2.6.12 Public-Key Infrastructure (X.509) (pkix)

NOTE: This charter is a snapshot of the 62nd IETF Meeting in Minneapolis, MN USA. It may now be out-of-date.

Last Modified: 2005-01-13

Chair(s):

Stephen Kent <kent@bbn.com>
Tim Polk <wpolk@nist.gov>

Security Area Director(s):

Russell Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:

Russell Housley <housley@vigilsec.com>

Mailing Lists:

General Discussion: ietf-pkix@imc.org
To Subscribe: ietf-pkix-request@imc.org
In Body: subscribe
Archive: http://www.imc.org/ietf-pkix

Description of Working Group:

The PKIX Working Group was established in the Fall of 1995 with the
intent of developing Internet standards needed to support an
X.509-based PKI. The scope of PKIX work has expanded beyond this
initial goal. PKIX not only profiles ITU PKI standards, but also
develops new standards apropos to the use of X.509-based PKIs in the
Internet.

PKIX has produced several informational and standards track documents
in support of the original and revised scope of the WG. The first of
these standards, RFC 2459, profiled X.509 version 3 certificates and
version 2 CRLs for use in the Internet. Profiles for the use of
Attribute Certificates (RFC XXXX [pending]), LDAP v2 for certificate
and CRL storage (RFC 2587), the Internet X.509 Public Key
Infrastructure Qualified Certificates Profile (RFC 3039), and the
Internet X.509 Public Key Infrastructure Certificate Policy and
certification Practices Framework (RFC 2527 - Informational) are in
line with the initial scope.

The Certificate Management Protocol (CMP) (RFC 2510), the Online
Certificate Status Protocol (OCSP) (RFC 2560), Certificate Management
Request Format (CRMF) (RFC 2511), Time-Stamp Protocol (RFC 3161),
Certificate Management Messages over CMS (RFC 2797), Internet X.509
Public Key Infrastructure Time Stamp Protocols (RFC 3161), and the use
of FTP and HTTP for transport of PKI operations (RFC 2585) are
representative of the expanded scope of PKIX, as these are new
protocols developed in the working group, not profiles of ITU PKI
standards.

A roadmap, providing a guide to the growing set of PKIX documents, has
also been developed as an informational RFC.

Ongoing PKIX Work items

An ongoing PKIX task is the progression of existing, standards track
RFCs from PROPOSED to DRAFT. Also, to the extent that PKIX work
relates to protocols from other areas, e.g., LDAP, it is necessary to
track the evolution of the other protocols and produce updated
RFCs. For example, the LDAP v2 documents from PKIX are evolving to
address LDAP v3. Finally, since the profiling of X.509 standards for
use in the Internet remains a major focus, the WG will continue to
track the evolution of these standards and incorporate changes and
additions as appropriate.

New Work items for PKIX

- production of a requirements RFC for delegated path discovery and
  path validation protocols (DPD/DPV) and subsequent production of
  RFCs for protocols that satisfy the requirements

- development of a logotype extension for certificates

- development of a proxy certificate extension and associated
  processing rules

- development of an informational document on PKI disaster recovery

These work items may become standards track, INFORMATIONAL or
EXPERIMENTAL RFCs, or may not even be published as RFCs.

Other deliverables may be agreed upon as extensions are proposed.
New deliverables must be approved by the Security Area Directors
before inclusion on the charter or IETF meeting agendas.

Goals and Milestones:

Done  Complete approval of CMC, and qualified certificates documents
Done  Complete time stamping document
Done  Continue attribute certificate profile work
Done  Complete data certification document
Done  Complete work on attribute certificate profile
Done  Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
Done  INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
Done  Experimental RFC for Data Validation and Certification Server Protocols
Done  Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
Done  DPD/DPV Requirements RFC
Done  Certificate Policy & CPS Informational RFC (revision)
Done  Logotype Extension RFC
Done  Proxy Certificate RFC
Mar 04  SCVP proposed Standard RFC
Jan 05  Cert Path Building approved as Informational RFC
Jan 05  Certificate Store approved as Informational RFC
Jan 05  PKIX Repository approved as Informational RFC
Feb 05  ECC Algorithms approved as PROPOSED Standard RFC
Mar 05  CRMFbis approved as PROPOSED Standard RFC
Mar 05  SCVP approved as PROPOSED Standard RFC
Mar 05  Subject Identification Method as Informational RFC
May 05  OCSPv2 Extensions approved as PROPOSED Standard RFC
Jun 05  Progression of Qualified Certificates Profile RFC to DRAFT Standard
Jun 05  Progression of CMC RFCs to DRAFT Standard
Jun 05  Progression of Certificate & CRL Profile RFC to DRAFT Standard
Jun 05  Progression of Time Stamp Protocols RFC to DRAFT Standard
Jul 05  Progression of Logotype RFC to DRAFT Standard
Jul 05  Progression of Proxy Certificate RFC to DRAFT Standard
Jul 05  Progression of Attribute Certificate Profile RFC to DRAFT standard
Nov 05  Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
Dec 05  Progression of SCVP to Draft Standard

Internet-Drafts:

  • draft-ietf-pkix-scvp-18.txt
  • draft-ietf-pkix-rfc2510bis-09.txt
  • draft-ietf-pkix-pi-11.txt
  • draft-ietf-pkix-pkixrep-03.txt
  • draft-ietf-pkix-rfc2511bis-08.txt
  • draft-ietf-pkix-2797-bis-02.txt
  • draft-ietf-pkix-cmc-trans-03.txt
  • draft-ietf-pkix-cmc-archive-01.txt
  • draft-ietf-pkix-certstore-http-08.txt
  • draft-ietf-pkix-warranty-extn-04.txt
  • draft-ietf-pkix-acpolicies-extn-05.txt
  • draft-ietf-pkix-rsa-pkalgs-03.txt
  • draft-ietf-pkix-ldap-crl-schema-03.txt
  • draft-ietf-pkix-ldap-ac-schema-02.txt
  • draft-ietf-pkix-certpathbuild-05.txt
  • draft-ietf-pkix-gost-cppk-02.txt
  • draft-ietf-pkix-ecc-pkalgs-00.txt
  • draft-ietf-pkix-ldap-pkc-schema-01.txt
  • draft-ietf-pkix-lightweight-ocsp-profile-01.txt
  • draft-ietf-pkix-rfc3770bis-00.txt
  • draft-ietf-pkix-crlaia-00.txt

Request For Comments:

RFC     Status  Title   (PS = Proposed Standard, I = Informational, E = Experimental)
RFC2459 PS Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC2510 PS Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC2511 PS Internet X.509 Certificate Request Message Format
RFC2527 I Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC2528 I Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
RFC2559 PS Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
RFC2560 PS X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
RFC2585 PS Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
RFC2587 PS Internet X.509 Public Key Infrastructure LDAPv2 Schema
RFC2797 PS Certificate Management Messages over CMS
RFC2875 PS Diffie-Hellman Proof-of-Possession Algorithms
RFC3029 E Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols
RFC3039 PS Internet X.509 Public Key Infrastructure Qualified Certificates Profile
RFC3161 PS Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP)
RFC3279 PS Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC3280 PS Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC3281 PS An Internet Attribute Certificate Profile for Authorization
RFC3379 I Delegated Path Validation and Delegated Path Discovery Protocol Requirements
RFC3628 I Policy Requirements for Time-Stamping Authorities
RFC3647 I Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC3709 Standard Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates
RFC3739 Standard Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
RFC3770 Standard Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN
RFC3779 Standard X.509 Extensions for IP Addresses and AS Identifiers
RFC3820 Standard Internet X.509 Public Key Infrastructure Proxy Certificate Profile
RFC3874 I A 224-bit One-way Hash Function: SHA-224

Current Meeting Report

PKIX WG Meeting 3/8/05

Edited by Steve Kent

Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov>

The PKIX WG met once during the 62nd IETF. A total of approximately 45 individuals participated in the meeting.


Document status - Tim Polk (NIST)
Five documents are in the RFC Editor's queue. One document was just approved by the IESG, and several more are in the IESG queue for review and approval. Several documents are stalled.

PKIX WG Document Presentations

Simple Certificate Validation Protocol (SCVP) - David Cooper (NIST)
Significant progress has been made towards rough consensus through the two drafts submitted since the last meeting. These drafts have been submitted with significant enhancements. At this stage (rev 18) the editors are trying to determine if the remaining comments suggesting changes have wide support and thus need to be accommodated. David noted some confusion regarding the semantics of the default validation policy part of the spec, which needs to be discussed on the list to resolve some ambiguities. Several "sense of the room" polls were taken, but the questions will be brought to the list for resolution.

3280bis - David Cooper (NIST)
A design team met in January to develop a -00 draft from an issues list compiled from PKIX mail messages and mail to the RFC 3280 editors. Draft -00 incorporates a number of clarifications and small changes designed to align with ISO and remove ambiguities, and a new section on comparing internationalized names. See the next presentation for details on internationalization of names. A question was raised as to whether this document should be used by an application to guide name matching rules if the application makes use of a name from a certificate to make an access control decision or an analogous determination. To first order, this document addresses matching rules only for name comparisons relative to path validation, e.g., for certificate chaining and for applications of name constraints.

UTF8String Deployment and Migration - Akira Kanaoka (Secom/JNSA PKI Challenge Project)
This presentation reported on feedback received from a questionnaire on UTF8String deployment in Asia, i.e., to determine the extent to which CAs in Asia followed the RFC 3280 guidance on this topic, guidance that was rescinded in 3280bis! The survey was sent to Asia PKI Forum members in 9 countries, but got replies from 11 CAs in only 3 countries. All of the CAs that replied were government-funded, not private CAs. Responses indicate that most CAs use UTF8 when they need to represent names in other than their local character set. Another survey looked at MS Windows root certificate stores, as a measure of commercial CA migration, and here none of the root CAs had UTF8 encodings! Given the commercial CA situation, a migration plan is needed. The suggestion is to create an individual-submission Informational RFC to describe whatever migration strategy is developed, test cases, etc.
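The two preceding presentations turn on the same mechanism: how a path validator decides that two X.500 names are "the same". The following Python is an added example, not code from the PKIX WG or from any of the drafts discussed; it implements the attribute-value comparison rules of RFC 3280 section 4.1.2.4 (PrintableString values compared case-insensitively with white space trimmed and collapsed, other string types compared exactly, values in different ASN.1 string types treated as different) over a small constructed name model. It shows why the 3280bis discussion drew a line between path-validation matching and application access control (names an application treats as distinct compare equal under the path-validation rules), and why a CA that issues an issuer name in UTF8String when the CA certificate's subject is PrintableString breaks chaining, which is the migration problem the UTF8String survey describes. The attribute OIDs are real; the type labels, sample names and helper names are assumptions made for this illustration.

```python
"""RFC 3280 section 4.1.2.4 name comparison, as an added illustration.

The name model (tuple of RDNs, each a tuple of AttributeValue) and the
string-type labels below are constructed for this example; they are not the
ASN.1 structures of any real library.
"""
from dataclasses import dataclass

# ASN.1 string types that can carry a DirectoryString attribute value.
PRINTABLE = "PrintableString"
UTF8 = "UTF8String"

# Real attribute-type OIDs (commonName, organizationName, countryName).
CN, O, C = "2.5.4.3", "2.5.4.10", "2.5.4.6"


@dataclass(frozen=True)
class AttributeValue:
    oid: str    # attribute type
    typ: str    # ASN.1 string type the value was encoded in
    value: str  # decoded text


def normalize_printable(s: str) -> str:
    # RFC 3280 4.1.2.4 (c) and (d): PrintableString values are not case
    # sensitive and are compared after trimming leading/trailing white space
    # and collapsing internal runs of white space to a single space.
    return " ".join(s.split()).lower()


def attribute_values_match(a: AttributeValue, b: AttributeValue) -> bool:
    if a.oid != b.oid:
        return False
    if a.typ != b.typ:
        # Rule (a): values encoded in different types MAY be assumed to
        # represent different strings.  A strict validator therefore fails
        # to chain a UTF8String issuer name to a PrintableString subject.
        return False
    if a.typ == PRINTABLE:
        return normalize_printable(a.value) == normalize_printable(b.value)
    # Rule (b): types other than PrintableString are compared case-sensitively
    # (effectively as binary objects).
    return a.value == b.value


def names_match(dn1, dn2) -> bool:
    """Path-validation comparison: same RDN sequence, RDNs compared as sets."""
    if len(dn1) != len(dn2):
        return False
    for rdn1, rdn2 in zip(dn1, dn2):
        if len(rdn1) != len(rdn2):
            return False
        if not all(any(attribute_values_match(x, y) for y in rdn2) for x in rdn1):
            return False
    return True


def names_match_exact(dn1, dn2) -> bool:
    """Byte-for-byte comparison, the kind an access-control list typically does."""
    return dn1 == dn2


def dn(*rdns):
    return tuple(tuple(rdn) for rdn in rdns)


# Constructed sample names (not taken from any real certificate).
# Subject of a CA certificate, all PrintableString.
CA_SUBJECT = dn(
    [AttributeValue(C, PRINTABLE, "US")],
    [AttributeValue(O, PRINTABLE, "Example  Org")],
    [AttributeValue(CN, PRINTABLE, "Example CA")],
)
# Issuer name as written into an end-entity certificate by the same CA,
# differing only in case and white space.
ISSUER_IN_EE_CERT = dn(
    [AttributeValue(C, PRINTABLE, "US")],
    [AttributeValue(O, PRINTABLE, " example org ")],
    [AttributeValue(CN, PRINTABLE, "EXAMPLE CA")],
)
# Issuer name re-encoded in UTF8String after a migration; text identical.
ISSUER_UTF8_MIGRATED = dn(
    [AttributeValue(C, PRINTABLE, "US")],
    [AttributeValue(O, UTF8, "Example  Org")],
    [AttributeValue(CN, UTF8, "Example CA")],
)


if __name__ == "__main__":
    print("chains under 3280 rules:", names_match(CA_SUBJECT, ISSUER_IN_EE_CERT))      # True
    print("equal for an ACL lookup:", names_match_exact(CA_SUBJECT, ISSUER_IN_EE_CERT)) # False
    print("chains after UTF8 migration:", names_match(CA_SUBJECT, ISSUER_UTF8_MIGRATED)) # False
```

The first two lines of output are the access-control point from the 3280bis discussion: a validator accepts the chain, while an application that keys a policy on the exact subject string would see two different principals. The third line is the migration point: once a CA switches the encoding of names it writes into issued certificates, the chain to its existing, PrintableString-encoded CA certificate fails under a strict validator, so a migration plan has to cover the CA certificate and all certificates that name it, not just new issuance.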

CRL Signer Certificates and AIA - Stefan Santesson (Microsoft)
Draft -00 of this new PKIX document was published after the last meeting. There has been moderate discussion on the list about this draft. About 5 major issues were identified. Responses have been proposed for each issue and, where appropriate, will be reflected in the next draft. One issue (choice of recommended referral methods) still remains, and will be addressed on the list.

Update on CRMF, CMC documents - Jim Schaad (Soaring Hawk)
This presentation reviewed the state of several related drafts and highlighted the controversies that remain. CRMF was forwarded to the RFC Editor a bit earlier than Jim had anticipated. Two OID assignments need to be changed, and the plan is to use the 48-hour author's review period to make these changes, after confirmation on the WG list. The CMC base and transport documents are ready and will go out soon. The CMC compliance document will go out very soon. CMC archive has one issue to be resolved, dealing with packaging of multiple keys retrieved from an escrow agent. Nonetheless, this document also will be republished and ready for last call very shortly.

Related Specifications & Liaison Presentations

LDAP schema definitions - Kurt Zeilenga (OpenLDAP)
The author of this individual submission has requested that the WG review and comment upon this draft. He intends to make a decision by the end of IETF#62 whether to recommend this revision for IESG consideration as a Proposed Standard. This document is intended to be published at the same time as the revised LDAP TS being developed by the LDAPBIS WG.

OCSP Data Interchange Format - John Hines (Tumbleweed)
The presenter will be submitting an individual draft defining a data interchange format for OCSP servers. The presentation described the problems that inspired this draft and invited WG participation, even though the document will not be a PKIX document. The goal is to eventually make this a standard, and Russ Housley explained the procedure for doing this via the individual submission path.

Slides

Document Status
3280bis
SCVP
UTF8 String Deployment
CRL Signer Certificates & AIA
Update on CRMF & CMC
LDAP Schema Definitions