Public-Key Infrastructure (X.509) (pkix)
----------------------------------------

 Charter
 Last Modified: 2007-04-02

 Current Status: Active Working Group

 Chair(s):
     Stephen Kent  <kent@bbn.com>
     Stefan Santesson  <stefans@microsoft.com>

 Security Area Director(s):
     Tim Polk  <tim.polk@nist.gov>
     Sam Hartman  <hartmans-ietf@mit.edu>

 Security Area Advisor:
     Tim Polk  <tim.polk@nist.gov>

 Mailing Lists: 
     General Discussion:ietf-pkix@imc.org
     To Subscribe:      ietf-pkix-request@imc.org
         In Body:       subscribe (In Body)
     Archive:           http://www.imc.org/ietf-pkix

Description of Working Group:

The PKIX Working Group was established in the Fall of 1995 with the
intent of developing Internet standards needed to support an
X.509-based PKI. The scope of PKIX work has expanded beyond this
initial goal. PKIX not only profiles ITU PKI standards, but also
develops new standards apropos to the use of X.509-based PKIs in the
Internet.

PKIX has produced several informational and standards track documents
in support of the original and revised scope of the WG. The first of
these standards, RFC 2459, profiled X.509 version 3 certificates and
version 2 CRLs for use in the Internet. Profiles for the use of
Attribute Certificates (RFC XXXX [pending]), LDAP v2 for certificate
and CRL storage (RFC 2587), the Internet X.509 Public Key
Infrastructure Qualified Certificates Profile (RFC 3039), and the
Internet X.509 Public Key Infrastructure Certificate Policy and
certification Practices Framework (RFC 2527 - Informational) are in
line with the initial scope.

The Certificate Management Protocol (CMP) (RFC 2510), the Online
Certificate Status Protocol (OCSP) (RFC 2560), Certificate Management
Request Format (CRMF) (RFC 2511), Time-Stamp Protocol (RFC 3161),
Certificate Management Messages over CMS (RFC 2797), Internet X.509
Public Key Infrastructure Time Stamp Protocols (RFC 3161), and the use
of FTP and HTTP for transport of PKI operations (RFC 2585) are
representative of the expanded scope of PKIX, as these are new
protocols developed in the working group, not profiles of ITU PKI
standards.

A roadmap, providing a guide to the growing set of PKIX document, also
has been developed as an informational RFC.

Ongoing PKIX Work items

An ongoing PKIX task is the progression of existing, standards track
RFCs from PROPOSED to DRAFT. Also, to the extent that PKIX work
relates to protocols from other areas, e.g., LDAP, it is necessary to
track the evolution of the other protocols and produce updated
RFCs. For example, the LDAP v2 documents from PKIX are evolving to
address LDAP v3. Finally, since the profiling of X.509 standards for
use in the Internet remains a major focus, the WG will continue to
track the evolution of these standards and incorporate changes and
additions as appropriate.

New Work items for PKIX

- production of a requirements RFC for delegated path discovery and
  path validation protocols (DPD/DPV) and subsequent production of
  RFCs for protocols that satisfy the requirements

- development of a logotype extension for certificates 

- development of a proxy certificate extension and associated
  processing rules

- development of an informational document on PKI disaster recovery

These work items may become standards track, INFORMATIONAL or
EXPERIMENTAL RFCs, or may not even be published as RFCs.

Other deliverables may be agreed upon as extensions are proposed.
New deliverables must be approved by the Security Area Directors
before inclusion on the charter or IETF meeting agendas.

 Goals and Milestones:

   Done         Complete approval of CMC, and qualified certificates documents 

   Done         Complete time stamping document 

   Done         Continue attribute certificate profile work 

   Done         Complete data certification document 

   Done         Complete work on attribute certificate profile 

   Done         Standard RFCs for public key and attribute certificate 
                profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, 
                LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP 

   Done         INFORMATIONAL RFCs for X.509 PKI policies and practices, use of 
                KEA 

   Done         Experimental RFC for Data Validation and Certification Server 
                Protocols 

   Done         Production of revised certificate and CRL syntax and processing 
                RFC (son-of-2459) 

   Done         DPD/DVP Requirements RFC 

   Done         Certificate Policy & CPS Informational RFC (revision) 

   Done         Logotype Extension RFC 

   Done         Proxy Certificate RFC 

   Done         Cert Path Building approved as Informational RFC 

   Done         CRMFbis approved as PROPOSED Standard RFC 

   Done         CMPbis approved as PROPOSED Standard RFC 

   Done         Principal Identifier approved as PROPOSED Standard RFC 

   Done         Warranty Extensions approved as Informational RFC 

   Done         Certificate Store approved as Informational RFC 

   Done         PKIX Repository approved as Informational RFC 

   Done         Subject Identification Method as Informational RFC 

   Done         GOST Cryptographic Algorithms (RFC 4491) 

   Done         Update to DirectoryString Processing for RFC 3280 

   Done         Attribute Certificate Policies approved as PROPOSED Standard 
                (RFC 4476) 

   Jul 2007       Update to CMC approved as PROPOSED Standard 

   Sep 2007       Progression of CRMF, CMP, and CMP Transport to DRAFT Standard 

   Sep 2007       Progression of Qualified Certificates Profile RFC to DRAFT 
                Standard 

   Sep 2007       Progression of Certificate & CRL Profile RFC to DRAFT Standard 

   Sep 2007       Progression of Time Stamp Protocols RFC to DRAFT Standard 

   Sep 2007       Progression of Logotype RFC to DRAFT Standard 

   Nov 2007       Progression of Proxy Certificate RFC to DRAFT Standard 

   Nov 2007       Progression of Attribute Certificate Profile RFC to DRAFT 
                standard 

