Public-Key Infrastructure (X.509) (pkix) ---------------------------------------- Charter Last Modified: 2007-04-02 Current Status: Active Working Group Chair(s): Stephen Kent Stefan Santesson Security Area Director(s): Tim Polk Sam Hartman Security Area Advisor: Tim Polk Mailing Lists: General Discussion:ietf-pkix@imc.org To Subscribe: ietf-pkix-request@imc.org In Body: subscribe (In Body) Archive: http://www.imc.org/ietf-pkix Description of Working Group: The PKIX Working Group was established in the Fall of 1995 with the intent of developing Internet standards needed to support an X.509-based PKI. The scope of PKIX work has expanded beyond this initial goal. PKIX not only profiles ITU PKI standards, but also develops new standards apropos to the use of X.509-based PKIs in the Internet. PKIX has produced several informational and standards track documents in support of the original and revised scope of the WG. The first of these standards, RFC 2459, profiled X.509 version 3 certificates and version 2 CRLs for use in the Internet. Profiles for the use of Attribute Certificates (RFC XXXX [pending]), LDAP v2 for certificate and CRL storage (RFC 2587), the Internet X.509 Public Key Infrastructure Qualified Certificates Profile (RFC 3039), and the Internet X.509 Public Key Infrastructure Certificate Policy and certification Practices Framework (RFC 2527 - Informational) are in line with the initial scope. The Certificate Management Protocol (CMP) (RFC 2510), the Online Certificate Status Protocol (OCSP) (RFC 2560), Certificate Management Request Format (CRMF) (RFC 2511), Time-Stamp Protocol (RFC 3161), Certificate Management Messages over CMS (RFC 2797), Internet X.509 Public Key Infrastructure Time Stamp Protocols (RFC 3161), and the use of FTP and HTTP for transport of PKI operations (RFC 2585) are representative of the expanded scope of PKIX, as these are new protocols developed in the working group, not profiles of ITU PKI standards. A roadmap, providing a guide to the growing set of PKIX document, also has been developed as an informational RFC. Ongoing PKIX Work items An ongoing PKIX task is the progression of existing, standards track RFCs from PROPOSED to DRAFT. Also, to the extent that PKIX work relates to protocols from other areas, e.g., LDAP, it is necessary to track the evolution of the other protocols and produce updated RFCs. For example, the LDAP v2 documents from PKIX are evolving to address LDAP v3. Finally, since the profiling of X.509 standards for use in the Internet remains a major focus, the WG will continue to track the evolution of these standards and incorporate changes and additions as appropriate. New Work items for PKIX - production of a requirements RFC for delegated path discovery and path validation protocols (DPD/DPV) and subsequent production of RFCs for protocols that satisfy the requirements - development of a logotype extension for certificates - development of a proxy certificate extension and associated processing rules - development of an informational document on PKI disaster recovery These work items may become standards track, INFORMATIONAL or EXPERIMENTAL RFCs, or may not even be published as RFCs. Other deliverables may be agreed upon as extensions are proposed. New deliverables must be approved by the Security Area Directors before inclusion on the charter or IETF meeting agendas. Goals and Milestones: Done Complete approval of CMC, and qualified certificates documents Done Complete time stamping document Done Continue attribute certificate profile work Done Complete data certification document Done Complete work on attribute certificate profile Done Standard RFCs for public key and attribute certificate profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP Done INFORMATIONAL RFCs for X.509 PKI policies and practices, use of KEA Done Experimental RFC for Data Validation and Certification Server Protocols Done Production of revised certificate and CRL syntax and processing RFC (son-of-2459) Done DPD/DVP Requirements RFC Done Certificate Policy & CPS Informational RFC (revision) Done Logotype Extension RFC Done Proxy Certificate RFC Done Cert Path Building approved as Informational RFC Done CRMFbis approved as PROPOSED Standard RFC Done CMPbis approved as PROPOSED Standard RFC Done Principal Identifier approved as PROPOSED Standard RFC Done Warranty Extensions approved as Informational RFC Done Certificate Store approved as Informational RFC Done PKIX Repository approved as Informational RFC Done Subject Identification Method as Informational RFC Done GOST Cryptographic Algorithms (RFC 4491) Done Update to DirectoryString Processing for RFC 3280 Done Attribute Certificate Policies approved