Network Working Group J. Hildebrand Internet-Draft Cisco Intended status: Standards Track S. Turner Expires: April 22, 2010 IECA, Inc. October 19, 2009 Domain Name Assertions draft-hildebrand-dna-00 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 22, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract An application-level approach to asserting and proving the delegated ownership of a domain name for XMPP. Hildebrand & Turner Expires April 22, 2010 [Page 1] Internet-Draft DNA October 2009 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Generic Use Cases . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Assertions . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Validation . . . . . . . . . . . . . . . . . . . . . . . . 5 4.3. Invalidation . . . . . . . . . . . . . . . . . . . . . . . 5 4.4. Requesting proof with a challenge . . . . . . . . . . . . 6 4.5. No proof possible . . . . . . . . . . . . . . . . . . . . 6 4.6. Proving a challenge . . . . . . . . . . . . . . . . . . . 7 5. Attribute Certificate Proof . . . . . . . . . . . . . . . . . 7 5.1. Attribute Certificate Issuer Profile . . . . . . . . . . . 7 5.2. Attribute Certificate Profile . . . . . . . . . . . . . . 8 5.3. Access Identity Values . . . . . . . . . . . . . . . . . . 8 5.3.1. XMPP . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.4. Attribute Certificate Signature Algorithms . . . . . . . . 9 5.5. Proof Encoding . . . . . . . . . . . . . . . . . . . . . . 9 6. DNA for XMPP Federation . . . . . . . . . . . . . . . . . . . 9 6.1. DNS SRV lookups . . . . . . . . . . . . . . . . . . . . . 10 6.2. Certificates during Start-TLS . . . . . . . . . . . . . . 10 6.3. Discovering Support . . . . . . . . . . . . . . . . . . . 11 6.4. Turning on DNA . . . . . . . . . . . . . . . . . . . . . . 11 6.5. Asserting new domains . . . . . . . . . . . . . . . . . . 12 6.6. Proactive challenges . . . . . . . . . . . . . . . . . . . 12 6.7. Proactive validation . . . . . . . . . . . . . . . . . . . 12 6.8. Reusing streams . . . . . . . . . . . . . . . . . . . . . 13 6.9. Implementation notes . . . . . . . . . . . . . . . . . . . 13 7. DNA for XMPP client connections . . . . . . . . . . . . . . . 13 7.1. Announcing Support . . . . . . . . . . . . . . . . . . . . 14 7.2. Client challenges for proof . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8.1. XML Namespace Name for DNA . . . . . . . . . . . . . . . . 14 8.2. URN space for standard DNA Proof Types . . . . . . . . . . 14 8.3. DNA Proof Registry . . . . . . . . . . . . . . . . . . . . 15 8.4. Object Identifiers . . . . . . . . . . . . . . . . . . . . 15 9. Internationalization Considerations . . . . . . . . . . . . . 15 10. Security Considerations . . . . . . . . . . . . . . . . . . . 15 11. Normative References . . . . . . . . . . . . . . . . . . . . . 15 Appendix A. RELAX NG XML Schema . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Hildebrand & Turner Expires April 22, 2010 [Page 2] Internet-Draft DNA October 2009 1. Introduction As large hosting providers begin providing XMPP services for multiple domains, several issues with previous mechanisms for server-to-server federation have become apparent. A large number of sockets are currently required between hosting providers. Although servers may attempt to piggyback whenever possible, the possibility exists that 2*N*M sockets will be created (where N is the number of domains on one hosting provider, and M is the number of domains on another hosting provider). The goal would be that the number of sockets was dependent on load or deployment considerations. In order to enable or require encryption, the hosting provider must create a separate socket for each hostname pair and have access to a X.509 certificate that is signed by a widely-trusted CA and includes both the public and private keys. Customers of hosting providers might be uncomfortable with the level of trust this requires. This document lays out an approach known as Domain Name Assertions (DNA) that allows providers to effectively host XMPP services on behalf of other companies, and might be expanded later to support other protocols. 2. Glossary Hosted domain An XMPP domain whose network services are delegated to a third party. Hosting provider A business entity that provides services for one or more domains that it does not directly and fully control. Self-hosted domain A domain whose owner acts as its hosting provider. Delegation A ceremony that acts as proof of the intent of the owner of a hosted domain to cede control to a hosting provider for a given protocol. Widely-trusted CA For open communities, a Certificate Authority whose certificate that is trusted by multiple web browsers by default. For closed communities, a Certificate Authority that is trusted by all members of that community. Sender Domain The domain associated with the 'from' address on a stanza to be sent across a federation