Open Group Guide
Architecture for Public-Key Infrastructure (APKI)
Document Number: G801
©March 1999, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.
Any comments relating to the material contained in this document may be submitted to The Open Group at:
The Open Group
Berkshire, RG1 1AX
or by electronic mail to:
The Open Group is the leading vendor-neutral, international consortium for buyers and suppliers of technology. Its mission is to cause the development of a viable global information infrastructure that is ubiquitous, trusted, reliable, and as easy-to-use as the telephone. The essential functionality embedded in this infrastructure is what we term the IT DialTone. The Open Group creates an environment where all elements involved in technology development can cooperate to deliver less costly and more flexible IT solutions.
Formed in 1996 by the merger of the X/Open Company Ltd. (founded in 1984) and the Open Software Foundation (founded in 1988), The Open Group is supported by most of the world's largest user organizations, information systems vendors, and software suppliers. By combining the strengths of open systems specifications and a proven branding scheme with collaborative technology development and advanced research, The Open Group is well positioned to meet its new mission, as well as to assist user organizations, vendors, and suppliers in the development and implementation of products supporting the adoption and proliferation of systems which conform to standard specifications.
With more than 200 member companies, The Open Group helps the IT industry to advance technologically while managing the change caused by innovation. It does this by:
The Open Group operates in all phases of the open systems technology lifecycle including innovation, market adoption, product development, and proliferation. Presently, it focuses on seven strategic areas: open systems application platform development, architecture, distributed systems management, interoperability, distributed computing environment, security, and the information superhighway. The Open Group is also responsible for the management of the UNIX trademark on behalf of the industry.
This process includes the identification of requirements for open systems and, now, the IT DialTone, development of Technical Standards (formerly CAE and Preliminary Specifications) through an industry consensus review and adoption procedure (in parallel with formal standards work), and the development of tests and conformance criteria.
This leads to the preparation of a Product Standard which is the name used for the documentation that records the conformance requirements (and other information) to which a vendor may register a product.
The "X" Device is used by vendors to demonstrate that their products conform to the relevant Product Standard. By use of the Open Brand they guarantee, through the Open Brand Trade Mark License Agreement (TMLA), to maintain their products in conformance with the Product Standard so that the product works, will continue to work, and that any problems will be fixed by the vendor.
The Open Group publishes a wide range of technical documentation, the main part of which is focused on development of Technical Standards and product documentation, but which also includes Guides, Snapshots, Technical Studies, Branding and Testing documentation, industry surveys, and business titles.
There are several types of specification:
The Open Group Technical Standards form the basis for our Product Standards. These Standards are intended to be used widely within the industry for product development and procurement purposes.
Anyone developing products that implement a Technical Standard can enjoy the benefits of a single, widely supported industry standard. Where appropriate, they can demonstrate product compliance through the Open Brand. Technical Standards are published as soon as they are developed, so enabling vendors to proceed with development of conformant products without delay.
CAE Specifications and Developers' Specifications published prior to January 1998 have the same status as Technical Standards (see above).
Preliminary Specifications have usually addressed an emerging area of technology and consequently are not yet supported by multiple sources of stable conformant implementations. They are published for the purpose of validation through implementation of products. A Preliminary Specification is as stable as can be achieved, through applying The Open Group's rigorous development and review procedures.
Preliminary Specifications are analogous to the trial-use standards issued by formal standards organizations, and developers are encouraged to develop products on the basis of them. However, experience through implementation work may result in significant (possibly upwardly incompatible) changes before their progression to becoming a Technical Standard. While the intent is to progress Preliminary Specifications to corresponding Technical Standards, the ability to do so depends on consensus among Open Group members.
The Open Group publishes specifications on behalf of industry consortia. For example, it publishes the NMF SPIRIT procurement specifications on behalf of the Network Management Forum. It also publishes Technology Specifications relating to OSF/1, DCE, OSF/Motif, and CDE.
Technology Specifications (formerly AES Specifications) are often candidates for consensus review, and may be adopted as Technical Standards, in which case the relevant Technology Specification is superseded by a Technical Standard.
In addition, The Open Group publishes:
This includes product documentation (programmer's guides, user manuals, and so on) relating to the Pre-structured Technology Projects (PSTs), such as DCE and CDE. It also includes the Single UNIX Documentation, designed for use as common product documentation for the whole industry.
These provide information that is useful in the evaluation, procurement, development, or management of open systems, particularly those that relate to the Technical Standards or Preliminary Specifications. The Open Group Guides are advisory, not normative, and should not be referenced for purposes of specifying or claiming conformance to a Product Standard.
