Total: 236

  • Diff: draft-ietf-dnsext-rfc2538bis-01.txt - draft-ietf-dnsext-rfc2538bis-02.txt
    based owner names are recommended in this section. Because purpose based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there is more than one recommendation. The following table summarizes the purpose based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [11] and IPSEC [12].

      Scenario             Owner name
      S/MIME Certificate   Standard translation of RFC 822 email address.
                           Example: A S/MIME certificate for postmaster@example.org
                           will use a standard hostname translation of the owner
                           name, i.e. postmaster.example.org.
      TLS Certificate      Hostname of the TLS server.
                           [was: SSL Certificate / Hostname of the SSL server.]
      IPSEC Certificate    Hostname of the IPSEC machine and/or, for the
                           in-addr.arpa reverse lookup, IP address.

    An alternative approach for IPSEC is to store raw public keys [15] [was: [12]].

    3.3. Content based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [5]. However, it is recommended by OpenPGP that such names include the RFC 2822 [7] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific ...

    3.4. Purpose based OpenPGP CERT RR Names

    Applications that receive an OpenPGP packet containing encrypted or signed data but do not know the email address of the sender will have difficulties constructing the correct owner name and cannot use the content based owner name guidelines. However, these clients commonly know the key fingerprint or the Key ID. The key ID is found in OpenPGP packets, and the key fingerprint is commonly found in auxiliary data that may be available. For these situations, it is recommended to use an owner name identical to the key fingerprint and key ID expressed in hexadecimal [14] [was: [11]]. For example:

      $ORIGIN example.org.
      0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP
      F835EDA21E94B565716F                     IN CERT PGP
      B565716F                                 IN CERT PGP

    If the same key material is stored at several owner names, CNAME may be used to avoid data duplication. Note that CNAME is not always applicable, because it maps an owner name to the other for all purposes, and this may be sub-optimal when two keys with the same Key ...

    ... taken may include using the fewest possible optional or extension fields and using short field values for variable-length fields that must be included.

    The RDATA field in the DNS protocol may only hold data of size 65535 octets (64kb) or less. This means that each CERT RR cannot contain more than 64kb worth of payload, even if the corresponding certificate or certificate revocation list is larger. This document addresses this by defining "indirect" data types for each normal type.

    5. Contributors [was: 5. Acknowledgements]

    The majority of this document is copied verbatim from RFC 2538 by ...

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-02-from-1.diff.html (2016-04-30)


    domain name related to their issuer. Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, such as \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations the client may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key. This motivates describing two different owner name guidelines. We call the two rules content based owner names and purpose based owner names.

    (Josefsson, Internet-Draft "Storing Certificates in the DNS", June 2005; expires December 12, 2005)

    A content based owner name is derived from the content of the CERT RR data, for example the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose based owner name is selected to be a name that clients that wish to retrieve CERT RRs are expected to know, for example the host name of an X.509 protected service or a Key ID of an OpenPGP key. Note that in some situations the content based and purpose based owner name can be the same, for example when a client looks up keys based on e-mail addresses for incoming e-mail.

    Implementations SHOULD use the purpose based owner name guidelines described in this document, and MAY use CNAMEs at content based owner names (or other names) pointing to the purpose based owner name.

    3.1. Content based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, X.509v3 has such Alternate Names with an ASN.1 specification as follows:

      GeneralName ::= CHOICE {
         otherName                 [0] INSTANCE OF OTHER-NAME,
         rfc822Name                [1] IA5String,
         dNSName                   [2] IA5String,
         x400Address               [3] EXPLICIT OR-ADDRESS.&Type,
         directoryName             [4] EXPLICIT Name,
         ediPartyName              [5] EDIPartyName,
         uniformResourceIdentifier [6] IA5String,
         iPAddress                 [7] OCTET STRING,
         registeredID              [8] OBJECT IDENTIFIER
      }

    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [4].

    Example 1: Assume that an X.509v3 certificate is issued to /CN=John Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri https://www.secure.john-doe.com:8080. Then the storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    Example 2: Assume that an X.509v3 certificate is issued to /CN=James Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker <hacker@mail.widget.foo.example>". Then the storage locations recommended, in priority order, would be
    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    3.2. Purpose based X.509 CERT RR Names

    It is difficult for clients that do not already possess a certificate to reconstruct the content based owner name that should be used to retrieve the certificate. For this reason, purpose based owner names are recommended in this section. Because purpose based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there is more than one recommendation. The following table summarizes the purpose based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [11] and IPSEC [12].

      Scenario             Owner name
      S/MIME Certificate   Standard translation of RFC 822 email address.
                           Example: A S/MIME certificate for postmaster@example.org
                           will use a standard hostname translation of the owner
                           name, i.e. postmaster.example.org.
      TLS Certificate      Hostname of the TLS server.
      IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4 or IPv6
                           addresses, the fully qualified domain name in the
                           appropriate reverse domain.

    An alternative approach for IPSEC is to store raw public keys [15].

    3.3. Content based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [6]. However, it is recommended by OpenPGP that such names include the RFC 2822 [8] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended. If a user has more than one email address, the CNAME type can be used to reduce the amount ...

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-03.txt (2016-04-30)

  • Diff: draft-ietf-dnsext-rfc2538bis-02.txt - draft-ietf-dnsext-rfc2538bis-03.txt
    by an absolute URI. The certificate portion of the CERT RR MUST begin with a null-terminated URI [5] [was: [4]], and the data after the null is the private format certificate itself. The URI SHOULD be such that a retrieval from it will lead to documentation on the format of the certificate. Recognition of private certificate types need not be based on URI equality but can use various forms of pattern matching, so that, for example, subtype or version information can also be encoded into the URI.

    The OID private type indicates a private format certificate specified by an ISO OID prefix. The certificate section will start with a one-byte unsigned OID length and then a BER-encoded OID indicating ...

    2.2. Text Representation of CERT RRs

    The RDATA portion of a CERT RR has the type field as an unsigned decimal integer or as a mnemonic symbol as listed in section 2.1 above.

    The key tag field is represented as an unsigned decimal integer.

    The algorithm field is represented as an unsigned decimal integer or a mnemonic symbol as listed in [10] [was: [9]].

    The certificate/CRL portion is represented in base 64 [14] and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis.

    Note that the certificate/CRL portion may have internal sub-fields, but these do not appear in the master file representation. For example, with type 254, there will be an OID size, an OID, and then ...

    ... certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [4] [was: [3]].

    Example 1: Assume that an X.509v3 certificate is issued to /CN=John Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri https://www.secure.john-doe.com:8080. Then the storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    ...

      Scenario             Owner name
      S/MIME Certificate   Standard translation of RFC 822 email address.
                           Example: A S/MIME certificate for postmaster@example.org
                           will use a standard ...

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-03-from-2.diff.html (2016-04-30)


    may result in the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, e.g. \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations the clients may not know all information about the CERT RR object they wish to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.

    (Josefsson, Internet-Draft "Storing Certificates in the DNS", August 2005; expires March 3, 2006)

    Therefore, two owner name guidelines are defined: content based owner names and purpose based owner names. A content based owner name is derived from the content of the CERT RR data, for example the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose based owner name is a name that a client retrieving CERT RRs MUST already know, for example the host name of an X.509 protected service or the Key ID of an OpenPGP key. The content based and purpose based owner name MAY be the same, for example when a client looks up a key based on the From: address of an incoming e-mail.

    Implementations SHOULD use the purpose based owner name guidelines described in this document, and MAY use CNAMEs of content based owner names (or other names) pointing to the purpose based owner name.

    3.1. Content based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, X.509v3 has such Alternate Names with an ASN.1 specification as follows:

      GeneralName ::= CHOICE {
         otherName                 [0] INSTANCE OF OTHER-NAME,
         rfc822Name                [1] IA5String,
         dNSName                   [2] IA5String,
         x400Address               [3] EXPLICIT OR-ADDRESS.&Type,
         directoryName             [4] EXPLICIT Name,
         ediPartyName              [5] EDIPartyName,
         uniformResourceIdentifier [6] IA5String,
         iPAddress                 [7] OCTET STRING,
         registeredID              [8] OBJECT IDENTIFIER
      }

    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used, but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [4].

    Example 1: An X.509v3 certificate is issued to /CN=John Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri https://www.secure.john-doe.com:8080. The storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    Example 2: An X.509v3 certificate is issued to /CN=James Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker <hacker@mail.widget.foo.example>". The storage locations recommended, in priority order, would be
    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    3.2. Purpose based X.509 CERT RR Names

    Due to the difficulty for clients that do not already possess a certificate to reconstruct the content based owner name, purpose based owner names are recommended in this section. Recommendations for purpose based owner names vary per scenario. The following table summarizes the purpose based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [11] and IPSEC [12].

      Scenario             Owner name
      S/MIME Certificate   Standard translation of an RFC 2822 email address.
                           Example: An S/MIME certificate for postmaster@example.org
                           will use a standard hostname translation of the owner
                           name, postmaster.example.org.
      TLS Certificate      Hostname of the TLS server.
      IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4 or IPv6
                           addresses, the fully qualified domain name in the
                           appropriate reverse domain.

    An alternate approach for IPSEC is to store raw public keys [15].

    3.3. Content based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [6]. However, it is recommended by OpenPGP that such names include the RFC 2822 [8] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT should be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. Example:

      $ORIGIN example.org.
      smith       IN CERT PGP 0 0
      john.smith  IN CNAME smith
      js          IN CNAME smith

    3.4. Purpose based OpenPGP CERT RR Names

    Applications that receive an OpenPGP packet containing encrypted or signed data but do not know the email address of the sender will have difficulties constructing the correct owner name ...

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-04.txt (2016-04-30)

  • Diff: draft-ietf-dnsext-rfc2538bis-03.txt - draft-ietf-dnsext-rfc2538bis-04.txt
    is the private format certificate itself. The URI SHOULD be such that a retrieval from it will lead to documentation on the format of the certificate. Recognition of private certificate types need not be based on URI equality but can use various forms of pattern matching, so that, for example, subtype or version information can also be encoded into the URI.

    The OID private type indicates a private format certificate specified by an ISO OID prefix [was: "by a an ISO OID prefix"]. The certificate section will start with a one-byte unsigned OID length and then a BER-encoded OID indicating the nature of the remainder of the certificate section. This can be an X.509 certificate format or some other format. X.509 certificates that conform to the IETF PKIX profile SHOULD be indicated by the PKIX type, not the OID private type. Recognition of private certificate types need not be based on OID equality but can use various forms of pattern matching such as OID prefix.

    2.2. Text Representation of CERT RRs

    The RDATA portion of a CERT RR has the type field as an unsigned decimal integer or as a mnemonic symbol as listed in section 2.1 above.

    The key tag field is represented as an unsigned decimal integer.

    The algorithm field is represented as an unsigned decimal integer or a mnemonic symbol as listed in [10].

    The certificate/CRL portion is represented in base 64 [14] and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis.

    Note that the certificate/CRL portion may have internal sub-fields, but these do not appear in the master file representation. For example, with type 254, there will be an OID size, an OID, and then the certificate/CRL proper. But only a single logical base 64 string will appear in the text representation.

    2.3. X.509 OIDs

    OIDs have been defined in connection with the X.500 directory for user certificates, certification authority certificates, revocations of certification authority, and revocations of user certificates. The following table lists the OIDs, their BER encoding, and their length-prefixed hex format for use in CERT RRs:

      id-at-userCertificate
          = { joint-iso-ccitt(2) ds(5) at(4) 36 }
          == 0x 03 55 04 24
      id-at-cACertificate
          = { joint-iso-ccitt(2) ds(5) at(4) 37 }
          == 0x 03 55 04 25
      id-at-authorityRevocationList
          = { joint-iso-ccitt(2) ds(5) at(4) 38 }
          == 0x 03 55 04 26

    ...

    It is recommended that certificate CERT RRs be stored under a domain name related to their subject, i.e. the name of the entity intended to control the private key corresponding to the public key being certified. It is recommended that certificate revocation list CERT RRs be stored under a domain name related to their issuer.

    Following some of the guidelines below may result in the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, e.g. [was: such as] \000 for NULL.

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations the clients [was: client] may not know all information about the CERT RR object they wish to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.

    Therefore, two owner name guidelines are defined: content based owner names and purpose based owner names. [was: This motivates describing two different owner name guidelines. We call the two rules content based owner names and purpose based owner names.] A content based owner name is derived from the content of the CERT RR data, for example the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose based owner name is a name that a client retrieving CERT RRs MUST already know [was: is selected to be a name that clients that wish to retrieve CERT RRs are expected to know], for example the host name of an X.509 protected service or the Key ID of an OpenPGP key. The content based and purpose based owner name MAY be the same, for example when a client looks up a key based on the From: address of an incoming e-mail. [was: Note that in some situations the content based and purpose based owner name can be the same, for example when a client looks up keys based on e-mail addresses for incoming e-mail.]

    Implementations SHOULD use the purpose based owner name guidelines described in this document, and MAY use CNAMEs of [was: at] content based owner names (or other names) pointing to the purpose based owner name.

    3.1. Content based X.509 CERT RR Names

    Some X.509 versions permit multiple names to be associated with subjects and issuers under "Subject Alternate Name" and "Issuer Alternate Name". For example, X.509v3 has such Alternate Names with an ASN.1 specification as follows:

      GeneralName ::= CHOICE {
         otherName                 [0] INSTANCE OF OTHER-NAME,
         rfc822Name                [1] IA5String,
         dNSName                   [2] IA5String,
         x400Address               [3] EXPLICIT OR-ADDRESS.&Type,
         directoryName             [4] EXPLICIT Name,
         ediPartyName              [5] EDIPartyName,
         uniformResourceIdentifier [6] IA5String,
         ...
         registeredID              [8] OBJECT IDENTIFIER
      }

    The recommended locations of CERT storage are as follows, in priority order:
    1. If a domain name is included in the identification in the certificate or CRL, that should be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name should be used.
    3. If neither of the above is used [was: it used], but a URI containing a domain name is present, that domain name should be used.
    4. If none of the above is included but a character string name is included, then it should be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) should be mapped into a domain name as specified in [4].

    Example 1: An X.509v3 certificate is issued to [was: Assume that an X.509v3 certificate is issued to] /CN=John Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a) string "John (the Man) Doe", (b) domain name john-doe.com, and (c) uri https://www.secure.john-doe.com:8080. The [was: Then the] storage locations recommended, in priority order, would be
    1. john-doe.com,
    2. www.secure.john-doe.com, and
    3. Doe.com.xy.

    Example 2: An X.509v3 certificate is issued to [was: Assume that an X.509v3 certificate is issued to] /CN=James Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker <hacker@mail.widget.foo.example>". The [was: Then the] storage locations recommended, in priority order, would be
    1. widget.foo.example,
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example.

    3.2. Purpose based X.509 CERT RR Names

    Due to the difficulty for clients that do not already possess a certificate to reconstruct the content based owner name, purpose based owner names are recommended in this section. Recommendations for purpose based owner names vary per scenario. [was: It is difficult for clients that do not already possess a certificate to reconstruct the content based owner name that should be used to retrieve the certificate. For this reason, purpose based owner names are recommended in this section. Because purpose based owner names by nature depend on the specific scenario or purpose for which the certificate will be used, there is more than one recommendation.] The following table summarizes the purpose based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [11] and IPSEC [12].

      Scenario             Owner name
      S/MIME Certificate   Standard translation of an RFC 2822 email address
                           [was: of RFC 822 email address]. Example: An S/MIME
                           certificate for postmaster@example.org will use a
                           standard hostname translation of the owner name,
                           i.e. postmaster.example ...
org postmaster example org TLS Certificate Hostname of the TLS server TLS Certificate Hostname of the TLS server IPSEC Certificate Hostname of the IPSEC machine and or for IPSEC Certificate Hostname of the IPSEC machine and or for IPv4 IPv4 or IPv6 addresses the fully qualified or IPv6 addresses the fully qualified domain domain name in the appropriate reverse domain name in the appropriate reverse domain An alternat iv e approach for IPSEC is to store raw public keys 15 An alternate approach for IPSEC is to store raw public keys 15 3 3 Content based OpenPGP CERT RR Names 3 3 Content based OpenPGP CERT RR Names OpenPGP signed keys certificates use a general character string OpenPGP signed keys certificates use a general character string User ID 6 However it is recommended by OpenPGP that such names User ID 6 However it is recommended by OpenPGP that such names include the RFC 2822 8 email address of the party as in Leslie include the RFC 2822 8 email address of the party as in Leslie Example Leslie host example If such a format is used the CERT Example Leslie host example If such a format is used the CERT should be under the standard translation of the email address into a should be under the standard translation of the email address into a domain name which would be leslie host example in this case If no domain name which would be leslie host example in this case If no RFC 2822 name can be extracted from the string name no specific RFC 2822 name can be extracted from the string name no specific domain name is recommended domain name is recommended If a user has more than one email address the CNAME type can be used If a user has more than one email address the CNAME type can be used to reduce the amount of data stored in the DNS For e xample to reduce the amount of data stored in the DNS E xample ORIGIN example org ORIGIN example org smith IN CERT PGP 0 0 OpenPGP binary smith IN CERT PGP 0 0 OpenPGP binary john smith IN CNAME smith john smith IN CNAME smith js IN 
CNAME smith js IN CNAME smith 3 4 Purpose based OpenPGP CERT RR Names 3 4 Purpose based OpenPGP CERT RR Names Applications that receive an OpenPGP packet containing encrypted or Applications that receive an OpenPGP packet containing encrypted or signed data but do not know the email address of the sender will have signed data but do not know the email address of the sender will have difficulties constructing the correct owner name and cannot use the difficulties constructing the correct
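Review bot: the IPSEC row of the purpose-based table (unchanged in this diff) covers "IPv4 or IPv6 addresses, the fully qualified domain name in the appropriate reverse domain", yet the only reverse-domain name anywhere in the excerpt is the IPv4 form in Example 2 (201.13.251.10.in-addr.arpa); adding an ip6.arpa name beside it would make the IPv6 mapping as concrete as the IPv4 one. Separately, rule 3's "it used" is fixed here, but Example 2 still says "Subject Alternate names" where Example 1 says "Subject Alternative Names"; the two should use the same term.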

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-04-from-3.diff.html (2016-04-30)


  • Josefsson                Expires March 12, 2006               [Page 6]
    Internet-Draft       Storing Certificates in the DNS      September 2005

    … some situations, the clients may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.

    Therefore, two owner name guidelines are defined: content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is a name that a client retrieving CERT RRs ought to already know; for example, the host name of an X.509 protected service or the Key ID of an OpenPGP key. The content-based and purpose-based owner name may be the same; for example, when a client looks up a key based on the From address of an incoming e-mail.

    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAME RRs at content-based owner names (or other names), pointing to the purpose-based owner name.

    Note that this section describes an application-based mapping from the name space used in a certificate to the name space used by DNS. The DNS does not infer any relationship amongst CERT resource records based on similarities or differences of the DNS owner name(s) of CERT resource records. For example, if multiple labels are used when mapping from a CERT identifier to a domain name, then care must be taken in understanding wildcard record synthesis.

    3.1. Content-based X.509 CERT RR Names

    Some X.509 versions, such as the PKIX profile of X.509 [9], permit multiple names to be associated with subjects and issuers under "Subject Alternative Name" and "Issuer Alternative Name". For example, the PKIX profile has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
            otherName                 [0] OtherName,
            rfc822Name                [1] IA5String,
            dNSName                   [2] IA5String,
            x400Address               [3] ORAddress,
            directoryName             [4] Name,
            ediPartyName              [5] EDIPartyName,
            uniformResourceIdentifier [6] IA5String,
            iPAddress                 [7] OCTET STRING,
            registeredID              [8] OBJECT IDENTIFIER }

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that ought be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name ought to be used.
    3. If neither of the above is used but a URI containing a domain name is present, that domain name ought to be used.
    4. If none of the above is included but a character string name is included, then it ought to be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) ought to be mapped into a domain name as specified in [4].

    Example 1: An X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative Names of (a) string "John (the Man) Doe", (b) domain name john.doe.com, and (c) URI. The storage locations recommended, in priority order, would be:
    1. john.doe.com
    2. www.secure.john.doe.com, and
    3. Doe.com.xy

    Example 2: An X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker". The storage locations recommended, in priority order, would be:
    1. widget.foo.example
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example

    3.2. Purpose-based X.509 CERT RR Names

    Due to the difficulty for clients that do not already possess a certificate to reconstruct the content-based owner name, purpose-based owner names are recommended in this section. Recommendations for purpose-based owner names vary per scenario. The following table summarizes the purpose-based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [12], and IPSEC [13].

        Scenario             Owner name
        ------------------------------------------------------------------
        S/MIME Certificate   Standard translation of an RFC 2822 email
                             address. Example: An S/MIME certificate for
                             "postmaster@example.org" will use a standard
                             hostname translation of the owner name,
                             "postmaster.example.org".

        TLS Certificate      Hostname of the TLS server.

        IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4
                             or IPv6 addresses, the fully qualified domain
                             name in the appropriate reverse domain.

    An alternate approach for IPSEC is to store raw public keys [17].

    3.3. Content-based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [6]. However, it is recommended by OpenPGP that such names include the RFC 2822 [8] email address of the party, as in "Leslie Example". If such a format is used, the CERT ought to be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. Example:

        $ORIGIN example.org
        smith        IN CERT PGP 0 0
        john.smith   IN CNAME smith
        js           IN CNAME smith

    3.4. Purpose-based OpenPGP CERT …

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-05.txt (2016-04-30)
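The priority list of section 3.1 and the e-mail translation of section 3.3 in the -05 text above, as an added worked example (this is not the draft's or its author's code): a Python routine that derives content-based CERT owner names from a certificate's names in the draft's order and reproduces Examples 1 and 2. The CertNames container, the e-mail regex and the DC-join used for the DN step (the draft's reference [4] is not on this page) are assumptions of this example; the IPv6 reverse form and the RFC 1035 section 5.1 quoting go beyond the two examples in the text.

```python
"""Content-based CERT RR owner names, following the priority list in
section 3.1 of the rfc2538bis drafts and the e-mail translation of
section 3.3.  Added example; not the draft's code."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CertNames:
    """Assumed pre-parsed view of a certificate's names (a real caller
    fills it from the SubjectAltName extension and the Subject DN)."""
    dns_names: list = field(default_factory=list)     # dNSName [2]
    ip_addresses: list = field(default_factory=list)  # iPAddress [7], as text
    uris: list = field(default_factory=list)          # uniformResourceIdentifier [6]
    strings: list = field(default_factory=list)       # otherName / free-text names
    subject_dn: str = ""                              # RFC 4514 string form


_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
_EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>|([^\s<>@]+@[^\s<>@]+)")


def quote_label(label):
    """Master-file quoting per RFC 1035 section 5.1: \\X for a printable
    special character, \\DDD (decimal octet value) for anything else,
    e.g. a space becomes \\032."""
    out = []
    for ch in label:
        if ch in _SAFE:
            out.append(ch)
        elif 0x21 <= ord(ch) <= 0x7E:
            out.append("\\" + ch)
        else:
            out.extend("\\%03d" % b for b in ch.encode("utf-8"))
    return "".join(out)


def email_to_owner(email):
    """Standard translation of an RFC 2822 address: '@' becomes a label
    separator and dots in the local part stay label separators, so
    john.smith@example.org gives the two-label john.smith.example.org
    (the multi-label case behind the draft's wildcard caveat)."""
    local, at, domain = email.strip().rpartition("@")
    labels = local.split(".") + domain.split(".")
    if not at or any(not 0 < len(l.encode()) <= 63 for l in labels):
        raise ValueError("not a translatable e-mail address: %r" % email)
    return ".".join(quote_label(l) for l in labels).lower()


def reverse_name(ip_text):
    """in-addr.arpa for IPv4, nibble-reversed ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip_text).reverse_pointer


def email_in_string(text):
    """First RFC 2822 address found in a character-string name, or None."""
    m = _EMAIL_RE.search(text)
    return (m.group(1) or m.group(2)) if m else None


def dn_to_owner(dn):
    """Join the DC= components in order (Doe.com.xy for Example 1).  The
    draft's reference [4] is not on this page, so this join is an
    assumption; the comma split also ignores RFC 4514 escaping."""
    dcs = [p.split("=", 1)[1].strip() for p in dn.split(",")
           if p.strip().upper().startswith("DC=")]
    return ".".join(dcs) if dcs else None


def owner_names(names):
    """Candidate owner names in the draft's priority order, de-duplicated
    case-insensitively (DNS names compare case-insensitively)."""
    found = list(names.dns_names)                                          # 1
    found += [reverse_name(ip) for ip in names.ip_addresses]              # 2
    found += [h for h in (urlsplit(u).hostname for u in names.uris) if h]  # 3
    for s in names.strings:                                                # 4
        e = email_in_string(s)
        if e:
            found.append(email_to_owner(e))
    dn = dn_to_owner(names.subject_dn) if names.subject_dn else None       # 5
    if dn:
        found.append(dn)
    seen, out = set(), []
    for n in found:
        if n.lower() not in seen:
            seen.add(n.lower())
            out.append(n)
    return out


# The draft's two examples, transcribed from the text above.
EXAMPLE_1 = CertNames(dns_names=["john.doe.com"],
                      uris=["https://www.secure.john.doe.com:8080/"],
                      strings=["John (the Man) Doe"],
                      subject_dn="CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY")
EXAMPLE_2 = CertNames(dns_names=["widget.foo.example"],
                      ip_addresses=["10.251.13.201"],
                      strings=["James Hacker <hacker@mail.widget.foo.example>"],
                      subject_dn="CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB")

if __name__ == "__main__":
    for ex in (EXAMPLE_1, EXAMPLE_2):
        for i, n in enumerate(owner_names(ex), 1):
            print("%d. %s" % (i, n))
        print()
```

Running the block prints the two numbered lists from the draft. Note that the e-mail step keeps dots of the local part as label boundaries, which is exactly how john.smith ends up two labels below example.org in the draft's CNAME fragment, and why its section 3 warns about wildcard synthesis for such names.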

  • Diff: draft-ietf-dnsext-rfc2538bis-04.txt - draft-ietf-dnsext-rfc2538bis-05.txt
    Excerpt of the -04 to -05 diff, shown as the -05 text; the -04 wording of each changed passage is listed under "Changes" at the end.

          254      OID      OID private
          255-65534         available for IANA assignment
          65535             reserved

    The PKIX type is reserved to indicate an X.509 certificate conforming to the profile defined by the IETF PKIX working group [9]. The certificate section will start with a one-byte unsigned OID length and then an X.500 OID indicating the nature of the remainder of the certificate section (see 2.3 below). (NOTE: X.509 certificates do not include their X.500 directory type designating OID as a prefix.)

    The SPKI type is reserved to indicate the SPKI certificate format [14], for use when the SPKI documents are moved from experimental status.

    The PGP type indicates an OpenPGP packet as described in [6] and its extensions and successors. Two uses are to transfer public key material and revocation signatures. The data is binary and MUST NOT be encoded into an ASCII armor. An implementation SHOULD process transferable public keys as described in section 10.1 of [6], but it MAY handle additional OpenPGP packets.

    The IPKIX, ISPKI and IPGP types indicate a URL which will serve the …

    [skipping to change at page 5, line 44 (-04) / line 46 (-05)]

    2.2. Text Representation of CERT RRs

    The RDATA portion of a CERT RR has the type field as an unsigned decimal integer or as a mnemonic symbol as listed in section 2.1 above.

    The key tag field is represented as an unsigned decimal integer.

    The algorithm field is represented as an unsigned decimal integer or a mnemonic symbol as listed in [11].

    The certificate/CRL portion is represented in base 64 [15] and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis.

    Note that the certificate/CRL portion may have internal sub-fields, but these do not appear in the master file representation. For example, with type 254, there will be an OID size, an OID, and then the certificate/CRL proper. But only a single logical base 64 string will appear in the text representation.

    [skipping to change at page 6, line 41 (-04) / line 42 (-05)]

    3. Appropriate Owner Names for CERT RRs

    It is recommended that certificate CERT RRs be stored under a domain name related to their subject, i.e., the name of the entity intended to control the private key corresponding to the public key being certified. It is recommended that certificate revocation list CERT RRs be stored under a domain name related to their issuer.

    Following some of the guidelines below may result in the use in DNS names with characters that require DNS quoting as per section 5.1 of RFC 1035 [2].

    The choice of name under which CERT RRs are stored is important to clients that perform CERT queries. In some situations, the clients may not know all information about the CERT RR object it wishes to retrieve. For example, a client may not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.

    Therefore, two owner name guidelines are defined: content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is a name that a client retrieving CERT RRs ought to already know; for example, the host name of an X.509 protected service or the Key ID of an OpenPGP key. The content-based and purpose-based owner name may be the same; for example, when a client looks up a key based on the From address of an incoming e-mail.

    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAME RRs at content-based owner names (or other names), pointing to the purpose-based owner name.

    Note that this section describes an application-based mapping from the name space used in a certificate to the name space used by DNS. The DNS does not infer any relationship amongst CERT resource records based on similarities or differences of the DNS owner name(s) of CERT resource records. For example, if multiple labels are used when mapping from a CERT identifier to a domain name, then care must be taken in understanding wildcard record synthesis.

    3.1. Content-based X.509 CERT RR Names

    Some X.509 versions, such as the PKIX profile of X.509 [9], permit multiple names to be associated with subjects and issuers under "Subject Alternative Name" and "Issuer Alternative Name". For example, the PKIX profile has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
            otherName                 [0] OtherName,
            rfc822Name                [1] IA5String,
            dNSName                   [2] IA5String,
            x400Address               [3] ORAddress,
            directoryName             [4] Name,
            ediPartyName              [5] EDIPartyName,
            uniformResourceIdentifier [6] IA5String,
            iPAddress                 [7] OCTET STRING,
            registeredID              [8] OBJECT IDENTIFIER }

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that ought be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name ought to be used.
    3. If neither of the above is used but a URI containing a domain name is present, that domain name ought to be used.
    4. If none of the above is included but a character string name is included, then it ought to be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) ought to be mapped into a domain name as specified in [4].

    Example 1: An X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative Names of (a) string "John (the Man) Doe", (b) domain name john.doe.com, and (c) URI https://www.secure.john.doe.com:8080. The storage locations recommended, in priority order, would be:
    1. john.doe.com
    2. www.secure.john.doe.com, and
    3. Doe.com.xy

    Example 2: An X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker <hacker@mail.widget.foo.example>". The storage locations recommended, in priority order, would be:

    [skipping to change at page 8, line 33 (-04) / line 43 (-05)]

    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example

    3.2. Purpose-based X.509 CERT RR Names

    Due to the difficulty for clients that do not already possess a certificate to reconstruct the content-based owner name, purpose-based owner names are recommended in this section. Recommendations for purpose-based owner names vary per scenario. The following table summarizes the purpose-based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [12], and IPSEC [13].

        Scenario             Owner name
        ------------------------------------------------------------------
        S/MIME Certificate   Standard translation of an RFC 2822 email
                             address. Example: An S/MIME certificate for
                             "postmaster@example.org" will use a standard
                             hostname translation of the owner name,
                             "postmaster.example.org".

        TLS Certificate      Hostname of the TLS server.

        IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4
                             or IPv6 addresses, the fully qualified domain
                             name in the appropriate reverse domain.

    An alternate approach for IPSEC is to store raw public keys [17].

    3.3. Content-based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [6]. However, it is recommended by OpenPGP that such names include the RFC 2822 [8] email address of the party, as in "Leslie Example <Leslie@host.example>". If such a format is used, the CERT ought to be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. Example:

        $ORIGIN example.org
        smith        IN CERT PGP 0 0 <OpenPGP binary>
        john.smith   IN CNAME smith
        js           IN CNAME smith

    3.4. Purpose-based OpenPGP CERT RR Names

    Applications that receive an OpenPGP packet containing encrypted or signed data but do not know the email address of the sender will have difficulties constructing the correct owner name and cannot use the content-based owner name guidelines. However, these clients commonly know the key fingerprint or the Key ID. The key ID is found in OpenPGP packets, and the key fingerprint is commonly found in auxiliary data that may be available. In this case, use of an owner name identical to the key fingerprint and …

    Changes from -04 to -05 in this excerpt:
    - "the profile being defined by the IETF PKIX working group" -> "the profile defined by the IETF PKIX working group [9]".
    - Reference numbers shifted: SPKI format [13] -> [14]; algorithm mnemonic list [10] -> [11]; base 64 [14] -> [15]; SSL/TLS [11] -> [12]; IPSEC [12] -> [13]; raw public keys [15] -> [17].
    - The quoting sentence "... the use in DNS names of characters that require DNS quoting, which is to use a backslash followed by the octal representation of the ASCII code for the character, e.g. \000 for NULL" -> "... the use in DNS names with characters that require DNS quoting as per section 5.1 of RFC 1035 [2]".
    - "a name that a client retrieving CERT RRs MUST already know" -> "ought to already know"; "MAY be the same" -> "may be the same".
    - "MAY use CNAMEs of content-based owner names or other names pointing to" -> "MAY use CNAME RRs at content-based owner names (or other names), pointing to".
    - The paragraph beginning "Note that this section describes an application-based mapping ..." is new in -05.
    - 3.1 opening: "Some X.509 versions permit multiple names ... under "Subject Alternate Name" and "Issuer Alternate Name". For example, X.509v3 has such Alternate Names ..." -> the PKIX-profile wording above; in the ASN.1, "INSTANCE OF OTHER-NAME" -> "OtherName", "EXPLICIT OR-ADDRESS.&Type" -> "ORAddress", "EXPLICIT Name" -> "Name".
    - Storage-location rules: "should be used/treated/mapped" -> "ought (to) be used/treated/mapped"; rule 1 reads "that ought be used".
    - Example 1: "uri" -> "URI".
    - 3.3: "the CERT should be under" -> "the CERT ought to be under".
    - 3.4: "auxilliary" -> "auxiliary".
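Review bot: rule 1 of the storage-location list now reads "that ought be used" while rules 2 to 5 read "ought to be used/treated/mapped"; the "to" is missing in rule 1. The DNS-quoting sentence in section 3 was also reduced to a bare pointer to section 5.1 of RFC 1035, dropping the one concrete instance the -04 text gave (\000 for NULL); a short example beside the citation would keep the syntax visible to implementers, and the new wildcard-synthesis note would read better with a cross-reference to the multi-label names this very excerpt produces (john.smith, hacker.mail.widget.foo.example).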

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-05-from-4.diff.html (2016-04-30)


  • Josefsson                Expires March 19, 2006               [Page 6]
    Internet-Draft       Storing Certificates in the DNS      September 2005

    … not know the subject name of an X.509 certificate, or the e-mail address of the owner of an OpenPGP key. Further, the client might only know the hostname of a service that uses X.509 certificates or the Key ID of an OpenPGP key.

    Therefore, two owner name guidelines are defined: content-based owner names and purpose-based owner names. A content-based owner name is derived from the content of the CERT RR data; for example, the Subject field in an X.509 certificate or the User ID field in OpenPGP keys. A purpose-based owner name is a name that a client retrieving CERT RRs ought to already know; for example, the host name of an X.509 protected service or the Key ID of an OpenPGP key. The content-based and purpose-based owner name may be the same; for example, when a client looks up a key based on the From address of an incoming e-mail.

    Implementations SHOULD use the purpose-based owner name guidelines described in this document, and MAY use CNAME RRs at content-based owner names (or other names), pointing to the purpose-based owner name.

    Note that this section describes an application-based mapping from the name space used in a certificate to the name space used by DNS. The DNS does not infer any relationship amongst CERT resource records based on similarities or differences of the DNS owner name(s) of CERT resource records. For example, if multiple labels are used when mapping from a CERT identifier to a domain name, then care must be taken in understanding wildcard record synthesis.

    3.1. Content-based X.509 CERT RR Names

    Some X.509 versions, such as the PKIX profile of X.509 [9], permit multiple names to be associated with subjects and issuers under "Subject Alternative Name" and "Issuer Alternative Name". For example, the PKIX profile has such Alternate Names with an ASN.1 specification as follows:

        GeneralName ::= CHOICE {
            otherName                 [0] OtherName,
            rfc822Name                [1] IA5String,
            dNSName                   [2] IA5String,
            x400Address               [3] ORAddress,
            directoryName             [4] Name,
            ediPartyName              [5] EDIPartyName,
            uniformResourceIdentifier [6] IA5String,
            iPAddress                 [7] OCTET STRING,
            registeredID              [8] OBJECT IDENTIFIER }

    The recommended locations of CERT storage are as follows, in priority order:

    1. If a domain name is included in the identification in the certificate or CRL, that ought be used.
    2. If a domain name is not included but an IP address is included, then the translation of that IP address into the appropriate inverse domain name ought to be used.
    3. If neither of the above is used but a URI containing a domain name is present, that domain name ought to be used.
    4. If none of the above is included but a character string name is included, then it ought to be treated as described for OpenPGP names below.
    5. If none of the above apply, then the distinguished name (DN) ought to be mapped into a domain name as specified in [4].

    Example 1: An X.509v3 certificate is issued to CN=John Doe, DC=Doe, DC=com, DC=xy, O=Doe Inc, C=XY with Subject Alternative Names of (a) string "John (the Man) Doe", (b) domain name john.doe.com, and (c) URI. The storage locations recommended, in priority order, would be:
    1. john.doe.com
    2. www.secure.john.doe.com, and
    3. Doe.com.xy

    Example 2: An X.509v3 certificate is issued to CN=James Hacker, L=Basingstoke, O=Widget Inc, C=GB with Subject Alternate names of (a) domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and (c) string "James Hacker". The storage locations recommended, in priority order, would be:
    1. widget.foo.example
    2. 201.13.251.10.in-addr.arpa, and
    3. hacker.mail.widget.foo.example

    3.2. Purpose-based X.509 CERT RR Names

    Due to the difficulty for clients that do not already possess a certificate to reconstruct the content-based owner name, purpose-based owner names are recommended in this section. Recommendations for purpose-based owner names vary per scenario. The following table summarizes the purpose-based X.509 CERT RR owner name guidelines for use with S/MIME [16], SSL/TLS [12], and IPSEC [13].

        Scenario             Owner name
        ------------------------------------------------------------------
        S/MIME Certificate   Standard translation of an RFC 2822 email
                             address. Example: An S/MIME certificate for
                             "postmaster@example.org" will use a standard
                             hostname translation of the owner name,
                             "postmaster.example.org".

        TLS Certificate      Hostname of the TLS server.

        IPSEC Certificate    Hostname of the IPSEC machine and/or, for IPv4
                             or IPv6 addresses, the fully qualified domain
                             name in the appropriate reverse domain.

    An alternate approach for IPSEC is to store raw public keys [17].

    3.3. Content-based OpenPGP CERT RR Names

    OpenPGP signed keys (certificates) use a general character string User ID [6]. However, it is recommended by OpenPGP that such names include the RFC 2822 [8] email address of the party, as in "Leslie Example". If such a format is used, the CERT ought to be under the standard translation of the email address into a domain name, which would be leslie.host.example in this case. If no RFC 2822 name can be extracted from the string name, no specific domain name is recommended.

    If a user has more than one email address, the CNAME type can be used to reduce the amount of data stored in the DNS. Example:

        $ORIGIN example.org
        smith        IN CERT PGP 0 0
        john.smith   IN CNAME smith
        js           IN CNAME smith

    3.4. Purpose-based OpenPGP CERT RR Names

    Applications that receive an OpenPGP packet containing encrypted or signed data but do not know the email address of the sender …

    Original URL path: http://www.josefsson.org/rfc2538bis/draft-ietf-dnsext-rfc2538bis-06.txt (2016-04-30)
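The CERT record in the zone fragment above ("smith IN CERT PGP 0 0 ...") is written in the text representation the drafts define in section 2.2: the type as a number or mnemonic, the key tag, the algorithm, then base64 that may be split into whitespace-separated substrings inside parentheses; for type 254 the certificate section carries a one-byte OID length and the OID ahead of the certificate proper. As an added example (not the draft's code), a Python parser and encoder for that RDATA with a round trip through the wire form. The sample record is constructed (its certificate bytes are not a real OpenPGP packet), the algorithm mnemonic table is a three-entry subset, and the OID helpers assume the DER content-octet encoding of the OID.

```python
"""CERT RR text and wire representation per section 2 of the rfc2538bis
drafts.  Added example; not the draft's code."""
import base64
import struct

# Type mnemonics from the drafts' table (section 2.1); 255-65534 are left
# for IANA assignment and 65535 is reserved.
CERT_TYPES = {"PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
              "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254}
TYPE_NAMES = {v: k for k, v in CERT_TYPES.items()}
# The algorithm field reuses the DNSSEC algorithm numbers; this subset
# (RFC 4034 appendix A.1) is an assumption of this example.
ALGORITHMS = {"RSAMD5": 1, "DSA": 3, "RSASHA1": 5}

def _field(token, table, limit):
    """Unsigned decimal integer or a mnemonic from table, range-checked."""
    value = int(token) if token.isdigit() else table.get(token.upper())
    if value is None or not 0 <= value <= limit:
        raise ValueError("bad CERT field %r" % token)
    return value

def parse_cert_rdata(text):
    """RDATA text -> (type, key tag, algorithm, certificate bytes).
    Comments (';'), parentheses and whitespace splits in the base64 are
    handled as section 2.2 describes: the substrings are concatenated."""
    tokens = text.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    if len(tokens) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm and data")
    ctype = _field(tokens[0], CERT_TYPES, 65535)
    keytag = _field(tokens[1], {}, 65535)
    alg = _field(tokens[2], ALGORITHMS, 255)
    cert = base64.b64decode("".join(tokens[3:]), validate=True)
    return ctype, keytag, alg, cert

def parse_cert_rr(line):
    """'owner [ttl] [class] CERT <rdata>' -> (owner, parsed rdata)."""
    tokens = line.split(";", 1)[0].split()
    idx = next(i for i, t in enumerate(tokens) if t.upper() == "CERT")
    return tokens[0], parse_cert_rdata(" ".join(tokens[idx + 1:]))

def to_wire(ctype, keytag, alg, cert):
    """Wire RDATA: 16-bit type, 16-bit key tag, 8-bit algorithm, data."""
    return struct.pack("!HHB", ctype, keytag, alg) + cert

def from_wire(rdata):
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed header")
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    return ctype, keytag, alg, rdata[5:]

def to_text(ctype, keytag, alg, cert, width=56):
    """Master-file form, base64 split across lines inside parentheses."""
    b64 = base64.b64encode(cert).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)] or [""]
    return "%s %d %d ( %s )" % (TYPE_NAMES.get(ctype, str(ctype)),
                                keytag, alg, "\n    ".join(chunks))

def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(data):
    """Inverse of encode_oid; the first octet is split in the simple form,
    valid while 40*arc1 + arc2 < 128 (the usual 1.2.x and 1.3.x OIDs)."""
    if not data or data[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def oid_section(dotted, body):
    """Type-254 certificate section: one-byte OID length, OID, then body."""
    oid = encode_oid(dotted)
    if not 0 < len(oid) < 256:
        raise ValueError("OID length must fit one byte")
    return bytes([len(oid)]) + oid + body

def split_oid_section(section):
    """Inverse of oid_section -> (dotted OID, remainder)."""
    n = section[0] if section else 0
    if n == 0 or len(section) < 1 + n:
        raise ValueError("truncated OID prefix")
    return decode_oid(section[1:1 + n]), section[1 + n:]

# Constructed sample: the bytes are NOT a real OpenPGP packet; they only
# stand in for the "<OpenPGP binary>" of the zone fragment above.
SAMPLE_BLOB = b"\xc6\x13constructed-openpgp"
_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_RR = "smith IN CERT PGP 0 0 ( %s\n    %s ) ; <OpenPGP binary>" % (_B64[:12], _B64[12:])

if __name__ == "__main__":
    owner, fields = parse_cert_rr(SAMPLE_RR)
    print(owner, TYPE_NAMES[fields[0]], fields[1], fields[2], len(fields[3]), "bytes")
    print(to_text(*from_wire(to_wire(*fields))))
```

The parser concatenates every base64 substring before decoding, as the draft requires, so a record split over several lines inside parentheses and a single-line record decode to the same bytes; `validate=True` rejects stray characters instead of silently dropping them. For type 254 the OID prefix is part of the certificate section and therefore inside the one logical base64 string, which is why `oid_section` and `split_oid_section` operate on the decoded bytes rather than on the text.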


