Professional Documents
Culture Documents
Administrator Guide
2.0
This documentation and related computer software program (hereinafter referred to as the Documentation) is for the end users informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (CA) at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the users responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation as is without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end users applicable license agreement. The manufacturer of this documentation is Computer Associates International, Inc. Provided with Restricted Rights as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
Contents
Chapter 1: Introduction
PKI Capabilities .............................................................................. Hardware Support ........................................................................ PKI Components ............................................................................. Certificate Authority (CA) Server ........................................................... Registration Authority (RA) Server ......................................................... Web Enrolment Server..................................................................... Registration Authority (RA) Client .......................................................... End Entity Software ....................................................................... Certificate Database ....................................................................... Certificate Repository ..................................................................... CA Configuration Repository .................................................................. Configuration Manager .................................................................... 1-1 1-2 1-2 1-2 1-2 1-3 1-3 1-3 1-4 1-4 1-4 1-5
Contents
iii
Installing a Subordinate CA/RA Tier ........................................................... 2-11 Task 1Creating Subordinate CA/RA Tier Configuration Information ........................ 2-11 Task 2Deploying the Subordinate CA/RA Tier ............................................ 2-12 Task 3Installing the Subordinate CA/RA Tier ............................................. 2-12 Task 4Loading the Configuration onto the Target Machine ................................. 2-13
iv
Contents
vi
Glossary
Contents
vii
Chapter
Introduction
eTrust PKI issues and maintains digital certificates. Digital certificates provide an assured binding of the name of a person or system to a public key; they are a critical part of a public key infrastructure (PKI). eTrust PKI publishes completed digital certificates and certificate revocation lists (CRLs) in a directory. eTrust Directory is the recommended directory, but eTrust PKI will work with any fully LDAP-compliant directory. eTrust PKI can publish CRLs, but it does not rely on them entirely. It can also update the directory whenever a certificate is revokedthis allows the use of eTrust OCSPro for true online certificate status reporting.
PKI Capabilities
eTrust PKI includes eTrust Directory and eTrust OCSPro. eTrust PKI supports the important PKI public standards, including x.509, PKIX standards, and PKCS standards. This provides interoperability for PKI implementations. The administrator can use the Configuration Manager to set up the eTrust PKI security controls to be: Extremely secure Relaxed for less stringent environments
eTrust PKI can be scaled for large environments through the establishing of tiers of Certificate Authority/Registration Authority pairs.
Introduction
11
PKI Components
Hardware Support
eTrust PKI supports key generation and certificate storage on a range of hardware devices by a range of different vendors. Hardware support is by way of PKCS#11, the accepted hardware interface standard. Hardware support includes: Chrysalis-its Luna CA3 Data Key EraCom CSA 7000/8000 HSM GemPlus GPK8000 - Smartcard & GEMSAFE smartcards Rainbow iKey 2000 USB key token
PKI Components
eTrust PKI has several components. These can be installed on different machines, or on the same machine, providing flexibility of configuration.
12
PKI Components
The RA client supports both background batch processes and a foreground wizard-based GUI. The GUI provides direct control; the batch processes are provided for bulk and automated processing. The RA client is a Java GUI that requires the Java Run Time Libraries to be installed on the client machine.
Introduction
13
CA Configuration Repository
Certificate Database
The certificate database: Stores requests that are in progress (the user has requested the certificate and received the package, but has yet to return the request with the public key) Contains information on the revoked certificates Stores information from the tiers
Certificate Repository
The certificate repository is a directory service used to publish certificates and CRLs. The interface to the directory uses LDAP connecting to eTrust Directory. This allows access to any directory that offers a fully compliant LDAP interface.
CA Configuration Repository
The CA configuration repository is a directory service used to store distributed configuration settings for all PKI components within a defined infrastructure. The only directory supported as the administrative repository is eTrust Directory. This is for reasons of security and distribution. The administrative repository is separated from the publication directory. This allows you to choose eTrust Directory, or a third party directory, as the directory used to publish certificates.
14
CA Configuration Repository
Configuration Manager
The configuration manager allows the administrator to control the servers, and the general operation of the system. This includes stopping the servers, and changing the key-pairs available for signing certificates. The Configuration Manager also provides a GUI for controlling the configuration of subordinate tiers. The Configuration Manager communicates locally or remotely with any component by altering the configuration settings in the configuration directory. This allows the central rollout, administration, and maintenance of any component in the infrastructure.
Introduction
15
Chapter
This requires only one modification to the existing designthe signing certificate is not necessarily self-signed. This is not a modification to the software, but rather to the setup processthe signing certificate is installed rather than generated.
21
Advantages of Scaling
The advantages of scaling are: You can continue to build on a working design. You can test the software more readilyit will not have different modes of operation depending on the scale of operations. Each CA/RA node is capable of independent operation. Failure of any node does not affect any other node. It is possible for a failing node to be covered by another nodethe RA clients can fail over from one RA server to another without loss of functionality. The load is split. The only commonality required is in the eTrust OCSPro responder, and that has excellent scalability already. Performance problems can be addressed by upgrading or splitting the node. This does not impact other areas. There is no communications load (except for the OCSP traffic), because there is no requirement for on-going connection between the replicated systems the connection is one of issuing certificates. The impact of a compromised CA key is limited to those certificates that include the compromised CA in their chain. To minimize exposure even further, the root CA can be restricted to issuing certificates for subordinate CAs, and can operate off-line. There is no limit to the scaling. A single root CA can issue signing certificates to a vast number of subordinate CAs. One subordinate CA can have its signing certificate signed by another subordinate CA, which in turn might have its certificate signed by the root CA, or even by another level of subordinate CA. This design does not complicate the SDK component. Signing chains are supported for certificates generated by other systems.
22
23
2. 3. 4. 5.
The next time the computer is restarted, eTrust PKI Services will start automatically. Important! If the servers are running as services, they cannot start in the foreground.