boundary. Target Domain The domain associated with the 'to' address on a stanza to be sent across a federation boundary. Hildebrand & Turner Expires April 22, 2010 [Page 3] Internet-Draft DNA October 2009 Originating Server The machine that wants to send a message from an entity at the Sender Domain to an entity at the Target Domain and thus is attempting to establish a connection between the two servers. Receiving Server The machine to which the Originating Server has opened a connection for the purpose of sending a message from the Sender Domain to the Target Domain. Asserting Entity A system element (such as a server) asserting a given domain name as an identity. Validating Entity A system element (such as a client or server) that checks a given identity asserted by an asserting entity. Asserted Domain A domain name asserted by either side of a conversation. validating entities may require assertions to be backed up with proof. Proof A secure mechanism through which a validating entity can ascertain that an asserting entity has authority for the asserted domain, either directly or indirectly (by delegation). 3. Requirements 1. A hosting provider MUST be able to service domains for which it cannot obtain certificates signed by a widely-trusted CA. 2. All network traffic (except for initial handshakes) MUST be encrypted in a manner not subject to man-in-the-middle attacks. 3. The number of socket connections between hosting providers MUST NOT be a function of the number of domains hosted by either provider. 4. Connections MUST be usable in either direction, if allowed by policy and deployment considerations. 5. The owners of the hosted domain MUST NOT be required to give out private keying material associated with any certificate they own that has been signed by a widely-trusted CA. 6. The owners of the hosted domain MUST be allowed to choose the frequency with which they wish to perform the delegation ceremony. 7. The owners of the hosted domain MUST be allowed to revoke their delegation at any time. 8. Multiple mechanisms for proving delegation MUST be possible. 9. It MUST be possible for new assertions to be added to a stream at any point after the stream is fully established, but before the stream is closed 4. Generic Use Cases The DNA mechanism can be used for multiple different protocols. In particular, client-to-server XMPP and server-to-server XMPP are Hildebrand & Turner Expires April 22, 2010 [Page 4] Internet-Draft DNA October 2009 discussed herein, but the general approach could be used for non-XMPP protocols such as SMTP or IMAP. As such, the protocol syntax offered here is normative for XMPP, but merely illustrative for other protocols, which will need their own protocol bindings. The following domain names are used in the examples in this section: asserted.tld The domain name being asserted. 4.1. Assertions The asserting entity asserts a domain name through the use of an "assert" element. Assertions MUST contain a "from" attribute naming the domain name that is being asserted. 4.2. Validation When the validating entity has been satisified that the asserting entity is authoritative for the domain name asserted, it MUST send a "valid" element. At this point, the asserting entity MAY send stanzas to the validating entity containing from addresses in the asserted and validated domain. Validating entities SHOULD respond to a domain name assertion without asking for further proof when the domain name asserted is represented in the certificate offered by the asserting entity according to the rules set out in [rfc3920bis]. Validating entities MAY respond to a domain name assertion without asking for further proof when the domain name asserted is known to be associated with the asserting entity through some other secure means such as DNSSEC, caching, or local knowledge. In the DNSSEC case, the server hostname in the SRV record used to connect SHOULD be looked for in the certificate offered by the asserting entity, according to the rules set out in [rfc3920bis]. 4.3. Invalidation When the validating entity does not accept proof offered by the asserting entity, or it no longer trusts the proof (for example due to the proof timing out or being revoked), it sends the asserting entity an "invalid" element. The asserting entity MUST NOT send any stanzas to the validating entity containing from addresses in the invalidated domain without performing another validation. Invalid responses MAY be given in direct response to an assertion if the validating entity has reason to believe that no proof is Hildebrand & Turner Expires April 22, 2010 [Page 5] Internet-Draft DNA October 2009 possible. Examples that would cause this response include a blocking list or a negative cache. 