
X.509 Certificates


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

X.509 is an ITU standard for digital certificates. It is important because it is the basis of the Internet's PKI (public-key infrastructure) standard. X.509 was first published in 1988 as part of the ITU X.500 directory services standard. The latest version (3.0) was released in 1996. X.500 is a database of named entities (people, computers, printers, and so on) that was meant for global use. Think of a global telephone book. The design was distributed so that each organization could manage the part of the database pertaining to the entities it was responsible for. While X.500 directory services have failed to take hold, X.509 has become the leading framework for certificate services.

The IETF's PKIX (Public Key Infrastructure X.509) working group defines the management of X.509 keys. Its Web site is listed on the related entries page.

X.509 defines a certificate format for binding public keys to X.500 distinguished names. X.509 supports both secret-key (single-key) cryptography and public-key cryptography. The original intention was to identify the key holder permitted to modify a particular X.500 directory node, and the first X.509 data record was designed to hold a password rather than a public key.

X.509 version 3 defines the field contents of a certificate: a data record with 11 major fields, as shown in Figure X-1.

The fields in the certificate identify the issuing CA and the signing algorithms, state how long the certificate is valid, and describe the owner of the certificate. The version 3 extension fields are used to add further information to the certificate, and this information can be customized to a particular issuer's requirements. For example, an insurance company could add patient information, and a retail chain could add unique customer information. More importantly, these fields may carry access control information that authorizes the holder of the certificate to access network or system resources. Thus, version 3 X.509 certificates can play a unique role in managing network security.
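The field layout described above, as an added example that is not from the encyclopedia: a stdlib-only Python walk over the DER encoding of a version 3 certificate that names every top-level field and decodes the version, serial number, validity period and extensions (including each extension's critical flag). It runs against a constructed certificate with a dummy key and unsigned signature bits, so it works offline; field names follow RFC 5280's TBSCertificate, and the extension OIDs used are basicConstraints (2.5.29.19) and keyUsage (2.5.29.15).

```python
def der(tag, body):
    """Encode one DER TLV; the constructed sample stays under 256 bytes, so one long-form length byte suffices."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def tlvs(buf):
    """Yield (tag, value) for each TLV packed inside a DER constructed value (handles long-form lengths)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long form: low 7 bits = number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

# TBSCertificate field order (X.509 v3 / RFC 5280): positional fields plus context-tagged optional ones.
POSITIONAL = ["serialNumber", "signature", "issuer", "validity", "subject", "subjectPublicKeyInfo"]
TAGGED = {0xA0: "version", 0x81: "issuerUniqueID", 0x82: "subjectUniqueID", 0xA3: "extensions"}

def parse_certificate(cert):
    """Name every top-level field; version, serial, validity and extensions are decoded, the rest stay raw DER."""
    (tag, body), = tlvs(cert)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    (_, tbs), (_, sig_alg), (_, sig_val) = tlvs(body)   # tbsCertificate, signatureAlgorithm, signatureValue
    fields, todo = {"signatureAlgorithm": sig_alg, "signatureValue": sig_val}, list(POSITIONAL)
    for tag, value in tlvs(tbs):
        fields[TAGGED[tag] if tag in TAGGED else todo.pop(0)] = value
    # version is [0] EXPLICIT INTEGER and 0-based; when absent the certificate is v1
    fields["version"] = 1 if "version" not in fields else next(tlvs(fields["version"]))[1][0] + 1
    fields["serialNumber"] = int.from_bytes(fields["serialNumber"], "big", signed=True)
    fields["validity"] = tuple(v.decode() for _, v in tlvs(fields["validity"]))   # (notBefore, notAfter)
    if "extensions" in fields:                        # [3] EXPLICIT SEQUENCE OF Extension
        fields["extensions"] = [parse_extension(v) for _, v in tlvs(next(tlvs(fields["extensions"]))[1])]
    return fields

def parse_extension(ext):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    parts = list(tlvs(ext))                           # only 2 parts when critical is omitted (DEFAULT FALSE)
    return {"oid": parts[0][1].hex(), "critical": len(parts) == 3 and parts[1][1] == b"\xff", "value": parts[-1][1]}

# Constructed sample data below: AlgorithmIdentifiers for sha256WithRSAEncryption and rsaEncryption.
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
RSA_ENC = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single commonName (2.5.4.3) here."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))

def sample_certificate():
    """Constructed v3 certificate: real field layout, dummy public key and dummy (not actually signed) signature."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10\x01") + SHA256_RSA + name("Test CA")
           + der(0x30, der(0x17, b"010101000000Z") + der(0x17, b"020101000000Z")) + name("Test Subject")
           + der(0x30, RSA_ENC + der(0x03, b"\x00\x00")))
    basic = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x01, b"\xff"))))
    usage = der(0x30, der(0x06, b"\x55\x1d\x0f") + der(0x04, der(0x03, b"\x01\x86")))
    return der(0x30, der(0x30, tbs + der(0xA3, der(0x30, basic + usage))) + SHA256_RSA + der(0x03, b"\x00" * 17))
```

A real certificate would additionally need the signatureValue checked against the issuer's public key; the walk above only shows where each field lives.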

An important aspect of certificates that is easy to overlook is their portable nature. When public-key schemes were first created, names and their associated keys were listed in the same public file. Later, each name/key pair was broken out into a separate record and signed by a certificate authority, thus creating "certificates." A certificate may be freely distributed and still trusted, since its content is digitally signed by the issuing certificate authority. This portable nature makes certificates ideal for use in authentication.

As mentioned, X.500 directory services have not achieved their goals, but a slimmer directory services protocol called LDAP (Lightweight Directory Access Protocol) has been derived from parts of X.500. LDAP was defined by the IETF specifically for use on the Internet (or intranets). It is based on some of the features in X.500 and is even interoperable with X.500 (if such installations exist!). Refer to the LDAP heading in the book for more information.

Certificates are typically managed by CAs (certificate authorities), which are public entities, usually regulated, that act as third-party key holders. To create a certificate, the CA combines a user's public key with the user information (as defined by X.509), then signs the information with its private key. Anyone receiving the certificate can verify its authenticity with the CA's public key. The authenticity of the CA's public key can be further verified via the chain of trust that exists within the PKI (public-key infrastructure). Certificates, public keys, and PKI are discussed under separate headings as listed on the related entries page.

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.