Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
RFC 4387
| Document | Type |
RFC - Proposed Standard
(February 2006; No errata)
Updated by RFC 8553
|
|
|---|---|---|---|
| Author | Peter Gutmann | ||
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4387 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Russ Housley | ||
| Send notices to | wpolk@nist.gov | ||
Network Working Group P. Gutmann, Ed.
Request for Comments: 4387 University of Auckland
Category: Standards Track February 2006
Internet X.509 Public Key Infrastructure
Operational Protocols: Certificate Store Access via HTTP
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The protocol conventions described in this document satisfy some of
the operational requirements of the Internet Public Key
Infrastructure (PKI). This document specifies the conventions for
using the Hypertext Transfer Protocol (HTTP/HTTPS) as an interface
mechanism to obtain certificates and certificate revocation lists
(CRLs) from PKI repositories. Additional mechanisms addressing PKIX
operational requirements are specified in separate documents.
Gutmann Standards Track [Page 1]
RFC 4387 Certificate Store Access via HTTP February 2006
Table of Contents
1. Introduction ....................................................2
2. HTTP Certificate Store Interface ................................3
2.1. Converting Binary Blobs into Search Keys ...................4
2.2. Attribute Types: X.509 .....................................5
2.3. Attribute Types: PGP .......................................6
2.4. Attribute Types: XML .......................................6
2.5. Implementation Notes and Rationale .........................6
2.5.1. Identification ......................................7
2.5.2. Checking of Input Values ............................9
2.5.3. URI Notes ..........................................10
2.5.4. Responses ..........................................11
2.5.5. Performance Issues .................................12
2.5.6. Miscellaneous ......................................13
2.6. Examples ..................................................14
3. Locating HTTP Certificate Stores ...............................15
3.1. Information in the Certificate ............................15
3.2. Use of DNS SRV ............................................16
3.2.1. Example ............................................16
3.3. Use of a "well-known" Location ............................16
3.3.1. Examples ...........................................17
3.4. Manual Configuration of the Client Software ...............18
3.5. Implementation Notes and Rationale ........................18
3.5.1. DNS SRV ............................................18
3.5.2. "well-known" Locations .............................19
3.5.3. Information in the Certificate .....................19
3.5.4. Miscellaneous ......................................20
4. Security Considerations ........................................20
5. IANA Considerations ............................................22
6. Acknowledgements ...............................................22
7. References .....................................................22
7.1. Normative References ......................................22
7.2. Informative References ....................................23
1. Introduction
This specification is part of a multi-part standard for the Internet
Public Key Infrastructure (PKI) using X.509 certificates and
certificate revocation lists (CRLs). This document specifies the
conventions for using the Hypertext Transfer Protocol (HTTP), or
optionally, HTTPS as an interface mechanism to obtain certificates or
public keys, and certificate revocation lists (CRLs), from PKI
repositories. Throughout the remainder of this document the generic
term HTTP will be used to cover either option.
Gutmann Standards Track [Page 2]
RFC 4387 Certificate Store Access via HTTP February 2006
Although RFC 2585 [RFC2585] covers fetching certificates via HTTP,
this merely mentions that certificates may be fetched from a static
URL, which doesn't provide any general-purpose interface capabilities
to a certificate store. The conventions described in this document
allow HTTP to be used as a general-purpose, transparent interface to
any type of certificate or key store including flat files, standard
databases such as Berkeley DB and relational databases, and
Show full document text