24
Select Security Level SSL + SASL + Keystore Password from the drop down list. Enter the client keystore passphrase then click OK. Select the Root Tier node under the eTrust PKI node. Select the RAC Operators node under the Root CA node and click on the Registration Authority Clients tab in the right window. Click the Add New User button. Enter a name for the new RA User, for example, New RA and click Next. Enter the location of the default RAC key (the name of the key will reflect the name of the new RAC operator you entered) and click Next. Enter a key alias for the key and click Next. Enter a passphrase to protect the private key and click Finish.
25
8.
6.
26
You can now run the RA client of the remote machine with the servers running on the root machine.
27
3.
Enter a DN for the computer the end entity client will be installed on. Enter a passphrase to protect all the client keys generated.
10. Enter a unique name for the CA/RA tier and click Finish.
28
5. 6. 7.
8.
6.
29
Task 4Loading the End Entity Configuration onto the Target Machine
1. 2. Access the folders created in task 2. Copy the main end entity folder and sub-folders onto the machine where you installed the end entity client. Do this via floppy disk or network connection.
Important: The following step must be done from the local hard drive. Do not try to do this over a network because the subordinate tier may not load properly. 3. Run MyConfig.bat located in the root of the Configuration folder. The existing certificate structure is replaced with the subordinate certificates.
210
Enter a DN for the computer you will install the subordinate CA/RA tier on. Enter a passphrase to protect the client keys generated.
10. Enter a unique name for the CA/RA tier an click Finish.
211
7.
Important: If you choose a custom install you must install all products for the Subordinate CA/RA Tier to work. 5. 6. Click Next and then Install. After the reboot, run the PKI configuration.
212
Important: The following step must be done from the local hard drive. Do not try to do this over a network because the subordinate tier may not load properly. 3. Run MyConfig.bat located in the root of the Configuration folder. This replaces your existing certificate structure with the subordinate certificates.
213
Chapter
Logging In
You must log in before using eTrust PKI. The only commands accepted are Login and Cancel if: The program is first started The operator has logged out A defined time interval without operator activity has elapsed
The form of the login is determined by the policy set by the administrator. It consists of a: Certificate User ID Passphrase
31
To start the RA client: 1. 2. Log onto the computer that has the RA client loaded. The CA/RA services must be started before the RA client can run. If these services have not been set to automatically load when the computer is started, select Start, Programs, Computer Associates, eTrust PKI, Foreground CA/RA Services, then click Start to launch the services. Select Start, Programs, eTrust PKI, RA Client. The RA Client Logon Information dialog is displayed. Click Browse. The Load Key Store File dialog is displayed. Select the RA client operator p12 certificate (the default is defaultRAC_crt.p12) and click Open.
3. 4. 5.
32
6.
Enter the RA client operators passphrase and click Login. The RA client interface is displayed.
33
Issuing Certificates
Issuing Certificates
Certificates are issued according to editable profiles set up by the CA administrator. Certificates can be issued: In DER, PEM, and PKCS#12 format. If required, certificates can be converted from PKCS#12 format to PEM format using SSL. For hardware such as: Smartcards USB tokens Cryptographic boards HSMs
Tip: Use the batch tools provided with eTrust PKI to automatically process a large number of certificates. Use the web enrolment interface to process certificates requests from remote users.
34
Issuing Certificates
35
Issuing Certificates
Tip: Locating the user in the directory ensures that a valid distinguished name for the user is captured. It is simpler, and less error-prone, for the operator to locate the user in a directory than type in the distinguished name.
3. 4.
The RA client copies the users distinguished name (DN) from directory. The RA client operator chooses the certificate profile and signing key-pair. The operator must select a certificate profile for the request. The list of available certificate profiles is obtained from the RA server when the operator logs in. The certificate profile: Dictates the list of attributes assigned to the certificate Specifies fixed values for some fields Specifies default values for some fieldswhere default values are blank Enforces the fields that must be populated before the certificate process can proceed
36
Issuing Certificates
Task 2Generating Certificate Items After the RA client operator has requested a certificate, the RA client generates the following list of items needed to complete the certificate request: A key-pair (if the encryption key-pair is to be generated by the PKI). The key-pair is optionally backed up. A message authentication code (if the user is to finish creating the certificate on their own machine). A session key (used to send the certificate request back to the RA client). An incomplete certificate that contains: The users identity The specification of choice of CA signing key-pair
Task 3Creating an RA Clients Package The RA client creates a package for the user that contains: End entity client softwareon the eTrust PKI CD-ROM An incomplete certificateon a floppy disk Configuration fileson a floppy disk Instructions for how the user is to complete the generation of the keys
The floppy contains the information needed by the end entity client software to complete the certificate request and submit it. The information on the floppy includes: The incomplete certificate The MAC session key The address of the RA server
One floppy can hold the information for more than one certificate request. This simplifies matters when generating multiple certificates for a single user. The end entity client software picks up all the certificate requests on the floppy disk, and will act on each of them. Important! A different floppy must be used for each user. The information is stored on the floppy by default. This default can be changed to transport the files via another medium, for example, email the files to the user.
37
Issuing Certificates
Task 4Setting Up the End Entity Client The end entity client: 1. Generates a signing key-pair. If the user plans to store the certificate on a smart card, they will need to install the software for the smartcard reader before generating their key-pair. Generates an encryption key-pair (if applicable). Stores the private keys. 4. 5. 6. In software using PKCS#12 In smartcard or token or HSM
2. 3.
Places the public keys in an incomplete certificate. Constructs PKCS#10 request for the certificate. Transmits a request to the RA server, encrypted using the unique session key issued by RA client. The RA server validates the request, submits the complete certificate to the CA server for signing using the selected signing key, publishes the certificate in the directory using LDAP, and sends the signed certificate to the end entity client software. Saves the certificate, making it available for use with certificate enabled applications.
7.
