INTERNET-DRAFT S. Santesson (Microsoft) Intended Category: Standards Track Expires December 2006 June 2006 Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract This document defines a new name form for inclusion in the otherName filed of an X.509 Subject Alternative Name extension which allows a certificate subject to be associated with the service name and domain name components of a DNS Service Resource Record. Santesson [Page 1] INTERNET DRAFT DNS SRV RR otherName June 2006 Table of Contents 1 Introduction ................................................ 2 2 Name Definitions ............................................ 3 3 Name Constraints Matching Rules ............................. 5 4 Security Considerations ..................................... 6 5 IANA Considerations ......................................... 6 6 References .................................................. 6 Appendix A. ASN.1 Syntax ....................................... 7 Appendix A.1. 1988 ASN.1 Module ............................ 7 Appendix A.2. 1993 ASN.1 Module ............................ 8 Authors' Addresses ............................................. 10 Full Copyright Statement ....................................... 10 Intellectual Property .......................................... 10 1. Introduction RFC 2782 [N3] Defines a DNS RR (Resource Record) for specifying the location of services (SRV RR) which allows clients to ask for a specific service/protocol for a specific domain and get back the names of any available servers. Server discovery through a DNS query based on service/protocol relative to a domain is from an authentication perspective fundamentally different from when a client has prior trusted knowledge about the name and address of the server it attempts to connect. While authentication of the name and address of a server makes sense when the name and address of the server is prior knowledge, it typically has very little value if the name and address of the server is obtained from an untrusted source. Subsequent authentication of a server discovered through DNS RR lookup based on service name typically requires the client to authenticate that the connected server is authorized to provide the requested service rather than authenticating the servers host name. While DNS servers may have the capacity to provide trusted information, they may in many other situations not be trusted enough to do that, in which case the server may be required to provide verifiable credentials to support its due authorization to provide a requested service. One example where expression of such authorization can be very useful is when locating and authenticating a legitimate Kerberos KDC server. To support these scenarios, this standard defines a new name form for expression of service name relative to a domain in X.509 certificates. Santesson [Page 2] INTERNET DRAFT DNS SRV RR otherName June 2006 Current dNSName GeneralName Subject Alternative name form only provide for DNS host names to be expressed in "preferred name syntax," as specified by RFC 1034 [N4]. This definition is therefore not broad enough to allow expression of a service related to that domain. 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [N1]. 2. Name Definitions This section defines the SRVName name as a form of otherName from the GeneralName structure in SubjectAltName defined in RFC 3280 [N2]. id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } SRVName ::= UTF8String (SIZE (1..MAX)) The SRVName, if present, MUST contain a service name and a domain name in the following form: _Service.Name The content of the components of this name form MUST be consistent with the corresponding definition of these components in an SRV RR according to RFC 2782 [N3]. The content of these components are: Service The symbolic name of the desired service, as defined in Assigned Numbers [N5] or locally. An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature. Some widely used services, notably POP, don't have a single universal name. If Assigned Numbers names the service indicated, that name is the only name which is allowed in the service component of this name form. The Service is case insensitive. All characters in the service name MUST be in the ASCII range (0..7F) Name The DNS domain name of the domain where the specified service is located. Santesson [Page 3] INTERNET DRAFT DNS SRV RR otherName June 2006 If the domain name is an Internationalized domain name (IDN) then all DNS labels in SRVName MUST have been processed with NAMEPREP (RFC3491) [N6]. Example: _mail.example.com Even though this name form is based on the service resource record (SRV RR) definition in RFC 2782 [N3] and may be used to enhance subsequent authentication of DNS based service discovery, this standard does not define any new conditions or requirements regarding use of SRV RR for service discovery or where and when such use is appropriate. Santesson [Page 4] INTERNET DRAFT DNS SRV RR otherName June 2006 3 Name Constraints Matching Rules Name constraining, as