RFC 1422 (rfc1422) - Page 2 of 32
Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
Alternative Format: Original Text Document
RFC 1422 Certificate-Based Key Management February 1993
procedures and conventions for a key management infrastructure for
use with Privacy Enhanced Mail (PEM) and with other protocols, from
both the TCP/IP and OSI suites, in the future. There are several
motivations for establishing these procedures and conventions (as
opposed to relying only on the very general framework outlined in
X.509):
-It is important that a certificate management infrastructure
for use in the Internet community accommodate a range of
clearly-articulated certification policies for both users
and organizations in a well-architected fashion.
Mechanisms must be provided to enable each user to be
aware of the policies governing any certificate which the
user may encounter. This requires the introduction
and standardization of procedures and conventions that are
outside the scope of X.509.
-The procedures for authenticating originators and recipient in
the course of message submission and delivery should be
simple, automated and uniform despite the existence of
differing certificate management policies. For example,
users should not have to engage in careful examination of a
complex set of certification relationships in order to
evaluate the credibility of a claimed identity.
-The authentication framework defined by X.509 is designed to
operate in the X.500 directory server environment. However
X.500 directory servers are not expected to be ubiquitous
in the Internet in the near future, so some conventions
are adopted to facilitate operation of the key management
infrastructure in the near term.
-Public key cryptosystems are central to the authentication
technology of X.509 and those which enjoy the most
widespread use are patented in the U.S. Although this
certification management scheme is compatible with
the use of different digital signature algorithms, it is
anticipated that the RSA cryptosystem will be used as
the primary signature algorithm in establishing the
Internet certification hierarchy. Special license
arrangements have been made to facilitate the
use of this algorithm in the U.S. portion of Internet
environment.
The infrastructure specified in this document establishes a single
root for all certification within the Internet, the Internet Policy
Registration Authority (IPRA). The IPRA establishes global policies,
described in this document, which apply to all certification effected
Kent