38
Revoking a Certificate
Revoking a Certificate
There are many reasons why a certificate may be revoked. It may be due to a user becoming concerned that their certificate has been compromised, or because a person is no longer in the organization. The details of the revoked certificates are published in a generally accessible CRL and in the certificate status field held in the directory that contains the user details. To revoke a certificate: 1. 2. Select the Revoke a Certificate option from the RA client interface. Browse the Directory Information Tree (DIT) to locate the certificate to be revoked. You will need to select the specific certificate if multiple certificates have been issued to the user. The interface displays the details of the certificate to be revoked. This is to confirm that you have selected the correct certificate. Confirm both the identity of the certificates subject, and the exact certificate to be revoked. Under Revocation settings select the reason for revoking a certificate as well as how the administrator has been contacted. Tip: Select certificateHold as the revocation reason to revoke the certificate and provide a recovery option.
3.
Once the revocation is confirmed, the RA client notifies the RA server. The RA server marks the certificate as revoked in both the internal database, and in the directory. After the revocation is completed a dialog giving the option to update the CRL is displayed.
39
Revoking a Certificate
4.
Do one of the following: Click Yes to update the CRL immediately Click No to continue working without updating the CRL. You can update the CRL later with the RA Clients Generate CRL option. If your PKI uses certificate revocation lists, the lists are updated by this option.
Depending on the importance of the certificates being revoked, it may be better to wait until all the certificates have been revoked before updating the CRL. Tip: Use the batch tools provided with eTrust PKI to automatically revoke a large number of certificates. Use the web enrolment interface to revoke certificates from remote users.
310
Renewing Certificates
Renewing Certificates
A certificate must contain an expiry date. If a certificate expires and the private key has not been compromised, the certificate owner can apply to have the certificate renewed. The renewal process involves changing the expiry date and having the certificate signed again. The new expiry date of the certificate cannot be later than the expiry of the CA root certificate This option allows a customer to keep their existing set of keys and issue a new certificate for the next period. To renew a certificate: 1. 2. 3. 4. From the RA client interface, select the Renew a Certificate. The Renew a Certificate dialog is displayed. Use the Explore tab and the DIT to find the customer record. Open the customer folder and select certificateSerialNumber. Check that the certificate details match the ID presented by the user. The level of ID required is determined by the profile issued. Profiles for higher levels of security are likely to require the user to provide more ID. In Renewal Settings enter the date the new certificate expires. The date is in MM/DD/YYYY format. Click the Renew button. A dialog to confirm the renewal is displayed. Click Yes to proceed with the renewal. The RA server creates and signs a new version of the certificate. Save the new certificate onto a floppy disk and pass it to the user along with instructions on how to install it.
5. 6. 7. 8. 9.
10. The user can now install the new certificate onto their computer. Tip: Use the batch tools provided with eTrust PKI to automatically renew a large number of certificates. Use the web enrolment interface to renew certificates for remote users.
311
4. 5.
6. 7. 8.
9.
312
Standard Reports
There are a number of standard reports installed with the default installation of the RA client. These include: The details for any certificates that have been revoked. The details for any unsigned certificates that have been given to end entities. Systems activity reports for the RA client, RA server, and CA server log. By default, the log files record warnings, information, and debug events. You can change the events recorded to suit your requirements.
To run a standard report, open the RA Client and click Report on the Archived Data.
3.
The report can be run by you or another RA client operator at a later date.
313
You can select a profile that suits each applicant. The certificate profile determines: What fields are compulsory Default values The list of possible valid entries Whether the private / public key-pair is generated by the end entity client or by the RA client Whether the RA server is to retain a copy of the private key for backup purposes
314
Viewing Profiles
Viewing Profiles
The RA client operator can see the attributes available for each type of customer profile. Check with the eTrust PKI administrator before editing or creating new profiles. To view a profile: 1. 2. From the RA Client interface click View Profiles. Select a profile from the drop down box. Each profile has common attributes as well as a set of attributes that are personalized for that particular customer profile.
Tip: Use the Edit and Delete buttons to maintain your profiles while in view mode.
To keep previous versions of the profile, modify the version number each time a profile is modified. You can only select the latest version of a profile when issuing a certificate but all versions are kept for auditing and rollback purposes. For information on any of the V1, V2, or V3 certificate versions see RFC2459 on www.ietf.org.
Editing Profiles
To edit a profile: 1. 2. 3. 4. From the RA Client select View Profiles. Select the profile to be edited. Click the Edit button. To make the required changes expand the tree and: Edit the fields that have changed Add new fields Delete any fields not needed
315
316
2. 3. 4. 5.
Select Backup PKI configuration and click Next. Specify where the original PKI components are installed and where to save the configuration data. Click Next twice. The backup process starts. When the backup is complete, click Finish.
317
Important! If you are recovering from a backup, reinstall PKI with the original path. If you are moving your PKI installation to a new machine, install PKI to the original path and copy the backup directory (pkiconfig) to the original path.
318
Chapter
eTrust PKI provides a mechanism for replacing an expired certification authority signing certificate. This process is referred to as rollover. Rollover is needed because certificates have a limited life span. As the root certificate approaches the limit of its life span it needs to be replaced. The life span of the issued customer certificates is controlled by the life span of the root certificates. For example, if the life span of certificates issued to customers is one year, then the root certificate must be valid for at least the end of that year. The rollover tool creates a new certificate with the old. This allows the certificates issued by the old CA certificate to continue to be validated until their expiry.
Setting Up Rollover
Rolling over requires that a new certificate be published to the directory. To set up rollover: 1. 2. Ensure that the CA/RA servers are running. From a computer with a full PKI installation, choose Start, Programs, Computer Associates, eTrust PKI, Server Administrative Tools, Rollover tool. The Rollover Tool Logon Information dialog is displayed. Click Browse. The Load Key Store File dialog is displayed. Select the RA client operator p12 certificate (the default is defaultRAC_crt.p12) and click open. Enter the RA client operators passphrase and click Login. The Rollover Tool dialog is displayed.
3. 4. 5.
41
Setting Up Rollover
6.
