Next: , Previous: Introduction, Up: Top


2 What is X.509, PKIX, PKCS7 and CMS ?

X.509 was created by CCITT (later ITU) for the X.500 directory service. Today, X.509 discussions and implementations commonly reference the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 3280.

ITU continues to develop the X.509 standard together with the IETF in a rather complicated dance.

X.509 is a public key based security system that has associated data stored within a so called certificate. Initially, X.509 was a strict hierarchical system with one root. However, ever evolving requiments and technology advancements saw the inclusion of multiple policy roots, bridges and mesh solutions.

x.509 can also be used as a peer to peer system, though often seen as a common scenario.

2.1 Type of certificates

There are several flavors of certificate in X.509.

2.2 Building a path

Before validating a certificate path (or chain), the path needs to be constructed. Given a certificate (EE, CA, Proxy, or any other type), the path construction algorithm will try to find a path to one of the trust anchors.

The process starts by looking at the issuing CA of the certificate, by Name or Key Identifier, and tries to find that certificate while at the same time evaluting any policies in-place.