as PROPOSED Standard (RFC 4476) Jul 2007 Update to CMC approved as PROPOSED Standard Sep 2007 Progression of CRMF, CMP, and CMP Transport to DRAFT Standard Sep 2007 Progression of Qualified Certificates Profile RFC to DRAFT Standard Sep 2007 Progression of Certificate & CRL Profile RFC to DRAFT Standard Sep 2007 Progression of Time Stamp Protocols RFC to DRAFT Standard Sep 2007 Progression of Logotype RFC to DRAFT Standard Nov 2007 Progression of Proxy Certificate RFC to DRAFT Standard Nov 2007 Progression of Attribute Certificate Profile RFC to DRAFT standard Nov 2007 ECC Algorithms approved as PROPOSED Standard RFC Mar 2008 Progression of CMC RFCs to DRAFT Standard Mar 2008 SCVP approved as PROPOSED Standard RFC Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jun 1999 Sep 2007 Server-based Certificate Validation Protocol (SCVP) Mar 2001 Mar 2006 Certificate Management Messages over CMS Jul 2001 May 2006 Certificate Management over CMS (CMC) Transport Protocols Jul 2001 Mar 2006 CMC Complience Document Oct 2004 Jun 2007 Lightweight OCSP Profile for High Volume Environments Apr 2005 Feb 2007 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile Jun 2006 Jul 2007 Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA Request For Comments: RFC Stat Published Title ------- -- ----------- ------------------------------------ RFC2459 PS Jan 1999 Internet X.509 Public Key Infrastructure Certificate and CRL Profile RFC2510 PS Mar 1999 Internet X.509 Public Key Infrastructure Certificate Management Protocols RFC2511 PS Mar 1999 Internet X.509 Certificate Request Message Format RFC2527 I Mar 1999 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework RFC2528 I Mar 1999 Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates RFC2559 PS Apr 1999 Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 RFC2585 PS May 1999 Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP RFC2587 PS Jun 1999 Internet X.509 Public Key Infrastructure LDAPv2 Schema RFC2560 PS Jun 1999 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP RFC2797 PS May 2000 Certificate Management Messages over CMS RFC2875 PS Jul 2000 Diffie-Hellman Proof-of-Possession Algorithms RFC3039 PS Jan 2001 Internet X.509 Public Key Infrastructure Qualified Certificates Profile RFC3029 E Feb 2001 Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols RFC3161 PS Aug 2001 Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) RFC3279 PS May 2002 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRI Profile RFC3280 PS May 2002 Internet X.509 Public Key Infrastructure Certificate and CRL Profile RFC3281 PS May 2002 An Internet Attribute Certificate Profile for Authorization RFC3379 I Sep 2002 Delegated Path Validation and Delegated Path Discovery Protocol Requirements RFC3628 I Nov 2003 Policy Requirements for Time-Stamping Authorities RFC3647 I Nov 2003 Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework RFC3709Standard Feb 2004 Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates RFC3739Standard Mar 2004 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile RFC3770Standard May 2004 Certificate Extensions and Attributes Supporting Authentication in PPP and Wireless LAN RFC3779Standard Jun 2004 X.509 Extensions for IP Addresses and AS Identifiers RFC3820Standard Jul 2004 Internet X.509 Public Key Infrastructure Proxy Certificate Profile RFC3874 I Sep 2004 A 224-bit One-way Hash Function: SHA-224 RFC4059 I May 2005 Internet X.509 Public Key Infrastructure Warranty Certificate Extension RFC4043Standard May 2005 Internet X.509 Public Key Infrastructure Permanent Identifier RFC4055Standard Jun 2005 Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile RFC4158 I Sep 2005 Internet X.509 Public Key Infrastructure: Certification Path Building RFC4210Standard Oct 2005 Internet X.509 Public Key Infrastructure Certificate Management Protocols RFC4211Standard Oct 2005 Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) RFC4325Standard Dec 2005 Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension RFC4334Standard Feb 2006 Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) RFC4386 E Feb 2006 Internet X.509 Public Key Infrastructure Repository Locator Service RFC4387Standard Feb 2006 Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP RFC4476 PS May 2006 Attribute Certificate (AC) Policies Extension RFC4491 PS May 2006 Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC4630 PS Aug 2006 Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile RFC4683 PS Oct 2006 Internet X.509 Public Key Infrastructure Subject Identification Method (SIM) RFC4985 PS Aug 2007 Internet X.509 Public Key Infrastructure Subject Alternative Name for expression of service name