One document matched: draft-ietf-xmpp-dna-03.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc compact="yes"?>
<?rfc strict="yes"?>
<?rfc symrefs="yes"?>
<?rfc toc="yes"?>
<?rfc tocdepth="2"?>
<rfc category="std" docName="draft-ietf-xmpp-dna-03" ipr="trust200902">
<front>
<title abbrev="XMPP DNA">Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP)</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>1899 Wynkoop Street, Suite 600</street>
<city>Denver</city>
<region>CO</region>
<code>80202</code>
<country>USA</country>
</postal>
<email>psaintan@cisco.com</email>
</address>
</author>
<author initials="M." surname="Miller" fullname="Matthew Miller">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>1899 Wynkoop Street, Suite 600</street>
<city>Denver</city>
<region>CO</region>
<code>80202</code>
<country>USA</country>
</postal>
<email>mamille2@cisco.com</email>
</address>
</author>
<date/>
<area>RAI</area>
<keyword>Internet-Draft</keyword>
<keyword>XMPP</keyword>
<keyword>Extensible Messaging and Presence Protocol</keyword>
<keyword>Jabber</keyword>
<keyword>federation</keyword>
<keyword>delegation</keyword>
<keyword>security</keyword>
<abstract>
<t>This document improves the security of the Extensible Messaging and Presence Protocol (XMPP) in two ways. First, it specifies how "prooftypes" can establish a strong association between a domain name and an XML stream. Second, it describes how to securely delegate a source domain to a derived domain, which is especially important in virtual hosting environments.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>The need to establish a strong association between a domain name and an XML stream arises in both client-to-server and server-to-server communication using the Extensible Messaging and Presence Protocol (XMPP), because XMPP servers are typically identified by DNS domain names. However, a client or peer server needs to verify the identity of a server to which it connects. To date, such verification has been established based on information obtained from the Domain Name System (DNS), the Public Key Infrastructure (PKI), or similar sources. This document (1) generalizes the model currently in use so that additional prooftypes can be defined, (2) provides a basis for modernizing some prooftypes to reflect progress in underlying technologies such as DNS Security <xref target="RFC4033"/>, and (3) describes the flow of operations for establishing a domain name association.</t>
<t>Furthermore, the process for resolving the domain name of an XMPP service into the IP address at which an XML stream will be negotiated (defined in <xref target='RFC6120'/>) can involve delegation of a source domain (say, example.com) to a derived domain (say, hosting.example.net). If such delegation is not done in a secure manner, then the domain name association cannot be authenticated. Therefore, this document provides guidelines for defining secure delegation methods.</t>
</section>
<section title="Terminology" anchor="terms">
<t>This document inherits XMPP terminology from <xref target="RFC6120"/> and <xref target="XEP-0220"/>, DNS terminology from <xref target="RFC1034"/>, <xref target="RFC1035"/>, <xref target="RFC2782"/> and <xref target="RFC4033"/>, and security terminology from <xref target="RFC4949"/> and <xref target="RFC5280"/>. The terms "source domain", "derived domain", "reference identity", and "presented identity" are used as defined in the "CertID" specification <xref target="RFC6125"/>. The terms "permissive federation", "verified federation", and "encrypted federation" are derived from <xref target="XEP-0238"/>, although we substitute the term "authenticated federation" for the term "trusted federation" from that document.</t>
</section>
<section title="Flow Chart" anchor="flow">
<t>The following flow chart illustrates the protocol flow for establishing domain name associations between Server A and Server B, as described in the remaining sections of this document.</t>
<figure>
<artwork><![CDATA[
|
|
(Section 4: A Simple Scenario)
|
|
DNS RESOLUTION ETC.
|
+-------------STREAM HEADERS--------------------+
| |
| A: <stream from='a.example' to='b.example'> |
| |
| B: <stream from='b.example' to='a.example'> |
| |
+-----------------------------------------------+
|
+-------------TLS NEGOTIATION-------------------+
| |
| B: Server Certificate |
| [B: Certificate Request] |
| [A: Client Certificate] |
| |
+-----------------------------------------------+
|
(A establishes DNA for b.example!)
