2.7.9 Public-Key Infrastructure (X.509) (pkix)

NOTE: This charter is a snapshot of the 77th IETF Meeting in Anaheim, California USA. It may now be out-of-date.

Last Modified: 2009-09-09

Chair(s):

Stephen Kent <kent@bbn.com>
Stefan Santesson <stefan@aaa-sec.com>

Security Area Director(s):

Sean Turner <turners@ieca.com>
Tim Polk <tim.polk@nist.gov>

Security Area Advisor:

Tim Polk <tim.polk@nist.gov>

Mailing Lists:

General Discussion: pkix@ietf.org
To Subscribe: pkix-request@ietf.org
In Body: subscribe
Archive: http://www.ietf.org/mail-archive/web/pkix/current/maillist.html

Description of Working Group:

The PKIX Working Group was established in the fall of 1995 with the
goal of developing Internet standards to support X.509-based Public
Key Infrastructures (PKIs). Initially PKIX pursued this goal by
profiling X.509 standards developed by the CCITT (later the ITU-T).
Later, PKIX initiated the development of standards that are not
profiles of ITU-T work, but rather are independent initiatives
designed to address X.509-based PKI needs in the Internet. Over time
this latter category of work has become the major focus of PKIX work,
i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509
documents.

PKIX has produced a number of standards track and informational RFCs.
RFC 3280 (Certificate and CRL Profile), and RFC 3281 (Attribute
Certificate Profile) are recent examples of standards track RFCs that
profile ITU-T documents. RFC 2560 (Online Certificate Status
Protocol), RFC 3779 (IP Address and AS Number Extensions), and RFC
3161 (Time Stamp Authority) are examples of standards track RFCs that
are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples
of informational RFCs that describe how to use public key and hash
algorithms in PKIs.

PKIX Work Plan

PKIX will continue to track the evolution of ITU-T X.509 documents,
and will maintain compatibility between these documents and IETF PKI
standards, since the profiling of X.509 standards for use in the
Internet remains an important topic for the working group.

PKIX does not endorse the use of specific cryptographic algorithms
with its protocols. However, PKIX does publish standards track RFCs
that describe how to identify algorithms and represent associated
parameters in these protocols, and how to use these algorithms with
these protocols. We anticipate efforts in this arena will continue to
be required over time.

PKIX will pursue new work items in the PKI arena if working group
members express sufficient interest, and if approved by the cognizant
Security Area director. For example, certificate validation under
X.509 and PKIX standards calls for a relying party to use a trust
anchor as the start of a certificate path. Neither X.509 nor extant
PKIX standards define protocols for the management of trust anchors.
Existing mechanisms for managing trust anchors, e.g., in browsers,
are limited in functionality and non-standard. There is considerable
interest in the PKI community to define a standard model for trust
anchor management, and standard protocols to allow remote management.
Thus a future work item for PKIX is the definition of such protocols
and associated data models.

Goals and Milestones:

Done  Complete approval of CMC, and qualified certificates documents
Done  Complete time stamping document
Done  Continue attribute certificate profile work
Done  Complete data certification document
Done  Complete work on attribute certificate profile
Done  Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
Done  INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
Done  Experimental RFC for Data Validation and Certification Server Protocols
Done  Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
Done  DPD/DVP Requirements RFC
Done  Certificate Policy & CPS Informational RFC (revision)
Done  Logotype Extension RFC
Done  Proxy Certificate RFC
Done  Cert Path Building approved as Informational RFC
Done  CRMFbis approved as PROPOSED Standard RFC
Done  CMPbis approved as PROPOSED Standard RFC
Done  Principal Identifier approved as PROPOSED Standard RFC
Done  Warranty Extensions approved as Informational RFC
Done  Certificate Store approved as Informational RFC
Done  PKIX Repository approved as Informational RFC
Done  Subject Identification Method as Informational RFC
Done  GOST Cryptographic Algorithms (RFC 4491)
Done  Update to DirectoryString Processing for RFC 3280
Done  Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476)
Sep 2007  Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
Sep 2007  Progression of Qualified Certificates Profile RFC to DRAFT Standard
Sep 2007  Progression of Certificate & CRL Profile RFC to DRAFT Standard
Sep 2007  Progression of Time Stamp Protocols RFC to DRAFT Standard
Sep 2007  Progression of Logotype RFC to DRAFT Standard
Nov 2007  Progression of Proxy Certificate RFC to DRAFT Standard
Nov 2007  Progression of Attribute Certificate Profile RFC to DRAFT standard
Feb 2008  Update to CMC approved as PROPOSED Standard
Mar 2008  ECC Algorithms approved as PROPOSED Standard RFC
Mar 2008  Progression of CMC RFCs to DRAFT Standard
Mar 2008  SCVP approved as PROPOSED Standard RFC

