The PKI page

This page contains links to various sites and documents which are related to Public Key Infrastructure (PKI) stuff, especially links to all Certification Authorities (CAs) I'm aware of. Some links may be missing, other links may be out of date so please check back from time to time since I'm irregularly updating this page which by definition is far from being complete. Please let me know about missing links.

This page was last updated on January 5th, 2009 (!) - new links are marked as

Jump directly to the following sections:

• List of Certification Authorities
  • PGP Certification Authorities
  • CAs accredited by the German Digital Signature Act ("Signaturgesetz")
  • CAs accredited by the Italian Digital Signature Act
  • CAs licensed by the Utah Digital Signature Act
  • CAs licensed by Washington State's Electronic Authentication Act
  • CAs licensed by Oregon's Electronic Signature Act
  • CAs licensed by the North Carolina Electronic Commerce Act
  • CAs licensed by California's Digital Signature Regulations
  • CAs licensed by Nebraska's Digital Signatures Act
  • PKI Service Providers approved by the Texas Digital Signature Rule
  • Information related to the European Directive for Electronic Signatures
  • CAs licensed under the Gvmt of India IT Act 2000
  • CAs licensed under the Polish Digital Signature Law
  • TTPs registered under the Dutch Wet Elektronische Handtekeningen
  • CAs registered under the Turkish Elektronic Signature Law

• Other sites with useful information
  • Cryptography
  • Digital Signatures
  • PGP / OpenPGP / GPG
  • General World Wide Web Security
  • Secure Socket Layer (SSL) / Transport Layer Security (TLS)
  • MIME Security
  • DNSSEC resources
  • Secure Electronic Transactions (SET)
  • Implementations / (open source) Toolkits / Products / Vendors
  • Literature / Articles / Publications / RFCs
    • PKIX
    • S/MIME
    • TLS
  • Miscellaneous PKI and Security stuff

List of Certification Authorities:

• DFN - PKI
• IPRA: Internet PCA Registration Authority (MIT)
• CREN (US Corporation for Research and Educational Networking) CA
• VeriSign, Inc. and its Certificate Practice Statement (CPS), ECA and IECA Certificates for U.S. Government contractors
• SET Demo Certificate Selection from VeriSign, Inc.
• TradeAuthority
• Thawte Certification Division
• Initiative for Computer Authentication Technology (ICAT) (Alternative site)
• Free certificates by Entrust Technologies
• Spyrus Certification Authorities (Australia)
• Net.Registry (IBM)
• BiNARY SuRGEONS: Certification Services
• SoftForum CA
• Government of Canada Public Key Infrastructure
• AD AEQUITATEM (Univ. of Zaragoza, Spain)
• SISCER (Spain)
• Internet Publishing Services (IPS) (note: Spanish language!)
• SIA CA (note: Italian language!)
• CertCo
• IKS Certification Authority
• CompuSource
• CARYNET Security
• KeyPOST (Australia Post)
• BankGate
• Entropia Internet CA
• KAIST network CA (note: Korean language!)
• PVT CA (note: Czech language!)
• South African Certification Agency
• Telecom Italia Net CA (note: Italian language!)
• World Wide Wedlin CA
• Swisskey (discontinued)
• Australian Government Public Key Authority
• NLsign (note: Dutch language!)
• SSB - SpA CA (note: Italian language!)
• Agencia de Certificación Electrónica
• Laboratorio de Criptología (note: Spanish language!)
• Interneto Projektai (note: Lithuanian language!)
• University of Torino (note: Italian language!)
• The USERTRUST Network
• GlobalSign
• Netrust
• Baycorp ID Services Ltd
• Certplus
• Controller of Certification Authorities (Gov. of Singapore)
• CrossCert (Korean Electronic Certification Authority)
• Equifax Secure
• Security Domain Pty Limited
• Certificates Australia Pty Limited
• a-sign (note: German language!)
• FP5 Certification Service (Fifth Framework Programme of the European Community)
• WIS@key
• Tele Danmark certificeringscenter (note: Danish language!)
• AlphaTrust
• ACES - Access Certificates for Electronic Services (US General Services Administration)
• WildID LLC
• TI-TC Trustcenter of the Institute for Telematics (note: German language!)
• EuroPKI
• SURFnet PCA (note: Dutch language!)
• Väestörekisterikeskus: The Finnish Population Register Centre's CA (note: mostly Finnish language!)
• FESTE (note: Spanish language!)
• Powszechne Centrum Certyfikacji
• Acepta.com (Autoridad Certificadora) (note: Spanish language!)
• E-certify Corporation
• ACES: Access Certificates for Electronic Services
• ORC's DoD IECA: Interim External Certification Authority
• freecerts.com: free WAP test certificates
• beTRUSTed (now called: Cybertrust)
• The European Bridge-CA: for organizations and public administrations
• Certall Finland Oy
• DoD PKI (DoD PKI External CAs)
• a-trust (note: German language!)
• Health eSignature Authority Pty Ltd
• ID.Safe
• IG tOP: Trägerschaft öffentliche PKI Schweiz (note: German language!)
• QuoVadis Limited: Bermuda Digital CA
• Certipor: Sociedade Portuguesa de Certificados Digitais, S.A.
• Acertia (note: Spanish language!)
• ICP-Brasil (note: Portuguese language!)
• Identrus
• E-Commerce PKI CA
• Certeca (Offshore CA)
• Digital Signature Trust Company
• BCA: US DoD Bridge Certification Authority Technology Demonstration
• MEDePass, Inc.
• euSign S.A.
• TrustCenter berlin.de (note: German language!)
• Ezitrust
• Keystorm
• Geotrust
• SignGATE (Korea Information CA, Inc.)
• SignKorea
• YESSIGN (note: Korean language!)
• Korea Certification Authority Central
• NCASign (note: Korean language!)
• The Federal Bridge-CA (NIST)
• Belgacom E-Trust
• SafeWeb (note: Portuguese language!)
• PKI - Infraestructura de Firma Digital para el Sector Publico - Argentina (note: Spanish language!)
• OpenCerts
• SwUPKI: PKI for Universities and University Colleges in Sweden
• SIGEN-CA (Slovenia)
• SIGOV-CA (Slovenia)
• Gatekeeper (Australia)
• Portas
• CAcert
• SwisSsign
• SSLpartner
• Scandtrust
• InstantSSL (Comodo Group)
• DigiCert, Inc.
• EuropePKI
• DTCA: D.Trust Certifikacna Autorita (note: Slovakian language!)
• Centrum Certyfikacji Signet (note: Polish language!)
• PKI der FhG (note: German language!)
• Sonera CA (note: Finnish language!)
• Certificado Digital S.A. (note: Spanish language!)
• Post.Trust
• steria (note: Swedish language!)
• NetLock Tanúsítványkiadó Központ (CA)
• CryptGuard.com
• ComSign
• Union Trust Network (Ukraine)
• LuxTrust S.A. (note: French language!)
• Certicamara S.A. (note: Spanish language!)
• Carillon.CA
• StartCom Free SSL Certification Authority
• Finansiell ID-Teknik BID AB
• CertiPath: "the world's first commercial PKI bridge"
• AeroTrust Digital Certification Service
• XMPP Intermediate CA
• CA/Browser Forum
• Digi-Sign, The Certificate Corporation
• Skaitmeninio Sertifikavimo Centras (note: Lithuanian language!)
• NETCA (note: Chinese language!)
• AOL Root Certifier Authority Website and AOL Member Security PKI