|
+-------------AUTHENTICATION--------------------+
| | |
| {client certificate?} ----+ |
| | | |
| | yes no | |
| v | |
| SASL EXTERNAL | |
| (mutual auth!) | |
+------------------------------------|----------+
|
+----------------+
| B needs to auth A
|
(Section 5: One-Way Authentication)
|
|
DNS RESOLUTION ETC.
|
+-------------STREAM HEADERS--------------------+
| |
| B: <stream from='b.example' to='a.example'> |
| |
| A: <stream from='a.example' to='b.example'> |
| |
+-----------------------------------------------+
|
+-------------TLS NEGOTIATION-------------------+
| |
| A: Server Certificate |
| |
+-----------------------------------------------+
|
(B establishes DNA for a.example!)
|
|
(Section 6.1: Piggybacking Assertion)
|
|
+----------DIALBACK IDENTITY ASSERTION----------+
| |
| B: <db:result from='c.example' |
| to='a.example'/> |
| |
+-----------------------------------------------+
|
+-----------DNA DANCE AS ABOVE------------------+
| |
| DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION |
| |
+-----------------------------------------------+
|
+----------DIALBACK IDENTITY VERIFICATION-------+
| |
| A: <db:result from='a.example' |
| to='c.example' |
| type='valid'/> |
| |
+-----------------------------------------------+
|
|
(Section 6.2: Piggybacking Supposition)
|
|
+-----------SUBSEQUENT CONNECTION---------------+
| |
| B: <stream from='c.example' |
| to='rooms.a.example'> |
| |
| A: <stream from='rooms.a.example' |
| to='c.example'> |
| |
+-----------------------------------------------+
|
+-----------DNA DANCE AS ABOVE------------------+
| |
| DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION |
| |
+-----------------------------------------------+
|
+-----------DIALBACK OPTIMIZATION---------------+
| |
| B: <db:result from='c.example' |
| to='rooms.a.example'/> |
| |
| B: <db:result from='rooms.a.example' |
| to='c.example' |
| type='valid'/> |
| |
+-----------------------------------------------+
]]></artwork>
</figure>
</section>
<section title="A Simple Scenario" anchor="simple">
<t>To illustrate the problem, consider the simplified order of events (see <xref target='RFC6120'/> for details) in establishing an XML stream between Server A (a.example) and Server B (b.example):</t>
<t>
<list style='numbers'>
<t>Server A resolves the DNS domain name b.example.</t>
<t>Server A opens a TCP connection to the resolved IP address.</t>
<t>
Server A sends an initial stream header to Server B, asserting that it is a.example:
<vspace blankLines='1'/>
<stream:stream from='a.example' to='b.example'>
<vspace blankLines='1'/>
</t>
<t>
Server B sends a response stream header to Server A, asserting that it is b.example:
<vspace blankLines='1'/>
<stream:stream from='b.example' to='a.example'>
<vspace blankLines='1'/>
</t>
<t>The servers attempt TLS negotiation, during which Server B (acting as a TLS server) presents a PKIX certificate proving that it is b.example and Server A (acting as a TLS client) presents a PKIX certificate proving that it is a.example.</t>
<t>Server A checks the PKIX certificate that Server B provided and Server B checks the PKIX certificate that Server A provided; if these proofs are consistent with the XMPP profile of the matching rules from <xref target='RFC6125'/>, each server accepts that there is a strong domain name association between its stream to the other party and the DNS domain name of the other party.</t>
</list>
</t>
<t>Several simplifying assumptions underlie the happy scenario just outlined:</t>
<t>
<list style='symbols'>
<t>Server A presents a PKIX certificate during TLS negotiation, which enables the parties to complete mutual authentication.</t>
<t>There are no additional domains associated with Server A and Server B (say, a subdomain rooms.a.example on Server A or a second domain c.example on Server B).</t>
<t>The server administrators are able to obtain PKIX certificates in the first place.</t>
<t>The server administrators are running their own XMPP servers, rather than using hosting services.</t>
</list>
</t>
<t>Let's consider each of these "wrinkles" in turn.</t>
</section>
<section title="One-Way Authentication" anchor="oneway">
<t>If Server A does not present its PKIX certificate during TLS negotiation (perhaps because it wishes to verify the identity of Server B before presenting its own credentials), Server B is unable to mutually authenticate Server A. Therefore, Server B needs to negotiate and authenticate a stream to Server A, just as Server A has done:</t>
