X.509

X.509 Protocol
X.509 is a widely used standard for defining digital certificates.
X.509 is an ITU standard for PKI (Public Key Infrastructure)
that defines specific formats for public key certificates (PKCs)
and the certification path validation algorithm.
The certification path validation algorithm verifies
that a given certificate path is valid under a given PKI.
X.509 History
X.509 was published as an ITU-T (ITU Telecommunication Standardization Sector)
recommendation called ITU-T X.509 (formerly CCITT X.509) and as ISO/IEC/ITU 9594-8.
With minor differences in dates and titles, these publications provide identical text
defining public-key and attribute certificates.
X.509 (Version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services standard.
It assumed a hierarchical system of certification authorities for issuing certificates,
quite contrary to the web-of-trust models existing at the time, such as PGP,
where anyone can sign, thereby attesting to the validity of others' private
or public key certificates.
The X.509 (Version 2) format appeared in 1993 when X.509 was revised.
This is an enhanced version of the format that
includes two additional fields to provide support for directory access control.
X.509 (Version 3) defines the format for certificate extensions,
used to store additional information regarding the certificate holder
and to define certificate usage. It includes compatibility with other topologies
such as meshes and bridges, and the option to use it in a peer-to-peer,
OpenPGP-like web of trust environment, even though it is scarcely used that way as of 2006.
The term X.509 refers to the latest published version, unless the version number is stated.
These days the name X.509 broadly refers to the IETF's PKI
Certificate and CRL Profile of the X.509 version 3 certificate
standard, as given in the RFC 3280 specification.
Inside X.509
In an X.509 system, the Certification Authority issues a certificate
binding a public key to a particular, unique name in the X.500 tradition,
or to an alternative name such as a DNS entry or an email address.
The authenticity of a certificate, and of the certification authority in
turn, depends on the root certificate, which is integral to the
X.509 certification chain model.
Root certificates are implicitly trusted; the best-known example of
software shipping with preinstalled root certificates is the common web browser itself.
The X.509 system also includes a method for implementing CRLs (certificate
revocation lists), which is often neglected in PKI systems.
Certificate Structure
An X.509 version 3 digital certificate has three main parts:
the certificate itself, the certificate signature algorithm and the certificate signature.
The certificate is described by attributes such as version, algorithm ID, serial number, issuer,
subject, validity, subject public key info, extensions and several
other optional ones like the subject and issuer unique identifiers. The
subject public key info attribute is further detailed by the public key
algorithm and the subject public key, while the validity attribute has
a lower and an upper date limit, which together
decide the lifetime of the certificate.
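The three-part structure and the certificate fields described above, as an added example that is not part of the original page: a small pure-Python DER walker that splits a certificate into its certificate, signature-algorithm and signature parts, reads the version, serial number, validity dates and extension count, and checks the validity window. The sample certificate is constructed inside the code with a placeholder key and signature, and all helper names (der, der_read, der_children, parse_certificate, is_within_validity, build_sample_certificate) are assumptions of this example, not an API of any library.

```python
import datetime as dt

def der(tag, payload):  # minimal DER TLV encoder (values below 64 KiB); only used to build the sample
    n = len(payload)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def der_read(buf, pos=0):  # decode one TLV at buf[pos] -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x80|k, then k length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # split a constructed value (SEQUENCE/SET) into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def parse_certificate(blob):  # return the main fields of a DER-encoded X.509 certificate as a dict
    tag, cert, _ = der_read(blob)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    (_, tbs), (_, sig_alg), (_, sig_value) = der_children(cert)   # the three main parts
    fields = der_children(tbs)
    version = 1                                         # [0] EXPLICIT Version is omitted for v1
    if fields[0][0] == 0xA0:
        version, fields = der_children(fields[0][1])[0][1][0] + 1, fields[1:]
    (_, serial), _alg, _issuer, (_, validity), _subject, _spki = fields[:6]
    utc = lambda raw: dt.datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    not_before, not_after = (utc(v) for _, v in der_children(validity))
    exts = [e for t, v in fields[6:] if t == 0xA3 for e in der_children(der_children(v)[0][1])]
    return {"version": version, "serial": int.from_bytes(serial, "big", signed=True),
            "not_before": not_before, "not_after": not_after, "extension_count": len(exts),
            "signature_algorithm_oid": der_children(sig_alg)[0][1].hex(), "signature": sig_value[1:]}

def is_within_validity(fields, now):  # the validity window decides the life of the certificate
    return fields["not_before"] <= now <= fields["not_after"]

def build_sample_certificate(not_before, not_after):
    """Constructed sample: a well-formed v3 certificate with a placeholder key and signature."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))   # sha256WithRSAEncryption
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))   # rsaEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example CA"))))  # CN=Example CA
    spki = der(0x30, rsa + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x01") + der(0x02, b"\x03"))))  # dummy key
    basic = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x04, der(0x30, der(0x01, b"\xff"))))  # basicConstraints CA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10\x01") + alg + name         # v3, serial 4097
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode())) + name + spki
              + der(0xA3, der(0x30, basic)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(8)))   # placeholder signature, not a real one
```

The signature is only located, never verified, and dates from 2050 onwards are encoded as GeneralizedTime, which this reader does not handle.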
Protocols Supporting X.509 Certificates
Transport Layer Security (SSL/TLS)
IPSec
Secure Multipurpose Internet Mail Extensions (S/MIME)
Smartcard
SSH
HTTPS
LDAP v3
EAP