RFC 1114 (rfc1114) - Page 3 of 25

Privacy enhancement for Internet electronic mail: Part II - certificate-based key management

Alternative Format: Original Text Document
< Previous
Next >
RFC 1114              Mail Privacy: Key Management           August 1989


   later in this RFC.  RSADSI will offer a service in which it will sign
   a certificate which has been generated by a user and vouched for
   either by an organization or by a Notary Public.  This service will
   carry a $25 biennial fee which includes an associated license to use
   the RSA algorithm in conjunction with privacy protection of
   electronic mail.  Users who do not come under the purview of the RSA
   patent, e.g., users affiliated with the U.S. government or users
   outside of the U.S., may make use of different certifying authorities
   and will not require a license from RSADSI.  Procedures for
   interacting with these other certification authorities, maintenance
   and distribution of revoked certificate lists from such authorities,
   etc. are outside the scope of this RFC.  However, techniques for
   validating certificates issued by other authorities are contained
   within the RFC to ensure interoperability across the resulting
   jurisdictional boundaries.

2.  Overview of Approach

   This RFC defines a key management architecture based on the use of
   public-key certificates, in support of the message encipherment and
   authentication procedures defined in RFC-1113.  In the proposed
   architecture, a "certification authority" representing an
   organization applies a digital signature to a collection of data
   consisting of a user's public component, various information that
   serves to identify the user, and the identity of the organization
   whose signature is affixed.  (Throughout this RFC we have adopted the
   terms "private component" and "public component" to refer to the
   quantities which are, respectively, kept secret and made publically
   available in asymmetric cryptosystems.  This convention is adopted to
   avoid possible confusion arising from use of the term "secret key" to
   refer to either the former quantity or to a key in a symmetric
   cryptosystem.)  This establishes a binding between these user
   credentials, the user's public component and the organization which
   vouches for this binding.  The resulting signed, data item is called
   a certificate.  The organization identified as the certifying
   authority for the certificate is the "issuer" of that certificate.

   In signing the certificate, the certification authority vouches for
   the user's identification, especially as it relates to the user's
   affiliation with the organization.  The digital signature is affixed
   on behalf of that organization and is in a form which can be
   recognized by all members of the privacy-enhanced electronic mail
   community.  Once generated, certificates can be stored in directory
   servers, transmitted via unsecure message exchanges, or distributed
   via any other means that make certificates easily accessible to
   message originators, without regard for the security of the
   transmission medium.




Kent & Linn
< Previous
Next >