draft-ietf-pkix-opp-ftp-http-03

PKIX Working Group R. Housley
Internet Draft SPYRUS
expires in six months April 1998


 Internet X.509 Public Key Infrastructure

 Operational Protocols: FTP and HTTP

 <draft-ietf-pkix-opp-ftp-http-03.txt>


Status of this Memo

 This document is an Internet-Draft. Internet-Drafts are working
 documents of the Internet Engineering Task Force (IETF), its areas,
 and its working groups. Note that other groups may also distribute
 working documents as Internet-Drafts.

 Internet-Drafts are draft documents valid for a maximum of six months
 and may be updated, replaced, or obsoleted by other documents at any
 time. It is inappropriate to use Internet- Drafts as reference
 material or to cite them other than as "work in progress."

 To view the entire list of current Internet-Drafts, please check
 the "1id-abstracts.txt" listing contained in the Internet-Drafts
 Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
 (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
 (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
 (US West Coast).


Abstract

 The protocol conventions described in this document satisfy some of
 the operational requirements of the Internet Public Key
 Infrastructure (PKI). This document specifies the conventions for
 using the File Transfer Protocol (FTP) and the Hypertext Transfer
 Protocol (HTTP) to obtain certificates and certificate revocation
 lists (CRLs) from PKI repositories. Additional mechanisms addressing
 PKIX operational requirements are specified in separate documents.

 Please send comments on this document to the ietf-pkix@tandem.com
 mail list.








Housley [Page 1]


INTERNET DRAFT April 1998


1 Introduction

 This specification is part of a multi-part standard for the Internet
 Public Key Infrastructure (PKI) using X.509 certificates and
 certificate revocation lists (CRLs). This document specifies the
 conventions for using the File Transfer Protocol (FTP) and the
 Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs
 from PKI repositories. Additional mechanisms addressing PKI
 repository access are specified in separate documents.

1.1 Model

 Following is a simplified view of the architectural model assumed by
 the Internet PKI specifications.

 +---+
 | C | +------------+
 | e | <-------------------->| End entity |
 | r | Operational +------------+
 | t | transactions ^
 | | and management | Management
 | / | transactions | transactions
 | | | PKI users
 | C | v
 | R | -------------------+--+-----------+-----------------
  | L | ^ ^
 | | | | PKI management
 | | v | entities
 | R | +------+ |
 | e | <---------------------| RA | <---+ |
 | p | Publish certificate +------+ | |
 | o | | |
 | s | | |
 | I | v v
 | t | +------------+
 | o | <------------------------------| CA |
 | r | Publish certificate +------------+
 | y | Publish CRL ^
 | | |
 +---+ Management |
 transactions |
 v
 +------+
 | CA |
 +------+

 Figure 1 - Internet PKI Entities




Housley [Page 2]


INTERNET DRAFT April 1998


 The components in this model are:

 End Entity: user of PKI certificates and/or end user system that
 is the subject of a certificate;

 CA: certification authority;

 RA: registration authority, i.e., an optional system to
 which a CA delegates certain management functions;

 Repository: a system or collection of distributed systems that
 store certificates and CRLs and serves as a means of
 distributing these certificates and CRLs to end
 entities.

1.2 Certificate and CRL Repository

 Some CAs mandate the use of on-line validation services, while others
 distribute CRLs to allow certificate users to perform certificate
 validation themselves. In general, CAs make CRLs available to
 certificate users by publishing them in the Directory. The Directory
 is also the normal distribution mechanism for certificates. However,
 Directory Services are not available in many parts of the Internet
 today. The File Transfer Protocol (FTP) defined in RFC 959 and the
 Hypertext Transfer Protocol (HTTP) defined in RFC 2068 offer
 alternate methods for certificate and CRL distribution.

 End entities and CAs may retrieve certificates and CRLs from the
 repository using FTP or HTTP. End entities may publish their own
 certificate in the repository using FTP or HTTP, and RAs and CAs may
 publish certificates and CRLs in the repository using FTP or HTTP.

