PROXY  WHOIS  RQUOTE  TEXTS  SOFT  FOREX  BBOARD
 Music  Philosophy  Code  Literature  Russian

= ROOT|Technical|RFC|rfc2459.txt =

page 8 of 73 




   Operational protocols are required to deliver certificates and CRLs
   (or status information) to certificate using client systems.
   Provision is needed for a variety of different means of certificate
   and CRL delivery, including distribution procedures based on LDAP,
   HTTP, FTP, and X.500.  Operational protocols supporting these
   functions are defined in other PKIX specifications.  These
   specifications may include definitions of message formats and
   procedures for supporting all of the above operational environments,
   including definitions of or references to appropriate MIME content
   types.

3.5  Management Protocols

   Management protocols are required to support on-line interactions
   between PKI user and management entities.  For example, a management
   protocol might be used between a CA and a client system with which a
   key pair is associated, or between two CAs which cross-certify each
   other.  The set of functions which potentially need to be supported
   by management protocols include:

      (a)  registration:  This is the process whereby a user first makes
      itself known to a CA (directly, or through an RA), prior to that
      CA issuing  a certificate or certificates for that user.






 
RFC 2459        Internet X.509 Public Key Infrastructure    January 1999


      (b)  initialization:  Before a client system can operate securely
      it is necessary to install key materials which have the
      appropriate relationship with keys stored elsewhere in the
      infrastructure.  For example, the client needs to be securely
      initialized with the public key and other assured information of
      the trusted CA(s), to be used in validating certificate paths.
      Furthermore, a client typically needs to be initialized with its
      own key pair(s).

      (c)  certification:  This  is the process in which a CA issues a
      certificate for a user's public key, and returns that certificate
      to the user's client system and/or posts that certificate in a
      repository.

      (d)  key pair recovery:  As an option, user client key materials
      (e.g., a user's private key used for encryption purposes) may be
      backed up by a CA or a key backup system.  If a user needs to
      recover these backed up key materials (e.g., as a result of a
      forgotten password or a lost key chain file), an on-line protocol
      exchange may be needed to support such recovery.

      (e)  key pair update:  All key pairs need to be updated regularly,
      i.e., replaced with a new key pair, and new certificates issued.

      (f)  revocation request:  An authorized person advises a CA of an
      abnormal situation requiring certificate revocation.

      (g)  cross-certification:  Two CAs exchange information used in
      establishing a cross-certificate. A cross-certificate is a
      certificate issued by one CA to another CA which contains a CA
      signature key used for issuing certificates.

   Note that on-line protocols are not the only way of implementing the
   above functions.  For all functions there are off-line methods of
   achieving the same result, and this specification does not mandate
   use of on-line protocols.  For example, when hardware tokens are
   used, many of the functions may be achieved as part of the physical
   token delivery.  Furthermore, some of the above functions may be
   combined into one protocol exchange.  In particular, two or more of
   the registration, initialization, and certification functions can be
   combined into one protocol exchange.

   The PKIX series of specifications may define a set of standard
   message formats supporting the above functions in future
   specifications.  In that case, the protocols for conveying these
   messages in different environments (e.g., on-line, file transfer, e-
   mail, and WWW) will also be described in those specifications.





 
RFC 2459        Internet X.509 Public Key Infrastructure    January 1999


4  Certificate and Certificate Extensions Profile

   This section presents a profile for public key certificates that will
   foster interoperability and a reusable PKI.  This section is based
   upon the X.509 v3 certificate format and the standard certificate
   extensions defined in [X.509].  The ISO/IEC/ITU documents use the
   1993 version of ASN.1; while this document uses the 1988 ASN.1
   syntax, the encoded certificate and standard extensions are
   equivalent.  This section also defines private extensions required to
   support a PKI for the Internet community.
=8=

1|2|3|4|5|6|7| < PREV = PAGE 8 = NEXT > |9|10|11|12|13|14|15|16|17.73

UP TO ROOT | UP TO DIR | TO FIRST PAGE

Google
 


E-mail Facebook Google Digg del.icio.us BlinkList Fark Furl Ma.gnolia Netscape NewsVine Reddit Slashdot Spurl StumbleUpon Technorati YahooMyWeb LiveJournal Blogmarks TwitThis Live News2.ru BobrDobr.ru Memori.ru MoeMesto.ru

0.0286472 wallclock secs ( 0.01 usr + 0.00 sys = 0.01 CPU)