Skip to content
QPKI

Standards Reference

Standards Reference

Section titled “Standards Reference”

1. Implemented Standards

Section titled “1. Implemented Standards”

1.1 X.509 & PKI Services

Section titled “1.1 X.509 & PKI Services”
StandardTitleLink
RFC 2986PKCS #10: Certification Request Syntax Specificationdatatracker
RFC 3161Internet X.509 PKI Time-Stamp Protocol (TSP)datatracker
RFC 3739Internet X.509 PKI Qualified Certificates Profiledatatracker
RFC 4055Additional Algorithms for RSA Cryptography in X.509datatracker
RFC 5280Internet X.509 PKI Certificate and CRL Profiledatatracker
RFC 6960Online Certificate Status Protocol (OCSP)datatracker
RFC 8017PKCS #1: RSA Cryptography Specifications Version 2.2datatracker

1.2 Post-Quantum Cryptography

Section titled “1.2 Post-Quantum Cryptography”
StandardTitleLink
FIPS 203Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)csrc.nist.gov
FIPS 204Module-Lattice-Based Digital Signature Standard (ML-DSA)csrc.nist.gov
FIPS 205Stateless Hash-Based Digital Signature Standard (SLH-DSA)csrc.nist.gov
RFC 9881Use of ML-DSA in X.509 Certificatesdatatracker
RFC 9883Use of ML-KEM in Certification Request Attestationdatatracker

1.3 Hybrid & Composite

Section titled “1.3 Hybrid & Composite”
StandardTitleLink
ITU-T X.509 §9.8Catalyst certificates (alternative signature extensions)itu.int
RFC 9763Certificate Binding for Multi-Authenticationdatatracker
draft-ietf-lamps-pq-composite-sigsComposite ML-DSA Signatures for X.509datatracker

1.4 CMS & S/MIME

Section titled “1.4 CMS & S/MIME”
StandardTitleLink
RFC 5083CMS Authenticated-Enveloped-Data Content Typedatatracker
RFC 5652Cryptographic Message Syntax (CMS)datatracker
RFC 8419Use of EdDSA Signatures in CMSdatatracker
RFC 8550S/MIME Version 4.0 Certificate Handlingdatatracker
RFC 8551S/MIME Version 4.0 Message Specificationdatatracker
RFC 9629Using Key Encapsulation Mechanisms in CMSdatatracker
RFC 9814Use of SLH-DSA in CMSdatatracker
RFC 9882Use of ML-DSA in CMSdatatracker

1.5 COSE / CBOR

Section titled “1.5 COSE / CBOR”
StandardTitleLink
RFC 8392CBOR Web Token (CWT)datatracker
RFC 8949Concise Binary Object Representation (CBOR)datatracker
RFC 9052COSE: Structures and Processdatatracker
RFC 9053COSE: Initial Algorithmsdatatracker
RFC 9360COSE Header Parameters for X.509 Certificatesdatatracker
draft-ietf-cose-dilithiumML-DSA for JOSE and COSEdatatracker

1.6 TLS & SSH

Section titled “1.6 TLS & SSH”
StandardTitleLink
RFC 5246TLS Protocol Version 1.2datatracker
RFC 8446TLS Protocol Version 1.3datatracker
OpenSSH PROTOCOL.certkeysOpenSSH Certificate Key Formatgithub

1.7 Compliance & Security

Section titled “1.7 Compliance & Security”
StandardTitleLink
FIPS 140-3Security Requirements for Cryptographic Modulescsrc.nist.gov
NIST SP 800-57Recommendation for Key Managementcsrc.nist.gov
EU 910/2014eIDAS Regulationeur-lex
ETSI EN 319 401General Policy Requirements for Trust Service Providersetsi.org
ETSI EN 319 412-5QCStatements Extension for Qualified Certificatesetsi.org
ETSI EN 319 422Time-Stamping Protocol and Token Profilesetsi.org

2. OID Registry

Section titled “2. OID Registry”

2.1 Classical Algorithm OIDs

Section titled “2.1 Classical Algorithm OIDs”
AlgorithmOID
RSA1.2.840.113549.1.1.1
ECDSA P-2561.2.840.10045.3.1.7
ECDSA P-3841.3.132.0.34
ECDSA P-5211.3.132.0.35
Ed255191.3.101.112

2.2 Post-Quantum Algorithm OIDs

Section titled “2.2 Post-Quantum Algorithm OIDs”
AlgorithmOID
ML-DSA-442.16.840.1.101.3.4.3.17
ML-DSA-652.16.840.1.101.3.4.3.18
ML-DSA-872.16.840.1.101.3.4.3.19
SLH-DSA-SHA2-128s2.16.840.1.101.3.4.3.20
SLH-DSA-SHA2-128f2.16.840.1.101.3.4.3.21
SLH-DSA-SHA2-192s2.16.840.1.101.3.4.3.22
SLH-DSA-SHA2-192f2.16.840.1.101.3.4.3.23
SLH-DSA-SHA2-256s2.16.840.1.101.3.4.3.24
SLH-DSA-SHA2-256f2.16.840.1.101.3.4.3.25
ML-KEM-5122.16.840.1.101.3.4.4.1
ML-KEM-7682.16.840.1.101.3.4.4.2
ML-KEM-10242.16.840.1.101.3.4.4.3

2.3 Hybrid Extension OIDs

Section titled “2.3 Hybrid Extension OIDs”

Catalyst (ITU-T X.509 §9.8):

OIDName
2.5.29.72AltSubjectPublicKeyInfo
2.5.29.73AltSignatureAlgorithm
2.5.29.74AltSignatureValue

Composite (IANA-allocated):

AlgorithmOID
MLDSA65-ECDSA-P256-SHA5121.3.6.1.5.5.7.6.45
MLDSA65-ECDSA-P384-SHA5121.3.6.1.5.5.7.6.46
MLDSA87-ECDSA-P521-SHA5121.3.6.1.5.5.7.6.54

2.4 X.509 Extension OIDs

Section titled “2.4 X.509 Extension OIDs”
OIDNameUsage
2.5.29.14Subject Key IdentifierCertificate extension
2.5.29.15Key UsageCertificate extension
2.5.29.17Subject Alternative NameCertificate extension
2.5.29.19Basic ConstraintsCertificate extension
2.5.29.31CRL Distribution PointsCertificate extension
2.5.29.35Authority Key IdentifierCertificate extension
2.5.29.37Extended Key UsageCertificate extension

3. File Formats

Section titled “3. File Formats”

3.1 Private Keys

Section titled “3.1 Private Keys”
  • Format: PEM (PKCS#8)
  • Encryption: Optional AES-256-CBC with PBKDF2
  • Header: -----BEGIN PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----

3.2 Certificates

Section titled “3.2 Certificates”
  • Format: PEM (X.509)
  • Header: -----BEGIN CERTIFICATE-----

3.3 Certificate Revocation Lists

Section titled “3.3 Certificate Revocation Lists”
  • Format: PEM and DER
  • Header: -----BEGIN X509 CRL-----

See Also

Section titled “See Also”