PGP Certification Authorities:

• DFN - PKI
• c't - Krypto-Kampagne (note: German language!)
• IKS Certification Authority
• AD Certification Service (note: German language!)
• Powszechne Centrum Certyfikacji
• CAcert

CAs accredited by the German Digital Signature Law ("Signaturgesetz")

• The Root CA: Bundesnetzagentur (Regulierungsbehörde) (note: German language!)
  • Produktzentrum TeleSec der Deutschen Telekom AG
  • Bundesnotarkammer
  • DATEV eG Zertifizierungsstelle
  • D-Trust GmbH
  • Deutsche Post Com GmbH Geschäftsfeld Signtrust
  • TC TrustCenter GmbH
  • DGN Deutsches Gesundheitsnetz Service GmbH
  • AuthentiDate International AG (qualified time stamps only)
  • Deutscher Sparkassen Verlag GmbH
  • medisign GmbH

  • (Deutsche Rentenversicherung Bund)

• T7 - ISIS (Industrial Signature Interoperability Specification, note: obsolete - this is now ISIS-MTT)
  • ISIS-MTT Testbed
• Rahmenwerk für die einheitliche Spezifizierung der Einsatzbedingungen für Signaturanwendungskomponenten (note: German language!)

CAs accredited by the Italian Digital Signature Law

• Elenco pubblico dei certificatori attivi (note: Italian language!)
  • Societa Interbancaria per l'Automazione - Cedborsa S.p.A. (SIA S.p.A.) (note: Italian language!)
  • SOCIETA' per i SERVIZI BANCARI - SSB S.p.A. (note: Italian language!)
  • BNL Multiservizi S.p.A. (note: Italian language!)
  • Infocamere SC.p.A. (note: Italian language!)
  • Finital - Finanziaria Italiana S.p.A. (note: Italian language!)
  • Saritel S.p.A. (note: Italian language!)
  • Postecom S.p.A. (note: Italian language!)
  • Societa per Azioni Servizi Centralizzati - Seceti S.p.A. (note: Italian language!)
  • Centro Tecnico per la RUPA (note: Italian language!)
  • In.Te.S.A. S.p.A. (note: Italian language!)
  • ENEL.IT S.p.A. (note: Italian language!)
  • Trust Italia S.p.A. (note: Italian language!)
  • Cedacrinord S.p.A. (note: Italian language!)
  • ACTALIS S.p.A. (note: Italian language!)

CAs licensed by the Utah Digital Signature Act

• Digital Signature Trust Company
• Universal Secured Enryption Repository Company
• VeriSign, Inc.

