draft-ietf-pkix-roadmap-09.txt

PKIX的RFC英文文档

PKIX Working Group                                         A. Arsenault 
Internet Draft                                               Diversinet 
Document: draft-ietf-pkix-roadmap-09.txt                      S. Turner 
Expires: January, 2003                                             IECA 
                                                              July 2002 
 
 
           Internet X.509 Public Key Infrastructure: Roadmap 
 
 
Status of this Memo 
    
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of [RFC2026]. 
    
   This document is an Internet-Draft. Internet-Drafts are working 
   documents of the Internet Engineering Task Force (IETF), its areas, 
   and its working groups. Note that other groups may also distribute 
   working documents as Internet-Drafts.  
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 
   at any time. It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress." 
    
   The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt  
    
   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html. 
    
   This draft is being discussed on the 'ietf-pkix' mailing list. To 
   subscribe, send a message to ietf-pkix-request@imc.org with the 
   single word subscribe in the body of the message. There is a Web 
   site for the mailing list at <http://www.imc.org/ietf-pkix/>. 
    
    
Abstract 
    
   This document provides an overview or "roadmap" of the work done by 
   the IETF PKIX working group. It describes some of the terminology 
   used in the working group's documents, and the theory behind an 
   X.509-based Public Key Infrastructure, Privilege Management 
   Infrastructure (PMI), and Time Stamping and Data Certification 
   Infrastructures. It identifies each document developed by the PKIX 
   working group, and describes the relationships among the various 
   documents. It also provides advice to would-be PKIX implementors 
   about some of the issues discussed at length during PKIX development, 
   in hopes of making it easier to build implementations that will 
   actually interoperate. 
    
    
  
 
Arsenault, Turner                                                    1 
 
Internet-Draft                PKIX Roadmap                  July 2002 

   1 INTRODUCTION.....................................................3 
   1.1 THIS DOCUMENT..................................................3 
   1.2 TERMINOLOGY....................................................3 
   1.3 HISTORY........................................................5 
   2 PKI..............................................................8 
   2.1 THEORY.........................................................8 
   2.2 ARCHITECTURE MODEL.............................................9 
   2.3 PUBLIC KEY CERTIFICATES.......................................11 
   2.4 FUNCTIONS OF A PKI............................................11 
   2.4.1 REGISTRATION................................................11 
   2.4.2 INITIALIZATION..............................................12 
   2.4.3 CERTIFICATION...............................................12 
   2.4.4 KEY PAIR RECOVERY...........................................12 
   2.4.5 KEY GENERATION..............................................12 
   2.4.6 KEY UPDATE..................................................13 
   2.4.6.1 KEY EXPIRY................................................13 
   2.4.6.2 KEY COMPROMISE............................................13 
   2.4.7 CROSS-CERTIFICATION.........................................14 
   2.4.8 REVOCATION..................................................14 
   2.4.9 CERTIFICATE & REVOCATION NOTICE DISTRIBUTION & PUBLICATION..15 
   3 PMI.............................................................16 
   3.1 THEORY........................................................16 
   3.2 ARCHITECTURAL MODEL...........................................16 
   3.3 ATTRIBUTE CERTIFICATES........................................17 
   4 PKIX DOCUMENTS..................................................18 
   4.1 PROFILES......................................................18 
   4.2 OPERATIONAL PROTOCOLS.........................................22 
   4.3 MANAGEMENT PROTOCOLS..........................................25 
   4.4 POLICY OUTLINE................................................28 
   4.4 TIME STAMPING AND DATA CERTIFICATION..........................28 
   4.5 EXPIRED DRAFTS................................................32 
   5 IMPLEMENTATION ADVICE...........................................36 
   5.1 NAMES.........................................................36 
   5.1.1 NAME FORMS..................................................36 
   5.1.1.1 DISTINGUISHED NAMES.......................................36 
   5.1.1.2 SUBJECTALTNAME FORMS......................................37 
   5.1.1.2.1 INTERNET E-MAIL ADDRESSES...............................37 
   5.1.1.2.2 DNS NAMES...............................................38 
   5.1.1.2.4 URIS....................................................38 
   5.1.2 SCOPE OF NAMES..............................................38 
   5.1.3 CERTIFICATE PATH CONSTRUCTION...............................39 
   5.1.4 NAME CONSTRAINTS............................................40 
   5.1.4.1 RFC822NAMES...............................................41 
   5.1.4.2 DNSNAMES..................................................41 
   5.1.4.3 X.400 ADDRESSES...........................................42 
   5.1.4.5 DNS.......................................................42 
   5.1.4.6 URIS......................................................42 
   5.1.4.7 IPADDRESSES...............................................43 
   5.1.4.8 OTHERS....................................................43 
   5.1.5 WILDCARDS IN NAME FORMS.....................................43 
   5.1.6 NAME ENCODING...............................................44 
   5.2 POP...........................................................44 
   5.2.1 POP FOR SIGNING KEYS........................................44 
 
Arsenault, Turner                                                    2 
 
Internet-Draft                PKIX Roadmap                  July 2002 

   5.2.2 POP FOR KEY MANAGEMENT KEYS.................................45 
   5.3 KEY USAGE BITS................................................47 
   5.4 NON-REPUDIATION...............................................48 
   5.5 TRUST MODELS..................................................49 
   5.5.1 HIERARCHICAL................................................49 
   5.5.2 LOCAL/FEDERATION............................................49 
   5.5.3 ROOT REPOSITORY.............................................50 
   5.5.4 RP'S PERSPECTIVE............................................50 
   6 REFERENCES......................................................50 
   7 SECURITY CONSIDERATIONS.........................................54 
   8 ACKNOWLEDGEMENTS................................................55 
   9 AUTHOR'S ADDRESSES..............................................55 
    
    
1 Introduction 
    
1.1 This Document 
    
   This document is an informational Internet-Draft that provides a 
   "roadmap" to the documents produced by the PKIX working group. It is 
   intended to provide information; there are no requirements or 
   specifications in this document. 
    