<t>
<list style='numbers'>
<t>Server B resolves the DNS domain name a.example.</t>
<t>Server B opens a TCP connection to the resolved IP address.</t>
<t>
Server B sends an initial stream header to Server A, asserting that it is b.example:
<vspace blankLines='1'/>
<stream:stream from='b.example' to='a.example'>
</t>
<t>
Server A sends a response stream header to Server B, asserting that it is a.example:
<vspace blankLines='1'/>
<stream:stream from='a.example' to='b.example'>
</t>
<t>The servers attempt TLS negotiation, during which Server A (acting as a TLS server) presents a PKIX certificate proving that it is a.example.</t>
<t>Server B checks the PKIX certificate that Server A provided; if it is consistent with the XMPP profile of the matching rules from <xref target='RFC6125'/>, Server B accepts that there is a strong domain name association between its stream to Server A and the DNS domain name a.example.</t>
</list>
</t>
<t>Unfortunately, now the servers are using two TCP connections instead of one, which is somewhat wasteful. However, there are ways to tie the authentication achieved on the second TCP connection to the first TCP connection; see <xref target='XEP-0288'/> for further discussion.</t>
</section>
<section title="Piggybacking" anchor="piggybacking">
<section title="Assertion" anchor="piggybacking-assertion">
<t>Consider the common scenario in which Server B hosts not only b.example but also a second domain c.example. If a user of Server B associated with c.example wishes to communicate with a friend at a.example, Server B needs to send XMPP stanzas from the domain c.example rather than b.example. Although Server B could open an new TCP connection and negotiate new XML streams for the domain pair of c.example and a.example, that too is wasteful. Server B already has a connection to a.example, so how can it assert that it would like to add a new domain pair to the existing connection?</t>
<t>The traditional method for doing so is the Server Dialback protocol, first specified in <xref target='RFC3920'/> and since moved to <xref target='XEP-0220'/>. Here, Server B can send a <db:result/> element for the new domain pair over the existing stream.</t>
<figure>
<artwork><![CDATA[
<db:result from='c.example' to='a.example'>
some-dialback-key
</db:result>
]]></artwork>
</figure>
<t>This element functions as Server B's assertion that it is (also) c.example, and thus is functionally equivalent to the 'from' address of an initial stream header as previously described.</t>
<t>In response to this assertion, Server A needs to obtain some kind of proof that Server B really is also c.example. It can do the same thing that it did before:</t>
<t>
<list style='numbers'>
<t>Server A resolves the DNS domain name c.example.</t>
<t>Server A opens a TCP connection to the resolved IP address (which might be the same IP address as for b.example).</t>
<t>
Server A sends an initial stream header to Server B, asserting that it is a.example:
<vspace blankLines='1'/>
<stream:stream from='a.example' to='c.example'>
</t>
<t>
Server B sends a response stream header to Server A, asserting that it is c.example:
<vspace blankLines='1'/>
<stream:stream from='c.example' to='a.example'>
</t>
<t>The servers attempt TLS negotiation, during which Server B (acting as a TLS server) presents a PKIX certificate proving that it is c.example.</t>
<t>Server A checks the PKIX certificate that Server B provided; if it is consistent with the XMPP profile of the matching rules from <xref target='RFC6125'/>, Server A accepts that there is a strong domain name association between its stream to Server B and the DNS domain name c.example.</t>
</list>
</t>
<t>Now that Server A accepts the domain name association, it informs Server B of that fact:</t>
<figure>
<artwork><![CDATA[
<db:result from='a.example' to='c.example' type='valid'/>
]]></artwork>
</figure>
<t>The parties can then terminate the second connection, since it was used only for Server A to associate a stream over the same IP:port combination with the domain name c.example (dialback key links the original stream to the new association).</t>
</section>
<section title="Supposition" anchor="piggybacking-supposition">