Enter the fields on the dialog: Valid Fromthe initial date from which the root certificate will be valid. A calendar is available to ensure that the correct date is selected. This helps to ensure that leap years and short months are taken into account. Valid Tothe final date that the certificate will be valid. A calendar is available to ensure that the correct date is selected. This helps to ensure that leap years and short months are taken into account. Rollover the new certificate as soon as the validity period of the certificates it issues outlasts its own. Make CA certificates last for at least one year beyond the life span of the certificates issued to the end entities. Public Key Encryption Strengththe strength of encryption used for the public certificate. There is a trade-off between higher encryption and faster processing. 1024 or 2048 is recommended. Enter a Passphraseprotects the use of the CA private key.
4.
When you have collected all of the information select Next to complete the rest of the steps required to rollover the old certificate to the new. You will need to enter the passphrase used to create the original CA private key. The Rollover Progress dialog displays the progress of the rollover process. Stop and restart the servers after rolling over the root certificate.
5. 6.
42
CA Key Rollover
CA Key Rollover
When a new root certificate is created it has the same name as the old one, but has a different serial number. Note that this relies on issued certificates containing the authority key identifier extension so that the root certificates can be distinguished from each other. When a new key pair is used it appears to be technically feasible to reuse the same key pair. X.509 section 7, however, implies that the keys would be distinct. If self signed cross certificates are created (the old key, signed with the new, and the new signed with the old) in addition to the new certificate, a path of trust between the new key and the old key is provided. RFC 2510 describes how cross certificates can be used in validation. It is possible to specify a private key usage period for the CA key that implies that it will not be used for signing certificates after a certain date. X.509 section 8.2.2.5 says: With digital signature keys, the usage period for the signing private key is typically shorter than that for the verifying public key. The CA private key is a signing key, so it should follow the same rules.
Background
X.509 section 7 lists the CA certificate types: Self issuedthe issuer and the subject are the same CA. A CA might use self issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key. Self signeda special case of self issued certificates where the private key used by the CA to sign the certificate corresponds to the public key that is certified within the certificate. A CA might use a self signed certificate, for example, to advertise their public key or other information about their operations. Cross certificatethe issuer and the subject are different CAs. CAs issue certificates to other CAs: As a mechanism to authorize the existence of the subject CA (for example in a strict hierarchy) To recognize the existence of the subject CA (for example in a distributed trust model)
43
CA Key Rollover
The IETF's RFC2510 states: "2.4 Root CA key update. This discussion only applies to CAs that are a root CA for some end entity. The basis of the procedure described here is that the CA protects its new public key using its previous private key and vice versa. Thus when a CA updates its key pair it must generate two extra CACertificate attribute values if certificates are made available using an X.500 directory (for a total of four: OldWithOld; OldWithNew; NewWithOld; and NewWithNew). When a CA changes its key pair those entities which have acquired the old CA public key via "out-of-band" means are most affected. It is these end entities who will need access to the new CA public key protected with the old CA private key. However, they will only require this for a limited period (until they have acquired the new CA public key via the "out-of-band" mechanism). This will typically be easily achieved when these end entities' certificates expire. The data structure used to protect the new and old CA public keys is a standard certificate (which may also contain extensions). There are no new data structures required."
Further Information
Information on the IETF can be found at www.ietf.org Information on X.509: http://www.nci.ac.cn/os/linux/security/x509/X.509_4thEditionDraftV5.pdf
44
Chapter
Web Enrolment
Web enrolment enables local and remote users and the RA operator to conduct their certificate issuance and maintenance activities via a web server. The web enrolment server must be the same machine as the RA server. Web enrolment removes the need for users to be physically present with the RA operator when requesting that a certificate be: Issued Revoked Renewed Recovered
2. 3. 4. 5.
Tip: For information on the configuration fields and procedures click Help.
Web Enrolment
51
52
Issuing a CertificateWorkflow
Issuing a CertificateWorkflow
The workflow involved to request, issue, and receive a new certificate is: 1. 2. 3. 4. 5. 6. 7. The user accesses the web enrolment web server via a web browser, enters their details, and submits the request. The RA operator receives an email from the web enrolment server detailing the request. The RA operator confirms the validity of the request then processes it. The web enrolment server generates a request to the RA server to create a certificate. The RA server generates a certificate and notifies the web enrolment server. The web enrolment server notifies the RA operator and the user that the certificate has been generated. The user receives a notification email, downloads the certificate, and installs it. RA Server
RA Operator
Users
Web Enrolment
53
User Tasks
User Tasks
All of the user tasks are performed from the eTrust PKI Workflow interface page of the web enrolment server. The user can issue a request to: Create a certificate Recover a private key Renew a certificate Revoke a certificate
54
User Tasks
2. 3. 4. 5. 6. 7. 8. 9.
10. Locate the file and double-click it. A wizard is displayed. 11. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.
Web Enrolment
55
User Tasks
7. 8. 9.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8. 11. Open the notification email from the RA operator and click on the hyperlink. The Collect a Certificate page is displayed. 12. Click Download. The File Download dialog is displayed. 13. Specify a location to save the file to and click Save. The filename.p12 certificate downloads. 14. Locate the file and double click it. A wizard is displayed. 15. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.
56
User Tasks
7. 8.
9.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8. 11. Open the notification email from the RA operator and click on the hyperlink. The Certificate Collection page is displayed. 12. Click Download. The File Download dialog is displayed. 13. Specify a location and click Save. The name.p12 certificate downloads. 14. Locate the file and double click it. A wizard is displayed 15. Follow the steps in the wizard to extract and save the certificate in the Microsoft Certificate key store.
Web Enrolment
57
User Tasks
7. 8.
9.
10. Wait for the RA operator to process the request and respond via email. The email is sent to the address specified in step 8. 11. The certificate is revoked and a notification email is sent to the RA operator and the user.
58
Creating a Certificate
To process a certificate request from the web: 1. 2. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed. Confirm your identity by selecting your certificate (the RAC operator certificate) and clicking OK. The eTrust PKI Web Enrolment Operator home page is displayed. Examine the request details and perform the required verification checks. Tick the Approve Request or Deny Request radio button. Click Submit. If you approved the request, the web enrolment server: Sends a request to the RA server for the certificate to be generated Sends an email containing a hyperlink to the certificate to the user Sends an email confirming that the certificate was generated to your email address
3. 4. 5.
