Last Modified: 2004-09-07
| Target | Milestone |
|---|---|
| Done | Complete approval of CMC, and qualified certificates documents |
| Done | Complete time stamping document |
| Done | Continue attribute certificate profile work |
| Done | Complete data certification document |
| Done | Complete work on attribute certificate profile |
| Done | Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP |
| Done | INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA |
| Done | Experimental RFC for Data Validation and Certification Server Protocols |
| Done | Production of revised certificate and CRL syntax and processing RFC (son-of-2459) |
| Done | DPD/DVP Requirements RFC |
| Done | Certificate Policy & CPS Informational RFC (revision) |
| Dec 03 | Progression of CMC RFCs to DRAFT Standard |
| Done | Logotype Extension RFC |
| Done | Proxy Certificate RFC |
| Mar 04 | SCVP proposed Standard RFC |
| Mar 04 | Progression of Qualified Certificates Profile RFC to DRAFT Standard |
| Mar 04 | Progression of Certificate & CRL Profile RFC to DRAFT Standard |
| Mar 04 | Progression of Time Stamp Protocols RFC to DRAFT Standard |
| Mar 04 | Progression of Logotype RFC to DRAFT Standard |
| Apr 04 | Progression of CRMF, CMP, and CMP Transport to DRAFT Standard |
| Jun 04 | Progression of Proxy Certificate RFC to DRAFT Standard |
| Jun 04 | Progression of SCVP to Draft Standard |
| Jun 04 | Progression of Attribute Certificate Profile RFC to DRAFT Standard |
| RFC | Status | Title |
|---|---|---|
| RFC2459 | PS | Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
| RFC2510 | PS | Internet X.509 Public Key Infrastructure Certificate Management Protocols |
| RFC2511 | PS | Internet X.509 Certificate Request Message Format |
| RFC2527 | I | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
| RFC2528 | I | Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates |
| RFC2559 | PS | Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 |
| RFC2560 | PS | X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP |
| RFC2585 | PS | Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP |
| RFC2587 | PS | Internet X.509 Public Key Infrastructure LDAPv2 Schema |
| RFC2797 | PS | Certificate Management Messages over CMS |
| RFC2875 | PS | Diffie-Hellman Proof-of-Possession Algorithms |
| RFC3029 | E | Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols |
| RFC3039 | PS | Internet X.509 Public Key Infrastructure Qualified Certificates Profile |
| RFC3161 | PS | Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) |
| RFC3279 | PS | Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
| RFC3280 | PS | Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
| RFC3281 | PS | An Internet Attribute Certificate Profile for Authorization |
| RFC3379 | I | Delegated Path Validation and Delegated Path Discovery Protocol Requirements |
| RFC3628 | I | Policy Requirements for Time-Stamping Authorities |
| RFC3647 | I | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
| RFC3709 | Standard | Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates |
| RFC3739 | Standard | Internet X.509 Public Key Infrastructure: Qualified Certificates Profile |
| RFC3770 | Standard | Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN |
| RFC3779 | Standard | X.509 Extensions for IP Addresses and AS Identifiers |
| RFC3820 | Standard | Internet X.509 Public Key Infrastructure Proxy Certificate Profile |
| RFC3874 | I | A 224-bit One-way Hash Function: SHA-224 |
PKIX WG Meeting 11/10/04
Edited by Steve Kent
Chairs: Stephen Kent <firstname.lastname@example.org> & Tim Polk <email@example.com>
The PKIX WG met once during the 61st IETF. A total of approximately 55 individuals participated in the meeting.
Document status - Tim Polk (NIST)
One new RFC: SHA-224. Three documents approved by the IESG and now in the RFC Editor's queue: public key algorithms, CMPbis, and Permanent Identifier. The Warranty extension is awaiting AD follow-up. Five documents are under Security AD review (including those awaiting corrections by their authors): AC policies, Certificate Path Building, Certificate Store, PKIX Repository, and CRMFbis. In WG last call: SCVP. Almost ready for WG last call: SIM, the various LDAP documents, and Elliptic Curve algorithms. See slides for additional details.
SCVP (version 16) - Trevor Freeman (Microsoft)
Many changes have been made since v15; most were editorial, but there were also many substantive changes and some new features. Another revision of the document will be needed. Once the functionality is agreed, we need to ensure that the ASN.1 is correct, so it will be compiled to verify it. The presentation reviewed the changes and new features (relative to v15). See slides for additional details.
3280bis - Tim Polk (NIST)
The co-chairs have selected a lead editor for RFC 3280bis and formed a design team to develop a -00 draft from an issues list compiled from PKIX mail messages and mail to the RFC 3280 editors. Draft -00 is expected late in 2004. See slides for additional details.
Using AIA in CRLs - Stefan Santesson (Microsoft)
A new PKIX document proposes extending the use of the AIA certificate extension to CRLs, to facilitate locating the certificate of the signer of a CRL. This is a simple, new use of an existing (certificate) extension, with straightforward semantics. Examples were presented showing how this new capability accommodates CA rekey and indirect CRL situations. This solution is preferable to the use of SIA, since SIA would work for only a subset of the cases presented, and because inserting AIA in CRLs is easier than inserting SIA in certificates, given the relative frequency with which each is issued. See slides for additional details.
CRL Processing Rules Issues - Santosh Chokhani (Orion)
This presentation reviewed issues in CRL processing when different keys are used for signing certificates and for signing the CRLs that revoke those certificates. This is allowed in X.509 and RFC 3280 for various purposes, e.g., indirect CRLs and CA key rollover. However, these standards do not address the details of how to ensure that the right public key is used to verify CRL signatures in these cases. Problems may also arise from conflicts in CA names (assigned under different administrative entities). Finally, some problems may also arise when OCSP is used (in lieu of CRLs), and the presentation proposes means to address these problems as well. Russ notes that for this and for Stefan's presentation, a critical feature is that the SAME trust anchor must be used to verify the target certificates and the certificates of the corresponding CRL signers. See slides for additional details.
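As an added example (not part of these minutes or of any PKIX document), a small Python model of the two points raised in the AIA-in-CRLs and CRL processing presentations: a relying party locates the CRL signer's certificate through an AIA pointer carried in the CRL, checks that it holds the key the CRL's AKI names, and accepts the CRL only if that signer chains to the same trust anchor as the target certificate. All names, key identifiers and repository URLs are constructed; the CA key rollover and the CA name collision are modelled deliberately.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    key_id: str           # SubjectKeyIdentifier
    issuer_key_id: str    # AuthorityKeyIdentifier (None for a self-signed anchor)
    is_anchor: bool = False

@dataclass
class Crl:
    issuer: str
    issuer_key_id: str    # AKI: names the key that signed the CRL
    aia_ca_issuers: str   # proposed AIA-in-CRL pointer to the signer's certificate

# Constructed PKI: two CAs that share the name "CN=Example CA" but hang off
# different trust anchors, plus a rollover of the first CA's key.
ROOT_A = Cert("CN=Root A", "CN=Root A", "ra", None, is_anchor=True)
ROOT_B = Cert("CN=Root B", "CN=Root B", "rb", None, is_anchor=True)
CA_A_OLD = Cert("CN=Example CA", "CN=Root A", "ca-old", "ra")
CA_A_NEW = Cert("CN=Example CA", "CN=Root A", "ca-new", "ra")   # CA key rollover
CA_B = Cert("CN=Example CA", "CN=Root B", "cb", "rb")           # name collision
EE = Cert("CN=alice", "CN=Example CA", "ee", "ca-old")          # target certificate
STORE = {c.key_id: c for c in (ROOT_A, ROOT_B, CA_A_OLD, CA_A_NEW, CA_B)}
# Constructed repository, indexed by the AIA URLs a CRL would carry.
REPO = {"http://pki.example/ca-new.cer": CA_A_NEW, "http://pki.example/cb.cer": CA_B}

def anchor_of(cert):
    """Follow AKI links up to the self-signed trust anchor; None if unreachable."""
    seen = set()
    while not cert.is_anchor:
        if cert.issuer_key_id in seen or cert.issuer_key_id not in STORE:
            return None       # loop or dangling chain: no anchor reachable
        seen.add(cert.issuer_key_id)
        cert = STORE[cert.issuer_key_id]
    return cert.key_id

def crl_acceptable(target, crl):
    """Locate the CRL signer via AIA and require the same trust anchor as target."""
    signer = REPO.get(crl.aia_ca_issuers)
    if signer is None or signer.subject != crl.issuer:
        return False          # AIA did not lead to a certificate naming the CRL issuer
    if signer.key_id != crl.issuer_key_id:
        return False          # the located certificate does not hold the CRL signing key
    anchor = anchor_of(target)
    return anchor is not None and anchor == anchor_of(signer)
```

The same-name CA under Root B is rejected even though its certificate is locatable and its key matches the CRL, because it does not chain to the anchor that validated the target certificate.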
LDAP Schemas - David Chadwick (Univ. of Salford)
PKIX has a suite of LDAP-PKIX drafts forming a comprehensive solution for LDAP-based PKI information distribution. There has been no significant change since the last meeting, just minor updates, so the versions posted last week should now be ready for last call, which will be issued by mid-November. The goal is to issue these as Informational RFCs. In parallel, we will pass these I-Ds to the LDAP folks for review. See slides for additional details.
LDAP PKIX Schema Issues - Kurt Zeilenga (OpenLDAP Project)
This presentation provided a brief status update on draft-zeilenga-ldap-x509. The author is preparing a revision to provide missing informative appendices and hopes that this revision will be found suitable for progression.
Lightweight OCSP - Ryan Hurst (Microsoft)
This presentation discussed a new document (not a PKIX work item) that describes how to use OCSP in "response pre-production" environments. The document also includes a profile for OCSP clients and servers, and proposes some new extensions to improve functionality. The initial intent was to make this an Informational RFC, but the authors are reconsidering its status, perhaps aiming for a standards-track document as an individual submission. See slides for additional details.
Algorithm IDs for ECC in PKIX - Tim Polk presented for Daniel Brown (Certicom)
There have been changes since the previous version, for better alignment with NIST algorithm publications. The document also provides information for other EC curves, not just the NIST ones. Russ suggested editing this document to address only NIST-approved curves, and using a separate document for other curves and for MQV (e.g., vs. EC-DSA and EC-RSA). An issue arose as to whether we need a means of restricting use of a key to a SET of EC algorithms, vs. an individual (EC) algorithm. Russ advises that this is NOT a good idea, given experience with RSA keys. See slides for additional details.
User Interface Requirements for PKIX - Baehyo Park (KISA)
This presentation described a personal draft, not a PKIX work item. It is a follow-up to the presentation on draft -00 at IETF-60. The speaker used his laptop to demonstrate the GUI he proposes, through a scripted scenario.