-rw-r--r--  doc/protocol/rfc2459.txt  7227 deletions
-rw-r--r--  doc/protocol/rfc3280.txt  7227 insertions
2 files changed, 7227 insertions, 7227 deletions
diff --git a/doc/protocol/rfc2459.txt b/doc/protocol/rfc2459.txt deleted file mode 100644 index 6e3e753039..0000000000 --- a/doc/protocol/rfc2459.txt +++ /dev/null 
@@ -1,7227 +0,0 @@ - - - - - - -Network Working Group R. Housley -Request for Comments: 2459 SPYRUS -Category: Standards Track W. Ford - VeriSign - W. Polk - NIST - D. Solo - Citicorp - January 1999 - - - Internet X.509 Public Key Infrastructure - Certificate and CRL Profile - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (1999). All Rights Reserved. - -Abstract - - This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use - in the Internet. An overview of the approach and model are provided - as an introduction. The X.509 v3 certificate format is described in - detail, with additional information regarding the format and - semantics of Internet name forms (e.g., IP addresses). Standard - certificate extensions are described and one new Internet-specific - extension is defined. A required set of certificate extensions is - specified. The X.509 v2 CRL format is described and a required - extension set is defined as well. An algorithm for X.509 certificate - path validation is described. Supplemental information is provided - describing the format of public keys and digital signatures in X.509 - certificates for common Internet public key encryption algorithms - (i.e., RSA, DSA, and Diffie-Hellman). ASN.1 modules and examples are - provided in the appendices. - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. - - - - - -Housley, et. al. 
Standards Track [Page 1] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Please send comments on this document to the ietf-pkix@imc.org mail - list. - - - - TTTTaaaabbbblllleeee ooooffff CCCCoooonnnntttteeeennnnttttssss - - - - 1 Introduction ................................................ 5 - 2 Requirements and Assumptions ................................ 6 - 2.1 Communication and Topology ................................ 6 - 2.2 Acceptability Criteria .................................... 7 - 2.3 User Expectations ......................................... 7 - 2.4 Administrator Expectations ................................ 7 - 3 Overview of Approach ........................................ 7 - 3.1 X.509 Version 3 Certificate ............................... 9 - 3.2 Certification Paths and Trust ............................. 10 - 3.3 Revocation ................................................ 12 - 3.4 Operational Protocols ..................................... 13 - 3.5 Management Protocols ...................................... 13 - 4 Certificate and Certificate Extensions Profile .............. 15 - 4.1 Basic Certificate Fields .................................. 15 - 4.1.1 Certificate Fields ...................................... 16 - 4.1.1.1 tbsCertificate ........................................ 16 - 4.1.1.2 signatureAlgorithm .................................... 16 - 4.1.1.3 signatureValue ........................................ 17 - 4.1.2 TBSCertificate .......................................... 17 - 4.1.2.1 Version ............................................... 17 - 4.1.2.2 Serial number ......................................... 18 - 4.1.2.3 Signature ............................................. 18 - 4.1.2.4 Issuer ................................................ 18 - 4.1.2.5 Validity .............................................. 21 - 4.1.2.5.1 UTCTime ............................................. 
22 - 4.1.2.5.2 GeneralizedTime ..................................... 22 - 4.1.2.6 Subject ............................................... 22 - 4.1.2.7 Subject Public Key Info ............................... 23 - 4.1.2.8 Unique Identifiers .................................... 24 - 4.1.2.9 Extensions ............................................. 24 - 4.2 Certificate Extensions .................................... 24 - 4.2.1 Standard Extensions ..................................... 25 - 4.2.1.1 Authority Key Identifier .............................. 25 - 4.2.1.2 Subject Key Identifier ................................ 26 - 4.2.1.3 Key Usage ............................................. 27 - 4.2.1.4 Private Key Usage Period .............................. 29 - 4.2.1.5 Certificate Policies .................................. 29 - 4.2.1.6 Policy Mappings ....................................... 31 - 4.2.1.7 Subject Alternative Name .............................. 32 - - - -Housley, et. al. Standards Track [Page 2] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - 4.2.1.8 Issuer Alternative Name ............................... 34 - 4.2.1.9 Subject Directory Attributes .......................... 34 - 4.2.1.10 Basic Constraints .................................... 35 - 4.2.1.11 Name Constraints ..................................... 35 - 4.2.1.12 Policy Constraints ................................... 37 - 4.2.1.13 Extended key usage field ............................. 38 - 4.2.1.14 CRL Distribution Points .............................. 39 - 4.2.2 Private Internet Extensions ............................. 40 - 4.2.2.1 Authority Information Access .......................... 41 - 5 CRL and CRL Extensions Profile .............................. 42 - 5.1 CRL Fields ................................................ 43 - 5.1.1 CertificateList Fields .................................. 43 - 5.1.1.1 tbsCertList ........................................... 
44 - 5.1.1.2 signatureAlgorithm .................................... 44 - 5.1.1.3 signatureValue ........................................ 44 - 5.1.2 Certificate List "To Be Signed" ......................... 44 - 5.1.2.1 Version ............................................... 45 - 5.1.2.2 Signature ............................................. 45 - 5.1.2.3 Issuer Name ........................................... 45 - 5.1.2.4 This Update ........................................... 45 - 5.1.2.5 Next Update ........................................... 45 - 5.1.2.6 Revoked Certificates .................................. 46 - 5.1.2.7 Extensions ............................................ 46 - 5.2 CRL Extensions ............................................ 46 - 5.2.1 Authority Key Identifier ................................ 47 - 5.2.2 Issuer Alternative Name ................................. 47 - 5.2.3 CRL Number .............................................. 47 - 5.2.4 Delta CRL Indicator ..................................... 48 - 5.2.5 Issuing Distribution Point .............................. 48 - 5.3 CRL Entry Extensions ...................................... 49 - 5.3.1 Reason Code ............................................. 50 - 5.3.2 Hold Instruction Code ................................... 50 - 5.3.3 Invalidity Date ......................................... 51 - 5.3.4 Certificate Issuer ...................................... 51 - 6 Certificate Path Validation ................................. 52 - 6.1 Basic Path Validation ..................................... 52 - 6.2 Extending Path Validation ................................. 56 - 7 Algorithm Support ........................................... 57 - 7.1 One-way Hash Functions .................................... 57 - 7.1.1 MD2 One-way Hash Function ............................... 57 - 7.1.2 MD5 One-way Hash Function ............................... 
58 - 7.1.3 SHA-1 One-way Hash Function ............................. 58 - 7.2 Signature Algorithms ...................................... 58 - 7.2.1 RSA Signature Algorithm ................................. 59 - 7.2.2 DSA Signature Algorithm ................................. 60 - 7.3 Subject Public Key Algorithms ............................. 60 - 7.3.1 RSA Keys ................................................ 61 - 7.3.2 Diffie-Hellman Key Exchange Key ......................... 61 - - - -Housley, et. al. Standards Track [Page 3] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - 7.3.3 DSA Signature Keys ...................................... 63 - 8 References .................................................. 64 - 9 Intellectual Property Rights ................................ 66 - 10 Security Considerations .................................... 67 - Appendix A. ASN.1 Structures and OIDs ......................... 70 - A.1 Explicitly Tagged Module, 1988 Syntax ...................... 70 - A.2 Implicitly Tagged Module, 1988 Syntax ...................... 84 - Appendix B. 1993 ASN.1 Structures and OIDs .................... 91 - B.1 Explicitly Tagged Module, 1993 Syntax ...................... 91 - B.2 Implicitly Tagged Module, 1993 Syntax ...................... 108 - Appendix C. ASN.1 Notes ....................................... 116 - Appendix D. Examples .......................................... 117 - D.1 Certificate ............................................... 117 - D.2 Certificate ............................................... 120 - D.3 End-Entity Certificate Using RSA .......................... 123 - D.4 Certificate Revocation List ............................... 126 - Appendix E. Authors' Addresses ................................ 128 - Appendix F. Full Copyright Statement .......................... 129 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. 
Standards Track [Page 4] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -1 Introduction - - This specification is one part of a family of standards for the X.509 - Public Key Infrastructure (PKI) for the Internet. This specification - is a standalone document; implementations of this standard may - proceed independent from the other parts. - - This specification profiles the format and semantics of certificates - and certificate revocation lists for the Internet PKI. Procedures - are described for processing of certification paths in the Internet - environment. Encoding rules are provided for popular cryptographic - algorithms. Finally, ASN.1 modules are provided in the appendices - for all data structures defined or referenced. - - The specification describes the requirements which inspire the - creation of this document and the assumptions which affect its scope - in Section 2. Section 3 presents an architectural model and - describes its relationship to previous IETF and ISO/IEC/ITU - standards. In particular, this document's relationship with the IETF - PEM specifications and the ISO/IEC/ITU X.509 documents are described. - - The specification profiles the X.509 version 3 certificate in Section - 4, and the X.509 version 2 certificate revocation list (CRL) in - Section 5. The profiles include the identification of ISO/IEC/ITU and - ANSI extensions which may be useful in the Internet PKI. The profiles - are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather - than the 1994 syntax used in the ISO/IEC/ITU standards. - - This specification also includes path validation procedures in - Section 6. These procedures are based upon the ISO/IEC/ITU - definition, but the presentation assumes one or more self-signed - trusted CA certificates. Implementations are required to derive the - same results but are not required to use the specified procedures. 
- - Section 7 of the specification describes procedures for - identification and encoding of public key materials and digital - signatures. Implementations are not required to use any particular - cryptographic algorithms. However, conforming implementations which - use the identified algorithms are required to identify and encode the - public key materials and digital signatures as described. - - Finally, four appendices are provided to aid implementers. Appendix - A contains all ASN.1 structures defined or referenced within this - specification. As above, the material is presented in the 1988 - Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax. - Appendix B contains the same information in the 1994 ASN.1 notation - as a service to implementers using updated toolsets. However, - Appendix A takes precedence in case of conflict. Appendix C contains - - - -Housley, et. al. Standards Track [Page 5] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - notes on less familiar features of the ASN.1 notation used within - this specification. Appendix D contains examples of a conforming - certificate and a conforming CRL. - -2 Requirements and Assumptions - - The goal of this specification is to develop a profile to facilitate - the use of X.509 certificates within Internet applications for those - communities wishing to make use of X.509 technology. Such - applications may include WWW, electronic mail, user authentication, - and IPsec. In order to relieve some of the obstacles to using X.509 - certificates, this document defines a profile to promote the - development of certificate management systems; development of - application tools; and interoperability determined by policy. - - Some communities will need to supplement, or possibly replace, this - profile in order to meet the requirements of specialized application - domains or environments with additional authorization, assurance, or - operational requirements. 
However, for basic applications, common - representations of frequently used attributes are defined so that - application developers can obtain necessary information without - regard to the issuer of a particular certificate or certificate - revocation list (CRL). - - A certificate user should review the certificate policy generated by - the certification authority (CA) before relying on the authentication - or non-repudiation services associated with the public key in a - particular certificate. To this end, this standard does not - prescribe legally binding rules or duties. - - As supplemental authorization and attribute management tools emerge, - such as attribute certificates, it may be appropriate to limit the - authenticated attributes that are included in a certificate. These - other management tools may provide more appropriate methods of - conveying many authenticated attributes. - -2.1 Communication and Topology - - The users of certificates will operate in a wide range of - environments with respect to their communication topology, especially - users of secure electronic mail. This profile supports users without - high bandwidth, real-time IP connectivity, or high connection - availability. In addition, the profile allows for the presence of - firewall or other filtered communication. - - - - - - - -Housley, et. al. Standards Track [Page 6] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - This profile does not assume the deployment of an X.500 Directory - system. The profile does not prohibit the use of an X.500 Directory, - but other means of distributing certificates and certificate - revocation lists (CRLs) may be used. - -2.2 Acceptability Criteria - - The goal of the Internet Public Key Infrastructure (PKI) is to meet - the needs of deterministic, automated identification, authentication, - access control, and authorization functions. 
Support for these - services determines the attributes contained in the certificate as - well as the ancillary control information in the certificate such as - policy data and certification path constraints. - -2.3 User Expectations - - Users of the Internet PKI are people and processes who use client - software and are the subjects named in certificates. These uses - include readers and writers of electronic mail, the clients for WWW - browsers, WWW servers, and the key manager for IPsec within a router. - This profile recognizes the limitations of the platforms these users - employ and the limitations in sophistication and attentiveness of the - users themselves. This manifests itself in minimal user - configuration responsibility (e.g., trusted CA keys, rules), explicit - platform usage constraints within the certificate, certification path - constraints which shield the user from many malicious actions, and - applications which sensibly automate validation functions. - -2.4 Administrator Expectations - - As with user expectations, the Internet PKI profile is structured to - support the individuals who generally operate CAs. Providing - administrators with unbounded choices increases the chances that a - subtle CA administrator mistake will result in broad compromise. - Also, unbounded choices greatly complicate the software that shall - process and validate the certificates created by the CA. - -3 Overview of Approach - - Following is a simplified view of the architectural model assumed by - the PKIX specifications. - - - - - - - - - - -Housley, et. al. 
Standards Track [Page 7] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - +---+ - | C | +------------+ - | e | <-------------------->| End entity | - | r | Operational +------------+ - | t | transactions ^ - | | and management | Management - | / | transactions | transactions - | | | PKI users - | C | v - | R | -------------------+--+-----------+---------------- - | L | ^ ^ - | | | | PKI management - | | v | entities - | R | +------+ | - | e | <---------------------| RA | <---+ | - | p | Publish certificate +------+ | | - | o | | | - | s | | | - | I | v v - | t | +------------+ - | o | <------------------------------| CA | - | r | Publish certificate +------------+ - | y | Publish CRL ^ - | | | - +---+ Management | - transactions | - v - +------+ - | CA | - +------+ - - Figure 1 - PKI Entities - - The components in this model are: - - end entity: user of PKI certificates and/or end user system that - is the subject of a certificate; - CA: certification authority; - RA: registration authority, i.e., an optional system to - which a CA delegates certain management functions; - repository: a system or collection of distributed systems that - store certificates and CRLs and serves as a means of - distributing these certificates and CRLs to end - entities. - - - - - - - -Housley, et. al. Standards Track [Page 8] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -3.1 X.509 Version 3 Certificate - - Users of a public key shall be confident that the associated private - key is owned by the correct remote subject (person or system) with - which an encryption or digital signature mechanism will be used. - This confidence is obtained through the use of public key - certificates, which are data structures that bind public key values - to subjects. The binding is asserted by having a trusted CA - digitally sign each certificate. 
The CA may base this assertion upon - technical means (a.k.a., proof of posession through a challenge- - response protocol), presentation of the private key, or on an - assertion by the subject. A certificate has a limited valid lifetime - which is indicated in its signed contents. Because a certificate's - signature and timeliness can be independently checked by a - certificate-using client, certificates can be distributed via - untrusted communications and server systems, and can be cached in - unsecured storage in certificate-using systems. - - ITU-T X.509 (formerly CCITT X.509) or ISO/IEC/ITU 9594-8, which was - first published in 1988 as part of the X.500 Directory - recommendations, defines a standard certificate format [X.509]. The - certificate format in the 1988 standard is called the version 1 (v1) - format. When X.500 was revised in 1993, two more fields were added, - resulting in the version 2 (v2) format. These two fields may be used - to support directory access control. - - The Internet Privacy Enhanced Mail (PEM) RFCs, published in 1993, - include specifications for a public key infrastructure based on X.509 - v1 certificates [RFC 1422]. The experience gained in attempts to - deploy RFC 1422 made it clear that the v1 and v2 certificate formats - are deficient in several respects. Most importantly, more fields - were needed to carry information which PEM design and implementation - experience has proven necessary. In response to these new - requirements, ISO/IEC/ITU and ANSI X9 developed the X.509 version 3 - (v3) certificate format. The v3 format extends the v2 format by - adding provision for additional extension fields. Particular - extension field types may be specified in standards or may be defined - and registered by any organization or community. In June 1996, - standardization of the basic v3 format was completed [X.509]. - - ISO/IEC/ITU and ANSI X9 have also developed standard extensions for - use in the v3 extensions field [X.509][X9.55]. 
These extensions can - convey such data as additional subject identification information, - key attribute information, policy information, and certification path - constraints. - - - - - - -Housley, et. al. Standards Track [Page 9] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - However, the ISO/IEC/ITU and ANSI X9 standard extensions are very - broad in their applicability. In order to develop interoperable - implementations of X.509 v3 systems for Internet use, it is necessary - to specify a profile for use of the X.509 v3 extensions tailored for - the Internet. It is one goal of this document to specify a profile - for Internet WWW, electronic mail, and IPsec applications. - Environments with additional requirements may build on this profile - or may replace it. - -3.2 Certification Paths and Trust - - A user of a security service requiring knowledge of a public key - generally needs to obtain and validate a certificate containing the - required public key. If the public-key user does not already hold an - assured copy of the public key of the CA that signed the certificate, - the CA's name, and related information (such as the validity period - or name constraints), then it might need an additional certificate to - obtain that public key. In general, a chain of multiple certificates - may be needed, comprising a certificate of the public key owner (the - end entity) signed by one CA, and zero or more additional - certificates of CAs signed by other CAs. Such chains, called - certification paths, are required because a public key user is only - initialized with a limited number of assured CA public keys. - - There are different ways in which CAs might be configured in order - for public key users to be able to find certification paths. For - PEM, RFC 1422 defined a rigid hierarchical structure of CAs. 
There - are three types of PEM certification authority: - - (a) Internet Policy Registration Authority (IPRA): This - authority, operated under the auspices of the Internet Society, - acts as the root of the PEM certification hierarchy at level 1. - It issues certificates only for the next level of authorities, - PCAs. All certification paths start with the IPRA. - - (b) Policy Certification Authorities (PCAs): PCAs are at level 2 - of the hierarchy, each PCA being certified by the IPRA. A PCA - shall establish and publish a statement of its policy with respect - to certifying users or subordinate certification authorities. - Distinct PCAs aim to satisfy different user needs. For example, - one PCA (an organizational PCA) might support the general - electronic mail needs of commercial organizations, and another PCA - (a high-assurance PCA) might have a more stringent policy designed - for satisfying legally binding digital signature requirements. - - - - - - - -Housley, et. al. Standards Track [Page 10] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (c) Certification Authorities (CAs): CAs are at level 3 of the - hierarchy and can also be at lower levels. Those at level 3 are - certified by PCAs. CAs represent, for example, particular - organizations, particular organizational units (e.g., departments, - groups, sections), or particular geographical areas. - - RFC 1422 furthermore has a name subordination rule which requires - that a CA can only issue certificates for entities whose names are - subordinate (in the X.500 naming tree) to the name of the CA itself. - The trust associated with a PEM certification path is implied by the - PCA name. The name subordination rule ensures that CAs below the PCA - are sensibly constrained as to the set of subordinate entities they - can certify (e.g., a CA for an organization can only certify entities - in that organization's name tree). 
Certificate user systems are able - to mechanically check that the name subordination rule has been - followed. - - The RFC 1422 uses the X.509 v1 certificate formats. The limitations - of X.509 v1 required imposition of several structural restrictions to - clearly associate policy information or restrict the utility of - certificates. These restrictions included: - - (a) a pure top-down hierarchy, with all certification paths - starting from IPRA; - - (b) a naming subordination rule restricting the names of a CA's - subjects; and - - (c) use of the PCA concept, which requires knowledge of individual - PCAs to be built into certificate chain verification logic. - Knowledge of individual PCAs was required to determine if a chain - could be accepted. - - With X.509 v3, most of the requirements addressed by RFC 1422 can be - addressed using certificate extensions, without a need to restrict - the CA structures used. In particular, the certificate extensions - relating to certificate policies obviate the need for PCAs and the - constraint extensions obviate the need for the name subordination - rule. As a result, this document supports a more flexible - architecture, including: - - (a) Certification paths may start with a public key of a CA in a - user's own domain, or with the public key of the top of a - hierarchy. Starting with the public key of a CA in a user's own - domain has certain advantages. In some environments, the local - domain is the most trusted. - - - - - -Housley, et. al. Standards Track [Page 11] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (b) Name constraints may be imposed through explicit inclusion of - a name constraints extension in a certificate, but are not - required. - - (c) Policy extensions and policy mappings replace the PCA - concept, which permits a greater degree of automation. 
The - application can determine if the certification path is acceptable - based on the contents of the certificates instead of a priori - knowledge of PCAs. This permits automation of certificate chain - processing. - -3.3 Revocation - - When a certificate is issued, it is expected to be in use for its - entire validity period. However, various circumstances may cause a - certificate to become invalid prior to the expiration of the validity - period. Such circumstances include change of name, change of - association between subject and CA (e.g., an employee terminates - employment with an organization), and compromise or suspected - compromise of the corresponding private key. Under such - circumstances, the CA needs to revoke the certificate. - - X.509 defines one method of certificate revocation. This method - involves each CA periodically issuing a signed data structure called - a certificate revocation list (CRL). A CRL is a time stamped list - identifying revoked certificates which is signed by a CA and made - freely available in a public repository. Each revoked certificate is - identified in a CRL by its certificate serial number. When a - certificate-using system uses a certificate (e.g., for verifying a - remote user's digital signature), that system not only checks the - certificate signature and validity but also acquires a suitably- - recent CRL and checks that the certificate serial number is not on - that CRL. The meaning of "suitably-recent" may vary with local - policy, but it usually means the most recently-issued CRL. A CA - issues a new CRL on a regular periodic basis (e.g., hourly, daily, or - weekly). An entry is added to the CRL as part of the next update - following notification of revocation. An entry may be removed from - the CRL after appearing on one regularly scheduled CRL issued beyond - the revoked certificate's validity period. 
- - An advantage of this revocation method is that CRLs may be - distributed by exactly the same means as certificates themselves, - namely, via untrusted communications and server systems. - - One limitation of the CRL revocation method, using untrusted - communications and servers, is that the time granularity of - revocation is limited to the CRL issue period. For example, if a - revocation is reported now, that revocation will not be reliably - - - -Housley, et. al. Standards Track [Page 12] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - notified to certificate-using systems until the next periodic CRL is - issued -- this may be up to one hour, one day, or one week depending - on the frequency that the CA issues CRLs. - - As with the X.509 v3 certificate format, in order to facilitate - interoperable implementations from multiple vendors, the X.509 v2 CRL - format needs to be profiled for Internet use. It is one goal of this - document to specify that profile. However, this profile does not - require CAs to issue CRLs. Message formats and protocols supporting - on-line revocation notification may be defined in other PKIX - specifications. On-line methods of revocation notification may be - applicable in some environments as an alternative to the X.509 CRL. - On-line revocation checking may significantly reduce the latency - between a revocation report and the distribution of the information - to relying parties. Once the CA accepts the report as authentic and - valid, any query to the on-line service will correctly reflect the - certificate validation impacts of the revocation. However, these - methods impose new security requirements; the certificate validator - shall trust the on-line validation service while the repository does - not need to be trusted. - -3.4 Operational Protocols - - Operational protocols are required to deliver certificates and CRLs - (or status information) to certificate using client systems. 
- Provision is needed for a variety of different means of certificate - and CRL delivery, including distribution procedures based on LDAP, - HTTP, FTP, and X.500. Operational protocols supporting these - functions are defined in other PKIX specifications. These - specifications may include definitions of message formats and - procedures for supporting all of the above operational environments, - including definitions of or references to appropriate MIME content - types. - -3.5 Management Protocols - - Management protocols are required to support on-line interactions - between PKI user and management entities. For example, a management - protocol might be used between a CA and a client system with which a - key pair is associated, or between two CAs which cross-certify each - other. The set of functions which potentially need to be supported - by management protocols include: - - (a) registration: This is the process whereby a user first makes - itself known to a CA (directly, or through an RA), prior to that - CA issuing a certificate or certificates for that user. - - - - - -Housley, et. al. Standards Track [Page 13] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (b) initialization: Before a client system can operate securely - it is necessary to install key materials which have the - appropriate relationship with keys stored elsewhere in the - infrastructure. For example, the client needs to be securely - initialized with the public key and other assured information of - the trusted CA(s), to be used in validating certificate paths. - Furthermore, a client typically needs to be initialized with its - own key pair(s). - - (c) certification: This is the process in which a CA issues a - certificate for a user's public key, and returns that certificate - to the user's client system and/or posts that certificate in a - repository. 
- - (d) key pair recovery: As an option, user client key materials - (e.g., a user's private key used for encryption purposes) may be - backed up by a CA or a key backup system. If a user needs to - recover these backed up key materials (e.g., as a result of a - forgotten password or a lost key chain file), an on-line protocol - exchange may be needed to support such recovery. - - (e) key pair update: All key pairs need to be updated regularly, - i.e., replaced with a new key pair, and new certificates issued. - - (f) revocation request: An authorized person advises a CA of an - abnormal situation requiring certificate revocation. - - (g) cross-certification: Two CAs exchange information used in - establishing a cross-certificate. A cross-certificate is a - certificate issued by one CA to another CA which contains a CA - signature key used for issuing certificates. - - Note that on-line protocols are not the only way of implementing the - above functions. For all functions there are off-line methods of - achieving the same result, and this specification does not mandate - use of on-line protocols. For example, when hardware tokens are - used, many of the functions may be achieved as part of the physical - token delivery. Furthermore, some of the above functions may be - combined into one protocol exchange. In particular, two or more of - the registration, initialization, and certification functions can be - combined into one protocol exchange. - - The PKIX series of specifications may define a set of standard - message formats supporting the above functions in future - specifications. In that case, the protocols for conveying these - messages in different environments (e.g., on-line, file transfer, e- - mail, and WWW) will also be described in those specifications. - - - - -Housley, et. al. 
Standards Track [Page 14] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -4 Certificate and Certificate Extensions Profile - - This section presents a profile for public key certificates that will - foster interoperability and a reusable PKI. This section is based - upon the X.509 v3 certificate format and the standard certificate - extensions defined in [X.509]. The ISO/IEC/ITU documents use the - 1993 version of ASN.1; while this document uses the 1988 ASN.1 - syntax, the encoded certificate and standard extensions are - equivalent. This section also defines private extensions required to - support a PKI for the Internet community. - - Certificates may be used in a wide range of applications and - environments covering a broad spectrum of interoperability goals and - a broader spectrum of operational and assurance requirements. The - goal of this document is to establish a common baseline for generic - applications requiring broad interoperability and limited special - purpose requirements. In particular, the emphasis will be on - supporting the use of X.509 v3 certificates for informal Internet - electronic mail, IPsec, and WWW applications. - -4.1 Basic Certificate Fields - - The X.509 v3 certificate basic syntax is as follows. For signature - calculation, the certificate is encoded using the ASN.1 distinguished - encoding rules (DER) [X.208]. ASN.1 DER encoding is a tag, length, - value encoding system for each element. 
- - Certificate ::= SEQUENCE { - tbsCertificate TBSCertificate, - signatureAlgorithm AlgorithmIdentifier, - signatureValue BIT STRING } - - TBSCertificate ::= SEQUENCE { - version [0] EXPLICIT Version DEFAULT v1, - serialNumber CertificateSerialNumber, - signature AlgorithmIdentifier, - issuer Name, - validity Validity, - subject Name, - subjectPublicKeyInfo SubjectPublicKeyInfo, - issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - extensions [3] EXPLICIT Extensions OPTIONAL - -- If present, version shall be v3 - } - - - - -Housley, et. al. Standards Track [Page 15] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Version ::= INTEGER { v1(0), v2(1), v3(2) } - - CertificateSerialNumber ::= INTEGER - - Validity ::= SEQUENCE { - notBefore Time, - notAfter Time } - - Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } - - UniqueIdentifier ::= BIT STRING - - SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - subjectPublicKey BIT STRING } - - Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension - - Extension ::= SEQUENCE { - extnID OBJECT IDENTIFIER, - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING } - - The following items describe the X.509 v3 certificate for use in the - Internet. - -4.1.1 Certificate Fields - - The Certificate is a SEQUENCE of three required fields. The fields - are described in detail in the following subsections. - -4.1.1.1 tbsCertificate - - The field contains the names of the subject and issuer, a public key - associated with the subject, a validity period, and other associated - information. The fields are described in detail in section 4.1.2; - the tbscertificate may also include extensions which are described in - section 4.2. 
- -4.1.1.2 signatureAlgorithm - - The signatureAlgorithm field contains the identifier for the - cryptographic algorithm used by the CA to sign this certificate. - Section 7.2 lists the supported signature algorithms. - - An algorithm identifier is defined by the following ASN.1 structure: - - - -Housley, et. al. Standards Track [Page 16] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } - - The algorithm identifier is used to identify a cryptographic - algorithm. The OBJECT IDENTIFIER component identifies the algorithm - (such as DSA with SHA-1). The contents of the optional parameters - field will vary according to the algorithm identified. Section 7.2 - lists the supported algorithms for this specification. - - This field MUST contain the same algorithm identifier as the - signature field in the sequence tbsCertificate (see sec. 4.1.2.3). - -4.1.1.3 signatureValue - - The signatureValue field contains a digital signature computed upon - the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded - tbsCertificate is used as the input to the signature function. This - signature value is then ASN.1 encoded as a BIT STRING and included in - the Certificate's signature field. The details of this process are - specified for each of the supported algorithms in Section 7.2. - - By generating this signature, a CA certifies the validity of the - information in the tbsCertificate field. In particular, the CA - certifies the binding between the public key material and the subject - of the certificate. - -4.1.2 TBSCertificate - - The sequence TBSCertificate contains information associated with the - subject of the certificate and the CA who issued it. 
Every - TBSCertificate contains the names of the subject and issuer, a public - key associated with the subject, a validity period, a version number, - and a serial number; some may contain optional unique identifier - fields. The remainder of this section describes the syntax and - semantics of these fields. A TBSCertificate may also include - extensions. Extensions for the Internet PKI are described in Section - 4.2. - -4.1.2.1 Version - - This field describes the version of the encoded certificate. When - extensions are used, as expected in this profile, use X.509 version 3 - (value is 2). If no extensions are present, but a UniqueIdentifier - is present, use version 2 (value is 1). If only basic fields are - present, use version 1 (the value is omitted from the certificate as - the default value). - - - - -Housley, et. al. Standards Track [Page 17] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Implementations SHOULD be prepared to accept any version certificate. - At a minimum, conforming implementations MUST recognize version 3 - certificates. - - Generation of version 2 certificates is not expected by - implementations based on this profile. - -4.1.2.2 Serial number - - The serial number is an integer assigned by the CA to each - certificate. It MUST be unique for each certificate issued by a - given CA (i.e., the issuer name and serial number identify a unique - certificate). - -4.1.2.3 Signature - - This field contains the algorithm identifier for the algorithm used - by the CA to sign the certificate. - - This field MUST contain the same algorithm identifier as the - signatureAlgorithm field in the sequence Certificate (see sec. - 4.1.1.2). The contents of the optional parameters field will vary - according to the algorithm identified. Section 7.2 lists the - supported signature algorithms. - -4.1.2.4 Issuer - - The issuer field identifies the entity who has signed and issued the - certificate. 
The issuer field MUST contain a non-empty distinguished - name (DN). The issuer field is defined as the X.501 type Name. - [X.501] Name is defined by the following ASN.1 structures: - - Name ::= CHOICE { - RDNSequence } - - RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - - RelativeDistinguishedName ::= - SET OF AttributeTypeAndValue - - AttributeTypeAndValue ::= SEQUENCE { - type AttributeType, - value AttributeValue } - - AttributeType ::= OBJECT IDENTIFIER - - AttributeValue ::= ANY DEFINED BY AttributeType - - - - -Housley, et. al. Standards Track [Page 18] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - DirectoryString ::= CHOICE { - teletexString TeletexString (SIZE (1..MAX)), - printableString PrintableString (SIZE (1..MAX)), - universalString UniversalString (SIZE (1..MAX)), - utf8String UTF8String (SIZE (1.. MAX)), - bmpString BMPString (SIZE (1..MAX)) } - - The Name describes a hierarchical name composed of attributes, such - as country name, and corresponding values, such as US. The type of - the component AttributeValue is determined by the AttributeType; in - general it will be a DirectoryString. - - The DirectoryString type is defined as a choice of PrintableString, - TeletexString, BMPString, UTF8String, and UniversalString. The - UTF8String encoding is the preferred encoding, and all certificates - issued after December 31, 2003 MUST use the UTF8String encoding of - DirectoryString (except as noted below). Until that date, conforming - CAs MUST choose from the following options when creating a - distinguished name, including their own: - - (a) if the character set is sufficient, the string MAY be - represented as a PrintableString; - - (b) failing (a), if the BMPString character set is sufficient the - string MAY be represented as a BMPString; and - - (c) failing (a) and (b), the string MUST be represented as a - UTF8String. If (a) or (b) is satisfied, the CA MAY still choose - to represent the string as a UTF8String. 
- - Exceptions to the December 31, 2003 UTF8 encoding requirements are as - follows: - - (a) CAs MAY issue "name rollover" certificates to support an - orderly migration to UTF8String encoding. Such certificates would - include the CA's UTF8String encoded name as issuer and and the old - name encoding as subject, or vice-versa. - - (b) As stated in section 4.1.2.6, the subject field MUST be - populated with a non-empty distinguished name matching the - contents of the issuer field in all certificates issued by the - subject CA regardless of encoding. - - The TeletexString and UniversalString are included for backward - compatibility, and should not be used for certificates for new - subjects. However, these types may be used in certificates where the - name was previously established. Certificate users SHOULD be - prepared to receive certificates with these types. - - - -Housley, et. al. Standards Track [Page 19] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - In addition, many legacy implementations support names encoded in the - ISO 8859-1 character set (Latin1String) but tag them as - TeletexString. The Latin1String includes characters used in Western - European countries which are not part of the TeletexString charcter - set. Implementations that process TeletexString SHOULD be prepared - to handle the entire ISO 8859-1 character set.[ISO 8859-1] - - As noted above, distinguished names are composed of attributes. This - specification does not restrict the set of attribute types that may - appear in names. However, conforming implementations MUST be - prepared to receive certificates with issuer names containing the set - of attribute types defined below. This specification also recommends - support for additional attribute types. 
- - Standard sets of attributes have been defined in the X.500 series of - specifications.[X.520] Implementations of this specification MUST be - prepared to receive the following standard attribute types in issuer - names: country, organization, organizational-unit, distinguished name - qualifier, state or province name, and common name (e.g., "Susan - Housley"). In addition, implementations of this specification SHOULD - be prepared to receive the following standard attribute types in - issuer names: locality, title, surname, given name, initials, and - generation qualifier (e.g., "Jr.", "3rd", or "IV"). The syntax and - associated object identifiers (OIDs) for these attribute types are - provided in the ASN.1 modules in Appendices A and B. - - In addition, implementations of this specification MUST be prepared - to receive the domainComponent attribute, as defined in [RFC 2247]. - The Domain (Nameserver) System (DNS) provides a hierarchical resource - labeling system. This attribute provides is a convenient mechanism - for organizations that wish to use DNs that parallel their DNS names. - This is not a replacement for the dNSName component of the - alternative name field. Implementations are not required to convert - such names into DNS names. The syntax and associated OID for this - attribute type is provided in the ASN.1 modules in Appendices A and - B. - - Certificate users MUST be prepared to process the issuer - distinguished name and subject distinguished name (see sec. 4.1.2.6) - fields to perform name chaining for certification path validation - (see section 6). Name chaining is performed by matching the issuer - distinguished name in one certificate with the subject name in a CA - certificate. - - This specification requires only a subset of the name comparison - functionality specified in the X.500 series of specifications. The - requirements for conforming implementations are as follows: - - - - -Housley, et. al. 
Standards Track [Page 20] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (a) attribute values encoded in different types (e.g., - PrintableString and BMPString) may be assumed to represent - different strings; - - (b) attribute values in types other than PrintableString are case - sensitive (this permits matching of attribute values as binary - objects); - - (c) attribute values in PrintableString are not case sensitive - (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and - - (d) attribute values in PrintableString are compared after - removing leading and trailing white space and converting internal - substrings of one or more consecutive white space characters to a - single space. - - These name comparison rules permit a certificate user to validate - certificates issued using languages or encodings unfamiliar to the - certificate user. - - In addition, implementations of this specification MAY use these - comparison rules to process unfamiliar attribute types for name - chaining. This allows implementations to process certificates with - unfamiliar attributes in the issuer name. - - Note that the comparison rules defined in the X.500 series of - specifications indicate that the character sets used to encode data - in distinguished names are irrelevant. The characters themselves are - compared without regard to encoding. Implementations of the profile - are permitted to use the comparison algorithm defined in the X.500 - series. Such an implementation will recognize a superset of name - matches recognized by the algorithm specified above. - -4.1.2.5 Validity - - The certificate validity period is the time interval during which the - CA warrants that it will maintain information about the status of the - certificate. The field is represented as a SEQUENCE of two dates: - the date on which the certificate validity period begins (notBefore) - and the date on which the certificate validity period ends - (notAfter). 
Both notBefore and notAfter may be encoded as UTCTime or - GeneralizedTime. - - CAs conforming to this profile MUST always encode certificate - validity dates through the year 2049 as UTCTime; certificate validity - dates in 2050 or later MUST be encoded as GeneralizedTime. - - - - - -Housley, et. al. Standards Track [Page 21] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -4.1.2.5.1 UTCTime - - The universal time type, UTCTime, is a standard ASN.1 type intended - for international applications where local time alone is not - adequate. UTCTime specifies the year through the two low order - digits and time is specified to the precision of one minute or one - second. UTCTime includes either Z (for Zulu, or Greenwich Mean Time) - or a time differential. - - For the purposes of this profile, UTCTime values MUST be expressed - Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are - YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming - systems MUST interpret the year field (YY) as follows: - - Where YY is greater than or equal to 50, the year shall be - interpreted as 19YY; and - - Where YY is less than 50, the year shall be interpreted as 20YY. - -4.1.2.5.2 GeneralizedTime - - The generalized time type, GeneralizedTime, is a standard ASN.1 type - for variable precision representation of time. Optionally, the - GeneralizedTime field can include a representation of the time - differential between local and Greenwich Mean Time. - - For the purposes of this profile, GeneralizedTime values MUST be - expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e., - times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. - GeneralizedTime values MUST NOT include fractional seconds. - -4.1.2.6 Subject - - The subject field identifies the entity associated with the public - key stored in the subject public key field. 
The subject name may be - carried in the subject field and/or the subjectAltName extension. If - the subject is a CA (e.g., the basic constraints extension, as - discussed in 4.2.1.10, is present and the value of cA is TRUE,) then - the subject field MUST be populated with a non-empty distinguished - name matching the contents of the issuer field (see sec. 4.1.2.4) in - all certificates issued by the subject CA. If subject naming - information is present only in the subjectAltName extension (e.g., a - key bound only to an email address or URI), then the subject name - MUST be an empty sequence and the subjectAltName extension MUST be - critical. - - - - - - -Housley, et. al. Standards Track [Page 22] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Where it is non-empty, the subject field MUST contain an X.500 - distinguished name (DN). The DN MUST be unique for each subject - entity certified by the one CA as defined by the issuer name field. A - CA may issue more than one certificate with the same DN to the same - subject entity. - - The subject name field is defined as the X.501 type Name. - Implementation requirements for this field are those defined for the - issuer field (see sec. 4.1.2.4). When encoding attribute values of - type DirectoryString, the encoding rules for the issuer field MUST be - implemented. Implementations of this specification MUST be prepared - to receive subject names containing the attribute types required for - the issuer field. Implementations of this specification SHOULD be - prepared to receive subject names containing the recommended - attribute types for the issuer field. The syntax and associated - object identifiers (OIDs) for these attribute types are provided in - the ASN.1 modules in Appendices A and B. Implementations of this - specification MAY use these comparison rules to process unfamiliar - attribute types (i.e., for name chaining). 
This allows - implementations to process certificates with unfamiliar attributes in - the subject name. - - In addition, legacy implementations exist where an RFC 822 name is - embedded in the subject distinguished name as an EmailAddress - attribute. The attribute value for EmailAddress is of type IA5String - to permit inclusion of the character '@', which is not part of the - PrintableString character set. EmailAddress attribute values are not - case sensitive (e.g., "fanfeedback@redsox.com" is the same as - "FANFEEDBACK@REDSOX.COM"). - - Conforming implementations generating new certificates with - electronic mail addresses MUST use the rfc822Name in the subject - alternative name field (see sec. 4.2.1.7) to describe such - identities. Simultaneous inclusion of the EmailAddress attribute in - the subject distinguished name to support legacy implementations is - deprecated but permitted. - -4.1.2.7 Subject Public Key Info - - This field is used to carry the public key and identify the algorithm - with which the key is used. The algorithm is identified using the - AlgorithmIdentifier structure specified in section 4.1.1.2. The - object identifiers for the supported algorithms and the methods for - encoding the public key materials (public key and parameters) are - specified in section 7.3. - - - - - - -Housley, et. al. Standards Track [Page 23] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -4.1.2.8 Unique Identifiers - - These fields may only appear if the version is 2 or 3 (see sec. - 4.1.2.1). The subject and issuer unique identifiers are present in - the certificate to handle the possibility of reuse of subject and/or - issuer names over time. This profile recommends that names not be - reused for different entities and that Internet certificates not make - use of unique identifiers. CAs conforming to this profile SHOULD NOT - generate certificates with unique identifiers. 
