Public-Key Infrastructure (X.509) (pkix)

Last Modified: 2008-04-23

Additional information is available at tools.ietf.org/wg/pkix

Chair(s):

  • Stephen Kent <kent@bbn.com>

  • Stefan Santesson <stefans@microsoft.com>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Pasi Eronen <pasi.eronen@nokia.com>

    Security Area Advisor:

  • Tim Polk <tim.polk@nist.gov>

    Mailing Lists:

    General Discussion: ietf-pkix@imc.org
    To Subscribe: ietf-pkix-request@imc.org
    In Body: subscribe (In Body)
    Archive: http://www.imc.org/ietf-pkix

    Description of Working Group:

    The PKIX Working Group was established in the fall of 1995 with the
    goal of developing Internet standards to support X.509-based Public
    Key Infrastructures (PKIs). Initially PKIX pursued this goal by
    profiling X.509 standards developed by the CCITT (later the ITU-T).
    Later, PKIX initiated the development of standards that are not
    profiles of ITU-T work, but rather are independent initiatives
    designed to address X.509-based PKI needs in the Internet. Over time
    this latter category of work has become the major focus of PKIX work,
    i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509
    documents.

    PKIX has produced a number of standards track and informational RFCs.
    RFC 3280 (Certificate and CRL Profile), and RCF 3281 (Attribute
    Certificate Profile) are recent examples of standards track RFCs that
    profile ITU-T documents. RFC 2560 (Online Certificate Status
    Profile), RFC 3779 (IP Address and AS Number Extensions), and RFC
    3161 (Time Stamp Authority) are examples of standards track RFCs that
    are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples
    of informational RFCs that describe how to use public key and hash
    algorithms in PKIs.

    PKIX Work Plan

    PKIX will continue to track the evolution of ITU-T X.509 documents,
    and will maintain compatibility between these documents and IETF PKI
    standards, since the profiling of X.509 standards for use in the
    Internet remains an important topic for the working group.

    PKIX does not endorse the use of specific cryptographic algorithms
    with its protocols. However, PKIX does publish standards track RFCs
    that describe how to identify algorithms and represent associated
    parameters in these protocols, and how to use these algorithms with
    these protocols. We anticipate efforts in this arena will continue to
    be required over time.

    PKIX will pursue new work items in the PKI arena if working group
    members express sufficient interest, and if approved by the cognizant
    Security Area director. For example, certificate validation under X.
    509 and PKIX standards calls for a relying party to use a trust
    anchor as the start of a certificate path. Neither X.509 nor extant
    PKIX standards define protocols for the management of trust anchors.
    Existing mechanisms for managing trust anchors, e.g., in browsers,
    are limited in functionality and non-standard. There is considerable
    interest in the PKI community to define a standard model for trust
    anchor management, and standard protocols to allow remote management.
    Thus a future work item for PKIX is the definition of such protocols
    and associated data models.

    Goals and Milestones:

    Done  Complete approval of CMC, and qualified certificates documents
    Done  Complete time stamping document
    Done  Continue attribute certificate profile work
    Done  Complete data certification document
    Done  Complete work on attribute certificate profile
    Done  Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
    Done  INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
    Done  Experimental RFC for Data Validation and Certification Server Protocols
    Done  Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
    Done  DPD/DVP Requirements RFC
    Done  Certificate Policy & CPS Informational RFC (revision)
    Done  Logotype Extension RFC
    Done  Proxy Certificate RFC
    Done  Cert Path Building approved as Informational RFC
    Done  CRMFbis approved as PROPOSED Standard RFC
    Done  CMPbis approved as PROPOSED Standard RFC
    Done  Principal Identifier approved as PROPOSED Standard RFC
    Done  Warranty Extensions approved as Informational RFC
    Done  Certificate Store approved as Informational RFC
    Done  PKIX Repository approved as Informational RFC
    Done  Subject Identification Method as Informational RFC
    Done  GOST Cryptographic Algorithms (RFC 4491)
    Done  Update to DirectoryString Processing for RFC 3280
    Done  Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476)
    Sep 2007  Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
    Sep 2007  Progression of Qualified Certificates Profile RFC to DRAFT Standard
    Sep 2007  Progression of Certificate & CRL Profile RFC to DRAFT Standard
    Sep 2007  Progression of Time Stamp Protocols RFC to DRAFT Standard
    Sep 2007  Progression of Logotype RFC to DRAFT Standard
    Nov 2007  Progression of Proxy Certificate RFC to DRAFT Standard
    Nov 2007  Progression of Attribute Certificate Profile RFC to DRAFT standard
    Feb 2008  Update to CMC approved as PROPOSED Standard
    Mar 2008  ECC Algorithms approved as PROPOSED Standard RFC
    Mar 2008  Progression of CMC RFCs to DRAFT Standard
    Mar 2008  SCVP approved as PROPOSED Standard RFC

