libpkix Frequently Asked Questions

Q: What is PKIX?

PKIX is an acronym for Public Key Infrastructure (X.509). PKIX is an IETF Working Group whose charter includes the development of Internet standards needed to support a PKI based on X.509. The libpkix library implements the PKIX standards relevant to certificate chain validation and construction (namely, RFC 3280).

Q: Why is RFC 3280 important?

RFC 3280 provides a stable and clearly defined standard for certificate chain validation. Getting consistent support for RFC 3280 into applications will reduce interoperability problems related to certificate handling (affecting crucial protocols such as SSL).

RFC 3280 includes important features (like name constraints and support for bridge CAs) that enable organizations to cross-certify while limiting the risk due to this cross-certification. The U.S. Government Federal Bridge CA and other substantial PKI deployments depend on these features.

Q: What are the benefits of libpkix?

Through libpkix, we hope to help address several problems that have slowed PKI deployment: poor interoperability due to non-standard certificate chain validation and lack of application support for PKI. These are not the only obstacles to PKI usage, but they are substantial ones.

Applications using libpkix are provided with consistent support for RFC 3280, reducing interoperability problems related to certificate handling (affecting crucial protocols such as SSL). At the same time, libpkix makes it much easier for application developers to include high-quality certificate chain validation and building in their applications.

Q: Hasn't this been done before?

There are two comparable projects we are aware of: Certificate Management Library (CML) and the Certification Path API (CertPath).

CML provides a freely available 3280-compliant path validation and building library with a C API. However, there are several differences between libpkix and CML, including:

  • libpkix is implemented in C; CML is implemented in C++
  • libpkix asks each Portability Layer to provide its own certificate parsing code, thereby minimizing duplication of code; CML uses the eSNACC ASN.1 library, thereby duplicating code and forcing the developer to support two different code bases for certificate parsing
  • libpkix validates the chain of certificates as it is being built, allowing it to quickly reject paths that will never be valid; CML does some basic validation as it builds, but postpones most of it until after the path has been built, potentially leading to serious performance issues
  • libpkix also provides superior performance, thread-handling, and pluggability.
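The two points above that matter most for correctness and performance are name constraints across a bridge CA (the cross-certification use case) and validating the chain while it is being built rather than afterwards. The following is an added illustration, not libpkix code and not its API: a toy reverse (leaf-to-anchor) path builder over constructed, hypothetical certificates represented as dicts. It models only two RFC 3280 checks, the dNSName form of permittedSubtrees and pathLenConstraint, and runs the same builder twice, once validating only completed paths and once checking each candidate issuer certificate as it is added, counting how many issuer certificates each strategy has to examine.

```python
"""Toy model of RFC 3280 path building with validation during construction.
Added example; NOT libpkix code. Certificates are plain dicts, not X.509."""
from __future__ import annotations
from collections import defaultdict

# Constructed sample certificates (hypothetical names; no real PKI data).
# "permitted" models the permittedSubtrees dNSName name constraint,
# "pathlen" models basicConstraints.pathLenConstraint.
CERTS = [
    {"subject": "EE", "issuer": "Int", "ca": False, "dns": "app.example.org"},
    {"subject": "Int", "issuer": "Root-1", "ca": True, "pathlen": 0,
     "permitted": ["example.org"]},
    # Cross-certificate issued to Int by a bridge CA, limited to example.net
    {"subject": "Int", "issuer": "Bridge", "ca": True, "pathlen": 0,
     "permitted": ["example.net"]},
    {"subject": "Bridge", "issuer": "Int-2", "ca": True, "pathlen": 1,
     "permitted": ["example.net", "example.org"]},
    {"subject": "Int-2", "issuer": "Root-2", "ca": True, "pathlen": 2},
]
TRUST_ANCHORS = {"Root-1", "Root-2"}

BY_SUBJECT: dict[str, list[dict]] = defaultdict(list)
for _c in CERTS:
    BY_SUBJECT[_c["subject"]].append(_c)


def name_permitted(dns: str, permitted: list[str] | None) -> bool:
    """RFC 3280 dNSName subtree match: the name equals the subtree or is a
    left-hand extension of it (www.host.example.com matches host.example.com)."""
    if permitted is None:
        return True
    return any(dns == p or dns.endswith("." + p) for p in permitted)


def cert_fits(ca_cert: dict, below: list[dict]) -> bool:
    """Check one CA certificate against the certificates already in the path
    beneath it (leaf first). This is the incremental check that lets a builder
    discard a partial path before fetching any further issuer certificates."""
    if not ca_cert["ca"]:
        return False
    # name constraints apply to every certificate that follows the CA cert
    for c in below:
        if "dns" in c and not name_permitted(c["dns"], ca_cert.get("permitted")):
            return False
    # pathLenConstraint bounds the number of CA certs that may follow
    ca_below = sum(1 for c in below if c["ca"])
    if "pathlen" in ca_cert and ca_below > ca_cert["pathlen"]:
        return False
    return True


def validate_path(path: list[dict]) -> bool:
    """Whole-path validation (leaf first): each issuer cert must fit what lies beneath it."""
    return all(cert_fits(path[i], path[:i]) for i in range(1, len(path)))


def build(leaf: dict, validate_early: bool) -> tuple[list[list[dict]], int]:
    """Depth-first reverse path building from the leaf toward a trust anchor.
    Returns (valid paths, number of issuer certificates examined)."""
    examined = 0
    valid_paths: list[list[dict]] = []

    def extend(path: list[dict]) -> None:
        nonlocal examined
        top = path[-1]
        if top["issuer"] in TRUST_ANCHORS:
            # with early validation every cert already passed cert_fits
            if validate_early or validate_path(path):
                valid_paths.append(path)
            return
        for cand in BY_SUBJECT.get(top["issuer"], []):
            examined += 1
            if cand in path:  # do not loop through the same certificate
                continue
            if validate_early and not cert_fits(cand, path):
                continue  # prune: nothing built on this branch can ever validate
            extend(path + [cand])

    extend([leaf])
    return valid_paths, examined


def compare() -> dict:
    """Run both strategies on the constructed leaf and report what each cost."""
    leaf = CERTS[0]
    late_paths, late_examined = build(leaf, validate_early=False)
    early_paths, early_examined = build(leaf, validate_early=True)
    names = lambda p: [c["subject"] for c in p] + [p[-1]["issuer"]]
    return {
        "late_examined": late_examined,
        "early_examined": early_examined,
        "late_paths": [names(p) for p in late_paths],
        "early_paths": [names(p) for p in early_paths],
    }


if __name__ == "__main__":
    print(compare())
```

Both strategies find the same single valid path (EE, Int, Root-1), but the build-then-validate run walks the whole bridge branch (Int via Bridge, Bridge, Int-2) before discovering that the cross-certificate's name constraint excludes app.example.org, while the incremental run rejects that branch at the first cross-certificate and never looks up the bridge's own issuers. In a real deployment each of those lookups can be an AIA fetch or a directory query, which is where the performance difference the bullet describes comes from.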

The CertPath API defines interfaces and abstract classes for creating, building, and validating certification paths in compliance with RFC 3280. The CertPath API was introduced into the core package in the Java™ 2 Platform, Standard Edition, v1.4.0. The main difference here is that libpkix is implemented in C, while CertPath is implemented in the Java™ programming language. Applications that prefer to use a C API/implementation will choose libpkix over CertPath.

Q: What Open Source license are you using?

We are using a modified BSD license. This is a true Open Source license with no "viral" effects.

Q: Who can use this code?

This code can be used, modified, and redistributed by commercial or non-commercial developers without license fees, subject to the terms of our license.

Q: How can I help?

Download the docs and read them. Download the code and try it out. Finish implementing the code. If you'd like to get involved, please mail the project administrator.

Copyright 2004 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.

Sun, Sun Microsystems, the Sun Logo, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the US and other countries.

Last Updated On: Wed Jun 9, 2004 11:51:57 AM