fpki.htm

The Open–source PKI Book Version 2.4.6 Edition Copyright &copy 1999, 2000 by Symeon (Simos) Xenite

<HTML
><HEAD
><TITLE
>The NIST Public Key Infrastructure Program</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.55"><LINK
REL="HOME"
TITLE="The Open&#8211;source PKI Book"
HREF="ospki-book.htm"><LINK
REL="UP"
TITLE="PKI standards and specifications"
HREF="standards-specifications.htm"><LINK
REL="PREVIOUS"
TITLE="Architecture for Public-Key Infrastructure (APKI)"
HREF="apki-standard.htm"><LINK
REL="NEXT"
TITLE="Internet X.509 Public Key Infrastructure (PKIX)"
HREF="pkix.htm"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Open&#8211;source PKI Book: A guide to PKIs and Open&#8211;source Implementations</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="apki-standard.htm"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. PKI standards and specifications</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="pkix.htm"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="FPKI"
>The NIST Public Key Infrastructure Program</A
></H1
><P
>  The National Institute of Standards and Technology (NIST), part of
  the U.S. Department of Commerce, is developing specifications for Public Key Infrastructures
  for the internal use of the U.S. government electronic infrastructure.
  These efforts do not aim to duplicate existing work of PKI vendors, rather
  than to ease the integration of the use of public-key technology from
  possibly inoperable implementations.   
  </P
><P
>  This work is being developed with the help of industry partners, 
  using agreements called CRADAs (Cooperative Research and Development
  Agreements) in the sense that companies and the government work
  together to specify the PKI products to be produced that the latter
  will buy as a consumer. In this sense, since the U.S. government is
  a big buyer, one can expect that the work of the NIST somehow specifies 
  the future of the PKI products that will be used worldwide.
  </P
><P
>  Among the publicly available documents is the MISPC specification 
  that provides a basis for interoperation between
  PKI components from different vendors. Vendor willing to get contracts
  for U.S. Federal agencies should be able to provide compatible
  PKI components. Possible open-source PKI implementations would
  obviously need to comply with those specifications.
  The MISPC specification is the basis for the NIST reference implementation,
  also described in <A
HREF="impl-mispc.htm"
>the section called <I
>MISPC Reference Implementation</I
> in Chapter 7</A
>. It is available as
  <A
HREF="http://csrc.nist.gov/pki/documents/mispcv1.ps"
TARGET="_top"
>NIST Special
  Publication 800-15</A
> from the NIST WWW site.
  </P
><P
>  Another interesting document is the 
  <A
HREF="http://csrc.nist.gov/pki/twg/baseline/pkicon20b.PDF"
TARGET="_top"
>  Proposed Federal PKI Concept of Operation</A
>.
  </P
><P
>  Among the highlights of the above document is the clear description of
  available PKI types. The PKI that the browsers implement is described
  as the <I
CLASS="EMPHASIS"
>trust-list</I
> PKI. This is a somehow flat
  type of PKI in the sense that there is only one level of trust.
  The other two types are the hierarchical and the network (or mesh)
  PKIs. The former is the typical X.500 PKI while the latter is the
  mesh type with no single root. One can find analogies of the hierarchical
  PKI with the structure of the Domain Name Service. The network PKI
  is like the interconnection of the routers on the Internet.
  </P
><P
>  Another important issue is the same document, is the use the Bridge Certification Authority
  concept, a CA that bridges different trust domains. This bridging
  is established upon agreement of the interested parties and its purpose 
  is to limit the propagation of unnecessary trust.
  </P
><P
>  A pilot program is planned to test the bridge CA concept. From the
  information provided at the <A
HREF="http://csrc.nist.gov/pki/rootca/"
TARGET="_top"
>  NIST PKI Root CA Testbed</A
> page, the Bridge CA will be implemented
  by the NIST and commercial CAs will be tested by being bridged by
  this Bridge CA. The plan is to have twelve CAs and 4 X.509 Directory
  servers operational. Information to be sought from this pilot operation
  has to do with performance and scalability. Finally, the X.509 
  certification path building and validation will be tested.
  </P
><P
>  The author of these documents (either main author or in co-operation) is
  <A
HREF="mailto:william.burr@nist.gov"
TARGET="_top"
>William E. Burr</A
>.
  </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="apki-standard.htm"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ospki-book.htm"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="pkix.htm"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Architecture for Public-Key Infrastructure (<SPAN
CLASS="ACRONYM"
>APKI</SPAN
>)</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="standards-specifications.htm"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Internet X.509 Public Key Infrastructure (PKIX)</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>