   Nov 2007       ECC Algorithms approved as PROPOSED Standard RFC 

   Mar 2008       Progression of CMC RFCs to DRAFT Standard 

   Mar 2008       SCVP approved as PROPOSED Standard RFC 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jun 1999 Jan 2007   <draft-ietf-pkix-scvp-31.txt>
                Server-based Certificate Validation Protocol (SCVP) 

Mar 2001 Mar 2006   <draft-ietf-pkix-2797-bis-04.txt>
                Certificate Management Messages over CMS 

Jul 2001 May 2006   <draft-ietf-pkix-cmc-trans-05.txt>
                Certificate Management over CMS (CMC) Transport Protocols 

Jul 2001 Mar 2006   <draft-ietf-pkix-cmc-compl-03.txt>
                CMC Complience Document 

Oct 2004 Jun 2007   <draft-ietf-pkix-lightweight-ocsp-profile-11.txt>
                Lightweight OCSP Profile for High Volume Environments 

Apr 2005 Feb 2007   <draft-ietf-pkix-rfc3280bis-08.txt>
                Internet X.509 Public Key Infrastructure Certificate and 
                Certificate Revocation List (CRL) Profile 

Sep 2005 May 2007   <draft-ietf-pkix-srvsan-05.txt>
                Internet X.509 Public Key Infrastructure Subject Alternative 
                Name for expression of service name 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC2459 PS   Jan 1999    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC2510 PS   Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC2511 PS   Mar 1999    Internet X.509 Certificate Request Message Format 

RFC2527 I    Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC2528 I    Mar 1999    Internet X.509 Public Key Infrastructure Representation 
                       of Key Exchange Algorithm (KEA) Keys in Internet X.509 
                       Public Key Infrastructure Certificates 

RFC2559 PS   Apr 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols - LDAPv2 

RFC2585 PS   May 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: FTP and HTTP 

RFC2587 PS   Jun 1999    Internet X.509 Public Key Infrastructure LDAPv2 Schema 

RFC2560 PS   Jun 1999    X.509 Internet Public Key Infrastructure Online 
                       Certificate Status Protocol - OCSP 

RFC2797 PS   May 2000    Certificate Management Messages over CMS 

RFC2875 PS   Jul 2000    Diffie-Hellman Proof-of-Possession Algorithms 

RFC3039 PS   Jan 2001    Internet X.509 Public Key Infrastructure Qualified 
                       Certificates Profile 

RFC3029 E    Feb 2001    Internet X.509 Public Key Infrastructure Data Validation 
                       and Certification Server Protocols 

RFC3161 PS   Aug 2001    Internet X.509 Public Key Infrastructure Time Stamp 
                       Protocols (TSP) 

RFC3279 PS   May 2002    Algorithms and Identifiers for the Internet X.509 Public 
                       Key Infrastructure Certificate and CRI Profile 

RFC3280 PS   May 2002    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC3281 PS   May 2002    An Internet Attribute Certificate Profile for 
                       Authorization 

RFC3379 I    Sep 2002    Delegated Path Validation and Delegated Path Discovery 
                       Protocol Requirements 

RFC3628 I    Nov 2003    Policy Requirements for Time-Stamping Authorities 

RFC3647 I    Nov 2003    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC3709Standard  Feb 2004    Internet X.509 Public Key Infrastructure: Logotypes in 
                       X.509 certificates 

RFC3739Standard  Mar 2004    Internet X.509 Public Key Infrastructure: Qualified 
                       Certificates Profile 

RFC3770Standard  May 2004    Certificate Extensions and Attributes Supporting 
                       Authentication in PPP and Wireless LAN 

RFC3779Standard  Jun 2004    X.509 Extensions for IP Addresses and AS Identifiers 

RFC3820Standard  Jul 2004    Internet X.509 Public Key Infrastructure Proxy 
                       Certificate Profile 

RFC3874 I    Sep 2004    A 224-bit One-way Hash Function: SHA-224 

RFC4059 I    May 2005    Internet X.509 Public Key Infrastructure Warranty 
                       Certificate Extension 

RFC4043Standard  May 2005    Internet X.509 Public Key Infrastructure Permanent 
                       Identifier 

RFC4055Standard  Jun 2005    Additional Algorithms and Identifiers for RSA 
                       Cryptography for use in the Internet X.509 Public Key 
                       Infrastructure Certificate and Certificate Revocation 
                       List (CRL) Profile 

RFC4158 I    Sep 2005    Internet X.509 Public Key Infrastructure: Certification 
                       Path Building 

RFC4210Standard  Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC4211Standard  Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Request Message Format (CRMF) 

RFC4325Standard  Dec 2005    Internet X.509 Public Key Infrastructure Authority 
                       Information Access Certificate Revocation List (CRL) 
                       Extension 

RFC4334Standard  Feb 2006    Certificate Extensions and Attributes Supporting 
                       Authentication in Point-to-Point Protocol (PPP) and 
                       Wireless Local Area Networks (WLAN) 

RFC4386 E    Feb 2006    Internet X.509 Public Key Infrastructure Repository 
                       Locator Service 

RFC4387Standard  Feb 2006    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: Certificate Store Access via HTTP 

RFC4476 PS   May 2006    Attribute Certificate (AC) Policies Extension 

RFC4491 PS   May 2006    Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 
                       34.11-94 algorithms with the Internet X.509 Public Key 
                       Infrastructure Certificate and CRL Profile. 

RFC4630 PS   Aug 2006    Update to DirectoryString Processing in the Internet 
                       X.509 Public Key Infrastructure Certificate and 
                       Certificate Revocation List (CRL) Profile 

RFC4683 PS   Oct 2006    Internet X.509 Public Key Infrastructure Subject 
                       Identification Method (SIM)