Is PKI really that complicated?

X.509-based PKI has a reputation for being bad in many ways – expensive, hard to use, too complicated, etc.

But is it really that complicated?

To find out, I looked at the number of RFCs that the IETF's PKIX working group has published to date. Then I made the mistake of making a table of them. That took quite a while. There are actually 62 of them, which certainly seems like enough documents to make the technology qualify as "complicated."

Here's what's been written so far:

| Document | Title |
|---|---|
| RFC 2459 | Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
| RFC 2510 | Internet X.509 Public Key Infrastructure Certificate Management Protocols |
| RFC 2511 | Internet X.509 Certificate Request Message Format |
| RFC 2527 | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
| RFC 2528 | Internet X.509 Public Key Infrastructure Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates |
| RFC 2559 | Internet X.509 Public Key Infrastructure Operational Protocols – LDAPv2 |
| RFC 2560 | X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP |
| RFC 2585 | Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP |
| RFC 2587 | Internet X.509 Public Key Infrastructure LDAPv2 Schema |
| RFC 2797 | Certificate Management Messages over CMS |
| RFC 2875 | Diffie-Hellman Proof-of-Possession Algorithms |
| RFC 3029 | Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols |
| RFC 3039 | Internet X.509 Public Key Infrastructure Qualified Certificates Profile |
| RFC 3161 | Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) |
| RFC 3279 | Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| RFC 3280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| RFC 3281 | An Internet Attribute Certificate Profile for Authorization |
| RFC 3379 | Delegated Path Validation and Delegated Path Discovery Protocol Requirements |
| RFC 3628 | Policy Requirements for Time-Stamping Authorities (TSAs) |
| RFC 3647 | Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework |
| RFC 3709 | Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates |
| RFC 3739 | Internet X.509 Public Key Infrastructure: Qualified Certificates Profile |
| RFC 3770 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) |
| RFC 3779 | X.509 Extensions for IP Addresses and AS Identifiers |
| RFC 3820 | Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile |
| RFC 3874 | A 224-bit One-way Hash Function: SHA-224 |
| RFC 4043 | Internet X.509 Public Key Infrastructure Permanent Identifier |
| RFC 4055 | Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| RFC 4059 | Internet X.509 Public Key Infrastructure Warranty Certificate Extension |
| RFC 4158 | Internet X.509 Public Key Infrastructure: Certification Path Building |
| RFC 4210 | Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP) |
| RFC 4211 | Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) |
| RFC 4325 | Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension |
| RFC 4334 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) |
| RFC 4386 | Internet X.509 Public Key Infrastructure Repository Locator Service |
| RFC 4387 | Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP |
| RFC 4476 | Attribute Certificate (AC) Policies Extension |
| RFC 4491 | Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile |
| RFC 4630 | Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| RFC 4683 | Internet X.509 Public Key Infrastructure Subject Identification Method (SIM) |
| RFC 4985 | Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name |
| RFC 5019 | The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments |
| RFC 5055 | Server-Based Certificate Validation Protocol (SCVP) |
| RFC 5272 | Certificate Management over CMS (CMC) |
| RFC 5273 | Certificate Management over CMS (CMC): Transport Protocols |
| RFC 5274 | Certificate Management Messages over CMS (CMC): Compliance Requirements |
| RFC 5280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| RFC 5480 | Elliptic Curve Cryptography Subject Public Key Information |
| RFC 5636 | Traceable Anonymous Certificate |
| RFC 5697 | Other Certificates Extension |
| RFC 5755 | An Internet Attribute Certificate Profile for Authorization |
| RFC 5756 | Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters |
| RFC 5758 | Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA |
| RFC 5816 | ESSCertIDv2 Update for RFC 3161 |
| RFC 5877 | The application/pkix-attr-cert Media Type for Attribute Certificates |
| RFC 5912 | New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) |
| RFC 5913 | Clearance Attribute and Authority Clearance Constraints Certificate Extension |
| RFC 5914 | Trust Anchor Format |
| RFC 5934 | Trust Anchor Management Protocol (TAMP) |
| RFC 6024 | Trust Anchor Management Requirements |
| RFC 6025 | ASN.1 Translation |
| RFC 6170 | Internet X.509 Public Key Infrastructure — Certificate Image |
