Revert docs changes for bx509 for now
@@ -22,20 +22,19 @@
|
|||||||
@ifinfo
|
@ifinfo
|
||||||
@dircategory Security
|
@dircategory Security
|
||||||
@direntry
|
@direntry
|
||||||
* Heimdal: (heimdal). The Kerberos 5 and PKIX distribution from KTH
|
* Heimdal: (heimdal). The Kerberos 5 distribution from KTH
|
||||||
@end direntry
|
@end direntry
|
||||||
@end ifinfo
|
@end ifinfo
|
||||||
|
|
||||||
@c title page
|
@c title page
|
||||||
@titlepage
|
@titlepage
|
||||||
@title Heimdal
|
@title Heimdal
|
||||||
@subtitle Kerberos 5 and PKIX from KTH
|
@subtitle Kerberos 5 from KTH
|
||||||
@subtitle Edition @value{EDITION}, for version @value{VERSION}
|
@subtitle Edition @value{EDITION}, for version @value{VERSION}
|
||||||
@subtitle 2008
|
@subtitle 2008
|
||||||
@author Johan Danielsson
|
@author Johan Danielsson
|
||||||
@author Love Hörnquist Åstrand
|
@author Love Hörnquist Åstrand
|
||||||
@author Assar Westerlund
|
@author Assar Westerlund
|
||||||
@author et al
|
|
||||||
|
|
||||||
@end titlepage
|
@end titlepage
|
||||||
|
|
||||||
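Review bot: the removal of `@author et al` from the title page is not a bx509 change and need not go out with the revert; if the intent is only to back out the PKIX material, keep that author line and revert just the `@direntry` and `@subtitle` wording (`Kerberos 5 and PKIX from KTH` back to `Kerberos 5 from KTH`).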
@@ -65,8 +64,6 @@ This manual for version @value{VERSION} of Heimdal.
|
|||||||
@menu
|
@menu
|
||||||
* Introduction::
|
* Introduction::
|
||||||
* What is Kerberos?::
|
* What is Kerberos?::
|
||||||
* What is PKIX?::
|
|
||||||
* What is a Certification Authority (CA)?::
|
|
||||||
* Building and Installing::
|
* Building and Installing::
|
||||||
* Setting up a realm::
|
* Setting up a realm::
|
||||||
* Applications::
|
* Applications::
|
||||||
|
@@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
@page
|
@page
|
||||||
@copyrightstart
|
@copyrightstart
|
||||||
Copyright (c) 1994-2019 Kungliga Tekniska Högskolan
|
Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
|
||||||
(Royal Institute of Technology, Stockholm, Sweden).
|
(Royal Institute of Technology, Stockholm, Sweden).
|
||||||
All rights reserved.
|
All rights reserved.
|
||||||
|
|
||||||
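Review bot: the copyright line goes back from `Copyright (c) 1994-2019` to `Copyright (c) 1994-2008`, which regresses a year update that has nothing to do with bx509; the 2019 range should survive the revert even while the PKIX text is backed out.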
@@ -187,7 +187,7 @@ This manual is for version @value{VERSION} of hx509.
|
|||||||
|
|
||||||
@menu
|
@menu
|
||||||
* Introduction::
|
* Introduction::
|
||||||
* What are X.509 and PKIX ?::
|
* What is X.509 ?::
|
||||||
* Setting up a CA::
|
* Setting up a CA::
|
||||||
* CMS signing and encryption::
|
* CMS signing and encryption::
|
||||||
* Certificate matching::
|
* Certificate matching::
|
||||||
@@ -230,21 +230,14 @@ Software PKCS 11 module
|
|||||||
@end detailmenu
|
@end detailmenu
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
@node Introduction, What are X.509 and PKIX ?, Top, Top
|
@node Introduction, What is X.509 ?, Top, Top
|
||||||
@chapter Introduction
|
@chapter Introduction
|
||||||
|
|
||||||
A Public Key Infrastructure (PKI) is an authentication mechanism based on
|
The goals of a PKI infrastructure (as defined in
|
||||||
entities having certified cryptographic public keys and corresponding private
|
<a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>) is to meet
|
||||||
(secret) keys.
|
|
||||||
|
|
||||||
The ITU-T PKI specifications are designated "x.509", while the IETF PKI
|
|
||||||
specifications (PKIX) are specified by a number of Internet RFCs and are based
|
|
||||||
on x.509.
|
|
||||||
|
|
||||||
The goals of a PKI (as stated in
|
|
||||||
<a href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280</a>) is to meet
|
|
||||||
@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
|
@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.
|
||||||
|
|
||||||
|
|
||||||
The administrator should be aware of certain terminologies as explained by the aforementioned
|
The administrator should be aware of certain terminologies as explained by the aforementioned
|
||||||
RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
|
RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
|
||||||
|
|
||||||
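Review bot: the restored Introduction points readers at RFC 3280, which is obsoleted by RFC 5280, the reference the removed text used; even with the PKIX paragraphs backed out, the link and the quoted goals sentence should cite RFC 5280. The restored wording `The goals of a PKI infrastructure` is also redundant, since PKI already expands to Public Key Infrastructure; the removed text's `The goals of a PKI` reads correctly.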
@@ -253,9 +246,6 @@ RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
|
|||||||
Certificate Authority
|
Certificate Authority
|
||||||
@item RA
|
@item RA
|
||||||
Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
|
Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
|
||||||
@item Certificate
|
|
||||||
A binary document that names an entity and its public key and which is signed
|
|
||||||
by an issuing CA.
|
|
||||||
@item CRL Issuer
|
@item CRL Issuer
|
||||||
An optional system to which a CA delegates the publication of certificate revocation lists.
|
An optional system to which a CA delegates the publication of certificate revocation lists.
|
||||||
@item Repository
|
@item Repository
|
||||||
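Review bot: the dropped `@item Certificate` entry (`A binary document that names an entity and its public key and which is signed by an issuing CA.`) is generic X.509 terminology rather than bx509 documentation, and after the revert the list defines CA, RA, CRL Issuer and Repository without ever defining the certificate itself; consider keeping this item out of the revert.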
@@ -263,7 +253,7 @@ A system or collection of distributed systems that stores certificates and CRLs
|
|||||||
and serves as a means of distributing these certificates and CRLs to end entities
|
and serves as a means of distributing these certificates and CRLs to end entities
|
||||||
@end itemize
|
@end itemize
|
||||||
|
|
||||||
hx509 (Heimdal x509 support) is a near complete X.509/PKIX stack that can
|
hx509 (Heimdal x509 support) is a near complete X.509 stack that can
|
||||||
handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
|
handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
|
||||||
and basic certificate processing tasks, path construction, path
|
and basic certificate processing tasks, path construction, path
|
||||||
validation, OCSP and CRL validation, PKCS10 message construction, CMS
|
validation, OCSP and CRL validation, PKCS10 message construction, CMS
|
||||||
@@ -273,13 +263,10 @@ signed), and CMS EnvelopedData (certificate encrypted).
|
|||||||
hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
|
hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
|
||||||
files.
|
files.
|
||||||
|
|
||||||
hx509 consists of a library (libhx509) and a command-line utility (hxtool), as
|
@node What is X.509 ?, Setting up a CA, Introduction, Top
|
||||||
well as a RESTful, HTTPS-based service that implements an online CA.
|
@chapter What is X.509, PKIX, PKCS7 and CMS ?
|
||||||
|
|
||||||
@node What are X.509 and PKIX ?, Setting up a CA, Introduction, Top
|
X.509 was created by CCITT (later ITU) for the X.500 directory
|
||||||
@chapter What are X.509 and PKIX, PKIX, PKCS7 and CMS ?
|
|
||||||
|
|
||||||
X.509 was created by CCITT (later ITU-T) for the X.500 directory
|
|
||||||
service. Today, X.509 discussions and implementations commonly reference
|
service. Today, X.509 discussions and implementations commonly reference
|
||||||
the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
|
the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
|
||||||
standard, as specified in RFC 3280.
|
standard, as specified in RFC 3280.
|
||||||
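Review bot: the restored line `X.509 was created by CCITT (later ITU)` reintroduces the less precise name; the removed text's `ITU-T` is the body that actually succeeded CCITT for X.509, so that one word is worth keeping even while the rest is backed out. The unchanged trailing context still cites RFC 3280 for the PKIX profile, which is obsoleted by RFC 5280. For when this text is re-landed: the removed chapter title `What are X.509 and PKIX, PKIX, PKCS7 and CMS ?` repeats PKIX and should read `What are X.509, PKIX, PKCS7 and CMS ?`.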
@@ -361,7 +348,7 @@ The process starts by looking at the issuing CA of the certificate, by
|
|||||||
Name or Key Identifier, and tries to find that certificate while at the
|
Name or Key Identifier, and tries to find that certificate while at the
|
||||||
same time evaluting any policies in-place.
|
same time evaluting any policies in-place.
|
||||||
|
|
||||||
@node Setting up a CA, Creating a CA certificate, What are X.509 and PKIX ?, Top
|
@node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
|
||||||
@chapter Setting up a CA
|
@chapter Setting up a CA
|
||||||
|
|
||||||
Do not let information overload scare you off! If you are simply testing
|
Do not let information overload scare you off! If you are simply testing
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
@c $Id$
|
@c $Id$
|
||||||
|
|
||||||
@node What is Kerberos?, What is PKIX?, Introduction, Top
|
@node What is Kerberos?, Building and Installing, Introduction, Top
|
||||||
@chapter What is Kerberos?
|
@chapter What is Kerberos?
|
||||||
|
|
||||||
@quotation
|
@quotation
|
||||||
@@ -162,32 +162,3 @@ from 1988.
|
|||||||
|
|
||||||
These documents can be found on our web-page at
|
These documents can be found on our web-page at
|
||||||
@url{http://www.pdc.kth.se/kth-krb/}.
|
@url{http://www.pdc.kth.se/kth-krb/}.
|
||||||
|
|
||||||
@node What is PKIX?, What is a Certification Authority (CA)?, Introduction, Top
|
|
||||||
@chapter What is PKIX?
|
|
||||||
|
|
||||||
PKIX is the set of Internet standards for Public Key Infrastructure (PKI),
|
|
||||||
based on the ITU-T's x.509 standads. PKI is an authentication mechanism based
|
|
||||||
on public keys (the 'PK' in 'PKI').
|
|
||||||
|
|
||||||
In PKIX we have public keys "certified" by certification authorities (CAs). A
|
|
||||||
"relying party" is software that validates an entity's certificate and, if
|
|
||||||
valid, trusts the certified public key to "speak for" the entity identified by
|
|
||||||
the certificate.
|
|
||||||
|
|
||||||
In a PKI every entity has one (or more) certified public/private key pairs.
|
|
||||||
|
|
||||||
@node What is a Certification Authority (CA)?, Building and Installing, Introduction, Top
|
|
||||||
|
|
||||||
A Certification Authority (CA) is an entity in a PKI that issues certificates
|
|
||||||
to other entities -- a CA certifies that a public key speaks for a particular,
|
|
||||||
named entity.
|
|
||||||
|
|
||||||
There are two types of CAs: off-line and online. Typically PKI hierarchies are
|
|
||||||
organized such that the most security-critical private keys are only used by
|
|
||||||
off-line CAs to certify the less security-critical public keys of online CAs.
|
|
||||||
|
|
||||||
Heimdal has support for off-line CAs using its Hx509 library and hxtool
|
|
||||||
command.
|
|
||||||
|
|
||||||
Heimdal also has an online CA with a RESTful, HTTPS-based protocol.
|
|
||||||
|
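Review bot: the removed `@node` lines carry wrong prev pointers that should be fixed before this text is re-landed: `@node What is PKIX?, What is a Certification Authority (CA)?, Introduction, Top` names `Introduction` as the previous node although the chapter follows `What is Kerberos?`, and `@node What is a Certification Authority (CA)?, Building and Installing, Introduction, Top` should point back to `What is PKIX?`. That second node is also not followed by a `@chapter` line, so the section would render without a heading, and `x.509 standads` is a typo for `X.509 standards`.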