Public-Key Infrastructure (X.509) (pkix)

Last modified: 2013-10-31

Chairs

Security Area Directors

Security Area Advisor

Mailing Lists:

General Discussion: pkix@ietf.org
To Subscribe: pkix-request@ietf.org
Archive: http://www.ietf.org/mail-archive/web/pkix/

Description of Working Group:

The PKIX Working Group was established in the fall of 1995 with the goal of developing Internet standards to support X.509-based Public Key Infrastructures (PKIs). Initially PKIX pursued this goal by profiling X.509 standards developed by the CCITT (later the ITU-T). Later, PKIX initiated the development of standards that are not profiles of ITU-T work, but rather are independent initiatives designed to address X.509-based PKI needs in the Internet. Over time this latter category of work has become the major focus of PKIX work, i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509 documents.

PKIX has produced a number of standards track and informational RFCs. RFC 3280 (Certificate and CRL Profile) and RFC 3281 (Attribute Certificate Profile) are recent examples of standards track RFCs that profile ITU-T documents. RFC 2560 (Online Certificate Status Profile), RFC 3779 (IP Address and AS Number Extensions), and RFC 3161 (Time Stamp Authority) are examples of standards track RFCs that are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples of informational RFCs that describe how to use public key and hash algorithms in PKIs.

PKIX Work Plan

PKIX will continue to track the evolution of ITU-T X.509 documents, and will maintain compatibility between these documents and IETF PKI standards, since the profiling of X.509 standards for use in the Internet remains an important topic for the working group.

PKIX does not endorse the use of specific cryptographic algorithms with its protocols. However, PKIX does publish standards track RFCs that describe how to identify algorithms and represent associated parameters in these protocols, and how to use these algorithms with these protocols. We anticipate efforts in this arena will continue to be required over time.

PKIX will pursue new work items in the PKI arena if working group members express sufficient interest, and if approved by the cognizant Security Area director. For example, certificate validation under X.509 and PKIX standards calls for a relying party to use a trust anchor as the start of a certificate path. Neither X.509 nor extant PKIX standards define protocols for the management of trust anchors. Existing mechanisms for managing trust anchors, e.g., in browsers, are limited in functionality and non-standard. There is considerable interest in the PKI community in defining a standard model for trust anchor management, and standard protocols to allow remote management. Thus a future work item for PKIX is the definition of such protocols and associated data models.

Goals and Milestones

Done      Complete approval of CMC, and qualified certificates documents
Done      Complete time stamping document
Done      Continue attribute certificate profile work
Done      Complete data certification document
Done      Complete work on attribute certificate profile
Done      Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
Done      INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
Done      Experimental RFC for Data Validation and Certification Server Protocols
Done      Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
Done      DPD/DVP Requirements RFC
Done      Certificate Policy & CPS Informational RFC (revision)
Done      Logotype Extension RFC
Done      Proxy Certificate RFC
Done      Cert Path Building approved as Informational RFC
Done      CRMFbis approved as PROPOSED Standard RFC
Done      CMPbis approved as PROPOSED Standard RFC
Done      Principal Identifier approved as PROPOSED Standard RFC
Done      Warranty Extensions approved as Informational RFC
Done      Certificate Store approved as Informational RFC
Done      PKIX Repository approved as Informational RFC
Done      Subject Identification Method as Informational RFC
Done      GOST Cryptographic Algorithms (RFC 4491)
Done      Update to DirectoryString Processing for RFC 3280
Done      Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476)
Sep 2007  Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
Sep 2007  Progression of Qualified Certificates Profile RFC to DRAFT Standard
Sep 2007  Progression of Certificate & CRL Profile RFC to DRAFT Standard
Sep 2007  Progression of Time Stamp Protocols RFC to DRAFT Standard
Sep 2007  Progression of Logotype RFC to DRAFT Standard
Nov 2007  Progression of Proxy Certificate RFC to DRAFT Standard
Nov 2007  Progression of Attribute Certificate Profile RFC to DRAFT standard
Feb 2008  Update to CMC approved as PROPOSED Standard
Mar 2008  ECC Algorithms approved as PROPOSED Standard RFC
Mar 2008  Progression of CMC RFCs to DRAFT Standard
Mar 2008  SCVP approved as PROPOSED Standard RFC

No Internet-Drafts

Request for Comments