CAs licensed by Washington State's Electronic Authentication Act

• ID Certify, Inc.
• VeriSign, Inc.
• Digital Signature Trust Company

CAs licensed by Oregon's Electronic Signature Act

• VeriSign, Inc.
• Digital Signature Trust Company

CAs licensed by the North Carolina Electronic Commerce Act

• VeriSign, Inc.
• Digital Signature Trust Company

CAs licensed by California's Digital Signature Regulations

• VeriSign, Inc.
• Digital Signature Trust Company
• ID Certify, Inc.
• Entrust Technologies, Inc.

CAs licensed by Nebraska's Digital Signatures Act

• VeriSign, Inc.
• Digital Signature Trust Company
• ID Certify, Inc.

PKI Service Providers approved by the Texas Digital Signature Rule

• VeriSign, Inc.
• Entrust

Information and documents related to the European Directive for Electronic Signatures

• The European Commission: Information Society Website
• EESSI: The European Electronic Signature Standardization Initiative
• ETSI: European Telecommunications Standards Institute
• CEN/ISSS E-Sign: European Committee for Standardization (another site)
• European Commission: Information Society Directorate-General

• The Electronic Signatures Regulations 2002 (UK)
• Supervisory Authority for Electronic Signatures (Austria): List of certification-service-providers in Austria
• Status of notification of legal acts implementing the electronic signatures directive
• FESA: Forum of European Supervisory Authorities for Electronic Signatures
• Study report: The legal and market aspects of electronic signatures (PDF version, accompanying website, accompanying website)
• VITAS: Voluntary Trust-service Approval Schemes common interest group
• Prestataire de service de certification (Luxembourg)
• Position paper on the e-signatures review by the American chamber of commerce
• Swiss Accreditation Service (SAS): List of bodies which are entitled to issue and administer qualified electronic certificates
  • Swisscom Digital Certificate Service
  • QuoVadis Trustlink Schweiz AG
• eSignatures Standardisation survey

CAs licensed under the Gvmt of India IT Act 2000

• Controller of CAs
  • IDRBT CA
  • TCS Certifying Authority (CA) Services
  • National Informatics Center CA
  • SafeScrypt
  • MTNL TrustLine CA
  • iCert CA (Customs & Central Excise)
  • (n)Code Solutions CA (GNFC)

CAs licensed under the Polish Digital Signature Law

• Unizeto CERTUM CA
• Sigillum Polskie Centrum Certyfikacji Elektronicznej (note: Polish language!)
• Centrum Certyfikacji Signet (note: Polish language!)
• KIR S.A. (note: Polish language!)

TTPs registered under the Dutch Wet Elektronische Handtekeningen

• Unieke Zorgverlener Identificatie Register (note: Dutch language!)
• PinkRoccade CSP (note: Dutch language!)
• DigiNotar B.V. (note: Dutch language!)

CAs registered under the Turkish Elektronic Signature Law

• ESHS'ler (note: Turkish language!)
  • Elektronik Bilgi Güvenligi A.S. (note: Turkish language!)
  • TUBITAK-UEKAE (note: Turkish language!)
  • TürkTrust Bilgi, Iletisim ve Bilisim Güvenligi Hizmetleri A.S. (note: Turkish language!)
  • EBG Bilisim Teknolojileri ve Hizmetleri A.S.(E-Tugra) (note: Turkish language!)

Other sites with useful information:

Here are some more links to sites I find interesting.

Cryptography:

• International Cryptography Pages
• RSA Laboratories' "CryptoBytes" technical newsletter
• The "CRYPT NEWSLETTER" Homepage
• Crypto Law Survey (Bert-Jaap Koops)
• Cryptography Export Control Archives
• European Cryptography Resources
• Commercial Encryption Export Controls (BXA)
• The Worldwide Cryptography Debate
• European expert hearing on digital signatures and encryption (Copenhagen, April 23-24 1998)
• Counterpane Internet Security, Inc. (Bruce Schneier)
• Computational number theory and data security
• Handbook of Applied Cryptography (Menezes, van Oorschot, Vanstone)
• Cryptography Publishing Project
• Cryptographic Software Export Controls in the EU (thesis by Simo-Pekka Parviainen)
• Stegdetect
• NIST's Key Management Standards
• ID-PKC: IDentity-based Public Key Cryptography (CESG)

Digital Signatures:

• Digital Signature Law Survey
• EFGA: Digital Signature Section
• Summary of international legislation
• Tutorial on Digital Signatures
• Digital Signature Links
• Internet Law & Policy Forum (ILPF): Digital Signature Working Group
• Digital Signature Guidelines
• ICC: General Usage for International Digitally Ensured Commerce
• European Commission Legal Advisory Board: Digital Signatures and Encryption
• W3: Digital Signature Initiative
• UNITED NATIONS (UNCITRAL): Draft Uniform Rules On Electronic Signatures
• Baker & McKenzie: E-Signatures and D-Signatures
• S.761: Electronic Signatures in Global and National Commerce Act (US federal)
• Bill 88: Electronic Commerce Act, 2000 (Canada)
• Projekt ArchiSig
• Fst Ricerca (note: Italian language!)
• Leitfaden Elektronische Signatur (note: German language!)
• Federal, State and International Electronic Signature Laws
• signaturrecht.de (note: German language!)

