Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC 2510

Document Type RFC - Proposed Standard (March 1999; No errata)
Obsoleted by RFC 4210
Authors Stephen Farrell  , Carlisle Adams 
Last updated 2013-03-02
Stream Internent Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2510 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                            C. Adams
Request for Comments: 2510                           Entrust Technologies
Category: Standards Track                                      S. Farrell
                                                               March 1999

                Internet X.509 Public Key Infrastructure
                    Certificate Management Protocols

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.


   This document describes the Internet X.509 Public Key Infrastructure
   (PKI) Certificate Management Protocols. Protocol messages are defined
   for all relevant aspects of certificate creation and management.
   Note that "certificate" in this document refers to an X.509v3
   Certificate as defined in [COR95, X509-AM].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
   as shown) are to be interpreted as described in [RFC2119].


   The layout of this document is as follows:

   - Section 1 contains an overview of PKI management;
   - Section 2 contains discussion of assumptions and restrictions;
   - Section 3 contains data structures used for PKI management messages;
   - Section 4 defines the functions that are to be carried out in PKI
     management by conforming implementations;
   - Section 5 describes a simple protocol for transporting PKI messages;
   - the Appendices specify profiles for conforming implementations and
     provide an ASN.1 module containing the syntax for all messages
     defined in this specification.

Adams & Farrell             Standards Track                     [Page 1]
RFC 2510          PKI Certificate Management Protocols        March 1999

1 PKI Management Overview

   The PKI must be structured to be consistent with the types of
   individuals who must administer it.  Providing such administrators
   with unbounded choices not only complicates the software required but
   also increases the chances that a subtle mistake by an administrator
   or software developer will result in broader compromise. Similarly,
   restricting administrators with cumbersome mechanisms will cause them
   not to use the PKI.

   Management protocols are REQUIRED to support on-line interactions
   between Public Key Infrastructure (PKI) components.  For example, a
   management protocol might be used between a Certification Authority
   (CA) and a client system with which a key pair is associated, or
   between two CAs that issue cross-certificates for each other.

1.1 PKI Management Model

   Before specifying particular message formats and procedures we first
   define the entities involved in PKI management and their interactions
   (in terms of the PKI management functions required).  We then group
   these functions in order to accommodate different identifiable types
   of end entities.

1.2 Definitions of PKI Entities

   The entities involved in PKI management include the end entity (i.e.,
   the entity to be named in the subject field of a certificate) and the
   certification authority (i.e., the entity named in the issuer field
   of a certificate). A registration authority MAY also be involved in
   PKI management.

1.2.1 Subjects and End Entities

   The term "subject" is used here to refer to the entity named in the
   subject field of a certificate; when we wish to distinguish the tools
   and/or software used by the subject (e.g., a local certificate
   management module) we will use the term "subject equipment". In
   general, the term "end entity" (EE) rather than subject is preferred
   in order to avoid confusion with the field name.

   It is important to note that the end entities here will include not
   only human users of applications, but also applications themselves
   (e.g., for IP security). This factor influences the protocols which
   the PKI management operations use; for example, application software
   is far more likely to know exactly which certificate extensions are
   required than are human users. PKI management entities are also end
   entities in the sense that they are sometimes named in the subject

Adams & Farrell             Standards Track                     [Page 2]
RFC 2510          PKI Certificate Management Protocols        March 1999

   field of a certificate or cross-certificate. Where appropriate, the
   term "end-entity" will be used to refer to end entities who are not
   PKI management entities.
Show full document text