The RFC Archive
 The RFC Archive   RFC 2585   « Jump to any RFC number directly 
 RFC Home
Full RFC Index
Recent RFCs
RFC Standards
Best Current Practice
RFC Errata
1 April RFC



IETF RFC 2585

Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP

Last modified on Thursday, May 13th, 1999

Permanent link to RFC 2585
Search GitHub Wiki for RFC 2585
Show other RFCs mentioning RFC 2585







Network Working Group                                        R. Housley
Request for Comments: 2585                                       SPYRUS
Category: Standards Track                                  P. Hoffman
                                                                    IMC
                                                               May 1999


                Internet X.509 Public Key Infrastructure
                  Operational Protocols: FTP and HTTP

 Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

 Copyright Notice

   Copyright © The Internet Society (1999).  All Rights Reserved.

 Abstract

   The protocol conventions described in this document satisfy some of
   the operational requirements of the Internet Public Key
   Infrastructure (PKI).  This document specifies the conventions for
   using the File Transfer Protocol (FTP) and the Hypertext Transfer
   Protocol (HTTP) to obtain certificates and certificate revocation
   lists (CRLs) from PKI repositories.  Additional mechanisms addressing
   PKIX operational requirements are specified in separate documents.

1  Introduction

   This specification is part of a multi-part standard for the Internet
   Public Key Infrastructure (PKI) using X.509 certificates and
   certificate revocation lists (CRLs).  This document specifies the
   conventions for using the File Transfer Protocol (FTP) and the
   Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs
   from PKI repositories.  Additional mechanisms addressing PKI
   repository access are specified in separate documents.