4.4. Requesting proof with a challenge If an assertion cannot be validated immediately, the validating entity may ask for further proof. Inside the "challenge" element, at least one form of proof that will be acceptable MUST be given to the asserting entity. If an acceptable proof format is not available for the asserted domain, the validating entity MUST return an invalid response proactively. A "proof" element designates a type of proof that would be acceptable to the verifying entity. The "type" attribute of the "proof" element MUST be a valid URI. A registry of proof types will be created with the IANA (see Section 8). Standard proof types will begin with "urn:ietf:params:dna:proof:". Custom proofs should be signaled with a "type" attribute value containing a full URI under the control of the defining party. Proof types MUST be compared for equality using the rules for comparing URIs. Some proof types MAY require information or nonces from the validating entity. If so, the specification for that proof type MUST specify extensions to the "proof" element in a new namespace. In some protocols, a challenge MAY be sent without an assertion, if the validating entity has reason to believe that the entity with which it is talking is authoritative for a given domain. < type='http://example.com/proof/custom'/> 4.5. No proof possible If the validating entity requires proof, but will not accept proof by a means that the asserting entity has available for the asserted domain, the asserting entity MUST respond with an "impossible" element. The validating entity MUST NOT send a "valid" or "invalid" element in response, and MUST NOT accept stanzas from the asserted domain on this connection unless some other assertion works in the future. The "impossible" element MAY be sent after full validation, if the asserting entity would like to retract the assertion. Hildebrand & Turner Expires April 22, 2010 [Page 6] Internet-Draft DNA October 2009 4.6. Proving a challenge If an asserting entity thinks it can prove a given assertion when challenged, it sends that proof in a "proof" element. The REQUIRED "type" attribute specifies the chosen proof type, and the REQUIRED "from" attribute specifies the domain being proved. Each proof type MUST specify the format of the contents of the "proof" element. Suggestions for formats include Base64-encoded binary as character data or structured XML in a new namespace. (Base64-encoded attribute certificate) 5. Attribute Certificate Proof When an asserting entity has been delegated responsibility for hosting a given domain, an Attribute Certificate MUST be used to prove the delegation. The proof type URI associated with attribute certificates SHALL be 'urn:ietf:params:dna:proof:attribute-cert' (EDITOR'S NOTE: We will work with IANA to come up with a good URN. This is just a placeholder.) The certificate that signed the attribute certificate MUST have been acceptable as proof of ownership of a given domain for the protocol in question, according to the rules in [rfc3920bis]. Validating entities SHOULD try prepending the asserted domain with "www." and re-checking for name matches before rejecting the signing certificate, in order to allow for easier deployments using existing web certificates as proof. Each protocol that is delegated will be assigned its own OID to identify a service and whether the entity can act as a server or client. These values will be included in the Access Identifier attribute, from [I-D.ietf-pkix-3281update]. This document defines the OIDs for XMPP. Other documents may specify additional OIDs. The remaining paragraphs in this section profile the attribute certificate issuers public key certificate and the attribute certificate. 5.1. Attribute Certificate Issuer Profile The following is a profile of the attribute certificate issuer's public key certificate, which is as per [I-D.ietf-pkix-3281update]: Hildebrand & Turner Expires April 22, 2010 [Page 7] Internet-Draft DNA October 2009 o The issuer's certificate MUST conform to [RFC5280]. o The issuer's certificate MUST have a keyUsage extension with the digitalSignature bit set. o The issuer's certificate MUST NOT have a basicConstraints extension with the cA BOOLEAN set to TRUE. In addition to the [I-D.ietf-pkix-3281update] requirements, the subject name MUST be non-NULL in the attribute certificate issuer's public key certificate. 5.2. Attribute Certificate Profile The attribute certificate issued MUST conform to [I-D.ietf-pkix-3281update]. There are options in that profile and the following profiles those options: o The holder field MUST be the baseCertificateID. o The attributes field MUST include the Access Identity attribute, as specified in Section 4.4.2 of [I-D.ietf-pkix-3281update]. Both the service and ident fields' GeneralName choice MUST be registeredID. The service and ident fields MUST be as defined in Section 5.3. Other attributes MAY be included. o The extensions field MUST include the non-critical noRevAvail extension, as defined in Section 4.3.6 of [I-D.ietf-pkix-3281update], to indicate that no revocation information is available from the attribute certificate issuer. o The extensions field MAY include: * The authorityKeyIdentifier extension if the issuer has more than one key pair. * The issuerAltName extension if the issuer's certificate includes the subjectAltName extension. If included issuerAltName MUST be marked non-critical. 