Memorandum for Multi-Domain Public Key Infrastructure Interoperability
RFC 5217

Document type: RFC - Informational (July 2008)
Was draft-shimaoka-multidomain-pki (individual in sec area)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5217 (Informational)
Responsible AD: Russ Housley
Send notices to: m-shimaoka@secom.co.jp, nielsen_rebecca@bah.com, nelson.hastings@nist.gov

Network Working Group                                   M. Shimaoka, Ed.
Request for Comments: 5217                                         SECOM
Category: Informational                                      N. Hastings
                                                                    NIST
                                                              R. Nielsen
                                                     Booz Allen Hamilton
                                                               July 2008

 Memorandum for Multi-Domain Public Key Infrastructure Interoperability

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   The objective of this document is to establish a terminology
   framework and to suggest the operational requirements of a Public
   Key Infrastructure (PKI) domain for interoperability of multi-domain
   Public Key Infrastructure, where each PKI domain is operated under a
   distinct policy.  This document describes the relationships between
   Certification Authorities (CAs), provides the definition and
   requirements for PKI domains, and discusses typical models of multi-
   domain PKI.

Shimaoka, et al.             Informational                      [Page 1]
RFC 5217           Multi-Domain PKI Interoperability           July 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Objective  . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Document Outline . . . . . . . . . . . . . . . . . . . . .  3
   2.  Public Key Infrastructure (PKI) Basics . . . . . . . . . . . .  3
     2.1.  Basic Terms  . . . . . . . . . . . . . . . . . . . . . . .  3
     2.2.  Relationships between Certification Authorities  . . . . .  4
       2.2.1.  Hierarchical CA Relationships  . . . . . . . . . . . .  5
       2.2.2.  Peer-to-Peer CA Relationships  . . . . . . . . . . . .  6
     2.3.  Public Key Infrastructure (PKI) Architectures  . . . . . .  7
       2.3.1.  Single CA Architecture . . . . . . . . . . . . . . . .  7
       2.3.2.  Multiple CA Architectures  . . . . . . . . . . . . . .  8
     2.4.  Relationships between PKIs and Relying Parties . . . . . . 12
   3.  PKI Domain . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     3.1.  PKI Domain Properties  . . . . . . . . . . . . . . . . . . 13
     3.2.  Requirements for Establishing and Participating in PKI
           Domains  . . . . . . . . . . . . . . . . . . . . . . . . . 13
       3.2.1.  PKI Requirements . . . . . . . . . . . . . . . . . . . 13
       3.2.2.  PKI Domain Documentation . . . . . . . . . . . . . . . 14
       3.2.3.  PKI Domain Membership Notification . . . . . . . . . . 15
       3.2.4.  Considerations for PKIs and PKI Domains with
               Multiple Policies  . . . . . . . . . . . . . . . . . . 16
     3.3.  PKI Domain Models  . . . . . . . . . . . . . . . . . . . . 16
       3.3.1.  Unifying Trust Point (Unifying Domain) Model . . . . . 16
       3.3.2.  Independent Trust Point Models . . . . . . . . . . . . 17
     3.4.  Operational Considerations . . . . . . . . . . . . . . . . 21
   4.  Trust Models External to PKI Relationships . . . . . . . . . . 22
     4.1.  Trust List Models  . . . . . . . . . . . . . . . . . . . . 22
       4.1.1.  Local Trust List Model . . . . . . . . . . . . . . . . 22
       4.1.2.  Trust Authority Model  . . . . . . . . . . . . . . . . 23
     4.2.  Trust List Considerations  . . . . . . . . . . . . . . . . 24
       4.2.1.  Considerations for a PKI . . . . . . . . . . . . . . . 24
       4.2.2.  Considerations for Relying Parties and Trust
               Authorities  . . . . . . . . . . . . . . . . . . . . . 24
       4.2.3.  Additional Considerations for Trust Authorities  . . . 25
   5.  Abbreviations  . . . . . . . . . . . . . . . . . . . . . . . . 25
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 25
     6.1.  PKI Domain Models  . . . . . . . . . . . . . . . . . . . . 25
     6.2.  Trust List Models  . . . . . . . . . . . . . . . . . . . . 26
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 27
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 27


1.  Introduction

1.1.  Objective

   The objective of this document is to establish a terminology
   framework and to provide the operational requirements, which can be
   used by different Public Key Infrastructure (PKI) authorities who are

[include full document text]