Network Working Group C. Adams
Request for Comments: 2510 Entrust Technologies
Category: Standards Track S. Farrell
Internet X.509 Public Key Infrastructure
Certificate Management Protocols
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document describes the Internet X.509 Public Key Infrastructure
(PKI) Certificate Management Protocols. Protocol messages are defined
for all relevant aspects of certificate creation and management.
Note that "certificate" in this document refers to an X.509v3
Certificate as defined in [COR95, X509-AM].
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
as shown) are to be interpreted as described in [RFC2119].
The layout of this document is as follows:
- Section 1 contains an overview of PKI management;
- Section 2 contains discussion of assumptions and restrictions;
- Section 3 contains data structures used for PKI management messages;
- Section 4 defines the functions that are to be carried out in PKI
management by conforming implementations;
- Section 5 describes a simple protocol for transporting PKI messages;
- the Appendices specify profiles for conforming implementations and
provide an ASN.1 module containing the syntax for all messages
defined in this specification.
Adams & Farrell Standards Track [Page 1]RFC 2510 PKI Certificate Management Protocols March 1999
1 PKI Management Overview
The PKI must be structured to be consistent with the types of
individuals who must administer it. Providing such administrators
with unbounded choices not only complicates the software required but
also increases the chances that a subtle mistake by an administrator
or software developer will result in broader compromise. Similarly,
restricting administrators with cumbersome mechanisms will cause them
not to use the PKI.
Management protocols are REQUIRED to support on-line interactions
between Public Key Infrastructure (PKI) components. For example, a
management protocol might be used between a Certification Authority
(CA) and a client system with which a key pair is associated, or
between two CAs that issue cross-certificates for each other.
1.1 PKI Management Model
Before specifying particular message formats and procedures we first
define the entities involved in PKI management and their interactions
(in terms of the PKI management functions required). We then group
these functions in order to accommodate different identifiable types
of end entities.
1.2 Definitions of PKI Entities
The entities involved in PKI management include the end entity (i.e.,
the entity to be named in the subject field of a certificate) and the
certification authority (i.e., the entity named in the issuer field
of a certificate). A registration authority MAY also be involved in
1.2.1 Subjects and End Entities
The term "subject" is used here to refer to the entity named in the
subject field of a certificate; when we wish to distinguish the tools
and/or software used by the subject (e.g., a local certificate
management module) we will use the term "subject equipment". In
general, the term "end entity" (EE) rather than subject is preferred
in order to avoid confusion with the field name.
It is important to note that the end entities here will include not
only human users of applications, but also applications themselves
(e.g., for IP security). This factor influences the protocols which
the PKI management operations use; for example, application software
is far more likely to know exactly which certificate extensions are
required than are human users. PKI management entities are also end
entities in the sense that they are sometimes named in the subject