsson, Expires July 25, 2005, page 6; Internet-Draft "Storing Certificates in the DNS", January 2005]

    3.1 Content-based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,
           rfc822Name                 [1] IA5String,
           dNSName                    [2] IA5String,
           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
           directoryName              [4] EXPLICIT Name,
           ediPartyName               [5] EDIPartyName,
           uniformResourceIdentifier  [6] IA5String,
           iPAddress                  [7] OCTET STRING,
           registeredID               [8] OBJECT IDENTIFIER
        }

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above it used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for PGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [3].

    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri [...]. Then the storage locations recommended, in priority order, would be

    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    Example 2: Assume that an X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker [...]". Then the storage locations recommended, in priority order, would be

    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    3.2 Purpose-based X.509 CERT RR Names

    It is difficult for clients that do not already posses a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there are more than one recommendation. The following table summarize the purpose-based X.509 CERT RR owner name guidelines.

        Scenario            Owner name
        ------------------  -----------------------------------------------
        S/MIME Certificate  Standard translation of RFC 822 email address.
                            Example: A S/MIME certificate for
                            "postmaster@example.org" will use a standard
                            hostname translation of the owner name, i.e.,
                            postmaster.example.org.
        SSL Certificate     Hostname of the SSL server.
        IPSEC Certificate   Hostname of the IPSEC machine and/or, for the
                            in-addr.arpa reverse lookup, IP address.
        CRLs                Hostname of the issuing CA.

    3.3 Content-based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by OpenPGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example [...]". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-00.txt (2016-04-30)

  • Diff: draft-josefsson-rfc2538bis-01.txt - draft-ietf-dnsext-rfc2538bis.txt
    (rfcdiff side-by-side output rendered as one text: [-only in draft-josefsson-rfc2538bis-01.txt-], {+only in draft-ietf-dnsext-rfc2538bis.txt+})

    [...] in section 10.1 of [5], but it MAY handle additional OpenPGP packets.

    {+The IPKIX, ISPKI and IPGP types indicate a URL which will serve the content that would have been in the "certificate, CRL or URL" field of the corresponding (PKIX, SPKI or PGP) packet types. These types are known as "indirect". These packet types MUST be used when the content is too large to fit in the CERT RR, and MAY be used at the implementations discretion. They SHOULD NOT be used where the entire UDP packet would have fit in 512 bytes.+}

    The URI private type indicates a certificate format defined by an absolute URI. The certificate portion of the CERT RR MUST begin with a null terminated URI [-[4]-] {+[5]+} and the data after the null is the private format certificate itself. The URI SHOULD be such that a retrieval from it will lead to documentation on the format of the certificate. Recognition of private certificate types need not be based on URI equality but can use various forms of pattern matching so that, for example, subtype or version information can also be encoded into the URI.

    The OID private type indicates a private format certificate specified by a an ISO OID prefix. The certificate section will start with a one-byte unsigned OID length and then a BER encoded OID indicating [...]

    (skipping to change at page 5, line [-32-] {+44+})

    The RDATA portion of a CERT RR has the type field as an unsigned decimal integer or as a mnemonic symbol as listed in section 2.1 above. The key tag field is represented as an unsigned decimal integer. The algorithm field is represented as an unsigned decimal integer or a mnemonic symbol as listed in [10].

    The certificate/CRL portion is represented in base 64 [-[8]-] {+[14]+} and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis.

    Note that the certificate/CRL portion may have internal sub-fields, but these do not appear in the master file representation. For example, with type 254, there will be an OID size, an OID, and then the certificate/CRL proper. But only a single logical base 64 string will appear in the text representation.

    (skipping to change at page 6, line [-36-] {+46+})

    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client [-may-] {+might+} only know the hostname of a service that uses X.509 certificates or the [-OpenPGP key id-] {+Key ID+} of an OpenPGP key. This motivate{+s+} describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wishes to retrieve CERT RRs [-knows-] {+are expected to know+}; for example, the host name of a X.509 protected service or a [-OpenPGP key id-] {+Key ID+} of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client look up keys based on e-mail addresses for incoming e-mail.

    [-Editorial note: Purpose-based owner name guidelines were introduced in RFC 2538bis. Earlier, in RFC 2538, only content-based owner name guidelines were described. Implementation experience suggested that the content-based owner name guidelines were not generally applicable. It was realized that purpose-based owner name guidelines were required to use CERT RRs in some ways.-]

    {+Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAMEs at content-based owner names (or other names), pointing to the purpose-based owner name.+}

    3.1 Content-based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,

    (skipping to change at page 7, line [-39-] {+47+})

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above it used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for [-PGP names in 3.2 below-] {+OpenPGP names below+}.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [-[3]-] {+[4]+}.

    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri <https://www.secure.john-doe.com:8080>. Then the storage locations recommended, in priority order, would be

    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    (skipping to change at page 8, line [-25-] {+33+})

    3.2 Purpose-based X.509 CERT RR Names

    It is difficult for clients that do not already posses a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there are more than one recommendation. The following table summarize the purpose-based X.509 CERT RR owner name guidelines{+, for use with S/MIME [16], SSL/TLS [11], and IPSEC [12]+}.

