INTERNET-DRAFT S. Santesson (Microsoft) Intended Category: Standards Track Expires June 2007 December 2006 Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract This document defines a new name form for inclusion in the otherName field of an X.509 Subject Alternative Name extension which allows a certificate subject to be associated with the service name and domain name components of a DNS Service Resource Record. Santesson [Page 1] INTERNET DRAFT DNS SRV RR otherName December 2006 Table of Contents 1 Introduction ................................................ 2 2 Name Definitions ............................................ 3 3 Name Constraints Matching Rules ............................. 5 4 Security Considerations ..................................... 6 5 IANA Considerations ......................................... 6 6 References .................................................. 6 Appendix A. ASN.1 Syntax ....................................... 7 Appendix A.1. 1988 ASN.1 Module ............................ 7 Appendix A.2. 1993 ASN.1 Module ............................ 8 Authors' Addresses ............................................. 10 Full Copyright Statement ....................................... 10 Intellectual Property .......................................... 10 1. Introduction RFC 2782 [N3] Defines a DNS RR (Resource Record) for specifying the location of services (SRV RR) which allows clients to ask for a specific service/protocol for a specific domain and get back the names of any available servers. Existing name forms in X.509 certificates support authentication of a host name. This is useful when the name of the host is known by the client prior to authentication. When a server host name is discovered through DNS RR lookup query based on service name, the client may need to authenticate the servers authorization to provide the requested service in addition to the servers host name. One example where expression of such authorization can be very useful is when a Kerberos KDC is located through a DNS RR query. While DNS servers may have the capacity to provide trusted information, there my be many other situations where the binding between then name of the host and the provided service needs to be supported by additional credentials. To support these scenarios, this standard defines a new name form for expression of service name relative to a domain in X.509 certificates. Current dNSName GeneralName Subject Alternative name form only provide for DNS host names to be expressed in "preferred name syntax," as specified by RFC 1034 [N4]. This definition is therefore not broad enough to allow expression of a service related to that domain. Santesson [Page 2] INTERNET DRAFT DNS SRV RR otherName December 2006 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [N1]. 2. Name Definitions This section defines the SRVName name as a form of otherName from the GeneralName structure in SubjectAltName defined in RFC 3280 [N2]. id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } SRVName ::= UTF8String (SIZE (1..MAX)) The SRVName, if present, MUST contain a service name and a domain name in the following form: _Service.Name The content of the components of this name form MUST be consistent with the corresponding definition of these components in an SRV RR according to RFC 2782 [N3]. The content of these components are: Service The symbolic name of the desired service, as defined in Assigned Numbers [N5] or locally. An underscore (_) is prepended to the service identifier to avoid collisions with DNS labels that occur in nature. Some widely used services, notably POP, don't have a single universal name. If Assigned Numbers names the service indicated, that name is the only name which is allowed in the service component of this name form. The Service is case insensitive. All characters in the service name MUST be in the ASCII range (0..7F) Name The DNS domain name of the domain where the specified service is located. If the domain name is an Internationalized domain name (IDN) then all DNS labels in SRVName MUST have been processed with NAMEPREP (RFC3491) [N6]. Santesson [Page 3] INTERNET DRAFT DNS SRV RR otherName December 2006 Example: _mail.example.com Example: The "mail" service at nave.net (an IDN, which becomes xn--nave-6pa.net when encoded as an IDNA) would use the following 15-character SRVName value: _mail.nave.net Its 16-byte UTF-8 encoding is (in hex): 5F 6D 61 69 6C 2E 6E 61 C3 AF 76 65 2E 6E 65 74 Even though this name form is based on the service resource record (SRV RR) definition in RFC 2782 [N3] and may be used to enhance subsequent authentication of DNS based service discovery, this standard does not define any new conditions or requirements regarding use of SRV RR for service discovery or where and when such use is appropriate. Santesson [Page 4] INTERNET DRAFT DNS SRV RR otherName December 2006 3 Name Constraints Matching Rules Name constraining, as specified in RFC 3280, MAY be applied to the SRVName by adding name restriction in the name constraints extension in the form of an SRVName. SRVName restrictions are expressed as a complete SRVName (_mail.example.com), just a service name (_mail) or just as a DNS name (example.com). The name restriction of the service name part and the DNS name part of SRVName are handled separately. If a service name is included in the restriction then that restriction can only be satisfied by an SRVName which includes a corresponding service name. If the restriction has an absent service name, then that restriction is satisfied by any SRVName that match the domain part of the restriction. DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding subdomains to the left hand side of the name satisfies the DNS name part of the name constraint. For example, www.host.example.com would satisfy the constraint (host.example.com) but 1host.example.com would not. Examples: Name Constraints SRVName restriction Matching SRVName non-matching SRVName =================== ================ ==================== example.com _mail.example.com _mail.1example.com _ntp.example.com _mail.1.example.com _mail _mail.example.com _ntp.example.com _mail.1example.com _mail.example.com _mail.example.com _mail.1example.com _mail.1.example.com _ntp.example.com Santesson [Page 5] INTERNET DRAFT DNS SRV RR otherName December 2006 4 Security Considerations Assignment of services to hosts may be subject to change. Implementers should be aware of the need to revoke old certificates that no longer reflect the current assignment of services and thus make sure that all issued certificates are up to date. When X.509 certificates enhanced with the name form specified in this standard is used to enhance authentication of service discovery based on a SRV RR query to a DNS server, all security considerations of RFC 2782 applies. 5 IANA Considerations This document has no actions for IANA. 6 References Normative references: [N1] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [N2] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002. [N3] A. Gulbrandsen and P. Vixie, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. [N4] P. Mockapetris, "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC 1034, November 1987 [N5] J. Reynolds, "Assigned Numbers: RFC 1700 is Replaced by an On-line Database", RFC 3232, January 2002. [N6] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)", RFC 3491, March 2003. [N7] ITU-T Recommendation X.501 (2001): Information technology - Open Systems Interconnection - The Directory: Models Santesson [Page 6] INTERNET DRAFT DNS SRV RR otherName December 2006 Appendix A. ASN.1 Syntax As in RFC 2459, ASN.1 modules are supplied in two different variants of the ASN.1 syntax. This section describes data objects used by conforming PKI components in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with the 1993 UNIVERSAL Type UTF8String. The ASN.1 syntax does not permit the inclusion of type statements in the ASN.1 module, and the 1993 ASN.1 standard does not permit use of the new UNIVERSAL types in modules using the 1988 syntax. As a result, this module does not conform to either version of the ASN.1 standard. Appendix A.1 may be parsed by an 1988 ASN.1-parser by replacing the definitions for the UNIVERSAL Types with the 1988 catch-all "ANY". Appendix A.2 may be parsed "as is" by an 1997-compliant ASN.1 parser. In case of discrepancies between these modules, the 1988 module is the normative one. Appendix A.1. 1988 ASN.1 Module PKIXServiceNameSAN88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-dns-srv-name-88(39) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS -- UTF8String, / move hyphens before slash if UTF8String does not -- resolve with your compiler id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } ; -- from RFC3280 [N2] Santesson [Page 7] INTERNET DRAFT DNS SRV RR otherName December 2006 -- Service Name Object Identifier and Syntax -- id-pkix OBJECT IDENTIFIER ::= {1 3 6 1 5 5 7} id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } SRVName ::= UTF8String (SIZE (1..MAX)) END Appendix A.2. 1993 ASN.1 Module PKIXServiceNameSAN93 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-dns-srv-name-93(40) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } ; -- from RFC 3280 [N2] -- In the GeneralName definition using the 1993 ASN.1 syntax includes: OTHER-NAME ::= TYPE-IDENTIFIER -- Service Name Object Identifier id-on OBJECT IDENTIFIER ::= { id-pkix 8 } id-on-dnsSRV OBJECT IDENTIFIER ::= { id-on 7 } Santesson [Page 8] INTERNET DRAFT DNS SRV RR otherName December 2006 -- Service Name srvName OTHER-NAME ::= { SRVName IDENTIFIED BY { id-on-dnsSRV }} SRVName ::= UTF8String (SIZE (1..MAX)) END Santesson [Page 9] INTERNET DRAFT DNS SRV RR otherName December 2006 Authors' Addresses Stefan Santesson Microsoft Tuborg Boulevard 12 2900 Hellerup Denmark EMail: stefans@microsoft.com Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary Santesson [Page 10] INTERNET DRAFT DNS SRV RR otherName December 2006 rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org." Expires June 2007 Santesson [Page 11]