Network Working Group C. Adams Request for Comments: 2510 Entrust Technologies Category: Standards Track S. Farrell SSE March 1999 Internet X.509 Public Key Infrastructure Certificate Management Protocols Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved.
AbstractThis document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocols. Protocol messages are defined for all relevant aspects of certificate creation and management. Note that "certificate" in this document refers to an X.509v3 Certificate as defined in [COR95, X509-AM]. The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. Introduction The layout of this document is as follows: - Section 1 contains an overview of PKI management; - Section 2 contains discussion of assumptions and restrictions; - Section 3 contains data structures used for PKI management messages; - Section 4 defines the functions that are to be carried out in PKI management by conforming implementations; - Section 5 describes a simple protocol for transporting PKI messages; - the Appendices specify profiles for conforming implementations and provide an ASN.1 module containing the syntax for all messages defined in this specification.
field of a certificate or cross-certificate. Where appropriate, the term "end-entity" will be used to refer to end entities who are not PKI management entities. All end entities require secure local access to some information -- at a minimum, their own name and private key, the name of a CA which is directly trusted by this entity and that CA's public key (or a fingerprint of the public key where a self-certified version is available elsewhere). Implementations MAY use secure local storage for more than this minimum (e.g., the end entity's own certificate or application-specific information). The form of storage will also vary -- from files to tamper-resistant cryptographic tokens. Such local trusted storage is referred to here as the end entity's Personal Security Environment (PSE). Though PSE formats are beyond the scope of this document (they are very dependent on equipment, et cetera), a generic interchange format for PSEs is defined here - a certification response message MAY be used.
5. PKI management protocols must allow the use of different industry-standard cryptographic algorithms, (specifically including RSA, DSA, MD5, SHA-1) -- this means that any given CA, RA, or end entity may, in principle, use whichever algorithms suit it for its own key pair(s). 6. PKI management protocols must not preclude the generation of key pairs by the end-entity concerned, by an RA, or by a CA -- key generation may also occur elsewhere, but for the purposes of PKI management we can regard key generation as occurring wherever the key is first present at an end entity, RA, or CA. 7. PKI management protocols must support the publication of certificates by the end-entity concerned, by an RA, or by a CA. Different implementations and different environments may choose any of the above approaches. 8. PKI management protocols must support the production of Certificate Revocation Lists (CRLs) by allowing certified end entities to make requests for the revocation of certificates - this must be done in such a way that the denial-of-service attacks which are possible are not made simpler. 9. PKI management protocols must be usable over a variety of "transport" mechanisms, specifically including mail, http, TCP/IP and ftp. 10. Final authority for certification creation rests with the CA; no RA or end-entity equipment can assume that any certificate issued by a CA will contain what was requested -- a CA may alter certificate field values or may add, delete or alter extensions according to its operating policy. In other words, all PKI entities (end-entities, RAs, and CAs) must be capable of handling responses to requests for certificates in which the actual certificate issued is different from that requested (for example, a CA may shorten the validity period requested). Note that policy may dictate that the CA must not publish or otherwise distribute the certificate until the requesting entity has reviewed and accepted the newly-created certificate (typically through use of the PKIConfirm message). 11. A graceful, scheduled change-over from one non-compromised CA key pair to the next (CA key update) must be supported (note that if the CA key is compromised, re-initialization must be performed for all entities in the domain of that CA). An end entity whose PSE contains the new CA public key (following a CA key update) must also be able to verify certificates verifiable using the old public key. End entities who directly
trust the old CA key pair must also be able to verify certificates signed using the new CA private key. (Required for situations where the old CA public key is "hardwired" into the end entity's cryptographic equipment). 12. The Functions of an RA may, in some implementations or environments, be carried out by the CA itself. The protocols must be designed so that end entities will use the same protocol (but, of course, not the same key!) regardless of whether the communication is with an RA or CA. 13. Where an end entity requests a certificate containing a given public key value, the end entity must be ready to demonstrate possession of the corresponding private key value. This may be accomplished in various ways, depending on the type of certification request. See Section 2.3, "Proof of Possession of Private Key", for details of the in-band methods defined for the PKIX-CMP (i.e., Certificate Management Protocol) messages. PKI Management Operations The following diagram shows the relationship between the entities defined above in terms of the PKI management operations. The letters in the diagram indicate "protocols" in the sense that a defined set of PKI management messages can be sent along each of the lettered lines.
+---+ cert. publish +------------+ j | | <--------------------- | End Entity | <------- | C | g +------------+ "out-of-band" | | | ^ loading | e | | | initial | r | a | | b registration/ | t | | | certification | | | | key pair recovery | / | | | key pair update | | | | certificate update | C | PKI "USERS" V | revocation request | R | -------------------+-+-----+-+------+-+------------------- | L | PKI MANAGEMENT | ^ | ^ | | ENTITIES a | | b a | | b | | V | | | | R | g +------+ d | | | e | <------------ | RA | <-----+ | | | p | cert. | | ----+ | | | | o | publish +------+ c | | | | | s | | | | | | i | V | V | | t | g +------------+ i | o | <------------------------| CA |-------> | r | h +------------+ "out-of-band" | y | cert. publish | ^ publication | | CRL publish | | +---+ | | cross-certification e | | f cross-certificate | | update | | V | +------+ | CA-2 | +------+ Figure 1 - PKI Entities At a high level the set of operations for which management messages are defined can be grouped as follows. 1 CA establishment: When establishing a new CA, certain steps are required (e.g., production of initial CRLs, export of CA public key). 2 End entity initialization: this includes importing a root CA public key and requesting information about the options supported by a PKI management entity.
