introduction
A Public key certificate is needed to secure e-commerce over the Internet. The contents of a certificate is defined by the X.509 standard.
An X.509 certificate links the owner's name and the owner's public key. It is signed by a CA to prove you can trust it.
what it is
Every public key certificate for every secure web site is written in the same format. This universal sameness is a big relief for people writing web clients and web servers. The standard they have to follow is called X.509.
The sci-fi B movie name "X.509" was created by the ITU (International Telecommunications Union), an agency of the United Nations. It is an open standard that anyone can use.
The ITU
As you would expect of a huge vast organisation like the United Nations, the division responsible for communication is big and clever. It is split into lots of specialist groups, and the recommendations of these groups are categorised. Category X is the one we are interested in. This is the one that defines OSI (Open Systems Interconnection).
| LIC table: ITU recommendations | ||
|---|---|---|
| name | title | notes |
| A | Organization of the work of ITU-T | |
| B | Means of expression: definitions, symbols, classification | |
| C | General telecommunication statistics | |
| D | General tariff principles | |
| E | Overall network operation, telephone service, service operation and human factors | |
| F | Non-telephone telecommunication services | |
| G | Transmission systems and media, digital systems and networks | |
| H | Audiovisual and multimedia systems | |
| I | Integrated services digital network | |
| J | Cable networks and transmission of television, sound programme and other multimedia signals | |
| K | Protection against interference | |
| L | Construction, installation and protection of cables and other elements of outside plant | |
| M | TMN and network maintenance: international transmission systems, telephone circuits, telegraphy, facsimile and leased circuits | |
| N | Maintenance: international sound programme and television transmission circuits | |
| O | Specifications of measuring equipment | |
| P | Telephone transmission quality, telephone installations, local line networks | |
| Q | Switching and signalling | |
| R | Telegraph transmission | |
| S | Telegraph services terminal equipment | |
| T | Terminals for telematic services | |
| U | Telegraph switching | |
| V | Data communication over the telephone network | |
| X | Data networks and open system communication | This is the one we are interested in. |
| Y | Global information infrastructure and internet protocol aspects | |
| Z | Languages and general software aspects for telecommunication systems | |
X recommendations
These are like Internet RFCs (Requests For Comments). The ITU bucked the engineering trend of using three letter acronyms and used a simple letter X followed by a serial number. There are hundreds of these recommendations, starting with the number 1.
| LIC table: X recommendations |
|---|
| X.1: International user classes of service in, and categories of access to, public data networks and Integrated Services Digital Networks (ISDNs) X.2: International data transmission services and optional user facilities in public data networks and ISDNs X.3: Packet assembly/disassembly facility (PAD) in a public data network ... X.950: Information technology - Open distributed processing - Trading function: Specification X.952: Information technology - Open distributed processing - Trading function: Provision of trading function using OSI Directory service X.960: Information Technology - Open Distributed Processing - Type Repository Function |
the X.509 recommendation
The title of the X.509 recommendation is "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks". Sounds like bedtime reading to cure even the most hardened insomniac. This is a standard that includes a definition of what a certificate must contain. It does not define how a certificate is used. This standard is one of many produced by the ITU.
The X.509 standard also defines directory authentication and CRLs (Certificate Revocation Lists). The standard avoids naming any particular public key ciphers.
an X.509 public key certificate
The X.509 standard includes a definition of a certificate and its fields. Any certificate matching this definition is called an X.509 certificate. This is practically the only type of certificate used in e-commerce. It contains these fields.
- version
- serial number
- signature algorithm ID
- issuer name
- validity period
- subject (user) name
- subject public key information
- issuer unique identifier (version 2 and 3 only)
- subject unique identifier (version 2 and 3 only)
- extensions (version 3 only)
- signature on the above fields
This certificate is signed by the issuer to authenticate the binding between the subject (user's) name and the user's public key. The major difference between versions 2 and 3 is the addition of the extensions field. This field grants more flexibility as it can convey additional information beyond just the key and name binding. Standard extensions include subject and issuer attributes, certification policy information, and key usage restrictions, among others.
what it isn't
Anything to do with NASA's X aircraft.
where it is
Every secure web server stores an X.509 certificate.
history
In the beginning (or 1976), Whitfield Diffie, Martin Hellman and Ralph Merkle published work on PKC (Public key Cryptography). Three guys named Ronald Rivest, Adi Shamir, and Leonard Adleman built upon their work and started the RSA company in 1982 to turn mathematics into flash cars and big houses. These clever mathematicians made high grade cryptography available to the masses.
In 1988 the initial version of X.509 was published.
In 1993 version 2 was published.
In 1994 version 3 was proposed.
RSA and a bunch other companies got the e-commerce ball rolling by defining PKCS (Public Key Cryptography Standards) for using certificates: storing them, exchanging them, using them and so on.
