Skip to main content

Internet X.509 Public Key Infrastructure Repository Locator Service
draft-ietf-pkix-pkixrep-04

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 4386.
Authors Phillip Hallam-Baker , Sharon Boeyen
Last updated 2015-10-14 (Latest revision 2005-09-12)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Experimental
Formats
Additional resources Mailing list discussion
Stream WG state (None)
Document shepherd (None)
IESG IESG state Became RFC 4386 (Experimental)
Action Holders
(None)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD Russ Housley
Send notices to <wpolk@nist.gov>
draft-ietf-pkix-pkixrep-04
Internet Draft                                             S. Boeyen 
   PKIX Working Group                                      Entrust Inc. 
   Document: draft-ietf-pkix-pkixrep-04.txt             P. Hallam-Baker 
   Expires: Jan 2006                                      VeriSign Inc. 
   Experimental                                          September 2005 
    
    
                   Internet X.509 Public Key Infrastructure 
                           Repository Locator Service 
                      <draft-ietf-pkix-pkixrep-04.txt> 
    
Status of this Memo 
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups.  Note that 
   other groups may also distribute working documents as Internet-
   Drafts. 
    
   Internet-Drafts are draft documents valid for a maximum of six months 
   and may be updated, replaced, or obsoleted by other documents at any 
   time. It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress." 
    
   The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt 
    
   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html. 
    
   This Internet-Draft will expire in Jan 2006. Comments should be sent 
   to the PKIX mail list at:  ietf-pkix@imc.org. 
    
   By submitting this Internet-Draft, each author represents that any 
   applicable patent or other IPR claims of which he or she is aware 
   have been or will be disclosed, and any of which he or she becomes 
   aware will be disclosed, in accordance with Section 6 of BCP 79. 
    
Abstract 
    
   This document defines a PKI repository locator service. The service 
   makes use of DNS SRV records defined in accordance with RFC 2782. The 
   service enables certificate using systems to locate PKI repositories 
    
    
    
    
Conventions used in this document 
    

 
 
 
Boeyen & Hallam-Baker      Expires Feb 2006                   [Page 1] 

                               PKIXREP                 September 2005 
 
 
   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", 
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, 
   as shown) are to be interpreted as described in [RFC2119]. 
    
   In examples, "C:" and "S:" indicate lines sent by the client and 
   server respectively. 
    
Table of Contents 
    
   1. Overview.......................................................2 
   2. SRV RR definition..............................................2 
      2.1 Assignment of new protocol prefixes........................3 
      2.2 Use of multiple repositories...............................3 
      2.3 SRV RR example.............................................3 
   3. Security considerations........................................4 
   4. IANA Considerations............................................4 
   Copyright.........................................................4 
   References........................................................5 
   Author's Addresses................................................5 
    
1.   Overview 
    
   Operational protocols have been specified for retrieval of PKI data, 
   including public-key certificates and revocation information, from 
   PKI repositories in a number of RFCs including RFC 2559, RFC 2560     
   and RFC 2585. These RFCs assume that a certificate using system has 
   the knowledge information necessary to identify, locate and connect 
   to the PKI repository with a specific protocol. Although there are 
   some tools available in protocol-specific environments for this 
   purpose, such as knowledge references in directory systems, these are 
   restricted to use with a single protocol and do not share a common 
   means of publication. This draft provides a solution to this problem 
   through the use of SRV RRs in DNS. This solution is expected to be 
   particularly useful in environments where only a domain name is 
   available. In other situations (e.g. where a certificate is available 
   that contains the required information), such a DNS lookup is not 
   needed. 
    
   RFC 2782 defines a DNS RR for specifying the location of services 
   (SRV). This Internet-draft defines SRV records for a PKI repository 
   locator service to enable PKI clients to obtain the necessary 
   information to connect to a domain's PKI repository, including 
   information about each protocol that is supported by that domain for 
   access to its repository. This Internet-draft includes the definition 
   of a SRV RR format for this service and an example of its potential 
   use in an email environment. 
    
2.   SRV RR definition 
    
 
 
Boeyen & Hallam-Baker      Expires Feb 2006                   [Page 2] 

                               PKIXREP                 September 2005 
 
 
   The format of the SRV RR, whose DNS type code is 33, is: 
    
    _Service._Proto.Name TTL Class SRV Priority Weight Port Target 
    
   For the PKI repository locator service, this draft uses the symbolic 
   name "PKIXREP". Note that when used in an SRV RR, this name MUST 
   be prepended with a "_" character. 
    
   The protocols that can be included in PKIXREP SRV RRs are: 
    
      Protocol     SRV Prefix 
    
      LDAP         _LDAP 
      HTTP         _HTTP 
      OCSP         _OCSP 
       
2.1     Assignment of new protocol prefixes 
    
   Protocol prefix assignments for new PKIX repository protocols SHOULD 
   be defined in the document that specifies the protocol. 
    
