Last Modified: 2004-07-02
PKIX has produced several informational and standards track documents in support of the original and revised scope of the WG. The first of these standards, RFC 2459, profiled X.509 version 3 certificates and version 2 CRLs for use in the Internet. Profiles for the use of Attribute Certificates (RFC XXXX [pending]), LDAP v2 for certificate and CRL storage (RFC 2587), the Internet X.509 Public Key Infrastructure Qualified Certificates Profile (RFC 3039), and the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527 - Informational) are in line with the initial scope.
The Certificate Management Protocol (CMP) (RFC 2510), the Online Certificate Status Protocol (OCSP) (RFC 2560), Certificate Management Request Format (CRMF) (RFC 2511), Certificate Management Messages over CMS (RFC 2797), Internet X.509 Public Key Infrastructure Time Stamp Protocols (RFC 3161), and the use of FTP and HTTP for transport of PKI operations (RFC 2585) are representative of the expanded scope of PKIX, as these are new protocols developed in the working group, not profiles of ITU PKI standards.
A roadmap, providing a guide to the growing set of PKIX documents, also has been developed as an informational RFC.
Ongoing PKIX Work items
An ongoing PKIX task is the progression of existing standards track RFCs from PROPOSED to DRAFT. Also, to the extent that PKIX work relates to protocols from other areas, e.g., LDAP, it is necessary to track the evolution of the other protocols and produce updated RFCs. For example, the LDAP v2 documents from PKIX are evolving to address LDAP v3. Finally, since the profiling of X.509 standards for use in the Internet remains a major focus, the WG will continue to track the evolution of these standards and incorporate changes and additions as appropriate.
New Work items for PKIX
- production of a requirements RFC for delegated path discovery and path validation protocols (DPD/DPV) and subsequent production of RFCs for protocols that satisfy the requirements
- development of a logotype extension for certificates
- development of a proxy certificate extension and associated processing rules
- development of an informational document on PKI disaster recovery
These work items may become standards track, INFORMATIONAL or EXPERIMENTAL RFCs, or may not even be published as RFCs.
Other deliverables may be agreed upon as extensions are proposed. New deliverables must be approved by the Security Area Directors before inclusion on the charter or IETF meeting agendas.
Date | Milestone |
---|---|
Done | Complete approval of CMC, and qualified certificates documents |
Done | Complete time stamping document |
Done | Continue attribute certificate profile work |
Done | Complete data certification document |
Done | Complete work on attribute certificate profile |
Done | Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP |
Done | INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA |
Done | Experimental RFC for Data Validation and Certification Server Protocols |
Done | Production of revised certificate and CRL syntax and processing RFC (son-of-2459) |
Done | DPD/DPV Requirements RFC |
Done | Certificate Policy & CPS Informational RFC (revision) |
Dec 03 | Progression of CMC RFCs to DRAFT Standard |
Done | Logotype Extension RFC |
Done | Proxy Certificate RFC |
Mar 04 | SCVP proposed Standard RFC |
Mar 04 | Progression of Qualified Certificates Profile RFC to DRAFT Standard |
Mar 04 | Progression of Certificate & CRL Profile RFC to DRAFT Standard |
Mar 04 | Progression of Time Stamp Protocols RFC to DRAFT Standard |
Mar 04 | Progression of Logotype RFC to DRAFT Standard |
Apr 04 | Progression of CRMF, CMP, and CMP Transport to DRAFT Standard |
Jun 04 | Progression of Proxy Certificate RFC to DRAFT Standard |
Jun 04 | Progression of SCVP to Draft Standard |
Jun 04 | Progression of Attribute Certificate Profile RFC to DRAFT Standard |
RFC | Status | Title |
---|---|---|
RFC2459 | PS | Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
RFC2510 | PS | Internet X.509 Public Key Infrastructure Certificate Management Protocols |
RFC2511 | PS | Internet X.509 Certificate Request Message Format |
RFC2527 | I | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
RFC2528 | I | Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates |
RFC2559 | PS | Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 |
RFC2585 | PS | Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP |
RFC2587 | PS | Internet X.509 Public Key Infrastructure LDAPv2 Schema |
RFC2560 | PS | X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP |
RFC2797 | PS | Certificate Management Messages over CMS |
RFC2875 | PS | Diffie-Hellman Proof-of-Possession Algorithms |
RFC3039 | PS | Internet X.509 Public Key Infrastructure Qualified Certificates Profile |
RFC3029 | E | Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols |
RFC3161 | PS | Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) |
RFC3279 | PS | Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
RFC3280 | PS | Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
RFC3281 | PS | An Internet Attribute Certificate Profile for Authorization |
RFC3379 | I | Delegated Path Validation and Delegated Path Discovery Protocol Requirements |
RFC3628 | I | Policy Requirements for Time-Stamping Authorities |
RFC3647 | I | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
RFC3709 | Standard | Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates |
RFC3739 | Standard | Internet X.509 Public Key Infrastructure: Qualified Certificates Profile |
RFC3770 | Standard | Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN |
RFC3779 | Standard | X.509 Extensions for IP Addresses and AS Identifiers |
RFC3820 | Standard | Internet X.509 Public Key Infrastructure Proxy Certificate Profile |
PKIX WG Meeting 8-4-04
Edited by Steve Kent
Chairs: Stephen Kent <kent@bbn.com> & Tim Polk <tim.polk@nist.gov>
The PKIX WG met once during the 60th IETF. A total of approximately 73 individuals participated in the meeting.

WG Status and Direction

Document Status Review - Tim Polk (NIST)
The working group has a number of Internet-Drafts. Many documents are with the ADs or in various stages of WG Last Call. Several others are ready for Last Call. Also, the working group milestones have been out of date, although several were recently updated. An additional pass to revise the milestones will be made by the WG chairs, and the results posted to the WG home page. (slides)

PKIX WG Specifications

LDAP Specifications
PKIX has a number of LDAP-based specifications supporting publication and distribution of certificates and CRLs.

LDAP Schemas, String Values, etc. - David Chadwick (U. of Salford)
draft-ietf-pkix-ldap-crl-schema-02.txt
draft-ietf-pkix-ldap-ac-schema-01.txt
The WG has a suite of LDAP-PKIX drafts forming a comprehensive solution for LDAP-based PKI information distribution. New drafts of two I-Ds have been submitted since IETF 59, and additional drafts will be published soon after this meeting. The documents will be Informational WG submissions, having previously been individual submissions. A late September WG Last Call is planned, to accommodate the author's schedule. (slides)

Practical Considerations for Use of LDAP in PKIX - Kurt Zeilenga (LDAPbis WG co-chair)
Practical considerations must be addressed to maximize the utility and interoperability of LDAP-based PKIs. This presentation discussed known issues and (where applicable) ways to address them. Highlights include ";binary" support. The goal is to complete this work (3 documents) via staged WG Last Calls in late August, September, and October, so that all 3 are done before the D.C. IETF meeting. (slides)

Matching Text Strings in PKIX Certificates - Paul Hoffman (IMC) & Steve Hanna (Sun->Funk)
draft-hoffman-pkix-stringmatch-00.txt
This specification describes the use of (LDAP) Stringprep to support comparison and matching of international text strings. It resolves an open issue from RFC 3280, where the minimum requirement for name comparison was specified as binary matching. Since the publication of RFC 3280, the Stringprep specification has been completed, providing a solid basis for comparison and matching of text strings in PKIX certificates. The target is a standards track document as a PKIX WG item, to be referenced from 3280bis. X.500 provides per-attribute matching rules and is being updated to use Stringprep, so the emphasis in PKIX should be on alternative name matching. The target is to identify and resolve issues by the next IETF meeting. (slides)

RFC 3280 Progression - Tim Polk (NIST)
NIST presented the current plan and milestones for progression of RFC 3280 to Draft Standard. Russ identified a problem for 3280bis related to international string matching: RFC 3280 punted on the topic of wildcard matching, so 3280bis needs to address this issue in the Stringprep context. (slides)

Subject Identification Method - Tim Polk (NIST) for Jongwook Park (KISA)
draft-ietf-pkix-sim-03.txt
A new draft of the Subject Identification Method has been submitted since IETF 59. The document is relatively stable and mature. WG Last Call is expected very soon for the next (final?) draft of this document. (slides)

SCVP Progression - Tim Polk (NIST) for Trevor Freeman (Microsoft)
draft-ietf-pkix-scvp-15.txt
This document has been in WG Last Call since early 2004. Completion of WG Last Call was blocked by newly identified implementation requirements for unsigned messages to support DPD. Early proposals did not satisfy RFC 3379 and were rejected. A new draft has been submitted since IETF 59 implementing unsigned messages while satisfying RFC 3379 and the implementation requirements. It seems likely that additional revisions will be needed before the document is finished, given Last Call comments. The target is to be done before the D.C. meeting. (slides)

OCSPv1 Progression to DRAFT - Mike Myers (TraceRoute)
An ambiguity in the text regarding nonces needs to be resolved, in a fashion that accommodates existing implementation practice. This should be a one-paragraph change and allow the document to proceed to DRAFT quickly. (no slides)

Related Specifications & Liaison Presentations

Specification of OCSP in IKEv2 - Mike Myers (TraceRoute)
draft-myers-ipsec-ikev2-oscp-00.txt
This is an IPsec topic that uses a PKIX protocol. The presentation described issues with the specification of OCSP in IKEv2, which provides an alternative to sending CRLs via IKE. The motivations are to avoid fragmentation concerns in IKE, and because it might be hard to gain access to an OCSP server without secure access (a chicken-and-egg problem). An individual submission; not a PKIX document. (slides)

User Interface Requirement for the Internet X.509 Public Key Infrastructure - Jaehoo Yoon (KISA)
draft-choi-pkix-ui-00.txt
This document proposes basic requirements for a user interface for PKI client software, with an emphasis on usability and smart card support. Requirements addressed by the document include root CA certificate management, certificate sharing among applications, local storage, etc. It is targeted to be an informational document for system designers. An individual (not PKIX) submission. (slides)
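To illustrate the string-matching issue raised in the minutes above (issuer/subject name chaining under binary comparison, the RFC 3280 section 4.1.2.4 rules, and a Stringprep-style comparison), here is an added example that is not part of the original page or of draft-hoffman-pkix-stringmatch. The two names and the simplified Stringprep stand-in are constructed assumptions of this example, not the actual LDAP Stringprep profile.

```python
import re
import unicodedata

# Constructed sample: a CA's own subject name and the issuer name that a
# different toolkit wrote into an end-entity certificate for the same CA.
# Each name is a sequence of (attribute type, ASN.1 string type, value).
CA_SUBJECT = [("C", "PrintableString", "FI"),
              ("O", "PrintableString", "Example  Oy "),
              ("CN", "UTF8String", "Example Root CA \u00c4")]   # precomposed A-umlaut
EE_ISSUER = [("C", "PrintableString", "FI"),
             ("O", "PrintableString", "example oy"),
             ("CN", "UTF8String", "EXAMPLE ROOT CA A\u0308")]   # A + combining umlaut

def binary_match(name_a, name_b):
    """The RFC 3280 floor: names chain only if every value is identical."""
    return name_a == name_b

def rfc3280_value(string_type, value):
    """RFC 3280 section 4.1.2.4 rules: PrintableString values are trimmed,
    internal whitespace runs are collapsed and case is ignored; values of
    every other string type are compared as-is (case sensitive)."""
    if string_type == "PrintableString":
        return re.sub(r"\s+", " ", value.strip()).lower()
    return value

def stringprep_value(value):
    """Simplified stand-in (an assumption of this example) for the LDAP
    Stringprep profile: Unicode compatibility normalization, case folding
    and whitespace collapsing for every string type. The real profile also
    maps and prohibits specific code points, which is omitted here."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return re.sub(r"\s+", " ", folded.strip())

def _match(name_a, name_b, key):
    """Compare two names attribute by attribute using the given value key."""
    if len(name_a) != len(name_b):
        return False
    return all(ta == tb and key(sa, va) == key(sb, vb)
               for (ta, sa, va), (tb, sb, vb) in zip(name_a, name_b))

def rfc3280_match(name_a, name_b):
    return _match(name_a, name_b, rfc3280_value)

def stringprep_match(name_a, name_b):
    return _match(name_a, name_b, lambda _type, value: stringprep_value(value))
```

Binary matching and the RFC 3280 rules both reject this chain (the UTF8String CN differs in case and Unicode composition), while the Stringprep-style comparison accepts it; the same normalization applied to a subject alternative name is what the draft targets.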