Public-Key Infrastructure (X.509) (pkix)
----------------------------------------
Charter
Last Modified: 2009-09-09
Current Status: Active Working Group
Chair(s):
Stephen Kent <[email protected]>
Stefan Santesson <[email protected]>
Security Area Director(s):
Sean Turner <[email protected]>
Tim Polk <[email protected]>
Security Area Advisor:
Tim Polk <[email protected]>
Mailing Lists:
General Discussion:
[email protected]
To Subscribe:
[email protected]
In Body: subscribe
Archive:
http://www.ietf.org/mail-archive/web/pkix/current/maillist.html
Description of Working Group:
The PKIX Working Group was established in the fall of 1995 with the
goal of developing Internet standards to support X.509-based Public
Key Infrastructures (PKIs). Initially PKIX pursued this goal by
profiling X.509 standards developed by the CCITT (later the ITU-T).
Later, PKIX initiated the development of standards that are not
profiles of ITU-T work, but rather are independent initiatives
designed to address X.509-based PKI needs in the Internet. Over time
this latter category of work has become the major focus of PKIX work,
i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509
documents.
PKIX has produced a number of standards track and informational RFCs.
RFC 3280 (Certificate and CRL Profile) and RFC 3281 (Attribute
Certificate Profile) are recent examples of standards track RFCs that
profile ITU-T documents. RFC 2560 (Online Certificate Status
Protocol), RFC 3779 (IP Address and AS Number Extensions), and RFC
3161 (Time Stamp Authority) are examples of standards track RFCs that
are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples
of informational RFCs that describe how to use public key and hash
algorithms in PKIs.
PKIX Work Plan
PKIX will continue to track the evolution of ITU-T X.509 documents,
and will maintain compatibility between these documents and IETF PKI
standards, since the profiling of X.509 standards for use in the
Internet remains an important topic for the working group.
PKIX does not endorse the use of specific cryptographic algorithms
with its protocols. However, PKIX does publish standards track RFCs
that describe how to identify algorithms and represent associated
parameters in these protocols, and how to use these algorithms with
these protocols. We anticipate efforts in this arena will continue to
be required over time.
PKIX will pursue new work items in the PKI arena if working group
members express sufficient interest, and if approved by the cognizant
Security Area director. For example, certificate validation under
X.509 and PKIX standards calls for a relying party to use a trust
anchor as the start of a certificate path. Neither X.509 nor extant
PKIX standards define protocols for the management of trust anchors.
Existing mechanisms for managing trust anchors, e.g., in browsers,
are limited in functionality and non-standard. There is considerable
interest in the PKI community to define a standard model for trust
anchor management, and standard protocols to allow remote management.
Thus a future work item for PKIX is the definition of such protocols
and associated data models.
Goals and Milestones:
Done Complete approval of CMC, and qualified certificates documents
Done Complete time stamping document
Done Continue attribute certificate profile work
Done Complete data certification document
Done Complete work on attribute certificate profile
Done Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP
Done INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA
Done Experimental RFC for Data Validation and Certification Server Protocols
Done Production of revised certificate and CRL syntax and processing RFC (son-of-2459)
Done DPD/DVP Requirements RFC
Done Certificate Policy & CPS Informational RFC (revision)
Done Logotype Extension RFC
Done Proxy Certificate RFC
Done Cert Path Building approved as Informational RFC
Done CRMFbis approved as PROPOSED Standard RFC
Done CMPbis approved as PROPOSED Standard RFC
Done Principal Identifier approved as PROPOSED Standard RFC
Done Warranty Extensions approved as Informational RFC
Done Certificate Store approved as Informational RFC
Done PKIX Repository approved as Informational RFC
Done Subject Identification Method as Informational RFC
Done GOST Cryptographic Algorithms (RFC 4491)
Done Update to DirectoryString Processing for RFC 3280
Done Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476)
Sep 2007 Progression of CRMF, CMP, and CMP Transport to DRAFT Standard
Sep 2007 Progression of Qualified Certificates Profile RFC to DRAFT Standard
Sep 2007 Progression of Certificate & CRL Profile RFC to DRAFT Standard
Sep 2007 Progression of Time Stamp Protocols RFC to DRAFT Standard
Sep 2007 Progression of Logotype RFC to DRAFT Standard
Nov 2007 Progression of Proxy Certificate RFC to DRAFT Standard
Nov 2007 Progression of Attribute Certificate Profile RFC to DRAFT Standard
Feb 2008 Update to CMC approved as PROPOSED Standard
Mar 2008 ECC Algorithms approved as PROPOSED Standard RFC
Mar 2008 Progression of CMC RFCs to DRAFT Standard
Mar 2008 SCVP approved as PROPOSED Standard RFC
Internet-Drafts:
Posted   Revised  I-D Title <Filename>
------   -------  --------------------------------------------
Jun 2000 Jul 2010 Internet X.509 Public Key Infrastructure -- Transport Protocols for CMP <draft-ietf-pkix-cmp-transport-protocols-09.txt>
Jun 2008 Mar 2010 Trust Anchor Management Requirements <draft-ietf-pkix-ta-mgmt-reqs-05.txt>
Oct 2008 Apr 2010 Trust Anchor Management Protocol (TAMP) <draft-ietf-pkix-tamp-08.txt>
Mar 2009 Mar 2010 OCSP Algorithm Agility <draft-ietf-pkix-ocspagility-08.txt>
May 2009 Mar 2010 Internet X.509 Public Key Infrastructure - Certificate Image <draft-ietf-pkix-certimage-08.txt>
May 2009 May 2010 ASN.1 Translation <draft-ietf-pkix-asn1-translation-02.txt>
Feb 2010 Mar 2010 Syntaxes for Unambiguous Identification of Certificates and Public Keys <draft-ietf-pkix-certid-keyid-01.txt>
Mar 2010 Mar 2010 Certificate Management over CMS (CMC) Updates <draft-ietf-pkix-rfc5272-bis-00.txt>
Apr 2010 Apr 2010 Clarifications to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile <draft-ietf-pkix-rfc5280-clarifications-00.txt>
Request For Comments:
RFC      Stat      Published  Title
-------  --------  ---------  ------------------------------------
RFC2459  PS        Jan 1999   Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC2510  PS        Mar 1999   Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC2511  PS        Mar 1999   Internet X.509 Certificate Request Message Format
RFC2527  I         Mar 1999   Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC2528  I         Mar 1999   Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
RFC2559  PS        Apr 1999   Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
RFC2585  PS        May 1999   Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
RFC2587  PS        Jun 1999   Internet X.509 Public Key Infrastructure LDAPv2 Schema
RFC2560  PS        Jun 1999   X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
RFC2797  PS        May 2000   Certificate Management Messages over CMS
RFC2875  PS        Jul 2000   Diffie-Hellman Proof-of-Possession Algorithms
RFC3039  PS        Jan 2001   Internet X.509 Public Key Infrastructure Qualified Certificates Profile
RFC3029  E         Feb 2001   Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols
RFC3161  PS        Aug 2001   Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP)
RFC3281  PS        May 2002   An Internet Attribute Certificate Profile for Authorization
RFC3280  PS        May 2002   Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC3279  PS        May 2002   Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC3379  I         Sep 2002   Delegated Path Validation and Delegated Path Discovery Protocol Requirements
RFC3628  I         Nov 2003   Policy Requirements for Time-Stamping Authorities
RFC3647  I         Nov 2003   Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC3709  Standard  Feb 2004   Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates
RFC3739  Standard  Mar 2004   Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
RFC3770  Standard  May 2004   Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN
RFC3779  Standard  Jun 2004   X.509 Extensions for IP Addresses and AS Identifiers
RFC3820  Standard  Jul 2004   Internet X.509 Public Key Infrastructure Proxy Certificate Profile
RFC3874  I         Sep 2004   A 224-bit One-way Hash Function: SHA-224
RFC4059  I         May 2005   Internet X.509 Public Key Infrastructure Warranty Certificate Extension
RFC4043  Standard  May 2005   Internet X.509 Public Key Infrastructure Permanent Identifier
RFC4055  Standard  Jun 2005   Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC4158  I         Sep 2005   Internet X.509 Public Key Infrastructure: Certification Path Building
RFC4210  Standard  Oct 2005   Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC4211  Standard  Oct 2005   Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
RFC4325  Standard  Dec 2005   Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
RFC4334  Standard  Feb 2006   Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC4386  E         Feb 2006   Internet X.509 Public Key Infrastructure Repository Locator Service
RFC4387  Standard  Feb 2006   Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
RFC4476  PS        May 2006   Attribute Certificate (AC) Policies Extension
RFC4491  PS        May 2006   Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
RFC4630  PS        Aug 2006   Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC4683  PS        Oct 2006   Internet X.509 Public Key Infrastructure Subject Identification Method (SIM)
RFC4985  PS        Aug 2007   Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name
RFC5019  PS        Sep 2007   The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC5055  PS        Dec 2007   Server-based Certificate Validation Protocol (SCVP)
RFC5280  Standard  May 2008   Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC5272  PS        Jun 2008   Certificate Management Messages over CMS
RFC5273  PS        Jun 2008   Certificate Management over CMS (CMC): Transport Protocols
RFC5274  PS        Jun 2008   Certificate Management Messages over CMS (CMC): Compliance Requirements
RFC5480  PS        Mar 2009   Elliptic Curve Cryptography Subject Public Key Information
RFC5636  E         Aug 2009   Traceable Anonymous Certificate
RFC5697  E         Nov 2009   Other Certificates Extension
RFC5758  PS        Jan 2010   Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
RFC5756  PS        Jan 2010   Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
RFC5755  PS        Jan 2010   An Internet Attribute Certificate Profile for Authorization
RFC5816  PS        Apr 2010   ESSCertIDv2 Update for RFC 3161
RFC5877  I         May 2010   The application/pkix-attr-cert Media Type for Attribute Certificates
RFC5912  I         Jun 2010   New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
RFC5913  PS        Jun 2010   Clearance Attribute and Authority Clearance Constraints Certificate Extension
RFC5914  PS        Jun 2010   Trust Anchor Format