<t>Piggybacking can also occur in the other direction. Consider the common scenario in which Server A provides XMPP services not only for a.example but also for a subdomain such as a groupchat service at rooms.a.example (see <xref target='XEP-0045'/>). If a user from c.example at Server B wishes to join a room on the groupchat sevice, Server B needs to send XMPP stanzas from the domain c.example to the domain rooms.a.example rather than a.example. Therefore, Server B needs to negotiate and authenticate a stream to rooms.a.example:</t>
<t>
<list style='numbers'>
<t>Server B resolves the DNS domain name rooms.a.example.</t>
<t>Server B opens a TCP connection to the resolved IP address.</t>
<t>
Server B sends an initial stream header to Server A acting as rooms.a.example, asserting that it is b.example:
<vspace blankLines='1'/>
<stream:stream from='b.example' to='rooms.a.example'>
</t>
<t>
Server A sends a response stream header to Server B, asserting that it is rooms.a.example:
<vspace blankLines='1'/>
<stream:stream from='rooms.a.example' to='b.example'>
</t>
<t>The servers attempt TLS negotiation, during which Server A (acting as a TLS server) presents a PKIX certificate proving that it is rooms.a.example.</t>
<t>Server B checks the PKIX certificate that Server A provided; if it is consistent with the XMPP profile of the matching rules from <xref target='RFC6125'/>, Server B accepts that there is a strong domain name association between its stream to Server A and the DNS domain name rooms.a.example.</t>
</list>
</t>
<t>As before, the parties now have two TCP connections open. So that they can close the now-redundant connection, Server B sends a dialback key to Server A over the new connection.</t>
<figure>
<artwork><![CDATA[
<db:result from='c.example' to='rooms.a.example'>
some-dialback-key
</db:result>
]]></artwork>
</figure>
<t>Server A then informs Server B that it accepts the domain name association:</t>
<figure>
<artwork><![CDATA[
<db:result from='rooms.a.example' to='c.example' type='valid'/>
]]></artwork>
</figure>
<t>Server B can now close the connection over which it tested the domain name association for rooms.a.example.</t>
</section>
</section>
<section title="Alternative Prooftypes" anchor="alternatives">
<t>The foregoing protocol flows assumed that domain name associations were proved using the standard PKI prooftype specified in <xref target="RFC6120"/>: that is, the server's proof consists of a PKIX certificate that is checked according to a profile of the matching rules from <xref target="RFC6125"/>, the client's verification material is obtained out of band in the form of a trusted root, and secure DNS is not necessary.</t>
<t>However, sometimes XMPP server administrators are unable or unwilling to obtain valid PKIX certificates for their servers (e.g., the administrator of im.cs.podunk.example can't receive certification authority verification messages sent to mailto:hostmaster@podunk.example, or hosting.example.net does not want to take on the liability of holding the certificate and private key for example.com). In these circumstances, prooftypes other than PKIX are desirable. Two alternatives have been defined so far: DANE and POSH.</t>
<section title="DANE" anchor="alternatives-dane">
<t>In the DANE prooftype, the server's proof consists of a PKIX certificate that is compared as an exact match or a hash of either the SubjectPublicKeyInfo or the full certificate, and the client's verification material is obtained via secure DNS.</t>
<t>The DANE prooftype is based on <xref target='I-D.ietf-dane-srv'/>. For XMPP purposes, the following rules apply:</t>
<t>
<list style='symbols'>
<t>If there is no SRV resource record, pursue the fallback methods described in <xref target='RFC6120'/>.</t>
<t>Use the 'to' address of the initial stream header to determine the domain name of the TLS client's reference identifier (since use of the TLS Server Name Indication is purely discretionary in XMPP, as mentioned in <xref target='RFC6120'/>).</t>
</list>
</t>
</section>
<section title="POSH" anchor="alternatives-posh">
<t>In the POSH (PKIX Over Secure HTTP) prooftype, the server's proof consists of a PKIX certificate that is checked according to the rules from <xref target="RFC6120"/> and <xref target="RFC6125"/>, the client's verification material is obtained by retrieving the PKIK certificate over HTTPS at a well-known URI <xref target="RFC5785"/>, and secure DNS is not necessary since the HTTPS retrieval mechanism relies on the chain of trust from the public key infrastructure.</t>
