Is PKI really that complicated?

X.509-based PKI has a reputation for being bad in many ways – expensive, hard to use, too complicated, etc.

But is it really that complicated?

To find out, I looked at the number of RFCs that the IETF's PKIX working group has published to date. Then I made the mistake of making a table of them. That took quite a while. There are actually 62 of them, which certainly seems like enough documents to make the technology qualify as "complicated."

Here's what's been written so far:

Document  Title
RFC 2459  Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 2510  Internet X.509 Public Key Infrastructure Certificate Management Protocols
RFC 2511  Internet X.509 Certificate Request Message Format
RFC 2527  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 2528  Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates
RFC 2559  Internet X.509 Public Key Infrastructure Operational Protocols – LDAPv2
RFC 2560  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP
RFC 2585  Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP
RFC 2587  Internet X.509 Public Key Infrastructure LDAPv2 Schema
RFC 2797  Certificate Management Messages over CMS
RFC 2875  Diffie-Hellman Proof-of-Possession Algorithms
RFC 3029  Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols
RFC 3039  Internet X.509 Public Key Infrastructure Qualified Certificates Profile
RFC 3161  Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
RFC 3279  Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3280  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3281  An Internet Attribute Certificate Profile for Authorization
RFC 3379  Delegated Path Validation and Delegated Path Discovery Protocol Requirements
RFC 3628  Policy Requirements for Time-Stamping Authorities (TSAs)
RFC 3647  Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 3709  Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates
RFC 3739  Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
RFC 3770  Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC 3779  X.509 Extensions for IP Addresses and AS Identifiers
RFC 3820  Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile
RFC 3874  A 224-bit One-way Hash Function: SHA-224
RFC 4043  Internet X.509 Public Key Infrastructure Permanent Identifier
RFC 4055  Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 4059  Internet X.509 Public Key Infrastructure Warranty Certificate Extension
RFC 4158  Internet X.509 Public Key Infrastructure: Certification Path Building
RFC 4210  Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
RFC 4211  Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
RFC 4325  Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
RFC 4334  Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC 4386  Internet X.509 Public Key Infrastructure Repository Locator Service
RFC 4387  Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP
RFC 4476  Attribute Certificate (AC) Policies Extension
RFC 4491  Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile
RFC 4630  Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 4683  Internet X.509 Public Key Infrastructure Subject Identification Method (SIM)
RFC 4985  Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name
RFC 5019  The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
RFC 5055  Server-Based Certificate Validation Protocol (SCVP)
RFC 5272  Certificate Management over CMS (CMC)
RFC 5273  Certificate Management over CMS (CMC): Transport Protocols
RFC 5274  Certificate Management Messages over CMS (CMC): Compliance Requirements
RFC 5280  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 5480  Elliptic Curve Cryptography Subject Public Key Information
RFC 5636  Traceable Anonymous Certificate
RFC 5697  Other Certificates Extension
RFC 5755  An Internet Attribute Certificate Profile for Authorization
RFC 5756  Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
RFC 5758  Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
RFC 5816  ESSCertIDv2 Update for RFC 3161
RFC 5877  The application/pkix-attr-cert Media Type for Attribute Certificates
RFC 5912  New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
RFC 5913  Clearance Attribute and Authority Clearance Constraints Certificate Extension
RFC 5914  Trust Anchor Format
RFC 5934  Trust Anchor Management Protocol (TAMP)
RFC 6024  Trust Anchor Management Requirements
RFC 6025  ASN.1 Translation
RFC 6170  Internet X.509 Public Key Infrastructure – Certificate Image
