Frequently Asked Questions
Registrar Security FAQ
- How does the registry control access to the Shared Registry System?
- How do I specify the IP addresses that can access the SRS?
- What is a SSL Certificate?
- Where do I get a SSL Certificate?
- What is the purpose requirement of "SSL Client:YES" for the certificate I purchase?
- Which cipher suites are accepted?
- When do I get the username/password for the production SRS?
- Which SSL toolkit should I use?
- How does the registry control access to the Shared Registry System?
Access to the Shared Registry System is restricted by 3 mechanisms:- Access control to the production SRS is restricted by IP address filters.
- SSL encryption is required for the communication channels between the Registrar's client system and the OT&E and production systems.
- Authentication by means of a username and password is required for session establishment.
The SRS requires the correct combination of the above three mechanisms before a registrar is granted access. - How do I specify the IP addresses that can access the SRS?
The Registrar Data Form has a section where IP subnets can be specified for accessing the production SRS. The specified subnets must conform to the following rules:- A maximum of 2 subnets.
- A maximum of 64 IP addresses between the two subnets
- Subnets must be specified in CIDR format (e.g. 192.168.1.0/27) where the "/27" represents the length of the subnet. The limitation on the maximum of 64 IP addresses means that the length will never be less than /26.
- Examples of valid subnets include:
- One subnet of 64 hosts (e.g. 192.168.1.0/26)
- Two subnets of 32 hosts or less (e.g. subnet #1 as 192.168.2.0/27, which represents 32 addresses 192.168.2.0 to 192.168.2.31; and subnet #2 as 192.168.3.0/27, which represents 32 addresses 192.168.3.0 to 192.168.3.31)
- The specified subnets must fall on valid bit boundaries. For example, a subnet specified as 192.168.2.1/27 is not acceptable because ".1" is not a valid boundary for a /27 subnet. The following table defines the valid boundaries for each subnet length.
Length of Subnet Number of Hosts Boundaries /26 64 0,64,128,192 /27 31 0,32,64,96,128,160,192,224 /28 16 0,16,32,48,64,80,96,112,128, 144,160,176,192,208,224,240 /29 8 0,8,16,24,32,40,...,248
(in increments of 8)/30 4 0,4,8,12,16,20,...,252
(in increments of 4)/31 2 0,2,4,6,8,12,...,254
(in increments of 2)/32 1 0 through 255
(in increments of 1)
- What is a SSL Certificate?
A digital certificate is simply a statement digitally signed by an independent and trusted third party (the Certificate Authority). That statement usually follows a very specific format laid down in a standard called X.509, hence they are sometimes referred to as X.509 certificates.
A certificate is required to establish an authenticated and encrypted communications channel between the Registrar's server and the Registry's SRS. - Where do I get a SSL Certificate?
X.509 SSL certificates can be obtained from one of the accepted Certificate Authorities. Please make sure that the certificate you obtain is NOT an individual/personal certificate. The accepted Certificate Authorities are:Please note the Starfield Intermediate and Root certificate details:
Intermediate Certificate Details:
Issuer:
C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
Validity:
Not Before: Nov 16 01:15:40 2006 GMT
Not After : Nov 16 01:15:40 2026 GMT
Subject:
C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/serialNumber=10688435Root Certificate Details:
Issuer:
C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
Validity:
Not Before: Jun 29 17:39:16 2004 GMT
Not After : Jun 29 17:39:16 2034 GMT
Subject:
C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification AuthorityIf you would like to use a Certificate Authority that is not on this list, please contact .ME Tech Support support@registry.me
- What is the purpose requirement of "SSL Client:YES" for the certificate I purchase?
This defines the purpose of the certificate and whether it can be used as client certificate. The following is a sample of an expected output from the command: openssl x509 -in your_cert.filename -purposeCertificate purposes:
- SSL client : Yes
- SSL client CA : No
- SSL server : Yes
- SSL server CA : No
- Netscape SSL server : Yes
- Netscape SSL server CA : No
- S/MIME signing : No
- S/MIME signing CA : No
- S/MIME encryption : No
- S/MIME encryption CA : No
- CRL signing : Yes
- CRL signing CA : No
- Any Purpose : Yes
- Any Purpose CA : Yes
- OCSP helper : Yes
- OCSP helper CA : No
Please ensure that the certificate you purchase has "YES" for SSL client. As noted, this certificate can be used for both server and client purposes.
- Which cipher suites are accepted?
To establish a SSL connection to the SRS, the Registrar's client system must choose a cipher suite supported by the SRS. The SRS supports the following ciphers:- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_RC4_128_SHA
- SSL_DHE_DSS_WITH_DES_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- When do I get the username/password for the production SRS?
The username and password for the production SRS is issued after you have successfully completed accreditation - Which SSL toolkit should I use?
Registrars are responsible for obtaining an SSL toolkit that is compatible with the development language and platform of their client system. The minimum requirement is that it must support SSL version 3.
For C, C++ or Perl Environments- OpenSSL is the optimal open source SSL solution.
For Java Environments
- Sun's Java Secure Socket Extension
- SSLava from Phaos Technology
SSLava is also the toolkit used in the development of the SRS.