<t>POSH is defined in <xref target='I-D.miller-posh'/>. For XMPP purposes, the well-known URIs <xref target='RFC5785'/> to be used are:</t>
<t>
<list style='symbols'>
<t>"/.well-known/posh._xmpp-client._tcp.json" for client-to-server connections</t>
<t>"/.well-known/posh._xmpp-server._tcp.json" for server-to-server connections</t>
</list>
</t>
</section>
</section>
<section title="Secure Delegation and Multi-Tenancy" anchor="delegation">
<t>One common method for deploying XMPP services is multi-tenancy or virtual hosting: e.g., the XMPP service for example.com is actually hosted at hosting.example.net. Such an arrangement is relatively convenient in XMPP given the use of DNS SRV records <xref target="RFC2782"/>, such as the following pointer from example.com to hosting.example.net:</t>
<figure>
<artwork><![CDATA[
_xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net
]]></artwork>
</figure>
<t>Secure connections with multi-tenancy can work using the PKIX prooftype on a small scale if the provider itself wishes to host several domains (e.g., several related domains such as jabber-de.example and jabber-ch.example). However, in practice the security of multi-tenancy has been found to be unwieldy when the provider hosts large numbers of XMPP services on behalf of multiple customers. Typically there are two main reasons for this state of affairs: the service provider (say, hosting.example.net) wishes to limit its liability and therefore does not wish to hold the certificate and private key for the customer (say, example.com) and the customer wishes to improve the security of the service and therefore does not wish to share its certificate and private key with service provider. As a result, server-to-server communications to example.com go unencrypted or the communications are TLS-encrypted but the certificates are not checked (which is functionally equivalent to a connection using an anonymous key exchange). This is also true of client-to-server communications, forcing end users to override certificate warnings or configure their clients to accept certificates for hosting.example.net instead of example.com. The fundamental problem here is that if DNSSEC is not used then the act of delegation via DNS SRV records is inherently insecure.</t>
<t><xref target='I-D.ietf-dane-srv'/> explains how to use DNSSEC for secure delegation with the DANE prooftype and <xref target='I-D.miller-posh'/> explains how to use HTTPS redirects for secure delegation with the POSH prooftype.</t>
</section>
<section title="Prooftype Model" anchor="model">
<t>In general, a DNA prooftype conforms to the following definition:</t>
<t>
<list style="hanging">
<t hangText="prooftype:">A mechanism for proving an association between a domain name and an XML stream, where the mechanism defines (1) the nature of the server's proof, (2) the matching rules for comparing the client's verification material against the server's proof, (3) how the client obtains its verification material, and (4) whether the mechanism depends on secure DNS.</t>
</list>
</t>
<t>The PKI, DANE, and POSH prooftypes adhere to this model. In addition, other prooftypes are possible (examples might include PGP keys rather than PKIX certificates, or a token mechanism such as Kerberos or OAuth).</t>
<t>Some prooftypes depend on (or are enhanced by) secure DNS and therefore also need to describe how secure delegation occurs for that prooftype.</t>
</section>
<section title="IANA Considerations" anchor="iana">
<t>The POSH specification <xref target='I-D.miller-posh'/> defines a registry for well-known URIs <xref target='RFC5785'/> of protocols that make use of POSH. This specification registers two such URIs, for which the completed registration templates follow.</t>
<section title="Well-Known URI for xmpp-client Service" anchor="iana-client">
<t>This specification registers the "posh._xmpp-client._tcp.json" well-known URI in the Well-Known URI Registry as defined by <xref target="RFC5785"/>.</t>
<t>URI suffix: posh._xmpp-client._tcp.json</t>
<t>Change controller: IETF</t>
<t>Specification document(s): [[ this document ]]</t>
</section>
<section title="Well-Known URI for xmpp-server Service" anchor="iana-server">
<t>This specification registers the "posh._xmpp-server._tcp.json" well-known URI in the Well-Known URI Registry as defined by <xref target="RFC5785"/>.</t>
<t>URI suffix: posh._xmpp-server._tcp.json</t>
<t>Change controller: IETF</t>
<t>Specification document(s): [[ this document ]]</t>
