📄 draft-day-svrloc-signature-00.txt
Internet Engineering Task Force                              Michael Day
INTERNET DRAFT                                                       IBM
                                                            Ira McDonald
[Target Category: Experimental]                               High North
25 April 2003
Expires in Six Months

        Signature Extension for Service Location Protocol v2
                 draft-day-svrloc-signature-00.txt

Status of This Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This document is an individual contribution to the Internet
   Engineering Task Force (IETF). Comments should be submitted to the
   srvloc@srvloc.org mailing list.

   Distribution of this memo is unlimited.

Day                     Expires: 25 August 2003                 [Page i]

Internet Draft          SLP Signature Extension               April 2003

Table of Contents

   1 Introduction
   2 Applicability Statement
   2.1 Use with DAs
   2.2 Use with SLP Messages
   3 Signature Extension Format
   3.1 Signature Extension Fields
   3.1.1 CMS signed-data Field
   3.1.2 Size of signed-data Field
   3.2 Contents of signed-data Field
   3.3 Omission of eContent
   4 Use of the Signature Extension
   4.1 Input to signed-data Field
   4.1.1 Calculating the Length of a Signed SLP Message
   4.2 Signature Generation Process
   4.3 Signature Verification Process
   5 Acknowledgements
   6 References
   7 Author's Contact Information
   8 Full Copyright Statement

1 Introduction

   The Service Location Protocol [rfc2608bis] provides a scalable
   framework for the discovery and selection of network services.
   Using this protocol, computers using the Internet need little or no
   static configuration of network services for network based
   applications.

   SLP recommends the use of IPSec Authentication Headers [AH] for
   authenticating service information. It also recommends the use of
   the IPSec Encapsulating Security Payload [ESP] for causing SLP
   exchanges to be private. An addition to [rfc2608bis], the
   internet-draft "Upgrading to TLS Within Service Location Protocol"
   (work in progress) [TLS] also specifies a method for upgrading TCP
   connections to be encrypted.

   The security discussion in section 15 of [rfc2608bis] enumerates the
   security implications of using SLP for the discovery and selection
   of network services. IPSec SHOULD be used in the manner described
   whenever possible.

   There are some situations where the use of IPSec is not an option
   for SLP. These include:

   1. SLP is being transported by a protocol stack other than IP. This
      point includes the case where SLP is publishing information about
      a service that is accessible only via non-IP media.

   2. The SLP agent is running on a platform for which IPSec has not
      been implemented, such as an embedded system.

   3. SLP is being used within an application model that does not have
      an affinity with IPSec security associations, such as with a
      high-latency store-and-forward protocol or a many-to-one fanout
      engine.

   When using SLP in environments where IPSec AH is not available it is
   still desirable to provide a means to authenticate SLP messages.
   This document describes an optional SLP protocol extension for the
   genera