RFC 2459        Internet X.509 Public Key Infrastructure    January 1999


1  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  This specification
   is a standalone document; implementations of this standard may
   proceed independent from the other parts.

   This specification profiles the format and semantics of certificates
   and certificate revocation lists for the Internet PKI.  Procedures
   are described for processing of certification paths in the Internet
   environment.  Encoding rules are provided for popular cryptographic
   algorithms.  Finally, ASN.1 modules are provided in the appendices
   for all data structures defined or referenced.

   The specification describes the requirements which inspire the
   creation of this document and the assumptions which affect its scope
   in Section 2.  Section 3 presents an architectural model and
   describes its relationship to previous IETF and ISO/IEC/ITU
   standards.  In particular, this document's relationship with the IETF
   PEM specifications and the ISO/IEC/ITU X.509 documents are described.

   The specification profiles the X.509 version 3 certificate in Section
   4, and the X.509 version 2 certificate revocation list (CRL) in
   Section 5. The profiles include the identification of ISO/IEC/ITU and
   ANSI extensions which may be useful in the Internet PKI. The profiles
   are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather
   than the 1994 syntax used in the ISO/IEC/ITU standards.

   This specification also includes path validation procedures in
   Section 6.  These procedures are based upon the ISO/IEC/ITU
   definition, but the presentation assumes one or more self-signed
   trusted CA certificates.  Implementations are required to derive the
   same results but are not required to use the specified procedures.

   Section 7 of the specification describes procedures for
   identification and encoding of public key materials and digital
   signatures.  Implementations are not required to use any particular
   cryptographic algorithms.  However, conforming implementations which
   use the identified algorithms are required to identify and encode the
   public key materials and digital signatures as described.

   Finally, four appendices are provided to aid implementers.  Appendix
   A contains all ASN.1 structures defined or referenced within this
   specification.  As above, the material is presented in the 1988
   Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax.
   Appendix B contains the same information in the 1994 ASN.1 notation
   as a service to implementers using updated toolsets.  However,
   Appendix A takes precedence in case of conflict.  Appendix C contains




 
RFC 2459        Internet X.509 Public Key Infrastructure    January 1999


   notes on less familiar features of the ASN.1 notation used within
   this specification.  Appendix D contains examples of a conforming
   certificate and a conforming CRL.

2  Requirements and Assumptions

   The goal of this specification is to develop a profile to facilitate
   the use of X.509 certificates within Internet applications for those
   communities wishing to make use of X.509 technology. Such
   applications may include WWW, electronic mail, user authentication,
   and IPsec.  In order to relieve some of the obstacles to using X.509
   certificates, this document defines a profile to promote the
   development of certificate management systems; development of
   application tools; and interoperability determined by policy.