Project Links
Home
FAQ
Architecture
Programmer's Guide
Implementation Guidelines
Project Page
CVS Tree
License
Contributor Form
Hosted By SourceForge.net
Frequently Asked Questions
libpkix- What is PKIX?
- Why is RFC 3280 important?
- What are the benefits of libpkix?
- Hasn't this been done before?
- What Open Source license are you using?
- Who can use this code?
- How can I help?
PKIX is an acronym for Public Key Infrastructure (X.509). PKIX is an IETF Working Group whose charter includes the development of Internet standards needed to support a PKI based on X.509. The libpkix library implements the PKIX standards relevant to certificate chain validation and construction (namely, RFC 3280).
RFC 3280 provides a stable and clearly defined standard for certificate chain validation. Getting consistent support for RFC 3280 into applications will reduce interoperability problems related to certificate handling(affecting crucial protocols such as SSL).
RFC 3280 includes important features (like name constraints and support for bridge CAs) that enable organizations to cross-certify while limiting the risk due to this cross-certification. The U.S. Government Federal Bridge CA and other substantial PKI deployments depend on these features.
Q:What are the benefits of libpkix?
Through libpkix, we hope to help address several problems that have slowed PKI deployment: poor interoperability due to non-standard certificate chain validation and lack of application support for PKI. These are not the only obstacles to PKI usage, but they are substantial ones.
Applications using libpkix are provided with consistent support for RFC 3280, reducing interoperability problems related to certificate handling (affecting crucial protocols such as SSL). At the same time, libpkix makes it much easier for application developers to include high-quality certificate chain validation and building in their applications.
Q: Hasn't this been done before?
There are two comparable projects we are aware of: Certificate Management Library (CML) and the Certification Path API (CertPath).
CML provides a freely available 3280-compliant path validation and building library with a C API. However, there are several differences between libpkix and CML, including:
- libpkix is implemented in C; CML is implemented in C++
- libpkix asks each Portability Layer to provide their own certificate parsing code, thereby minimizing duplication of code; CML uses the eSNACC ASN.1 library, thereby duplicating code and forcing the developer to support two different code bases for certificate parsing
- libpkix validates the chain of certificates as it is being built, allowing it to quickly reject paths that will never be valid; CML does some basic validation as it builds, but postpones most of it until after the path has been built, potentially leading to serious performance issues
- libpkix also provides superior performance, thread-handling, and pluggability.
The CertPath API defines interfaces and abstract classes for creating, building, and validating certification paths in compliance with RFC 3280. The CertPath API was introduced into the core java.security.cert package in the JavaTM 2 Platform, Standard Edition, v1.4.0. The main difference here is that libpkix is implemented in C, while CertPath is implemented in the JavaTM programming language. Applications that prefer to use a C API/implementation will choose libpkix over CertPath.
Q: What Open Source license are you using?
We are using a modified BSD license. This is a true Open Source license with no "viral" effects.
This code can be used, modified, and redistributed by commercial or non-commercial developers without license fees, subject to the terms of our license.
Download the docs and read them. Download the code and try it out. Finish implementing the code. If you'd like to get involved, please mail the project administrator.