Standard: X.509

Sponsor: ITU (International Telecommunications Union)

Description: X.509 is the international standard for digital certificates used to authenticate digital signatures. Trusted third parties - known as Certificate Authorities (CA) - issue the "certificates," maintain them, and make them accessible (e.g., in an LDAP or X.500 directory), thereby vouching that the public key in each certificate belongs to the named signer, which is what allows that signer's digital signatures to be trusted.

Relationship to Records Management: To the degree that strong authentication is required to authenticate E-records via digital signatures, the signatures themselves must be validated. Moreover, the original source documents by which the X.509 certificates are authenticated should be maintained as records for an appropriate period.
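As an added illustration (not part of this summary or of the ITU standard text), the following POSIX shell script uses the openssl command-line tool to play out the roles described above: a Certificate Authority issues an X.509 certificate to a signer, the signer signs an e-record, and a relying party validates both the certificate chain back to the trusted CA and the signature on the record, then confirms that an altered record and a certificate from an unrelated CA are both rejected. The names (Example Records CA, Records Officer, Unrelated CA), the file names and the record contents are constructed for the example, and the helper q is hypothetical.

```sh
#!/bin/sh
# Added example: X.509 issuance and signature validation with the openssl CLI.
# Assumes only the openssl command (1.1 or 3.x). All names and files are constructed.

x509_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    q() { "$@" >/dev/null 2>&1; }   # hypothetical helper: run a command quietly

    # 1. The Certificate Authority creates its own key and a self-signed root
    #    certificate. Relying parties obtain and trust this certificate out of band.
    q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example Records CA" -days 365 || exit 1

    # 2. The signer generates a key pair and a certificate request; the CA
    #    signs it, binding the signer's name to the signer's public key.
    q openssl req -newkey rsa:2048 -nodes -keyout signer.key -out signer.csr \
        -subj "/CN=Records Officer" || exit 1
    q openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out signer.crt -days 30 || exit 1

    # 3. The signer signs an electronic record with the private key.
    printf 'Electronic record contents\n' > record.txt
    q openssl dgst -sha256 -sign signer.key -out record.sig record.txt || exit 1

    # 4. The relying party first checks that the certificate chains to the
    #    trusted CA (this is what the CA's "vouching" amounts to in practice) ...
    q openssl verify -CAfile ca.crt signer.crt || exit 1
    # ... and only then uses the public key from that certificate to check the signature.
    openssl x509 -in signer.crt -pubkey -noout > signer.pub 2>/dev/null || exit 1
    q openssl dgst -sha256 -verify signer.pub -signature record.sig record.txt || exit 1

    # 5. Negative checks: an altered record must not verify, and a certificate
    #    that does not chain to the trusted CA must not be accepted.
    printf 'Electronic record contents (altered)\n' > tampered.txt
    if q openssl dgst -sha256 -verify signer.pub -signature record.sig tampered.txt; then
      echo "tampered record verified" >&2; exit 1
    fi
    q openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
        -subj "/CN=Unrelated CA" -days 365 || exit 1
    if q openssl verify -CAfile other.crt signer.crt; then
      echo "untrusted chain accepted" >&2; exit 1
    fi
    echo ok
  )
  status=$?
  rm -rf "$work"
  return "$status"
}

x509_demo
```

The order of the checks in step 4 is the point: a signature that verifies under some public key proves nothing about who signed unless the certificate carrying that key has first been validated against a CA the relying party already trusts. For records management this is also why the CA certificate (and the evidence on which the CA issued the signer's certificate) has to be retained for as long as the signed record must remain verifiable.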

Problems/Issues/Weaknesses: Many E-records may not warrant strong authentication. Privacy advocates are concerned about any system that automates the identification of individuals and links them to records of their activities. Prospective Certificate Authorities may be dissuaded from offering such services due to the risk of liability for fraud and misuse. Vendors are offering other alternatives, including various biometric measures (iris, face, and fingerprint scans) as well as electronically captured handwritten signatures.

The Government Paperwork Elimination Act (GPEA) requires that multiple forms of user authentication be supported for forms that are submitted 50,000 or more times. However, it seems that digital signatures supported by X.509 certificates might be the single, common means of user authentication that should be widely supported for all E-forms and other authenticated documents, regardless of any other means that may also be supported for any particular application.

GSA's ACES project aims to foster the establishment of CAs for private citizens, and the PKI Technical Working Group at NIST is working toward a "bridge" mechanism to provide for digital signature services across Federal agencies. Due to the widespread use of proprietary systems, technical interoperability is a major challenge.

Closely Related Standards: LDAP and X.500

Links to More Information:

Overview of Certification Systems: X.509, CA, PGP and SKIP, by E. Gerck, Copyright © 1997 by E. Gerck and MCG, published on April 17, 1997 by the MCG http://www.iks-jena.de/mitarb/lutz/certification/mc/cert.htm

A Survey of Public Key Infrastructures, thesis by Marc Branchaud <marcnarc@xcert.com> August 14, 1997, Chapter 6, X.509 http://www1.xcert.com/~marcnarc//PKI/thesis/x509.html

Table of Contents of the above thesis http://www1.xcert.com/~marcnarc//PKI/thesis/contents.html

ITU X.509: The Directory - Authentication Framework (Data Communication Networks: Directory, Study Group VII), 1989 http://www-library.itsi.disa.mil/org/ituccitt/x_509.html

Table of Contents and Summary of Recommendation X.509 (08/97) http://www.itu.int/itudoc/itu-t/rec/x/x500up/s_x509.html

Proposed Methods to use X.509 Attribute Certificates to store biometric templates http://www.biometrics.org/html/x.509.html

X.509 and Supply Chain Management (SCM) http://www.independent-micro.com/term/docs/X/x509.htm or http://www.certicom.ca/rsa99/presentations/pitfalls/tsld011.htm

Public-Key Infrastructure (X.509) (pkix) http://www.cs-ipv6.lancs.ac.uk/ipv6/documents/standards/general-comms/ietf/pkix/pkix-charter.txt

Please convey corrections, updates, or suggested enhancements in this summary to: Owen_Ambur@fws.gov
