The Enterprise environment is typified by organizations seeking to provide consistent, transparent security across all end-user applications. The organization has the greatest amount of control in this environment, allowing it to leverage investment in interoperable PKI solutions for both infrastructure and end-users.
Certificate Generation – X.509, PKIX Profile X.509 defines the format of a public key digital certificate as well as a Certificate Revocation List (CRL). RFC 3280, from the IETF PKIX Working group, provides profiles for each of these two formats.
Certificate Distribution – Lightweight Directory Access Protocol (LDAP)
LDAP defines the protocol used to publish and access digital certificates and CRLs from a repository.
Certificate Management – PKIX Certificate Management Protocol (PKIX-CMP)
RFCs 2510 and 2511 from the IETF PKI Working Group define the protocol for managing keys and certificates. Extends beyond simple certificate request to support PKI lifecycle functions required in the Enterprise.
The Inter-Enterprise environment is typified by organizations seeking to provide trusted and secure means for business-to-business electronic commerce. The organization has control over its own resources, both infrastructure and end-user, that must interoperate with others’ PKIs.
Certificate Generation – X.509, PKIX Profile These standards also apply to cross certificates and CRLs used in establishing one-to-one or hierarchical trust between enterprises.
Certificate Distribution – LDAP, S/MIME
LDAP provides the access protocol for enterprises wishing to share full or partial certificate repositories. S/MIME (RFCs 2632-2634) defines a protocol that is used for the direct exchange of digital certificates between end users.
Certificate Management – PKIX CMP, PKCS #7/#10
PKIX-CMP provides protocols for the request and management of cross-certificates, as well as keys and certificates as in the Enterprise model. PKCS #7/#10 (RFCs 2315, 2986) provide protocols for requesting and receiving certificates without any management once created and distributed.
The Consumer environment is typified by organizations seeking to enable electronic commerce with consumers over the Internet. While controlling its infrastructure, the organization must interoperate with consumers using a wide variety of applications, typically web browsers and associated email.
Certificate Generation – X.509 v3, PKIX Profile
These standards provide the profile definition of a public key digital certificate. While no standards have been universally adopted for revocation checking in this environment, schemes such as OCSP (RFC 2560) are getting increasing attention.
Certificate Distribution – S/MIME
Distribution of certificates in this environment is currently limited to direct user to user communication with S/MIME.
Certificate Management – PKCS #7/#10
PKCS #7/#10 supports certificate request and receipt but does not provide for any key or certificate management. While no standards have been universally adopted for key and certificate management in this environment, schemes such as PKIX-CMC (RFC 2797) are being considered.
Entrust has demonstrated interoperability with all these approved protocols?
Elements of PKI Interoperability
Regardless of the environment in which it operates, a Managed PKI is made up of several components that must interoperate. As shown in the figure below, these include interfaces within a single PKI as well as to external environments.
A brief summary of the purpose of each component is as follows:
Because of their central role in a Public Key Infrastructure, regardless of the environment, these components must interact and interoperate. These operations can be summarized as follows: