Request for new work item - Defining an SRV RR otherName
All,
I have just submitted a new personal draft under the name:
draft-santesson-pkix-srvrr-00 and I hope this draft will be available
from the IETF server soon.
With this mail, I request this WG to consider acceptance of this draft
as a PKIX work item.
The purpose of this draft is to facilitate inclusion of a service name
to an X.509 certificate subject in the form of a DNS Service Resource
Record (SRV RR).
The primary immediate need for this draft is to resolve some of the last
hard issues with Kerberos PKINIT which still lack a way to express that
a certificate is issued to a host which acts as a KDC server.
The PKINIT draft suggested recently that a SRV RR (_kdc._tcp.realm)
could be placed in a dNSName in the SubjectAltName extension, but this
would be incompatible with the RFC 3280 definition of dNSName and would
cause issues with name constraints. To fill this void, implementations
of PKINIT will strongly benefit from the definition of a new otherName
to express SRV RRs in X.509 certificates.
Since the use of SRV RR is a generic feature, not only relevant to
Kerberos, the proposal is to define this otherName in PKIX.
Below is the introduction and otherName definition pasted from the
submitted draft.
1. Introduction
RFC 2782 [N3] defines a DNS RR (Resource Record) for specifying the
location of services (SRV RR) which allows clients to ask for a
specific service/protocol for a specific domain and get back the
names of any available servers.
Currently defined dNSName GeneralName name forms only provide for DNS
host names to be expressed in "preferred name syntax," as specified
by RFC 1034 [N4]. This definition is not broad enough to allow
expression of a SRV RR. To accommodate expression of a SRV RR in
X.509 certificates this document therefore defines an otherName for
SRV RR.
As a DNS query based on an SRV RR returns the name of the host
currently available for the requested service, reasonable subsequent
authentication of that host as the appropriate host for the service
will require the host to demonstrate that it is authorized to
provide the requested service.
The ability to associate a host with a SRV RR in an X.509 certificate
therefore facilitates the binding of the host to the originally
requested SRV RR in order to protect against DNS spoofing attacks
where an altered DNS could return the host name of a rogue or hacked
host.
One example where expression of a SRV RR can be very useful is to
identify a host as a legitimate Kerberos KDC server.
2. SRV RR otherName
This section defines the SRVRRName as a form of otherName from the
GeneralName structure in SubjectAltName.
The SRVRRName, if present, MUST contain a Service Resource Record (SRV
RR) formed according to RFC 2782 [N3].
The use of a SRVRRName is OPTIONAL. The SRVRRName is defined as
follows:
id-on-sRVRRName OBJECT IDENTIFIER ::= { id-on ? }
SRVRRName ::= IA5String
Stefan Santesson
Program Manager, Standards Liaison
Windows Security
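As an added illustration (not code from the draft or from its author), the following Python encodes the SRVRRName otherName described above into a DER GeneralName, decodes it back, and performs the binding check the draft motivates: a client that resolved a service via SRV compares the name in the presented certificate against the SRV RR it originally queried. The draft leaves the OID arc open ("{ id-on ? }"), so the OID value used here is an assumed placeholder, not a registered number; the RFC 2782 shape check and the function names are likewise this example's own.

```python
import re

# The draft leaves the arc unassigned ("{ id-on ? }"); this OID is a
# placeholder for illustration only, NOT a registered value.
ID_ON_SRVRRNAME = "1.3.6.1.5.5.7.8.999"
# RFC 2782 owner-name shape: _Service._Proto.Name (DNS labels are case-insensitive)
SRV_RE = re.compile(r"^_[a-z0-9-]+\._[a-z0-9-]+\.[a-z0-9.-]+$", re.I)

def _tlv(tag, body):                        # DER TLV; bodies here stay under 256 bytes
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + ln + body
def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                    # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))
def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln
def encode_srv_general_name(srv):
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { OID, [0] EXPLICIT IA5String }."""
    if not SRV_RE.match(srv):
        raise ValueError("not an RFC 2782 SRV owner name: %r" % srv)
    value = _tlv(0xA0, _tlv(0x16, srv.encode("ascii")))
    return _tlv(0xA0, _der_oid(ID_ON_SRVRRNAME) + value)
def decode_srv_general_name(der):
    """Return the SRVRRName, or None if this GeneralName is not that otherName."""
    try:
        tag, body, _ = _read_tlv(der)
        t_oid, oid, nxt = _read_tlv(body)
        t_val, val, _ = _read_tlv(body, nxt)
        t_str, ia5, _ = _read_tlv(val)
        ok = (tag, t_oid, t_val, t_str) == (0xA0, 0x06, 0xA0, 0x16)   # dNSName is [2], etc.
        return ia5.decode("ascii") if ok and _tlv(0x06, oid) == _der_oid(ID_ON_SRVRRNAME) else None
    except (IndexError, UnicodeDecodeError):   # malformed or some other name form
        return None
def host_authorized_for_service(san_general_names, requested_srv):
    """The binding the draft motivates: does the cert name the SRV RR the client queried?"""
    want = requested_srv.rstrip(".").lower()
    names = (decode_srv_general_name(gn) for gn in san_general_names)
    return any(n is not None and n.rstrip(".").lower() == want for n in names)
```

A relying party would run host_authorized_for_service over every GeneralName in the server certificate's SubjectAltName after validating the chain; a name in a different GeneralName form (such as dNSName) is simply not a match.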