Memorandum for Multi-Domain Public Key Infrastructure Interoperability
RFC 5217
| Field | Value |
|---|---|
| Type | RFC - Informational (July 2008; no errata) |
| Was | draft-shimaoka-multidomain-pki (individual in sec area) |
| Authors | Nelson Hastings, Rebecca Nielsen, Masaki Shimaoka |
| Last updated | 2015-10-14 |
| Stream | IETF |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 5217 (Informational) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Russ Housley |
| Send notices to | (None) |
Network Working Group                                    M. Shimaoka, Ed.
Request for Comments: 5217                                          SECOM
Category: Informational                                       N. Hastings
                                                                     NIST
                                                               R. Nielsen
                                                     Booz Allen Hamilton
                                                                July 2008

     Memorandum for Multi-Domain Public Key Infrastructure Interoperability

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   The objective of this document is to establish a terminology
   framework and to suggest the operational requirements of Public Key
   Infrastructure (PKI) domain for interoperability of multi-domain
   Public Key Infrastructure, where each PKI domain is operated under a
   distinct policy.  This document describes the relationships between
   Certification Authorities (CAs), provides the definition and
   requirements for PKI domains, and discusses typical models of
   multi-domain PKI.

Shimaoka, et al.              Informational                     [Page 1]

RFC 5217              Multi-Domain PKI Interoperability         July 2008

Table of Contents

   1. Introduction
      1.1. Objective
      1.2. Document Outline
   2. Public Key Infrastructure (PKI) Basics
      2.1. Basic Terms
      2.2. Relationships between Certification Authorities
         2.2.1. Hierarchical CA Relationships
         2.2.2. Peer-to-Peer CA Relationships
      2.3. Public Key Infrastructure (PKI) Architectures
         2.3.1. Single CA Architecture
         2.3.2. Multiple CA Architectures
      2.4. Relationships between PKIs and Relying Parties
   3. PKI Domain
      3.1. PKI Domain Properties
      3.2. Requirements for Establishing and Participating in PKI Domains
         3.2.1. PKI Requirements
         3.2.2. PKI Domain Documentation
         3.2.3. PKI Domain Membership Notification
         3.2.4. Considerations for PKIs and PKI Domains with Multiple Policies
      3.3. PKI Domain Models
         3.3.1. Unifying Trust Point (Unifying Domain) Model
         3.3.2. Independent Trust Point Models
      3.4. Operational Considerations
   4. Trust Models External to PKI Relationships
      4.1. Trust List Models
         4.1.1. Local Trust List Model
         4.1.2. Trust Authority Model
      4.2. Trust List Considerations
         4.2.1. Considerations for a PKI
         4.2.2. Considerations for Relying Parties and Trust Authorities
         4.2.3. Additional Considerations for Trust Authorities
   5. Abbreviations
   6. Security Considerations
      6.1. PKI Domain Models
      6.2. Trust List Models
   7. References
      7.1. Normative References
      7.2. Informative References

1. Introduction

1.1. Objective

   The objective of this document is to establish a terminology
   framework and to provide the operational requirements, which can be
   used by different Public Key Infrastructure (PKI) authorities who are
   considering establishing trust relationships with each other.  The
   document defines different types of possible trust relationships,
   identifies design and implementation considerations that PKIs should