   Section 1.2 of this document defines key terms used in this document. 
   Section 1.3 covers some of the basic history behind the PKIX working 
   group. Section 2 covers Public Key Infrastructure (PKI) theory and 
   functions. Section 3 covers Privilege Management Infrastructure (PMI) 
   theory and functions. Section 4 provides an overview of the various 
   PKIX documents. It identifies which documents address which areas, 
   and describes the relationships among the various documents. Section 
   5 contains "Advice to implementors." Its primary purpose is to 
   capture some of the major issues discussed by the PKIX working group, 
   as a way of explaining why some of the requirements and 
   specifications say what they say. This explaination should cut down 
   on the number of misinterpretations of the documents, and help 
   developers build interoperable implementations. Section 6 contains a 
   list of contributors we wish to thank. Section 7 provides a list 
   references. Section 8 discusses security considerations, and Section 
   9 provides contact information for the editors. 
    
    
1.2 Terminology 
    
   There are a number of terms used and misused throughout PKI-related, 
   PMI-related, and Time Stamp and Data Certification literature. To 
   limit confusion caused by some of those terms, used throughout this 
   document, we will use the following terms in the following ways: 
    
     - Attribute Authority (AA) - An authority trusted by one or more 
       users to create and sign attribute certificates. It is important 
       to note that the AA is responsible for the attribute 
       certificates during their whole lifetime, not just for issuing 
       them. 
 
Arsenault, Turner                                                    3 
 
Internet-Draft                PKIX Roadmap                  July 2002 

      
     - Attribute Certificate (AC) - A data structure containing a set of 
       attributes for an end-entity and some other information, which 
       is digitally signed with the private key of the AA which issued 
       it. 
      
     - Certificate - Can refer to either an AC or a public key 
       certificate. Where there is no distinction made the context 
       should be assumed that the term could apply to both an AC or a 
       public key certificate. 
      
     - Certification Authority (CA) - An authority trusted by one or 
       more users to create and assign public key certificates. 
       Optionally the CA may create the user's keys. It is important to 
       note that the CA is responsible for the public key certificates 
       during their whole lifetime, not just for issuing them. 
      
     - Certificate Policy (CP) - A named set of rules that indicates the 
       applicability of a public key certificate to a particular 
       community or class of application with common security 
       requirements. For example, a particular certificate policy might 
       indicate applicability of a type of public key certificate to 
       the authentication of electronic data interchange transactions 
       for the trading of goods within a given price range. 
      
     - Certification Practice Statement (CPS) - A statement of the 
       practices which a CA employs in issuing public key certificates. 
      
     - End-entity - A subject of a certificate who is not a CA in the 
       PKI or an AA in the PMI. (An EE from the PKI can be an AA in the 
       PMI.) 
      
     - Public Key Certificate (PKC) - A data structure containing the 
       public key of an end-entity and some other information, which is 
       digitally signed with the private key of the CA which issued it. 
      
     - Public Key Infrastructure (PKI) - The set of hardware, software, 
       people, policies and procedures needed to create, manage, store, 
       distribute, and revoke PKCs based on public-key cryptography. 
      
     - Privilege Management Infrastructure (PMI) - A collection of ACs, 
       with their issuing AA's, subjects, relying parties, and 
       repositories, is referred to as a Privilege Management 
       Infrastructure. 
      
     - Registration Authority (RA) - An optional entity given 
       responsibility for performing some of the administrative tasks 
       necessary in the registration of subjects, such as: confirming 
       the subject's identity; validating that the subject is entitled 
       to have the values requested in a PKC; and verifying that the 
       subject has possession of the private key associated with the 
       public key requested for a PKC. 
      
 
Arsenault, Turner                                                    4 
 
Internet-Draft                PKIX Roadmap                  July 2002 

     - Relying party - A user or agent (e.g., a client or server) who 
       relies on the data in a certificate in making decisions. 
      
     - Root CA - A CA that is directly trusted by an EE; that is, 
       securely acquiring the value of a Root CA public key requires 
       some out-of-band step(s). This term is not meant to imply that a 
       Root CA is necessarily at the top of any hierarchy, simply that 
       the CA in question is trusted directly. Note that the term 
       'trust anchor' is commonly used with the same meaning as 'root 
       CA' in this document. 
      
     - Subordinate CA - A "subordinate CA" is one that is not a Root CA 
       for the EE in question. Often, a subordinate CA will not be a 
       Root CA for any entity but this is not mandatory. 
      
     - Subject - A subject is the entity (AA, CA, or EE) named in a 
       certificate, either a PKC or AC. Subjects can be human users, 
       computers (as represented by Domain Name Service (DNS) names or 
       Internet Protocol (IP) addresses), or even software agents. 
      
     - Time Stamp Authority (TSA) - A TSA is a trusted Third Party who 
       provides a "proof-of-existence" for a particular datum prior to 
       an instant in time.