Applications - conforming to this profile SHOULD be capable of parsing unique - identifiers and making comparisons. - -4.1.2.9 Extensions - - This field may only appear if the version is 3 (see sec. 4.1.2.1). - If present, this field is a SEQUENCE of one or more certificate - extensions. The format and content of certificate extensions in the - Internet PKI is defined in section 4.2. - -4.2 Standard Certificate Extensions - - The extensions defined for X.509 v3 certificates provide methods for - associating additional attributes with users or public keys and for - managing the certification hierarchy. The X.509 v3 certificate - format also allows communities to define private extensions to carry - information unique to those communities. Each extension in a - certificate may be designated as critical or non-critical. A - certificate using system MUST reject the certificate if it encounters - a critical extension it does not recognize; however, a non-critical - extension may be ignored if it is not recognized. The following - sections present recommended extensions used within Internet - certificates and standard locations for information. Communities may - elect to use additional extensions; however, caution should be - exercised in adopting any critical extensions in certificates which - might prevent use in a general context. - - Each extension includes an OID and an ASN.1 structure. When an - extension appears in a certificate, the OID appears as the field - extnID and the corresponding ASN.1 encoded structure is the value of - the octet string extnValue. Only one instance of a particular - extension may appear in a particular certificate. For example, a - certificate may contain only one authority key identifier extension - (see sec. 4.2.1.1). An extension includes the boolean critical, with - a default value of FALSE. The text for each extension specifies the - acceptable values for the critical field. - - - - - - -Housley, et. al. 
Standards Track [Page 24] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Conforming CAs MUST support key identifiers (see sec. 4.2.1.1 and - 4.2.1.2), basic constraints (see sec. 4.2.1.10), key usage (see sec. - 4.2.1.3), and certificate policies (see sec. 4.2.1.5) extensions. If - the CA issues certificates with an empty sequence for the subject - field, the CA MUST support the subject alternative name extension - (see sec. 4.2.1.7). Support for the remaining extensions is - OPTIONAL. Conforming CAs may support extensions that are not - identified within this specification; certificate issuers are - cautioned that marking such extensions as critical may inhibit - interoperability. - - At a minimum, applications conforming to this profile MUST recognize - the extensions which must or may be critical in this specification. - These extensions are: key usage (see sec. 4.2.1.3), certificate - policies (see sec. 4.2.1.5), the subject alternative name (see sec. - 4.2.1.7), basic constraints (see sec. 4.2.1.10), name constraints - (see sec. 4.2.1.11), policy constraints (see sec. 4.2.1.12), and - extended key usage (see sec. 4.2.1.13). - - In addition, this profile RECOMMENDS application support for the - authority and subject key identifier (see sec. 4.2.1.1 and 4.2.1.2) - extensions. - -4.2.1 Standard Extensions - - This section identifies standard certificate extensions defined in - [X.509] for use in the Internet PKI. Each extension is associated - with an OID defined in [X.509]. These OIDs are members of the id-ce - arc, which is defined by the following: - - id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} - -4.2.1.1 Authority Key Identifier - - The authority key identifier extension provides a means of - identifying the public key corresponding to the private key used to - sign a certificate. This extension is used where an issuer has - multiple signing keys (either due to multiple concurrent key pairs or - due to changeover). 
The identification may be based on either the - key identifier (the subject key identifier in the issuer's - certificate) or on the issuer name and serial number. - - The keyIdentifier field of the authorityKeyIdentifier extension MUST - be included in all certificates generated by conforming CAs to - facilitate chain building. There is one exception; where a CA - distributes its public key in the form of a "self-signed" - certificate, the authority key identifier may be omitted. In this - case, the subject and authority key identifiers would be identical. - - - -Housley, et. al. Standards Track [Page 25] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The value of the keyIdentifier field SHOULD be derived from the - public key used to verify the certificate's signature or a method - that generates unique values. Two common methods for generating key - identifiers from the public key are described in (sec. 4.2.1.2). One - common method for generating unique values isdescribed in (sec. - 4.2.1.2). Where a key identifier has not been previously - established, this specification recommends use of one of these - methods for generating keyIdentifiers. - - This profile recommends support for the key identifier method by all - certificate users. - - This extension MUST NOT be marked critical. - - id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } - - AuthorityKeyIdentifier ::= SEQUENCE { - keyIdentifier [0] KeyIdentifier OPTIONAL, - authorityCertIssuer [1] GeneralNames OPTIONAL, - authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } - - KeyIdentifier ::= OCTET STRING - -4.2.1.2 Subject Key Identifier - - The subject key identifier extension provides a means of identifying - certificates that contain a particular public key. - - To facilitate chain building, this extension MUST appear in all con- - forming CA certificates, that is, all certificates including the - basic constraints extension (see sec. 
4.2.1.10) where the value of cA - is TRUE. The value of the subject key identifier MUST be the value - placed in the key identifier field of the Authority Key Identifier - extension (see sec. 4.2.1.1) of certificates issued by the subject of - this certificate. - - For CA certificates, subject key identifiers SHOULD be derived from - the public key or a method that generates unique values. Two common - methods for generating key identifiers from the public key are: - - (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the - value of the BIT STRING subjectPublicKey (excluding the tag, - length, and number of unused bits). - - (2) The keyIdentifier is composed of a four bit type field with - the value 0100 followed by the least significant 60 bits of the - SHA-1 hash of the value of the BIT STRING subjectPublicKey. - - - - -Housley, et. al. Standards Track [Page 26] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - One common method for generating unique values is a monotomically - increasing sequence of integers. - - For end entity certificates, the subject key identifier extension - provides a means for identifying certificates containing the - particular public key used in an application. Where an end entity has - obtained multiple certificates, especially from multiple CAs, the - subject key identifier provides a means to quickly identify the set - of certificates containing a particular public key. To assist - applications in identificiation the appropriate end entity - certificate, this extension SHOULD be included in all end entity - certificates. - - For end entity certificates, subject key identifiers SHOULD be - derived from the public key. Two common methods for generating key - identifiers from the public key are identifed above. - - Where a key identifier has not been previously established, this - specification recommends use of one of these methods for generating - keyIdentifiers. 
- - This extension MUST NOT be marked critical. - - id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } - - SubjectKeyIdentifier ::= KeyIdentifier - -4.2.1.3 Key Usage - - The key usage extension defines the purpose (e.g., encipherment, - signature, certificate signing) of the key contained in the - certificate. The usage restriction might be employed when a key that - could be used for more than one operation is to be restricted. For - example, when an RSA key should be used only for signing, the - digitalSignature and/or nonRepudiation bits would be asserted. - Likewise, when an RSA key should be used only for key management, the - keyEncipherment bit would be asserted. When used, this extension - SHOULD be marked critical. - - id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } - - KeyUsage ::= BIT STRING { - digitalSignature (0), - nonRepudiation (1), - keyEncipherment (2), - dataEncipherment (3), - keyAgreement (4), - keyCertSign (5), - - - -Housley, et. al. Standards Track [Page 27] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - cRLSign (6), - encipherOnly (7), - decipherOnly (8) } - - - Bits in the KeyUsage type are used as follows: - - The digitalSignature bit is asserted when the subject public key - is used with a digital signature mechanism to support security - services other than non-repudiation (bit 1), certificate signing - (bit 5), or revocation information signing (bit 6). Digital - signature mechanisms are often used for entity authentication and - data origin authentication with integrity. - - The nonRepudiation bit is asserted when the subject public key is - used to verify digital signatures used to provide a non- - repudiation service which protects against the signing entity - falsely denying some action, excluding certificate or CRL signing. - - The keyEncipherment bit is asserted when the subject public key is - used for key transport. 
For example, when an RSA key is to be - used for key management, then this bit shall asserted. - - The dataEncipherment bit is asserted when the subject public key - is used for enciphering user data, other than cryptographic keys. - - The keyAgreement bit is asserted when the subject public key is - used for key agreement. For example, when a Diffie-Hellman key is - to be used for key management, then this bit shall asserted. - - The keyCertSign bit is asserted when the subject public key is - used for verifying a signature on certificates. This bit may only - be asserted in CA certificates. - - The cRLSign bit is asserted when the subject public key is used - for verifying a signature on revocation information (e.g., a CRL). - - The meaning of the encipherOnly bit is undefined in the absence of - the keyAgreement bit. When the encipherOnly bit is asserted and - the keyAgreement bit is also set, the subject public key may be - used only for enciphering data while performing key agreement. - - The meaning of the decipherOnly bit is undefined in the absence of - the keyAgreement bit. When the decipherOnly bit is asserted and - the keyAgreement bit is also set, the subject public key may be - used only for deciphering data while performing key agreement. - - - - - -Housley, et. al. Standards Track [Page 28] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - This profile does not restrict the combinations of bits that may be - set in an instantiation of the keyUsage extension. However, - appropriate values for keyUsage extensions for particular algorithms - are specified in section 7.3. - -4.2.1.4 Private Key Usage Period - - This profile recommends against the use of this extension. CAs - conforming to this profile MUST NOT generate certificates with - critical private key usage period extensions. 
- - The private key usage period extension allows the certificate issuer - to specify a different validity period for the private key than the - certificate. This extension is intended for use with digital - signature keys. This extension consists of two optional components, - notBefore and notAfter. The private key associated with the - certificate should not be used to sign objects before or after the - times specified by the two components, respectively. CAs conforming - to this profile MUST NOT generate certificates with private key usage - period extensions unless at least one of the two components is - present. - - Where used, notBefore and notAfter are represented as GeneralizedTime - and MUST be specified and interpreted as defined in section - 4.1.2.5.2. - - id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } - - PrivateKeyUsagePeriod ::= SEQUENCE { - notBefore [0] GeneralizedTime OPTIONAL, - notAfter [1] GeneralizedTime OPTIONAL } - -4.2.1.5 Certificate Policies - - The certificate policies extension contains a sequence of one or more - policy information terms, each of which consists of an object - identifier (OID) and optional qualifiers. These policy information - terms indicate the policy under which the certificate has been issued - and the purposes for which the certificate may be used. Optional - qualifiers, which may be present, are not expected to change the - definition of the policy. - - Applications with specific policy requirements are expected to have a - list of those policies which they will accept and to compare the - policy OIDs in the certificate to that list. If this extension is - critical, the path validation software MUST be able to interpret this - extension (including the optional qualifier), or MUST reject the - certificate. - - - -Housley, et. al. 
Standards Track [Page 29] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - To promote interoperability, this profile RECOMMENDS that policy - information terms consist of only an OID. Where an OID alone is - insufficient, this profile strongly recommends that use of qualifiers - be limited to those identified in this section. - - This specification defines two policy qualifier types for use by - certificate policy writers and certificate issuers. The qualifier - types are the CPS Pointer and User Notice qualifiers. - - The CPS Pointer qualifier contains a pointer to a Certification - Practice Statement (CPS) published by the CA. The pointer is in the - form of a URI. - - User notice is intended for display to a relying party when a - certificate is used. The application software SHOULD display all - user notices in all certificates of the certification path used, - except that if a notice is duplicated only one copy need be - displayed. To prevent such duplication, this qualifier SHOULD only - be present in end-entity certificates and CA certificates issued to - other organizations. - - The user notice has two optional fields: the noticeRef field and the - explicitText field. - - The noticeRef field, if used, names an organization and - identifies, by number, a particular textual statement prepared by - that organization. For example, it might identify the - organization "CertsRUs" and notice number 1. In a typical - implementation, the application software will have a notice file - containing the current set of notices for CertsRUs; the - application will extract the notice text from the file and display - it. Messages may be multilingual, allowing the software to select - the particular language message for its own environment. - - An explicitText field includes the textual statement directly in - the certificate. The explicitText field is a string with a - maximum size of 200 characters. 
- - If both the noticeRef and explicitText options are included in the - one qualifier and if the application software can locate the notice - text indicated by the noticeRef option then that text should be - displayed; otherwise, the explicitText string should be displayed. - - id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } - - certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation - - - - - -Housley, et. al. Standards Track [Page 30] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - PolicyInformation ::= SEQUENCE { - policyIdentifier CertPolicyId, - policyQualifiers SEQUENCE SIZE (1..MAX) OF - PolicyQualifierInfo OPTIONAL } - - CertPolicyId ::= OBJECT IDENTIFIER - - PolicyQualifierInfo ::= SEQUENCE { - policyQualifierId PolicyQualifierId, - qualifier ANY DEFINED BY policyQualifierId } - - -- policyQualifierIds for Internet policy qualifiers - - id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } - id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } - id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - - PolicyQualifierId ::= - OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) - - Qualifier ::= CHOICE { - cPSuri CPSuri, - userNotice UserNotice } - - CPSuri ::= IA5String - - UserNotice ::= SEQUENCE { - noticeRef NoticeReference OPTIONAL, - explicitText DisplayText OPTIONAL} - - NoticeReference ::= SEQUENCE { - organization DisplayText, - noticeNumbers SEQUENCE OF INTEGER } - - DisplayText ::= CHOICE { - visibleString VisibleString (SIZE (1..200)), - bmpString BMPString (SIZE (1..200)), - utf8String UTF8String (SIZE (1..200)) } - -4.2.1.6 Policy Mappings - - This extension is used in CA certificates. It lists one or more - pairs of OIDs; each pair includes an issuerDomainPolicy and a - subjectDomainPolicy. The pairing indicates the issuing CA considers - its issuerDomainPolicy equivalent to the subject CA's - subjectDomainPolicy. - - - - - -Housley, et. al. 
Standards Track [Page 31] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The issuing CA's users may accept an issuerDomainPolicy for certain - applications. The policy mapping tells the issuing CA's users which - policies associated with the subject CA are comparable to the policy - they accept. - - This extension may be supported by CAs and/or applications, and it - MUST be non-critical. - - id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } - - PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - issuerDomainPolicy CertPolicyId, - subjectDomainPolicy CertPolicyId } - -4.2.1.7 Subject Alternative Name - - The subject alternative names extension allows additional identities - to be bound to the subject of the certificate. Defined options - include an Internet electronic mail address, a DNS name, an IP - address, and a uniform resource identifier (URI). Other options - exist, including completely local definitions. Multiple name forms, - and multiple instances of each name form, may be included. Whenever - such identities are to be bound into a certificate, the subject - alternative name (or issuer alternative name) extension MUST be used. - - Because the subject alternative name is considered to be - definitiviely bound to the public key, all parts of the subject - alternative name MUST be verified by the CA. - - Further, if the only subject identity included in the certificate is - an alternative name form (e.g., an electronic mail address), then the - subject distinguished name MUST be empty (an empty sequence), and the - subjectAltName extension MUST be present. If the subject field - contains an empty sequence, the subjectAltName extension MUST be - marked critical. - - When the subjectAltName extension contains an Internet mail address, - the address MUST be included as an rfc822Name. The format of an - rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An - addr-spec has the form "local-part@domain". 
Note that an addr-spec - has no phrase (such as a common name) before it, has no comment (text - surrounded in parentheses) after it, and is not surrounded by "<" and - ">". Note that while upper and lower case letters are allowed in an - RFC 822 addr-spec, no significance is attached to the case. - - When the subjectAltName extension contains a iPAddress, the address - MUST be stored in the octet string in "network byte order," as - specified in RFC 791 [RFC 791]. The least significant bit (LSB) of - - - -Housley, et. al. Standards Track [Page 32] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - each octet is the LSB of the corresponding byte in the network - address. For IP Version 4, as specified in RFC 791, the octet string - MUST contain exactly four octets. For IP Version 6, as specified in - RFC 1883, the octet string MUST contain exactly sixteen octets [RFC - 1883]. - - When the subjectAltName extension contains a domain name service - label, the domain name MUST be stored in the dNSName (an IA5String). - The name MUST be in the "preferred name syntax," as specified by RFC - 1034 [RFC 1034]. Note that while upper and lower case letters are - allowed in domain names, no signifigance is attached to the case. In - addition, while the string " " is a legal domain name, subjectAltName - extensions with a dNSName " " are not permitted. Finally, the use of - the DNS representation for Internet mail addresses (wpolk.nist.gov - instead of wpolk@nist.gov) is not permitted; such identities are to - be encoded as rfc822Name. - - When the subjectAltName extension contains a URI, the name MUST be - stored in the uniformResourceIdentifier (an IA5String). The name MUST - be a non-relative URL, and MUST follow the URL syntax and encoding - rules specified in [RFC 1738]. The name must include both a scheme - (e.g., "http" or "ftp") and a scheme-specific-part. 
The scheme- - specific-part must include a fully qualified domain name or IP - address as the host. - - As specified in [RFC 1738], the scheme name is not case-sensitive - (e.g., "http" is equivalent to "HTTP"). The host part is also not - case-sensitive, but other components of the scheme-specific-part may - be case-sensitive. When comparing URIs, conforming implementations - MUST compare the scheme and host without regard to case, but assume - the remainder of the scheme-specific-part is case sensitive. - - Subject alternative names may be constrained in the same manner as - subject distinguished names using the name constraints extension as - described in section 4.2.1.11. - - If the subjectAltName extension is present, the sequence MUST contain - at least one entry. Unlike the subject field, conforming CAs MUST - NOT issue certificates with subjectAltNames containing empty - GeneralName fields. For example, an rfc822Name is represented as an - IA5String. While an empty string is a valid IA5String, such an - rfc822Name is not permitted by this profile. The behavior of clients - that encounter such a certificate when processing a certificication - path is not defined by this profile. - - - - - - - -Housley, et. al. Standards Track [Page 33] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Finally, the semantics of subject alternative names that include - wildcard characters (e.g., as a placeholder for a set of names) are - not addressed by this specification. Applications with specific - requirements may use such names but shall define the semantics. 
- - - id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } - - SubjectAltName ::= GeneralNames - - GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - - GeneralName ::= CHOICE { - otherName [0] OtherName, - rfc822Name [1] IA5String, - dNSName [2] IA5String, - x400Address [3] ORAddress, - directoryName [4] Name, - ediPartyName [5] EDIPartyName, - uniformResourceIdentifier [6] IA5String, - iPAddress [7] OCTET STRING, - registeredID [8] OBJECT IDENTIFIER} - - OtherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id } - - EDIPartyName ::= SEQUENCE { - nameAssigner [0] DirectoryString OPTIONAL, - partyName [1] DirectoryString } - -4.2.1.8 Issuer Alternative Names - - As with 4.2.1.7, this extension is used to associate Internet style - identities with the certificate issuer. Issuer alternative names MUST - be encoded as in 4.2.1.7. - - Where present, this extension SHOULD NOT be marked critical. - - id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } - - IssuerAltName ::= GeneralNames - -4.2.1.9 Subject Directory Attributes - - The subject directory attributes extension is not recommended as an - essential part of this profile, but it may be used in local - environments. This extension MUST be non-critical. - - - -Housley, et. al. Standards Track [Page 34] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } - - SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute - -4.2.1.10 Basic Constraints - - The basic constraints extension identifies whether the subject of the - certificate is a CA and how deep a certification path may exist - through that CA. - - The pathLenConstraint field is meaningful only if cA is set to TRUE. - In this case, it gives the maximum number of CA certificates that may - follow this certificate in a certification path. 
A value of zero - indicates that only an end-entity certificate may follow in the path. - Where it appears, the pathLenConstraint field MUST be greater than or - equal to zero. Where pathLenConstraint does not appear, there is no - limit to the allowed length of the certification path. - - This extension MUST appear as a critical extension in all CA - certificates. This extension SHOULD NOT appear in end entity - certificates. - - id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } - - BasicConstraints ::= SEQUENCE { - cA BOOLEAN DEFAULT FALSE, - pathLenConstraint INTEGER (0..MAX) OPTIONAL } - -4.2.1.11 Name Constraints - - The name constraints extension, which MUST be used only in a CA - certificate, indicates a name space within which all subject names in - subsequent certificates in a certification path shall be located. - Restrictions may apply to the subject distinguished name or subject - alternative names. Restrictions apply only when the specified name - form is present. If no name of the type is in the certificate, the - certificate is acceptable. - - Restrictions are defined in terms of permitted or excluded name - subtrees. Any name matching a restriction in the excludedSubtrees - field is invalid regardless of information appearing in the - permittedSubtrees. This extension MUST be critical. - - Within this profile, the minimum and maximum fields are not used with - any name forms, thus minimum is always zero, and maximum is always - absent. - - - - - -Housley, et. al. Standards Track [Page 35] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - For URIs, the constraint applies to the host part of the name. The - constraint may specify a host or a domain. Examples would be - "foo.bar.com"; and ".xyz.com". When the the constraint begins with - a period, it may be expanded with one or more subdomains. That is, - the constraint ".xyz.com" is satisfied by both abc.xyz.com and - abc.def.xyz.com. 
However, the constraint ".xyz.com" is not satisfied - by "xyz.com". When the constraint does not begin with a period, it - specifies a host. - - A name constraint for Internat mail addresses may specify a - particular mailbox, all addresses at a particular host, or all - mailboxes in a domain. To indicate a particular mailbox, the - constraint is the complete mail address. For example, "root@xyz.com" - indicates the root mailbox on the host "xyz.com". To indicate all - Internet mail addresses on a particular host, the constraint is - specified as the host name. For example, the constraint "xyz.com" is - satisfied by any mail address at the host "xyz.com". To specify any - address within a domain, the constraint is specified with a leading - period (as with URIs). For example, ".xyz.com" indicates all the - Internet mail addresses in the domain "xyz.com", but Internet mail - addresses on the host "xyz.com". - - DNS name restrictions are expressed as foo.bar.com. Any subdomain - satisfies the name constraint. For example, www.foo.bar.com would - satisfy the constraint but bigfoo.bar.com would not. - - Legacy implementations exist where an RFC 822 name is embedded in the - subject distinguished name in an attribute of type EmailAddress (see - sec. 4.1.2.6). When rfc822 names are constrained, but the certificate - does not include a subject alternative name, the rfc822 name - constraint MUST be applied to the attribute of type EmailAddress in - the subject distinguished name. The ASN.1 syntax for EmailAddress - and the corresponding OID are supplied in Appendix A and B. - - Restrictions of the form directoryName MUST be applied to the subject - field in the certificate and to the subjectAltName extensions of type - directoryName. Restrictions of the form x400Address MUST be applied - to subjectAltName extensions of type x400Address. - - When applying restrictions of the form directoryName, an - implementation MUST compare DN attributes. 
