draft-ietf-pkix-roadmap-09.txt
same flexibility makes it extremely difficult to produce independent implementations that will actually interoperate with one another. In order to build an Internet PKI based on X.509 v3 PKCs, the PKIX working group had to develop a profile of the X.509 v3 PKC specification. A profile of the X.509 v3 PKC specification is a description of the contents of the PKC and of which extensions must be supported, which extensions may be supported, and which extensions may not be supported.

Arsenault, Turner                                              [Page 18]

Internet-Draft                PKIX Roadmap                     July 2002

The Internet PKI Profile [FORMAT] provides such a profile of the X.509 v3 PKC for the Internet PKI. In addition, the Internet PKI Profile [FORMAT] suggests ranges of values for many of the extensions. The Internet PKI Profile [FORMAT] also provides a profile for Version 2 CRLs for use in the Internet PKI. CRLs, like PKCs, have a number of optional extensions. In order to promote interoperability, it is necessary to constrain the choices an implementor supports.

In addition to profiling the PKC and CRL formats, it is necessary to define particular Object Identifiers (OIDs) for certain cryptographic algorithms, because there are a variety of OIDs registered for some algorithm suites. PKIX has produced two documents ([RPKDS] and [KEA]) which provide guidance on the proper implementation of specific algorithms.

Some countries are in the process of updating their legal frameworks in order to regulate and incorporate recognition of signatures in electronic form. Many of these frameworks introduce certain basic requirements on PKCs, often termed Qualified Certificates, supporting these types of "legal" signatures. Partly as a result of this there is a need for a specific PKC profile providing standardized support for certain related issues, such as a common structure for expressing unambiguous identities of certified subjects (unmistakable identity).
In December 1998, PKIX adopted as a work item the development of a refinement of [RFC2459] that further profiles the PKIX PKC into qualified certificates. This work is reflected in [QC].

Like the X.509 v3 PKC, the AC is also a very complex data structure, consisting of basic information fields, a number of optional extensions, and a virtually unlimited number of attributes. Again, many of the fields, extensions, and attributes can take on a wide range of options, allowing an enormous degree of flexibility. In order to build an Internet PMI based on ACs, the PKIX working group had to develop a profile of the AC. The AC profile is a description of the contents of the AC, the allowed and required extensions, and the applicable attributes. [AC] provides such a profile of the X.509 v2 AC.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459) [FORMAT]

  DESCRIPTION: This document describes the profiles to be used for X.509 v3 PKCs and version 2 CRLs by Internet PKI participants. The profiles include the identification of ISO/IEC/ITU and ANSI extensions which may be useful in the Internet PKI. The profiles are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax used in the ISO/IEC/ITU standards. Would-be PKIX implementors and developers of certificate-using applications should start with the Internet PKI Profile [FORMAT] to ensure that their systems will be able to interoperate with other users of the PKI. The Internet PKI Profile [FORMAT] also includes path validation procedures. The procedures presented are based upon the ISO/IEC/ITU definition, but the presentation assumes one or more self-signed trusted CA PKCs. The procedures are provided as examples only. Implementations are not required to use the procedures provided; they may implement whichever procedures are efficient for their situation.
However, implementations are required to derive the same results as the example procedures.

  STATUS: Proposed Standard.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates (RFC 2528) [KEA]

  DESCRIPTION: This document provides Object Identifiers (OIDs) and other guidance for IPKI users who use the Key Exchange Algorithm (KEA). It profiles the format and semantics of the subjectPublicKeyInfo field and the keyUsage extension in X.509 v3 PKCs containing KEA keys. This document should be used by anyone wishing to support KEA; those who do not support KEA are not required to comply with it.

  STATUS: Informational RFC.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Qualified Certificates (RFC 3039) [QC]

  DESCRIPTION: This document profiles the format of, and defines requirements on the information content of, a specific type of PKC called a Qualified Certificate. A "Qualified Certificate" is a PKC that is issued to a natural person (i.e., a living human being); contains an unmistakable identity based on a real name or a pseudonym of the subject; exclusively indicates non-repudiation as the key usage for the certificate's public key; and meets a number of further requirements.

  STATUS: Proposed Standard.

- DOCUMENT TITLE: An Internet Attribute Certificate Profile for Authorizations <draft-ietf-pkix-ac509prof-09.txt> [AC]

  DESCRIPTION: This document profiles the format of, and defines requirements on, X.509 v2 ACs to support the authorization services required by various Internet protocols (TLS, CMS and the consumers of CMS, etc.). Two profiles are defined: one in support of basic authorizations and one in support of services that can operate via proxy.

  STATUS: Approved as Proposed Standard; in the RFC Editor's queue. Issuance as an RFC is blocked until the normative reference [2459bis] progresses to Proposed Standard as well.
(See below.)

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Certificate and CRL Profile <draft-ietf-pkix-new-part1-12.txt> [2459bis]

  DESCRIPTION: This document is an update of the Internet PKI Profile [FORMAT]. The treatment of path validation is enhanced, and additional specificity is offered for various certificate and CRL extensions. This document omits the encoding and identification of public keys and digital signatures. (See [RPKDS] below.)

  STATUS: Tentatively approved by the IESG.

- DOCUMENT TITLE: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile <draft-ietf-pkix-ipki-pkalgs-05.txt> [RPKDS]

  DESCRIPTION: This document specifies algorithm identifiers and encoding formats for the representation of cryptographic algorithm keys, associated parameters, and digital signatures in Internet PKI X.509 certificates and certificate revocation lists. This draft does not attempt to define the cryptographic algorithms themselves; it instead references other appropriate standards. This draft incorporates information from Section 7 of RFC 2459 and the Internet-Draft "Representation of Elliptic Curve Digital Signature Algorithm (ECDSA) Keys in Internet X.509 Public Key Infrastructure Certificates."

  STATUS: Tentatively approved by the IESG.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Permanent Identifier <draft-ietf-pkix-pi-03.txt> [PI]

  DESCRIPTION: This document defines a new form of name, the permanent identifier, which is a name assigned by an organization, unique within that organization, that singles out a particular entity from all others. The permanent identifier is an optional feature that may be used by a CA to indicate that the certificate relates to the same entity even if the name or the affiliation of that entity has changed. The permanent identifier is important in the context of access control and of non-repudiation.

  STATUS: Under AD review.
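The profile discussion above (which extensions must, may and may not appear, and the Qualified Certificate rule that keyUsage indicates non-repudiation and nothing else) is easiest to make concrete on the wire. What follows is an added example written for this page, not code from the roadmap or from any PKIX RFC: a stdlib-only Python DER encoder and parser for the X.509 v3 Extensions sequence, with the DER strictness checks a conforming implementation needs (minimal length encodings, the BOOLEAN DEFAULT FALSE omitted rather than encoded, zero padding bits in the keyUsage BIT STRING, and no duplicate extension, which RFC 2459 forbids), followed by a check of the Qualified Certificate keyUsage rule. Only the well-known arcs 2.5.29.15 (keyUsage) and 2.5.29.19 (basicConstraints) are used; the sample extensions are constructed here rather than taken from a real certificate, and the function names are the example's own.

```python
# Added example (not from the roadmap or any PKIX RFC): stdlib-only DER
# encode/parse of X.509 v3 Extensions plus the Qualified Certificate keyUsage
# check.  All sample extensions here are constructed, not from a real cert.
KEY_USAGE_OID, BASIC_CONSTRAINTS_OID = "2.5.29.15", "2.5.29.19"
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]  # bit 0 = MSB

def der(tag, body):  # TLV with DER length: short form below 128, else minimal long form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base 128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def encode_key_usage(names):  # KeyUsage ::= BIT STRING; DER: minimal octets, zero padding
    idx = [KEY_USAGE_BITS.index(n) for n in names]
    top = max(idx, default=-1)                    # highest bit index used
    nbytes = (top + 8) // 8
    value = sum(1 << (nbytes * 8 - 1 - i) for i in idx)
    return der(0x03, bytes([nbytes * 8 - 1 - top]) + value.to_bytes(nbytes, "big"))

def encode_extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    flag = der(0x01, b"\xff") if critical else b""  # DER omits DEFAULT values
    return der(0x30, encode_oid(oid) + flag + der(0x04, value))

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, contents, next pos); rejects BER lengths
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n, length = length & 0x7F, int.from_bytes(buf[pos:pos + (length & 0x7F)], "big")
        if n == 0 or length < 0x80 or buf[pos:pos + 1] == b"\x00":
            raise ValueError("non-minimal length (BER, not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_key_usage(body):  # BIT STRING contents -> bit names; DER padding bits must be zero
    unused, bits = body[0], body[1:]
    if unused > 7 or (bits and bits[-1] & ((1 << unused) - 1)) or (not bits and unused):
        raise ValueError("bad padding bits (not DER)")
    return [n for i, n in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]

def parse_extensions(data):  # Extensions ::= SEQUENCE OF Extension; RFC 2459: each OID at most once
    tag, seq, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected one Extensions SEQUENCE")
    exts, pos, seen = [], 0, set()
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        t, oid_body, p = read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("Extension must be SEQUENCE { OID, ... }")
        oid, critical = decode_oid(oid_body), False
        t, body, p = read_tlv(ext, p)
        if t == 0x01:  # critical present: DER requires TRUE, encoded as FF
            if body != b"\xff":
                raise ValueError("critical must be FF; FALSE is DEFAULT, omitted")
            critical, (t, body, p) = True, read_tlv(ext, p)
        if t != 0x04 or p != len(ext) or oid in seen:
            raise ValueError("bad extnValue or duplicate extension " + oid)
        seen.add(oid)
        exts.append({"oid": oid, "critical": critical, "value": body})
    return exts

def qc_key_usage_findings(exts):
    """Roadmap's Qualified Certificate rule: keyUsage = nonRepudiation only.
    Returns findings; an empty list means the rule holds."""
    ku = [e for e in exts if e["oid"] == KEY_USAGE_OID]
    if not ku:
        return ["keyUsage extension absent"]
    tag, body, end = read_tlv(ku[0]["value"], 0)
    if tag != 0x03 or end != len(ku[0]["value"]):
        return ["keyUsage extnValue is not a single BIT STRING"]
    names = decode_key_usage(body)
    return [] if names == ["nonRepudiation"] else [
        "keyUsage is %s; expected nonRepudiation only" % (names or "empty")]

def build_sample(key_usage_names, critical=True):  # constructed: keyUsage + end-entity basicConstraints
    return der(0x30, encode_extension(KEY_USAGE_OID, encode_key_usage(key_usage_names), critical)
               + encode_extension(BASIC_CONSTRAINTS_OID, der(0x30, b""), True))
```

Running parse_extensions(build_sample(["nonRepudiation"])) yields two extensions, keyUsage first with its extnValue 03 02 06 40 (one content octet, six padding bits, only bit 1 set), and qc_key_usage_findings returns an empty list; a sample built with ["digitalSignature", "keyEncipherment"] is parsed just as happily but fails the QC rule. Feeding the parser a BER-style long-form length for a value below 128, a BOOLEAN encoded as 01 01 00, a BIT STRING with a non-zero padding bit, or the same extnID twice raises ValueError, which is the behaviour a profile-conforming implementation wants rather than silent acceptance of alternate encodings.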
- DOCUMENT TITLE: Supplemental Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile <draft-ietf-pkix-pkalgs-supp-01.txt> [SUPPALGS]

  DESCRIPTION: This document supplements [RPKDS], specifying algorithm identifiers and encoding formats for the representation of emerging cryptographic algorithms and associated keys. The document encompasses lattice-based public key algorithms as well as digital signatures using larger hash algorithms (e.g., SHA-256).

  STATUS: Under WG review.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Logotypes in X.509 Certificates <draft-ietf-pkix-logotypes-02.txt> [LOGO]

  DESCRIPTION: This document specifies a certificate extension for including logotypes in public key certificates and attribute certificates.

  STATUS: Under WG review.

- DOCUMENT TITLE: X.509 Extensions for IP Addresses and AS Identifiers <draft-ietf-pkix-x509-ipaddr-as-extn-00.txt> [IPEXT]

  DESCRIPTION: This document specifies certificate extensions that bind IP address blocks and Autonomous System (AS) identifiers to the subject of a certificate.

  STATUS: Under WG review.

- DOCUMENT TITLE: Warranty Certificate Extension <draft-ietf-pkix-warranty-extn-00.txt> [WARR]

  DESCRIPTION: This document describes a certificate extension to explicitly state the warranty offered by a Certification Authority (CA) for the certificate containing the extension.

  STATUS: Under WG review.

4.2 Operational Protocols

Operational protocols are required to deliver certificates and CRLs (or other certificate status information) to certificate-using systems. Provision is needed for a variety of different means of certificate and CRL delivery, including distribution procedures based on DNS, LDAP, HTTP, FTP, and X.500. A limited protocol to support AC retrieval has also been documented.
- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 (RFC 2559) [PKI-LDAPv2]

  DESCRIPTION: This document describes the use of LDAPv2 as a protocol for PKI elements to publish and retrieve certificates and CRLs from a repository. LDAPv2 [LDAPv2] is a general directory protocol that allows publishing and retrieving of information.

  STATUS: Proposed Standard.

- DOCUMENT TITLE: Internet X.509 Public Key Infrastructure LDAPv2 Schema (RFC 2587) [SCHEMA]

  DESCRIPTION: This document defines the minimal schema necessary to support the use of LDAPv2 for PKC and CRL retrieval and related functions for PKIX. This document supplements [PKI-LDAPv2] by identifying the PKIX-related attributes that must be present.

  STATUS: Proposed Standard.

- DOCUMENT TITLE: X