Editing X.509 (section)
==History and usage==

X.509 was initially issued on July 3, 1988, and was begun in association with the [[X.500]] standard. Its first tasks were to provide users with secure access to information resources and to avoid a cryptographic [[man-in-the-middle attack]]. It assumes a strict hierarchical system of [[certificate authority|certificate authorities]] (CAs) for issuing the certificates. This contrasts with [[web of trust]] models, like [[Pretty Good Privacy|PGP]], where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates.

Version 3 of X.509 includes the flexibility to support other topologies like [[network bridge|bridges]] and [[Mesh network|meshes]].{{Ref RFC|4158}} It can be used in a peer-to-peer, [[OpenPGP]]-like web of trust,{{citation needed|date=March 2011}} but was rarely used that way {{as of|2004|lc=y}}. The X.500 system has only been implemented by sovereign nations{{Which|date=April 2020}} for state identity information sharing treaty fulfillment purposes, and the [[IETF]]'s Public-Key Infrastructure (X.509) (PKIX) working group has adapted the standard to the more flexible organization of the Internet. In fact, the term ''X.509 certificate'' usually refers to the IETF's PKIX certificate and [[revocation list|CRL]] profile of the X.509 v3 certificate standard, as specified in {{IETF RFC|5280}}, commonly called PKIX for ''Public Key Infrastructure (X.509)''.{{Ref RFC|5280|quote=Following is a simplified view of the architectural model assumed by the Public-Key Infrastructure using X.509 (PKIX) specifications.}}

An early issue with [[Public Key Infrastructure]] (PKI) and X.509 certificates was the well-known "which directory" problem: the client does not know where to fetch missing intermediate certificates, because the global X.500 directory never materialized. The problem was mitigated by including all intermediate certificates in a request.

For example, early web servers only sent the web server's certificate to the client. Clients that lacked an intermediate CA certificate, or did not know where to find one, failed to build a valid path from the CA to the server's certificate. To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate.<ref name="gutmann_book">{{cite web |title=Engineering Security |url=https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf |first=Peter |last=Gutmann |author-link=Peter Gutmann (computer scientist) |date=April 2014}}</ref>

While PKIX refers to the IETF's or Internet's PKI standard, there are many other PKIs with different policies. For example, the US Government has its own PKI with its own policies, and the CA/Browser Forum has its own PKI with its own policies. The US Government's PKI is specified in a massive document of over 2500 pages. If an organization's PKI diverges too much from that of the IETF or CA/Browser Forum, then the organization risks losing interoperability with common tools like [[web browser]]s, [[cURL]], and [[Wget]]. For example, if a PKI has a policy of only issuing certificates on Monday, then common tools like cURL and Wget will not enforce the policy and will allow a certificate issued on a Tuesday.<ref name="gutmann_book" />
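The "which directory" problem in miniature, as an added example that is not part of the article or any cited source: using Go's standard crypto/x509 package, a root CA, an intermediate CA and a server certificate are issued, and a client that trusts only the root then tries to build a path with and without the intermediate the server sent. The CA names, hostname and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by the parent's key, or self-signed when parent is nil.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, // constructed names
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // CAs must be allowed to sign certificates
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer := parentKey
	if parent == nil { parent, signer = tmpl, key } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildsPath reports whether a client that trusts only root can build a valid path to leaf
// using nothing but the intermediates the server chose to send (no directory lookup).
func BuildsPath(leaf, root *x509.Certificate, sent []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent { inter.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Demo issues root -> intermediate -> leaf and checks both server behaviours described above.
func Demo() (leafOnly, withIntermediate bool) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("www.example.test", 3, false, inter, interKey)
	return BuildsPath(leaf, root, nil), BuildsPath(leaf, root, []*x509.Certificate{inter})
}

func main() {
	leafOnly, withIntermediate := Demo()
	fmt.Println("leaf only:", leafOnly, "| leaf + intermediate:", withIntermediate)
}
```

The first check fails with "certificate signed by unknown authority" because the client holds no intermediate and has nowhere to fetch one; the second succeeds once the server includes it.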