At a minimum, - implementations MUST perform the DN comparison rules specified in - Section 4.1.2.4. CAs issuing certificates with a restriction of the - form directoryName SHOULD NOT rely on implementation of the full ISO - DN name comparison algorithm. This implies name restrictions shall - be stated identically to the encoding used in the subject field or - subjectAltName extension. - - - - -Housley, et. al. Standards Track [Page 36] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The syntax of iPAddress MUST be as described in section 4.2.1.7 with - the following additions specifically for Name Constraints. For IPv4 - addresses, the ipAddress field of generalName MUST contain eight (8) - octets, encoded in the style of RFC 1519 (CIDR) to represent an - address range.[RFC 1519] For IPv6 addresses, the ipAddress field - MUST contain 32 octets similarly encoded. For example, a name - constraint for "class C" subnet 10.9.8.0 shall be represented as the - octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation - 10.9.8.0/255.255.255.0. - - The syntax and semantics for name constraints for otherName, - ediPartyName, and registeredID are not defined by this specification. - - id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } - - NameConstraints ::= SEQUENCE { - permittedSubtrees [0] GeneralSubtrees OPTIONAL, - excludedSubtrees [1] GeneralSubtrees OPTIONAL } - - GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree - - GeneralSubtree ::= SEQUENCE { - base GeneralName, - minimum [0] BaseDistance DEFAULT 0, - maximum [1] BaseDistance OPTIONAL } - - BaseDistance ::= INTEGER (0..MAX) - -4.2.1.12 Policy Constraints - - The policy constraints extension can be used in certificates issued - to CAs. The policy constraints extension constrains path validation - in two ways. It can be used to prohibit policy mapping or require - that each certificate in a path contain an acceptable policy - identifier. 
- - If the inhibitPolicyMapping field is present, the value indicates the - number of additional certificates that may appear in the path before - policy mapping is no longer permitted. For example, a value of one - indicates that policy mapping may be processed in certificates issued - by the subject of this certificate, but not in additional - certificates in the path. - - If the requireExplicitPolicy field is present, subsequent - certificates shall include an acceptable policy identifier. The value - of requireExplicitPolicy indicates the number of additional - certificates that may appear in the path before an explicit policy is - required. An acceptable policy identifier is the identifier of a - - - -Housley, et. al. Standards Track [Page 37] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - policy required by the user of the certification path or the - identifier of a policy which has been declared equivalent through - policy mapping. - - Conforming CAs MUST NOT issue certificates where policy constraints - is a null sequence. That is, at least one of the inhibitPolicyMapping - field or the requireExplicitPolicy field MUST be present. The - behavior of clients that encounter a null policy constraints field is - not addressed in this profile. - - This extension may be critical or non-critical. - - id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } - - PolicyConstraints ::= SEQUENCE { - requireExplicitPolicy [0] SkipCerts OPTIONAL, - inhibitPolicyMapping [1] SkipCerts OPTIONAL } - - SkipCerts ::= INTEGER (0..MAX) - -4.2.1.13 Extended key usage field - - This field indicates one or more purposes for which the certified - public key may be used, in addition to or in place of the basic - purposes indicated in the key usage extension field. 
This field is - defined as follows: - - id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} - - ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId - - KeyPurposeId ::= OBJECT IDENTIFIER - - Key purposes may be defined by any organization with a need. Object - identifiers used to identify key purposes shall be assigned in - accordance with IANA or ITU-T Rec. X.660 | ISO/IEC/ITU 9834-1. - - This extension may, at the option of the certificate issuer, be - either critical or non-critical. - - If the extension is flagged critical, then the certificate MUST be - used only for one of the purposes indicated. - - If the extension is flagged non-critical, then it indicates the - intended purpose or purposes of the key, and may be used in finding - the correct key/certificate of an entity that has multiple - keys/certificates. It is an advisory field and does not imply that - usage of the key is restricted by the certification authority to the - - - -Housley, et. al. Standards Track [Page 38] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - purpose indicated. Certificate using applications may nevertheless - require that a particular purpose be indicated in order for the - certificate to be acceptable to that application. - - If a certificate contains both a critical key usage field and a - critical extended key usage field, then both fields MUST be processed - independently and the certificate MUST only be used for a purpose - consistent with both fields. If there is no purpose consistent with - both fields, then the certificate MUST NOT be used for any purpose. 
- - The following key usage purposes are defined by this profile: - - id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } - - id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1} - -- TLS Web server authentication - -- Key usage bits that may be consistent: digitalSignature, - -- keyEncipherment or keyAgreement - -- - id-kp-clientAuth OBJECT IDENTIFIER ::= {id-kp 2} - -- TLS Web client authentication - -- Key usage bits that may be consistent: digitalSignature and/or - -- keyAgreement - -- - id-kp-codeSigning OBJECT IDENTIFIER ::= {id-kp 3} - -- Signing of downloadable executable code - -- Key usage bits that may be consistent: digitalSignature - -- - id-kp-emailProtection OBJECT IDENTIFIER ::= {id-kp 4} - -- E-mail protection - -- Key usage bits that may be consistent: digitalSignature, - -- nonRepudiation, and/or (keyEncipherment - -- or keyAgreement) - -- - id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } - -- Binding the hash of an object to a time from an agreed-upon time - -- source. Key usage bits that may be consistent: digitalSignature, - -- nonRepudiation - -4.2.1.14 CRL Distribution Points - - The CRL distribution points extension identifies how CRL information - is obtained. The extension SHOULD be non-critical, but this profile - recommends support for this extension by CAs and applications. - Further discussion of CRL management is contained in section 5. - - - - - - -Housley, et. al. Standards Track [Page 39] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - If the cRLDistributionPoints extension contains a - DistributionPointName of type URI, the following semantics MUST be - assumed: the URI is a pointer to the current CRL for the associated - reasons and will be issued by the associated cRLIssuer. The expected - values for the URI are those defined in 4.2.1.7. Processing rules for - other values are not defined by this specification. If the - distributionPoint omits reasons, the CRL MUST include revocations for - all reasons. 
If the distributionPoint omits cRLIssuer, the CRL MUST - be issued by the CA that issued the certificate. - - id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } - - cRLDistributionPoints ::= { - CRLDistPointsSyntax } - - CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint - - DistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - reasons [1] ReasonFlags OPTIONAL, - cRLIssuer [2] GeneralNames OPTIONAL } - - DistributionPointName ::= CHOICE { - fullName [0] GeneralNames, - nameRelativeToCRLIssuer [1] RelativeDistinguishedName } - - ReasonFlags ::= BIT STRING { - unused (0), - keyCompromise (1), - cACompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6) } - -4.2.2 Private Internet Extensions - - This section defines one new extension for use in the Internet Public - Key Infrastructure. This extension may be used to direct - applications to identify an on-line validation service supporting the - issuing CA. As the information may be available in multiple forms, - each extension is a sequence of IA5String values, each of which - represents a URI. The URI implicitly specifies the location and - format of the information and the method for obtaining the - information. - - - - - - -Housley, et. al. Standards Track [Page 40] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - An object identifier is defined for the private extension. The - object identifier associated with the private extension is defined - under the arc id-pe within the id-pkix name space. Any future - extensions defined for the Internet PKI will also be defined under - the arc id-pe. 
- - id-pkix OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) } - - id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } - -4.2.2.1 Authority Information Access - - The authority information access extension indicates how to access CA - information and services for the issuer of the certificate in which - the extension appears. Information and services may include on-line - validation services and CA policy data. (The location of CRLs is not - specified in this extension; that information is provided by the - cRLDistributionPoints extension.) This extension may be included in - subject or CA certificates, and it MUST be non-critical. - - id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } - - AuthorityInfoAccessSyntax ::= - SEQUENCE SIZE (1..MAX) OF AccessDescription - - AccessDescription ::= SEQUENCE { - accessMethod OBJECT IDENTIFIER, - accessLocation GeneralName } - - id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } - - id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } - - Each entry in the sequence AuthorityInfoAccessSyntax describes the - format and location of additional information about the CA who issued - the certificate in which this extension appears. The type and format - of the information is specified by the accessMethod field; the - accessLocation field specifies the location of the information. The - retrieval mechanism may be implied by the accessMethod or specified - by accessLocation. - - This profile defines one OID for accessMethod. The id-ad-caIssuers - OID is used when the additional information lists CAs that have - issued certificates superior to the CA that issued the certificate - - - - - -Housley, et. al. Standards Track [Page 41] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - containing this extension. 
The referenced CA Issuers description is - intended to aid certificate users in the selection of a certification - path that terminates at a point trusted by the certificate user. - - When id-ad-caIssuers appears as accessInfoType, the accessLocation - field describes the referenced description server and the access - protocol to obtain the referenced description. The accessLocation - field is defined as a GeneralName, which can take several forms. - Where the information is available via http, ftp, or ldap, - accessLocation MUST be a uniformResourceIdentifier. Where the - information is available via the directory access protocol (dap), - accessLocation MUST be a directoryName. When the information is - available via electronic mail, accessLocation MUST be an rfc822Name. - The semantics of other name forms of accessLocation (when - accessMethod is id-ad-caIssuers) are not defined by this - specification. - - Additional access descriptors may be defined in other PKIX - specifications. - -5 CRL and CRL Extensions Profile - - As described above, one goal of this X.509 v2 CRL profile is to - foster the creation of an interoperable and reusable Internet PKI. - To achieve this goal, guidelines for the use of extensions are - specified, and some assumptions are made about the nature of - information included in the CRL. - - CRLs may be used in a wide range of applications and environments - covering a broad spectrum of interoperability goals and an even - broader spectrum of operational and assurance requirements. This - profile establishes a common baseline for generic applications - requiring broad interoperability. The profile defines a baseline set - of information that can be expected in every CRL. Also, the profile - defines common locations within the CRL for frequently used - attributes as well as common representations for these attributes. - - This profile does not define any private Internet CRL extensions or - CRL entry extensions. 
- - Environments with additional or special purpose requirements may - build on this profile or may replace it. - - Conforming CAs are not required to issue CRLs if other revocation or - certificate status mechanisms are provided. Conforming CAs that - issue CRLs MUST issue version 2 CRLs, and CAs MUST include the date - by which the next CRL will be issued in the nextUpdate field (see - - - - -Housley, et. al. Standards Track [Page 42] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - sec. 5.1.2.5), the CRL number extension (see sec. 5.2.3) and the - authority key identifier extension (see sec. 5.2.1). Conforming - applications are required to process version 1 and 2 CRLs. - -5.1 CRL Fields - - The X.509 v2 CRL syntax is as follows. For signature calculation, - the data that is to be signed is ASN.1 DER encoded. ASN.1 DER - encoding is a tag, length, value encoding system for each element. - - CertificateList ::= SEQUENCE { - tbsCertList TBSCertList, - signatureAlgorithm AlgorithmIdentifier, - signatureValue BIT STRING } - - TBSCertList ::= SEQUENCE { - version Version OPTIONAL, - -- if present, shall be v2 - signature AlgorithmIdentifier, - issuer Name, - thisUpdate Time, - nextUpdate Time OPTIONAL, - revokedCertificates SEQUENCE OF SEQUENCE { - userCertificate CertificateSerialNumber, - revocationDate Time, - crlEntryExtensions Extensions OPTIONAL - -- if present, shall be v2 - } OPTIONAL, - crlExtensions [0] EXPLICIT Extensions OPTIONAL - -- if present, shall be v2 - } - - -- Version, Time, CertificateSerialNumber, and Extensions - -- are all defined in the ASN.1 in section 4.1 - - -- AlgorithmIdentifier is defined in section 4.1.1.2 - - The following items describe the use of the X.509 v2 CRL in the - Internet PKI. - -5.1.1 CertificateList Fields - - The CertificateList is a SEQUENCE of three required fields. The - fields are described in detail in the following subsections. - - - - - - - -Housley, et. al. 
Standards Track [Page 43] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -5.1.1.1 tbsCertList - - The first field in the sequence is the tbsCertList. This field is - itself a sequence containing the name of the issuer, issue date, - issue date of the next list, the list of revoked certificates, and - optional CRL extensions. Further, each entry on the revoked - certificate list is defined by a sequence of user certificate serial - number, revocation date, and optional CRL entry extensions. - -5.1.1.2 signatureAlgorithm - - The signatureAlgorithm field contains the algorithm identifier for - the algorithm used by the CA to sign the CertificateList. The field - is of type AlgorithmIdentifier, which is defined in section 4.1.1.2. - Section 7.2 lists the supported algorithms for this specification. - Conforming CAs MUST use the algorithm identifiers presented in - section 7.2 when signing with a supported signature algorithm. - - This field MUST contain the same algorithm identifier as the - signature field in the sequence tbsCertList (see sec. 5.1.2.2). - -5.1.1.3 signatureValue - - The signatureValue field contains a digital signature computed upon - the ASN.1 DER encoded tbsCertList. The ASN.1 DER encoded tbsCertList - is used as the input to the signature function. This signature value - is then ASN.1 encoded as a BIT STRING and included in the CRL's - signatureValue field. The details of this process are specified for - each of the supported algorithms in section 7.2. - -5.1.2 Certificate List "To Be Signed" - - The certificate list to be signed, or TBSCertList, is a SEQUENCE of - required and optional fields. The required fields identify the CRL - issuer, the algorithm used to sign the CRL, the date and time the CRL - was issued, and the date and time by which the CA will issue the next - CRL. - - Optional fields include lists of revoked certificates and CRL - extensions. 
The revoked certificate list is optional to support the - case where a CA has not revoked any unexpired certificates that it - has issued. The profile requires conforming CAs to use the CRL - extension cRLNumber in all CRLs issued. - - - - - - - - -Housley, et. al. Standards Track [Page 44] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -5.1.2.1 Version - - This optional field describes the version of the encoded CRL. When - extensions are used, as required by this profile, this field MUST be - present and MUST specify version 2 (the integer value is 1). - -5.1.2.2 Signature - - This field contains the algorithm identifier for the algorithm used - to sign the CRL. Section 7.2 lists OIDs for the most popular - signature algorithms used in the Internet PKI. - - This field MUST contain the same algorithm identifier as the - signatureAlgorithm field in the sequence CertificateList (see section - 5.1.1.2). - -5.1.2.3 Issuer Name - - The issuer name identifies the entity who has signed and issued the - CRL. The issuer identity is carried in the issuer name field. - Alternative name forms may also appear in the issuerAltName extension - (see sec. 5.2.2). The issuer name field MUST contain an X.500 - distinguished name (DN). The issuer name field is defined as the - X.501 type Name, and MUST follow the encoding rules for the issuer - name field in the certificate (see sec. 4.1.2.4). - -5.1.2.4 This Update - - This field indicates the issue date of this CRL. ThisUpdate may be - encoded as UTCTime or GeneralizedTime. - - CAs conforming to this profile that issue CRLs MUST encode thisUpdate - as UTCTime for dates through the year 2049. CAs conforming to this - profile that issue CRLs MUST encode thisUpdate as GeneralizedTime for - dates in the year 2050 or later. - - Where encoded as UTCTime, thisUpdate MUST be specified and - interpreted as defined in section 4.1.2.5.1. 
Where encoded as - GeneralizedTime, thisUpdate MUST be specified and interpreted as - defined in section 4.1.2.5.2. - -5.1.2.5 Next Update - - This field indicates the date by which the next CRL will be issued. - The next CRL could be issued before the indicated date, but it will - not be issued any later than the indicated date. CAs SHOULD issue - CRLs with a nextUpdate time equal to or later than all previous CRLs. - nextUpdate may be encoded as UTCTime or GeneralizedTime. - - - -Housley, et. al. Standards Track [Page 45] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - This profile requires inclusion of nextUpdate in all CRLs issued by - conforming CAs. Note that the ASN.1 syntax of TBSCertList describes - this field as OPTIONAL, which is consistent with the ASN.1 structure - defined in [X.509]. The behavior of clients processing CRLs which - omit nextUpdate is not specified by this profile. - - CAs conforming to this profile that issue CRLs MUST encode nextUpdate - as UTCTime for dates through the year 2049. CAs conforming to this - profile that issue CRLs MUST encode nextUpdate as GeneralizedTime for - dates in the year 2050 or later. - - Where encoded as UTCTime, nextUpdate MUST be specified and - interpreted as defined in section 4.1.2.5.1. Where encoded as - GeneralizedTime, nextUpdate MUST be specified and interpreted as - defined in section 4.1.2.5.2. - -5.1.2.6 Revoked Certificates - - Revoked certificates are listed. The revoked certificates are named - by their serial numbers. Certificates revoked by the CA are uniquely - identified by the certificate serial number. The date on which the - revocation occurred is specified. The time for revocationDate MUST - be expressed as described in section 5.1.2.4. Additional information - may be supplied in CRL entry extensions; CRL entry extensions are - discussed in section 5.3. - -5.1.2.7 Extensions - - This field may only appear if the version is 2 (see sec. 5.1.2.1). 
- If present, this field is a SEQUENCE of one or more CRL extensions. - CRL extensions are discussed in section 5.2. - -5.2 CRL Extensions - - The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs - [X.509] [X9.55] provide methods for associating additional attributes - with CRLs. The X.509 v2 CRL format also allows communities to define - private extensions to carry information unique to those communities. - Each extension in a CRL may be designated as critical or non- - critical. A CRL validation MUST fail if it encounters a critical - extension which it does not know how to process. However, an - unrecognized non-critical extension may be ignored. The following - subsections present those extensions used within Internet CRLs. - Communities may elect to include extensions in CRLs which are not - defined in this specification. However, caution should be exercised - in adopting any critical extensions in CRLs which might be used in a - general context. - - - - -Housley, et. al. Standards Track [Page 46] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Conforming CAs that issue CRLs are required to include the authority - key identifier (see sec. 5.2.1) and the CRL number (see sec. 5.2.3) - extensions in all CRLs issued. - -5.2.1 Authority Key Identifier - - The authority key identifier extension provides a means of - identifying the public key corresponding to the private key used to - sign a CRL. The identification can be based on either the key - identifier (the subject key identifier in the CRL signer's - certificate) or on the issuer name and serial number. This extension - is especially useful where an issuer has more than one signing key, - either due to multiple concurrent key pairs or due to changeover. - - Conforming CAs MUST use the key identifier method, and MUST include - this extension in all CRLs issued. - - The syntax for this CRL extension is defined in section 4.2.1.1. 
- -5.2.2 Issuer Alternative Name - - The issuer alternative names extension allows additional identities - to be associated with the issuer of the CRL. Defined options include - an rfc822 name (electronic mail address), a DNS name, an IP address, - and a URI. Multiple instances of a name and multiple name forms may - be included. Whenever such identities are used, the issuer - alternative name extension MUST be used. - - The issuerAltName extension SHOULD NOT be marked critical. - - The OID and syntax for this CRL extension are defined in section - 4.2.1.8. - -5.2.3 CRL Number - - The CRL number is a non-critical CRL extension which conveys a - monotonically increasing sequence number for each CRL issued by a CA. - This extension allows users to easily determine when a particular CRL - supersedes another CRL. CAs conforming to this profile MUST include - this extension in all CRLs. - - id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } - - cRLNumber ::= INTEGER (0..MAX) - - - - - - - -Housley, et. al. Standards Track [Page 47] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -5.2.4 Delta CRL Indicator - - The delta CRL indicator is a critical CRL extension that identifies a - delta-CRL. The use of delta-CRLs can significantly improve - processing time for applications which store revocation information - in a format other than the CRL structure. This allows changes to be - added to the local database while ignoring unchanged information that - is already in the local database. - - When a delta-CRL is issued, the CAs MUST also issue a complete CRL. - - The value of BaseCRLNumber identifies the CRL number of the base CRL - that was used as the starting point in the generation of this delta- - CRL. The delta-CRL contains the changes between the base CRL and the - current CRL issued along with the delta-CRL. It is the decision of a - CA as to whether to provide delta-CRLs. 
