draft-ietf-pkix-srvsan-00 - PowerPoint PPT Presentation

Slides: 7
Provided by: stef158
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
draft-ietf-pkix-srvsan-00
  • Stefan Santesson
  • Microsoft

2
New approach with pkix 00 draft
  • Now a service name associated with domain name
  • Form: _service.domain
  • Example: _pop.example.com
  • No longer a SRV record in the certificate

3
Usage scenario
  • Primary scenario
    • Client has pre-knowledge of the service name and domain name
    • Client makes a DNS query for the SRV record for the service in that domain
    • Client obtains a list of available hosts
    • Client authenticates the host against the service name otherName (ON) in its certificate
  • Note: the service ON in the host cert is compared with the client's pre-knowledge, NOT against the SRV record.

4
Encoding format?
  • Current draft: UTF8
  • Other proposals
    • OCTETSTRING
    • IA5String

5
WHY UTF8?
  • Service ON is compared with client pre-knowledge (not the SRV record). This pre-knowledge is likely to be stored in string format.
  • SRV records contain ASCII within the binary data.
  • In case of IDNA
    • UTF8 to ASCII is easy
    • ASCII to UTF8 is not so easy
  • UTF8 makes UI design much easier
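
The check from the usage scenario and the IDNA point above, as an added example that is not part of the presentation or the draft: the host is accepted on a match between the client's pre-knowledge and the service name in the certificate, and the SRV answer only supplies candidate hosts. `HostCert`, the function names, the sample hosts, the case-insensitive comparison and the use of Python's built-in IDNA codec are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class HostCert:
    """Stand-in for a parsed certificate (hypothetical type, not a real API)."""
    host: str
    srv_names: list[str]   # service name ON values, form _service.domain

def to_ascii(name: str) -> str:
    """Normalise _service.domain: IDNA-encode the domain part, then lowercase."""
    service, _, domain = name.partition(".")
    if not service.startswith("_") or not domain:
        raise ValueError(f"not of the form _service.domain: {name!r}")
    # Assumption: names compare case-insensitively, as DNS names do.
    return (service + "." + domain.encode("idna").decode("ascii")).lower()

def authenticate_host(expected: str, cert: HostCert) -> bool:
    """True only if the cert names the service the client already knew it wanted.
    Nothing from the DNS answer is an input to this decision."""
    want = to_ascii(expected)
    for name in cert.srv_names:
        try:
            if to_ascii(name) == want:
                return True
        except (ValueError, UnicodeError):
            continue   # a malformed entry never matches
    return False

def pick_host(expected, srv_targets, certs):
    """Try SRV targets in order; return the first whose cert matches, else None."""
    for target in srv_targets:
        cert = certs.get(target)
        if cert is not None and authenticate_host(expected, cert):
            return target
    return None

# Constructed sample data: the first SRV target presents a certificate for a
# different domain, so it is skipped even though DNS listed it first.
EXPECTED = "_pop.example.com"
SRV_ANSWER = ["mail.other.test", "pop1.example.com"]
CERTS = {
    "mail.other.test": HostCert("mail.other.test", ["_pop.other.test"]),
    "pop1.example.com": HostCert("pop1.example.com", ["_pop.example.com"]),
}

if __name__ == "__main__":
    print(pick_host(EXPECTED, SRV_ANSWER, CERTS))
```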

6
Where do we go from here?
  • Decide encoding format
  • Decide whether we think this will make it to RFC
    and get an OID defined.
  • Ready for WG last call?