Revert docs changes for bx509 for now
@@ -22,20 +22,19 @@
@ifinfo
@dircategory Security
@direntry
* Heimdal: (heimdal). The Kerberos 5 and PKIX distribution from KTH
* Heimdal: (heimdal). The Kerberos 5 distribution from KTH
@end direntry
@end ifinfo

@c title page
@titlepage
@title Heimdal
@subtitle Kerberos 5 and PKIX from KTH
@subtitle Kerberos 5 from KTH
@subtitle Edition @value{EDITION}, for version @value{VERSION}
@subtitle 2008
@author Johan Danielsson
@author Love Hörnquist Åstrand
@author Assar Westerlund
@author et al

@end titlepage

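Review bot: the `@direntry` line and the `@subtitle` go back to "The Kerberos 5 distribution from KTH" and "Kerberos 5 from KTH", yet the hx509/PKIX chapters, libhx509 and hxtool stay in the manual; only the online-CA (bx509) text is being backed out. Consider keeping "and PKIX" in both lines so the Info directory entry still describes what the package ships. Also visible in this hunk: the context line `@subtitle 2008` is stale and worth updating alongside the copyright range touched later in this patch.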
@@ -65,8 +64,6 @@ This manual for version @value{VERSION} of Heimdal.
@menu
* Introduction::
* What is Kerberos?::
* What is PKIX?::
* What is a Certification Authority (CA)?::
* Building and Installing::
* Setting up a realm::
* Applications::
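Review bot: removing `* What is PKIX?::` and `* What is a Certification Authority (CA)?::` from the top-level menu is consistent with the `@node What is Kerberos?` pointer change further down, but both chapters are general PKI background rather than bx509 material. If the intent is only to pull the online-CA text, keep these two entries and drop just the final sentence of the CA chapter.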
@@ -48,7 +48,7 @@

@page
@copyrightstart
Copyright (c) 1994-2019 Kungliga Tekniska Högskolan
Copyright (c) 1994-2008 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

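Review bot: reverting `Copyright (c) 1994-2019 Kungliga Tekniska Högskolan` to `Copyright (c) 1994-2008` is a regression unrelated to bx509. The year-range update should survive this revert; keep the 1994-2019 line.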
@@ -187,7 +187,7 @@ This manual is for version @value{VERSION} of hx509.

@menu
* Introduction::
* What are X.509 and PKIX ?::
* What is X.509 ?::
* Setting up a CA::
* CMS signing and encryption::
* Certificate matching::
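Review bot: the menu entry `* What is X.509 ?::` has to match the `@node What is X.509 ?` line in the later hunk byte for byte, including the space before `?`; it does. That stray space before `?` is a pre-existing style wart in both the menu and the node names and would be worth removing in one follow-up that touches every occurrence.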
@@ -230,21 +230,14 @@ Software PKCS 11 module
@end detailmenu
@end menu

@node Introduction, What are X.509 and PKIX ?, Top, Top
@node Introduction, What is X.509 ?, Top, Top
@chapter Introduction

A Public Key Infrastructure (PKI) is an authentication mechanism based on
entities having certified cryptographic public keys and corresponding private
(secret) keys.

The ITU-T PKI specifications are designated "x.509", while the IETF PKI
specifications (PKIX) are specified by a number of Internet RFCs and are based
on x.509.

The goals of a PKI (as stated in
<a href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280</a>) is to meet
The goals of a PKI infrastructure (as defined in
<a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>) is to meet
@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}.


The administrator should be aware of certain terminologies as explained by the aforementioned
RFC before attemping to put in place a PKI infrastructure. Briefly, these are:

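Review bot: reverting the citation from RFC 5280 back to RFC 3280 reintroduces an obsolete reference (RFC 5280 obsoletes RFC 3280) and has nothing to do with bx509; keep the RFC 5280 line. While in this hunk: `<a href="...">RFC 5280</a>` is raw HTML inside Texinfo and is emitted literally in Info and PDF output, so use `@uref{http://www.ietf.org/rfc/rfc5280.txt, RFC 5280}` instead; "The goals of a PKI ... is to meet" should be "are to meet"; "PKI infrastructure" is redundant; and the context lines have "terminologies" (terminology) and "attemping" (attempting). The two dropped paragraphs are also the only place the relationship between ITU-T X.509 and IETF PKIX is explained, so consider keeping them (with "X.509" capitalised).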
@@ -253,9 +246,6 @@ RFC before attemping to put in place a PKI infrastructure. Briefly, these are:
Certificate Authority
@item RA
Registration Authority, i.e., an optional system to which a CA delegates certain management functions.
@item Certificate
A binary document that names an entity and its public key and which is signed
by an issuing CA.
@item CRL Issuer
An optional system to which a CA delegates the publication of certificate revocation lists.
@item Repository
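Review bot: dropping `@item RA` and `@item CRL Issuer` removes the only definitions of those two roles, while the list itself (`Repository` ... "stores certificates and CRLs") and the Introduction ("OCSP and CRL validation") keep using "CRL". Both items are generic RFC 5280 terminology rather than bx509 material, so consider keeping them. The context line reads "Certificate Authority" where the rest of the manual, and the RFC, say "Certification Authority".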
@@ -263,7 +253,7 @@ A system or collection of distributed systems that stores certificates and CRLs
and serves as a means of distributing these certificates and CRLs to end entities
@end itemize

hx509 (Heimdal x509 support) is a near complete X.509/PKIX stack that can
hx509 (Heimdal x509 support) is a near complete X.509 stack that can
handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT)
and basic certificate processing tasks, path construction, path
validation, OCSP and CRL validation, PKCS10 message construction, CMS
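Review bot: going from "near complete X.509/PKIX stack" back to "X.509 stack" is harmless, but the context on the next line describes CMS as a "crypto system used in S/MIME"; CMS is a message syntax, not a cryptosystem, so "message format used in S/MIME and Kerberos PK-INIT" would be accurate. "PKCS10" should be "PKCS #10" (and the next hunk's "PKCS11"/"PKCS12" likewise), whichever spelling is chosen, apply it consistently.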
@@ -273,13 +263,10 @@ signed), and CMS EnvelopedData (certificate encrypted).
hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded
files.

hx509 consists of a library (libhx509) and a command-line utility (hxtool), as
well as a RESTful, HTTPS-based service that implements an online CA.
@node What is X.509 ?, Setting up a CA, Introduction, Top
@chapter What is X.509, PKIX, PKCS7 and CMS ?

@node What are X.509 and PKIX ?, Setting up a CA, Introduction, Top
@chapter What are X.509 and PKIX, PKIX, PKCS7 and CMS ?

X.509 was created by CCITT (later ITU-T) for the X.500 directory
X.509 was created by CCITT (later ITU) for the X.500 directory
service. Today, X.509 discussions and implementations commonly reference
the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate
standard, as specified in RFC 3280.

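Review bot: the deleted sentence "hx509 consists of a library (libhx509) and a command-line utility (hxtool), as well as a RESTful, HTTPS-based service that implements an online CA." only needs its last clause removed for this revert; keep "hx509 consists of a library (libhx509) and a command-line utility (hxtool)." since that describes what ships today. Likewise "(later ITU-T)" is the correct successor name for CCITT, and reverting to "(later ITU)" loses precision for no bx509-related reason. The restored title `@chapter What is X.509, PKIX, PKCS7 and CMS ?` is actually the better one, the removed version listed PKIX twice. The node rename is consistent with `@node Introduction, What is X.509 ?, Top, Top` above and the `Setting up a CA` Prev pointer in the next hunk.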
@@ -361,7 +348,7 @@ The process starts by looking at the issuing CA of the certificate, by
Name or Key Identifier, and tries to find that certificate while at the
same time evaluting any policies in-place.

@node Setting up a CA, Creating a CA certificate, What are X.509 and PKIX ?, Top
@node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
@chapter Setting up a CA

Do not let information overload scare you off! If you are simply testing
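Review bot: the Prev pointer going back to `What is X.509 ?` matches the renamed node in the previous hunk, so makeinfo's pointer validation should stay clean. The context line has a typo, "evaluting" should be "evaluating", and "policies in-place" reads better as "policies in place".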
@@ -1,6 +1,6 @@
@c $Id$

@node What is Kerberos?, What is PKIX?, Introduction, Top
@node What is Kerberos?, Building and Installing, Introduction, Top
@chapter What is Kerberos?

@quotation
@@ -162,32 +162,3 @@ from 1988.

These documents can be found on our web-page at
@url{http://www.pdc.kth.se/kth-krb/}.

@node What is PKIX?, What is a Certification Authority (CA)?, Introduction, Top
@chapter What is PKIX?

PKIX is the set of Internet standards for Public Key Infrastructure (PKI),
based on the ITU-T's x.509 standads. PKI is an authentication mechanism based
on public keys (the 'PK' in 'PKI').

In PKIX we have public keys "certified" by certification authorities (CAs). A
"relying party" is software that validates an entity's certificate and, if
valid, trusts the certified public key to "speak for" the entity identified by
the certificate.

In a PKI every entity has one (or more) certified public/private key pairs.

@node What is a Certification Authority (CA)?, Building and Installing, Introduction, Top

A Certification Authority (CA) is an entity in a PKI that issues certificates
to other entities -- a CA certifies that a public key speaks for a particular,
named entity.

There are two types of CAs: off-line and online. Typically PKI hierarchies are
organized such that the most security-critical private keys are only used by
off-line CAs to certify the less security-critical public keys of online CAs.

Heimdal has support for off-line CAs using its Hx509 library and hxtool
command.

Heimdal also has an online CA with a RESTful, HTTPS-based protocol.
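Review bot: the removed text was itself broken, which is a fair reason to back it out, but note what needs fixing before it returns: `@node What is a Certification Authority (CA)?, Building and Installing, Introduction, Top` is never followed by a `@chapter` line, and both that node and `@node What is PKIX?, ...` name `Introduction` as Prev although the menu order is Introduction, What is Kerberos?, What is PKIX?, What is a Certification Authority (CA)?, so the Prev pointers should be `What is Kerberos?` and `What is PKIX?` respectively. Also "standads" should be "standards". Everything here except the final sentence ("Heimdal also has an online CA with a RESTful, HTTPS-based protocol.") is general PKI background and off-line CA material that does not depend on bx509, so only that sentence strictly needs to go.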