Network Working Group R. Housley Request for Comments: 2585 SPYRUS Category: Standards Track P. Hoffman IMC May 1999 Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved.
AbstractThe protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents.
Repository: a system or collection of distributed systems that store certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities. RFC 959 and the Hypertext Transfer Protocol (HTTP) defined in RFC 2068 offer alternate methods for certificate and CRL distribution. End entities and CAs may retrieve certificates and CRLs from the repository using FTP or HTTP. End entities may publish their own certificate in the repository using FTP or HTTP, and RAs and CAs may publish certificates and CRLs in the repository using FTP or HTTP.
For convenience, the names of files that contain certificates should have a suffix of ".cer". Each ".cer" file contains exactly one certificate, encoded in DER format. Likewise, the names of files that contain CRLs should have a suffix of ".crl". Each ".crl" file contains exactly one CRL, encoded in DER format.
Optional parameters: version (default value is "1") Encoding considerations: will be none for 8-bit transports and most likely Base64 for SMTP or other 7-bit transports Security considerations: Carries a cryptographic certificate revocation list Interoperability considerations: None Published specification: draft-ietf-pkix-ipki-part1 Applications which use this media type: Any MIME-complaint transport Additional information: Magic number(s): None File extension(s): .CRL Macintosh File Type Code(s): none Person & email address to contact for further information: Russ Housley <email@example.com> Intended usage: COMMON Author/Change controller: Russ Housley <firstname.lastname@example.org> [RFC 959] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)", STD 5, RFC 959, October 1985. [RFC 1738] Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform Resource Locators (URL)", RFC 1738, December 1994. [RFC 2068] Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and T. Berners-Lee; "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997.
HTTP caching proxies are common on the Internet, and some proxies do not check for the latest version of an object correctly. If an HTTP request for a certificate or CRL goes through a misconfigured or otherwise broken proxy, the proxy may return an out-of-date response. Operators of FTP sites and World Wide Web servers should authenticate end entities who publish certificates as well as CAs and RAs who publish certificates and CRLs. However, authentication is not necessary to retrieve certificates and CRLs.
Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.