Technical Studies present results of analyses performed on subjects of interest in areas relevant to The Open Group's Technical Program. They are intended to communicate the findings to the outside world so as to stimulate discussion and activity in other bodies and the industry in general.
As with all live documents, Technical Standards and Specifications require revision to align with new developments and associated international standards. To distinguish between revised specifications which are fully backwards compatible and those which are not:
Readers should note that Corrigenda may apply to any publication. Corrigenda information is published on the World-Wide Web at http://www.opengroup.org/corrigenda.
Full catalogue and ordering information on all Open Group publications is available on the World-Wide Web at http://www.opengroup.org/pubs.
This document is a Guide (see above).
To be considered a "candidate" for purposes of the PKI Architecture, an interface or protocol must:
It is assumed that the candidate interface and protocol specifications identified in this document will serve as base documents for open standardization processes, which will produce finalized PKI component interface and protocol specifications.
The Open Group PKI Task Group continues to refine and extend these requirements; comments should be sent by electronic mail to firstname.lastname@example.org.
Motif®, OSF/1®, UNIX®, and the "X Device"® are registered trademarks, and IT DialTone™ and The Open Group™ are trademarks, of The Open Group in the U.S. and other countries.
The Open Group acknowledges that there may be other products that might be covered by trademark protection and advises the reader to verify them independently.
The Open Group gratefully acknowledges the work of the Open Group Security Program Group, in particular the PKI Task Group, in the development of this Guide, and also the following individuals:
Additionally, the following organizations contributed to the specification of the requirements.
Barclays Bank plc
Digital Equipment Corporation
Electronic Data Systems
Information & Support Group
Jet Propulsion Laboratory
JP Morgan & Co. Inc.
Pacific Gas & Electric
Sun Microsystems, Inc.
Telecom Finland Ltd.
The Open Group
U.K. Ministry of Defence
U.S. Dept. of Defense/DISA
U.S. Dept. of Defense/NSA
Veritas Software Corporation
Further details about these and other Open Group documents can be found at: http://www.opengroup.org/publications.
These documents may be found at: http://www.ietf.org/rfc.
This document describes how to use the SPKM protocol under a GSS-API interface.
This document describes the GSS-API, Version 2.0 interface, which provides integrity and privacy services for session-oriented messages.
This document describes the profiles for use of X.509v3 certificates and Version 2 Certificate Revocation Lists (CRLs) by users in the Internet environment.
This document describes a proposed mechanism negotiation preamble protocol for use by protocol partners wishing to use GSS-API to establish a secure association.
This document describes the IDUP GSS-API interface, which provides integrity and privacy services for store-and-forward messages, and non-repudiation services.
This document specifies a new protocol specifically developed for the purpose of transporting messages like those specified in CMMF and CRMF among PKI elements.
Certificate Request Message Format (CRMF) specifies a format used to convey a request for a certificate to a Certification Authority (CA) or Registration Authority (RA).
This document defines Certificate Policies and Certification Practice Statements (CPSs) and their inter-relationship. This document provides a framework to assist the writers of certificate policies or CPSs with their tasks.
The latest versions of these documents can be found at: http://www.ietf.org/ids.by.wg/pkix.html.
Certificate Management Messages over CMS (CMC) defines the means by which PKI clients and servers may exchange PKI messages when using IETF S/MIME Cryptographic Message Syntax (CMS), Version 3 as a transaction envelope.
PKI Certificate Management Message Formats (CMMF) defines message formats to be used between a PKI client and a PKI server or service. It complements standard protocols such as the separately specified Certificate Management Protocol (CMP) or CMC.
This document defines a minimal scheme necessary to support the use of LDAPv2 for certificate and CRL retrieval and related functions for PKIX.
The Online Certificate Status Protocol (OCSP) enables applications to determine the state of an identified certificate in a more timely fashion than is possible with the Certificate Revocation List (CRL) mechanism.
This document describes the use of the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories.
This document describes the use of LDAPv2 as a protocol for publishing and retrieving certificates and CRLs from a certificate repository.
The latest versions of these documents can be found at: http://www.ietf.org/ids.by.wg/cat.html.
Refer to http://www.ietf.org/html.charters/ldapext-charter.html for the current status of this API.
This document defines the C bindings for GSS-API, Version 2.0.
This document extends the GSS-API to allow support of security attributes in addition to a single identity and to allow fine control of delegation.
Refer to http://www.ietf.org/html.charters/cat-charter.html for the current status of this API.
Refer to http://www.ietf.org/html.charters/smime-charter.html for the current status of CMS.
This document defines the C bindings for IETF RFC 2479.
The IETF IPsec Working Group documents can be found at: http://www.ietf.org/ids.by.wg/ipsec.html.