    Internet-Drafts:

    Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA (34636 bytes)
    Elliptic Curve Cryptography Subject Public Key Information (60924 bytes)
    Trust Anchor Management Problem Statement (26864 bytes)
    Update for RSAES-OAEP Algorithm Parameters (11074 bytes)
    Traceable Anonymous Certificate (46013 bytes)
    Trust Anchor Management Requirements (33514 bytes)

    Request For Comments:

    Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459) (278438 bytes) obsoleted by RFC 3280
    Internet X.509 Public Key Infrastructure Certificate Management Protocols (RFC 2510) (158178 bytes) obsoleted by RFC 4210
    Internet X.509 Certificate Request Message Format (RFC 2511) (48278 bytes) obsoleted by RFC 4211
    Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527) (91860 bytes) obsoleted by RFC 3647
    Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates (RFC 2528) (18273 bytes)
    Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 (RFC 2559) (22894 bytes) obsoleted by RFC 3494/ updates RFC 1778
    Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP (RFC 2585) (14813 bytes)
    Internet X.509 Public Key Infrastructure LDAPv2 Schema (RFC 2587) (15102 bytes) obsoleted by RFC 4523
    X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (RFC 2560) (43243 bytes)
    Certificate Management Messages over CMS (RFC 2797) (103357 bytes) obsoleted by RFC 5272
    Diffie-Hellman Proof-of-Possession Algorithms (RFC 2875) (45231 bytes)
    Internet X.509 Public Key Infrastructure Qualified Certificates Profile (RFC 3039) (67619 bytes) obsoleted by RFC 3739
    Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols (RFC 3029) (107347 bytes)
    Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) (RFC 3161) (54585 bytes)
    Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRI Profile (RFC 3279) (53833 bytes) updated by RFC 4491
    Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 3280) (295556 bytes) obsoletes RFC 2459/ obsoleted by RFC 5280/ updated by RFC 4325,RFC 4630
    An Internet Attribute Certificate Profile for Authorization (RFC 3281) (90580 bytes)
    Delegated Path Validation and Delegated Path Discovery Protocol Requirements (RFC 3379) (32455 bytes)
    Policy Requirements for Time-Stamping Authorities (RFC 3628) (92941 bytes)
    Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647) (228124 bytes) obsoletes RFC 2527
    Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates (RFC 3709) (46453 bytes)
    Internet X.509 Public Key Infrastructure: Qualified Certificates Profile (RFC 3739) (67436 bytes) obsoletes RFC 3039
    Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN (RFC 3770) (18635 bytes) obsoleted by RFC 4334
    X.509 Extensions for IP Addresses and AS Identifiers (RFC 3779) (60732 bytes)
    Internet X.509 Public Key Infrastructure Proxy Certificate Profile (RFC 3820) (86374 bytes)
    A 224-bit One-way Hash Function: SHA-224 (RFC 3874) (11600 bytes)
    Internet X.509 Public Key Infrastructure Warranty Certificate Extension (RFC 4059) (17904 bytes)
    Internet X.509 Public Key Infrastructure Permanent Identifier (RFC 4043) (30092 bytes)
    Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 4055) (57479 bytes)
    Internet X.509 Public Key Infrastructure: Certification Path Building (RFC 4158) (199297 bytes)
    Internet X.509 Public Key Infrastructure Certificate Management Protocols (RFC 4210) (212013 bytes) obsoletes RFC 2510
    Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) (RFC 4211) (86136 bytes) obsoletes RFC 2511
    Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension (RFC 4325) (14449 bytes) obsoleted by RFC 5280/ updates RFC 3280
    Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) (RFC 4334) (20739 bytes) obsoletes RFC 3770
    Internet X.509 Public Key Infrastructure Repository Locator Service (RFC 4386) (11330 bytes)
    Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP (RFC 4387) (63182 bytes)
    Attribute Certificate (AC) Policies Extension (RFC 4476) (20229 bytes)
    Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. (RFC 4491) (39095 bytes) updates RFC 3279
    Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 4630) (12539 bytes) obsoleted by RFC 5280/ updates RFC 3280
    Internet X.509 Public Key Infrastructure Subject Identification Method (SIM) (RFC 4683) (41285 bytes)
    Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name (RFC 4985) (17868 bytes)
    The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (RFC 5019) (46371 bytes)
    Server-based Certificate Validation Protocol (SCVP) (RFC 5055) (198764 bytes)
    Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280) (352580 bytes) obsoletes RFC 4630,RFC 4325,RFC 3280
    Certificate Management Messages over CMS (CMC): Compliance Requirements (RFC 5274) (27380 bytes)
    Certificate Management over CMS (CMC): Transport Protocols (RFC 5273) (14030 bytes)
    Certificate Management Messages over CMS (RFC 5272) (167138 bytes) obsoletes RFC 2797
    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.

    Return to working group directory.

    Return to IETF home page.