PGP / OpenPGP / GPG:

• The international PGP Home Page
• The domain pgp.net
• PGP Keyserver
• PGP Web of Trust Statistics
• RFC 1991: "PGP Message Exchange Formats"
• RFC 2015: "MIME Security with Pretty Good Privacy (PGP)"
• PGP Corporation
• PGP Attack FAQ
• PGP International
• Robert (Guerra)'s PGP Links
• RFC 4880: "OpenPGP Message Format"
• PGP DH vs. RSA FAQ
• GnuPG - the GNU Privacy Guard
• Key experiments: How PGP Deals With Manipulated Keys
• Experimental PGP key path finder
• PGPdump Interface
• The DSA Flaw in OpenPGP
• PGP Keyring Analysis
• GPGrelay
• Crypt::OpenPGP
• A security analysis of PGP
• CKS: CryptNET Key Server
• RFC 3156: "MIME Security with OpenPGP"
• Public Key Servers
• Tom McCune's page for PGP
• NAI Letter sent to PGP Customers on Feb, 26th (R.I.P. PGP)
• OpenPKSD
• SKS: the synchronizing keyserver
• OpenCDK
• PKS: OpenPGP Key Server
• onak: OpenPGP Key Server

General World Wide Web Security:

• The World Wide Web Security FAQ
• Java Security FAQ
• Terisa Systems
• IBM's Surf'N'Sign: Signing Documents on the Web
• Tha Java Security Hotlist
• WWW Security Pointers
• Java Security Resources
• Java Filter
• Java Security: Chronology of security-related bugs (Sun)

Secure Socket Layer (SSL) / Transport Layer Security (TLS):

• SSL Protocol Version 2.0 (Draft)
• SSL Protocol Version 3.0 (Draft)
• Netscape Certificate Specifications
• SSLeay and SSLapps FAQ
• SSL-Talk FAQ
• SSLeay Certificate Cookbook (F. J. Hirsch)
• SSLeay 0.6.6 documentation including libcrypto docs
• Introducing SSL and Certificates using SSLeay (F. J. Hirsch)
• Setting up your own certification environment using SSLeay 0.8.1 and MSIE 4.0 (Samuel Liddicott)
• Set up your own CA using free software (Marint Ouwehand)
• Mozilla Crypto Group
• OpenSSL PKCS#12 Program FAQ (Stephen Henson)
• Enabling Network Security with SSLeay
• Test the strength of your browser's crypto
• OpenSSL: The Open Source toolkit for SSL/TLS
• Introduction to SSL
• RFC 2246: "The TLS Protocol Version 1.0"
• BSAFE patches for SSLeay
• PureTLS - free Java-only implementation of SSLv3 and TLSv1
• More SSL related applications from the OpenSSL web site
• pilotSSLeay: port of SSLeay-0.8.1 to the Pilot
• ssldump: SSLv3/TLS network protocol analyzer
• OpenSSL for Win32
• A design weakness of SSL/TLS (H. Krawczyk)
• GNU TLS library
• OpenSSL Examples
• OpenSSL based PKI
• SSLbar
• Which SSL: SSL Certificate Buyers Guide (Comodo Group)
• SSL Certificate Assistant
• SSL Guide
• SSL Shopper

MIME Security:

• Information on S/MIME (IMC)
• S/MIME Freeware Library (SFL)
• S/MIME Mail Security (IETF)
• S/MIME and OpenPGP
• NIST S/MIME Activities
• S/MIME Interop Matrix
• PM-S/MIME: S/MIME Plugin for Pegasus Mail

DNSSEC resources:

• DNS Security (DNSSEC) in CAIRN
• NLnet Labs DNSSEC resources
• IETF: DNS Extensions (dnsext) System Security
• NIC-SE: Reports on DNSSEC
• Report from the Workshop on DNSSEC, Sweden
• DNSsec Internet Drafts
• DNSSEC Related Links
• DNSSEC Paper
• DNSSEC - Software Integration
• Report on IIS DNSSEC Workshop
• Thesis on DNSSEC (M. Gieben)
• DNSSEC.net
• DNSSEC at University of Murcia

Secure Electronic Transactions (SET):

• SET Specification by MasterCard and Visa

Implementations / (open source) Toolkits / Products / Vendors:

• SECUDE
• NCSA httpd - Using PGP/PEM encryption
• RSA Euro - Cryptography for the World
• SESAME: Cryptographic applications (secure site)
• Information about TIS/MOSS (TIS)
• SSR: Secure Socket Relay
• Frontier Technolgies: e-Lock (alternative site)
• cryptlib: freely available Encryption Toolkit (Peter Gutmann)
• Apache-SSL: Secure Webserver (Ben Laurie)
• SSLeay
• mod_ssl: Apache interface to SSLeay
• Java Security Toolkit (TU Graz)
• Tools from Diversinet Corp.
• Jonah PKIX: a freeware PKIX (see below) reference implementation (IBM)
• Jonah PKIX: same as above but internationally available! (note: site seems to be dead!)
• J/CA Certification Toolkit (Phaos Corp.)
• Entrust Technologies
• Oscar - DSTC's Public Key Infrastructure Project
• Entegrity Solutions Corp
• Structured Arts Computing Corp
• OpenCA Labs
• OpenXPKI
• SHYM Technology
• pyCA - Software for running a certificate authority
• JCSI - DSTC's Java Crypto and Security Implementation
• Nexus
• Radicchio
• Sendmail-TLS
• Alphaworks/IBM: KeyMan PKI client side management tool
• R&L GmbH: safeX
• M2Crypto Cryptography, SSL and S/MIMEv2 for Python
• NSS + PSM Open Source PKI projects on Mozilla
• Safelayer Secure Communications S. A. (and their TrustedX platform)
• Conclusive Logic, Inc.
• SSH Certificate Toolkit
• Kyberpass Corporation
• PHAOS Technology
• Celo Communications
• KeyTrust Certificate Explorer (note: German language!)
• Capslock
• Valimo Wireless Oy
• Cylink
• Awanim
• CrypTool: comprehensive open-source e-learning program for cryptography and cryptanalysis
• IDX-PKI
• Biodata Systems GmbH
• Certicom Corp.
• ValiCert
• .pkicomplete
• Java Certification Path API
• trustsuite.de (note: German language!)
• timeproof
• e-Security, Inc.
• Hush Communications
• PKI Group Test (The NSS Group)
• db-order (note: German language!)
• upki
• CertPath APIs (as part of J2SE 1.4)
• BERViewer
• Project Ägypten: Free Software SPHINX Clients
• EJBCA: J2EE Certificate Authority
• AET Europe BV (Advanced Encryption Technology)
• Utimaco Safeware
• HYPERTRUST
• FlexiProvider
• ArticSoft
• SECUonline AG
• gpkcs11
• ValiCert ASN.1 Parser
• CryptoEx
• Tekki
• pki.ssh.com
• C&A
• nCipher
• KSIGN Co. Ltd. (Korea)
• Dreamsecurity Co. Ltd. (Korea)
• INITECH Co. Ltd. (Korea)
• OnePKI
• GUIdumpASN
• Tellus Technologies
• CPKtec
• BCQRE (note: Korean language!)
• Glück & Kanja Technology AG
• CSP: Certificate Service Provider
• e-CryptIt Engine 7.0
• SimpleCA (another site)
• Evidian
• NewPKI
• Chrysalis-ITS
• Fortrus WebPKI
• Guardeonic
• Evincible
• Libgcrypt
• Ascertia Corp.
• Rainbow CryptoSwift
• AEP SureWare Keyper
• CML: Certificate Management Library
• Oasis Digital Signature Services
• Teraview
• DigiStamp
• Signature Perfect KG
• XCA (XCA at soureforge)
• Tarmin Solutions Ltd.
• M2Crypto
• IT Solution GmbH Software for qualified signatures according to German and Austrian Signature Law (Note: German language!)
• PCP: Pure Crypto Project (R. Senderek)
• CoreStreet, Ltd.
• Pi3Web Certification Authority
• eTrust PKI (Computer Associates)
• eTrust OSCPro (Computer Associates)
• Valimo Wireless Ltd.
• Netscape Certificate Server
• Raak Technologies
• Safeway
• Diginus Ltd.
• yaSSL
• cv cryptovision gmbh
• PKI SOFTWARE HOUSE: proCertum products
• mozcert: Mozilla/Firefox enhancement
• Clarios Corp.
• Eracom Technologies
• EldoS
• XiCrypt Technologies
• roCA: read-only CA
• Zertificon Solutions GmbH
• AgileCO eTRUST
• Direct2GOV
• UMU-PKIv6 (University of Murcia)
• WISeKey, SA
• CertiVeR: Certificate Validation and Revocation service
• Key Manager (Firefox Add-On)
• XML Digital Signature Tool (Firefox Add-On)
• xyzmo
• SimpleAuthority
• TrustWeaver On Demand Repository
• CRYPTOLOG S.A.S
• gnoMint: x509 CA management tool for GTK/Gnome environments

Literature / Articles / Publications / RFCs:

