SPKI

The Simple Public Key Infrastructure (SPKI) IETF Working Group was created in 1996 as an alternative to the PKIX effort. One of the fundamental premises of this group was that X.509 is a complicated and bulky certificate format that, by explicitly binding a key pair to an identity, rests upon an inherently flawed foundation. The proponents of SPKI argue that the concept of a globally unique identity (that is, an X.500 DistinguishedName, as adopted by X.509) will never be realized. Instead, they advocate the idea of the public key as the identity of relevance. Where necessary and meaningful, a name or other identifying information may be associated with the key (building on the work in "SDSI—A Simple Distributed Security Infrastructure" [SDSI]), but this is optional and, in any case, only intended to have local significance.

The SPKI specifications [RFC2692, RFC2693] discuss the concepts and philosophy behind this approach to an Internet PKI and provide the detailed certificate format and processing rules required for implementation (see also [SPKI]). Unlike the initial focus of both X.509 and PKIX, SPKI explicitly encompasses authorization as well as authentication: The sophisticated certificate format makes it possible to express, in a general way, what a key is allowed to do. Such capability unfortunately (and perhaps not surprisingly) has done much to diminish the originally intended simplicity of the Simple Public Key Infrastructure. This has perhaps cost it some credibility and lost it some enthusiasts in specific environments. Nevertheless, the SPKI specifications have reached a level of maturity and stability within the working group, and its proponents have begun to concentrate their efforts on implementation and interoperability testing.