idnits 2.17.1 

draft-ietf-dane-registry-acronyms-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document updates RFC6698, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (October 18, 2013) is 3843 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	DANE                                                      O. Gudmundsson
3	Internet-Draft                                             Shinkuro Inc.
4	Updates: 6698 (if approved)                             October 18, 2013
5	Intended status: Standards Track
6	Expires: April 21, 2014

8	             Adding acronyms to simplify DANE conversations
9	                  draft-ietf-dane-registry-acronyms-01

11	Abstract

13	   Experience has show that people get confused using the three numeric
14	   fields the TLSA record.  This document specifies descriptive acronyms
15	   for the three numeric fields in the TLSA records.

17	Status of This Memo

19	   This Internet-Draft is submitted in full conformance with the
20	   provisions of BCP 78 and BCP 79.

22	   Internet-Drafts are working documents of the Internet Engineering
23	   Task Force (IETF).  Note that other groups may also distribute
24	   working documents as Internet-Drafts.  The list of current Internet-
25	   Drafts is at http://datatracker.ietf.org/drafts/current/.

27	   Internet-Drafts are draft documents valid for a maximum of six months
28	   and may be updated, replaced, or obsoleted by other documents at any
29	   time.  It is inappropriate to use Internet-Drafts as reference
30	   material or to cite them other than as "work in progress."

32	   This Internet-Draft will expire on April 21, 2014.

34	Copyright Notice

36	   Copyright (c) 2013 IETF Trust and the persons identified as the
37	   document authors.  All rights reserved.

39	   This document is subject to BCP 78 and the IETF Trust's Legal
40	   Provisions Relating to IETF Documents
41	   (http://trustee.ietf.org/license-info) in effect on the date of
42	   publication of this document.  Please review these documents
43	   carefully, as they describe your rights and restrictions with respect
44	   to this document.  Code Components extracted from this document must
45	   include Simplified BSD License text as described in Section 4.e of
46	   the Trust Legal Provisions and are provided without warranty as
47	   described in the Simplified BSD License.

49	Table of Contents

51	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
52	   2.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   2
53	     2.1.  TLSA Certificate Usages . . . . . . . . . . . . . . . . .   3
54	     2.2.  TLSA Selectors  . . . . . . . . . . . . . . . . . . . . .   3
55	     2.3.  TLSA Matching types . . . . . . . . . . . . . . . . . . .   3
56	   3.  Examples of usage . . . . . . . . . . . . . . . . . . . . . .   3
57	     3.1.  TLSA records using/displaying the acronyms: . . . . . . .   4
58	     3.2.  Acronym use in a specification example: . . . . . . . . .   4
59	   4.  Security considerations . . . . . . . . . . . . . . . . . . .   4
60	   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
61	   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
62	   Appendix A.  Document history . . . . . . . . . . . . . . . . . .   4
63	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

65	1.  Introduction

67	   During discussions on how to add DANE [RFC6698] technology to new
68	   protocols/services people repeatedly have got confused as what the
69	   numeric values stand for and even the order of the fields of a TLSA
70	   record.  This document updates the IANA registry definition for TLSA
71	   record to add a column with acronym for each specified field, in
72	   order to reduce confusion.  This document does not change the DANE
73	   protocol in any way.

75	   It is expected that DANE parsers in applications and DNS software can
76	   adopt parsing the acronyms for each field.

78	2.  IANA considerations

80	   This document applies to "DNS-Based Authentication of Named Entities
81	   (DANE) Parameters" located at "http://www.iana.org/assignments/dane-
82	   parameters/dane-parameters.xhtml".  Each one of the Sub-registries
83	   will add a column with an acronym for that field.

85	   [RFC6698] and this document are both to be the reference documents
86	   for the three sub-registries.

88	   As these acronyms are offered for human consumption, case does not
89	   matter, it is expected that software that parses TLSA records will
90	   handle either upper or lower case use as input.

92	2.1.  TLSA Certificate Usages

94	    +-------+----------+--------------------------------+-------------+
95	    | Value | Acronym  | Short Description              | Reference   |
96	    +-------+----------+--------------------------------+-------------+
97	    |   0   | PKIX-CA  | CA constraint                  | [RFC6698]   |
98	    |   1   | PKIX-EE  | Service certificate constraint | [RFC6698]   |
99	    |   2   | DANE-TA  | Trust anchor assertion         | [RFC6698]   |
100	    |   3   | DANE-EE  | Domain-issued certificate      | [RFC6698]   |
101	    | 4-254 |          | Unassigned                     |             |
102	    |  255  | PrivCert | Reserved for Private Use       | [RFC6698]   |
103	    +-------+----------+--------------------------------+-------------+

105	                     Table 1: TLSA Certificate Usages

107	   Other options suggested for 0: PKIX-TA

109	2.2.  TLSA Selectors

111	       +-------+---------+--------------------------+-------------+
112	       | Value | Acronym | Short Description        | Reference   |
113	       +-------+---------+--------------------------+-------------+
114	       |   0   | Cert    | Full certificate         | [RFC6698]   |
115	       |   1   | SPKI    | SubjectPublicKeyInfo     | [RFC6698]   |
116	       | 2-254 |         | Unassigned               |             |
117	       |  255  | PrivSel | Reserved for Private Use | [RFC6698]   |
118	       +-------+---------+--------------------------+-------------+

120	                          Table 2: TLSA Selectors

122	2.3.  TLSA Matching types

124	      +-------+-----------+--------------------------+-------------+
125	      | Value | Acronym   | Short Description        | Reference   |
126	      +-------+-----------+--------------------------+-------------+
127	      |   0   | Full      | No hash used             | [RFC6698]   |
128	      |   1   | SHA2-256  | 256 bit hash by SHA2     | [RFC6698]   |
129	      |   2   | SHA2-512  | 512 bit hash by SHA2     | [RFC6698]   |
130	      | 3-254 |           | Unassigned               |             |
131	      |  255  | PrivMatch | Reserved for Private Use | [RFC6698]   |
132	      +-------+-----------+--------------------------+-------------+

134	                       Table 3: TLSA Matching types

136	3.  Examples of usage

138	   Two examples below

140	3.1.  TLSA records using/displaying the acronyms:
141	   _666._tcp.first.example.  TLSA PKIX-CA CERT SHA2-512 {blob}
142	   _666._tcp.second.example.  TLSA DANE-TA SPKI SHA2-256 {blob}

144	3.2.  Acronym use in a specification example:

146	   Protocol FOO only allows TLSA records using PKIX-EE and DANE-EE, with
147	   selector SPKI and using SHA2-512.

149	4.  Security considerations

151	   This document only changes registry fields and does not change the
152	   behavior of any protocol.  The hope is to reduce confusion and lead
153	   to better specification and operations.

155	5.  Acknowledgements

157	   Scott Schmit offered real good suggestions to decrease the
158	   possibility of confusion.  Viktor Dukhovni provided comments from
159	   expert point of view.  Jim Schaad, Wes Hardaker and Paul Hoffman
160	   provided feedback during WGLC.

162	6.  Normative References

164	   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
165	              of Named Entities (DANE) Transport Layer Security (TLS)
166	              Protocol: TLSA", RFC 6698, August 2012.

168	Appendix A.  Document history

170	   [RFC Editor: Please remove this section before publication ]

172	   00 Initial version

174	   01 Updated version based on some comments ready for WGLC

176	   00 WG version almost identical to 01

178	   01 WG version result of WG last call one possible issue remains PKIX-
179	   CA ==> PKIX-TA no clear message if that change should be made

181	Author's Address
182	   Olafur Gudmundsson
183	   Shinkuro Inc.
184	   4922 Fairmont Av, Suite 250
185	   Bethesda, MD  20814
186	   USA

188	   Email: ogud@ogud.com