• X.509 specification (including latest drafts on X.509v4)
• PKI-related activities at NIST (also from the DFN-PCA FTP-Server)
• Secure E-mail (Presentation given by Harald T. Alvestrand)
• Sirene Publications
• Certified Electronic Mail (CEM)
• W3: Electronic Payment Schemes (Phillip Hallam-Baker)
• Security and Encryption Links (Peter Gutmann)
• Excellent X.509 Style Guide (Peter Gutmann)
• Center for Standards (DISA): PKI Standardization Home Page
• Publications on Java Security et al. (SIP)
• Rethinking PKI and digital certificates --- building in privacy (Thesis of Stefan Brands)
• Compliance Defects in Public-Key Cryptography (D. Davis)
• Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure (B. Schneier, C. Ellison)
  • ...and a response to 10 Risks of PKI (A. Perez)
  • ...and another response to 10 Risks of PKI (B. Laurie)
• The OpenSource PKI book
• The Public-Key Cryptography Standards (PKCS)
• Conventional PKI: An Artefact Ill-Fitted to the Needs of the Information Society (Roger Clark)
• Excerpts from "The Design and Verification of a Cryptographic Security Architecture" (PhD thesis, Peter Gutmann)
• PKI Publications from ETH, Zürich
• Public Key Cryptography based on Braid Groups
• The Ten Minute CEO Briefing on PKI... (note: site seems to be dead!)
• The Shocking Truth About Digital Signatures and Internet Commerce (J. Winn)
• PKI Policy Pitfalls (M. Bobbitt)
• List of CA's
• An introduction to PKI (and more PKI white papers)
• White Papers on PKI
• Digital Certificates (Roedy Green)
• Implementation Problems on PKI
• PKI Policy in the Business Environment (J. Sabo, Y. Dzambasow)
• Vergleichbarkeit von PKI-Policies mittels XML (note: German language!)
• Non-Repudiation in the Digital Environment (A. McCullagh, W. Caelli)
• The Liability Regime for Certification Authorities Towards Third Parties Outwith the EC Directive in England and Germany Compared (S. Hindelang)
• Solar Trust Model (M. Clifford)
• Networking in The Solar Trust Model: Determining Optimal Trust Paths in a Decentralized Trust Network (M. Clifford)
• A vulnerability assessment of roaming soft certificate PKI solutions (S. Wilson)
• PKI Certificate Revocation (Master thesis, A. Arnes)
• Misc PKI publications (Stephen Wilson, see also his "Babysteps")
• Comparison Of Secure Email Technologies X.509 / PKI, PGP, and IBE (Ed Gerck)
• PKI tutorials by Carillon.CA
• Die qualifizierte Signatur - Vorteile und Fallbeispiele :-) (note: German language!)
• Microsoft Windows Root Certificate Security Issues (Paul Hoffman)
• MD5 considered harmful today - Creating a rogue CA certificate (Alexander Sotirov et al)

  RFCs and internet drafts:

• The IETF Security Area and related IETF working groups
  • PKIX: Public Key Infrastructure (X.509)
    • RFC 2459: "Certificate and CRL Profile"
    • RFC 2510: "Certificate Management Protocols"
    • RFC 2511: "Certificate Request Message Format"
    • RFC 2527: "Certificate Policy and Certification Practices Framework"
    • RFC 2528: "Representation of Key Exchange Algorithm (KEA) Keys in Internet X.509 Public Key Infrastructure Certificates"
    • RFC 2559: "Operational Protocols - LDAPv2"
    • RFC 2560: "Online Certificate Status Protocol - OCSP"
    • RFC 2585: "Operational Protocols - FTP and HTTP"
    • RFC 2587: "LDAPv2 Schema"
    • RFC 2797: "Certificate Management Messages over CMS"
    • RFC 2875: "Diffie-Hellman Proof-of-Possession Algorithms"
    • RFC 3029: "Data Validation and Certification Server Protocols"
    • RFC 3039: "Qualified Certificates Profile"
    • RFC 3161: "Time-Stamp Protocol (TSP)"
    • RFC 3279: "Algorithms and Identifiers for the PKIX Certificate and Certificate Revocation List (CRL) Profile"
    • RFC 3280: "Certificate and CRL Profile"
    • RFC 3281: "An Internet Attribute Certificate Profile for Authorization"
    • RFC 3379: "Delegated Path Validation and Delegated Path Discovery Protocol Requirements"
    • RFC 3628: "Policy Requirements for Time-Stamping Authorities (TSAs)"
    • RFC 3647: "Certificate Policy and Certification Practices Framework"
    • RFC 3709: "Logotypes in X.509 Certificates"
    • RFC 3739: "Qualified Certificates Profile"
    • RFC 3770: "Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)"
    • RFC 3779: "X.509 Extensions for IP Addresses and AS Identifiers"
    • RFC 3820: "Proxy Certificate Profile"
    • RFC 3874: "A 224-bit One-way Hash Function: SHA-224"
    • RFC 4043: "Permanent Identifier"
    • RFC 4055: "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
    • RFC 4158: "Certification Path Building"
    • RFC 4210: "Certificate Management Protocol (CMP)"
    • RFC 4211: "Certificate Request Message Format (CRMF)"
    • RFC 4212: "Alternative Certificate Formats for the Public-Key Infrastructure Using X.509 (PKIX) Certificate Management Protocols"
    • RFC 4325: "Authority Information Access Certificate Revocation List (CRL) Extension"
    • RFC 4386: "Repository Locator Service"
    • RFC 4387: "Operational Protocols: Certificate Store Access via HTTP"
    • RFC 4476: "Attribute Certificate (AC) Policies Extension"
    • RFC 4491: "Using the GOST 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 Algorithms with PKIX"
    • RFC 4630: "Update to DirectoryString Processing in the PKIX Certificate and Certificate Revocation List (CRL) Profile"
    • RFC 4683: "Subject Identification Method (SIM)"
    • RFC 4985: "Subject Alternative Name for Expression of Service Name"
    • RFC 5019: "The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments"
    • RFC 5055: "Server-Based Certificate Validation Protocol (SCVP)"
    • RFC 5272: "Certificate Management over CMS (CMC)"
    • RFC 5273: "Certificate Management over CMS (CMC): Transport Protocols"
    • RFC 5274: "Certificate Management Messages over CMS (CMC): Compliance Requirements"
    • RFC 5276: "Using the Server-Based Certificate Validation Protocol (SCVP) to Convey Long-Term Evidence Records"
    • RFC 5280: "Certificate and Certificate Revocation List (CRL) Profile"

