RFC 2510 (rfc2510) - Page 2 of 72
Internet X
Alternative Format: Original Text Document
RFC 2510 PKI Certificate Management Protocols March 1999
1 PKI Management Overview
The PKI must be structured to be consistent with the types of
individuals who must administer it. Providing such administrators
with unbounded choices not only complicates the software required but
also increases the chances that a subtle mistake by an administrator
or software developer will result in broader compromise. Similarly,
restricting administrators with cumbersome mechanisms will cause them
not to use the PKI.
Management protocols are REQUIRED to support on-line interactions
between Public Key Infrastructure (PKI) components. For example, a
management protocol might be used between a Certification Authority
(CA) and a client system with which a key pair is associated, or
between two CAs that issue cross-certificates for each other.
1.1 PKI Management Model
Before specifying particular message formats and procedures we first
define the entities involved in PKI management and their interactions
(in terms of the PKI management functions required). We then group
these functions in order to accommodate different identifiable types
of end entities.
1.2 Definitions of PKI Entities
The entities involved in PKI management include the end entity (i.e.,
the entity to be named in the subject field of a certificate) and the
certification authority (i.e., the entity named in the issuer field
of a certificate). A registration authority MAY also be involved in
PKI management.
1.2.1 Subjects and End Entities
The term "subject" is used here to refer to the entity named in the
subject field of a certificate; when we wish to distinguish the tools
and/or software used by the subject (e.g., a local certificate
management module) we will use the term "subject equipment". In
general, the term "end entity" (EE) rather than subject is preferred
in order to avoid confusion with the field name.
It is important to note that the end entities here will include not
only human users of applications, but also applications themselves
(e.g., for IP security). This factor influences the protocols which
the PKI management operations use; for example, application software
is far more likely to know exactly which certificate extensions are
required than are human users. PKI management entities are also end
entities in the sense that they are sometimes named in the subject
Adams & Farrell Standards Track