Network Working Group                                          S. Boeyen
Request for Comments: 4386                                  Entrust Inc.
Category: Experimental                                   P. Hallam-Baker
                                                           VeriSign Inc.
                                                           February 2006


               Internet X.509 Public Key Infrastructure
                      Repository Locator Service

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines a Public Key Infrastructure (PKI) repository
   locator service.  The service makes use of DNS SRV records defined in
   accordance with RFC 2782.  The service enables certificate-using
   systems to locate PKI repositories.

Table of Contents

   1. Overview ........................................................2
      1.1. Conventions Used in This Document ..........................2
   2. SRV RR Definition ...............................................2
      2.1. Assignment of New Protocol Prefixes ........................3
      2.2. Use of Multiple Repositories ...............................3
      2.3. SRV RR Example .............................................3
   3. Security Considerations .........................................4
   4. IANA Considerations .............................................4
   5. Informative References ..........................................4












Boeyen & Hallam-Baker         Experimental                      [Page 1]


RFC 4386                        PKIXREP                    February 2006


1.  Overview

   A number of RFCs (including [RFC2559], [RFC2560], and [RFC2585]) have
   specified operational protocols for retrieval of PKI data, including
   public-key certificates and revocation information, from PKI
   repositories.  These RFCs assume that a certificate-using system has
   the information necessary to identify, locate, and connect to the PKI
   repository with a specific protocol.  Although some tools are
   available in protocol-specific environments for this purpose, such as
   knowledge references in directory systems, these are restricted for
   use with a single protocol and do not share a common means of
   publication.  This document provides a solution to this problem
   through the use of Service Record (SRV) Resource Records (RRs) in
   DNS.  This solution is expected to be particularly useful in
   environments where only a domain name is available.  In other
   situations (e.g., where a certificate is available that contains the
   required information), such a DNS lookup is not needed.

   [RFC2782] defines a DNS RR for specifying the location of services
   (SRV).  This document defines SRV records for a PKI repository
   locator service to enable PKI clients to obtain the necessary
   information to connect to a domain's PKI repository, including
   information about each protocol that is supported by that domain for
   access to its repository.  This document includes the definition of
   an SRV RR format for this service and an example of its potential use
   in an email environment.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
   as shown) are to be interpreted as described in [RFC2119].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively.

2.  SRV RR Definition

   The format of the SRV RR, whose DNS type code is 33, is:

    _Service._Proto.Name TTL Class SRV Priority Weight Port Target

   For the PKI repository locator service, this document uses the
   symbolic name "PKIXREP".  Note that when used in an SRV RR, this name
   MUST be prepended with an "_" character.






Boeyen & Hallam-Baker         Experimental                      [Page 2]


RFC 4386                        PKIXREP                    February 2006


   The protocols that can be included in PKIXREP SRV RRs are:

      Protocol     SRV Prefix

      LDAP         _LDAP
      HTTP         _HTTP
      OCSP         _OCSP

2.1.  Assignment of New Protocol Prefixes

   Protocol prefix assignments for new PKIX repository protocols SHOULD
   be defined in the document that specifies the protocol.

2.2.  Use of Multiple Repositories

   The existence of multiple repositories MAY be determined by making
   separate DNS queries for each of the protocols supported by the
   client.

   If this approach is found to be unacceptably inefficient due to a
   proliferation of repository protocols at a future date, the service
   discovery protocol could be extended to allow the repository to
   advertise the protocols supported.

2.3.  SRV RR Example

   This example uses the fictional domain "example.com" as an aid in
   understanding the use of SRV records by a certificate-using system.

   Assume that Alice is an email client that needs a certificate for a
   recipient.  Alice's client system supports LDAP for certificate
   retrieval.  Assume the message recipient is Bob and that Bob's email
   address is bob@example.com.  Assume that example.test maintains a
   "border directory" PKI repository and that Bob's certificate is
   available from that directory, "border.example.com", via LDAP.

   Alice's client system retrieves, via DNS, the SRV record for
   _PKIXREP._LDAP.example.com.

      -  The QNAME of the DNS query is _PKIXREP._LDAP.example.com.

      - The QCLASS of the DNS query is IN.

      -  The QTYPE of the DNS query is SRV.

   The result SHOULD include the host address for example.com's border
   directory system.




Boeyen & Hallam-Baker         Experimental                      [Page 3]


RFC 4386                        PKIXREP                    February 2006


   Note that if example.com operated its service on a number of hosts,
   more than one SRV RR would be returned.  In this case, RFC 2782
   defines the procedure to be followed in determining which of these
   should be accessed first.

3.  Security Considerations

   Security issues regarding PKI repositories themselves are outside the
   scope of this document.  For LDAP repositories, for example, specific
   security considerations are addressed in RFC 2559.

   Security issues with respect to the use of SRV records in general are
   addressed in RFC 2782, and these issues apply to the use of SRV
   records in the context of the PKIXREP service defined here.

4.  IANA Considerations

   This document reserves the use of "_PKIXREP" service label.  Since
   this relates to a service that may pass messages over a number of
   different message transports, each message must be associated with a
   specific transport.

   In order to ensure that the association between "_PKIXREP" and their
   respective underlying services is deterministic, the IANA has created
   a new registry: PKIX SRV Protocol Labels.

   For this registry, an entry shall consist of a label name and a
   pointer to a specification describing how the protocol named in the
   label uses SRV.  Specifications should conform to the requirements
   listed in [RFC2434] for "specification required".

5.  Informative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
             IANA Considerations Section in RFCs", BCP 26, RFC 2434,
             October 1998.

   [RFC2559] Boeyen, S., Howes, T., and P. Richard, "Internet X.509
             Public Key Infrastructure Operational Protocols - LDAPv2",
             RFC 2559, April 1999.

   [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
             Adams, "X.509 Internet Public Key Infrastructure Online
             Certificate Status Protocol - OCSP", RFC 2560, June 1999.




Boeyen & Hallam-Baker         Experimental                      [Page 4]


RFC 4386                        PKIXREP                    February 2006


   [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key
             Infrastructure Operational Protocols: FTP and HTTP", RFC
             2585, May 1999.

   [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
             specifying the location of services (DNS SRV)", RFC 2782,
             February 2000.

Authors' Addresses

   Sharon Boeyen
   Entrust
   1000 Innovation Drive
   Ottawa, Ontario
   Canada K2K 3E7

   EMail: sharon.boeyen@entrust.com


   Phillip M. Hallam-Baker
   VeriSign Inc.
   401 Edgewater Place, Suite 280
   Wakefield MA 01880

   EMail: pbaker@VeriSign.com


























Boeyen & Hallam-Baker         Experimental                      [Page 5]


RFC 4386                        PKIXREP                    February 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Boeyen & Hallam-Baker         Experimental                      [Page 6]