Again, a delta-CRL MUST NOT - be issued without a corresponding complete CRL. The value of - CRLNumber for both the delta-CRL and the corresponding complete CRL - MUST be identical. - - A CRL user constructing a locally held CRL from delta-CRLs MUST - consider the constructed CRL incomplete and unusable if the CRLNumber - of the received delta-CRL is more than one greater than the CRLnumber - of the delta-CRL last processed. - - id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } - - deltaCRLIndicator ::= BaseCRLNumber - - BaseCRLNumber ::= CRLNumber - -5.2.5 Issuing Distribution Point - - The issuing distribution point is a critical CRL extension that - identifies the CRL distribution point for a particular CRL, and it - indicates whether the CRL covers revocation for end entity - certificates only, CA certificates only, or a limitied set of reason - codes. Although the extension is critical, conforming - implementations are not required to support this extension. - - The CRL is signed using the CA's private key. CRL Distribution - Points do not have their own key pairs. If the CRL is stored in the - X.500 Directory, it is stored in the Directory entry corresponding to - the CRL distribution point, which may be different than the Directory - entry of the CA. - - - - - - -Housley, et. al. Standards Track [Page 48] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The reason codes associated with a distribution point shall be - specified in onlySomeReasons. If onlySomeReasons does not appear, the - distribution point shall contain revocations for all reason codes. - CAs may use CRL distribution points to partition the CRL on the basis - of compromise and routine revocation. In this case, the revocations - with reason code keyCompromise (1) and cACompromise (2) appear in one - distribution point, and the revocations with other reason codes - appear in another distribution point. 
- - Where the issuingDistributionPoint extension contains a URL, the - following semantics MUST be assumed: the object is a pointer to the - most current CRL issued by this CA. The URI schemes ftp, http, - mailto [RFC1738] and ldap [RFC1778] are defined for this purpose. - The URI MUST be an absolute, not relative, pathname and MUST specify - the host. - - id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } - - issuingDistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, - onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, - onlySomeReasons [3] ReasonFlags OPTIONAL, - indirectCRL [4] BOOLEAN DEFAULT FALSE } - -5.3 CRL Entry Extensions - - The CRL entry extensions already defined by ANSI X9 and ISO/IEC/ITU - for X.509 v2 CRLs provide methods for associating additional - attributes with CRL entries [X.509] [X9.55]. The X.509 v2 CRL format - also allows communities to define private CRL entry extensions to - carry information unique to those communities. Each extension in a - CRL entry may be designated as critical or non-critical. A CRL - validation MUST fail if it encounters a critical CRL entry extension - which it does not know how to process. However, an unrecognized - non-critical CRL entry extension may be ignored. The following - subsections present recommended extensions used within Internet CRL - entries and standard locations for information. Communities may - elect to use additional CRL entry extensions; however, caution should - be exercised in adopting any critical extensions in CRL entries which - might be used in a general context. - - All CRL entry extensions used in this specification are non-critical. - Support for these extensions is optional for conforming CAs and - applications. However, CAs that issue CRLs SHOULD include reason - codes (see sec. 5.3.1) and invalidity dates (see sec. 5.3.3) whenever - this information is available. 
- - - - -Housley, et. al. Standards Track [Page 49] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -5.3.1 Reason Code - - The reasonCode is a non-critical CRL entry extension that identifies - the reason for the certificate revocation. CAs are strongly - encouraged to include meaningful reason codes in CRL entries; - however, the reason code CRL entry extension SHOULD be absent instead - of using the unspecified (0) reasonCode value. - - id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 } - - -- reasonCode ::= { CRLReason } - - CRLReason ::= ENUMERATED { - unspecified (0), - keyCompromise (1), - cACompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6), - removeFromCRL (8) } - -5.3.2 Hold Instruction Code - - The hold instruction code is a non-critical CRL entry extension that - provides a registered instruction identifier which indicates the - action to be taken after encountering a certificate that has been - placed on hold. - - id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } - - holdInstructionCode ::= OBJECT IDENTIFIER - - The following instruction codes have been defined. Conforming - applications that process this extension MUST recognize the following - instruction codes. - - holdInstruction OBJECT IDENTIFIER ::= - { iso(1) member-body(2) us(840) x9-57(10040) 2 } - - id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1} - id-holdinstruction-callissuer - OBJECT IDENTIFIER ::= {holdInstruction 2} - id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3} - - Conforming applications which encounter an id-holdinstruction- - callissuer MUST call the certificate issuer or reject the - certificate. Conforming applications which encounter an id- - - - -Housley, et. al. Standards Track [Page 50] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - holdinstruction-reject MUST reject the certificate. 
The hold - instruction id-holdinstruction-none is semantically equivalent to the - absence of a holdInstructionCode, and its use is strongly deprecated - for the Internet PKI. - -5.3.3 Invalidity Date - - The invalidity date is a non-critical CRL entry extension that - provides the date on which it is known or suspected that the private - key was compromised or that the certificate otherwise became invalid. - This date may be earlier than the revocation date in the CRL entry, - which is the date at which the CA processed the revocation. When a - revocation is first posted by a CA in a CRL, the invalidity date may - precede the date of issue of earlier CRLs, but the revocation date - SHOULD NOT precede the date of issue of earlier CRLs. Whenever this - information is available, CAs are strongly encouraged to share it - with CRL users. - - The GeneralizedTime values included in this field MUST be expressed - in Greenwich Mean Time (Zulu), and MUST be specified and interpreted - as defined in section 4.1.2.5.2. - - id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } - - invalidityDate ::= GeneralizedTime - -5.3.4 Certificate Issuer - - This CRL entry extension identifies the certificate issuer associated - with an entry in an indirect CRL, i.e. a CRL that has the indirectCRL - indicator set in its issuing distribution point extension. If this - extension is not present on the first entry in an indirect CRL, the - certificate issuer defaults to the CRL issuer. On subsequent entries - in an indirect CRL, if this extension is not present, the certificate - issuer for the entry is the same as that for the preceding entry. - This field is defined as follows: - - id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } - - certificateIssuer ::= GeneralNames - - If used by conforming CAs that issue CRLs, this extension is always - critical. If an implementation ignored this extension it could not - correctly attribute CRL entries to certificates. 
This specification - RECOMMENDS that implementations recognize this extension. - - - - - - -Housley, et. al. Standards Track [Page 51] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -6 Certification Path Validation - - Certification path validation procedures for the Internet PKI are - based on section 12.4.3 of [X.509]. Certification path processing - verifies the binding between the subject distinguished name and/or - subject alternative name and subject public key. The binding is - limited by constraints which are specified in the certificates which - comprise the path. The basic constraints and policy constraints - extensions allow the certification path processing logic to automate - the decision making process. - - This section describes an algorithm for validating certification - paths. Conforming implementations of this specification are not - required to implement this algorithm, but MUST be functionally - equivalent to the external behavior resulting from this procedure. - Any algorithm may be used by a particular implementation so long as - it derives the correct result. - - In section 6.1, the text describes basic path validation. This text - assumes that all valid paths begin with certificates issued by a - single "most-trusted CA". The algorithm requires the public key of - the CA, the CA's name, the validity period of the public key, and any - constraints upon the set of paths which may be validated using this - key. - - The "most-trusted CA" is a matter of policy: it could be a root CA in - a hierarchical PKI; the CA that issued the verifier's own - certificate(s); or any other CA in a network PKI. The path - validation procedure is the same regardless of the choice of "most- - trusted CA." - - section 6.2 describes extensions to the basic path validation - algorithm. 
Two specific cases are discussed: the case where paths may - begin with one of several trusted CAs; and where compatibility with - the PEM architecture is required. - -6.1 Basic Path Validation - - The text assumes that the trusted public key (and related - information) is contained in a "self-signed" certificate. This - simplifies the description of the path processing procedure. Note - that the signature on the self-signed certificate does not provide - any security services. The trusted public key (and related - information) may be obtained in other formats; the information is - trusted because of other procedures used to obtain and protect it. - - - - - - -Housley, et. al. Standards Track [Page 52] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The goal of path validation is to verify the binding between a - subject distinguished name or subject alternative name and subject - public key, as represented in the "end entity" certificate, based on - the public key of the "most-trusted CA". This requires obtaining a - sequence of certificates that support that binding. The procedures - performed to obtain this sequence is outside the scope of this - section. - - The following text also assumes that certificates do not use subject - or unique identifier fields or private critical extensions, as - recommended within this profile. However, if these components appear - in certificates, they MUST be processed. Finally, policy qualifiers - are also neglected for the sake of clarity. - - A certification path is a sequence of n certificates where: - - * for all x in {1,(n-1)}, the subject of certificate x is the - issuer of certificate x+1. - * certificate x=1 is the the self-signed certificate, and - * certificate x=n is the end entity certificate. 
- - This section assumes the following inputs are provided to the path - processing logic: - - (a) a certification path of length n; - - (b) a set of initial policy identifiers (each comprising a - sequence of policy element identifiers), which identifies one or - more certificate policies, any one of which would be acceptable - for the purposes of certification path processing, or the special - value "any-policy"; - - (c) the current date/time (if not available internally to the - certification path processing module); and - - (d) the time, T, for which the validity of the path should be - determined. (This may be the current date/time, or some point in - the past.) - - From the inputs, the procedure intializes five state variables: - - (a) acceptable policy set: A set of certificate policy - identifiers comprising the policy or policies recognized by the - public key user together with policies deemed equivalent through - policy mapping. The initial value of the acceptable policy set is - the special value "any-policy". - - - - - -Housley, et. al. Standards Track [Page 53] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (b) constrained subtrees: A set of root names defining a set of - subtrees within which all subject names in subsequent certificates - in the certification path shall fall. The initial value is - "unbounded". - - (c) excluded subtrees: A set of root names defining a set of - subtrees within which no subject name in subsequent certificates - in the certification path may fall. The initial value is "empty". - - (d) explicit policy: an integer which indicates if an explicit - policy identifier is required. The integer indicates the first - certificate in the path where this requirement is imposed. Once - set, this variable may be decreased, but may not be increased. - (That is, if a certificate in the path requires explicit policy - identifiers, a later certificate can not remove this requirement.) - The initial value is n+1. 
- - (e) policy mapping: an integer which indicates if policy mapping - is permitted. The integer indicates the last certificate on which - policy mapping may be applied. Once set, this variable may be - decreased, but may not be increased. (That is, if a certificate in - the path specifies policy mapping is not permitted, it can not be - overriden by a later certificate.) The initial value is n+1. - - The actions performed by the path processing software for each - certificate i=1 through n are described below. The self-signed - certificate is certificate i=1, the end entity certificate is i=n. - The processing is performed sequentially, so that processing - certificate i affects the state variables for processing certificate - (i+1). Note that actions (h) through (m) are not applied to the end - entity certificate (certificate n). - - The path processing actions to be performed are: - - (a) Verify the basic certificate information, including: - - (1) the certificate was signed using the subject public key - from certificate i-1 (in the special case i=1, this step may be - omitted; if not, use the subject public key from the same - certificate), - - (2) the certificate validity period includes time T, - - (3) the certificate had not been revoked at time T and is not - currently on hold status that commenced before time T, (this - may be determined by obtaining the appropriate CRL or status - information, or by out-of-band mechanisms), and - - - - -Housley, et. al. Standards Track [Page 54] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (4) the subject and issuer names chain correctly (that is, the - issuer of this certificate was the subject of the previous - certificate.) - - (b) Verify that the subject name and subjectAltName extension - (critical or noncritical) is consistent with the constrained - subtrees state variables. 
- - (c) Verify that the subject name and subjectAltName extension - (critical or noncritical) is consistent with the excluded subtrees - state variables. - - (d) Verify that policy information is consistent with the initial - policy set: - - (1) if the explicit policy state variable is less than or equal - to i, a policy identifier in the certificate shall be in the - initial policy set; and - - (2) if the policy mapping variable is less than or equal to i, - the policy identifier may not be mapped. - - (e) Verify that policy information is consistent with the - acceptable policy set: - - (1) if the certificate policies extension is marked critical, - the intersection of the policies extension and the acceptable - policy set shall be non-null; - - (2) the acceptable policy set is assigned the resulting - intersection as its new value. - - (g) Verify that the intersection of the acceptable policy set and - the initial policy set is non-null. - - (h) Recognize and process any other critical extension present in - the certificate. - - (i) Verify that the certificate is a CA certificate (as specified - in a basicConstraints extension or as verified out-of-band). - - (j) If permittedSubtrees is present in the certificate, set the - constrained subtrees state variable to the intersection of its - previous value and the value indicated in the extension field. - - (k) If excludedSubtrees is present in the certificate, set the - excluded subtrees state variable to the union of its previous - value and the value indicated in the extension field. - - - -Housley, et. al. 
Standards Track [Page 55] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (l) If a policy constraints extension is included in the - certificate, modify the explicit policy and policy mapping state - variables as follows: - - (1) If requireExplicitPolicy is present and has value r, the - explicit policy state variable is set to the minimum of its - current value and the sum of r and i (the current certificate - in the sequence). - - (2) If inhibitPolicyMapping is present and has value q, the - policy mapping state variable is set to the minimum of its - current value and the sum of q and i (the current certificate - in the sequence). - - (m) If a key usage extension is marked critical, ensure the - keyCertSign bit is set. - - If any one of the above checks fail, the procedure terminates, - returning a failure indication and an appropriate reason. If none of - the above checks fail on the end-entity certificate, the procedure - terminates, returning a success indication together with the set of - all policy qualifier values encountered in the set of certificates. - -6.2 Extending Path Validation - - The path validation algorithm presented in 6.1 is based on several - simplifying assumptions (e.g., a single trusted CA that starts all - valid paths). This algorithm may be extended for cases where the - assumptions do not hold. - - This procedure may be extended for multiple trusted CAs by providing - a set of self-signed certificates to the validation module. In this - case, a valid path could begin with any one of the self-signed - certificates. Limitations in the trust paths for any particular key - may be incorporated into the self-signed certificate's extensions. In - this way, the self-signed certificates permit the path validation - module to automatically incorporate local security policy and - requirements. 
- - It is also possible to specify an extended version of the above - certification path processing procedure which results in default - behavior identical to the rules of PEM [RFC 1422]. In this extended - version, additional inputs to the procedure are a list of one or more - Policy Certification Authorities (PCAs) names and an indicator of the - position in the certification path where the PCA is expected. At the - nominated PCA position, the CA name is compared against this list. - If a recognized PCA name is found, then a constraint of - SubordinateToCA is implicitly assumed for the remainder of the - - - -Housley, et. al. Standards Track [Page 56] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - certification path and processing continues. If no valid PCA name is - found, and if the certification path cannot be validated on the basis - of identified policies, then the certification path is considered - invalid. - -7 Algorithm Support - - This section describes cryptographic algorithms which may be used - with this profile. The section describes one-way hash functions and - digital signature algorithms which may be used to sign certificates - and CRLs, and identifies OIDs for public keys contained in a - certificate. - - Conforming CAs and applications are not required to support the - algorithms or algorithm identifiers described in this section. - However, conforming CAs and applications that use the algorithms - identified here MUST support them as specified. - -7.1 One-way Hash Functions - - This section identifies one-way hash functions for use in the - Internet PKI. One-way hash functions are also called message digest - algorithms. SHA-1 is the preferred one-way hash function for the - Internet PKI. However, PEM uses MD2 for certificates [RFC 1422] [RFC - 1423] and MD5 is used in other legacy applications. For this reason, - MD2 and MD5 are included in this profile. 
- -7.1.1 MD2 One-way Hash Function - - MD2 was developed by Ron Rivest for RSA Data Security. RSA Data - Security has not placed the MD2 algorithm in the public domain. - Rather, RSA Data Security has granted license to use MD2 for non- - commercial Internet Privacy-Enhanced Mail. For this reason, MD2 may - continue to be used with PEM certificates, but SHA-1 is preferred. - MD2 produces a 128-bit "hash" of the input. MD2 is fully described - in RFC 1319 [RFC 1319]. - - At the Selected Areas in Cryptography '95 conference in May 1995, - Rogier and Chauvaud presented an attack on MD2 that can nearly find - collisions [RC95]. Collisions occur when one can find two different - messages that generate the same message digest. A checksum operation - in MD2 is the only remaining obstacle to the success of the attack. - For this reason, the use of MD2 for new applications is discouraged. - It is still reasonable to use MD2 to verify existing signatures, as - the ability to find collisions in MD2 does not enable an attacker to - find new messages having a previously computed hash value. - - - - - -Housley, et. al. Standards Track [Page 57] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -7.1.2 MD5 One-way Hash Function - - MD5 was developed by Ron Rivest for RSA Data Security. RSA Data - Security has placed the MD5 algorithm in the public domain. MD5 - produces a 128-bit "hash" of the input. MD5 is fully described in - RFC 1321 [RFC 1321]. - - Den Boer and Bosselaers [DB94] have found pseudo-collisions for MD5, - but there are no other known cryptanalytic results. The use of MD5 - for new applications is discouraged. It is still reasonable to use - MD5 to verify existing signatures. - -7.1.3 SHA-1 One-way Hash Function - - SHA-1 was developed by the U.S. Government. SHA-1 produces a 160-bit - "hash" of the input. SHA-1 is fully described in FIPS 180-1 [FIPS - 180-1]. 
- - SHA-1 is the one-way hash function of choice for use with both the - RSA and DSA signature algorithms (see sec. 7.2). - -7.2 Signature Algorithms - - Certificates and CRLs described by this standard may be signed with - any public key signature algorithm. The certificate or CRL indicates - the algorithm through an algorithm identifier which appears in the - signatureAlgorithm field in a Certificate or CertificateList. This - algorithm identifier is an OID and has optionally associated - parameters. This section identifies algorithm identifiers and - parameters that shall be used in the signatureAlgorithm field in a - Certificate or CertificateList. - - RSA and DSA are the most popular signature algorithms used in the - Internet. Signature algorithms are always used in conjunction with a - one-way hash function identified in section 7.1. - - The signature algorithm and one-way hash function used to sign a - certificate or CRL is indicated by use of an algorithm identifier. - An algorithm identifier is an OID, and may include associated - parameters. This section identifies OIDS for RSA and DSA. The - contents of the parameters component for each algorithm vary; details - are provided for each algorithm. - - The data to be signed (e.g., the one-way hash function output value) - is formatted for the signature algorithm to be used. Then, a private - key operation (e.g., RSA encryption) is performed to generate the - - - - - -Housley, et. al. Standards Track [Page 58] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - signature value. This signature value is then ASN.1 encoded as a BIT - STRING and included in the Certificate or CertificateList in the - signature field. - -7.2.1 RSA Signature Algorithm - - A patent statement regarding the RSA algorithm can be found at the - end of this profile. - - The RSA algorithm is named for its inventors: Rivest, Shamir, and - Adleman. 
This profile includes three signature algorithms based on - the RSA asymmetric encryption algorithm. The signature algorithms - combine RSA with either the MD2, MD5, or the SHA-1 one-way hash - functions. - - The signature algorithm with MD2 and the RSA encryption algorithm is - defined in PKCS #1 [RFC 2313]. As defined in RFC 2313, the ASN.1 OID - used to identify this signature algorithm is: - - md2WithRSAEncryption OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) - pkcs-1(1) 2 } - - The signature algorithm with MD5 and the RSA encryption algorithm is - defined in PKCS #1 [RFC 2313]. As defined in RFC 2313, the ASN.1 OID - used to identify this signature algorithm is: - - md5WithRSAEncryption OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) - pkcs-1(1) 4 } - - The signature algorithm with SHA-1 and the RSA encryption algorithm - is implemented using the padding and encoding conventions described - in PKCS #1 [RFC 2313]. The message digest is computed using the SHA-1 - hash algorithm. The ASN.1 object identifier used to identify this - signature algorithm is: - - sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) - pkcs-1(1) 5 } - - When any of these three OIDs appears within the ASN.1 type - AlgorithmIdentifier, the parameters component of that type shall be - the ASN.1 type NULL. - - The RSA signature generation process and the encoding of the result - is described in detail in RFC 2313. - - - - -Housley, et. al. Standards Track [Page 59] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -7.2.2 DSA Signature Algorithm - - A patent statement regarding the DSA can be found at the end of this - profile. - - The Digital Signature Algorithm (DSA) is also called the Digital - Signature Standard (DSS). DSA was developed by the U.S. Government, - and DSA is used in conjunction with the the SHA-1 one-way hash - function. 
DSA is fully described in FIPS 186 [FIPS 186]. The ASN.1 - OIDs used to identify this signature algorithm are: - - id-dsa-with-sha1 ID ::= { - iso(1) member-body(2) us(840) x9-57 (10040) - x9cm(4) 3 } - - Where the id-dsa-with-sha1 algorithm identifier appears as the - algorithm field in an AlgorithmIdentifier, the encoding shall omit - the parameters field. That is, the AlgorithmIdentifier shall be a - SEQUENCE of one component - the OBJECT IDENTIFIER id-dsa-with-sha1. - - The DSA parameters in the subjectPublicKeyInfo field of the - certificate of the issuer shall apply to the verification of the - signature. - - When signing, the DSA algorithm generates two values. These values - are commonly referred to as r and s. To easily transfer these two - values as one signature, they shall be ASN.1 encoded using the - following ASN.1 structure: - - Dss-Sig-Value ::= SEQUENCE { - r INTEGER, - s INTEGER } - -7.3 Subject Public Key Algorithms - - Certificates described by this profile may convey a public key for - any public key algorithm. The certificate indicates the algorithm - through an algorithm identifier. This algorithm identifier is an OID - and optionally associated parameters. - - This section identifies preferred OIDs and parameters for the RSA, - DSA, and Diffie-Hellman algorithms. Conforming CAs shall use the - identified OIDs when issuing certificates containing public keys for - these algorithms. Conforming applications supporting any of these - algorithms shall, at a minimum, recognize the OID identified in this - section. - - - - - -Housley, et. al. Standards Track [Page 60] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -7.3.1 RSA Keys - - The OID rsaEncryption identifies RSA public keys. 
- - pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) - rsadsi(113549) pkcs(1) 1 } - - rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1} - - The rsaEncryption OID is intended to be used in the algorithm field - of a value of type AlgorithmIdentifier. The parameters field shall - have ASN.1 type NULL for this algorithm identifier. - - The RSA public key shall be encoded using the ASN.1 type - RSAPublicKey: - - RSAPublicKey ::= SEQUENCE { - modulus INTEGER, -- n - publicExponent INTEGER -- e -- } - - where modulus is the modulus n, and publicExponent is the public - exponent e. The DER encoded RSAPublicKey is the value of the BIT - STRING subjectPublicKey. - - This OID is used in public key certificates for both RSA signature - keys and RSA encryption keys. The intended application for the key - may be indicated in the key usage field (see sec. 4.2.1.3). The use - of a single key for both signature and encryption purposes is not - recommended, but is not forbidden. - - If the keyUsage extension is present in an end entity certificate - which conveys an RSA public key, any combination of the following - values may be present: digitalSignature; nonRepudiation; - keyEncipherment; and dataEncipherment. If the keyUsage extension is - present in a CA certificate which conveys an RSA public key, any - combination of the following values may be present: - digitalSignature; nonRepudiation; keyEncipherment; dataEncipherment; - keyCertSign; and cRLSign. However, this specification RECOMMENDS - that if keyCertSign or cRLSign is present, both keyEncipherment and - dataEncipherment should not be present. - -7.3.2 Diffie-Hellman Key Exchange Key - - The Diffie-Hellman OID supported by this profile is defined by ANSI - X9.42 [X9.42]. - - dhpublicnumber OBJECT IDENTIFIER ::= { iso(1) member-body(2) - us(840) ansi-x942(10046) number-type(2) 1 } - - - -Housley, et. al. 
Standards Track [Page 61] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - The dhpublicnumber OID is intended to be used in the algorithm field - of a value of type AlgorithmIdentifier. The parameters field of that - type, which has the algorithm-specific syntax ANY DEFINED BY - algorithm, have the ASN.1 type DomainParameters for this algorithm. - - DomainParameters ::= SEQUENCE { - p INTEGER, -- odd prime, p=jq +1 - g INTEGER, -- generator, g - q INTEGER, -- factor of p-1 - j INTEGER OPTIONAL, -- subgroup factor - validationParms ValidationParms OPTIONAL } - - ValidationParms ::= SEQUENCE { - seed BIT STRING, - pgenCounter INTEGER } - - The fields of type DomainParameters have the following meanings: - - p identifies the prime p defining the Galois field; - - g specifies the generator of the multiplicative subgroup of order - g; - - q specifies the prime factor of p-1; - - j optionally specifies the value that satisfies the equation - p=jq+1 to support the optional verification of group parameters; - - seed optionally specifies the bit string parameter used as the - seed for the system parameter generation process; and - - pgenCounter optionally specifies the integer value output as part - of the of the system parameter prime generation process. - - If either of the parameter generation components (pgencounter or - seed) is provided, the other shall be present as well. - - The Diffie-Hellman public key shall be ASN.1 encoded as an INTEGER; - this encoding shall be used as the contents (i.e., the value) of the - subjectPublicKey component (a BIT STRING) of the subjectPublicKeyInfo - data element. - - DHPublicKey ::= INTEGER -- public key, y = g^x mod p - - - - - - - - -Housley, et. al. 
Standards Track [Page 62] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - If the keyUsage extension is present in a certificate which conveys a - DH public key, the following values may be present: keyAgreement; - encipherOnly; and decipherOnly. At most one of encipherOnly and - decipherOnly shall be asserted in keyUsage extension. - -7.3.3 DSA Signature Keys - - The Digital Signature Algorithm (DSA) is also known as the Digital - Signature Standard (DSS). The DSA OID supported by this profile is - - id-dsa ID ::= { iso(1) member-body(2) us(840) x9-57(10040) - x9cm(4) 1 } - - The id-dsa algorithm syntax includes optional parameters. These - parameters are commonly referred to as p, q, and g. When omitted, - the parameters component shall be omitted entirely. That is, the - AlgorithmIdentifier shall be a SEQUENCE of one component - the OBJECT - IDENTIFIER id-dsa. - - If the DSA algorithm parameters are present in the - subjectPublicKeyInfo AlgorithmIdentifier, the parameters are included - using the following ASN.1 structure: - - Dss-Parms ::= SEQUENCE { - p INTEGER, - q INTEGER, - g INTEGER } - - - If the DSA algorithm parameters are absent from the - subjectPublicKeyInfo AlgorithmIdentifier and the CA signed the - subject certificate using DSA, then the certificate issuer's DSA - parameters apply to the subject's DSA key. If the DSA algorithm - parameters are absent from the subjectPublicKeyInfo - AlgorithmIdentifier and the CA signed the subject certificate using a - signature algorithm other than DSA, then the subject's DSA parameters - are distributed by other means. If the subjectPublicKeyInfo - AlgorithmIdentifier field omits the parameters component and the CA - signed the subject with a signature algorithm other than DSA, then - clients shall reject the certificate. - - When signing, DSA algorithm generates two values. These values are - commonly referred to as r and s. 
To easily transfer these two values - as one signature, they are ASN.1 encoded using the following ASN.1 - structure: - - - - - - -Housley, et. al. Standards Track [Page 63] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - Dss-Sig-Value ::= SEQUENCE { - r INTEGER, - s INTEGER } - - The encoded signature is conveyed as the value of the BIT STRING - signature in a Certificate or CertificateList. - - The DSA public key shall be ASN.1 DER encoded as an INTEGER; this - encoding shall be used as the contents (i.e., the value) of the - subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo - data element. - - DSAPublicKey ::= INTEGER -- public key, Y - - If the keyUsage extension is present in an end entity certificate - which conveys a DSA public key, any combination of the following - values may be present: digitalSignature; and nonRepudiation. - - If the keyUsage extension is present in an CA certificate which - conveys a DSA public key, any combination of the following values may - be present: digitalSignature; nonRepudiation; keyCertSign; and - cRLSign. - -8 References - - [FIPS 180-1] Federal Information Processing Standards Publication - (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. - [Supersedes FIPS PUB 180 dated 11 May 1993.] - - [FIPS 186] Federal Information Processing Standards Publication - (FIPS PUB) 186, Digital Signature Standard, 18 May - 1994. - - [RC95] Rogier, N. and Chauvaud, P., "The compression function - of MD2 is not collision free," Presented at Selected - Areas in Cryptography '95, May 1995. - - [RFC 791] Postel, J., "Internet Protocol", STD 5, RFC 791, - September 1981. - - [RFC 822] Crocker, D., "Standard for the format of ARPA Internet - text messages", STD 11, RFC 822, August 1982. - - [RFC 1034] Mockapetris, P., "Domain names - concepts and - facilities", STD 13, RFC 1034, November 1987. - - [RFC 1319] Kaliski, B., "The MD2 Message-Digest Algorithm," RFC - 1319, April 1992. - - - -Housley, et. 
al. Standards Track [Page 64] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm," RFC - 1321, April 1992. - - [RFC 1422] Kent, S., "Privacy Enhancement for Internet Electronic - Mail: Part II: Certificate-Based Key Management," RFC - 1422, February 1993. - - [RFC 1423] Balenson, D., "Privacy Enhancement for Internet - Electronic Mail: Part III: Algorithms, Modes, and - Identifiers," RFC 1423, February 1993. - - [RFC 1519] Fuller, V., Li, T., Yu, J. and K. Varadhan. "Classless - Inter-Domain Routing (CIDR): an Address Assignment and - Aggregation Strategy", RFC 1519, September 1993. - - [RFC 1738] Berners-Lee, T., Masinter L., and M. McCahill. - "Uniform Resource Locators (URL)", RFC 1738, December - 1994. - - [RFC 1778] Howes, T., Kille S., Yeong, W. and C. Robbins. "The - String Representation of Standard Attribute Syntaxes," - RFC 1778, March 1995. - - [RFC 1883] Deering, S. and R. Hinden. "Internet Protocol, Version - 6 (IPv6) Specification", RFC 1883, December 1995. - - [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. - Sataluri. "Using Domains in LDAP/X.500 Distinguished - Names", RFC 2247, January 1998. - - [RFC 2277] Alvestrand, H., "IETF Policy on Character Sets and - Languages", RFC 2277, January 1998. - - [RFC 2279] Yergeau, F., "UTF-8, a transformation format of ISO - 10646", RFC 2279, January 1998. - - [RFC 2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC - 2313, March 1998. - - [SDN.701] SDN.701, "Message Security Protocol 4.0", Revision A - 1997-02-06. - - [X.208] CCITT Recommendation X.208: Specification of Abstract - Syntax Notation One (ASN.1), 1988. - - - - -Housley, et. al. 
Standards Track [Page 65] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - [X.501] ITU-T Recommendation X.501: Information Technology - - Open Systems Interconnection - The Directory: Models, - 1993. - - [X.509] ITU-T Recommendation X.509 (1997 E): Information - Technology - Open Systems Interconnection - The - Directory: Authentication Framework, June 1997. - - [X.520] ITU-T Recommendation X.520: Information Technology - - Open Systems Interconnection - The Directory: Selected - Attribute Types, 1993. - - [X9.42] ANSI X9.42-199x, Public Key Cryptography for The - Financial Services Industry: Agreement of Symmetric - Algorithm Keys Using Diffie-Hellman (Working Draft), - December 1997. - - [X9.55] ANSI X9.55-1995, Public Key Cryptography For The - Financial Services Industry: Extensions To Public Key - Certificates And Certificate Revocation Lists, 8 - December, 1995. - - [X9.57] ANSI X9.57-199x, Public Key Cryptography For The - Financial Services Industry: Certificate Management - (Working Draft), 21 June, 1996. - -9 Intellectual Property Rights - - The IETF has been notified of intellectual property rights claimed in - regard to some or all of the specification contained in this - document. For more information consult the online list of claimed - rights. - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. 
Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - - - - - - - - -Housley, et. al. Standards Track [Page 66] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - -10 Security Considerations - - The majority of this specification is devoted to the format and - content of certificates and CRLs. Since certificates and CRLs are - digitally signed, no additional integrity service is necessary. - Neither certificates nor CRLs need be kept secret, and unrestricted - and anonymous access to certificates and CRLs has no security - implications. - - However, security factors outside the scope of this specification - will affect the assurance provided to certificate users. This - section highlights critical issues that should be considered by - implementors, administrators, and users. - - The procedures performed by CAs and RAs to validate the binding of - the subject's identity of their public key greatly affect the - assurance that should be placed in the certificate. Relying parties - may wish to review the CA's certificate practice statement. This may - be particularly important when issuing certificates to other CAs. - - The use of a single key pair for both signature and other purposes is - strongly discouraged. Use of separate key pairs for signature and key - management provides several benefits to the users. The ramifications - associated with loss or disclosure of a signature key are different - from loss or disclosure of a key management key. Using separate key - pairs permits a balanced and flexible response. Similarly, different - validity periods or key lengths for each key pair may be appropriate - in some application environments. 
Unfortunately, some legacy - applications (e.g., SSL) use a single key pair for signature and key - management. - - The protection afforded private keys is a critical factor in - maintaining security. On a small scale, failure of users to protect - their private keys will permit an attacker to masquerade as them, or - decrypt their personal information. On a larger scale, compromise of - a CA's private signing key may have a catastrophic effect. If an - attacker obtains the private key unnoticed, the attacker may issue - bogus certificates and CRLs. Existence of bogus certificates and - CRLs will undermine confidence in the system. If the compromise is - detected, all certificates issued to the CA shall be revoked, - preventing services between its users and users of other CAs. - Rebuilding after such a compromise will be problematic, so CAs are - advised to implement a combination of strong technical measures - (e.g., tamper-resistant cryptographic modules) and appropriate - - - -Housley, et. al. Standards Track [Page 67] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - management procedures (e.g., separation of duties) to avoid such an - incident. - - Loss of a CA's private signing key may also be problematic. The CA - would not be able to produce CRLs or perform normal key rollover. - CAs are advised to maintain secure backup for signing keys. The - security of the key backup procedures is a critical factor in - avoiding key compromise. - - The availability and freshness of revocation information will affect - the degree of assurance that should be placed in a certificate. - While certificates expire naturally, events may occur during its - natural lifetime which negate the binding between the subject and - public key. If revocation information is untimely or unavailable, - the assurance associated with the binding is clearly reduced. 
- Similarly, implementations of the Path Validation mechanism described - in section 6 that omit revocation checking provide less assurance - than those that support it. - - The path validation algorithm depends on the certain knowledge of the - public keys (and other information) about one or more trusted CAs. - The decision to trust a CA is an important decision as it ultimately - determines the trust afforded a certificate. The authenticated - distribution of trusted CA public keys (usually in the form of a - "self-signed" certificate) is a security critical out of band process - that is beyond the scope of this specification. - - In addition, where a key compromise or CA failure occurs for a - trusted CA, the user will need to modify the information provided to - the path validation routine. Selection of too many trusted CAs will - make the trusted CA information difficult to maintain. On the other - hand, selection of only one trusted CA may limit users to a closed - community of users until a global PKI emerges. - - The quality of implementations that process certificates may also - affect the degree of assurance provided. The path validation - algorithm described in section 6 relies upon the integrity of the - trusted CA information, and especially the integrity of the public - keys associated with the trusted CAs. By substituting public keys - for which an attacker has the private key, an attacker could trick - the user into accepting false certificates. - - The binding between a key and certificate subject cannot be stronger - than the cryptographic module implementation and algorithms used to - generate the signature. Short key lengths or weak hash algorithms - will limit the utility of a certificate. CAs are encouraged to note - advances in cryptology so they can employ strong cryptographic - techniques. In addition, CAs should decline to issue certificates to - - - -Housley, et. al. 
Standards Track [Page 68] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - CAs or end entities that generate weak signatures. - - Inconsistent application of name comparison rules may result in - acceptance of invalid X.509 certification paths, or rejection of - valid ones. The X.500 series of specifications defines rules for - comparing distinguished names require comparison of strings without - regard to case, character set, multi-character white space substring, - or leading and trailing white space. This specification relaxes - these requirements, requiring support for binary comparison at a - minimum. - - CAs shall encode the distinguished name in the subject field of a CA - certificate identically to the distinguished name in the issuer field - in certificates issued by the latter CA. If CAs use different - encodings, implementations of this specification may fail to - recognize name chains for paths that include this certificate. As a - consequence, valid paths could be rejected. - - In addition, name constraints for distinguished names shall be stated - identically to the encoding used in the subject field or - subjectAltName extension. If not, (1) name constraints stated as - excludedSubTrees will not match and invalid paths will be accepted - and (2) name constraints expressed as permittedSubtrees will not - match and valid paths will be rejected. To avoid acceptance of - invalid paths, CAs should state name constraints for distinguished - names as permittedSubtrees where ever possible. - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 69] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix A. Psuedo-ASN.1 Structures and OIDs - - This section describes data objects used by conforming PKI components - in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and - 1993 ASN.1 syntaxes. 
The 1988 ASN.1 syntax is augmented with 1993 - UNIVERSAL Types UniversalString, BMPString and UTF8String. - - The ASN.1 syntax does not permit the inclusion of type statements in - the ASN.1 module, and the 1993 ASN.1 standard does not permit use of - the new UNIVERSAL types in modules using the 1988 syntax. As a - result, this module does not conform to either version of the ASN.1 - standard. - - This appendix may be converted into 1988 ASN.1 by replacing the - defintions for the UNIVERSAL Types with the 1988 catch-all "ANY". - -A.1 Explicitly Tagged Module, 1988 Syntax - -PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)} - - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - --- IMPORTS NONE -- - --- UNIVERSAL Types defined in '93 and '98 ASN.1 --- but required by this specification - -UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING - -- UniversalString is defined in ASN.1:1993 - -BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING - -- BMPString is the subtype of UniversalString and models - -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1 - -UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING - -- The content of this type conforms to RFC 2279. - --- --- PKIX specific OIDs - -id-pkix OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - - - -Housley, et. al. 
Standards Track [Page 70] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - security(5) mechanisms(5) pkix(7) } --- PKIX arcs - -id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } - -- arc for private certificate extensions -id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } - -- arc for policy qualifier types -id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } - -- arc for extended key purpose OIDS -id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } - -- arc for access descriptors - --- policyQualifierIds for Internet policy qualifiers - -id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } - -- OID for CPS qualifier -id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - -- OID for user notice qualifier - --- access descriptor definitions - -id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } -id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } - --- attribute data types -- - -Attribute ::= SEQUENCE { - type AttributeType, - values SET OF AttributeValue - -- at least one value is required -- } - -AttributeType ::= OBJECT IDENTIFIER - -AttributeValue ::= ANY - -AttributeTypeAndValue ::= SEQUENCE { - type AttributeType, - value AttributeValue } - --- suggested naming attributes: Definition of the following --- information object set may be augmented to meet local --- requirements. Note that deleting members of the set may --- prevent interoperability with conforming implementations. --- presented in pairs: the AttributeType followed by the --- type definition for the corresponding AttributeValue - ---Arc for standard naming attributes -id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} - - - -Housley, et. al. 
Standards Track [Page 71] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- Attributes of type NameDirectoryString -id-at-name AttributeType ::= {id-at 41} -id-at-surname AttributeType ::= {id-at 4} -id-at-givenName AttributeType ::= {id-at 42} -id-at-initials AttributeType ::= {id-at 43} -id-at-generationQualifier AttributeType ::= {id-at 44} - -X520name ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-name)), - printableString PrintableString (SIZE (1..ub-name)), - universalString UniversalString (SIZE (1..ub-name)), - utf8String UTF8String (SIZE (1..ub-name)), - bmpString BMPString (SIZE(1..ub-name)) } - --- - -id-at-commonName AttributeType ::= {id-at 3} - -X520CommonName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-common-name)), - printableString PrintableString (SIZE (1..ub-common-name)), - universalString UniversalString (SIZE (1..ub-common-name)), - utf8String UTF8String (SIZE (1..ub-common-name)), - bmpString BMPString (SIZE(1..ub-common-name)) } - --- - -id-at-localityName AttributeType ::= {id-at 7} - -X520LocalityName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-locality-name)), - printableString PrintableString (SIZE (1..ub-locality-name)), - universalString UniversalString (SIZE (1..ub-locality-name)), - utf8String UTF8String (SIZE (1..ub-locality-name)), - bmpString BMPString (SIZE(1..ub-locality-name)) } - --- - -id-at-stateOrProvinceName AttributeType ::= {id-at 8} - -X520StateOrProvinceName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-state-name)), - printableString PrintableString (SIZE (1..ub-state-name)), - universalString UniversalString (SIZE (1..ub-state-name)), - utf8String UTF8String (SIZE (1..ub-state-name)), - bmpString BMPString (SIZE(1..ub-state-name)) } - --- - - - -Housley, et. al. 
Standards Track [Page 72] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-at-organizationName AttributeType ::= {id-at 10} - -X520OrganizationName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-organization-name)), - printableString PrintableString (SIZE (1..ub-organization-name)), - universalString UniversalString (SIZE (1..ub-organization-name)), - utf8String UTF8String (SIZE (1..ub-organization-name)), - bmpString BMPString (SIZE(1..ub-organization-name)) } - --- - -id-at-organizationalUnitName AttributeType ::= {id-at 11} - -X520OrganizationalUnitName ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-organizational-unit-name)), - printableString PrintableString - (SIZE (1..ub-organizational-unit-name)), - universalString UniversalString - (SIZE (1..ub-organizational-unit-name)), - utf8String UTF8String (SIZE (1..ub-organizational-unit-name)), - bmpString BMPString (SIZE(1..ub-organizational-unit-name)) } - --- - -id-at-title AttributeType ::= {id-at 12} - -X520Title ::= CHOICE { - teletexString TeletexString (SIZE (1..ub-title)), - printableString PrintableString (SIZE (1..ub-title)), - universalString UniversalString (SIZE (1..ub-title)), - utf8String UTF8String (SIZE (1..ub-title)), - bmpString BMPString (SIZE(1..ub-title)) } - --- - -id-at-dnQualifier AttributeType ::= {id-at 46} -X520dnQualifier ::= PrintableString - -id-at-countryName AttributeType ::= {id-at 6} -X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes - - - -- Legacy attributes - -pkcs-9 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } - -emailAddress AttributeType ::= { pkcs-9 1 } - - - -Housley, et. al. 
Standards Track [Page 73] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length)) - --- naming data types -- - -Name ::= CHOICE { -- only one possibility for now -- - rdnSequence RDNSequence } - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -DistinguishedName ::= RDNSequence - -RelativeDistinguishedName ::= - SET SIZE (1 .. MAX) OF AttributeTypeAndValue - --- Directory string type -- - -DirectoryString ::= CHOICE { - teletexString TeletexString (SIZE (1..MAX)), - printableString PrintableString (SIZE (1..MAX)), - universalString UniversalString (SIZE (1..MAX)), - utf8String UTF8String (SIZE (1..MAX)), - bmpString BMPString (SIZE(1..MAX)) } - --- certificate and CRL specific structures begin here - -Certificate ::= SEQUENCE { - tbsCertificate TBSCertificate, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertificate ::= SEQUENCE { - version [0] Version DEFAULT v1, - serialNumber CertificateSerialNumber, - signature AlgorithmIdentifier, - issuer Name, - validity Validity, - subject Name, - subjectPublicKeyInfo SubjectPublicKeyInfo, - issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - extensions [3] Extensions OPTIONAL - -- If present, version shall be v3 -- } - -Version ::= INTEGER { v1(0), v2(1), v3(2) } - -CertificateSerialNumber ::= INTEGER - - - -Housley, et. al. 
Standards Track [Page 74] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Validity ::= SEQUENCE { - notBefore Time, - notAfter Time } - -Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } - -UniqueIdentifier ::= BIT STRING - -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - subjectPublicKey BIT STRING } - -Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension - -Extension ::= SEQUENCE { - extnID OBJECT IDENTIFIER, - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING } - --- CRL structures - -CertificateList ::= SEQUENCE { - tbsCertList TBSCertList, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertList ::= SEQUENCE { - version Version OPTIONAL, - -- if present, shall be v2 - signature AlgorithmIdentifier, - issuer Name, - thisUpdate Time, - nextUpdate Time OPTIONAL, - revokedCertificates SEQUENCE OF SEQUENCE { - userCertificate CertificateSerialNumber, - revocationDate Time, - crlEntryExtensions Extensions OPTIONAL - -- if present, shall be v2 - } OPTIONAL, - crlExtensions [0] Extensions OPTIONAL - -- if present, shall be v2 -- } - --- Version, Time, CertificateSerialNumber, and Extensions were --- defined earlier for use in the certificate structure - -AlgorithmIdentifier ::= SEQUENCE { - - - -Housley, et. al. 
Standards Track [Page 75] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } - -- contains a value of the type - -- registered for use with the - -- algorithm object identifier value - --- Algorithm OIDs and parameter structures - -pkcs-1 OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } - -rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } - -md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } - -md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } - -sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } - -id-dsa-with-sha1 OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 } - -Dss-Sig-Value ::= SEQUENCE { - r INTEGER, - s INTEGER } - -dhpublicnumber OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 } - -DomainParameters ::= SEQUENCE { - p INTEGER, -- odd prime, p=jq +1 - g INTEGER, -- generator, g - q INTEGER, -- factor of p-1 - j INTEGER OPTIONAL, -- subgroup factor, j>= 2 - validationParms ValidationParms OPTIONAL } - -ValidationParms ::= SEQUENCE { - seed BIT STRING, - pgenCounter INTEGER } - -id-dsa OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } - -Dss-Parms ::= SEQUENCE { - p INTEGER, - q INTEGER, - g INTEGER } - - - - -Housley, et. al. 
Standards Track [Page 76] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- x400 address syntax starts here --- OR Names - -ORAddress ::= SEQUENCE { - built-in-standard-attributes BuiltInStandardAttributes, - built-in-domain-defined-attributes - BuiltInDomainDefinedAttributes OPTIONAL, - -- see also teletex-domain-defined-attributes - extension-attributes ExtensionAttributes OPTIONAL } --- The OR-address is semantically absent from the OR-name if the --- built-in-standard-attribute sequence is empty and the --- built-in-domain-defined-attributes and extension-attributes are --- both omitted. - --- Built-in Standard Attributes - -BuiltInStandardAttributes ::= SEQUENCE { - country-name CountryName OPTIONAL, - administration-domain-name AdministrationDomainName OPTIONAL, - network-address [0] NetworkAddress OPTIONAL, - -- see also extended-network-address - terminal-identifier [1] TerminalIdentifier OPTIONAL, - private-domain-name [2] PrivateDomainName OPTIONAL, - organization-name [3] OrganizationName OPTIONAL, - -- see also teletex-organization-name - numeric-user-identifier [4] NumericUserIdentifier OPTIONAL, - personal-name [5] PersonalName OPTIONAL, - -- see also teletex-personal-name - organizational-unit-names [6] OrganizationalUnitNames OPTIONAL - -- see also teletex-organizational-unit-names -- } - -CountryName ::= [APPLICATION 1] CHOICE { - x121-dcc-code NumericString - (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -AdministrationDomainName ::= [APPLICATION 2] CHOICE { - numeric NumericString (SIZE (0..ub-domain-name-length)), - printable PrintableString (SIZE (0..ub-domain-name-length)) } - -NetworkAddress ::= X121Address -- see also extended-network-address - -X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) - -TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length)) - -PrivateDomainName ::= CHOICE { - - - -Housley, et. al. 
Standards Track [Page 77] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - numeric NumericString (SIZE (1..ub-domain-name-length)), - printable PrintableString (SIZE (1..ub-domain-name-length)) } - -OrganizationName ::= PrintableString - (SIZE (1..ub-organization-name-length)) --- see also teletex-organization-name - -NumericUserIdentifier ::= NumericString - (SIZE (1..ub-numeric-user-id-length)) - -PersonalName ::= SET { - surname [0] PrintableString (SIZE (1..ub-surname-length)), - given-name [1] PrintableString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] PrintableString - (SIZE (1..ub-generation-qualifier-length)) OPTIONAL } --- see also teletex-personal-name - -OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) - OF OrganizationalUnitName --- see also teletex-organizational-unit-names - -OrganizationalUnitName ::= PrintableString (SIZE - (1..ub-organizational-unit-name-length)) - --- Built-in Domain-defined Attributes - -BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE - (1..ub-domain-defined-attributes) OF - BuiltInDomainDefinedAttribute - -BuiltInDomainDefinedAttribute ::= SEQUENCE { - type PrintableString (SIZE - (1..ub-domain-defined-attribute-type-length)), - value PrintableString (SIZE - (1..ub-domain-defined-attribute-value-length))} - --- Extension Attributes - -ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF - ExtensionAttribute - -ExtensionAttribute ::= SEQUENCE { - extension-attribute-type [0] INTEGER (0..ub-extension-attributes), - extension-attribute-value [1] - ANY DEFINED BY extension-attribute-type } - - - - -Housley, et. al. 
Standards Track [Page 78] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- Extension types and attribute values --- - -common-name INTEGER ::= 1 - -CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) - -teletex-common-name INTEGER ::= 2 - -TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) - -teletex-organization-name INTEGER ::= 3 - -TeletexOrganizationName ::= - TeletexString (SIZE (1..ub-organization-name-length)) - -teletex-personal-name INTEGER ::= 4 - -TeletexPersonalName ::= SET { - surname [0] TeletexString (SIZE (1..ub-surname-length)), - given-name [1] TeletexString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] TeletexString (SIZE - (1..ub-generation-qualifier-length)) OPTIONAL } - -teletex-organizational-unit-names INTEGER ::= 5 - -TeletexOrganizationalUnitNames ::= SEQUENCE SIZE - (1..ub-organizational-units) OF TeletexOrganizationalUnitName - -TeletexOrganizationalUnitName ::= TeletexString - (SIZE (1..ub-organizational-unit-name-length)) - -pds-name INTEGER ::= 7 - -PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) - -physical-delivery-country-name INTEGER ::= 8 - -PhysicalDeliveryCountryName ::= CHOICE { - x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -postal-code INTEGER ::= 9 - -PostalCode ::= CHOICE { - - - -Housley, et. al. 
Standards Track [Page 79] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - numeric-code NumericString (SIZE (1..ub-postal-code-length)), - printable-code PrintableString (SIZE (1..ub-postal-code-length)) } - -physical-delivery-office-name INTEGER ::= 10 - -PhysicalDeliveryOfficeName ::= PDSParameter - -physical-delivery-office-number INTEGER ::= 11 - -PhysicalDeliveryOfficeNumber ::= PDSParameter - -extension-OR-address-components INTEGER ::= 12 - -ExtensionORAddressComponents ::= PDSParameter - -physical-delivery-personal-name INTEGER ::= 13 - -PhysicalDeliveryPersonalName ::= PDSParameter - -physical-delivery-organization-name INTEGER ::= 14 - -PhysicalDeliveryOrganizationName ::= PDSParameter - -extension-physical-delivery-address-components INTEGER ::= 15 - -ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter - -unformatted-postal-address INTEGER ::= 16 - -UnformattedPostalAddress ::= SET { - printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF - PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString - (SIZE (1..ub-unformatted-address-length)) OPTIONAL } - -street-address INTEGER ::= 17 - -StreetAddress ::= PDSParameter - -post-office-box-address INTEGER ::= 18 - -PostOfficeBoxAddress ::= PDSParameter - -poste-restante-address INTEGER ::= 19 - -PosteRestanteAddress ::= PDSParameter - -unique-postal-name INTEGER ::= 20 - - - -Housley, et. al. 
Standards Track [Page 80] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -UniquePostalName ::= PDSParameter - -local-postal-attributes INTEGER ::= 21 - -LocalPostalAttributes ::= PDSParameter - -PDSParameter ::= SET { - printable-string PrintableString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL } - -extended-network-address INTEGER ::= 22 - -ExtendedNetworkAddress ::= CHOICE { - e163-4-address SEQUENCE { - number [0] NumericString (SIZE (1..ub-e163-4-number-length)), - sub-address [1] NumericString - (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL }, - psap-address [0] PresentationAddress } - -PresentationAddress ::= SEQUENCE { - pSelector [0] EXPLICIT OCTET STRING OPTIONAL, - sSelector [1] EXPLICIT OCTET STRING OPTIONAL, - tSelector [2] EXPLICIT OCTET STRING OPTIONAL, - nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } - -terminal-type INTEGER ::= 23 - -TerminalType ::= INTEGER { - telex (3), - teletex (4), - g3-facsimile (5), - g4-facsimile (6), - ia5-terminal (7), - videotex (8) } (0..ub-integer-options) - --- Extension Domain-defined Attributes - -teletex-domain-defined-attributes INTEGER ::= 6 - -TeletexDomainDefinedAttributes ::= SEQUENCE SIZE - (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute - -TeletexDomainDefinedAttribute ::= SEQUENCE { - type TeletexString - (SIZE (1..ub-domain-defined-attribute-type-length)), - value TeletexString - - - -Housley, et. al. 
Standards Track [Page 81] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - (SIZE (1..ub-domain-defined-attribute-value-length)) } - --- specifications of Upper Bounds shall be regarded as mandatory --- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter --- Upper Bounds - --- Upper Bounds -ub-name INTEGER ::= 32768 -ub-common-name INTEGER ::= 64 -ub-locality-name INTEGER ::= 128 -ub-state-name INTEGER ::= 128 -ub-organization-name INTEGER ::= 64 -ub-organizational-unit-name INTEGER ::= 64 -ub-title INTEGER ::= 64 -ub-match INTEGER ::= 128 - -ub-emailaddress-length INTEGER ::= 128 - -ub-common-name-length INTEGER ::= 64 -ub-country-name-alpha-length INTEGER ::= 2 -ub-country-name-numeric-length INTEGER ::= 3 -ub-domain-defined-attributes INTEGER ::= 4 -ub-domain-defined-attribute-type-length INTEGER ::= 8 -ub-domain-defined-attribute-value-length INTEGER ::= 128 -ub-domain-name-length INTEGER ::= 16 -ub-extension-attributes INTEGER ::= 256 -ub-e163-4-number-length INTEGER ::= 15 -ub-e163-4-sub-address-length INTEGER ::= 40 -ub-generation-qualifier-length INTEGER ::= 3 -ub-given-name-length INTEGER ::= 16 -ub-initials-length INTEGER ::= 5 -ub-integer-options INTEGER ::= 256 -ub-numeric-user-id-length INTEGER ::= 32 -ub-organization-name-length INTEGER ::= 64 -ub-organizational-unit-name-length INTEGER ::= 32 -ub-organizational-units INTEGER ::= 4 -ub-pds-name-length INTEGER ::= 16 -ub-pds-parameter-length INTEGER ::= 30 -ub-pds-physical-address-lines INTEGER ::= 6 -ub-postal-code-length INTEGER ::= 16 -ub-surname-length INTEGER ::= 40 -ub-terminal-id-length INTEGER ::= 24 -ub-unformatted-address-length INTEGER ::= 180 -ub-x121-address-length INTEGER ::= 16 - --- Note - upper bounds on string types, such as TeletexString, are --- measured in characters. Excepting PrintableString or IA5String, a --- significantly greater number of octets will be required to hold - - - -Housley, et. al. 
Standards Track [Page 82] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- such a value. As a minimum, 16 octets, or twice the specified upper --- bound, whichever is the larger, should be allowed for TeletexString. --- For UTF8String or UniversalString at least four times the upper --- bound should be allowed. - -END - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 83] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -A.2 Implicitly Tagged Module, 1988 Syntax - -PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)} - -DEFINITIONS IMPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - -IMPORTS - id-pkix, id-pe, id-qt, id-kp, id-qt-unotice, id-qt-cps, - id-ad, id-ad-ocsp, id-ad-caIssuers, - -- delete following line if "new" types are supported -- - BMPString, UniversalString, UTF8String, -- end "new" types - ORAddress, Name, RelativeDistinguishedName, - CertificateSerialNumber, - CertificateList, AlgorithmIdentifier, ub-name, - Attribute, DirectoryString - FROM PKIX1Explicit88 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-explicit(1)}; - - --- ISO arc for standard certificate and CRL extensions - -id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} - --- authority key identifier OID and syntax - -id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } - -AuthorityKeyIdentifier ::= SEQUENCE { - keyIdentifier [0] KeyIdentifier OPTIONAL, - authorityCertIssuer [1] GeneralNames OPTIONAL, - authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } - -- authorityCertIssuer and authorityCertSerialNumber shall both - -- be present or both be absent - -KeyIdentifier ::= OCTET STRING - --- subject key identifier OID and syntax - -id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 
14 } - -SubjectKeyIdentifier ::= KeyIdentifier - - - - -Housley, et. al. Standards Track [Page 84] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- key usage extension OID and syntax - -id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } - -KeyUsage ::= BIT STRING { - digitalSignature (0), - nonRepudiation (1), - keyEncipherment (2), - dataEncipherment (3), - keyAgreement (4), - keyCertSign (5), - cRLSign (6), - encipherOnly (7), - decipherOnly (8) } - --- private key usage period extension OID and syntax - -id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } - -PrivateKeyUsagePeriod ::= SEQUENCE { - notBefore [0] GeneralizedTime OPTIONAL, - notAfter [1] GeneralizedTime OPTIONAL } - -- either notBefore or notAfter shall be present - --- certificate policies extension OID and syntax - -id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } - -CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation - -PolicyInformation ::= SEQUENCE { - policyIdentifier CertPolicyId, - policyQualifiers SEQUENCE SIZE (1..MAX) OF - PolicyQualifierInfo OPTIONAL } - -CertPolicyId ::= OBJECT IDENTIFIER - -PolicyQualifierInfo ::= SEQUENCE { - policyQualifierId PolicyQualifierId, - qualifier ANY DEFINED BY policyQualifierId } - --- Implementations that recognize additional policy qualifiers shall --- augment the following definition for PolicyQualifierId - -PolicyQualifierId ::= - OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) - --- CPS pointer qualifier - - - -Housley, et. al. 
Standards Track [Page 85] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -CPSuri ::= IA5String - --- user notice qualifier - -UserNotice ::= SEQUENCE { - noticeRef NoticeReference OPTIONAL, - explicitText DisplayText OPTIONAL} - -NoticeReference ::= SEQUENCE { - organization DisplayText, - noticeNumbers SEQUENCE OF INTEGER } - -DisplayText ::= CHOICE { - visibleString VisibleString (SIZE (1..200)), - bmpString BMPString (SIZE (1..200)), - utf8String UTF8String (SIZE (1..200)) } - --- policy mapping extension OID and syntax - -id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } - -PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - issuerDomainPolicy CertPolicyId, - subjectDomainPolicy CertPolicyId } - --- subject alternative name extension OID and syntax - -id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } - -SubjectAltName ::= GeneralNames - -GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - -GeneralName ::= CHOICE { - otherName [0] AnotherName, - rfc822Name [1] IA5String, - dNSName [2] IA5String, - x400Address [3] ORAddress, - directoryName [4] Name, - ediPartyName [5] EDIPartyName, - uniformResourceIdentifier [6] IA5String, - iPAddress [7] OCTET STRING, - registeredID [8] OBJECT IDENTIFIER } - --- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as --- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax - -AnotherName ::= SEQUENCE { - - - -Housley, et. al. 
Standards Track [Page 86] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id } - -EDIPartyName ::= SEQUENCE { - nameAssigner [0] DirectoryString OPTIONAL, - partyName [1] DirectoryString } - --- issuer alternative name extension OID and syntax - -id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } - -IssuerAltName ::= GeneralNames - -id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } - -SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute - --- basic constraints extension OID and syntax - -id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } - -BasicConstraints ::= SEQUENCE { - cA BOOLEAN DEFAULT FALSE, - pathLenConstraint INTEGER (0..MAX) OPTIONAL } - --- name constraints extension OID and syntax - -id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } - -NameConstraints ::= SEQUENCE { - permittedSubtrees [0] GeneralSubtrees OPTIONAL, - excludedSubtrees [1] GeneralSubtrees OPTIONAL } - -GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree - -GeneralSubtree ::= SEQUENCE { - base GeneralName, - minimum [0] BaseDistance DEFAULT 0, - maximum [1] BaseDistance OPTIONAL } - -BaseDistance ::= INTEGER (0..MAX) - --- policy constraints extension OID and syntax - -id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } - -PolicyConstraints ::= SEQUENCE { - requireExplicitPolicy [0] SkipCerts OPTIONAL, - - - -Housley, et. al. 
Standards Track [Page 87] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - inhibitPolicyMapping [1] SkipCerts OPTIONAL } - -SkipCerts ::= INTEGER (0..MAX) - --- CRL distribution points extension OID and syntax - -id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} - -CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint - -DistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - reasons [1] ReasonFlags OPTIONAL, - cRLIssuer [2] GeneralNames OPTIONAL } - -DistributionPointName ::= CHOICE { - fullName [0] GeneralNames, - nameRelativeToCRLIssuer [1] RelativeDistinguishedName } - -ReasonFlags ::= BIT STRING { - unused (0), - keyCompromise (1), - cACompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6) } - --- extended key usage extension OID and syntax - -id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} - -ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId - -KeyPurposeId ::= OBJECT IDENTIFIER - --- extended key purpose OIDs -id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } -id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } -id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 } -id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 } -id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 } -id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } - --- authority info access - - - - -Housley, et. al. 
Standards Track [Page 88] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } - -AuthorityInfoAccessSyntax ::= - SEQUENCE SIZE (1..MAX) OF AccessDescription - -AccessDescription ::= SEQUENCE { - accessMethod OBJECT IDENTIFIER, - accessLocation GeneralName } - --- CRL number extension OID and syntax - -id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } - -CRLNumber ::= INTEGER (0..MAX) - --- issuing distribution point extension OID and syntax - -id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } - -IssuingDistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, - onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, - onlySomeReasons [3] ReasonFlags OPTIONAL, - indirectCRL [4] BOOLEAN DEFAULT FALSE } - - -id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } - --- deltaCRLIndicator ::= BaseCRLNumber - -BaseCRLNumber ::= CRLNumber - --- CRL reasons extension OID and syntax - -id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } - -CRLReason ::= ENUMERATED { - unspecified (0), - keyCompromise (1), - cACompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6), - removeFromCRL (8) } - --- certificate issuer CRL entry extension OID and syntax - - - -Housley, et. al. 
Standards Track [Page 89] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } - -CertificateIssuer ::= GeneralNames - --- hold instruction extension OID and syntax - -id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } - -HoldInstructionCode ::= OBJECT IDENTIFIER - --- ANSI x9 holdinstructions - --- ANSI x9 arc holdinstruction arc -holdInstruction OBJECT IDENTIFIER ::= - {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} - --- ANSI X9 holdinstructions referenced by this standard -id-holdinstruction-none OBJECT IDENTIFIER ::= - {holdInstruction 1} -- deprecated -id-holdinstruction-callissuer OBJECT IDENTIFIER ::= - {holdInstruction 2} -id-holdinstruction-reject OBJECT IDENTIFIER ::= - {holdInstruction 3} - --- invalidity date CRL entry extension OID and syntax - -id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } - -InvalidityDate ::= GeneralizedTime - -END - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 90] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix B. 
1993 ASN.1 Structures and OIDs - - -B.1 Explicitly Tagged Module, 1993 Syntax - -PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)} - - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - -IMPORTS - authorityKeyIdentifier, subjectKeyIdentifier, keyUsage, - extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies, - policyMappings, subjectAltName, issuerAltName, - basicConstraints, nameConstraints, policyConstraints, - cRLDistributionPoints, subjectDirectoryAttributes, - cRLNumber, reasonCode, instructionCode, invalidityDate, - issuingDistributionPoint, certificateIssuer, - deltaCRLIndicator, authorityInfoAccess, id-ce - FROM PKIX1Implicit93 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-implicit-93(4)} ; - --- - -- Locally defined OIDs -- - -id-pkix OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) } - --- PKIX arcs --- arc for private certificate extensions -id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } - -- arc for policy qualifier types -id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } --- arc for extended key purpose OIDS -id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } --- arc for access descriptors -id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } - --- policyQualifierIds for Internet policy qualifiers -id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } - -- OID for CPS qualifier - - - -Housley, et. al. 
