Public-Key Infrastructure (X.509) (pkix)
----------------------------------------

 Charter
 Last Modified: 2006-03-29

 Current Status: Active Working Group

 Chair(s):
     Stephen Kent  <kent@bbn.com>
     Stefan Santesson  <stefans@microsoft.com>

 Security Area Director(s):
     Russ Housley  <housley@vigilsec.com>
     Sam Hartman  <hartmans-ietf@mit.edu>

 Security Area Advisor:
     Russ Housley  <housley@vigilsec.com>

 Mailing Lists: 
     General Discussion: ietf-pkix@imc.org
     To Subscribe:       ietf-pkix-request@imc.org
         In Body:        subscribe
     Archive:            http://www.imc.org/ietf-pkix

Description of Working Group:

The PKIX Working Group was established in the Fall of 1995 with the
intent of developing Internet standards needed to support an
X.509-based PKI. The scope of PKIX work has expanded beyond this
initial goal. PKIX not only profiles ITU PKI standards, but also
develops new standards apropos to the use of X.509-based PKIs in the
Internet.

PKIX has produced several informational and standards track documents
in support of the original and revised scope of the WG. The first of
these standards, RFC 2459, profiled X.509 version 3 certificates and
version 2 CRLs for use in the Internet. Profiles for the use of
Attribute Certificates (RFC XXXX [pending]), LDAP v2 for certificate
and CRL storage (RFC 2587), the Internet X.509 Public Key
Infrastructure Qualified Certificates Profile (RFC 3039), and the
Internet X.509 Public Key Infrastructure Certificate Policy and
certification Practices Framework (RFC 2527 - Informational) are in
line with the initial scope.

The Certificate Management Protocol (CMP) (RFC 2510), the Online
Certificate Status Protocol (OCSP) (RFC 2560), the Certificate Request
Message Format (CRMF) (RFC 2511), the Internet X.509 Public Key
Infrastructure Time Stamp Protocol (TSP) (RFC 3161), Certificate
Management Messages over CMS (CMC) (RFC 2797), and the use of FTP and
HTTP for transport of PKI operations (RFC 2585) are representative of
the expanded scope of PKIX, as these are new protocols developed in the
working group, not profiles of ITU PKI standards.

A roadmap, providing a guide to the growing set of PKIX documents, has
also been developed as an informational RFC.
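The certificate and CRL profile named above (RFC 2459, revised as RFC 3280) is what a relying party applies when it parses an X.509 v3 certificate, builds and validates a certification path, and consults a v2 CRL. The following Go program is an added example and is not part of this charter or of any PKIX document: it issues a self-signed CA certificate, an end-entity certificate carrying a subjectAltName, and a CRL that revokes that certificate, then validates the path and checks revocation status. The CA name, the host name server.example.test and the serial number 4242 are constructed for the example. It uses only Go's standard crypto/x509 package; ParseRevocationList and CheckSignatureFrom require Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds a constructed example PKI: a self-signed CA, one end-entity
// certificate issued by it, and a CRL signed by the CA. The names and serial
// numbers used here are assumptions for this example, not real identities.
type DemoPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}

const leafSerial = 4242 // constructed serial for the end-entity certificate

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildDemoPKI issues the CA certificate, the end-entity certificate, and a
// CRL that lists the end-entity serial as revoked.
func BuildDemoPKI(now time.Time) (*DemoPKI, error) {
	caKey, err := newKey()
	if err != nil {
		return nil, err
	}
	// v3 CA certificate: basicConstraints and keyUsage extensions mark it as a
	// CA permitted to sign both certificates and CRLs (RFC 3280 section 4.2.1).
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	// v3 end-entity certificate: subjectAltName carries the DNS name that a
	// TLS client will match against; extendedKeyUsage restricts it to server use.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(leafSerial),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}

	// v2 CRL: carries a crlNumber extension, a validity window, and one
	// revoked entry; it is signed by the CA key with the crlSign usage.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(leafSerial), RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{CA: ca, Leaf: leaf, CRL: crl}, nil
}

// ValidatePath builds and validates a certification path from the leaf to
// the trusted CA for the given host name. It does not consult the CRL.
func ValidatePath(p *DemoPKI, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// IsRevoked verifies the CRL signature against the issuer, rejects a CRL that
// is not current, and only then looks the serial number up in the list.
func IsRevoked(p *DemoPKI, serial *big.Int, now time.Time) (bool, error) {
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil {
		return false, err
	}
	if now.Before(p.CRL.ThisUpdate) || now.After(p.CRL.NextUpdate) {
		return false, fmt.Errorf("CRL is not current (thisUpdate %v, nextUpdate %v)",
			p.CRL.ThisUpdate, p.CRL.NextUpdate)
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	p, err := BuildDemoPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("path valid for server.example.test:", ValidatePath(p, "server.example.test", now) == nil)
	revoked, err := IsRevoked(p, p.Leaf.SerialNumber, now)
	fmt.Println("leaf revoked:", revoked, "err:", err)
}
```

Certificate.Verify performs path validation only (signature chain, validity period, name matching, basicConstraints and key usage); revocation status is a separate step, which is why IsRevoked checks the CRL's signature and its thisUpdate/nextUpdate window before consulting it. A stale CRL is reported as an error rather than silently treated as "nothing revoked", since that failure mode is exactly what an attacker holding a revoked key would hope for.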

Ongoing PKIX Work items

An ongoing PKIX task is the progression of existing, standards track
RFCs from PROPOSED to DRAFT. Also, to the extent that PKIX work
relates to protocols from other areas, e.g., LDAP, it is necessary to
track the evolution of the other protocols and produce updated
RFCs. For example, the LDAP v2 documents from PKIX are evolving to
address LDAP v3. Finally, since the profiling of X.509 standards for
use in the Internet remains a major focus, the WG will continue to
track the evolution of these standards and incorporate changes and
additions as appropriate.

New Work items for PKIX

- production of a requirements RFC for delegated path discovery and
  path validation protocols (DPD/DPV) and subsequent production of
  RFCs for protocols that satisfy the requirements

- development of a logotype extension for certificates 

- development of a proxy certificate extension and associated
  processing rules

- development of an informational document on PKI disaster recovery

These work items may become standards track, INFORMATIONAL or
EXPERIMENTAL RFCs, or may not even be published as RFCs.

Other deliverables may be agreed upon as extensions are proposed.
New deliverables must be approved by the Security Area Directors
before inclusion on the charter or IETF meeting agendas.

 Goals and Milestones:

   Done         Complete approval of CMC, and qualified certificates documents 

   Done         Complete time stamping document 

   Done         Continue attribute certificate profile work 

   Done         Complete data certification document 

   Done         Complete work on attribute certificate profile 

   Done         Standard RFCs for public key and attribute certificate 
                profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, 
                LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP 

   Done         INFORMATIONAL RFCs for X.509 PKI policies and practices, use of 
                KEA 

   Done         Experimental RFC for Data Validation and Certification Server 
                Protocols 

   Done         Production of revised certificate and CRL syntax and processing 
                RFC (son-of-2459) 

   Done         DPD/DPV Requirements RFC 

   Done         Certificate Policy & CPS Informational RFC (revision) 

   Done         Logotype Extension RFC 

   Done         Proxy Certificate RFC 

   Done         Cert Path Building approved as Informational RFC 

   Done         CRMFbis approved as PROPOSED Standard RFC 

   Done         CMPbis approved as PROPOSED Standard RFC 

   Done         Principal Identifier approved as PROPOSED Standard RFC 

   Done         Warranty Extensions approved as Informational RFC 

   Done         Certificate Store approved as Informational RFC 

   Sep 2005       OCSPv2 Extensions approved as PROPOSED Standard RFC 

   Dec 2005       PKIX Repository approved as Informational RFC 

   Jan 2006       Progression of CRMF, CMP, and CMP Transport to DRAFT Standard 

   Jan 2006       Progression of SCVP to Draft Standard 

   Jan 2006       Subject Identification Method as Informational RFC 

   Mar 2006       Progression of Time Stamp Protocols RFC to DRAFT Standard 

   Apr 2006       Progression of Qualified Certificates Profile RFC to DRAFT 
                Standard 

   Apr 2006       Progression of Certificate & CRL Profile RFC to DRAFT Standard 

   Apr 2006       Progression of Logotype RFC to DRAFT Standard 

   Apr 2006       Progression of Proxy Certificate RFC to DRAFT Standard 

   Apr 2006       Progression of Attribute Certificate Profile RFC to DRAFT 
                standard 

   Apr 2006       SCVP approved as PROPOSED Standard RFC 

   Apr 2006       ECC Algorithms approved as PROPOSED Standard RFC 

   Aug 2006       Progression of CMC RFCs to DRAFT Standard 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jun 1999 Jun 2006   <draft-ietf-pkix-scvp-27.txt>
                Server-based Certificate Validation Protocol (SCVP) 

Mar 2001 Mar 2006   <draft-ietf-pkix-2797-bis-04.txt>
                Certificate Management Messages over CMS 

Jul 2001 May 2006   <draft-ietf-pkix-cmc-trans-05.txt>
                Certificate Management over CMS (CMC) Transport Protocols 

Jul 2001 Mar 2006   <draft-ietf-pkix-cmc-compl-03.txt>
                CMC Compliance Document 

Nov 2002 Jul 2006   <draft-ietf-pkix-sim-08.txt>
                Internet X.509 Public Key Infrastructure Subject Identification 
                Method (SIM) 

Aug 2004 Jan 2006   <draft-ietf-pkix-ecc-pkalgs-02.txt>
                Additional Algorithms and Identifiers for use of Elliptic Curve 
                Cryptography with PKIX 

Oct 2004 May 2006   <draft-ietf-pkix-lightweight-ocsp-profile-05.txt>
                Lightweight OCSP Profile for High Volume Environments 

Apr 2005 Jun 2006   <draft-ietf-pkix-rfc3280bis-04.txt>
                Internet X.509 Public Key Infrastructure Certificate and 
                Certificate Revocation List (CRL) Profile 

Sep 2005 Jun 2006   <draft-ietf-pkix-srvsan-02.txt>
                Internet X.509 Public Key Infrastructure Subject Alternative 
                Name for expression of service name 

Feb 2006 Apr 2006   <draft-ietf-pkix-cert-utf8-03.txt>
                Update to DirectoryString Processing in the Internet X.509 
                Public Key Infrastructure Certificate and Certificate 
                Revocation List (CRL) Profile 

Jun 2006 Jun 2006   <draft-ietf-pkix-sha2-dsa-ecdsa-00.txt>
                Internet X.509 Public Key Infrastructure: Additional Algorithms 
                and Identifiers for DSA and ECDSA 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC2459 PS   Jan 1999    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC2510 PS   Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC2511 PS   Mar 1999    Internet X.509 Certificate Request Message Format 

RFC2527 I    Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC2528 I    Mar 1999    Internet X.509 Public Key Infrastructure Representation 
                       of Key Exchange Algorithm (KEA) Keys in Internet X.509 
                       Public Key Infrastructure Certificates 

RFC2559 PS   Apr 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols - LDAPv2 

RFC2585 PS   May 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: FTP and HTTP 

RFC2587 PS   Jun 1999    Internet X.509 Public Key Infrastructure LDAPv2 Schema 

RFC2560 PS   Jun 1999    X.509 Internet Public Key Infrastructure Online 
                       Certificate Status Protocol - OCSP 

RFC2797 PS   May 2000    Certificate Management Messages over CMS 

RFC2875 PS   Jul 2000    Diffie-Hellman Proof-of-Possession Algorithms 

RFC3039 PS   Jan 2001    Internet X.509 Public Key Infrastructure Qualified 
                       Certificates Profile 

RFC3029 E    Feb 2001    Internet X.509 Public Key Infrastructure Data Validation 
                       and Certification Server Protocols 

RFC3161 PS   Aug 2001    Internet X.509 Public Key Infrastructure Time Stamp 
                       Protocols (TSP) 

RFC3279 PS   May 2002    Algorithms and Identifiers for the Internet X.509 Public 
                       Key Infrastructure Certificate and CRL Profile 

RFC3280 PS   May 2002    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC3281 PS   May 2002    An Internet Attribute Certificate Profile for 
                       Authorization 

RFC3379 I    Sep 2002    Delegated Path Validation and Delegated Path Discovery 
                       Protocol Requirements 

RFC3647 I    Nov 2003    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC3628 I    Nov 2003    Policy Requirements for Time-Stamping Authorities 

RFC3709 PS   Feb 2004    Internet X.509 Public Key Infrastructure: Logotypes in 
                       X.509 certificates 

RFC3739 PS   Mar 2004    Internet X.509 Public Key Infrastructure: Qualified 
                       Certificates Profile 

RFC3770 PS   May 2004    Certificate Extensions and Attributes Supporting 
                       Authentication in PPP and Wireless LAN 

RFC3779 PS   Jun 2004    X.509 Extensions for IP Addresses and AS Identifiers 

RFC3820 PS   Jul 2004    Internet X.509 Public Key Infrastructure Proxy 
                       Certificate Profile 

RFC3874 I    Sep 2004    A 224-bit One-way Hash Function: SHA-224 

RFC4059 I    May 2005    Internet X.509 Public Key Infrastructure Warranty 
                       Certificate Extension 

RFC4043 PS   May 2005    Internet X.509 Public Key Infrastructure Permanent 
                       Identifier 

RFC4055 PS   Jun 2005    Additional Algorithms and Identifiers for RSA 
                       Cryptography for use in the Internet X.509 Public Key 
                       Infrastructure Certificate and Certificate Revocation 
                       List (CRL) Profile 

RFC4158 I    Sep 2005    Internet X.509 Public Key Infrastructure: Certification 
                       Path Building 

RFC4210 PS   Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC4211 PS   Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Request Message Format (CRMF) 

RFC4325 PS   Dec 2005    Internet X.509 Public Key Infrastructure Authority 
                       Information Access Certificate Revocation List (CRL) 
                       Extension 

RFC4334 PS   Feb 2006    Certificate Extensions and Attributes Supporting 
                       Authentication in Point-to-Point Protocol (PPP) and 
                       Wireless Local Area Networks (WLAN) 

RFC4386 E    Feb 2006    Internet X.509 Public Key Infrastructure Repository 
                       Locator Service 

RFC4387 PS   Feb 2006    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: Certificate Store Access via HTTP 

RFC4476 PS   May 2006    Attribute Certificate (AC) Policies Extension 

RFC4491 PS   May 2006    Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 
                       34.11-94 algorithms with the Internet X.509 Public Key 
                       Infrastructure Certificate and CRL Profile.