        Scenario            Owner name
        ------------------  -----------------------------------------------
        S/MIME Certificate  Standard translation of RFC 822 email address.
                            Example: A S/MIME certificate for
                            "postmaster@example.org" will use a standard
                            hostname translation of the owner name, i.e.,
                            postmaster.example.org.
        [-SSL-] {+TLS+} Certificate     Hostname of the [-SSL-] {+TLS+} server.
        IPSEC Certificate   Hostname of the IPSEC machine and/or, for
                            [-the in-addr.arpa reverse lookup, IP address-]
                            {+IPv4 or IPv6 addresses, the fully qualified
                            domain name in the appropriate reverse domain+}.
        CRLs                Hostname of the issuing CA.

    {+An alternative approach for IPSEC is to store raw public keys [15].+}

    3.3 Content-based [-PGP-] {+Open PGP+} CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [-[5]-] {+[6]+}. However, it is recommended by [-PGP-] {+OpenPGP+} that such names include the RFC 2822 [-[7]-] {+[8]+} email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. For example:

        $ORIGIN example.org.
        smith        IN CERT (PGP 0 0 <OpenPGP binary>)
        john.smith   IN CNAME smith
        js           IN CNAME smith

    3.4 Purpose-based [-PGP-] {+Open PGP+} CERT RR Names

    Applications that receive an OpenPGP packet {+containing encrypted or signed data+} but do not know the email address of the sender will have difficulties guessing the correct owner name [...]
and cannot use the content based owner name guidelines difficulties constructing the correct owner name and cannot use the However the OpenPGP packet typically contain the Key ID of the key content based owner name guidelines However these clients commonly In these situations it is recommended to use an owner name derived know the key fingerprint or the Key ID The key ID is found in from the Key ID For example OpenPGP packets and the key fingerprint is commonly found in auxilliary data that may be available For these situations it is recommended to use an owner name identical to the key fingerprint and key ID expressed in hexadecimal 14 For example ORIGIN example org ORIGIN example org 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP F835EDA21E94B565716F IN CERT PGP F835EDA21E94B565716F IN CERT PGP B565716F IN CNAME F835EDA21E94B565716F B565716F IN CERT PGP As before if the same key material is stored at several owner names If the same key material is stored at several owner names the use of using CNAME can be used to avoid data duplication CNAME may be used to avoid data duplication Note that CNAME is not always applicable because it map an owner names to the other for all purposes and this may be sub optimal when two keys with the same Key ID are stored 3 5 Owner names for IPKIX ISPKI and IPGP These types are stored under the same owner names both purpose and content based as the PKIX SPKI and PGP types respectively 4 Performance Considerations 4 Performance Considerations Current Domain Name System DNS implementations are optimized for Current Domain Name System DNS implementations are optimized for small transfers typically not more than 512 bytes including small transfers typically not more than 512 bytes including overhead While larger transfers will perform correctly and work is overhead While larger transfers will perform correctly and work is underway to make larger transfers more efficient it is still underway to make larger transfers more efficient 
it is still advisable at this time to make every reasonable effort to minimize advisable at this time to make every reasonable effort to minimize the size of certificates stored within the DNS Steps that can be the size of certificates stored within the DNS Steps that can be taken may include using the fewest possible optional or extensions taken may include using the fewest possible optional or extensions fields and using short field values for variable length fields that fields and using short field values for variable length fields that must be included must be included 5 IANA Considerations The RDATA field in

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-from-josefsson-rfc2538bis-01.diff.html (2016-04-30)


  • [...]26
    id-at-certificateRevocationList   joint-iso-ccitt(2) ds(5) at(4) 39   0x{03 55 04 27}
    3. Appropriate Owner Names for CERT RRs
    It is recommended that certificate CERT RRs be stored under a domain name related to their subject, i.e., the name of the entity intended to control the private key corresponding to the public key being certified. It is recommended that certificate revocation list CERT RRs be stored under a domain name related to their issuer.
    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.
    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.
    This motivates describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names.
    Josefsson, Expires July 2, 2005 [Page 6]; Internet-Draft: Storing Certificates in the DNS, January 2005
    A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wish to retrieve CERT RRs are expected to know; for example, the host name of an X.509 protected service or a Key ID of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client looks up keys based on e-mail addresses for incoming e-mail.
    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAMEs at content-based owner names (or other names) pointing to the purpose-based owner name.
    3.1 Content-based X.509 CERT RR Names
    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:
        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,
           rfc822Name                 [1] IA5String,
           dNSName                    [2] IA5String,
           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
           directoryName              [4] EXPLICIT Name,
           ediPartyName               [5] EDIPartyName,
           uniformResourceIdentifier  [6] IA5String,
           iPAddress                  [7] OCTET STRING,
           registeredID               [8] OBJECT IDENTIFIER
        }
    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [3].
    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri. Then the storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.
    Example 2: Assume that an X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker". Then the storage locations recommended, in priority order, would be
    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.
    3.2 Purpose-based X.509 CERT RR Names
    It is difficult for clients that do not already possess a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there is more than one recommendation.
    The following table summarizes the purpose-based X.509 CERT RR owner name guidelines.
    Scenario             Owner name
    S/MIME Certificate   Standard translation of RFC 822 email address.
                         Example: A S/MIME certificate for
                         postmaster@example.org will use a standard
                         hostname translation of the owner name,
                         i.e., postmaster.example.org.
    SSL Certificate      Hostname of the SSL server
    IPSEC Certificate    Hostname of the IPSEC machine and/or,
                         for the in-addr.arpa reverse lookup IP address
    An alternative approach for IPSEC is to store raw public keys [12].
    3.3 Content-based OpenPGP CERT RR Names
    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by OpenPGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example". If such a format is used, the CERT should be under [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-01.txt (2016-04-30)

