Network Working Group A. Newton Request for Comments: 3983 VeriSign, Inc. Category: Standards Track M. Sanz DENIC eG January 2005
Using the Internet Registry Information Service (IRIS) over the Blocks Extensible Exchange Protocol (BEEP)
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2005).
This document specifies how to use the Blocks Extensible Exchange Protocol (BEEP) as the application transport substrate for the Internet Registry Information Service (IRIS).
The proposal in this document describes the IRIS  application transport binding that uses BEEP . Requirements for IRIS and the specification in this document are outlined in CRISP .
The choice of BEEP as the transport substrate is primarily driven by the need to reuse an existing, well-understood protocol with all the necessary features to support the requirements. This would give implementers a wealth of toolkits and debugging gear for use in constructing both servers and clients and allow operators to apply existing experience in issues of deployment. The construction of a simple application transport for the specific purpose of IRIS would yield a similar standard, though likely smaller and less complete, after taking into consideration matters such as framing and authentication.
Precedents for using other transport mechanisms in layered applications do not seem to fit with the design goals of IRIS. HTTP  offers many features employed for use by similar applications. However, IRIS is not intended to be put to uses such as bypassing firewalls, commingling URI schemes, or any other methods that might lead to confusion between IRIS and traditional World Wide Web applications. Beyond adhering to the guidelines spelled out in RFC 3205 , the use of HTTP also offers many other challenges that quickly erode its appeal. For example, the appropriate use of TLS  with HTTP is defined by RFC 2817 , but the common use, as described in RFC 2818 , is usually the only method in most implementations.
Finally, the use of IRIS directly over TCP, such as that specified by EPP-TCP , does not offer the client negotiation characteristics needed by a referral application in which a single client, in processing a query, may traverse multiple servers operating with different parameters.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 .
The BEEP profile identifier for IRIS is a URI composed of the IRIS schema URN, followed by a slash, followed by an IRIS registry type (which is a URN).
In this profile identifier, the IRIS schema MUST be abbreviated according to the rules of IRIS. This is possible because the IRIS schema URN is compliant with XML_URN .
The registry type URN MUST be abbreviated according to the rules of IRIS (see ). This is possible because the registry type URN is compliant with XML_URN .
The following is an example of an IRIS profile identifier for BEEP. It identifies the version of IRIS to match that specified by "urn:iana:params:xml:ns:iris1" with a registry type URN of "urn:iana:params:xml:ns:dreg1":
The full ABNF  follows, with certain values included from IRIS :
profile = profile-uri "/" iris-urn-abbrev "/" registry-urn-abbrev profile-uri = "http://iana.org/beep/" iris-urn-abbrev = // as specified by IRIS registry-urn-abbrev = // as specified by IRIS
This URI is used in the "profile" element in BEEP during channel creation. According to the rules of BEEP, multiple "profile" elements may be offered, thus allowing negotiation of the version of IRIS to be used for every registry type being served.
Once this profile is accepted and the channel is created, the channel is considered ready to exchange IRIS messages. A server MUST honor queries for all advertised registry types on any channel opened with an IRIS profile URI.
The BEEP profile for IRIS transmits XML  containing the requests and responses for IRIS registries. These XML instances MUST be encoded as Unicode  using the media-type of "application/xml" according to RFC 3023 .
XML processors are obliged to recognize both UTF-8 and UTF-16  encodings. XML allows mechanisms to identify and use other character encodings by means of the "encoding" attribute in the declaration. Absence of this attribute or a byte order mark (BOM) indicates a default of UTF-8 encoding. Thus, for compatibility reasons, and per RFC 2277 , use of UTF-8 is RECOMMENDED with this transport mapping. UTF-16 is OPTIONAL. Other encodings MUST NOT be used.
A registry type MAY define other message packages that are not IRIS XML instances (e.g., binary images referenced by an IRIS response).
Because each registry type is defined by a separate BEEP profile (see ), each registry type MAY define a different message pattern. These patterns MUST be within the allowable scope of BEEP . If a registry type does not explicitly define a message pattern, the default pattern is used (see Section 5.2).
However, each registry type MUST be capable of supporting the default pattern (Section 5.2) for use with the <lookupEntity> query in IRIS.
The default BEEP profile for IRIS only has a one-to-one request/ response message pattern. This exchange involves sending an IRIS XML instance, which results in a response of an IRIS XML instance.
The client sends the request by using an "MSG" message containing a valid IRIS XML instance. The server responds with an "RPY" message containing a valid IRIS XML instance. The "ERR" message is used for sending fault codes. The list of allowable fault codes is listed in BEEP .
When the TLS  tuning profile in BEEP is used, it is possible to verify the authenticity of the server. However, a convention is needed to conduct this authentication. This convention dictates the name of the authority a client uses to ask for authentication credentials so that the server knows which set of credentials to pass back. Because this is dependent on the authority component of the URI, each registry type SHOULD define a server authentication method.
If a registry type does not explicitly define a server authentication method, the basic server authentication method (Section 6.2) is used.
The basic server authentication method is as follows:
1. When connecting to a server, the client MUST present the name of the authority to the server by using the BEEP  serverName mechanism. For instance, if the URI "iris:dreg1//com/domain/ example.com" is being resolved, the client would use the serverName="com" attribute during the BEEP session instantiation.
2. During TLS negotiation, the server presents to the client a certificate for the authority given in serverName. This certificate MUST be an X.509 certificate . This certificate MUST contain the authority in either the subjectDN or the subjectAltName extension of type dNSName.
3. The certificate MUST be cryptographically verified according to the procedures of TLS.
4. The client then checks the subject of the certificate for a case insensitive match in the following order:
1. Any of the dNSName types in the subjectAltName. 2. The subjectDN consisting solely of 'dc' components, in which each 'dc' component represents a label from the authority name (e.g., example.com is dc=example, dc=com). 3. A subjectDN in which the left-most component is a 'cn' component containing the name of the authority. A wildcard character ('*') MAY be used as the left-most label of the name in the 'cn' component.
Newton & Sanz Standards Track [Page 5]
RFC 3983 IRIS-Beep January 2005
If the subject of the certificate does not match any of these name components, then the certificate is invalid for representing the authority.
Specifications of registry types MUST include the following explicit definitions:
o message pattern -- a definition of the message pattern for use with BEEP, or a declaration to use the default message pattern in Section 5.2.
o server authentication method -- a definition of the method to use for server authentication with TLS, a declaration to use the basic server authentication method in Section 6.2, or a declaration to use no server authentication at all.
IRIS contains a referral mechanism as a standard course of operation. However, care should be taken that user authentication mechanisms do not hand user credentials to untrusted servers. Therefore, clients SHOULD NOT use the http://iana.org/beep/SASL/PLAIN tuning profile. As specified by SASL/PLAIN, clients MUST NOT use the http://iana.org/beep/SASL/PLAIN tuning profile without first encrypting the TCP session (e.g. such as with the http://iana.org/beep/TLS tuning profile).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- firstname.lastname@example.org.
Funding for the RFC Editor function is currently provided by the Internet Society.