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
Web Enrolment
59
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
510
Revoking a Certificate
To revoke a certificate with the web enrolment server: 1. 2. 3. 4. 5. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed. Confirm your identity by selecting your certificate and clicking OK. The eTrust PKI Web Enrolment dialog is displayed. Examine the request details and perform the required verification checks. Tick the Approve Request or Deny Request radio button. Click Submit. If you approved the request, the web enrolment server: Sends a request to the RA server for the certificate to be revoked Sends an email confirming that the certificate was revoked to the user Sends an email confirming that the certificate was revoked to your email address
Web Enrolment
511
Renewing a Certificate
To renew a certificate with the web enrolment server: 1. 2. 3. 4. 5. Open the email that arrived from the user and click on the hyperlink. The Client Authentication dialog is displayed. Confirm your identity by selecting your certificate and clicking OK. The eTrust PKI Web Enrolment dialog is displayed. Examine the request details and perform the required verification checks. Tick the Approve Request or Deny Request radio button Click Submit. If you approved the request, the web enrolment server: Sends a request to the RA server for the certificate to be renewed Sends an email containing a hyperlink to the renewed certificate to the user Sends an email confirming that the certificate was renewed to your email address
Tip: If you reject a request, add a comment explaining why it was rejected. This is included in the notification email to the user.
512
Viewing and Processing Certificate Requests To view all certificate requests: 1. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.domain.com:8444/operator/index.html). The eTrust PKI Workflow Operator home page is displayed. Select See all Certificate Requests. The Certificate Requests page is displayed. Open requests have their ID displayed as a hyperlink. To process an open request select the ID hyperlink. The Approve a Request page is displayed. Approve or deny the request.
2. 3. 4.
Web Enrolment
513
Viewing and Processing Revocation Requests To view all revocation requests: 1. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.domain.com:8444/operator/index.html). The eTrust PKI Workflow Operator home page is displayed. Select See all Revocation Requests. The Revocation Requests page is displayed. Open requests have their ID displayed as a hyperlink To process a request select the ID hyperlink. The Approve a Request page is displayed. Approve or deny the request.
2. 3. 4.
Viewing and Processing Renewal Requests To view all renewal requests: 1. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.domain.com:8444/operator/index.html). The eTrust PKI Workflow Operator home page is displayed. Select See all Renewal Requests. The Renewal Requests page is displayed. Open renewals have their ID displayed as a hyperlink To process a request select the ID hyperlink. The Approve a Request page is displayed. Approve or deny the request.
2. 3. 4.
Viewing and Processing Recovery Requests To view all recovery requests: 1. Open Internet Explorer and enter the address of the web enrolment operator web server (https://webservercomputername.domain.com:8444/operator/index.html). The eTrust PKI Workflow Operator home page is displayed. Select See all Revocation Requests. The Recovery Requests page is displayed. Open requests have their ID displayed as a hyperlink To process a request select the ID hyperlink. The Approve a Request page is displayed. Approve or deny the request.
2. 3. 4.
514
2. 3.
Web Enrolment
515
516
To add a group to the list: 1. Open the file and add the new group. For example:
FirstGroup,AU,Acme,Testing SecondGroup,US,Acme,Marketing ThirdGroup,AU,Acme,HR FourthGroup,UK,WidgetCo,Finance
2. 3. 4. 5. 6.
Save the file. Reboot the user web server. Navigate to Create a Certificate Request. Select the drop down list. The new group is displayed in the list. Select the new group. The DN fields are populated.
Web Enrolment
517
Chapter
Batch Processing
The batch processor enables you to process a large number of transactions. Use the batch processor to: Create certificates (using a GUI or as a command line tool) Revoke certificates Renew certificates Create reports Generate CRLs on demand
Batch Processing
61
Delimiters chosen must be unique, and should not occur naturally within the text file. This is made easy by the fact that delimiters can be multiple characters in length, for example: ZZZZ9999. Values for basic key usage and extended key usage are separated by a pipe symbol (|). The batch file batchc.bat is located in %PKIHOME%\lib directory. It can be executed from any directory when using the command line. A certificate that is not created, revoked, or renewed by the batch client is logged to the text file %PKIHOME%\lib\batchc_retry.log. Use this file to correct any errors and retry the process. Examples of the text files used to create, revoke, and renew certificates are in %PKIHOME%\doc\samples.
62
2. 3.
Or:
This makes the passphrase to the certificate issued to Andrew Bumblebee secret01 and the passphrase to the certificate issued to or Bart Cummins secret02. Otherwise, the default passphrase secret is used. 4. To use the GUI to facilitate the production of the batch certificates type one of the following on the command line:
batchc genCert -gui
or
batchc genCert gui certPassword secret4all
This makes secret4 the passphrase for all the certificates created by the job The RAC batch client logon information is displayed. 5. Click Browse and select the client keystore to log onto the batchc application.
Batch Processing
63
6. 7. 8.
Enter your passphrase and click Login. Select the profile for the type of certificate to be issued. Select the file containing the input data and the delimiter used to define the end of each entity. A profile is the full name of the certificate template used to create certificates. Tip: Keystore details can be optionally entered with the certificate creation command. This reduces the command entry to one from three (creation, keystore location, and passphrase). If these are not entered the program prompts for their input.
9.
10. To run the entire process from the command line use the command:
batchc genCert profile "<Profile>" datafile "<datafile>" delimiter <delimiter> outputDir "output directory" keystore "<keystore location>" keypassword "<password>"
64
2.
2.
Batch Processing
65
Note: The query must already be configured and saved using the Reporting option from the RAC before it can be run from the command line.
66
Chapter
Central Concepts
The SDK provides functionality that enables the use of public key cryptography in applications. Central concepts for the use of the eTrust PKI SDK are: Keys Certificates Cryptographic providers
Most of the API functions take handles representing these types of objects.
Keys
Keys are used for encrypting/decrypting data. Each key is associated with a specific encryption algorithm. Both symmetric keys and asymmetric keys (public/private key pairs) are available. Symmetric keys complement public key/private key pairs by providing a less computationally intensive encryption operation. To use a key it must be associated with a cryptographic provider. A key should not be used after its associated provider has been closed.