3 Certification: various operations result in the creation of new certificates: 3.1 initial registration/certification: This is the process whereby an end entity first makes itself known to a CA or RA, prior to the CA issuing a certificate or certificates for that end entity. The end result of this process (when it is successful) is that a CA issues a certificate for an end entity's public key, and returns that certificate to the end entity and/or posts that certificate in a public repository. This process may, and typically will, involve multiple "steps", possibly including an initialization of the end entity's equipment. For example, the end entity's equipment must be securely initialized with the public key of a CA, to be used in validating certificate paths. Furthermore, an end entity typically needs to be initialized with its own key pair(s). 3.2 key pair update: Every key pair needs to be updated regularly (i.e., replaced with a new key pair), and a new certificate needs to be issued. 3.3 certificate update: As certificates expire they may be "refreshed" if nothing relevant in the environment has changed. 3.4 CA key pair update: As with end entities, CA key pairs need to be updated regularly; however, different mechanisms are required. 3.5 cross-certification request: One CA requests issuance of a cross-certificate from another CA. For the purposes of this standard, the following terms are defined. A "cross- certificate" is a certificate in which the subject CA and the issuer CA are distinct and SubjectPublicKeyInfo contains a verification key (i.e., the certificate has been issued for the subject CA's signing key pair). When it is necessary to distinguish more finely, the following terms may be used: a cross-certificate is called an "inter-domain cross-certificate" if the subject and issuer CAs belong to different administrative domains; it is called an "intra- domain cross-certificate" otherwise.
Notes: Note 1. The above definition of "cross-certificate" aligns with the defined term "CA-certificate" in X.509. Note that this term is not to be confused with the X.500 "cACertificate" attribute type, which is unrelated. Note 2. In many environments the term "cross-certificate", unless further qualified, will be understood to be synonymous with "inter- domain cross-certificate" as defined above. Note 3. Issuance of cross-certificates may be, but is not necessarily, mutual; that is, two CAs may issue cross-certificates for each other. 3.6 cross-certificate update: Similar to a normal certificate update but involving a cross-certificate. 4 Certificate/CRL discovery operations: some PKI management operations result in the publication of certificates or CRLs: 4.1 certificate publication: Having gone to the trouble of producing a certificate, some means for publishing it is needed. The "means" defined in PKIX MAY involve the messages specified in Sections 3.3.13 - 3.3.16, or MAY involve other methods (LDAP, for example) as described in the "Operational Protocols" documents of the PKIX series of specifications. 4.2 CRL publication: As for certificate publication. 5 Recovery operations: some PKI management operations are used when an end entity has "lost" its PSE: 5.1 key pair recovery: As an option, user client key materials (e.g., a user's private key used for decryption purposes) MAY be backed up by a CA, an RA, or a key backup system associated with a CA or RA. If an entity needs to recover these backed up key materials (e.g., as a result of a forgotten password or a lost key chain file), a protocol exchange may be needed to support such recovery. 6 Revocation operations: some PKI operations result in the creation of new CRL entries and/or new CRLs: 6.1 revocation request: An authorized person advises a CA of an abnormal situation requiring certificate revocation.
7 PSE operations: whilst the definition of PSE operations (e.g., moving a PSE, changing a PIN, etc.) are beyond the scope of this specification, we do define a PKIMessage (CertRepMessage) which can form the basis of such operations. Note that on-line protocols are not the only way of implementing the above operations. For all operations there are off-line methods of achieving the same result, and this specification does not mandate use of on-line protocols. For example, when hardware tokens are used, many of the operations MAY be achieved as part of the physical token delivery. Later sections define a set of standard messages supporting the above operations. The protocols for conveying these exchanges in different environments (file based, on-line, E-mail, and WWW) is also specified.
We will now describe the classification of initial registration / certification schemes.
centralized key generation service - the actual key pair MAY have been generated elsewhere and transported to the end entity, RA, or CA using a (proprietary or standardized) key generation request/response protocol (outside the scope of this specification). There are thus three possibilities for the location of "key generation": the end entity, an RA, or a CA.
binding (for signature, encryption, and key agreement key pairs) exist, and are ubiquitous, this binding can only be assumed to have been verified by the CA/RA. Therefore, if the binding is not verified by the CA/RA, certificates in the Internet Public-Key Infrastructure end up being somewhat less meaningful. POP is accomplished in different ways depending upon the type of key for which a certificate is requested. If a key can be used for multiple purposes (e.g., an RSA key) then any appropriate method MAY be used (e.g., a key which may be used for signing, as well as other purposes, SHOULD NOT be sent to the CA/RA in order to prove possession). This specification explicitly allows for cases where an end entity supplies the relevant proof to an RA and the RA subsequently attests to the CA that the required proof has been received (and validated!). For example, an end entity wishing to have a signing key certified could send the appropriate signature to the RA which then simply notifies the relevant CA that the end entity has supplied the required proof. Of course, such a situation may be disallowed by some policies (e.g., CAs may be the only entities permitted to verify POP during certification).
Note 3.This scheme forces end entities to acquire the new CA public key on the expiry of the last certificate they owned that was signed with the old CA private key (via the "out-of-band" means). Certificate and/or key update operations occurring at other times do not necessarily require this (depending on the end entity's equipment).