</section>
</section>
<section title="Security Considerations" anchor="security">
<t>This document supplements but does not supersede the security considerations of <xref target="RFC6120"/> and <xref target="RFC6125"/>. Relevant security considerations can also be found in <xref target='I-D.ietf-dane-srv'/> and <xref target='I-D.miller-posh'/>.</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor='I-D.ietf-dane-srv'>
<front>
<title>Using DNS-Based Authentication of Named Entities (DANE) TLSA records with SRV and MX records.</title>
<author initials='T' surname='Finch' fullname='Tony Finch'>
<organization />
</author>
<date month='February' day='25' year='2013' />
<abstract><t>The DANE specification [RFC6698] describes how to use TLSA resource records in the DNS to associate a server's host name with its TLS certificate. The association is secured with DNSSEC. Some application protocols can use SRV records [RFC2782] to indirectly name the server hosts for a service domain. (SMTP uses MX records for the same purpose.) This specification gives generic instructions for how these application protocols locate and use TLSA records. Separate documents give the details that are specific to particular application protocols.</t></abstract>
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-dane-srv-02' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-ietf-dane-srv-02.txt' />
</reference>
<reference anchor='I-D.miller-posh'>
<front>
<title>PKIX over Secure HTTP (POSH)</title>
<author initials='M' surname='Miller' fullname='Matt Miller'>
<organization />
</author>
<author initials='P' surname='Saint-Andre' fullname='Peter Saint-Andre'>
<organization />
</author>
<date month='September' day='6' year='2013' />
<abstract><t>Experience has shown that it is extremely difficult to deploy proper PKIX certificates for TLS in multi-tenanted environments, since certification authorities will not issue certificates for hosted domains to hosting services, hosted domains do not want hosting services to hold their private keys, and hosting services wish to avoid liability for holding those keys. As a result, domains hosted in multi-tenanted environments often deploy non-HTTP applications such as email and instant messaging using certificates that identify the hosting service, not the hosted domain. Such deployments force end users and peer services to accept a certificate with an improper identifier, resulting in obvious security implications. This document defines two methods that make it easier to deploy certificates for proper server identity checking in non-HTTP application protocols. The first method enables the TLS client associated with a user agent or peer application server to obtain the end-entity certificate of a hosted domain over secure HTTP as an alternative to standard PKIX techniques. The second method enables a hosted domain to securely delegate a non-HTTP application to a hosting service using redirects provided by HTTPS itself or by a pointer in a file served over HTTPS at the hosted domain.</t></abstract>
</front>
<seriesInfo name='Internet-Draft' value='draft-miller-posh-01' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-miller-posh-01.txt' />
</reference>
<reference anchor="RFC1034">
<front>
<title abbrev="Domain Concepts and Facilities">Domain names - concepts and facilities</title>
<author initials="P." surname="Mockapetris" fullname="P. Mockapetris">
<organization>Information Sciences Institute (ISI)</organization>
</author>
<date year="1987" day="1" month="November"/>
</front>
<seriesInfo name="STD" value="13"/>
<seriesInfo name="RFC" value="1034"/>
<format type="TXT" octets="129180" target="http://www.rfc-editor.org/rfc/rfc1034.txt"/>
</reference>
<reference anchor="RFC1035">
<front>
<title abbrev="Domain Implementation and Specification">Domain names - implementation and specification</title>
<author initials="P." surname="Mockapetris" fullname="P. Mockapetris">
<organization>USC/ISI</organization>
<address>
<postal>
<street>4676 Admiralty Way</street>
<city>Marina del Rey</city>
<region>CA</region>
<code>90291</code>
<country>US</country>
</postal>
<phone>+1 213 822 1511</phone>
</address>
</author>
<date year="1987" day="1" month="November"/>
</front>
<seriesInfo name="STD" value="13"/>
<seriesInfo name="RFC" value="1035"/>
<format type="TXT" octets="125626" target="http://www.rfc-editor.org/rfc/rfc1035.txt"/>
</reference>
<reference anchor="RFC2782">