71
Central Concepts
Certificates
A certificate is a signed electronic document that asserts that a particular entity is the holder of the private key that corresponds to a particular public key. The certificate specifies the name of the entity, the name of the authority that makes this assertion, and the public key. Although certificates are frequently stored within cryptographic providers, they can exist independently and can be used even if the providers they have been loaded from are offline.
Cryptographic Providers
A cryptographic provider represents a device that can store certificates and keys. This may be a hardware device such as a smart card, or it may be implemented entirely in software. A default provider is created when the API is initialized, using information specified in a configuration file. The default provider holds all of the trusted certificates. After initialization, it is not possible to add more certificates to the default provider. To use the default provider NULL should be passed instead of a provider handle. When communicating with hardware providers the ETCER API uses the PKCS#11 - Cryptographic Token Interface Standard. Users of the ETCER API should be aware that not all hardware providers implement all algorithms detailed in this standard and not all hardware providers implement the standard in the same way. Although efforts have been made to ensure that the ETCER API will handle such variations in a robust fashion, it cannot be guaranteed that the ETCER API will be able to perform exactly as described for all such devices on the market.
72
Core Functionality
Core Functionality
The ETCER API is designed to provide simple access to common cryptographic functions. The functions that are available with this version include: Encrypting/Decrypting Signing/Verifying Certificate validation Extracting certificate details
Encrypting/Decrypting
There are two types of encryption/decryption supported by the ETCER API: Symmetricencrypts and decrypts using the same key. Symmetric is better suited to large amounts of data than asymmetric encryption/decryption and is usually faster. The biggest draw back with this method is finding a secure way for the sender of a message to inform the intended recipient of the symmetric key used. This method also fails to scale well as each individual that wishes to secretly communicate needs to have a shared secret with each other party. Asymmetricrequires a key pair. Data encrypted with either one of the keys must be decrypted using the other key. Usually one of these keys will be designated the private key and kept secret, the other will be designated the public key and may be freely distributed. The sender of a message can encrypt the message with the desired recipients public key. The recipient can then decrypt the message using the associated private (secret) key. This allows systems that use asymmetric encryption to scale far better than systems that use symmetric keys. This form of encryption is not well suited to large amounts of data.
73
Core Functionality
To get the best from both forms of encryption the following method is used: The sender of a message generates a symmetric key The sender uses the symmetric key to encrypt the message The sender uses recipients public key to encrypt the symmetric keythis is because the public key is usually very short compared to the actual message The sender sends both the encrypted message and the encrypted symmetric key to the recipient The recipient decrypts the symmetric key using their private key The recipient uses the decrypted symmetric key to decrypt the message
This combination of symmetric/asymmetric encryption has a secondary benefit. When sending the same document to multiple recipients the document only needs to be encrypted once. The symmetric key used to encrypt the document can then be asymmetrically encrypted for each recipient using the recipients public key. Sample code that illustrates encryption and decryption is provided within the samples folder of the ETCER SDK installation. See the appropriate readme files for further details.
Signing/Verifying
Digital signing and verifying of data can be used to ensure that the data has come from a particular source and that the data has not been tampered with. Signing is the process of generating a digital signature for a piece of data (often a document or a certificate). Signatures are a fixed length and are generated by first generating a digital hash or fingerprint of the document and then encrypting that fingerprint using the signing entities private key. Verifying is the process of testing that a digital signature and a piece of data match. Verification is performed using the public key associated with the private key used during signing. If the data being checked is not the same as the data that was signed, the signature will be invalid. If the public key used is not valid for the private key used during signing, the signature will also be invalid. It is not possible to distinguish between a signature being found invalid because of tampering with the document content, or because the private key used during signing is not the pair of the public key used during verification.
74
Core Functionality
Sample code is provided in the samples folder of the ETCER SDK installation that illustrates signing and verification. See the appropriate readme files for further details.
Validating Certificates
Certificates provide a means of associating a public key with a particular entity, so that those using the public key can feel secure in the knowledge that the key really does belong to the entity that they think it belongs to. Certification authorities issue certificates. These authorities sign the certificates they issue. The certificate authority will provide a certificate that can be used to verify this signature. This certificate will either be signed by another certificate authority or, if the authority in question is a root certificate authority, it may be self-signed. This is said to occur when a certificate authority signs its own certificate. It is up to the relying party to decide for themselves whether or not to trust a self-signed certificate. The chain of certificate signing that results is called a certification path. Before using a certificate it is vital to check that it is valid. A certificate may be deemed invalid if: It is out of date, either being used before or after its valid date range The issuing certificate authority has revoked it No certificate in the certification path is trusted by the entity performing the validation.
The ETCER API supports all of the above aspects of certificate authentication. Sample code is provided in the samples folder of the ETCER SDK installation that illustrates validation. See the appropriate readme files for further details.
75
Setting Properties
Properties and sections within a configuration object can be created and/or updated directly using the ECTER API function calls:
Etcer_OpenConfigSection, Etcer_CloseConfigSection, Etcer_SetConfigString
Configuration information can also be imported from a file using the ETCER API function call:
Etcer_ImportConfigFile
The file is structured as a Microsoft Windows initialization file. For example, to set the 'initpem' property of the 'default' section the file would look like:
[default] initpem=root.pem
76
77
78
Chapter
Setting Up HSMs
eTrust PKI supports key generation and certificate storage on a range of HSMs. This chapter describes how to use eTrust PKI with: Eracom CSA7000 and CSA8000 HSMs GemPlus GemPKCS SDKv3Smartcard and GemSAFE Smartcard Rainbow iKey 2000 USB key token Datakey Smartcard Chrysalis-ITS Luna CA3 GemPlus GemSAFE Smartcard
4. 5.
6. 7.
Setting Up HSMs
81
To save a certificate to the Eracom CSA adapter through the RA client: 1. 2. 3. 4. 5. Click Issue a Certificate. Choose Profile of Certificate. Follow the Issue a Certificate instructions until Step 7. Choose Via Smartcard and the Eracom CSA7000 Vendor. Change the PIN field to your Eracom CSA Adapter passphrase.
