[caops-wg] Fwd: Protocol Action: 'Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name' to Proposed Standard

Alan Sill Alan.Sill at ttu.edu
Wed May 30 15:25:32 CDT 2007


FYI.  May be of interest for solving problems associated with  
verification of association of a service certificate with a  
particular DNS record.

Alan

Begin forwarded message:

> From: The IESG <iesg-secretary at ietf.org>
> Date: May 30, 2007 12:27:37 PM CDT
> To: IETF-Announce <ietf-announce at ietf.org>
> Cc: Internet Architecture Board <iab at iab.org>, RFC Editor <rfc-editor at rfc-editor.org>, pkix mailing list <ietf-pkix at imc.org>, pkix chair <pkix-chairs at tools.ietf.org>
> Subject: Protocol Action: 'Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name' to Proposed Standard
>
>
> The IESG has approved the following document:
>
> - 'Internet X.509 Public Key Infrastructure Subject Alternative Name for
>    expression of service name'
>    <draft-ietf-pkix-srvsan-05.txt> as a Proposed Standard
>
> This document is the product of the Public-Key Infrastructure (X.509)
> Working Group.
>
> The IESG contact persons are Tim Polk and Sam Hartman.
>
> A URL of this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-srvsan-05.txt
>
> Technical Summary
>
>   This document specifies how to use the existing X.509 certificate
>   Subject Alternative Name extension (with the otherName syntax) to
>   carry a reference to a DNS SRV record.  The intent is to link a
>   certificate to the service named in the DNS record.
>
>   The document notes that the problem being solved here is not the
>   typical server authentication problem.  Instead, an authorization
>   problem is being solved.  The question being answered here is whether
>   the server that holds the private key is authorized to provide a
>   particular service.  This mechanism fills a gap that otherwise would
>   exist if the server is provisioned with a typical server certificate
>   that attests just to the name of the server.  A server holding a
>   certificate with this extension has been certified by the issuer of
>   the certificate to offer the service expressed in the corresponding
>   SRV RR record.  The cited example in the document is that of a
>   Kerberos server (e.g., a KDC).
>
>   When DNSSEC is fully deployed, this extension may not be needed, as
>   signed DNS records (SRV RR and others) should be able to provide the
>   same form of authentic authorization information.  (This extension
>   does not represent competition with DNSSEC as the only binding
>   provided is to SRV RR records, a subset of overall DNSSEC
>   functionality.)
>
> Working Group Summary
>
>   The PKIX WG expressed consensus to advance the draft to Proposed
>   Standard.
>
> Protocol Quality
>
>   This document was reviewed by Russ Housley for the IESG.
>

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
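As an added illustration of the mechanism the Technical Summary describes (this is not code from the forwarded announcement, the draft, or the PKIX WG): a small Python check that decodes the SRVName otherName from a SubjectAltName value and asks whether the key holder has been certified for a given `_Service.Name`, which is the authorization question the summary distinguishes from plain server-name authentication. It assumes the otherName type-id OID (id-on-dnsSRV, 1.3.6.1.5.5.7.8.7) and the IA5String `_Service.Name` form assigned in the published RFC 4985; the SAN bytes are constructed inline, and chain validation of the certificate is assumed to have been done separately.

```python
from typing import List, Tuple

# OID id-on-dnsSRV = 1.3.6.1.5.5.7.8.7, the SRVName type-id assigned in the
# published RFC 4985 (assumption; the draft on this page predates the RFC),
# given here in its DER content encoding.
ID_ON_DNSSRV_DER = bytes.fromhex("2b06010505070807")

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short-form length only: body under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one short-form TLV at pos; return (tag, body, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def srv_names(san_der: bytes) -> List[str]:
    """Return every SRVName ("_Service.Name") in a DER GeneralNames value."""
    names, pos = [], 0
    _, seq, _ = der_read(san_der)
    while pos < len(seq):
        tag, body, pos = der_read(seq, pos)
        if tag != 0xA0:                 # GeneralName.otherName is [0] IMPLICIT
            continue
        _, oid, p = der_read(body)      # OtherName.type-id
        if oid != ID_ON_DNSSRV_DER:     # some other otherName type: skip it
            continue
        _, wrapped, _ = der_read(body, p)   # OtherName.value is [0] EXPLICIT
        tag, ia5, _ = der_read(wrapped)
        if tag == 0x16:                     # IA5String
            names.append(ia5.decode("ascii"))
    return names

def authorized_for(san_der: bytes, service: str, host: str) -> bool:
    """Does the SAN certify this key for _service.host? Case-insensitive."""
    want = f"_{service}.{host}".lower()
    return want in (n.lower() for n in srv_names(san_der))

def build_sample_san() -> bytes:
    """Constructed sample SAN: a dNSName plus one SRVName for a Kerberos KDC."""
    srv_value = der_tlv(0xA0, der_tlv(0x16, b"_kerberos.example.com"))
    other = der_tlv(0xA0, der_tlv(0x06, ID_ON_DNSSRV_DER) + srv_value)
    return der_tlv(0x30, der_tlv(0x82, b"kdc.example.com") + other)
```

A SAN carrying only a dNSName (the "typical server certificate" case in the summary) yields no SRVName, so `authorized_for` returns False for every service, which is exactly the gap the extension fills.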