Housley & Hoffman           Standards Track                  PAGE 1 top


RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 1.1. Model The following is a simplified view of the architectural model assumed by the Internet PKI specifications. +---+ | C | +------------+ | e | <-------------------->| End entity | | r | Operational +------------+ | t | transactions ^ | | and management | Management | / | transactions | transactions | | | PKI users | C | v | R | -------------------+--+-----------+----------------- | L | ^ ^ | | | | PKI management | | v | entities | R | +------+ | | e | <---------------------| RA | <---+ | | p | Publish certificate +------+ | | | o | | | | s | | | | I | v v | t | +------------+ | o | <------------------------------| CA | | r | Publish certificate +------------+ | y | Publish CRL ^ | | | +---+ Management | transactions | v +------+ | CA | +------+ The components in this model are: End Entity: user of PKI certificates and/or end user system that is the subject of a certificate; CA: certification authority; RA: registration authority, i.e., an optional system to which a CA delegates certain management functions; Housley & Hoffman Standards Track PAGE 2 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 Repository: a system or collection of distributed systems that store certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities. 1.2. Certificate and CRL Repository Some CAs mandate the use of on-line validation services, while others distribute CRLs to allow certificate users to perform certificate validation themselves. In general, CAs make CRLs available to certificate users by publishing them in the Directory. The Directory is also the normal distribution mechanism for certificates. However, Directory Services are not available in many parts of the Internet today. The File Transfer Protocol (FTP) defined in RFC 959 and the Hypertext Transfer Protocol (HTTP) defined in RFC 2068 offer alternate methods for certificate and CRL distribution. End entities and CAs may retrieve certificates and CRLs from the repository using FTP or HTTP. End entities may publish their own certificate in the repository using FTP or HTTP, and RAs and CAs may publish certificates and CRLs in the repository using FTP or HTTP. 2 FTP Conventions Within certificate extensions and CRL extensions, the URI form of GeneralName is used to specify the location where issuer certificates and CRLs may be obtained. For instance, a URI identifying the subject of a certificate may be carried in subjectAltName certificate extension. An IA5String describes the use of anonymous FTP to fetch certificate or CRL information. For example: ftp://ftp.netcom.com/sp/spyrus/housley.cer ftp://ftp.your.org/pki/id48.cer ftp://ftp.your.org/pki/id48.no42.crl Internet users may publish the URI reference to a file that contains their certificate on their business card. This practice is useful when there is no Directory entry for that user. FTP is widely deployed, and anonymous FTP are accommodated by many firewalls. Thus, FTP is an attractive alternative to Directory access protocols for certificate and CRL distribution. While this service satisfies the requirement to retrieve information related to a certificate which is already identified by a URI, it is not intended to satisfy the more general problem of finding a certificate for a user about whom some other information, such as their electronic mail address or corporate affiliation, is known. Housley & Hoffman Standards Track PAGE 3 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 For convenience, the names of files that contain certificates should have a suffix of ".cer". Each ".cer" file contains exactly one certificate, encoded in DER format. Likewise, the names of files that contain CRLs should have a suffix of ".crl". Each ".crl" file contains exactly one CRL, encoded in DER format. 3 HTTP Conventions Within certificate extensions and CRL extensions, the URI form of GeneralName is used to specify the location where issuer certificates and CRLs may be obtained. For instance, a URI identifying the subject of a certificate may be carried in subjectAltName certificate extension. An IA5String describes the use of HTTP to fetch certificate or CRL information. For example: http://www.netcom.com/sp/spyrus/housley.cer http://www.your.org/pki/id48.cer http://www.your.org/pki/id48.no42.crl Internet users may publish the URI reference to a file that contains their certificate on their business card. This practice is useful when there is no Directory entry for that user. HTTP is widely deployed, and HTTP is accommodated by many firewalls. Thus, HTTP is an attractive alternative to Directory access protocols for certificate and CRL distribution. While this service satisfies the requirement to retrieve information related to a certificate which is already identified by a URI, it is not intended to satisfy the more general problem of finding a certificate for a user about whom some other information, such as their electronic mail address or corporate affiliation, is known. For convenience, the names of files that contain certificates should have a suffix of ".cer". Each ".cer" file contains exactly one certificate, encoded in DER format. Likewise, the names of files that contain CRLs should have a suffix of ".crl". Each ".crl" file contains exactly one CRL, encoded in DER format. 4 MIME registrations Two MIME types are defined to support the transfer of certificates and CRLs. They are: application/pkix-cert application/pkix-crl Housley & Hoffman Standards Track PAGE 4 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 4.1. application/pkix-cert To: ietf-types@iana.org Subject: Registration of MIME media type application/pkix-cert MIME media type name: application MIME subtype name: pkix-cert Required parameters: None Optional parameters: version (default value is "1") Encoding considerations: will be none for 8-bit transports and most likely Base64 for SMTP or other 7-bit transports Security considerations: Carries a cryptographic certificate Interoperability considerations: None Published specification: draft-ietf-pkix-ipki-part1 Applications which use this media type: Any MIME-complaint transport Additional information: Magic number(s): None File extension(s): .CER Macintosh File Type Code(s): none Person & email address to contact for further information: Russ Housley <housley@spyrus.com> Intended usage: COMMON Author/Change controller: Russ Housley <housley@spyrus.com> 4.2. application/pkix-crl To: ietf-types@iana.org Subject: Registration of MIME media type application/pkix-crl MIME media type name: application MIME subtype name: pkix-crl Required parameters: None Housley & Hoffman Standards Track PAGE 5 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 Optional parameters: version (default value is "1") Encoding considerations: will be none for 8-bit transports and most likely Base64 for SMTP or other 7-bit transports Security considerations: Carries a cryptographic certificate revocation list Interoperability considerations: None Published specification: draft-ietf-pkix-ipki-part1 Applications which use this media type: Any MIME-complaint transport Additional information: Magic number(s): None File extension(s): .CRL Macintosh File Type Code(s): none Person & email address to contact for further information: Russ Housley <housley@spyrus.com> Intended usage: COMMON Author/Change controller: Russ Housley <housley@spyrus.com> References [RFC 959] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)", STD 5, RFC 959, October 1985. [RFC 1738] Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform Resource Locators (URL)", RFC 1738, December 1994. [RFC 2068] Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and T. Berners-Lee; "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997. Security Considerations Since certificates and CRLs are digitally signed, no additional integrity service is necessary. Neither certificates nor CRLs need be kept secret, and anonymous access to certificates and CRLs is generally acceptable. Thus, no privacy service is necessary. Housley & Hoffman Standards Track PAGE 6 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 HTTP caching proxies are common on the Internet, and some proxies do not check for the latest version of an object correctly. If an HTTP request for a certificate or CRL goes through a misconfigured or otherwise broken proxy, the proxy may return an out-of-date response. Operators of FTP sites and World Wide Web servers should authenticate end entities who publish certificates as well as CAs and RAs who publish certificates and CRLs. However, authentication is not necessary to retrieve certificates and CRLs. Authors' Addresses Russell Housley SPYRUS 381 Elden Street, Suite 1120 Herndon, VA 20170 USA EMail: housley@spyrus.com Paul Hoffman Internet Mail Consortium 127 Segre Place Santa Cruz, CA 95060 USA EMail: phoffman@imc.org Housley & Hoffman Standards Track PAGE 7 top

RFC 2585 PKIX Operational Protocols: FTP and HTTP May 1999 Full Copyright Statement Copyright © The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Housley & Hoffman Standards Track PAGE 8 top

Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP RFC TOTAL SIZE: 14813 bytes PUBLICATION DATE: Thursday, May 13th, 1999 LEGAL RIGHTS: The IETF Trust (see BCP 78)


RFC-ARCHIVE.ORG

© RFC 2585: The IETF Trust, Thursday, May 13th, 1999
© the RFC Archive, 2024, RFC-Archive.org
Maintainer: J. Tunnissen

Privacy Statement