specified in RFC 3280, MAY be applied to the SRVName by adding name restriction in the name constraints extension in the form of an SRVName. SRVName restrictions are expressed as a complete SRVName (_mail.example.com), just a service name (_mail) or just as a DNS name (example.com). The name restriction of the service name part and the DNS name part of SRVName are handled separately. If a service name is included in the restriction then that restriction can only be satisfied by an SRVName which includes a corresponding service name. If the restriction has an absent service name, then that restriction is satisfied by any SRVName that match the domain part of the restriction. DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding subdomains to the left hand side of the name satisfies the DNS name part of the name constraint. For example, www.host.example.com would satisfy the constraint (host.example.com) but 1host.example.com would not. Examples: Name Constraints SRVName restriction Matching SRVName non-matching SRVName =================== ================ ==================== example.com _mail.example.com _mail.1example.com _ntp.example.com _mail.1.example.com _mail _mail.example.com _ntp.example.com _mail.1example.com _mail.example.com _mail.example.com _mail.1example.com _mail.1.example.com _ntp.example.com Santesson [Page 5] INTERNET DRAFT DNS SRV RR otherName June 2006 4 Security Considerations Assignment of services to hosts may be subject to change. Implementers should be aware of the need to revoke old certificates that no longer reflect the current assignment of services and thus make sure that all issued certificates are up to date. When X.509 certificates enhanced with the name form specified in this standard is used to enhance authentication of service discovery based on a SRV RR query to a DNS server, all security considerations of RFC 2782 applies. 5 IANA Considerations This document has no actions for IANA. 6 References Normative references: [N1] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [N2] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002. [N3] A. Gulbrandsen and P. Vixie, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. [N4] P. Mockapetris, "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC 1034, November 1987 [N5] J. Reynolds, "Assigned Numbers: RFC 1700 is Replaced by an On-line Database", RFC 3232, January 2002. [N6] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)", RFC 3491, March 2003. [N7] ITU-T Recommendation X.501 (2001): Information technology - Open Systems Interconnection - The Directory: Models Santesson [Page 6] INTERNET DRAFT DNS SRV RR otherName June 2006 Appendix A. ASN.1 Syntax As in RFC 2459, ASN.1 modules are supplied in two different variants of the ASN.1 syntax. This section describes data objects used by conforming PKI components in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with 1993 the UNIVERSAL Type UTF8String. The ASN.1 syntax does not permit the inclusion of type statements in the ASN.1 module, and the 1993 ASN.1 standard does not permit use of the new UNIVERSAL types in modules using the 1988 syntax. As a result, this module does not conform to either version of the ASN.1 standard. Appendix A.1 may be parsed by an 1988 ASN.1-parser by replacing the definitions for the UNIVERSAL Types with the 1988 catch-all "ANY". Appendix A.2 may be parsed "as is" by an 1997-compliant ASN.1 parser. In case of discrepancies between these modules, the 1988 module is the normative one. Appendix A.1. 1988 ASN.1 Module PKIXServiceNameSAN88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-dns-srv-name-88(39) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS -- UTF8String, / move hyphens before slash if UTF8String does not -- resolve with your compiler id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } ; -- from RFC3280 [N2] Santesson [Page 7] INTERNET DRAFT DNS SRV RR otherName June 2006 -- Service Name Object Identifier and Syntax id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } SRVName ::= UTF8String (SIZE (1..MAX)) END Appendix A.2. 1993 ASN.1 Module PKIXServiceNameSAN93 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-dns-srv-name-93(40) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } -- from RFC 3280 [N2] ATTRIBUTE FROM InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 4}; -- from X.501 [N7] -- Service Name Object Identifier id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } -- Service Name Santesson [Page 8] INTERNET DRAFT DNS SRV RR otherName June 2006 permanentIdentifier ATTRIBUTE ::= { WITH SYNTAX SRVName ID id-on-dnsSRV } SRVName ::= UTF8String (SIZE (1..MAX)) END Santesson [Page 9] INTERNET DRAFT DNS SRV RR otherName June 2006 Authors' Addresses Stefan Santesson Microsoft Tuborg Boulevard 12 2900 Hellerup Denmark EMail: stefans@microsoft.com Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary Santesson [Page 10] INTERNET DRAFT DNS SRV RR otherName June 2006 rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org." Expires December 2006 Santesson [Page 11]