Public-Key Infrastructure (X.509) (pkix)

Last Modified: 2011-08-18

Additional information is available at tools.ietf.org/wg/pkix

Chair(s):

Security Area Director(s):

Security Area Advisor:

Mailing Lists:

General Discussion: pkix@ietf.org
To Subscribe: pkix-request@ietf.org
In Body: subscribe
Archive: http://www.ietf.org/mail-archive/web/pkix/current/maillist.html

Description of Working Group:

The PKIX Working Group was established in the fall of 1995 with the
goal of developing Internet standards to support X.509-based Public
Key Infrastructures (PKIs). Initially PKIX pursued this goal by
profiling X.509 standards developed by the CCITT (later the ITU-T).
Later, PKIX initiated the development of standards that are not
profiles of ITU-T work, but rather are independent initiatives
designed to address X.509-based PKI needs in the Internet. Over time
this latter category of work has become the major focus of PKIX work,
i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509
documents.

PKIX has produced a number of standards track and informational RFCs.
RFC 3280 (Certificate and CRL Profile) and RFC 3281 (Attribute
Certificate Profile) are recent examples of standards track RFCs that
profile ITU-T documents. RFC 2560 (Online Certificate Status
Protocol), RFC 3779 (IP Address and AS Number Extensions), and RFC
3161 (Time-Stamp Protocol) are examples of standards track RFCs that
are IETF-initiated. RFC 4055 (RSA, standards track) and RFC 3874
(SHA-224, informational) are examples of RFCs that describe how to use
public key and hash algorithms in PKIs.

PKIX Work Plan

PKIX will continue to track the evolution of ITU-T X.509 documents,
and will maintain compatibility between these documents and IETF PKI
standards, since the profiling of X.509 standards for use in the
Internet remains an important topic for the working group.

PKIX does not endorse the use of specific cryptographic algorithms
with its protocols. However, PKIX does publish standards track RFCs
that describe how to identify algorithms and represent associated
parameters in these protocols, and how to use these algorithms with
these protocols. We anticipate efforts in this arena will continue to
be required over time.

PKIX will pursue new work items in the PKI arena if working group
members express sufficient interest, and if approved by the cognizant
Security Area director. For example, certificate validation under
X.509 and PKIX standards calls for a relying party to use a trust
anchor as the start of a certificate path. Neither X.509 nor extant
PKIX standards define protocols for the management of trust anchors.
Existing mechanisms for managing trust anchors, e.g., in browsers,
are limited in functionality and non-standard. There is considerable
interest in the PKI community in defining a standard model for trust
anchor management, and standard protocols to allow remote management.
Thus a future work item for PKIX is the definition of such protocols
and their associated data models.

Goals and Milestones:

Done  Complete approval of CMC, and qualified certificates documents
Done  Complete time stamping document
Done  Continue attribute certificate profile work
Done  Complete data certification document
Done  Complete work on attribute certificate profile
Done  Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
Done  INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
Done  Experimental RFC for Data Validation and Certification Server Protocols
Done  Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
Done  DPD/DVP Requirements RFC
Done  Certificate Policy & CPS Informational RFC (revision)
Done  Logotype Extension RFC
Done  Proxy Certificate RFC
Done  Cert Path Building approved as Informational RFC
Done  CRMFbis approved as PROPOSED Standard RFC
Done  CMPbis approved as PROPOSED Standard RFC
Done  Principal Identifier approved as PROPOSED Standard RFC
Done  Warranty Extensions approved as Informational RFC
Done  Certificate Store approved as Informational RFC
Done  PKIX Repository approved as Informational RFC
Done  Subject Identification Method as Informational RFC
Done  GOST Cryptographic Algorithms (RFC 4491)
Done  Update to DirectoryString Processing for RFC 3280
Done  Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476)
Sep 2007  Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
Sep 2007  Progression of Qualified Certificates Profile RFC to DRAFT Standard
Sep 2007  Progression of Certificate & CRL Profile RFC to DRAFT Standard
Sep 2007  Progression of Time Stamp Protocols RFC to DRAFT Standard
Sep 2007  Progression of Logotype RFC to DRAFT Standard
Nov 2007  Progression of Proxy Certificate RFC to DRAFT Standard
Nov 2007  Progression of Attribute Certificate Profile RFC to DRAFT standard
Feb 2008  Update to CMC approved as PROPOSED Standard
Mar 2008  ECC Algorithms approved as PROPOSED Standard RFC
Mar 2008  Progression of CMC RFCs to DRAFT Standard
Mar 2008  SCVP approved as PROPOSED Standard RFC

Internet-Drafts:

Internet X.509 Public Key Infrastructure -- HTTP Transport for CMP (24272 bytes)
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (97108 bytes)
Certificate Management over CMS (CMC) Updates (66671 bytes)
Clarifications to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (10323 bytes)
S/MIME Capabilities for Public Key Definitions (37367 bytes)
Internationalized Email Addresses in X.509 certificates (6931 bytes)
DNS Certification Authority Authorization (CAA) Resource Record (45722 bytes)

Request For Comments:

Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459) (278438 bytes) obsoleted by RFC 3280
Internet X.509 Public Key Infrastructure Certificate Management Protocols (RFC 2510) (158178 bytes) obsoleted by RFC 4210
Internet X.509 Certificate Request Message Format (RFC 2511) (48278 bytes) obsoleted by RFC 4211
Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527) (91860 bytes) obsoleted by RFC 3647
Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates (RFC 2528) (18273 bytes)
Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 (RFC 2559) (22894 bytes) obsoleted by RFC 3494/ updates RFC 1778
Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP (RFC 2585) (14813 bytes)
Internet X.509 Public Key Infrastructure LDAPv2 Schema (RFC 2587) (15102 bytes) obsoleted by RFC 4523
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (RFC 2560) (43243 bytes) updated by RFC 6277
Certificate Management Messages over CMS (RFC 2797) (103357 bytes) obsoleted by RFC 5272
Diffie-Hellman Proof-of-Possession Algorithms (RFC 2875) (45231 bytes)
Internet X.509 Public Key Infrastructure Qualified Certificates Profile (RFC 3039) (67619 bytes) obsoleted by RFC 3739
Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols (RFC 3029) (107347 bytes)
Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) (RFC 3161) (54585 bytes) updated by RFC 5816
An Internet Attribute Certificate Profile for Authorization (RFC 3281) (90580 bytes) obsoleted by RFC 5755
Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 3280) (295556 bytes) obsoletes RFC 2459/ obsoleted by RFC 5280/ updated by RFC 4325,RFC 4630
Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 3279) (53833 bytes) updated by RFC 4491,RFC 5480,RFC 5758
Delegated Path Validation and Delegated Path Discovery Protocol Requirements (RFC 3379) (32455 bytes)
Policy Requirements for Time-Stamping Authorities (RFC 3628) (92941 bytes)
Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647) (228124 bytes) obsoletes RFC 2527
Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates (RFC 3709) (46453 bytes) updated by RFC 6170
Internet X.509 Public Key Infrastructure: Qualified Certificates Profile (RFC 3739) (67436 bytes) obsoletes RFC 3039
Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN (RFC 3770) (18635 bytes) obsoleted by RFC 4334
X.509 Extensions for IP Addresses and AS Identifiers (RFC 3779) (60732 bytes)
Internet X.509 Public Key Infrastructure Proxy Certificate Profile (RFC 3820) (86374 bytes)
A 224-bit One-way Hash Function: SHA-224 (RFC 3874) (11600 bytes)
Internet X.509 Public Key Infrastructure Warranty Certificate Extension (RFC 4059) (17904 bytes)
Internet X.509 Public Key Infrastructure Permanent Identifier (RFC 4043) (30092 bytes)
Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 4055) (57479 bytes) updated by RFC 5756
Internet X.509 Public Key Infrastructure: Certification Path Building (RFC 4158) (199297 bytes)
Internet X.509 Public Key Infrastructure Certificate Management Protocols (RFC 4210) (212013 bytes) obsoletes RFC 2510
Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) (RFC 4211) (86136 bytes) obsoletes RFC 2511
Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension (RFC 4325) (14449 bytes) obsoleted by RFC 5280/ updates RFC 3280
Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) (RFC 4334) (20739 bytes) obsoletes RFC 3770
Internet X.509 Public Key Infrastructure Repository Locator Service (RFC 4386) (11330 bytes)
Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP (RFC 4387) (63182 bytes)
Attribute Certificate (AC) Policies Extension (RFC 4476) (20229 bytes)
Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. (RFC 4491) (39095 bytes) updates RFC 3279
Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 4630) (12539 bytes) obsoleted by RFC 5280/ updates RFC 3280
Internet X.509 Public Key Infrastructure Subject Identification Method (SIM) (RFC 4683) (41285 bytes)
Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name (RFC 4985) (17868 bytes)
The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments (RFC 5019) (46371 bytes)
Server-based Certificate Validation Protocol (SCVP) (RFC 5055) (198764 bytes)
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280) (352580 bytes) obsoletes RFC 4630,RFC 4325,RFC 3280
Certificate Management Messages over CMS (CMC): Compliance Requirements (RFC 5274) (27380 bytes)
Certificate Management over CMS (CMC): Transport Protocols (RFC 5273) (14030 bytes)
Certificate Management Messages over CMS (RFC 5272) (167138 bytes) obsoletes RFC 2797
Elliptic Curve Cryptography Subject Public Key Information (RFC 5480) (36209 bytes) updates RFC 3279
Traceable Anonymous Certificate (RFC 5636) (70316 bytes)
Other Certificates Extension (RFC 5697) (17949 bytes)
Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA (RFC 5758) (15834 bytes) updates RFC 3279
An Internet Attribute Certificate Profile for Authorization (RFC 5755) (101482 bytes) obsoletes RFC 3281
Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters (RFC 5756) (12017 bytes) updates RFC 4055
ESSCertIDv2 Update for RFC 3161 (RFC 5816) (10216 bytes) updates RFC 3161
The application/pkix-attr-cert Media Type for Attribute Certificates (RFC 5877) (6692 bytes)
Trust Anchor Format (RFC 5914) (28393 bytes)
Clearance Attribute and Authority Clearance Constraints Certificate Extension (RFC 5913) (39650 bytes)
New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) (RFC 5912) (216154 bytes)
Trust Anchor Management Protocol (TAMP) (RFC 5934) (196043 bytes)
Trust Anchor Management Requirements (RFC 6024) (33415 bytes)
ASN.1 Translation (RFC 6025) (39221 bytes)
Internet X.509 Public Key Infrastructure -- Certificate Image (RFC 6170) (25240 bytes) updates RFC 3709
Online Certificate Status Protocol Algorithm Agility (RFC 6277) (21682 bytes) updates RFC 2560