Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
RFC 4387

Document type: RFC - Proposed Standard (February 2006)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4387 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: kent@bbn.com, wpolk@nist.gov

Network Working Group                                    P. Gutmann, Ed.
Request for Comments: 4387                        University of Auckland
Category: Standards Track                                  February 2006

                Internet X.509 Public Key Infrastructure
        Operational Protocols: Certificate Store Access via HTTP

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The protocol conventions described in this document satisfy some of
   the operational requirements of the Internet Public Key
   Infrastructure (PKI).  This document specifies the conventions for
   using the Hypertext Transfer Protocol (HTTP/HTTPS) as an interface
   mechanism to obtain certificates and certificate revocation lists
   (CRLs) from PKI repositories.  Additional mechanisms addressing PKIX
   operational requirements are specified in separate documents.

Gutmann                     Standards Track                     [Page 1]
RFC 4387           Certificate Store Access via HTTP       February 2006

Table of Contents

   1. Introduction ....................................................2
   2. HTTP Certificate Store Interface ................................3
      2.1. Converting Binary Blobs into Search Keys ...................4
      2.2. Attribute Types: X.509 .....................................5
      2.3. Attribute Types: PGP .......................................6
      2.4. Attribute Types: XML .......................................6
      2.5. Implementation Notes and Rationale .........................6
           2.5.1. Identification ......................................7
           2.5.2. Checking of Input Values ............................9
           2.5.3. URI Notes ..........................................10
           2.5.4. Responses ..........................................11
           2.5.5. Performance Issues .................................12
           2.5.6. Miscellaneous ......................................13
      2.6. Examples ..................................................14
   3. Locating HTTP Certificate Stores ...............................15
      3.1. Information in the Certificate ............................15
      3.2. Use of DNS SRV ............................................16
           3.2.1. Example ............................................16
      3.3. Use of a "well-known" Location ............................16
           3.3.1. Examples ...........................................17
      3.4. Manual Configuration of the Client Software ...............18
      3.5. Implementation Notes and Rationale ........................18
           3.5.1. DNS SRV ............................................18
           3.5.2. "well-known" Locations .............................19
           3.5.3. Information in the Certificate .....................19
           3.5.4. Miscellaneous ......................................20
   4. Security Considerations ........................................20
   5. IANA Considerations ............................................22
   6. Acknowledgements ...............................................22
   7. References .....................................................22
      7.1. Normative References ......................................22
      7.2. Informative References ....................................23

1.  Introduction

   This specification is part of a multi-part standard for the Internet
   Public Key Infrastructure (PKI) using X.509 certificates and
   certificate revocation lists (CRLs).  This document specifies the
   conventions for using the Hypertext Transfer Protocol (HTTP), or
   optionally, HTTPS as an interface mechanism to obtain certificates or
   public keys, and certificate revocation lists (CRLs), from PKI
   repositories.  Throughout the remainder of this document the generic
   term HTTP will be used to cover either option.

   Although RFC 2585 [RFC2585] covers fetching certificates via HTTP,
   this merely mentions that certificates may be fetched from a static
   URL, which doesn't provide any general-purpose interface capabilities
   to a certificate store.  The conventions described in this document