  • S/MIME: S/MIME Mail Security
    • RFC 2311: "S/MIME Version 2 Message Specification"
    • RFC 2312: "S/MIME Version 2 Certificate Handling"
    • RFC 2630: "Cryptographic Message Syntax"
    • RFC 2631: "Diffie-Hellman Key Agreement Method"
    • RFC 2632: "S/MIME Version 3 Certificate Handling"
    • RFC 2633: "S/MIME Version 3 Message Specification"
    • RFC 2634: "Enhanced Security Services for S/MIME"
    • RFC 2785: "Methods for Avoiding the 'Small-Subgroup' Attacks on the Diffie-Hellman Key Agreement Method for S/MIME"
    • RFC 2876: "Use of the KEA and SKIPJACK Algorithms in CMS"
    • RFC 2984: "Use of the CAST-128 Encryption Algorithm in CMS"
    • RFC 3058: "Use of the IDEA Encryption Algorithm in CMS"
    • RFC 3125: "Electronic Signature Policies"
    • RFC 3126: "Electronic Signature Formats for long term electronic signatures"
    • RFC 3183: "Domain Security Services using S/MIME"
    • RFC 3185: "Reuse of CMS Content Encryption Keys"
    • RFC 3211: "Password-based Encryption for CMS"
    • RFC 3217: "Triple-DES and RC2 Key Wrapping "
    • RFC 3218: "Preventing the Million Message Attack on Cryptographic Message Syntax"
    • RFC 3274: "Compressed Data Content Type for CMS"
    • RFC 3278: "Use of Elliptic Curve Cryptography (ECC) Algorithms in CMS"
    • RFC 3369: "Cryptographic Message (CMS)Syntax"
    • RFC 3370: "Cryptographic Message Syntax (CMS) Algorithms"
    • RFC 3394: "Advanced Encryption Standard (AES) Key Wrap Algorithm"
    • RFC 3537: "Wrapping a Hashed Message Authentication Code (HMAC) key ..."
    • RFC 3560: "Use of the RSAES-OAEP Key Transport Algorithm in CMS"
    • RFC 3565: "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in CMS"
    • RFC 3657: "Use of the Camellia Encryption Algorithm in Cryptographic Message Syntax (CMS)"
    • RFC 3850: "S/MIME Version 3.1 Certificate Handling"
    • RFC 3851: "S/MIME Version 3.1 Certificate Message Specification"
    • RFC 3852: "Cryptographic Message Syntax (CMS)"
    • RFC 3854: "Securing X.400 Content with S/MIME"
    • RFC 3855: "Transporting S/MIME Objects in X.400"
    • RFC 4010: "Use of the SEED Encryption Algorithm in Cryptographic Message Syntax (CMS)"
    • RFC 4056: "Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)"
    • RFC 4134: "Examples of S/MIME Messages"
    • RFC 4262: "X.509 Certificate Extension for Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities"
    • RFC 4490: "Using the GOST 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 Algorithms with Cryptographic Message Syntax (CMS)"
    • RFC 4853: "Cryptographic Message Syntax (CMS) Multiple Signer Clarification"
    • RFC 5035: "Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility"
    • RFC 5083: "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type"
    • RFC 5084: "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)"
    • RFC 5126: "CMS Advanced Electronic Signatures (CAdES)"
    • RFC 5275: "CMS Symmetric Key Management and Distribution"

  • TLS: Transport Layer Security
    • RFC 2246: "The TLS Protocol Version 1.0"
    • RFC 2712: "Addition of Kerberos Cipher Suites to TLS"
    • RFC 2817: "Upgrading to TLS Within HTTP/1.1"
    • RFC 2818: "HTTP Over TLS"
    • RFC 2830: "LDAP v3: Extension for Transport Layer Security"
    • RFC 3268: "Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)"
    • RFC 3546: "Transport Layer Security (TLS) Extensions"
    • RFC 3749: "Transport Layer Security Protocol Compression Methods"
    • RFC 4132: "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)"
    • RFC 4261: "Common Open Policy Service (COPS) Over Transport Layer Security (TLS)"
    • RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)"
    • RFC 4346: "The Transport Layer Security (TLS) Protocol Version 1.1"
    • RFC 4366: "Transport Layer Security (TLS) Extensions"
    • RFC 4492: "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)"
    • RFC 4507: "Transport Layer Security (TLS) Session Resumption without Server-Side State"
    • RFC 4642: "Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)"
    • RFC 4680: "TLS Handshake Message for Supplemental Data"
    • RFC 4681: "TLS User Mapping Extension"
    • RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for TLS"
    • RFC 5054: "Using the Secure Remote Password (SRP) Protocol for TLS Authentication"
    • RFC 5077: "Transport Layer Security (TLS) Session Resumption without Server-Side State"
    • RFC 5081: "Using OpenPGP Keys for Transport Layer Security (TLS) Authentication"
    • RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2"
    • RFC 5281: "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)"
    • RFC 5288: "AES Galois Counter Mode (GCM) Cipher Suites for TLS"
    • RFC 5289: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)"