82
2. 3. 4. 5. 6. 7. 8.
Setting Up HSMs
83
5.
Ensure that your setup matches the configuration: Value GEMPLUS_SmartCard ck2priv 0 **** rsa1 Notes This is the vendor for GemPKCS SDKv3 drivers Default Default Default if this has been changed, change it here also Default
After you have saved the root on the smart card, do not save any more certificates on that card. To save a certificate to the smart card through the RA Client: 1. 2. 3. 4. 5. Click Issue a Certificate. Choose Profile of Certificate. Follow the Issue a Certificate instructions until Step 7. Choose Via Smartcard and the GEMPLUS_SmartCard Vendor. Change the PIN field to your Smart Card passphrase.
84
Important! When installing the drivers for Windows 2000 do not use the complete installation the typical installation provides the correct functionality. 2. 3. 4. Choose the correct reader and port number. Insert a GemSAFE smart card into the card reader. Use the card details tool to check that you can talk to the card: NT: Start, Programs, GemSAFE, GEMSAFE Card Details Tool 2000: Start, Programs, GemSAFE Card Details Tool Enter the card passphrase. If you encounter any difficulties reading the card, reboot the PC and try again. Select Card, Information. Check that the card is empty.
5. 6. 7.
Setting Up HSMs
85
5.
Ensure that your setup matches the configuration: Value GEMPLUS_SmartCard ck2priv 0 **** rsa1 Notes This is the vendor for GemPLUS drivers Default Default Default if this has been changed, change it here also Default
After you save the root on the smart card, do not save any more certificates on that card. To save a certificate to the smart card through the RA Client: 1. 2. 3. 4. 5. Click on Issue a Certificate. Choose Profile of Certificate. Follow the Create a Certificate instructions until Step 7. Choose Via Smartcard and the GEMPLUS_SmartCard Vendor. Change the PIN field to your Smart Card passphrase.
86
Setting Up HSMs
87
4.
Uncheck the In Software option and choose the Via Smartcard option, ensuring that your setup matches the configuration: Value Rainbow_iKey dkck201 0 ******* rsa1 Notes This is the vendor for Rainbow iKey drivers Default Default Default if this has been changed, change it here also Default
After you have saved the root on the token, do not save any more certificates on that token. To save a certificate to the token through the RA Client: 1. 2. 3. 4. 5. Click Create a Certificate Request. Choose Profile of Certificate. Follow the Create a Certificate instructions until Step 7. Choose Via smartcard and the Rainbow_iKey Vendor. Change the PIN field to your tokens passphrase.
88
When using the Datakey with eTrust PKI ensure that you have the right drivers for the reader you are using. To install the Datakey drivers: 1. 2. 3. 4. 5. 6. 7. 8. Follow the install wizard and choose the correct reader and port number. Insert a Datakey smartcard into the card reader. Select Start, Programs, Datakey, Token Utility. The Token Utility dialog is displayed. Check that you can talk to the card. Click Display Objects. The card information is displayed. Enter the card passphrase. Check the card for previous information and make sure that it is empty. Opening the Token drop down menu and select Initialize Token. The card is initialized.
Setting Up HSMs
89
After saving the root on the smart card, do not save any more certificates on that card. To save a certificate to the smart card through the RA Client: 1. 2. 3. 4. 5. Click on Create a Certificate Request. Choose Profile of Certificate. Follow the Create a Certificate instructions to Step 7. Choose Via Smartcard and the Datakey vendor. Change the PIN field to your smart card passphrase.
810
[Chrystoki2] LibNT=C:\Program Files\Luna\cryst201.dll L-ibNT=C:\Program Files\Luna\lblib201.dll [Luna] DefaultTimeOut=500000 PEDTimeout1=100000 PEDTimeout2=100000 [CardReader] RemoteCommand=1 [LBLib2] L-ibNT=C:\Program Files\Luna\cryst201.dll E-nabled=1
4.
[Chrystoki2] L-ibNT=C:\Program Files\Luna\cryst201.dll LibNT=C:\Program Files\Luna\lblib201.dll [Luna] DefaultTimeOut=500000 PEDTimeout1=100000 PEDTimeout2=100000 [CardReader] RemoteCommand=1 [LBLib2] LibNT=C:\Program Files\Luna\cryst201.dll Enabled=1
Setting Up HSMs
811
10. When the window finds the driver click Next, then Finish.
812
10. Insert the red PED key and press Enter. 11. Select No when asked to create a domain. 12. Select No when asked if this is a duplicate PED key. 13. Insert the blue and black PED keys. 14. Enter a PIN to protect the key. (This can be left blank.) 15. Type N when asked if this is a duplicate PED key. The initialization completes.
Setting Up HSMs
813
814
Setting Up HSMs
815
5.
Ensure that your setup matches the configuration: Value GemPLUS3.0_ SmartCard GCLib 0 **** rsa1 Notes This is the vendor for GemPLUS 3.0 drivers Default Default Default if this has been changed, change it here also Default
Note: Do not save any other certificates on the card with the root certificate.
816
Chapter
Cross Certification
Cross certification occurs where one CA certifies that another CA can be trusted. Cross certification can be used to verify third party CAs and their certificates. This can be important when you want your certificates to work with third party hardware or software that has fixed trusted root certificate stores.
Cross Certification
91
92
To copy a public key from the MS certificate store: 1. 2. 3. 4. 5. 6. 7. 8. 9. Open Internet Explorer. Select Tools, Internet Options. The Internet options dialog is displayed. Select the Contents tab and click Certificates. The Certificates Manager dialog is displayed. Select the Trusted Root Certification Authorities tab. Select the CA to cross certify with. Select Export. The Certificate Manager Export Wizard is displayed. Click Next twice, then enter the path and file name where the certificate is stored. Click Next, Finish. The completed dialog is displayed. Click OK and close Internet Explorer.
Cross Certification
93
3. 4. 5.
6. 7.
