Memorandum for Multi-Domain Public Key Infrastructure Interoperability
RFC 5217
Document Type RFC - Informational (July 2008; No errata)
Was draft-shimaoka-multidomain-pki (individual in sec area)
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5217 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                   M. Shimaoka, Ed.
Request for Comments: 5217                                         SECOM
Category: Informational                                      N. Hastings
                                                                    NIST
                                                              R. Nielsen
                                                     Booz Allen Hamilton
                                                               July 2008

 Memorandum for Multi-Domain Public Key Infrastructure Interoperability

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   The objective of this document is to establish a terminology
   framework and to suggest the operational requirements of Public Key
   Infrastructure (PKI) domain for interoperability of multi-domain
   Public Key Infrastructure, where each PKI domain is operated under a
   distinct policy.  This document describes the relationships between
   Certification Authorities (CAs), provides the definition and
   requirements for PKI domains, and discusses typical models of multi-
   domain PKI.

Shimaoka, et al.             Informational                      [Page 1]
RFC 5217           Multi-Domain PKI Interoperability           July 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Objective  . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Document Outline . . . . . . . . . . . . . . . . . . . . .  3
   2.  Public Key Infrastructure (PKI) Basics . . . . . . . . . . . .  3
     2.1.  Basic Terms  . . . . . . . . . . . . . . . . . . . . . . .  3
     2.2.  Relationships between Certification Authorities  . . . . .  4
       2.2.1.  Hierarchical CA Relationships  . . . . . . . . . . . .  5
       2.2.2.  Peer-to-Peer CA Relationships  . . . . . . . . . . . .  6
     2.3.  Public Key Infrastructure (PKI) Architectures  . . . . . .  7
       2.3.1.  Single CA Architecture . . . . . . . . . . . . . . . .  7
       2.3.2.  Multiple CA Architectures  . . . . . . . . . . . . . .  8
     2.4.  Relationships between PKIs and Relying Parties . . . . . . 12
   3.  PKI Domain . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     3.1.  PKI Domain Properties  . . . . . . . . . . . . . . . . . . 13
     3.2.  Requirements for Establishing and Participating in PKI
           Domains  . . . . . . . . . . . . . . . . . . . . . . . . . 13
       3.2.1.  PKI Requirements . . . . . . . . . . . . . . . . . . . 13
       3.2.2.  PKI Domain Documentation . . . . . . . . . . . . . . . 14
       3.2.3.  PKI Domain Membership Notification . . . . . . . . . . 15
       3.2.4.  Considerations for PKIs and PKI Domains with
               Multiple Policies  . . . . . . . . . . . . . . . . . . 16
     3.3.  PKI Domain Models  . . . . . . . . . . . . . . . . . . . . 16
       3.3.1.  Unifying Trust Point (Unifying Domain) Model . . . . . 16
       3.3.2.  Independent Trust Point Models . . . . . . . . . . . . 17
     3.4.  Operational Considerations . . . . . . . . . . . . . . . . 21
   4.  Trust Models External to PKI Relationships . . . . . . . . . . 22
     4.1.  Trust List Models  . . . . . . . . . . . . . . . . . . . . 22
       4.1.1.  Local Trust List Model . . . . . . . . . . . . . . . . 22
       4.1.2.  Trust Authority Model  . . . . . . . . . . . . . . . . 23
     4.2.  Trust List Considerations  . . . . . . . . . . . . . . . . 24
       4.2.1.  Considerations for a PKI . . . . . . . . . . . . . . . 24
       4.2.2.  Considerations for Relying Parties and Trust
               Authorities  . . . . . . . . . . . . . . . . . . . . . 24
       4.2.3.  Additional Considerations for Trust Authorities  . . . 25
   5.  Abbreviations  . . . . . . . . . . . . . . . . . . . . . . . . 25
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 25
     6.1.  PKI Domain Models  . . . . . . . . . . . . . . . . . . . . 25
     6.2.  Trust List Models  . . . . . . . . . . . . . . . . . . . . 26
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 27
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 27

Shimaoka, et al.             Informational                      [Page 2]
RFC 5217           Multi-Domain PKI Interoperability           July 2008

1.  Introduction

1.1.  Objective

   The objective of this document is to establish a terminology
   framework and to provide the operational requirements, which can be
   used by different Public Key Infrastructure (PKI) authorities who are
   considering establishing trust relationships with each other.  The
   document defines different types of possible trust relationships,
   identifies design and implementation considerations that PKIs should
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools