History of X.509 in Timeline

Share: FB Share X Share Reddit Share Reddit Share
By Popular Timelines Editorial Team  · Updated:
X.509

X.509 is a comprehensive international standard that defines the format for public key certificates used in Public Key Infrastructure (PKI). Its primary purpose is to bind a public key to a specific identity—such as a user, device, or service—via a digital signature from a trusted Certificate Authority (CA). The standard specifies data structures for certificates, certificate revocation lists (CRLs), and attribute certificates. By utilizing a hierarchical trust model, X.509 ensures secure communication, data integrity, and authentication across various digital platforms, including SSL/TLS for web security, VPNs, and secure email (S/MIME). It relies on ASN.1 notation for data encoding, providing a standardized framework that allows disparate systems to verify identities globally.

July 3, 1988: Initial Issuance of the X.509 Standard

On July 3, 1988, the X.509 standard was officially issued in conjunction with the X.500 directory services standard. The primary objective of its creation was to facilitate secure user access to information resources and to mitigate the risks of cryptographic man-in-the-middle attacks through a structured hierarchical system of certificate authorities.

1995: Formation of the PKIX Working Group

In 1995, the Internet Engineering Task Force (IETF) teamed up with the National Institute of Standards and Technology to establish the Public-Key Infrastructure (X.509) working group, which became widely known as PKIX.

September 2002: Publication of Understanding Certification Path Construction

In September 2002, the PKI Forum published a document titled Understanding Certification Path Construction, which outlined technical best practices for managing key transitions in public key infrastructure, specifically detailing how to use cross-signing between old and new key pairs.

2004: Usage status of X.509 in peer-to-peer contexts

As of 2004, while X.509 version 3 could technically support peer-to-peer or OpenPGP-like web of trust topologies, it was rarely implemented or utilized in that specific manner.

2011: CA/Browser Forum Baseline Requirements Implementation

In 2011, the CA/Browser Forum introduced a mandatory requirement in Section 7.1 of its Baseline Requirements for certificate authorities to include entropy in serial numbers, a security measure implemented in 2011 to mitigate the risk of hash collision exploits during the certificate signing process.

June 2014: Conclusion of the PKIX Working Group

The PKIX working group, which was responsible for developing standards for X.509 deployment and internet protocols, officially concluded its operations in June 2014.

2014: Retrieval of PKI Forum guidance document

In 2014, the instructional document concerning X.509 certification path construction provided by the PKI Forum was retrieved for documentation and archival purposes.

2016: Prohibition of SHA-1 Certificates

Starting January 1, 2016, the industry Baseline Requirements officially prohibited the issuance of new digital certificates utilizing the SHA-1 hashing algorithm.

May 2017: Browser Rejection of SHA-1 Certificates

By May 2017, the transition away from SHA-1 was finalized across major web browsers as both Edge and Safari joined other platforms in rejecting certificates that utilized the SHA-1 algorithm.

2019: Archival of Certification Path Construction document

In 2019, the document regarding Certification Path Construction was officially archived, preserving the 2002 guidance on PKI key transitions for future reference.

2019: Removal of Extended Validation Visual Indicators

Throughout 2019, major web browsers shifted their policy regarding Extended Validation (EV) certificates. Following research indicating that EV certificates were ineffective and potentially exploitable by criminals to deceive users, browsers like Chromium and Firefox removed prominent URL bar visual indicators and began hiding EV identity information within sub-menus in a neutral format.

September 2021: OpenSSL 3.0 Release

In September 2021, the release of OpenSSL version 3.0 marked a significant security shift, as the software began rejecting SHA-1 certificates by default.