Multiple Public-Key Algorithm X.509 Certificates

Document Type: Expired Internet-Draft (individual)
Authors: Alexander Truskovsky, Daniel Van Geest, Scott Fluhrer, Panos Kampanakis, Mike Ounsworth, Serge Mister
Last updated: 2019-03-02 (latest revision 2018-08-29)
Stream: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes a method of embedding alternative sets of cryptographic materials into X.509v3 digital certificates, X.509v2 Certificate Revocation Lists (CRLs), and PKCS #10 Certificate Signing Requests (CSRs). The embedded alternative cryptographic materials allow a Public Key Infrastructure (PKI) to use multiple cryptographic algorithms in a single object, and allow it to transition to the new cryptographic algorithms while maintaining backwards compatibility with systems using the existing algorithms. Three X.509 extensions and three PKCS #10 attributes are defined, and the signing and verification procedures for the alternative cryptographic material contained in the extensions and attributes are detailed.