Internet-Drafts:

  • draft-ietf-pkix-cmp-transport-protocols-08.txt
  • draft-ietf-pkix-ta-mgmt-reqs-05.txt
  • draft-ietf-pkix-tamp-08.txt
  • draft-ietf-pkix-ocspagility-08.txt
  • draft-ietf-pkix-certimage-08.txt
  • draft-ietf-pkix-asn1-translation-02.txt
  • draft-ietf-pkix-certid-keyid-01.txt
  • draft-ietf-pkix-rfc5272-bis-00.txt
  • draft-ietf-pkix-rfc5280-clarifications-00.txt

Request For Comments:

    RFC      Status   Title
    RFC2459 PS Internet X.509 Public Key Infrastructure Certificate and CRL Profile
    RFC2510 PS Internet X.509 Public Key Infrastructure Certificate Management Protocols
    RFC2511 PS Internet X.509 Certificate Request Message Format
    RFC2527 I Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
    RFC2528 I Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
    RFC2559 PS Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
    RFC2560 PS X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
    RFC2585 PS Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
    RFC2587 PS Internet X.509 Public Key Infrastructure LDAPv2 Schema
    RFC2797 PS Certificate Management Messages over CMS
    RFC2875 PS Diffie-Hellman Proof-of-Possession Algorithms
    RFC3029 E Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols
    RFC3039 PS Internet X.509 Public Key Infrastructure Qualified Certificates Profile
    RFC3161 PS Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP)
    RFC3279 PS Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile
    RFC3280 PS Internet X.509 Public Key Infrastructure Certificate and CRL Profile
    RFC3281 PS An Internet Attribute Certificate Profile for Authorization
    RFC3379 I Delegated Path Validation and Delegated Path Discovery Protocol Requirements
    RFC3628 I Policy Requirements for Time-Stamping Authorities
    RFC3647 I Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
    RFC3709 Standard Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates
    RFC3739 Standard Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
    RFC3770 Standard Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN
    RFC3779 Standard X.509 Extensions for IP Addresses and AS Identifiers
    RFC3820 Standard Internet X.509 Public Key Infrastructure Proxy Certificate Profile
    RFC3874 I A 224-bit One-way Hash Function: SHA-224
    RFC4043 Standard Internet X.509 Public Key Infrastructure Permanent Identifier
    RFC4055 Standard Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    RFC4059 I Internet X.509 Public Key Infrastructure Warranty Certificate Extension
    RFC4158 I Internet X.509 Public Key Infrastructure: Certification Path Building
    RFC4210 Standard Internet X.509 Public Key Infrastructure Certificate Management Protocols
    RFC4211 Standard Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
    RFC4325 Standard Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
    RFC4334 Standard Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
    RFC4386 E Internet X.509 Public Key Infrastructure Repository Locator Service
    RFC4387 Standard Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
    RFC4476 PS Attribute Certificate (AC) Policies Extension
    RFC4491 PS Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
    RFC4630 PS Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    RFC4683 PS Internet X.509 Public Key Infrastructure Subject Identification Method (SIM)
    RFC4985 PS Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name
    RFC5019 PS The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
    RFC5055 PS Server-based Certificate Validation Protocol (SCVP)
    RFC5272 PS Certificate Management Messages over CMS
    RFC5273 PS Certificate Management over CMS (CMC): Transport Protocols
    RFC5274 PS Certificate Management Messages over CMS (CMC): Compliance Requirements
    RFC5280 Standard Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    RFC5480 PS Elliptic Curve Cryptography Subject Public Key Information
    RFC5636 E Traceable Anonymous Certificate
    RFC5697 E Other Certificates Extension
    RFC5755 PS An Internet Attribute Certificate Profile for Authorization
    RFC5756 PS Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
    RFC5758 PS Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
    RFC5816 PS ESSCertIDv2 Update for RFC 3161
    RFC5877 I The application/pkix-attr-cert Media Type for Attribute Certificates
    RFC5912 I New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
    RFC5913 PS Clearance Attribute and Authority Clearance Constraints Certificate Extension
    RFC5914 PS Trust Anchor Format

Meeting Minutes

Slides

    PKIX Overview
    Trust Anchor Management
    PKIX ASN.1 Translation
    RFC 5280 Implementation report
    Certificate Image
    Suite B Profile of CMC
    Robust Revocation
    Application Server Identity
    CertID and KeyID for PKIX
    Proxy Architecture on DRM Service