2.2     Use of multiple repositories 
    
   The existence of multiple repositories MAY be determined by making 
   separate DNS queries for each of the protocols supported by the 
   client. 
    
   If this approach is found to be unacceptably inefficient due to a 
   proliferation of repository protocols at a future date the service 
   discovery protocol could be extended to allow the repository to 
   advertise the protocols supported. 
    
2.3     SRV RR example 
    
   This example uses fictional domain "example.com" as an aid in 
   understanding the use of SRV records by a certificate using system. 
    
   Let an email client that needs a certificate for a recipient be Alice 
   and assume that Alice's client system supports LDAP for certificate 
   retrieval. Let the message recipient be Bob and let Bob's email 
   address be bob@example.com. Assume that example.test maintains a 
   "border directory" PKI repository and that Bob's certificate is 
   available from that directory "border.example.com" via LDAP.   
    
   Alice's client system retrieves, via DNS, the SRV record for 
   _PKIXREP._LDAP.example.com.  
    
        - the QNAME of the DNS query is _PKIXREP._LDAP.example.com 
        - the QCLASS of the DNS query is IN 
 
 
Boeyen & Hallam-Baker      Expires Feb 2006                   [Page 3] 

                               PKIXREP                 September 2005 
 
 
        - the QTYPE of the DNS query is SRV 
    
   The result SHOULD include the host address for example.com's border 
   directory system. 
    
   Note that if example.com operated their service on a number of hosts, 
   more than one SRV RR would be returned. In this case, RFC 2782 
   defines the procedure to be followed in determining which of these 
   should be accessed first. 
    
3.   Security considerations 
    
   Security issues regarding PKI repositories themselves are outside the 
   scope of this specification. For LDAP repositories, for example, 
   specific security considerations are addressed in RFC 2559. 
    
   Security issues with respect to the use of SRV records in general are 
   addressed in RFC 2782 and these issues apply to the use of SRV 
   records in the context of the PKIXREP service defined here. 
    
4.   IANA Considerations 
    
   This document reserves the use of "_PKIXREP" Service label. Since 
   this relates to a service which may pass messages over a number of 
   different message transports, they must be associated with a specific 
   transport. 
    
   In order to ensure that the association between "_PKIXREP" and their 
   respective underlying services is deterministic, this document 
   requests that IANA create a registry: The PKIX SRV Protocol Label.  
    
   For this registry, an entry shall consist of a label name and a 
   pointer to a specification describing how the protocol named in the 
   label uses SRV. Specifications should conform to the requirements 
   listed in RFC 2434 for "specification required". 
    
Copyright 
    
   Copyright (C) The Internet Society (2005). 
    
   This document is subject to the rights, licenses and restrictions 
   contained in BCP 78, and except as set forth therein, the authors 
   retain all their rights." 
    
   This document and the information contained herein are provided on an 
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 
 
 
Boeyen & Hallam-Baker      Expires Feb 2006                   [Page 4] 

                               PKIXREP                 September 2005 
 
 
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
    
 
References 
    
   [RFC 2119] Bradner, S., "Keywords for use in RFCs to indicate  
              requirement levels, March 1997. 
    
   [RFC 2782] Gulbrandsen, A. Vixie, P. and Esibov, L., "A DNS RR for  
              specifying the location of services (DNS SRV)", Feb 2000. 
    
   [RFC 2559] Boeyen, S. Howes, T. and Richard, P., "Internet X.509  
              Public Key Infrastructure Operational Protocols - LDAPv2", 
              April 1999. 
    
   [RFC 2560] Myers, M. Ankney, R. Malpani, A. Galperin, S. and Adams, C.  
              "Internet X.509 Public Key Infrastructure Online Certificate  
              Status Protocol - OCSP", June 1999. 
    
   RFC 2585] Housley, R. and Hoffman, P. "Internet X.509 Public Key  
             Infrastructure Operational Protocols: FTP and HTTP",  
             May, 1999. 
    
   RFC 2434] Narten, T. and Alvestrand, H. "Guidelines for Writing an  
             IANA Considerations Section in RFCs", RFC 2434, BCP 26,  
             October 1998. 
 
Author's Addresses 
    
   Sharon Boeyen                      
   Entrust  
   1000 Innovation Drive         
   Ottawa, Ontario                    
   Canada K2K 3E7                     
   email: sharon.boeyen@entrust.com 
    
   Phillip M. Hallam-Baker 
   VeriSign Inc. 
   401 Edgewater Place, Suite 280 
   Wakefield MA 01880 
   email: pbaker@VeriSign.com 

 
 
Boeyen & Hallam-Baker      Expires Feb 2006                   [Page 5]