Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
RFC 1422

Document Type RFC - Historic (February 1993; No errata)
Obsoletes RFC 1114
Author Stephen Kent 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 1422 (Historic)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                            S. Kent
Request for Comments: 1422                                           BBN
Obsoletes: 1114                                  IAB IRTF PSRG, IETF PEM
                                                           February 1993

           Privacy Enhancement for Internet Electronic Mail:
               Part II: Certificate-Based Key Management

Status of this Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.


   This memo is the outgrowth of a series of meetings of the Privacy and
   Security Research Group of the Internet Research Task Force (IRTF)
   and the Privacy-Enhanced Electronic Mail Working Group of the
   Internet Engineering Task Force (IETF).  I would like to thank the
   members of the PSRG and the PEM WG for their comments and
   contributions at the meetings which led to the preparation of this
   document.  I also would like to thank contributors to the PEM-DEV
   mailing list who have provided valuable input which is reflected in
   this memo.

1.  Executive Summary

   This is one of a series of documents defining privacy enhancement
   mechanisms for electronic mail transferred using Internet mail
   protocols.  RFC 1421 [6] prescribes protocol extensions and
   processing procedures for RFC-822 mail messages, given that suitable
   cryptographic keys are held by originators and recipients as a
   necessary precondition.  RFC 1423 [7] specifies algorithms, modes and
   associated identifiers for use in processing privacy-enhanced
   messages, as called for in RFC 1421 and this document.  This document
   defines a supporting key management architecture and infrastructure,
   based on public-key certificate techniques, to provide keying
   information to message originators and recipients.  RFC 1424 [8]
   provides additional specifications for services in conjunction with
   the key management infrastructure described herein.

   The key management architecture described in this document is
   compatible with the authentication framework described in CCITT 1988
   X.509 [2].  This document goes beyond X.509 by establishing

Kent                                                            [Page 1]
RFC 1422           Certificate-Based Key Management        February 1993

   procedures and conventions for a key management infrastructure for
   use with Privacy Enhanced Mail (PEM) and with other protocols, from
   both the TCP/IP and OSI suites, in the future.  There are several
   motivations for establishing these procedures and conventions (as
   opposed to relying only on the very general framework outlined in

       -It is important that a certificate management infrastructure
           for use in the Internet community accommodate a range of
           clearly-articulated certification policies for both users
           and   organizations in a well-architected fashion.
           Mechanisms must be provided to enable each user to be
           aware of the policies governing any certificate which the
           user may encounter.  This requires the introduction
           and standardization of procedures and conventions that are
           outside the scope of X.509.

       -The procedures for authenticating originators and recipient in
           the course of message submission and delivery should be
           simple, automated and uniform despite the existence of
           differing certificate management policies.  For example,
           users should not have to engage in careful examination of a
           complex set of certification relationships in order to
           evaluate the credibility of a claimed identity.

       -The authentication framework defined by X.509 is designed to
           operate in the X.500 directory server environment.  However
           X.500 directory servers are not expected to be ubiquitous
           in the Internet in the near future, so some conventions
           are adopted to facilitate operation of the key management
           infrastructure in the near term.

       -Public key cryptosystems are central to the authentication
           technology of X.509 and those which enjoy the most
           widespread use are patented in the U.S.  Although this
           certification management scheme is compatible with
           the use of different digital signature algorithms, it is
           anticipated that the RSA cryptosystem will be used as
           the primary signature algorithm in establishing the
           Internet certification hierarchy.  Special license
           arrangements have been made to facilitate the
           use of this algorithm in the U.S. portion of Internet
Show full document text