Internet Engineering Task Force (IETF)                    O. Gudmundsson
Request for Comments: 7218                                 Shinkuro Inc.
Updates: 6698                                                 April 2014
Category: Standards Track
ISSN: 2070-1721


           Adding Acronyms to Simplify Conversations about
          DNS-Based Authentication of Named Entities (DANE)

Abstract

   Experience has shown that people get confused when discussing the
   three numeric fields of the TLSA record.  This document specifies
   descriptive acronyms for the three numeric fields in TLSA records.
   This document updates the format of the IANA registry created by RFC
   6698.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7218.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Gudmundsson                  Standards Track                    [Page 1]
RFC 7218             Adding Acronyms to DANE Registries       April 2014


Table of Contents

   1.  Introduction
   2.  IANA Considerations
     2.1.  TLSA Certificate Usages Registry
     2.2.  TLSA Selectors
     2.3.  TLSA Matching Types
   3.  Examples of Usage
     3.1.  TLSA Records Using/Displaying the Acronyms
     3.2.  Acronym Use in a Specification Example
   4.  Security Considerations
   5.  Acknowledgements
   6.  References
     6.1.  Normative References
     6.2.  Informative References

1.  Introduction

   During discussions on how to add DNS-Based Authentication of Named
   Entities (DANE) [RFC6698] technology to new protocols and services,
   people were repeatedly confused as to what the numeric values stood
   for and even the order of the fields of a TLSA record (note that TLSA
   is not an acronym but a name).  This document updates the IANA
   registry definition for the TLSA record to add a column containing an
   acronym for each specified field, in order to reduce confusion.  This
   document does not change the DANE protocol in any way.

   It is expected that DANE parsers in applications and DNS software can
   be extended to accept the acronym for each field in addition to its
   numeric value.

2.  IANA Considerations

   This document applies to the "DNS-Based Authentication of Named
   Entities (DANE) Parameters" registry located at <http://www.iana.org/
   assignments/dane-parameters>.  IANA has added a column with an
   acronym to each of the sub-registries.

   [RFC6698] and this document are the referenced documents for the
   three sub-registries.

   As these acronyms are offered for human consumption, case does not
   matter; it is expected that software that parses TLSA records will
   handle upper-, mixed-, or lower-case characters as input.

2.1.  TLSA Certificate Usages Registry

   The reference for this registry has been updated to include both
   [RFC6698] and this document.

   +-------+----------+--------------------------------+-------------+
   | Value | Acronym  | Short Description              | Reference   |
   +-------+----------+--------------------------------+-------------+
   | 0     | PKIX-TA  | CA constraint                  | [RFC6698]   |
   | 1     | PKIX-EE  | Service certificate constraint | [RFC6698]   |
   | 2     | DANE-TA  | Trust anchor assertion         | [RFC6698]   |
   | 3     | DANE-EE  | Domain-issued certificate      | [RFC6698]   |
   | 4-254 |          | Unassigned                     |             |
   | 255   | PrivCert | Reserved for Private Use       | [RFC6698]   |
   +-------+----------+--------------------------------+-------------+

                     Table 1: TLSA Certificate Usages

2.2.  TLSA Selectors

   The reference for this registry has been updated to include both
   [RFC6698] and this document.

   +-------+---------+--------------------------+-------------+
   | Value | Acronym | Short Description        | Reference   |
   +-------+---------+--------------------------+-------------+
   | 0     | Cert    | Full certificate         | [RFC6698]   |
   | 1     | SPKI    | SubjectPublicKeyInfo     | [RFC6698]   |
   | 2-254 |         | Unassigned               |             |
   | 255   | PrivSel | Reserved for Private Use | [RFC6698]   |
   +-------+---------+--------------------------+-------------+

                        Table 2: TLSA Selectors

2.3.  TLSA Matching Types

   The reference for this registry has been updated to include both
   [RFC6698] and this document.

   +-------+-----------+--------------------------+-------------+
   | Value | Acronym   | Short Description        | Reference   |
   +-------+-----------+--------------------------+-------------+
   | 0     | Full      | No hash used             | [RFC6698]   |
   | 1     | SHA2-256  | 256 bit hash by SHA2     | [RFC6234]   |
   | 2     | SHA2-512  | 512 bit hash by SHA2     | [RFC6234]   |
   | 3-254 |           | Unassigned               |             |
   | 255   | PrivMatch | Reserved for Private Use | [RFC6698]   |
   +-------+-----------+--------------------------+-------------+

                      Table 3: TLSA Matching Types

3.  Examples of Usage

   Two examples are described below.

3.1.  TLSA Records Using/Displaying the Acronyms

   _666._tcp.first.example.  TLSA PKIX-TA CERT SHA2-512 {blob}
   _666._tcp.second.example. TLSA DANE-TA SPKI SHA2-256 {blob}

3.2.  Acronym Use in a Specification Example

   Protocol FOO only allows TLSA records using PKIX-EE and DANE-EE, with
   selector SPKI, and using SHA2-512.
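
   The following Python is an added example, not code from RFC 7218,
   IANA, or any DANE implementation.  It parses TLSA RDATA in
   presentation format, accepting either the numeric value or the
   acronym from Tables 1-3 in any case (as Section 2 expects), renders
   records back with the acronyms (falling back to the number for
   unassigned values, which have no acronym), and applies the Section
   3.2 constraint for the hypothetical protocol FOO to the Section 3.1
   records.  It also rejects association data whose length does not
   match the matching type (32 bytes for SHA2-256, 64 for SHA2-512),
   since RFC 6698 defines that data as the digest output.  The digests
   standing in for the "{blob}" placeholders are constructed, and the
   sample zone lines omit TTL and class.

```python
"""Parse, normalize and policy-check TLSA records written with the
RFC 7218 acronyms (added example; not code from RFC 7218 or IANA)."""
import hashlib
import re

# Value -> acronym, transcribed from RFC 7218 Tables 1-3.
CERT_USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE",
               255: "PrivCert"}
SELECTORS = {0: "Cert", 1: "SPKI", 255: "PrivSel"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512", 255: "PrivMatch"}

# Byte length of the Certificate Association Data for the hashed matching
# types (RFC 6698: the data is the digest output).  "Full" (0) carries the
# whole certificate or SPKI, so its length is not fixed.
DIGEST_LEN = {1: 32, 2: 64}


class TLSAError(ValueError):
    """Raised for RDATA that is syntactically or semantically invalid."""


def _field(token, table, name):
    """Accept a decimal value or a registered acronym in any case."""
    if token.isdigit():
        value = int(token)
        if not 0 <= value <= 255:
            raise TLSAError(f"{name} {token} is outside 0-255")
        return value
    by_acronym = {acr.lower(): val for val, acr in table.items()}
    if token.lower() not in by_acronym:
        raise TLSAError(f"unknown {name} acronym {token!r}")
    return by_acronym[token.lower()]


def parse_tlsa(rdata):
    """Parse TLSA RDATA; return (usage, selector, matching_type, data).

    The hex data may be split into whitespace-separated chunks, as zone
    files permit.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise TLSAError("TLSA RDATA needs usage, selector, matching type, data")
    usage = _field(parts[0], CERT_USAGES, "certificate usage")
    selector = _field(parts[1], SELECTORS, "selector")
    mtype = _field(parts[2], MATCHING_TYPES, "matching type")
    hexdata = "".join(parts[3:])
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
        raise TLSAError("certificate association data is not valid hex")
    data = bytes.fromhex(hexdata)
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise TLSAError(f"{MATCHING_TYPES[mtype]} requires {want} bytes of "
                        f"data, got {len(data)}")
    return usage, selector, mtype, data


def format_tlsa(usage, selector, mtype, data, acronyms=True):
    """Render RDATA; unassigned values have no acronym and stay numeric."""
    def show(value, table):
        return table.get(value, str(value)) if acronyms else str(value)
    return (f"{show(usage, CERT_USAGES)} {show(selector, SELECTORS)} "
            f"{show(mtype, MATCHING_TYPES)} {data.hex().upper()}")


# RFC 7218 Section 3.2 as a machine-checkable constraint: protocol FOO
# only allows PKIX-EE or DANE-EE, selector SPKI, matching type SHA2-512.
FOO_POLICY = {"usages": {1, 3}, "selectors": {1}, "matching_types": {2}}


def allowed_by_policy(record, policy):
    usage, selector, mtype, _ = record
    return (usage in policy["usages"] and selector in policy["selectors"]
            and mtype in policy["matching_types"])


def parse_zone_line(line):
    """Split 'owner TLSA rdata' (TTL and class omitted) into (owner, record)."""
    owner, rrtype, rdata = line.split(None, 2)
    if rrtype.upper() != "TLSA":
        raise TLSAError(f"not a TLSA record: {rrtype}")
    return owner, parse_tlsa(rdata)


# Constructed sample data standing in for the "{blob}" placeholders of
# RFC 7218 Section 3.1; these are not digests of real certificates.
_BLOB_512 = hashlib.sha512(b"constructed: first.example").hexdigest()
_BLOB_256 = hashlib.sha256(b"constructed: second.example").hexdigest()
SAMPLE_ZONE = [
    f"_666._tcp.first.example. TLSA PKIX-TA CERT SHA2-512 {_BLOB_512}",
    f"_666._tcp.second.example. TLSA dane-ta spki sha2-256 {_BLOB_256}",
    f"_666._tcp.third.example. TLSA 3 1 2 {_BLOB_512}",  # DANE-EE SPKI SHA2-512
]

if __name__ == "__main__":
    for line in SAMPLE_ZONE:
        owner, rec = parse_zone_line(line)
        verdict = "allowed" if allowed_by_policy(rec, FOO_POLICY) else "rejected"
        print(f"{owner:28} {format_tlsa(*rec)[:22]}... FOO: {verdict}")
```

   Run stand-alone, it prints each sample owner, its acronym form, and
   the FOO verdict: only the third record (DANE-EE SPKI SHA2-512,
   written numerically as "3 1 2") passes.  The length check matters in
   practice: a record such as "DANE-EE SPKI SHA2-256" followed by a
   64-byte digest is rejected at parse time, which catches the common
   zone-file mistake of pasting a SHA2-512 digest under matching type 1.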

4.  Security Considerations

   This document only changes registry fields and does not change the
   behavior of any protocol.  The hope is to reduce confusion, leading
   to better specifications and operations.

5.  Acknowledgements

   Scott Schmit offered really good suggestions to decrease the
   possibility of confusion.  Viktor Dukhovni provided comments from the
   expert point of view.  Jim Schaad, Wes Hardaker, and Paul Hoffman
   provided feedback during WGLC.  Dan Romascanu and Tobias Gondrom
   pointed out a few defects during the IESG last call.

6.  References

6.1.  Normative References

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.

6.2.  Informative References

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

Author's Address

   Olafur Gudmundsson
   Shinkuro Inc.
   4922 Fairmont Av, Suite 250
   Bethesda, MD 20814
   USA

   EMail: ogud@ogud.com
