SPKI Requirements
RFC 2692

 
Document Type RFC - Experimental (September 1999; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2692 (Experimental)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         C. Ellison
Request for Comments: 2692                                         Intel
Category: Experimental                                    September 1999

                           SPKI Requirements

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The IETF Simple Public Key Infrastructure [SPKI] Working Group is
   tasked with producing a certificate structure and operating procedure
   to meet the needs of the Internet community for trust management in
   as easy, simple and extensible a way as possible.

   The SPKI Working Group first established a list of things one might
   want to do with certificates (attached at the end of this document),
   and then summarized that list of desires into requirements.  This
   document presents that summary of requirements.

Table of Contents

   Charter of the SPKI working group................................2
   Background.......................................................2
   General Requirements.............................................3
   Validity and CRLs................................................4
   Implementation of Certificates...................................4
   List of Certificate Uses.........................................5
   Open Questions..................................................11
   References......................................................12
   Security Considerations.........................................12
   Author's Address................................................13
   Full Copyright Statement........................................14

Ellison                       Experimental                      [Page 1]
RFC 2692                   SPKI Requirements              September 1999

Charter of the SPKI working group

   Many Internet protocols and applications which use the Internet
   employ public key technology for security purposes and require a
   public key infrastructure to manage public keys.

   The task of the working group will be to develop Internet standards
   for an IETF sponsored public key certificate format, associated
   signature and other formats, and key acquisition protocols.  The key
   certificate format and associated protocols are to be simple to
   understand, implement, and use. For purposes of the working group,
   the resulting formats and protocols are to be known as the Simple
   Public Key Infrastructure, or SPKI.

   The SPKI is intended to provide mechanisms to support security in a
   wide range of Internet applications, including IPSEC protocols,
   encrypted electronic mail and WWW documents, payment protocols, and
   any other application which will require the use of public key
   certificates and the ability to access them. It is intended that the
   Simple Public Key Infrastructure will support a range of trust
   models.

Background

   The term certificate traces back to the MIT bachelor's thesis of
   Loren M. Kohnfelder [KOHN].  Kohnfelder, in turn, was responding to a
   suggestion by Diffie and Hellman in their seminal paper [DH].  Diffie
   and Hellman noted that with public key cryptography, one no longer
   needs a secure channel over which to transmit secret keys between
   communicants.  Instead, they suggested, one can publish a modified
   telephone book -- one with public keys in place of telephone numbers.
   One could then look up his or her desired communication partner in
   the directory, find that person's public key and open a secure
   channel to that person.  Kohnfelder took that suggestion and noted
   that an on-line service has the disadvantage of being a performance
   bottleneck.  To replace it, he proposed creation of digitally signed
   directory entries which he called certificates.  In the time since
   1978, the term certificate has frequently been assumed to mean a
   binding between name and key.

   The SPKI team directly addressed the issue of <name,key> bindings and
   realized that such certificates are of extremely limited use for
   trust management.  A keyholder's name is one attribute of the
   keyholder, but as can be seen in the list of needs in this document,
   a person's name is rarely of security interest.  A user of a
   certificate needs to know whether a given keyholder has been granted
   some specific authorization.

Ellison                       Experimental                      [Page 2]
RFC 2692                   SPKI Requirements              September 1999
Show full document text