  • SPKI: Simple Public Key Infrastructure (Note: WG has concluded)
  • OpenPGP: An Open Specification for Pretty Good Privacy
  • IETF/W3C XML Signature WG
  • IPSEC: IP Security Protocol
  • IPSRA: IP Security Remote Access

  • The venerable PEM specification:
    • RFC 1421 --- Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures
    • RFC 1422 --- Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
    • RFC 1423 --- Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers
    • RFC 1424 --- Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services

  • RFC 1847: "Security Multiparts for MIME"
  • RFC 1848: "MIME Object Security Services (MOSS)"
  • RFC 2015: "MIME Security with Pretty Good Privacy (PGP)"
  • RFC 2480: "Gateways and MIME Security Multiparts"
  • RFC 3156: "MIME Security with OpenPGP"
  • RFC 3174: "US Secure Hash Algorithm 1 (SHA1)"
  • RFC 4523: "Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates"
  • RFC 4945: "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
  • RFC 5008: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)" (NSA)

Miscellaneous PKI and Security stuff:

• TERENA's Security Working Group: WG-SEC
• UKERNA Technology Group Secure Email Project Homepage
• About the Digital Notary Service
• MMMSec: Security in Multimedia - Mail
• Internet Law & Policy Forum (ILPF): CA Working Group
• SPKI: Simple Public Key Infrastrucure (Carl Ellison)
• Electronic Commerce Promotion Council (Japan)
• INFOSEC page from DGXIII of the European Commission
• Meta-Certificate Group
• University of Colorado Certification Practices Statement (DRAFT)
• The Global Trust Register (University of Cambridge)
• Certificate Authority Interoperability Pilot (Internet Council)
• Fortify for Netscape!
• European Certification Authority Forum (ECAF)
• "PKI Architecture" - Network Strategy Report by The Burton Group
• PKI Task Group (Open Group)
• Netscape Object Signing Resources
• The "Thin PKI" concept
• The PKI Forum
• ISETO: The International Secure Electronic Transactions Organisation
• ESCA: Electronic Signatures and Certification Authorities (ITU)
• e-STIO: Electronic Signature Testsuite for Inter-Operability
• Baker & McKenzie: Certification Authorities
• ChamberSign initiative by the British Chambers of Commerce
• The PKI Challenge (EEMA)
• HEPKI: Higher Education PKI
• PKI-COORD: PKI Coordination for Europe
• XKMS: XML Key Management Services (XKMS at w3.org)
• TECS: The Encyclopedia of Computer Security
• WebTrust Program for Certification Authorities
• CertificationAuthorities.com
• globalplatform.org
• SiegeSoft.com (Internet Privacy and Security)
• Project MailTrusT (note: German language!)
• Network and Information Security: Proposal for a European Policy
• ABA's PKI Assessment Guidelines (Draft)
• PKI Symposium 2003 (note: German language!)
• Dartmouth PKI Lab
  • 3^rd Annual PKI Research Workshop
• De Taskforce PKI Overheid (note: Dutch language!)
• Electronic Commerce for Developing Countries (ITU)
• OpenValidation.org (OCSP test responder)
• VPNC: VPN Consortium
• PKC 2002
• tScheme Ltd
• Internet2 PKI Labs
• Healthcare PKI
• vpnlabs.org
• vpnlabs.com
• SSTC: XML-Based Security Services Technical Committee (OASIS)
• xmltrustcenter.org
• pkilaw.com
• SigLab (note: German language!)
• A bridge CA for Europe's public administrations
• Questionnaire on Public Key Infrastructure applications and requirements for the European Academic Networks
• X.509 path validation test suite (NIST)
• PKI Club
• FreeICP Project
• PKICUG (PKI for Closed User Groups)
• Challenge PKI Project
• PKI Interoperability Project (Japan PKI Forum)
• Chinese PKI Forum (note: Chinese language!)
• Asia PKI Forum
• Foro PKI de Mexico (note: Spanish language!)
• Norwegian PKI Forum (note: Norwegian language!)
• SPES project: Setting the Processes for electronic signatures in European cities
• ECRYPT project: European Network of Excellence for Cryptology
• Z1 Global TrustPoint
• AuthenticationWorld
• CA/Browser Forum