Public-Key Infrastructure (X.509) (pkix)
----------------------------------------

 Charter
 Last Modified: 2009-09-09

 Current Status: Active Working Group

 Chair(s):
     Stephen Kent  <kent@bbn.com>
     Stefan Santesson  <stefan@aaa-sec.com>

 Security Area Director(s):
     Tim Polk  <tim.polk@nist.gov>
     Pasi Eronen  <pasi.eronen@nokia.com>

 Security Area Advisor:
     Tim Polk  <tim.polk@nist.gov>

 Mailing Lists:
     General Discussion: pkix@ietf.org
     To Subscribe:       pkix-request@ietf.org
         In Body:        subscribe
     Archive:            http://www.ietf.org/mail-archive/web/pkix/current/maillist.html

Description of Working Group:

The PKIX Working Group was established in the fall of 1995 with the 
goal of developing Internet standards to support X.509-based Public 
Key Infrastructures (PKIs). Initially PKIX pursued this goal by 
profiling X.509 standards developed by the CCITT (later the ITU-T). 
Later, PKIX initiated the development of standards that are not 
profiles of ITU-T work, but rather are independent initiatives 
designed to address X.509-based PKI needs in the Internet. Over time 
this latter category of work has become the major focus of PKIX work, 
i.e., most PKIX-generated RFCs are no longer profiles of ITU-T X.509 
documents.

PKIX has produced a number of standards track and informational RFCs. 
RFC 3280 (Certificate and CRL Profile) and RFC 3281 (Attribute 
Certificate Profile) are recent examples of standards track RFCs that 
profile ITU-T documents. RFC 2560 (Online Certificate Status 
Protocol), RFC 3779 (IP Address and AS Number Extensions), and RFC 
3161 (Time Stamp Authority) are examples of standards track RFCs that 
are IETF-initiated. RFC 4055 (RSA) and RFC 3874 (SHA2) are examples 
of informational RFCs that describe how to use public key and hash 
algorithms in PKIs.

PKIX Work Plan

PKIX will continue to track the evolution of ITU-T X.509 documents, 
and will maintain compatibility between these documents and IETF PKI 
standards, since the profiling of X.509 standards for use in the 
Internet remains an important topic for the working group.

PKIX does not endorse the use of specific cryptographic algorithms 
with its protocols. However, PKIX does publish standards track RFCs 
that describe how to identify algorithms and represent associated 
parameters in these protocols, and how to use these algorithms with 
these protocols. We anticipate efforts in this arena will continue to 
be required over time.

PKIX will pursue new work items in the PKI arena if working group 
members express sufficient interest, and if approved by the cognizant 
Security Area director. For example, certificate validation under 
X.509 and PKIX standards calls for a relying party to use a trust 
anchor as the start of a certificate path. Neither X.509 nor extant 
PKIX standards define protocols for the management of trust anchors. 
Existing mechanisms for managing trust anchors, e.g., in browsers, 
are limited in functionality and non-standard. There is considerable 
interest in the PKI community to define a standard model for trust 
anchor management, and standard protocols to allow remote management. 
Thus a future work item for PKIX is the definition of such protocols 
and associated data models.

 Goals and Milestones:

   Done         Complete approval of CMC, and qualified certificates documents 

   Done         Complete time stamping document 

   Done         Continue attribute certificate profile work 

   Done         Complete data certification document 

   Done         Complete work on attribute certificate profile 

   Done         Standard RFCs for public key and attribute certificate 
                profiles, CMP, OCSP, CMC, CRMF, TSP, Qualified Certificates, 
                LDAP v2 schema, use of FTP/HTTP, Diffie-Hellman POP 

   Done         INFORMATIONAL RFCs for X.509 PKI policies and practices, use of 
                KEA 

   Done         Experimental RFC for Data Validation and Certification Server 
                Protocols 

   Done         Production of revised certificate and CRL syntax and processing 
                RFC (son-of-2459) 

   Done         DPD/DVP Requirements RFC 

   Done         Certificate Policy & CPS Informational RFC (revision) 

   Done         Logotype Extension RFC 

   Done         Proxy Certificate RFC 

   Done         Cert Path Building approved as Informational RFC 

   Done         CRMFbis approved as PROPOSED Standard RFC 

   Done         CMPbis approved as PROPOSED Standard RFC 

   Done         Principal Identifier approved as PROPOSED Standard RFC 

   Done         Warranty Extensions approved as Informational RFC 

   Done         Certificate Store approved as Informational RFC 

   Done         PKIX Repository approved as Informational RFC 

   Done         Subject Identification Method as Informational RFC 

   Done         GOST Cryptographic Algorithms (RFC 4491) 