<front>
<title abbrev="DNS SRV RR">A DNS RR for specifying the location of services (DNS SRV)</title>
<author initials="A." surname="Gulbrandsen" fullname="Arnt Gulbrandsen">
<organization>Troll Tech</organization>
<address>
<postal>
<street>Waldemar Thranes gate 98B</street>
<city>Oslo</city>
<region/>
<code>N-0175</code>
<country>NO</country>
</postal>
<phone>+47 22 806390</phone>
<facsimile>+47 22 806380</facsimile>
<email>arnt@troll.no</email>
</address>
</author>
<author initials="P." surname="Vixie" fullname="Paul Vixie">
<organization>Internet Software Consortium</organization>
<address>
<postal>
<street>950 Charter Street</street>
<city>Redwood City</city>
<region>CA</region>
<code>94063</code>
<country>US</country>
</postal>
<phone>+1 650 779 7001</phone>
</address>
</author>
<author initials="L." surname="Esibov" fullname="Levon Esibov">
<organization>Microsoft Corporation</organization>
<address>
<postal>
<street>One Microsoft Way</street>
<city>Redmond</city>
<region>WA</region>
<code>98052</code>
<country>US</country>
</postal>
<email>levone@microsoft.com</email>
</address>
</author>
<date year="2000" month="February"/>
<abstract>
<t>This document describes a DNS RR which specifies the location of the
server(s) for a specific protocol and domain.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2782"/>
<format type="TXT" octets="24013" target="http://www.rfc-editor.org/rfc/rfc2782.txt"/>
</reference>
<reference anchor="RFC4033">
<front>
<title>DNS Security Introduction and Requirements</title>
<author initials="R." surname="Arends" fullname="Roy Arends">
<organization>Telematica Instituut</organization>
<address>
<email>roy.arends@telin.nl</email>
</address>
</author>
<author initials="R." surname="Austein" fullname="Rob Austein">
<organization>Internet Systems Consortium</organization>
<address>
<email>sra@isc.org</email>
</address>
</author>
<author initials="M." surname="Larson" fullname="Matt Larson">
<organization>VeriSign, Inc.</organization>
<address>
<email>mlarson@verisign.com</email>
</address>
</author>
<author initials="D." surname="Massey" fullname="Dan Massey">
<organization>Colorado State University</organization>
<address>
<email>massey@cs.colostate.edu</email>
</address>
</author>
<author initials="S." surname="Rose" fullname="Scott Rose">
<organization>National Institute for Standards and Technology</organization>
<address>
<email>scott.rose@nist.gov</email>
</address>
</author>
<date month="May" year="2005"/>
</front>
<seriesInfo name="RFC" value="4033"/>
<format type="TXT" target="http://tools.ietf.org/rfc/rfc4033.txt"/>
</reference>
<reference anchor="RFC4949">
<front>
<title>Internet Security Glossary, Version 2</title>
<author initials="R." surname="Shirey" fullname="R. Shirey">
<organization/>
</author>
<date year="2007" month="August"/>
<abstract>
<t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4949"/>
<format type="TXT" octets="867626" target="ftp://ftp.isi.edu/in-notes/rfc4949.txt"/>
</reference>
<reference anchor="RFC5280">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
<author initials="D." surname="Cooper" fullname="D. Cooper">
<organization/>
</author>
<author initials="S." surname="Santesson" fullname="S. Santesson">
<organization/>
</author>
<author initials="S." surname="Farrell" fullname="S. Farrell">
<organization/>
</author>
<author initials="S." surname="Boeyen" fullname="S. Boeyen">
<organization/>
</author>
<author initials="R." surname="Housley" fullname="R. Housley">
<organization/>
</author>
<author initials="W." surname="Polk" fullname="W. Polk">
<organization/>
</author>
<date year="2008" month="May"/>
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<format type="TXT" octets="352580" target="ftp://ftp.isi.edu/in-notes/rfc5280.txt"/>
</reference>
<reference anchor="RFC5785">
<front>
<title>Defining Well-Known Uniform Resource Identifiers (URIs)</title>
<author initials="M." surname="Nottingham" fullname="M. Nottingham">
<organization/>
</author>
<author initials="E." surname="Hammer-Lahav" fullname="E. Hammer-Lahav">
<organization/>
</author>
<date year="2010" month="April"/>
<abstract>
<t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5785"/>
<format type="TXT" octets="13779" target="http://www.rfc-editor.org/rfc/rfc5785.txt"/>
</reference>
<reference anchor="RFC6120">
<front>
<title>Extensible Messaging and Presence Protocol (XMPP): Core</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization>Cisco</organization>