5.3. Access Identity Values The following paragraphs define the service and ident values for the delegated protocols. Currently, only values for XMPP are defined. A later version of this document or another document may specify additional values for other protocols. 5.3.1. XMPP When XMPP is delegated the following procedures MUST be followed. The service field MUST be id-xmpp. The following object identifier identifies that the AC holder supports XMPP: id-xmpp OBJECT IDENTIFIER ::= { TBD } The ident field MUST be either id-xmpp-client or id-xmpp-server. Hildebrand & Turner Expires April 22, 2010 [Page 8] Internet-Draft DNA October 2009 Both id-xmpp-client and id-xmpp-server MAY appear in the same attribute certificate. Note that the Access Identity attribute will be multi-valued when both id-xmpp-client and id-xmpp-server are present. The following object identifier identifies the AC holder as the XMPP client: id-xmpp-client OBJECT IDENTIFIER ::= { id-xmpp 0 } The following object identifier identifies the AC holder as the XMPP server: id-xmpp-server OBJECT IDENTIFIER ::= { id-xmpp 1 } 5.4. Attribute Certificate Signature Algorithms The issuer MUST support signing attribute certificate with the PKCS #1 version 1.5 signature algorithm with SHA-256, as specified in [RFC4055]. 5.5. Proof Encoding The attribute certificate, the issuer's certificate, and all of the CA certificates in the trust chain of the signing certificate back to the trust anchor are encoded as a "certs-only" SMIME message, as per [I-D.ietf-smime-3851bis] (i.e, a degenerate SignedData with no content just certificates). The resulting message is then Base64 encoded, as per Section 6.8 of [RFC2045]. The end result is then transmitted as the character data of a "proof" element. 6. DNA for XMPP Federation Two XMPP servers, each of which hosts multiple domains that they do not directly control, desire to connect in order to exchange traffic for at least two of those domains (one on either side). The following domain names are used in the examples: target.tld The domain portion of the JID in the to address of the stanza that caused this connection to be initiated. othertarget.tld The domain portion of the JID in the to address of a stanza being sent across a stream that was originally started to talk to target.tld. targetprovider.tld The hosting provider for target.tld. server.targetprovider.tld A server with XMPP federation services at the target's hosting provider. Hildebrand & Turner Expires April 22, 2010 [Page 9] Internet-Draft DNA October 2009 originator.tld The domain portion of the JID in the from address of the stanza that caused this connection to be initiated. originatingprovider.tld The hosting provider for target.tld. server.originatingprovider.tld A server with XMPP federation services at the originator's hosting provider. 6.1. DNS SRV lookups In a delegated hosting scenario, DNS SRV records are REQUIRED, since otherwise the hosting provider will never be contacted for the target domain. As specified by [rfc3920bis] the originating server looks up the target domain to find a list of receiving servers. If the originating server already has a connection to the IP address represented by one of these servers (perhaps because it is communicating with another domain hosted by this provider), it MAY reuse that stream (see Stream Reuse). If the originating server does not have a connection it wants to reuse, it performs the SRV algorithm to select an SRV record and makes a TCP connection to the server and port specified by the selected SRV record. Unless assured by a mechanism such as DNSSEC, the originating server MUST NOT trust the information received from the DNS SRV as proof that the target domain has been delegated to the receiving server. % dig +short -t SRV _xmpp-server._tcp.target.tld 0 1 5269 server.targetprovider.tld 6.2. Certificates during Start-TLS The first step during stream negotiation MUST be Start-TLS. The receiving server MUST offer a certificate signed by a widely-trusted CA. The receiving server MUST require a client certificate. The certificate offered by the originating server MUST be signed be a widely-trusted CA. Both sides MUST check the certificate offered to it for validity (e.g. time period, signatures, and trust anchor), but MUST NOT disconnect when the certificate received does not contain a name matching its expectations. The names on these certificates SHOULD be associated with the relevant hosting provider, and need not be related to the domains being hosted. If the certificates have the name of the server offered in the SRV record, it MAY be possible to use DNSSEC for proof in the future. CN=server.targetprovider.tld CN=server.originatingprovider.tld Hildebrand & Turner Expires April 22, 2010 [Page 10] Internet-Draft DNA October 2009 6.3. Discovering Support To and from addresses are REQUIRED in the stream:stream tag. These represent the first domain pair associated with this stream, and are the domain names from the stanza that caused this connection to be established. To announce its support for DNA, the receiving server asserts its identity in the stream features following TLS negotiation. 