   Done         Update to DirectoryString Processing for RFC 3280 

   Done         Attribute Certificate Policies approved as PROPOSED Standard 
                (RFC 4476) 

   Sep 2007       Progression of CRMF, CMP, and CMP Transport to DRAFT Standard 

   Sep 2007       Progression of Qualified Certificates Profile RFC to DRAFT 
                Standard 

   Sep 2007       Progression of Certificate & CRL Profile RFC to DRAFT Standard 

   Sep 2007       Progression of Time Stamp Protocols RFC to DRAFT Standard 

   Sep 2007       Progression of Logotype RFC to DRAFT Standard 

   Nov 2007       Progression of Proxy Certificate RFC to DRAFT Standard 

   Nov 2007       Progression of Attribute Certificate Profile RFC to DRAFT 
                standard 

   Feb 2008       Update to CMC approved as PROPOSED Standard 

   Mar 2008       ECC Algorithms approved as PROPOSED Standard RFC 

   Mar 2008       Progression of CMC RFCs to DRAFT Standard 

   Mar 2008       SCVP approved as PROPOSED Standard RFC 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Jun 2000 Oct 2009   <draft-ietf-pkix-cmp-transport-protocols-07.txt>
                Internet X.509 Public Key Infrastructure -- Transport Protocols 
                for CMP 

Jun 2006 Oct 2009   <draft-ietf-pkix-sha2-dsa-ecdsa-10.txt>
                Internet X.509 Public Key Infrastructure: Additional Algorithms 
                and Identifiers for DSA and ECDSA 

Dec 2007 Aug 2009   <draft-ietf-pkix-new-asn1-07.txt>
                New ASN.1 Modules for PKIX 

Jan 2008 Mar 2009   <draft-ietf-pkix-rfc4055-update-02.txt>
                Update for RSAES-OAEP Algorithm Parameters 

Jun 2008 Sep 2009   <draft-ietf-pkix-ta-mgmt-reqs-04.txt>
                Trust Anchor Management Requirements 

Oct 2008 Oct 2009   <draft-ietf-pkix-tamp-04.txt>
                Trust Anchor Management Protocol (TAMP) 

Oct 2008 Oct 2009   <draft-ietf-pkix-ta-format-04.txt>
                Trust Anchor Format 

Oct 2008 Apr 2009   <draft-ietf-pkix-3281update-05.txt>
                An Internet Attribute Certificate Profile for Authorization 

Oct 2008 Oct 2009   <draft-ietf-pkix-authorityclearanceconstraints-03.txt>
                Clearance Attribute and Authority Clearance Constraints 
                Certificate Extension 

Mar 2009 Aug 2009   <draft-ietf-pkix-ocspagility-03.txt>
                OCSP Algorithm Agility 

May 2009 Nov 2009   <draft-ietf-pkix-certimage-03.txt>
                Internet X.509 Public Key Infrastructure - Certificate Image 

May 2009 May 2009   <draft-ietf-pkix-asn1-translation-00.txt>
                ASN.1 Translation 

Aug 2009 Oct 2009   <draft-ietf-pkix-attr-cert-mime-type-02.txt>
                The application/pkix-attr-cert Content Type for Attribute 
                Certificates 

Aug 2009 Oct 2009   <draft-ietf-pkix-rfc3161-update-09.txt>
                ESSCertIDv2 update for RFC 3161 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC2459 PS   Jan 1999    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC2510 PS   Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC2511 PS   Mar 1999    Internet X.509 Certificate Request Message Format 

RFC2527 I    Mar 1999    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC2528 I    Mar 1999    Internet X.509 Public Key Infrastructure Representation 
                       of Key Exchange Algorithm (KEA) Keys in Internet X.509 
                       Public Key Infrastructure Certificates 

RFC2559 PS   Apr 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols - LDAPv2 

RFC2585 PS   May 1999    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: FTP and HTTP 

RFC2587 PS   Jun 1999    Internet X.509 Public Key Infrastructure LDAPv2 Schema 

RFC2560 PS   Jun 1999    X.509 Internet Public Key Infrastructure Online 
                       Certificate Status Protocol - OCSP 

RFC2797 PS   May 2000    Certificate Management Messages over CMS 

RFC2875 PS   Jul 2000    Diffie-Hellman Proof-of-Possession Algorithms 

RFC3039 PS   Jan 2001    Internet X.509 Public Key Infrastructure Qualified 
                       Certificates Profile 

RFC3029 E    Feb 2001    Internet X.509 Public Key Infrastructure Data Validation 
                       and Certification Server Protocols 