<address>
<email>psaintan@cisco.com</email>
</address>
</author>
<date month="March" year="2011"/>
</front>
<seriesInfo name="RFC" value="6120"/>
<format type="TXT" target="http://tools.ietf.org/rfc/rfc6120.txt"/>
</reference>
<reference anchor="RFC6125">
<front>
<title>Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization>Cisco</organization>
<address>
<email>psaintan@cisco.com</email>
</address>
</author>
<author initials="J." surname="Hodges" fullname="Jeff Hodges">
<organization>PayPal</organization>
<address>
<email>jeff.hodges@paypal.com</email>
</address>
</author>
<date month="March" year="2011"/>
</front>
<seriesInfo name="RFC" value="6125"/>
<format type="TXT" target="http://tools.ietf.org/rfc/rfc6125.txt"/>
</reference>
<reference anchor="XEP-0220">
<front>
<title>Server Dialback</title>
<author initials="J" surname="Miller" fullname="Jeremie Miller">
<address>
<email>jer@jabber.org</email>
</address>
</author>
<author initials="P" surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization>Cisco</organization>
<address>
<email>psaintan@cisco.com</email>
</address>
</author>
<author initials="P" surname="Hancke" fullname="Philipp Hancke">
<address>
<email>fippo@goodadvice.pages.de</email>
</address>
</author>
<date month="August" year="2013"/>
</front>
<seriesInfo name="XSF XEP" value="0220"/>
<format type="HTML" target="http://xmpp.org/extensions/xep-0220.html#appendix-authorinfo"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="RFC3920">
<front>
<title abbrev="XMPP Core">Extensible Messaging and Presence Protocol (XMPP): Core</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre" role="editor">
<organization>Jabber Software Foundation</organization>
<address>
<email>stpeter@jabber.org</email>
</address>
</author>
<date year="2004" month="October"/>
<area>Applications</area>
<workgroup>XMPP Working Group</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>XMPP</keyword>
<keyword>Extensible Messaging and Presence Protocol</keyword>
<keyword>Jabber</keyword>
<keyword>IM</keyword>
<keyword>Instant Messaging</keyword>
<keyword>Presence</keyword>
<keyword>XML</keyword>
<keyword>Extensible Markup Language</keyword>
<abstract>
<t>This memo defines the core features of the Extensible Messaging and Presence Protocol (XMPP), a protocol for streaming Extensible Markup Language (XML) elements in order to exchange structured information in close to real time between any two network endpoints. While XMPP provides a generalized, extensible framework for exchanging XML data, it is used mainly for the purpose of building instant messaging and presence applications that meet the requirements of RFC 2779.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3920"/>
<format type="TXT" octets="194313" target="http://www.rfc-editor.org/rfc/rfc3920.txt"/>
<format type="HTML" octets="279912" target="http://xml.resource.org/public/rfc/html/rfc3920.html"/>
<format type="XML" octets="234610" target="http://xml.resource.org/public/rfc/xml/rfc3920.xml"/>
</reference>
<reference anchor="XEP-0045">
<front>
<title>Multi-User Chat</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization/>
<address>
<email>stpeter@jabber.org</email>
</address>
</author>
<date day="08" month="February" year="2012"/>
</front>
<seriesInfo name="XSF XEP" value="0045"/>
<format type="HTML" target="http://xmpp.org/extensions/xep-0045.html"/>
</reference>
<reference anchor="XEP-0238">
<front>
<title>XMPP Protocol Flows for Inter-Domain Federation</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization/>
<address>
<email>stpeter@jabber.org</email>
</address>
</author>
<date day="31" month="March" year="2008"/>
</front>
<seriesInfo name="XSF XEP" value="0238"/>
<format type="HTML" target="http://xmpp.org/extensions/xep-0238.html"/>
</reference>
<reference anchor="XEP-0288">
<front>
<title>Bidirectional Server-to-Server Connections</title>
<author initials="P." surname="Hancke" fullname="Philipp Hancke">
<organization/>
<address>
<email/>
</address>
</author>
<author initials="D." surname="Cridland" fullname="Dave Cridland">
<organization/>
<address>
<email>dave.cridland@isode.com</email>
</address>
</author>
<date day="21" month="August" year="2012"/>
</front>
<seriesInfo name="XSF XEP" value="0288"/>
<format type="HTML" target="http://xmpp.org/extensions/xep-0288.html"/>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:22:02 |