[x500standard] Re: X.509 Summary for next (2016) edition

  • From: DP-Security-Consulting <dp.sec.consulting@xxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Mon, 14 Oct 2013 14:38:13 +0200

I would rather propose the following:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 introduces the basic concept of asymmetric cryptographic techniques and defines both a framework for public-key infrastructure (PKI) and a framework for privilege management infrastructure (PMI). For the first framework, it defines PKI entity types, such as certification authority (CA), relying party and trust anchor. In addition, it specifies the following data types: public-key certificate, certificate revocation list (CRL) and authority revocation list (ARL). It also defines several certificate and CRL extensions. It also specifies the principles for certificate validation and certificate path validation using revocation lists and/or OCSP services. For the second framework, it defines PMI entity types, such as attribute authority (AA), relying party and trust anchor. In addition, it specifies the following data types: attribute certificate and attribute certificate revocation list (ACRL). It also defines several attribute certificate extensions. It also specifies the principles for attribute certificate validation and attribute certificate path validation.

A few explanations:

This allows a better separation between PKI and PMI. It also removes the dependency with both a directory and the Directory. Trust broker is not a concept which is currently described, hence why I have suppressed it. However, I have added OCSP. The various sentences have been rearranged in a way which (I think) is more progressive or more natural.

Denis

The only change I would make is to the first sentence, to make it grammatically correct:

a framework for public-key infrastructures (PKI) and privilege management infrastructures (PMI).

regards

david

On 14/10/2013 11:14, Erik Andersen wrote:
Hi folks,

It has been decided to make X.509 a pure PKI/PMI specification moving
pure directory stuff to other parts (X.511 and X.520). That includes
Password Policy. This requires the Summary to be updated.

The old Summary is:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines a framework for
public-key certificates and attribute certificates. These frameworks may
be used by other standards bodies to profile their application to Public
Key Infrastructures (PKI) and Privilege Management Infrastructures
(PMI). Also, this Recommendation | International Standard defines a
framework for the provision of authentication services by Directory to
its users. It describes two levels of authentication: simple
authentication, using a password as a verification of claimed identity;
and strong authentication, involving credentials formed using
cryptographic techniques. While simple authentication offers some
limited protection against unauthorized access, only strong
authentication should be used as the basis for providing secure services.

A first draft for a new summary is proposed here:

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines frameworks for
public-key infrastructure (PKI) and privilege management infrastructure
(PMI). It introduces the basic concept of asymmetric cryptographic
techniques. It specifies the following data types: public-key
certificate, attribute certificate, certificate revocation list (CRL)
and attribute certificate revocation list (ACRL). It also defines
several certificate and CRL extensions, and it defines directory schema
information allowing PKI and PMI related data to be stored in a
directory. In addition, it defines PKI entity types, such as
certification authority (CA), attribute authority (AA), relying party,
trust broker and trust anchor. It specifies the principles for
certificate validation, validation path, certificate policy, etc.

Please comment. Any suggestion is welcome.

Regards,

Erik

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
