INTERNET-DRAFT                                   S. Santesson (Microsoft)
Intended Category: Standards Track
Expires November 2005                                           May 2005


        Internet X.509 Public Key Infrastructure
        DNS Service Resource Record otherName


Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document defines a new name form for inclusion in the otherName
   field of an X.509 Subject Alternative Name extension, which allows a
   certificate subject to be associated with a DNS Service Resource
   Record.


Santesson                                                       [Page 1]

Table of Contents

   1  Introduction
   2  SRV RR otherName
   3  Security Considerations
   4  References
   Appendix A.  ASN.1 definitions
   Authors' Addresses
   Disclaimer
   Copyright Statement


1. Introduction

   RFC 2782 [N3] defines a DNS Resource Record (RR) for specifying the
   location of services (the SRV RR), which allows clients to ask for a
   specific service/protocol for a specific domain and get back the
   names of any available servers.

   The currently defined dNSName GeneralName name form only provides
   for DNS host names expressed in "preferred name syntax," as
   specified by RFC 1034 [N4]. This definition is not broad enough to
   allow expression of an SRV RR. To accommodate expression of an SRV
   RR in X.509 certificates, this document therefore defines an
   otherName form for SRV RRs.

   Since a DNS query for an SRV RR returns the name of the host
   currently available for the requested service, reasonable
   subsequent authentication of that host as the appropriate host for
   the service requires the host to demonstrate that it is authorized
   to provide the requested service. The ability to associate a host
   with an SRV RR in an X.509 certificate therefore facilitates binding
   the host to the originally requested SRV RR, in order to protect
   against DNS spoofing attacks in which an altered DNS response
   returns the host name of a rogue or compromised host.

   One example where expression of an SRV RR is very useful is to
   identify a host as a legitimate Kerberos KDC server.

2. SRV RR otherName

   This section defines the SRVRRName as a form of otherName from the
   GeneralName structure in SubjectAltName.

   The SRVRRName, if present, MUST contain a Service Resource Record
   (SRV RR) formed according to RFC 2782 [N3]. The use of an SRVRRName
   is OPTIONAL.

   The SRVRRName is defined as follows:

      id-on-sRVRRName OBJECT IDENTIFIER ::= { id-on ? }

      SRVRRName ::= IA5String

3. Security Considerations

   Since the assignment of services to hosts may change, implementers
   should be aware of the issues involved in transferring or suspending
   services between hosts, so that issued certificates remain accurate
   and certificates that no longer reflect the current service
   assignment are revoked.

   A relying party obtains the protection described in Section 1 only
   if it compares the SRVRRName in the certificate against the SRV RR
   it originally queried, rather than against names obtained from the
   (possibly spoofed) DNS response.

4. References

   Normative references:

   [N1]  S. Bradner, "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [N2]  R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509
         Public Key Infrastructure: Certificate and Certificate
         Revocation List (CRL) Profile", RFC 3280, April 2002.

   [N3]  A. Gulbrandsen and P. Vixie, "A DNS RR for specifying the
         location of services (DNS SRV)", RFC 2782, February 2000.

   [N4]  P. Mockapetris, "Domain Names - Concepts and Facilities",
         RFC 1034, November 1987.

Appendix A. ASN.1 definitions

   TBD

Authors' Addresses

   Stefan Santesson
   Microsoft
   Tuborg Boulevard 12
   2900 Hellerup
   Denmark

   EMail: stefans@microsoft.com

Disclaimer

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.