6.4. Turning on DNA If the originating server supports DNA, it looks for an assertion in the stream features. If it finds none, it MAY fall back on another means of verifying the identiy of the target server, if allowed by local policy. Originating servers that support DNA talking to target servers that declare support for DNA MUST NOT send protocol other than DNA negotations until they are able to validate the assertion offered by the target server in the stream features. The first validation proves to the originating server that it is talking to a server authoritative for the target domain, so that it is safe to use this domain in "to" addresses on this stream. Once an originating server completes this first validation it signals that it is willing and able to participate in bi-directional XMPP federation traffic, as long as all of the domains required have been asserted and validated at least once on this stream. If the originating server does not require more proof (due to a certificate match or DNSSEC-verified delegation), it may send a "valid" element without requesting proof first, as in all DNA interactions. (Base64-encoded attribute certificate) Hildebrand & Turner Expires April 22, 2010 [Page 11] Internet-Draft DNA October 2009 6.5. Asserting new domains Before either side sends stanzas on a given stream, it MUST ensure that the other side will accept those stanzas by asserting the domain in the "from" attribute of those stanzas, and waiting for a "valid" response before sending the stanzas in question. The originating server MUST therefore send its own assertion after accepting the target domain's assertion. 6.6. Proactive challenges Before either side sends stanzas on a given stream, it MUST ensure that the other side is authoriative for the domain in the "to" attribute on those stanzas. If the sender has already accepted an assertion on this stream, and that assertion has not been revoked with an "impossible" element, no action is required. Otherwise, the sender can proactively request proof for that domain by sending a challenge even though the other side has not sent an assertion for that domain yet. 6.7. Proactive validation When two hosting providers connect, they may have previous knowledge (perhaps from a cache) of which domains they will trust on the new connection. If so, either side MAY send as many "valid" elements as desired, even though the other side has not sent assertions for those domain. The server receiving these proactive validations MUST NOT change its self-image (which domains it thinks it is authoritative for), but SHOULD NOT send assertions for these domains on this stream. If the server receiving a proactive validation is no long authoritative for a given domain, it MUST send an "impossible" element, at which point the sender MUST remove the receiver from any cache and not send any stanzas on this stream to the given domain. Any cache of DNA information SHOULD be associated with the certificate offerred by the relevant server, and SHOULD be checked for revocation if possible, according to local policy. Hildebrand & Turner Expires April 22, 2010 [Page 12] Internet-Draft DNA October 2009 6.8. Reusing streams DNA streams are bi-directional, and may have an aribtrary number of domains validated in either direction, at any point in the lifetime of the stream. Before sending a stanza on a given stream, the sender MUST ensure that "valid" elements have been exchanged according to the above rules for both the "to" and "from" address, and that no "invalid" or "impossible" element has revoked an assertion. An "impossible" or "invalid" element SHOULD NOT cause the rest of the stream to become invalidated in either directions. When these elements are seen, they SHOULD merely change the list of domains that are valid on that stream. If no domains are valid on the stream, the stream MAY be closed immediately, or MAY be left open if desired. If left open, the stream MUST NOT be used for stanza traffic until domains are asserted as needed for the desired domains. Domains that are marked as "invalid" or "impossible" SHOULD NOT be retried on the same stream unless new information has become available, in order to prevent assertion storms. 