RFC3161 PS   Aug 2001    Internet X.509 Public Key Infrastructure Time Stamp 
                       Protocols (TSP) 

RFC3279 PS   May 2002    Algorithms and Identifiers for the Internet X.509 Public 
                       Key Infrastructure Certificate and CRL Profile 

RFC3280 PS   May 2002    Internet X.509 Public Key Infrastructure Certificate and 
                       CRL Profile 

RFC3281 PS   May 2002    An Internet Attribute Certificate Profile for 
                       Authorization 

RFC3379 I    Sep 2002    Delegated Path Validation and Delegated Path Discovery 
                       Protocol Requirements 

RFC3647 I    Nov 2003    Internet X.509 Public Key Infrastructure Certificate 
                       Policy and Certification Practices Framework 

RFC3628 I    Nov 2003    Policy Requirements for Time-Stamping Authorities 

RFC3709 Standard  Feb 2004    Internet X.509 Public Key Infrastructure: Logotypes in 
                       X.509 certificates 

RFC3739 Standard  Mar 2004    Internet X.509 Public Key Infrastructure: Qualified 
                       Certificates Profile 

RFC3770 Standard  May 2004    Certificate Extensions and Attributes Supporting 
                       Authentication in PPP and Wireless LAN 

RFC3779 Standard  Jun 2004    X.509 Extensions for IP Addresses and AS Identifiers 

RFC3820 Standard  Jul 2004    Internet X.509 Public Key Infrastructure Proxy 
                       Certificate Profile 

RFC3874 I    Sep 2004    A 224-bit One-way Hash Function: SHA-224 

RFC4059 I    May 2005    Internet X.509 Public Key Infrastructure Warranty 
                       Certificate Extension 

RFC4043 Standard  May 2005    Internet X.509 Public Key Infrastructure Permanent 
                       Identifier 

RFC4055 Standard  Jun 2005    Additional Algorithms and Identifiers for RSA 
                       Cryptography for use in the Internet X.509 Public Key 
                       Infrastructure Certificate and Certificate Revocation 
                       List (CRL) Profile 

RFC4158 I    Sep 2005    Internet X.509 Public Key Infrastructure: Certification 
                       Path Building 

RFC4210 Standard  Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Management Protocols 

RFC4211 Standard  Oct 2005    Internet X.509 Public Key Infrastructure Certificate 
                       Request Message Format (CRMF) 

RFC4325 Standard  Dec 2005    Internet X.509 Public Key Infrastructure Authority 
                       Information Access Certificate Revocation List (CRL) 
                       Extension 

RFC4334 Standard  Feb 2006    Certificate Extensions and Attributes Supporting 
                       Authentication in Point-to-Point Protocol (PPP) and 
                       Wireless Local Area Networks (WLAN) 

RFC4386 E    Feb 2006    Internet X.509 Public Key Infrastructure Repository 
                       Locator Service 

RFC4387 Standard  Feb 2006    Internet X.509 Public Key Infrastructure Operational 
                       Protocols: Certificate Store Access via HTTP 

RFC4476 PS   May 2006    Attribute Certificate (AC) Policies Extension 

RFC4491 PS   May 2006    Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 
                       34.11-94 algorithms with the Internet X.509 Public Key 
                       Infrastructure Certificate and CRL Profile. 

RFC4630 PS   Aug 2006    Update to DirectoryString Processing in the Internet 
                       X.509 Public Key Infrastructure Certificate and 
                       Certificate Revocation List (CRL) Profile 

RFC4683 PS   Oct 2006    Internet X.509 Public Key Infrastructure Subject 
                       Identification Method (SIM) 

RFC4985 PS   Aug 2007    Internet X.509 Public Key Infrastructure Subject 
                       Alternative Name for expression of service name 

RFC5019 PS   Sep 2007    The Lightweight Online Certificate Status Protocol 
                       (OCSP) Profile for High-Volume Environments 

RFC5055 PS   Dec 2007    Server-based Certificate Validation Protocol (SCVP) 

RFC5280 Standard  May 2008    Internet X.509 Public Key Infrastructure Certificate and 
                       Certificate Revocation List (CRL) Profile 

RFC5272 PS   Jun 2008    Certificate Management Messages over CMS 

RFC5273 PS   Jun 2008    Certificate Management over CMS (CMC): Transport 
                       Protocols 

RFC5274 PS   Jun 2008    Certificate Management Messages over CMS (CMC): 
                       Compliance Requirements 

RFC5480 PS   Mar 2009    Elliptic Curve Cryptography Subject Public Key 
                       Information 

RFC5636 E    Aug 2009    Traceable Anonymous Certificate 

RFC5697 E    Nov 2009    Other Certificates Extension