3. Overview of Approach

Following is a simplified view of the architectural model assumed by the Public-Key Infrastructure using X.509 (PKIX) specifications.

The components in this model are:

  • end entity: user of PKI certificates and/or end user system that is the subject of a certificate
  • CA: certification authority
  • RA: registration authority, i.e., an optional system to which a CA delegates certain management functions
  • CRL issuer: a system that generates and signs CRLs
  • repository: a system or collection of distributed systems that stores certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities

3.1. X.509 Version 3 Certificate

Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.

3.2. Certification Paths and Trust

A user of a security service requiring knowledge of a public key generally needs to obtain and validate a certificate containing the required public key.
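As an added illustration of 3.1 and 3.2 (example code, not part of this specification), the following Go program uses the standard crypto/x509 package to play both roles in the model: a CA that binds a public key to a subject, and a relying party that validates a certification path from that certificate to its configured trust anchor. The CA name, host name, serial numbers and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short: the templates below are valid, so an error here would be a programming mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI plays the CA: a self-signed CA certificate (the trust anchor) and an end-entity certificate that
// binds a fresh public key to the subject host (section 3.1). Names, serials and lifetimes are constructed.
func BuildPKI(host string) (ca, ee *x509.Certificate) {
	caKey, eeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	eeTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour)}
	ee = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeTmpl, ca, &eeKey.PublicKey, caKey))))
	return ca, ee
}

// CertificationPath plays the relying party: it validates ee for host against its one configured trust anchor
// (section 3.2) and returns the subjects along the path, end entity first, anchor last.
func CertificationPath(ee, anchor *x509.Certificate, host string) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	chains, err := ee.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil, err
	}
	var path []string
	for _, c := range chains[0] {
		path = append(path, c.Subject.CommonName)
	}
	return path, nil
}
```

Two cases worth trying: the same end-entity certificate validated against a different anchor is rejected with an unknown-authority error however well-formed it is, and a host name that does not match the certificate is rejected even though the path itself is sound.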

3.3. Revocation

When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period.

3.4. Operational Protocols

Operational protocols are required to deliver certificates and CRLs (or status information) to certificate-using client systems.

3.5. Management Protocols

Management protocols are required to support on-line interactions between PKI user and management entities.