PKI Technical Standards
What follows is a comprehensive set of lists of applicable PKI standards. |
Notes: Standards tend to migrate from one body to another as they mature and are ratified and adopted by steadily bigger groups. Over time this can lead to redundant standards documents. For instance, most of the RSA Laboratories' PKCS series have now been adopted by the IETF; such standards can appear more than once in the lists below. A nearly complete compendium of information security standards was produced by APEC and is available from the Federal PKI Steering Committee website: APEC Standards Handbook. |
Important PKI Standards Organisations |
PKIX - the public key working group of the IETF |
IETF Security Area |
RSA PKCS - Standards Series |
IEEE Standards for Public Key Cryptography |
European Telecommunications Standards Institute |
IPSEC - (IETF) |
S/MIME Mail Security (IETF) - See also Internet Mail Consortium S/MIME site |
Transport Layer Security (TLS) - (IETF) |
NIST PKI Program - i.e. the National Institute of Standards and Technology. |
NIST Federal PKI Technical Working Group |
NIST PKI Program Document registers |
ANSI X9 - Financial Industry Standards |
Internet Mail Consortium |
Open Specification for Pretty Good Privacy |
The Major PKI Related RFCs |
The chair of the IETF's PKIX Working Group once named these as the most important of their RFCs to do with public key security. All other PKI related RFCs are listed further below. |
RFC3820 - Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile |
RFC2560 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP |
RFC2527 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. Superseded by RFC 3647. |
RFC3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework. Supersedes RFC 2527. |
RFC2511 - Internet X.509 Certificate Request Message Format |
RFC2797 - Certificate Management Messages over CMS |
RFC3039 - Internet X.509 Public Key Infrastructure Qualified Certificates Profile |
RFC3161 - Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) |
RFC3281 - An Internet Attribute Certificate Profile for Authorization |
Other PKI related RFCs |
RFC2510 - Internet X.509 Public Key Infrastructure Certificate Management Protocols |
RFC2585 - Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP |
RFC2587 - Internet X.509 Public Key Infrastructure LDAPv2 Schema |
Other Cryptography Related RFCs |
RFC3779 - X.509 Extensions for IP Addresses and AS Identifiers |
BCP0086 - Determining Strengths For Public Keys Used For Exchanging Symmetric Keys |
RFC3739 - Internet X.509 Public Key Infrastructure: Qualified Certificates Profile |
RFC3709 - Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates |
RFC3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
RFC3628 - Policy Requirements for Time-Stamping Authorities (TSAs) |
RFC3447 - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 |
RFC3379 - Delegated Path Validation and Delegated Path Discovery Protocol Requirements |
RFC3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
RFC3279 - Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
RFC3278 - Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS) |
RFC3029 - Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols |
RFC2986 - PKCS #10: Certification Request Syntax Specification Version 1.7 |
RFC2985 - PKCS #9: Selected Object Classes and Attribute Types Version 2.0 |
RFC2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0 |
RFC2847 - LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM |
RFC2693 - SPKI Certificate Theory |
RFC2692 - SPKI Requirements |
RFC2559 - Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2 |
RFC2528 - Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Certificates |
RFC2510 - Internet X.509 Public Key Infrastructure Certificate Management Protocols |
RFC2459 - Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
RFC2437 - PKCS #1: RSA Cryptography Specifications Version 2.0 |
RFC2314 - PKCS #10: Certification Request Syntax Version 1.5 |
RFC2313 - PKCS #1: RSA Encryption Version 1.5 |
RFC2025 - The Simple Public-Key GSS-API Mechanism (SPKM) |
RFC1824 - The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4) |
Other Security and Crypto Standards |
Federal Information Processing Standards Publications - (FIPS PUBS) |
FIPS PUB 140-2 - Security Requirements for Cryptographic Modules. Note that this page includes links to the standard as well as its Annexes, plus testing requirements and lists of current validated products. |
Special Publication 800-29 - A Comparison of the Security Requirements in Cryptographic Modules in FIPS 140-1 and FIPS 140-2 |
FIPS PUB 140-1 - Security Requirements for Cryptographic Modules (now superseded by FIPS 140-2) |
ISO/IEC 15408:2000 - Common Criteria; see also Dutch Common Criteria site |
ANSI Financial Industry PKI Standards |
X9.30 Part 1:1997 - Public Key Cryptography Using Irreversible Algorithm: Digital Signature Algorithm (DSA) |
X9.30 Part 2:1997 - Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry, Part 2: The Secure Hash Algorithm |
X9.31:1998 - Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA) |
X9.42:2003 - Public Key Cryptography for Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography |
X9.55:1997 - Certificate Extensions for Multi-Domain Operations |
X9.57:1997 - Public Key Cryptography For the Financial Services Industry: Certificate Management |
X9.62:1998 - Public Key Cryptography: The Elliptic Curve Digital Signature Algorithm (ECDSA) |
X9.63:2001 - Key Agreement and Key Management Using Elliptic Curve-Based Cryptography |
X9.68 Part 2:2001 - Digital Certificates for High Transaction Volume Financial Systems |
X9.69:1998 - Framework for Key Management Extensions |
X9.73:2003 - Cryptographic Message Syntax |
X9.79:2001 - PKI Practices and Policy Framework for the Financial Services Industry. Important standard upon which WebTrust for CAs was developed. |
ANSI Financial Industry PKI Standards IN DEVELOPMENT |
X9.77:200X - Public Key Infrastructure Protocols. Withdrawn |
X9.79 Part 2:200X - Protection Profiles for Certificate Issuing and Management Systems. Committee Voting |
X9.88:200X - Long Term Non-Repudiation Using Digital Signatures. Withdrawn |
X9.89-200X - Management Protocols for Short Certificates. Withdrawn |
ISO PKI Standards |
ISO/CD 11568 - Financial services -- Key management (retail) Parts 1, 3, 4 and 5 |
ISO 13491-1:1998 - Banking -- Secure cryptographic devices (retail) -- Part 1: Concepts, requirements and evaluation methods |
ISO 15782-1:2003 - Banking -- Certificate management for financial services -- Part 1: Public key certificates |
ISO 15782-2:2001 - Banking -- Certificate management -- Part 2: Certificate extensions |
ISO/TS 17090-1:2002 - Health informatics -- Public key infrastructure -- Parts 1-3: Framework and overview, Certificate profile, and Policy management of certification authority |
ISO/CD 21188 - Public key infrastructure for financial services -- Practices and policy framework |
PKCS Series |
The PKCS series of cryptographic standards is managed by RSA Security Inc. The PKCS standards have moved beyond being proprietary and have equivalent standing in most of the PKI community as IETF or IEEE standards. |
PKCS #1 - RSA Cryptography Standard |
PKCS #3 - Diffie-Hellman Key Agreement Standard |
PKCS #5 - Password-Based Cryptography Standard |
PKCS #6 - Extended-Certificate Syntax Standard |
PKCS #7 - Cryptographic Message Syntax Standard |
PKCS #8 - Private-Key Information Syntax Standard |
PKCS #9 - Selected Attribute Types |
PKCS #10 - Certification Request Syntax Standard |
PKCS #11 - Cryptographic Token Interface Standard |
PKCS #12 - Personal Information Exchange Syntax Standard |
PKCS #13 - Elliptic Curve Cryptography Standard |
PKCS #15 - Cryptographic Token Information Format Standard |
Smartcard Standards & Guidelines |
ISO 7810 and ISO 7816 - Peak international physical, mechanical and electronic standards for plastic cards with embedded chips. |
PC/SC - Smart card reader architecture specification for PCs. See also specs |
NIST Smartcards standards and research - Home page for the National Institute of Standards and Technology smartcard related activities |
ISO 14443 - Defines the RFID proximity smart card standard (two types with different modulation specs) |
US Government Smart Card Handbook - by the US General Services Administration |
European Electronic Signature Standards |
A comprehensive list of relevant standards including certificate profiles is available at ETSI. See also ETSI FAQ. |
TS 101 862 v.1.3.1 - Qualified Certificate Profile, based on RFC 3679 X.509 Public Key Infrastructure Qualified Certificates Profile |
TS 101 903 v.1.2.2 - XML Advanced Electronic Signatures (XAdES); specifies the XML format for Advanced Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures. |
PKI Based Protocols |
IPSEC - A comprehensive list of IPSEC related RFCs and Internet Drafts is available at the Working Group Home Page: IPSEC Charter. See also Advanced Engineering Resources above. |
SSL - SSL v3.0 Specification. See also Advanced Engineering Resources above. |
TLS - RFC 2246 the TLS Protocol Version 1.0. See also Advanced Engineering Resources above. |
S/MIME - A comprehensive list of S/MIME related RFCs and Internet Drafts is available at the Working Group Home Page: S/MIME Home. Further links to related e-mail fundamentals (such as MIME, IMAP and POP) are collected at Web docs. See also Advanced Engineering Resources above. |
Alternative, Novel, Developmental and Historical Public Key Management Systems |
PGP - Pretty Good Privacy |
The latest technical developments on PGP standards are at Open PGP. For information about products, see commercial PGP and for PGP shareware, see free PGP. |
OpenPGP Message Format - All information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. |
RFC 3156 - MIME Security with OpenPGP. This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol |
PEM - Privacy Enhanced Email |
RFC 1424 - Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services (Standard). This document describes three types of service in support of Internet Privacy-Enhanced Mail (PEM) [RFC 1421-1424]: key certification, certificate-revocation list (CRL) storage, and CRL retrieval. Such services are among those required of an RFC 1422 certification authority. |
RFC 1423 - Privacy Enhancement for Internet Electronic Mail (PEM): Part III: Algorithms, Modes, and Identifiers. This document provides definitions, formats, references, and citations for cryptographic algorithms, usage modes, and associated identifiers and parameters used in support of Privacy Enhanced Mail (PEM) in the Internet community. |
RFC 1422 - Privacy Enhancement for Internet Electronic Mail (PEM): Part II: Certificate-Based Key Management. This document defines a supporting key management architecture and infrastructure, based on public-key certificate techniques, to provide keying information to message originators and recipients. RFC 1424 provides additional specifications for services in conjunction with the key management infrastructure described herein. |
RFC 1421 - Privacy Enhancement for Internet Electronic Mail (PEM): Part I: Message Encryption and Authentication Procedures. This document defines message encryption and authentication procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail transfer in the Internet. |
Simple PKI |
See SPKI Charter. "The IETF Simple Public Key Infrastructure [SPKI] Working Group is tasked with producing a certificate structure and operating procedure to meet the needs of the Internet community for trust management in as easy, simple and extensible a way as possible." Note that the last update to the SPKI Goals and Milestones was in 1997, and the latest RFC dates from 1999. |
RFC 2692 - SPKI Requirements. The SPKI Working Group first established a list of things one might want to do with certificates (attached at the end of this document), and then summarized that list of desires into requirements. This document presents that summary of requirements. |
RFC 2693 - SPKI Certificate Theory. This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. |