/
746.txt
149 lines (116 loc) · 6.83 KB
/
746.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
[18] [DFN[[[PKI]]]] ([DFN[[[Public Key Infrastructure]]]]、[DFN[[[公開鍵基盤]]]])
は、[[公開鍵暗号]]による[[セキュリティー]]基盤です。
[[インターネット]]を含む様々な環境で[[暗号]]技術等の基礎的な構成要素として利用されています。
* 仕様書
[7] [DFN[[[PKI]]]] は [DFN[[[ITU-T X.509]]]] で規定されています。
[4] [DFN[[RUBYB[インターネットPKI]@en[Internet PKI]]]]は [DFN[[[RFC 5280]]]]
(旧 [DFN[[[RFC 3280]]]]、旧々 [DFN[[[RFC 2459]]]]) で規定されています。これは [[X.509]] により規定される [[PKI]]
の[[インターネット]]における利用のための[[プロファイル]]を規定するものです。
この[[プロファイル]]仕様あるいはその技術のことを [DFN[[[PKIX]]]] といいます。
;; [13] [[PKIX]] が何を意味するのか、 [[RFC 5280]] は明確に説明しておらず、
ページ見出しが「PKIX Certificate and CRL Profile」だったり、3章で
「Following is a simplified view of the architectural model assumed by
the Public-Key Infrastructure using X.509 (PKIX) specifications.」
と言及していたり、担当 [[IETF]] [[WG]] の名前が [[PKIX]] だったりして匂わせているだけなのですが。。。
[[RFC 6125]] は「PKIX is a short name for the Internet Public Key
Infrastructure using X.509 defined in RFC 5280」と述べています [SRC[>>14]]。
[REFS[
- [5] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) <http://tools.ietf.org/html/rfc5280>
- [9] [CITE[RFC Errata Report]] ([TIME[2015-03-23 15:33:42 +09:00]] 版) <http://www.rfc-editor.org/errata_search.php?rfc=5280>
- [14] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]] ([TIME[2015-03-13 22:27:53 +09:00]] 版) <https://tools.ietf.org/html/rfc6125#section-1.8>
- [17] [CITE@en[RFC 6818 - Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-03-24 03:47:50 +09:00]] 版) <https://tools.ietf.org/html/rfc6818>
]REFS]
* 概念
[19] [[PKI]] には次のような概念や[[プロトコル要素]]が関係しています。
[FIG(short list)[
- [[証明書]]
- [[CA]]
- [[RA]]
- [[certification path]]
- [[trust anchor]]
- [[TAF]]
- [[CSR]]
- [[PKCS #7]]
- [[PKCS #12]]
- [[service identity]]
- [[CRL]]
- [[OCSP]]
- [[CRLSet]]
- [[OneCRL]]
- [[CA/Browser Forum]]
- [[WebTrust]]
- [[EV証明書]]
- [[Certificate Transparency]]
- [CODE[[[.pem]]]]
- [[PKP]]
- [[Let's Encrypt]]
]FIG]
* 応用
[8] [[PKI]] は次の場面で使われています。
[FIG(short list)[
- [[TLS]]
- [[S/MIME]]
]FIG]
* メモ
[1] [CITE@ja[5分で絶対に分かるPKI]]
([TIME[2015-03-07 23:18:18 +09:00]] 版)
<http://www.atmarkit.co.jp/fsecurity/special/02fivemin/fivemin00.html>
[2] [CITE@ja[公開鍵基盤 - Wikipedia]]
([TIME[2015-02-10 14:43:01 +09:00]] 版)
<http://ja.wikipedia.org/wiki/%E5%85%AC%E9%96%8B%E9%8D%B5%E5%9F%BA%E7%9B%A4>
[3] [CITE@ja[IPA 独立行政法人 情報処理推進機構:PKI 関連技術情報]]
([TIME[2013-06-26 11:41:57 +09:00]] 版)
<https://www.ipa.go.jp/security/pki/index.html>
[6] [CITE[Netscape Certificate Download Specification]] ([TIME[2007-03-24 01:36:39 +09:00]] 版) <http://wp.netscape.com/eng/security/downloadcert.html>
[10] [CITE@en[RFC 3279 - Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile]]
([TIME[2015-01-19 14:22:29 +09:00]] 版)
<http://tools.ietf.org/html/rfc3279>
[11] [CITE@en[RFC 4055 - Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-03-01 21:42:56 +09:00]] 版)
<http://tools.ietf.org/html/rfc4055>
[12] [CITE@en[RFC 4491 - Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile]]
([TIME[2015-03-15 18:54:32 +09:00]] 版)
<http://tools.ietf.org/html/rfc4491>
[15] [CITE[WAP Certificate and CRL Profiles WAP-211-WAPCert]]
([TIME[2013-09-23 14:20:49 +09:00]] 版)
<http://technical.openmobilealliance.org/tech/affiliates/wap/wap-211-wapcert-20010522-a.pdf>
[FIG(quote)[
[FIGCAPTION[
[16] [CITE@en[RFC 6844 - DNS Certification Authority Authorization (CAA) Resource Record]]
([TIME[2015-03-15 21:22:05 +09:00]] 版)
<https://tools.ietf.org/html/rfc6844>
]FIGCAPTION]
> Public Key Infrastructure X.509 (PKIX): Standards and specifications
> issued by the IETF that apply the '''['''X.509''']''' certificate standards
> specified by the ITU to Internet applications as specified in
> '''['''RFC5280''']''' and related documents.
]FIG]
[20] [CITE@en[X.509 : Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks]]
([[tsbmail]] 著, [TIME[2015-04-13 09:34:44 +09:00]] 版)
<http://www.itu.int/rec/T-REC-X.509-201210-I/en>
[21] [CITE@en[915930 – (mozilla::pkix) Make mozilla::pkix the default certificate verifier]]
( ([TIME[2016-05-09 21:39:37 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=915930>
[FIG(quote)[
[FIGCAPTION[
[22] [CITE@en[briansmith/webpki: WebPKI X.509 Certificate Validation in Rust]]
( ([TIME[2016-05-11 23:59:07 +09:00]]))
<https://github.com/briansmith/webpki>
]FIGCAPTION]
> libwebpki is a library that validates Web PKI (TLS/SSL) certificates. libwebpki is designed to provide a full implementation of the client side of the Web PKI to a diverse range of applications and devices, including embedded (IoT) applications, mobile apps, desktop applications, and server infrastructure. libwebpki is intended to not only be the best implementation of the Web PKI, but to also precisely define what the Web PKI is.
]FIG]
[23] [CITE@en[RFC 5912 - New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)]]
([TIME[2016-06-19 17:47:09 +09:00]])
<https://tools.ietf.org/html/rfc5912>
[24] [CITE@en[RFC 7299 - Object Identifier Registry for the PKIX Working Group]]
([TIME[2016-06-23 09:48:42 +09:00]])
<https://tools.ietf.org/html/rfc7299>
[25] [CITE@en[RFC 3820 - Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile]]
([TIME[2017-09-10 17:04:09 +09:00]])
<https://tools.ietf.org/html/rfc3820>
[26] [CITE[X.509 Style Guide]]
([TIME[2004-09-21 00:09:43 +09:00]])
<https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt>
[27] [CITE@en[RFC 6487 - A Profile for X.509 PKIX Resource Certificates]]
([TIME[2018-08-26 16:39:42 +09:00]])
<https://tools.ietf.org/html/rfc6487>