RFC 2510: Internet X.509 Public Key Infrastructure ...

Internet X.509 Public Key Infrastructure Certificate Management Protocols


1. PKI Management Overview
1.1. PKI Management Model
1.2. Definitions of PKI Entities
1.2.1. Subjects and End Entities
1.2.2. Certification Authority
1.2.3. Registration Authority
1.3. PKI Management Requirements
2. Assumptions and restrictions
2.1. End entity initialization
2.2. Initial registration/certification
2.2.1. Criteria used
2.2.1.1. Initiation of registration / certification
2.2.1.2. End entity message origin authentication
2.2.1.3. Location of key generation
2.2.1.4. Confirmation of successful certification
2.2.2. Mandatory schemes
2.2.2.1. Centralized scheme
2.2.2.2. Basic authenticated scheme
2.3. Proof of Possession (POP) of Private Key
2.3.1. Signature Keys
2.3.2. Encryption Keys
2.3.3. Key Agreement Keys
2.4. Root CA key update
2.4.1. CA Operator actions
2.4.2. Verifying Certificates.
2.4.2.1. Verification in cases 1, 4, 5 and 8.
2.4.2.2. Verification in case 2.
2.4.2.3. Verification in case 3.
2.4.2.4. Failure of verification in case 6.
2.4.2.5. Failure of verification in case 7.
2.4.3. Revocation - Change of CA key
3. Data Structures
3.1. Overall PKI Message
3.1.1. PKI Message Header
3.1.2. PKI Message Body
3.1.3. PKI Message Protection
3.2. Common Data Structures
3.2.1. Requested Certificate Contents
3.2.2. Encrypted Values
3.2.3. Status codes and Failure Information for PKI messages
3.2.4. Certificate Identification
3.2.5. "Out-of-band" root CA public key
3.2.6. Archive Options
3.2.7. Publication Information
3.2.8. Proof-of-Possession Structures
3.3. Operation-Specific Data Structures
3.3.1. Initialization Request
3.3.2. Initialization Response
3.3.3. Registration/Certification Request
3.3.4. Registration/Certification Response
3.3.5. Key update request content
3.3.6. Key Update response content
3.3.7. Key Recovery Request content
3.3.8. Key recovery response content
3.3.9. Revocation Request Content
3.3.10. Revocation Response Content
3.3.11. Cross certification request content
3.3.12. Cross certification response content
3.3.13. CA Key Update Announcement content
3.3.14. Certificate Announcement
3.3.15. Revocation Announcement
3.3.16. CRL Announcement
3.3.17. PKI Confirmation content
3.3.18. PKI General Message content
3.3.19. PKI General Response content
3.3.20. Error Message content
4. Mandatory PKI Management functions
4.1. Root CA initialization
4.2. Root CA key update
4.3. Subordinate CA initialization
4.4. CRL production
4.5. PKI information request
4.6. Cross certification
4.6.1. One-way request-response scheme:
4.7. End entity initialization
4.7.1. Acquisition of PKI information
4.7.2. Out-of-Band Verification of Root-CA Key
4.8. Certificate Request
4.9. Key Update
5. Transports
5.1. File based protocol
5.2. Direct TCP-Based Management Protocol
5.3. Management Protocol via E-mail
5.4. Management Protocol via HTTP
6. SECURITY CONSIDERATIONS
7. References
8. Acknowledgements
9. Authors' Addresses
10. APPENDIX A: Reasons for the presence of RAs
11. Appendix B. PKI Management Message Profiles.
11.1. B1. General Rules for interpretation of these profiles.
11.2. B2. Algorithm Use Profile
11.3. B3. "Self-signed" certificates
11.4. B4. Proof of Possession Profile
11.5. B5. Root CA Key Update
11.6. B6. PKI Information request/response
11.7. B7. Cross certification request/response (1-way)
11.8. B8. Initial Registration/Certification (Basic Authenticated Scheme)
11.9. B9. Certificate Request
11.10. B10. Key Update Request
12. Appendix C: "Compilable" ASN.1 Module using 1988 Syntax
13. Appendix D: Registration of MIME Type for Section 5
14. Full Copyright Statement
