Protocol Action: 'Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name' to Proposed Standard

The IESG has approved the following document:

- 'Internet X.509 Public Key Infrastructure Subject Alternative Name for 
   expression of service name'
   <draft-ietf-pkix-srvsan-05.txt> as a Proposed Standard

This document is the product of the Public-Key Infrastructure (X.509) 
Working Group. 

The IESG contact persons are Tim Polk and Sam Hartman.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-srvsan-05.txt

Technical Summary

  This document specifies how to use the existing X.509 certificate
  Subject Alternative Name extension (with the otherName syntax) to
  carry a reference to a DNS SRV record.  The intent is to link a
  certificate to the service named in the DNS record.

  The document notes that the problem being solved here is not the
  typical server authentication problem.  Instead, an authorization
  problem is being solved.  The question being answered here is whether
  the server that holds the private key is authorized to provide a
  particular service.  This mechanism fills a gap that otherwise would
  exist if the server is provisioned with a typical server certificate
  that attests just to the name of the server.  A server holding a
  certificate with this extension has been certified by the issuer of
  the certificate to offer the service expressed in the corresponding
  SRV RR record.  The cited example in the document is that of a
  Kerberos server (e.g., a KDC).

  When DNSSEC is fully deployed, this extension may not be needed, as
  signed DNS records (SRV RR and others) should be able to provide the
  same form of authentic authorization information.  (This extension
  does not represent competition with DNSSEC as the only binding
  provided is to SRV RR records, a subset of overall DNSSEC
  functionality.)

Working Group Summary

  The PKIX WG expressed consensus to advance the draft to Proposed
  Standard.

Protocol Quality

  This document was reviewed by Russ Housley for the IESG.


_______________________________________________

IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce
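
Added example (not part of the IESG announcement or the draft): a client-side check of the authorization question described in the Technical Summary, i.e. whether a certificate authorizes its holder to offer a given service for a domain. The OID, the "_Service.Name" form and the no-wildcard rule are taken from RFC 4985, the published form of this draft, and do not appear on this page; the tuple layout, function names and sample certificates are hypothetical.

```python
# Added example: SRVName authorization check; names and sample data are constructed.
ID_ON_DNS_SRV = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV per RFC 4985 (not on this page)

def parse_srv_name(value):
    """Split '_Service.Name' into (service, domain); raise ValueError if malformed."""
    if not value.isascii():
        raise ValueError("SRVName is an IA5String; non-ASCII is not allowed")
    if "*" in value:
        raise ValueError("wildcards are never matched in an SRVName")
    label, sep, domain = value.partition(".")
    if not sep or not label.startswith("_") or len(label) < 2 or not domain:
        raise ValueError("expected the form _Service.Name")
    return label[1:].lower(), domain.lower()

def authorized_for_service(san_entries, service, domain):
    """san_entries: (kind, type_id, value) tuples taken from the SAN extension of a
    certificate whose path has already been validated. Returns True only when an
    otherName SRVName entry names exactly this service and domain."""
    want = (service.lower(), domain.lower())
    for kind, type_id, value in san_entries:
        if kind != "otherName" or type_id != ID_ON_DNS_SRV:
            continue  # a dNSName identifies the host, it does not authorize a service
        try:
            if parse_srv_name(value) == want:
                return True
        except ValueError:
            continue  # malformed or wildcard entries never grant authorization
    return False

# Constructed sample SAN contents (hypothetical certificates).
KDC_CERT = [("dNSName", None, "kdc1.example.com"),
            ("otherName", ID_ON_DNS_SRV, "_kerberos.example.com")]
HOST_ONLY_CERT = [("dNSName", None, "kdc1.example.com")]
WILDCARD_CERT = [("otherName", ID_ON_DNS_SRV, "_kerberos.*.example.com")]

if __name__ == "__main__":
    for name, cert in [("KDC", KDC_CERT), ("host-only", HOST_ONLY_CERT),
                       ("wildcard", WILDCARD_CERT)]:
        ok = authorized_for_service(cert, "kerberos", "example.com")
        print(f"{name}: authorized for kerberos in example.com = {ok}")
```

The host-only certificate is valid for the same server name yet is rejected, which is the gap between server authentication and service authorization that the summary describes.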