6.9. Implementation notes If the first server-to-server validation exchange fails, the parties MAY keep the connection open (perhaps for a shorter than is usual) in case another domain pair would need a connection between these servers. Ensure that only one challenge is outstanding on a given connection for a given domain. Ensure that only one assertion or one proof is outstanding on a given connection for a given domain. 7. DNA for XMPP client connections Hosting providers have a similar problem for client to server connections. Clients need to ensure that they are talking to an authoritative server for the domain they intend to log in to. Typically, this is done by examining the certificate offered by the server during TLS negotiation, according to the rules in [rfc3920bis]. However, hosting providers will typically not have access to a valid certificate for the target domain and its associated private key. DNA can be used for the hosting provider to prove that hosting services have been delegated to it. Hildebrand & Turner Expires April 22, 2010 [Page 13] Internet-Draft DNA October 2009 7.1. Announcing Support To announce its support for DNA, the server asserts its identity in the stream features following TLS negotiation. The server MUST offer the identity of the domain specified in the client's stream header "to" attribute. 7.2. Client challenges for proof To utilize the server's DNA assertion, the client performs Start-TLS per [rfc3920bis], however, if the client does not find a name match on the offered certificate, it does not disconnect immediately. Instead, if the server offers an assertion, it can use the name from that assertion to ask the server for proof of delegation. Subsequent protocol follows the generic use cases above, with the exception that alternate or additional domain names MUST NOT be asserted. If the server returns an "impossible" element, the server MUST terminate the stream. If the client sends an "invalid" element, the client MUST terminate the stream. 8. IANA Considerations 8.1. XML Namespace Name for DNA A URN sub-namespace for Domain Name Assertion (DNA) negotiation data in the Extensible Messaging and Presence Protocol (XMPP) is defined as follows. (This namespace name adheres to the format defined in .) URI: urn:ietf:params:xml:ns:dna Specification: XXXX Description: This is the XML namespace name for Domain Name Assertion (DNA) negotiation data in the Extensible Messaging and Presence Protocol (XMPP) as defined by XXXX. Registrant Contact: IETF, XMPP Working Group, 8.2. URN space for standard DNA Proof Types A URN sub-namespace for DNA is defined as follows. (This namespace name adheres to the format defined in .) Hildebrand & Turner Expires April 22, 2010 [Page 14] Internet-Draft DNA October 2009 URI: urn:ietf:params:dna:proof Specification: XXXX Description: This is the sub-namespace for standardized Domain Name Assertion (DNA) proof types as defined by XXXX. Registrant Contact: IETF, XMPP Working Group, 8.3. DNA Proof Registry The URNs inside urn:ietf:params:dna:proof 8.4. Object Identifiers The following OIDs are defined in Section 5.3 of this document: o id-xmpp o id-xmpp-client o id-xmpp-server 9. Internationalization Considerations The domains offered MUST conform to all of the rules for "Domain Identitifiers", as specified in &rfc3920bis;, including (but not limited to) the rules for syntax, cannonicalization and comparison. 10. Security Considerations TBD. 11. Normative References [rfc3920bis] Saint-Andre, P., "Extensible Messaging and Presence Protocol (XMPP): Core", draft-ietf-xmpp-3920bis-02 (work in progress), September 2009. [I-D.ietf-pkix-3281update] Housley, R., Farrell, S., and S. Turner, "An Internet Attribute Certificate Profile for Authorization", draft-ietf-pkix-3281update-05 (work in progress), April 2009. [I-D.ietf-smime-3851bis] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", draft-ietf-smime-3851bis-11 (work in progress), May 2009. Hildebrand & Turner Expires April 22, 2010 [Page 15] Internet-Draft DNA October 2009 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, November 1996. [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. Appendix A. RELAX NG XML Schema default namespace = "urn:ietf:params:xml:ns:dna" # Intent: Internationalized Domain Name (simplisitic view) domain = xsd:string { pattern = "(\p{L}|\p{N})(\p{L}|\p{N}|\p{M}|-)*" "(\.(\p{L}|\p{N})(\p{L}|\p{N}|\p{M}|-)*)*"} assert = element assert { attribute from { domain } } valid = element valid { attribute to { domain } } invalid = element valid { attribute to { domain } } proof = element proof { attribute type { xsd:anyURI }, attribute from { domain }?, text? } challenge = element challenge { proof+ } start = assert | valid | invalid | proof | challenge Hildebrand & Turner Expires April 22, 2010 [Page 16] Internet-Draft DNA October 2009 Authors' Addresses Joe Hildebrand Cisco Email: jhildebr@cisco.com Sean Turner IECA, Inc. Email: turners@ieca.com Hildebrand & Turner Expires April 22, 2010 [Page 17]