HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 06:26:48 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Tue, 21 Oct 1997 17:15:00 GMT ETag: "361b18-2953-344ce314" Accept-Ranges: bytes Content-Length: 10579 Connection: close Content-Type: text/plain PKIX Working Group R. Housley Internet Draft SPYRUS expires in six months October 1997 Internet Public Key Infrastructure Operational Protocols: FTP and HTTP Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet- Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract The protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. Please send comments on this document to the ietf-pkix@tandem.com mail list. Housley [Page 1] INTERNET DRAFT October 1997 1 Introduction This specification is part of a multi-part standard for the Internet Public Key Infrastructure (PKI) using X.509 certificates and certificate revocation lists (CRLs). This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories. Additional mechanisms addressing PKI repository access are specified in separate documents. 1.1 Model Following is a simplified view of the architectural model assumed by the Internet PKI specifications. +---+ | C | +------------+ | e | <-------------------->| End entity | | r | Operational +------------+ | t | transactions ^ | | and management | Management | / | transactions | transactions | | | | C | PKI users v | R | -------+-------+--------+------ | L | PKI management ^ ^ | | entities | | | | v | | R | +------+ | | e | <-------------- | RA | <-----+ | | p | certificate | | | | | o | publish +------+ | | | s | | | | I | v v | t | +------------+ | o | <--------------------------| CA | | r | certificate publish +------------+ | y | CRL publish ^ | | | +---+ | Management | transactions v +------+ | CA | +------+ Figure 1 - Internet PKI Entities Housley [Page 2] INTERNET DRAFT October 1997 The components in this model are: End Entity: user of PKI certificates and/or end user system that is the subject of a certificate; CA: certification authority; RA: registration authority, i.e., an optional system to which a CA delegates certain management functions; Repository: a system or collection of distributed systems that store certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities. 1.2 Certificate and CRL Repository Some CAs mandate the use of on-line validation services, while others distribute CRLs to allow certificate users to perform certificate validation themselves. In general, CAs make CRLs available to certificate users by publishing them in the Directory. The Directory is also the normal distribution mechanism for certificates. However, Directory Services are not available in many parts of the Internet today. The File Transfer Protocol (FTP) defined in RFC 959 and the Hypertext Transfer Protocol (HTTP) defined in RFC 2068 offer alternate methods for certificate and CRL distribution. End entities and CAs may retrieve certificates and CRLs from the repository using FTP or HTTP. Likewise, end entities, RAs, and CAs may publish certificates and CRLs in the repository using FTP or HTTP. 2 FTP Conventions Within certificate extensions and CRL extensions, the URI form of GeneralName is used to specify the location where issuer certificates and CRLs may be obtained. For instance, a URI identifying the subject of a certificate may be carried in subjectAltName certificate extension. An IA5String describes the use of anonymous FTP to fetch certificate or CRL information. For example: ftp://ftp.netcom.com/sp/spyrus/housley.cer ftp://ftp.your.org/pki/id48.cer ftp://ftp.your.org/pki/id48.no42.crl Internet users may publish the URI reference to a file that contains their certificate on their business card. This practice is useful when there is no Directory entry for that user. FTP is widely Housley [Page 3] INTERNET DRAFT October 1997 deployed, and anonymous FTP are accommodated by many firewalls. Thus, FTP is an attractive alternatives to Directory access protocols for certificate and CRL distribution. While this service satisfies the requirement to retrieve information related to a certificate which is already identified by a URI, it is not intended to satisfy the more general problem of finding a certificate for a user about whom some other information, such as their electronic mail address or corporate affiliation, is known. For convenience, the names of files that contain certificates should have a suffix of ".cer". Each ".cer" file contains exactly one certificate, encoded in DER format. Likewise, the names of files that contain CRLs should have a suffix of ".crl". Each ".crl" file contains exactly one CRL, encoded in DER format. 3 HTTP Conventions Within certificate extensions and CRL extensions, the URI form of GeneralName is used to specify the location where issuer certificates and CRLs may be obtained. For instance, a URI identifying the subject of a certificate may be carried in subjectAltName certificate extension. An IA5String describes the use of HTTP to fetch certificate or CRL information. For example: http://www.netcom.com/sp/spyrus/housley.cer http://www.your.org/pki/id48.cer http://www.your.org/pki/id48.no42.crl Internet users may publish the URI reference to a file that contains their certificate on their business card. This practice is useful when there is no Directory entry for that user. HTTP is widely deployed, and HTTP is accommodated by many firewalls. Thus, HTTP is an attractive alternatives to Directory access protocols for certificate and CRL distribution. While this service satisfies the requirement to retrieve information related to a certificate which is already identified by a URI, it is not intended to satisfy the more general problem of finding a certificate for a user about whom some other information, such as their electronic mail address or corporate affiliation, is known. For convenience, the names of files that contain certificates should have a suffix of ".cer". Each ".cer" file contains exactly one certificate, encoded in DER format. Likewise, the names of files that contain CRLs should have a suffix of ".crl". Each ".crl" file contains exactly one CRL, encoded in DER format. Housley [Page 4] INTERNET DRAFT October 1997 Two MIME types are defined to support the tranfer of certificates and CRLs. They are: application/pkix-cert[; version=1] application/pkix-crl[; version=1] References [RFC 959] J. Postel and J. Reynolds, "File Transfer Protocol (FTP)," RFC 959, October 1985. [RFC 1738] T. Berners-Lee, L. Masinter, and M. McCahill, "Uniform Resource Locators (URL)," December 1994. [RFC 2068] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, and T. Berners-Lee; "Hypertext Transfer Protocol -- HTTP/1.1," RFC 2068, January 1997. Security Considerations Since certificates and CRLs digitally signed, no additional integrity service is necessary. Neither certificates nor CRLs need be kept secret, and anonymous access to certificates and CRLs is generally acceptable. So, no privacy service is necessary. Operators of FTP sites and World Wide Web servers should authenticate end entities, CAs, and RAs who publish certificates and CRLs. However, authentication is not necessary to retrieve certificates and CRLs. Author Address Russell Housley SPYRUS PO Box 1198 Herndon, VA 20172 USA housley@spyrus.com Housley [Page 5]