RFC 6125 - Service Identity
Published: March 2011
Status: Standards Track
Authors: P. Saint-Andre, J. Hodges
Abstract
Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions.
Contents
Main Sections
- 1. Introduction
- 1.1. Motivation
- 1.2. Audience
- 1.3. How to Read This Document
- 1.4. Applicability
- 1.5. Overview of Recommendations
- 1.6. Generalization from Current Technologies
- 1.7. Scope
- 1.8. Terminology
- 2. Naming of Application Services
- 2.1. Naming Application Services
- 2.2. DNS Domain Names
- 2.3. Subject Naming in PKIX Certificates
- 3. Designing Application Protocols
- 4. Representing Server Identity
- 4.1. Rules
- 4.2. Examples
- 5. Requesting Server Certificates
- 6. Verifying Service Identity
- 6.1. Overview
- 6.2. Constructing a List of Reference Identifiers
- 6.3. Preparing to Seek a Match
- 6.4. Matching the DNS Domain Name Portion
- 6.5. Matching the Application Service Type Portion
- 6.6. Outcome
- 7. Security Considerations
- 7.1. Pinned Certificates
- 7.2. Wildcard Certificates
- 7.3. Internationalized Domain Names
- 7.4. Multiple Identifiers
- 8. Contributors
- 9. Acknowledgements
- 10. References
- 10.1. Normative References
- 10.2. Informative References
Appendices
Related Resources
- Official Text: RFC 6125
- Official Page: RFC 6125 DataTracker
- Errata: RFC Editor Errata