2 FTP Conventions

 Within certificate extensions and CRL extensions, the URI form of
 GeneralName is used to specify the location where issuer certificates
 and CRLs may be obtained. For instance, a URI identifying the
 subject of a certificate may be carried in subjectAltName certificate
  extension. An IA5String describes the use of anonymous FTP to fetch
 certificate or CRL information. For example:

 ftp://ftp.netcom.com/sp/spyrus/housley.cer
 ftp://ftp.your.org/pki/id48.cer
 ftp://ftp.your.org/pki/id48.no42.crl

 Internet users may publish the URI reference to a file that contains
 their certificate on their business card. This practice is useful
 when there is no Directory entry for that user. FTP is widely



Housley [Page 3]


INTERNET DRAFT April 1998


 deployed, and anonymous FTP are accommodated by many firewalls.
 Thus, FTP is an attractive alternative to Directory access protocols
 for certificate and CRL distribution. While this service satisfies
 the requirement to retrieve information related to a certificate
 which is already identified by a URI, it is not intended to satisfy
 the more general problem of finding a certificate for a user about
 whom some other information, such as their electronic mail address or
 corporate affiliation, is known.

 For convenience, the names of files that contain certificates should
 have a suffix of ".cer". Each ".cer" file contains exactly one
 certificate, encoded in DER format. Likewise, the names of files
 that contain CRLs should have a suffix of ".crl". Each ".crl" file
 contains exactly one CRL, encoded in DER format.

3 HTTP Conventions

 Within certificate extensions and CRL extensions, the URI form of
 GeneralName is used to specify the location where issuer certificates
 and CRLs may be obtained. For instance, a URI identifying the
 subject of a certificate may be carried in subjectAltName certificate
 extension. An IA5String describes the use of HTTP to fetch
 certificate or CRL information. For example:

 http://www.netcom.com/sp/spyrus/housley.cer
 http://www.your.org/pki/id48.cer
 http://www.your.org/pki/id48.no42.crl

 Internet users may publish the URI reference to a file that contains
 their certificate on their business card. This practice is useful
 when there is no Directory entry for that user. HTTP is widely
 deployed, and HTTP is accommodated by many firewalls. Thus, HTTP is
 an attractive alternative to Directory access protocols for
 certificate and CRL distribution. While this service satisfies the
 requirement to retrieve information related to a certificate which is
 already identified by a URI, it is not intended to satisfy the more
 general problem of finding a certificate for a user about whom some
 other information, such as their electronic mail address or corporate
 affiliation, is known.

 For convenience, the names of files that contain certificates should
 have a suffix of ".cer". Each ".cer" file contains exactly one
 certificate, encoded in DER format. Likewise, the names of files
 that contain CRLs should have a suffix of ".crl". Each ".crl" file
 contains exactly one CRL, encoded in DER format.






Housley [Page 4]


INTERNET DRAFT April 1998


 Two MIME types are defined to support the transfer of certificates
 and CRLs. They are:

 application/pkix-cert[; version=1]
 application/pkix-crl[; version=1]

References

 [RFC 959] J. Postel and J. Reynolds, "File Transfer Protocol (FTP),"
 RFC 959, October 1985.

 [RFC 1738] T. Berners-Lee, L. Masinter, and M. McCahill, "Uniform
 Resource Locators (URL)," December 1994.

 [RFC 2068] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, and
 T. Berners-Lee; "Hypertext Transfer Protocol -- HTTP/1.1,"
 RFC 2068, January 1997.

Security Considerations

 Since certificates and CRLs are digitally signed, no additional
 integrity service is necessary. Neither certificates nor CRLs need
 be kept secret, and anonymous access to certificates and CRLs is
 generally acceptable. So, no privacy service is necessary.

 Operators of FTP sites and World Wide Web servers should authenticate
 end entities who publish certificates as well as CAs and RAs who
 publish certificates and CRLs. However, authentication is not
 necessary to retrieve certificates and CRLs.

Author Address

 Russell Housley
 SPYRUS
 381 Elden Street
 Suite 1120
 Herndon, VA 20170
 USA
 housley@spyrus.com












Housley [Page 5]

Document	Document type	This is an older version of an Internet-Draft that was ultimately published as RFC 2585. Expired & archived
	Select version	00 01 02 03 04 RFC 2585
	Compare versions
	Author
	RFC stream
	Other formats	txt pdf bibtex bibxml
	Additional resources	Mailing list discussion