Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
RFC 4387
Type: RFC - Proposed Standard (February 2006; no errata)
Updated by: RFC 8553
Author: Peter Gutmann
Last updated: 2015-10-14
Stream: IETF
WG state: (None)
Document shepherd: No shepherd assigned
IESG state: RFC 4387 (Proposed Standard)
Action holders: (None)
Consensus boilerplate: Unknown
Responsible AD: Russ Housley
Send notices to: wpolk@nist.gov
Network Working Group                                    P. Gutmann, Ed.
Request for Comments: 4387                        University of Auckland
Category: Standards Track                                  February 2006

Internet X.509 Public Key Infrastructure Operational Protocols:
Certificate Store Access via HTTP

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

The protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the Hypertext Transfer Protocol (HTTP/HTTPS) as an interface mechanism to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents.

Gutmann                     Standards Track                     [Page 1]
RFC 4387             Certificate Store Access via HTTP      February 2006

Table of Contents

   1. Introduction ....................................................2
   2. HTTP Certificate Store Interface ................................3
      2.1. Converting Binary Blobs into Search Keys ...................4
      2.2. Attribute Types: X.509 .....................................5
      2.3. Attribute Types: PGP .......................................6
      2.4. Attribute Types: XML .......................................6
      2.5. Implementation Notes and Rationale .........................6
           2.5.1. Identification ......................................7
           2.5.2. Checking of Input Values ............................9
           2.5.3. URI Notes ..........................................10
           2.5.4. Responses ..........................................11
           2.5.5. Performance Issues .................................12
           2.5.6. Miscellaneous ......................................13
      2.6. Examples ..................................................14
   3. Locating HTTP Certificate Stores ...............................15
      3.1. Information in the Certificate ............................15
      3.2. Use of DNS SRV ............................................16
           3.2.1. Example ............................................16
      3.3. Use of a "well-known" Location ............................16
           3.3.1. Examples ...........................................17
      3.4. Manual Configuration of the Client Software ...............18
      3.5. Implementation Notes and Rationale ........................18
           3.5.1. DNS SRV ............................................18
           3.5.2. "well-known" Locations .............................19
           3.5.3. Information in the Certificate .....................19
           3.5.4. Miscellaneous ......................................20
   4. Security Considerations ........................................20
   5. IANA Considerations ............................................22
   6. Acknowledgements ...............................................22
   7. References .....................................................22
      7.1. Normative References ......................................22
      7.2. Informative References ....................................23

1. Introduction

This specification is part of a multi-part standard for the Internet Public Key Infrastructure (PKI) using X.509 certificates and certificate revocation lists (CRLs). This document specifies the conventions for using the Hypertext Transfer Protocol (HTTP), or optionally HTTPS, as an interface mechanism to obtain certificates or public keys, and certificate revocation lists (CRLs), from PKI repositories. Throughout the remainder of this document the generic term HTTP will be used to cover either option.
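The introduction describes HTTP as a thin, general-purpose front-end over whatever store actually holds the certificates and CRLs, with HTTPS optional. The Python model below is an added example and is not code from RFC 4387 or from any implementation of it. It puts one GET interface over two different back-ends (a dictionary standing in for a directory of flat files, and an in-memory SQLite table), does input checking before a key reaches a back-end, and shows the client-side check a practitioner wants when the transport is plain HTTP: the client confirms that what came back is what it asked for instead of trusting the transport. A real client also validates the certificate or CRL signature; the hash comparison stands in for that self-verification step because no X.509 parsing is done here. The query parameter name "hash", the hex SHA-256 search-key derivation, the byte strings used as DER stand-ins, the host name repo.example.com and all class and function names are placeholders chosen for this example; they are not the attribute names or the search-key encoding the RFC itself defines in Sections 2.1 and 2.2, which are not reproduced on this page. The two media types are the ones RFC 2585 registers for DER-encoded certificates and CRLs.

```python
"""Model of an HTTP certificate-store front-end with interchangeable
back-ends, plus the client-side check on what comes back.

Added example, not code from RFC 4387 or any implementation of it.
Placeholders (assumptions, not the RFC's own conventions): the query
parameter "hash", the hex SHA-256 search key, the byte strings used as
DER stand-ins, the host name, and all class/function names.
"""
import hashlib
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Media types registered by RFC 2585 for DER-encoded certificates and CRLs.
PKIX_CERT = "application/pkix-cert"
PKIX_CRL = "application/pkix-crl"

# Constructed stand-ins for DER-encoded objects (real ones would be ASN.1).
SAMPLE_OBJECTS = [
    ("cert", b"constructed DER stand-in: end-entity certificate A"),
    ("cert", b"constructed DER stand-in: end-entity certificate B"),
    ("crl", b"constructed DER stand-in: CRL issued by CA X"),
]


def search_key(der: bytes) -> str:
    """Map a binary blob to a URL-safe lookup key (placeholder derivation)."""
    return hashlib.sha256(der).hexdigest()


def is_well_formed_key(key: str) -> bool:
    """Input checking at the front-end: only a 64-digit hex string reaches a back-end."""
    return len(key) == 64 and all(c in "0123456789abcdefABCDEF" for c in key)


class FlatFileStore:
    """Back-end 1: a dict standing in for a directory with one object per file."""

    def __init__(self, objects):
        self._by_key = {search_key(der): (kind, der) for kind, der in objects}

    def lookup(self, key: str):
        return self._by_key.get(key)


class SqliteStore:
    """Back-end 2: a relational table indexed by the same key."""

    def __init__(self, objects):
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE objs (key TEXT PRIMARY KEY, kind TEXT, der BLOB)")
        self._db.executemany(
            "INSERT INTO objs VALUES (?, ?, ?)",
            [(search_key(der), kind, der) for kind, der in objects],
        )

    def lookup(self, key: str):
        row = self._db.execute("SELECT kind, der FROM objs WHERE key = ?", (key,)).fetchone()
        return (row[0], bytes(row[1])) if row else None


class SubstitutingStore:
    """A repository that answers with the wrong object (compromised or mis-served)."""

    def __init__(self, inner, substitute: bytes):
        self._inner, self._substitute = inner, substitute

    def lookup(self, key: str):
        hit = self._inner.lookup(key)
        return (hit[0], self._substitute) if hit else None


def handle_get(store, url: str):
    """Front-end: map a GET URL to an HTTP (status, content-type, body) triple.
    The same code serves every back-end; that is the transparent interface."""
    keys = parse_qs(urlsplit(url).query).get("hash", [])
    if len(keys) != 1 or not is_well_formed_key(keys[0]):
        return 400, "text/plain", b"bad request"
    hit = store.lookup(keys[0].lower())
    if hit is None:
        return 404, "text/plain", b"not found"
    kind, der = hit
    return 200, (PKIX_CERT if kind == "cert" else PKIX_CRL), der


def fetch_checked(store, key: str):
    """Client: fetch by key over (possibly plain) HTTP and refuse anything that
    does not match the request. A real client also validates the object's
    signature; the hash comparison stands in for that self-verification."""
    status, ctype, body = handle_get(store, f"http://repo.example.com/search?hash={key}")
    if status != 200:
        return None
    if ctype not in (PKIX_CERT, PKIX_CRL) or search_key(body) != key:
        raise ValueError("returned object does not match requested key")
    return body
```

Swapping FlatFileStore for SqliteStore changes nothing the client can observe, which is the property the introduction is after. The SubstitutingStore case is the one to keep in mind when the store is reached over plain HTTP: the front-end answers 200 with a well-formed object, and only the client-side comparison against the requested key (and, in a real client, signature validation) catches the substitution.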
Although RFC 2585 [RFC2585] covers fetching certificates via HTTP, this merely mentions that certificates may be fetched from a static URL, which doesn't provide any general-purpose interface capabilities to a certificate store. The conventions described in this document allow HTTP to be used as a general-purpose, transparent interface to any type of certificate or key store including flat files, standard databases such as Berkeley DB and relational databases, and