  • Diff: draft-ietf-dnsext-rfc2538bis-00.txt - draft-ietf-dnsext-rfc2538bis-01.txt
    [...] or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wish to retrieve CERT RRs are expected to know; for example, the host name of an X.509 protected service or a Key ID of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client looks up keys based on e-mail addresses for incoming e-mail.
    [skipping to change at page 7 line 36 (old) / page 7 line 47 (new)]
    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for
       old: PGP names below.
       new: OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [3].
    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri https://www.secure.john-doe.com:8080. Then the storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    [skipping to change at page 8 line 36 (old) / page 8 line 48 (new)]
                         Example: A S/MIME certificate for
                         postmaster@example.org will use a standard
                         hostname translation of the owner name,
                         i.e., postmaster.example.org.
    SSL Certificate      Hostname of the SSL server
    IPSEC Certificate    Hostname of the IPSEC machine and/or,
                         for the in-addr.arpa reverse lookup IP address
    old: CRLs                 Hostname of the issuing CA
    new: An alternative approach for IPSEC is to store raw public keys [12].
    3.3 Content-based OpenPGP CERT RR Names
    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by OpenPGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific [...]
    [skipping to change at page 9 line 12 (old) / page 9 line 22 (new)]
    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. For example:
        $ORIGIN example.org
        smith        IN CERT PGP 0 0 <OpenPGP binary>
        john [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-01-from-0.diff.html (2016-04-30)


  • [...] related to their issuer.
    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.
    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.
    This motivates describing two different owner name guidelines. We call the two rules content-based owner names and purpose-based owner names.
    Josefsson, Expires November 26, 2005 [Page 6]; Internet-Draft: Storing Certificates in the DNS, May 2005
    A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is selected to be a name that clients that wish to retrieve CERT RRs are expected to know; for example, the host name of an X.509 protected service or a Key ID of an OpenPGP key. Note that in some situations the content-based and purpose-based owner name can be the same; for example, when a client looks up keys based on e-mail addresses for incoming e-mail.
    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAMEs at content-based owner names (or other names) pointing to the purpose-based owner name.
    3.1 Content-based X.509 CERT RR Names
    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, x.509v3 has such Alternate Names with an ASN.1 specification as follows:
        GeneralName ::= CHOICE {
           otherName                  [0] INSTANCE OF OTHER-NAME,
           rfc822Name                 [1] IA5String,
           dNSName                    [2] IA5String,
           x400Address                [3] EXPLICIT OR-ADDRESS.&Type,
           directoryName              [4] EXPLICIT Name,
           ediPartyName               [5] EDIPartyName,
           uniformResourceIdentifier  [6] IA5String,
           iPAddress                  [7] OCTET STRING,
           registeredID               [8] OBJECT IDENTIFIER
        }
    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [3].
    Example 1: Assume that an X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri. Then the storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.
    Example 2: Assume that an X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker". Then the storage locations recommended, in priority order, would be
    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.
    3.2 Purpose-based X.509 CERT RR Names
    It is difficult for clients that do not already possess a certificate to reconstruct the content-based owner name that should be used to retrieve the certificate. For this reason, purpose-based owner names are recommended in this section. Because purpose-based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there is more than one recommendation.
    The following table summarizes the purpose-based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [11], and IPSEC [12].
    Scenario             Owner name
    S/MIME Certificate   Standard translation of RFC 822 email address.
                         Example: A S/MIME certificate for
                         postmaster@example.org will use a standard
                         hostname translation of the owner name,
                         i.e., postmaster.example.org.
    TLS Certificate      Hostname of the TLS server
    IPSEC Certificate    Hostname of the IPSEC machine and/or,
                         for the in-addr.arpa reverse lookup IP address
    An alternative approach for IPSEC is to store raw public keys [15].
    3.3 Content-based OpenPGP CERT RR Names
    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by OpenPGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.
    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. For example [...]

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-02.txt (2016-04-30)