Select View Cert and check the details of the certificate. Note the Issued By field as this will be change when cross certification is finished. From the Cross CA Certificate Generation wizard, select Next to start updating the Certificate details. Name: The distinguished name (DN) of the CA root server Non-standard DN: The DN of the CA root server Ordered DN: This allows a DN to be specified in a structured manner Country: The two letter country code where the subject CA root server is located Organization: The organization that owns the subject CA root server Organization Unit: The office or group that controls the CA Root server Name: The name of the CA root server E-mail: The e-mail address of the CA root server
94
8. 9.
Enter the details for Valid Fromthe first date that the root CA certificate will be valid from. Enter the details for Valid Tothe last day that the root CA certificate will be valid.
10. Enter the details for Authority Info Accessthe host name and port number for the OCSP responder. Users of your new cross certificate will know where to check its online status. 11. Click Next to continue. 12. Enter the field Basic Constraints. These allow you to specify if the certificate being cross certified to is for a user or for a CA. In practice, it would be unusual to cross certify to an individuals certificate. It is expected that you would normally cross certify to another CA. 13. Enter the field Path Length. This specifies the number of certificates that can be chained from your cross certified CA. The options are: NoneYou do not trust any certificates that were issued by the cross certificate CA. You will only trust the exact certificate that is being cross certified. This may be useful if you want to certify a single user. Select Type = EE and Path Length Constraint = None. 1You only trust the certificates that were issued by the CA that you are cross certifying to. 2You trust the CA that you are cross certifying with, and also trust a certificate issued by a third CA who is trusted by the CA that you are cross certifying with.
Tip: You may not be fully aware of the issuance policies that are used by third parties. For this reason a path length of 1 is recommend.
14. Click Next to confirm your wizard selections. The new certificate is created. 15. Enter where to save copies of the new certificate.
Cross Certification
95
Glossary
Attribute Authority (AA) An authority trusted by one or more users to create and sign attribute certificates. It is important to note that the AA is responsible for the attribute certificates during their whole lifetime, not just for issuing them.* Attribute Certificate (AC) A data structure containing a set of attributes for an end-entity and some other information, which is digitally signed with the private key of the AA which issued it.* Certificate Can refer to either an AC or a public key certificate.* Certification Authority (CA) An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the users keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime, not just for issuing them. Certificate Policy (CP) A named set of rules that indicates the applicability of a public key certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of public key certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.* Certification Practice Statement (CPS) A statement of the practices which a CA employs in issuing public key certificates.*
Glossary1
Certificate Revocation Lists (CRL) A list of certificates that have been revoked before their scheduled expiration date. DER Distinguished Encoding Rules. DER is a component of the Abstract Syntax Notation (ASN.1) standard as defined by the International Standards Organization (ISO). It defines the format used to transfer data across a network. Directory Information Tree (DIT) The collection of entries within a directory organized in hierarchical fashion that reflects their inter-relationship. End-entity (EE) A subject of a certificate who is not a CA in the PKIX or an AA in the PMI. (An EE from the PKI can be an AA in the PMI).* HSM Hardware Security Module. HSMs are used to securely store private keys. When a document is to be signed, the document is sent to the HSM which then generates the signature. The important feature is that the private key never leaves the HSM. HSMs may be certified as resistant to various forms of electronic and physical attack, for example, FIPS 140-1 Level 3. Lightweight Directory Access Protocol (LDAP) A communications protocol that allows access to a directory service. Supports lightweight access to static directory services, allowing relatively fast search and update. Lightweight Directory Interchange Format (LDIF) An ASCII file format used to exchange data and enable the synchronization of that data between LDAP servers. Method Each policy consists of one or more methods, each of which perform a welldefined unit of work, e.g. set the status of the response, set the signature of the response, etc. OCSP Online Certificate Status Protocol.
Glossary2
PEM Privacy Enhanced Mail. The PEM application defines a file format for storing certificates, CRLs and private keys. This format has become popular and is now used by several other applications. Policy Each policy represents a personality or role that the responder takes on. Example roles in the Identris model are Relying Customer Role and Inter-participant Role. Privilege Management Infrastructure (PMI) A collection of ACs, with their issuing AAs, subjects, relying parties and repositories, is referred to as a Privilege Management Infrastructure.* Public Key Certificate (PKC) A data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the CA which issued it.* PKCS Public Key Cryptography Standards. This is a series of standards defined by RSA Laboratories (http:// www.rsasecurity.com). eTrust OCSPro uses PKCS #11: Cryptographic Token Interface to access Hardware Security Modules (HSMs). Public Key Infrastructure (PKI) The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke PKCs based on public-key cryptography.* Registration Authority (RA) An optional entity given responsibility for performing some of the administrative tasks necessary in the registration of subjects, such as: confirming the subjects identity; validating that the subject is entitled to have the values requested in the PKC and verifying that the subject has possession of the private key associated with the public key requested for a PKC.* Relative Distinguished Name (RDN) A name component that identifies an entry with respect to the entry just above in the hierarchy.
Glossary3
Relying Party (RP) A user or agent (for example, a client or server) who relies on the data in a certificate when making decisions.* Resco Responder Configuration. This is the tool which configures the OCSPro Responder. Root CA A CA that is directly trusted by an EE; that is, securely acquiring the value of a Root CA public key requires some out-of-band steps. this term is not meant to imply that a Root CA is necessarily at the top of any hierarchy, simply that the CA in question is trusted directly.* Selection Criteria Selection criteria are evaluated prior to the execution of each policy and method to determine whether the policy/method should be evaluated. Selection criteria are based on attributes of the request, the current state of the response and information stored in the directory. Subject Certificate The certificate identified in the CertId field of the OCSP request. Subordinate CA A "subordinate CA" is one that is not a Root CA for the EE in question. Often a subordinate CA will not be a Root CA for any entity, but this is not mandatory.* Top CA A CA that is at the top of a PKI hierarchy.
* Denotes that this definition has come from the IETF PKIX Roadmap, draft-ietf-pkixroadmap-04.txt, available from http://www.ietf.org.
Glossary4