Standards Track [Page 91] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - -- OID for user notice qualifier - --- based on excerpts from AuthenticationFramework --- {joint-iso-ccitt ds(5) modules(1) authenticationFramework(7) 2} - - -- Public Key Certificate -- - -Certificate ::= SIGNED { SEQUENCE { - version [0] Version DEFAULT v1, - serialNumber CertificateSerialNumber, - signature AlgorithmIdentifier, - issuer Name, - validity Validity, - subject Name, - subjectPublicKeyInfo SubjectPublicKeyInfo, - issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL, - ---if present, version shall be v2 or v3-- - subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL, - ---if present, version shall be v2 or v3-- - extensions [3] Extensions OPTIONAL - --if present, version shall be v3--} } - -UniqueIdentifier ::= BIT STRING - -Version ::= INTEGER { v1(0), v2(1), v3(2) } - -CertificateSerialNumber ::= INTEGER - -Validity ::= SEQUENCE { - notBefore Time, - notAfter Time } - -Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } - -SubjectPublicKeyInfo ::= SEQUENCE{ - algorithm AlgorithmIdentifier, - subjectPublicKey BIT STRING} - -Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension - -Extension ::= SEQUENCE { - extnId EXTENSION.&id ({ExtensionSet}), - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING } - -- contains a DER encoding of a value of type - - - -Housley, et. al. Standards Track [Page 92] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - -- &ExtnType for the - -- extension object identified by extnId -- - --- The following information object set is defined to constrain the --- set of legal certificate extensions. 
- -ExtensionSet EXTENSION ::= { authorityKeyIdentifier | - subjectKeyIdentifier | - keyUsage | - extendedKeyUsage | - privateKeyUsagePeriod | - certificatePolicies | - policyMappings | - subjectAltName | - issuerAltName | - basicConstraints | - nameConstraints | - policyConstraints | - cRLDistributionPoints | - subjectDirectoryAttributes | - authorityInfoAccess } - -EXTENSION ::= CLASS { - &id OBJECT IDENTIFIER UNIQUE, - &ExtnType } -WITH SYNTAX { - SYNTAX &ExtnType - IDENTIFIED BY &id } - - -- Certificate Revocation List -- - -CertificateList ::= SIGNED { SEQUENCE { - version Version OPTIONAL, -- if present, shall be v2 - signature AlgorithmIdentifier, - issuer Name, - thisUpdate Time, - nextUpdate Time OPTIONAL, - revokedCertificates SEQUENCE OF SEQUENCE { - userCertificate CertificateSerialNumber, - revocationDate Time, - crlEntryExtensions EntryExtensions OPTIONAL } OPTIONAL, - crlExtensions [0] CRLExtensions OPTIONAL }} - -CRLExtensions ::= SEQUENCE SIZE (1..MAX) OF CRLExtension - -CRLExtension ::= SEQUENCE { - extnId EXTENSION.&id ({CRLExtensionSet}), - critical BOOLEAN DEFAULT FALSE, - - - -Housley, et. al. Standards Track [Page 93] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - extnValue OCTET STRING } - -- contains a DER encoding of a value of type - -- &ExtnType for the - -- extension object identified by extnId -- - --- The following information object set is defined to constrain the --- set of legal CRL extensions. 
- -CRLExtensionSet EXTENSION ::= { authorityKeyIdentifier | - issuerAltName | - cRLNumber | - deltaCRLIndicator | - issuingDistributionPoint } - --- EXTENSION defined above for certificates - -EntryExtensions ::= SEQUENCE SIZE (1..MAX) OF EntryExtension - -EntryExtension ::= SEQUENCE { - extnId EXTENSION.&id ({EntryExtensionSet}), - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING } - -- contains a DER encoding of a value of type - -- &ExtnType for the - -- extension object identified by extnId -- - --- The following information object set is defined to constrain the --- set of legal CRL entry extensions. - -EntryExtensionSet EXTENSION ::= { reasonCode | - instructionCode | - invalidityDate | - certificateIssuer } - - -- information object classes used in the defintion -- - -- of certificates and CRLs -- - --- Parameterized Type SIGNED -- - - SIGNED { ToBeSigned } ::= SEQUENCE { - toBeSigned ToBeSigned, - algorithm AlgorithmIdentifier, - signature BIT STRING - } - --- Definition of AlgorithmIdentifier --- ISO definition was: --- - - - -Housley, et. al. Standards Track [Page 94] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - --- AlgorithmIdentifier ::= SEQUENCE { --- algorithm ALGORITHM.&id({SupportedAlgorithms}), --- parameters ALGORITHM.&Type({SupportedAlgorithms} --- { @algorithm}) OPTIONAL } --- Definition of ALGORITHM --- ALGORITHM ::= TYPE-IDENTIFIER - --- The following PKIX definition replaces the X.509 definition --- - -AlgorithmIdentifier ::= SEQUENCE { - algorithm ALGORITHM-ID.&id({SupportedAlgorithms}), - parameters ALGORITHM-ID.&Type({SupportedAlgorithms} - { @algorithm}) OPTIONAL } - --- Definition of ALGORITHM-ID - - ALGORITHM-ID ::= CLASS { - &id OBJECT IDENTIFIER UNIQUE, - &Type OPTIONAL - } - WITH SYNTAX { OID &id [PARMS &Type] } - --- The definition of SupportedAlgorithms may be modified as this --- document does not specify a mandatory algorithm set. 
In addition, --- the set is specified as extensible, since additional algorithms --- may be supported - -SupportedAlgorithms ALGORITHM-ID ::= { ..., -- extensible - rsaPublicKey | - rsaSHA-1 | - rsaMD5 | - rsaMD2 | - dssPublicKey | - dsaSHA-1 | - dhPublicKey } - --- OIDs and parameter structures for ALGORITHM-IDs used --- in this specification - -rsaPublicKey ALGORITHM-ID ::= { OID rsaEncryption PARMS NULL } - -rsaSHA-1 ALGORITHM-ID ::= { OID sha1WithRSAEncryption PARMS NULL } - -rsaMD5 ALGORITHM-ID ::= { OID md5WithRSAEncryption PARMS NULL } - -rsaMD2 ALGORITHM-ID ::= { OID md2WithRSAEncryption PARMS NULL } - - - - -Housley, et. al. Standards Track [Page 95] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -dssPublicKey ALGORITHM-ID ::= { OID id-dsa PARMS Dss-Parms } - -dsaSHA-1 ALGORITHM-ID ::= { OID id-dsa-with-sha1 } - -dhPublicKey ALGORITHM-ID ::= {OID dhpublicnumber PARMS DomainParameters} - --- algorithm identifiers and parameter structures - -pkcs-1 OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } - -rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } - -md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } - -md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } - -sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } - -id-dsa-with-sha1 OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 } - -Dss-Sig-Value ::= SEQUENCE { - r INTEGER, - s INTEGER } - -dhpublicnumber OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 } - -DomainParameters ::= SEQUENCE { - p INTEGER, -- odd prime, p=jq +1 - g INTEGER, -- generator, g - q INTEGER, -- factor of p-1 - j INTEGER OPTIONAL, -- subgroup factor, j>= 2 - validationParms ValidationParms OPTIONAL } - -ValidationParms ::= SEQUENCE { - seed BIT STRING, - pgenCounter INTEGER } - -id-dsa OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } - -Dss-Parms ::= 
SEQUENCE { - p INTEGER, - q INTEGER, - g INTEGER } - - - - -Housley, et. al. Standards Track [Page 96] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - -- The ASN.1 in this section supports the Name type - -- and the directoryAttribute extension - --- attribute data types -- - -Attribute ::= SEQUENCE { - type ATTRIBUTE.&id ({SupportedAttributes}), - values SET SIZE (1 .. MAX) OF ATTRIBUTE.&Type - ({SupportedAttributes}{@type})} - -AttributeTypeAndValue ::= SEQUENCE { - type ATTRIBUTE.&id ({SupportedAttributes}), - value ATTRIBUTE.&Type ({SupportedAttributes}{@type})} - --- naming data types -- - -Name ::= CHOICE { -- only one possibility for now -- - rdnSequence RDNSequence } - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -RelativeDistinguishedName ::= - SET SIZE (1 .. MAX) OF AttributeTypeAndValue - -ID ::= OBJECT IDENTIFIER - --- ATTRIBUTE information object class specification --- Note: This has been greatly simplified for PKIX !! - -ATTRIBUTE ::= CLASS { - &Type, - &id OBJECT IDENTIFIER UNIQUE } -WITH SYNTAX { - WITH SYNTAX &Type ID &id } - --- suggested naming attributes --- Definition of the following information object set may be --- augmented to meet local requirements. Note that deleting --- members of the set may prevent interoperability with --- conforming implementations. - -SupportedAttributes ATTRIBUTE ::= { - name | commonName | surname | givenName | initials | - generationQualifier | dnQualifier | countryName | - localityName | stateOrProvinceName | organizationName | - organizationalUnitName | title | pkcs9email } - -name ATTRIBUTE ::= { - - - -Housley, et. al. 
Standards Track [Page 97] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - WITH SYNTAX DirectoryString { ub-name } - ID id-at-name } - -commonName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-common-name} - ID id-at-commonName } - -surname ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-name} - ID id-at-surname } - -givenName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-name} - ID id-at-givenName } - -initials ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-name} - ID id-at-initials } - -generationQualifier ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-name} - ID id-at-generationQualifier} - -dnQualifier ATTRIBUTE ::= { - WITH SYNTAX PrintableString - ID id-at-dnQualifier } - - -countryName ATTRIBUTE ::= { - WITH SYNTAX PrintableString (SIZE (2)) - -- IS 3166 codes only - ID id-at-countryName } - -localityName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-locality-name} - ID id-at-localityName } - -stateOrProvinceName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-state-name} - ID id-at-stateOrProvinceName } - -organizationName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-organization-name} - ID id-at-organizationName } - -organizationalUnitName ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-organizational-unit-name} - ID id-at-organizationalUnitName } - - - -Housley, et. al. 
Standards Track [Page 98] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -title ATTRIBUTE ::= { - WITH SYNTAX DirectoryString {ub-title} - ID id-at-title } - - -- Legacy attributes - -pkcs9email ATTRIBUTE ::= { - WITH SYNTAX PHGString, - ID emailAddress } - -PHGString ::= IA5String (SIZE(1..ub-emailaddress-length)) - -pkcs-9 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } - -emailAddress OBJECT IDENTIFIER ::= { pkcs-9 1 } - - -- object identifiers for Name type and directory attribute support - --- Object identifier assignments -- - -id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} - --- Attributes -- - -id-at-commonName OBJECT IDENTIFIER ::= {id-at 3} -id-at-surname OBJECT IDENTIFIER ::= {id-at 4} -id-at-countryName OBJECT IDENTIFIER ::= {id-at 6} -id-at-localityName OBJECT IDENTIFIER ::= {id-at 7} -id-at-stateOrProvinceName OBJECT IDENTIFIER ::= {id-at 8} -id-at-organizationName OBJECT IDENTIFIER ::= {id-at 10} -id-at-organizationalUnitName OBJECT IDENTIFIER ::= {id-at 11} -id-at-title OBJECT IDENTIFIER ::= {id-at 12} -id-at-name OBJECT IDENTIFIER ::= {id-at 41} -id-at-givenName OBJECT IDENTIFIER ::= {id-at 42} -id-at-initials OBJECT IDENTIFIER ::= {id-at 43} -id-at-generationQualifier OBJECT IDENTIFIER ::= {id-at 44} -id-at-dnQualifier OBJECT IDENTIFIER ::= {id-at 46} - --- Directory string type, used extensively in Name types -- - -DirectoryString { INTEGER:maxSize } ::= CHOICE { - teletexString TeletexString (SIZE (1..maxSize)), - printableString PrintableString (SIZE (1..maxSize)), - universalString UniversalString (SIZE (1..maxSize)), - bmpString BMPString (SIZE(1..maxSize)), - utf8String UTF8String (SIZE(1..maxSize)) - } - - - -Housley, et. al. 
Standards Track [Page 99] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - -- End of ASN.1 for Name type and directory attribute support -- - - -- The ASN.1 in this section supports X.400 style names -- - -- for implementations that use the x400Address component -- - -- of GeneralName. -- - -ORAddress ::= SEQUENCE { - built-in-standard-attributes BuiltInStandardAttributes, - built-in-domain-defined-attributes - BuiltInDomainDefinedAttributes OPTIONAL, - -- see also teletex-domain-defined-attributes - extension-attributes ExtensionAttributes OPTIONAL } - --- The OR-address is semantically absent from the OR-name if the --- built-in-standard-attribute sequence is empty and the --- built-in-domain-defined-attributes and extension-attributes are --- both omitted. - --- Built-in Standard Attributes - -BuiltInStandardAttributes ::= SEQUENCE { - country-name CountryName OPTIONAL, - administration-domain-name AdministrationDomainName OPTIONAL, - network-address [0] NetworkAddress OPTIONAL, - -- see also extended-network-address - terminal-identifier [1] TerminalIdentifier OPTIONAL, - private-domain-name [2] PrivateDomainName OPTIONAL, - organization-name [3] OrganizationName OPTIONAL, - -- see also teletex-organization-name - numeric-user-identifier [4] NumericUserIdentifier OPTIONAL, - personal-name [5] PersonalName OPTIONAL, - -- see also teletex-personal-name - organizational-unit-names [6] OrganizationalUnitNames OPTIONAL - -- see also teletex-organizational-unit-names -- } - -CountryName ::= [APPLICATION 1] CHOICE { - x121-dcc-code NumericString - (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -AdministrationDomainName ::= [APPLICATION 2] CHOICE { - numeric NumericString (SIZE (0..ub-domain-name-length)), - printable PrintableString (SIZE (0..ub-domain-name-length)) } - -NetworkAddress ::= X121Address --- see also extended-network-address - - - - -Housley, et. al. 
Standards Track [Page 100] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) - -TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length)) - -PrivateDomainName ::= CHOICE { - numeric NumericString (SIZE (1..ub-domain-name-length)), - printable PrintableString (SIZE (1..ub-domain-name-length)) } - -OrganizationName ::= PrintableString - (SIZE (1..ub-organization-name-length)) --- see also teletex-organization-name - -NumericUserIdentifier ::= NumericString - (SIZE (1..ub-numeric-user-id-length)) - -PersonalName ::= SET { - surname [0] PrintableString (SIZE (1..ub-surname-length)), - given-name [1] PrintableString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] PrintableString - (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] PrintableString - (SIZE (1..ub-generation-qualifier-length)) OPTIONAL} --- see also teletex-personal-name - -OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) - OF OrganizationalUnitName --- see also teletex-organizational-unit-names - -OrganizationalUnitName ::= PrintableString (SIZE - (1..ub-organizational-unit-name-length)) - --- Built-in Domain-defined Attributes -BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE - (1..ub-domain-defined-attributes) OF - BuiltInDomainDefinedAttribute - -BuiltInDomainDefinedAttribute ::= SEQUENCE { - type PrintableString (SIZE - (1..ub-domain-defined-attribute-type-length)), - value PrintableString (SIZE - (1..ub-domain-defined-attribute-value-length)) } - --- Extension Attributes - -ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) - OF ExtensionAttribute -ExtensionAttribute ::= SEQUENCE { - - - -Housley, et. al. 
Standards Track [Page 101] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - extension-attribute-type [0] EXTENSION-ATTRIBUTE.&id - ({ExtensionAttributeTable}), - extension-attribute-value [1] EXTENSION-ATTRIBUTE.&Type - ({ExtensionAttributeTable} {@extension-attribute-type}) } - -EXTENSION-ATTRIBUTE ::= CLASS { - &id INTEGER (0..ub-extension-attributes) UNIQUE, - &Type } -WITH SYNTAX {&Type IDENTIFIED BY &id} - -ExtensionAttributeTable EXTENSION-ATTRIBUTE ::= { - common-name | - teletex-common-name | - teletex-organization-name | - teletex-personal-name | - teletex-organizational-unit-names | - teletex-domain-defined-attributes | - pds-name | - physical-delivery-country-name | - postal-code | - physical-delivery-office-name | - physical-delivery-office-number | - extension-OR-address-components | - physical-delivery-personal-name | - physical-delivery-organization-name | - extension-physical-delivery-address-components | - unformatted-postal-address | - street-address | - post-office-box-address | - poste-restante-address | - unique-postal-name | - local-postal-attributes | - extended-network-address | - terminal-type } - --- Extension Standard Attributes - -common-name EXTENSION-ATTRIBUTE ::= {CommonName IDENTIFIED BY 1} - -CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) - -teletex-common-name EXTENSION-ATTRIBUTE ::= - {TeletexCommonName IDENTIFIED BY 2} - -TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) - -teletex-organization-name EXTENSION-ATTRIBUTE ::= - {TeletexOrganizationName IDENTIFIED BY 3} - - - -Housley, et. al. 
Standards Track [Page 102] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -TeletexOrganizationName ::= - TeletexString (SIZE (1..ub-organization-name-length)) - -teletex-personal-name EXTENSION-ATTRIBUTE ::= - {TeletexPersonalName IDENTIFIED BY 4} - -TeletexPersonalName ::= SET { - surname [0] TeletexString (SIZE (1..ub-surname-length)), - given-name [1] TeletexString - (SIZE (1..ub-given-name-length)) OPTIONAL, - initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL, - generation-qualifier [3] TeletexString (SIZE - (1..ub-generation-qualifier-length)) OPTIONAL } - -teletex-organizational-unit-names EXTENSION-ATTRIBUTE ::= - {TeletexOrganizationalUnitNames IDENTIFIED BY 5} - -TeletexOrganizationalUnitNames ::= SEQUENCE SIZE - (1..ub-organizational-units) OF TeletexOrganizationalUnitName - -TeletexOrganizationalUnitName ::= TeletexString - (SIZE (1..ub-organizational-unit-name-length)) - -pds-name EXTENSION-ATTRIBUTE ::= {PDSName IDENTIFIED BY 7} - -PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) - -physical-delivery-country-name EXTENSION-ATTRIBUTE ::= - {PhysicalDeliveryCountryName IDENTIFIED BY 8} - -PhysicalDeliveryCountryName ::= CHOICE { - x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -postal-code EXTENSION-ATTRIBUTE ::= {PostalCode IDENTIFIED BY 9} - -PostalCode ::= CHOICE { - numeric-code NumericString (SIZE (1..ub-postal-code-length)), - printable-code PrintableString (SIZE (1..ub-postal-code-length)) } - -physical-delivery-office-name EXTENSION-ATTRIBUTE ::= - {PhysicalDeliveryOfficeName IDENTIFIED BY 10} - -PhysicalDeliveryOfficeName ::= PDSParameter - -physical-delivery-office-number EXTENSION-ATTRIBUTE ::= - {PhysicalDeliveryOfficeNumber IDENTIFIED BY 11} - - - -Housley, et. al. 
Standards Track [Page 103] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -PhysicalDeliveryOfficeNumber ::= PDSParameter - -extension-OR-address-components EXTENSION-ATTRIBUTE ::= - {ExtensionORAddressComponents IDENTIFIED BY 12} - -ExtensionORAddressComponents ::= PDSParameter - -physical-delivery-personal-name EXTENSION-ATTRIBUTE ::= - {PhysicalDeliveryPersonalName IDENTIFIED BY 13} - -PhysicalDeliveryPersonalName ::= PDSParameter - -physical-delivery-organization-name EXTENSION-ATTRIBUTE ::= - {PhysicalDeliveryOrganizationName IDENTIFIED BY 14} - -PhysicalDeliveryOrganizationName ::= PDSParameter - -extension-physical-delivery-address-components EXTENSION-ATTRIBUTE ::= - {ExtensionPhysicalDeliveryAddressComponents IDENTIFIED BY 15} - -ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter - -unformatted-postal-address EXTENSION-ATTRIBUTE ::= - {UnformattedPostalAddress IDENTIFIED BY 16} - -UnformattedPostalAddress ::= SET { - printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF - PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString (SIZE - (1..ub-unformatted-address-length)) OPTIONAL } - -street-address EXTENSION-ATTRIBUTE ::= - {StreetAddress IDENTIFIED BY 17} - -StreetAddress ::= PDSParameter - -post-office-box-address EXTENSION-ATTRIBUTE ::= - {PostOfficeBoxAddress IDENTIFIED BY 18} - -PostOfficeBoxAddress ::= PDSParameter - -poste-restante-address EXTENSION-ATTRIBUTE ::= - {PosteRestanteAddress IDENTIFIED BY 19} - -PosteRestanteAddress ::= PDSParameter - -unique-postal-name EXTENSION-ATTRIBUTE ::= - {UniquePostalName IDENTIFIED BY 20} - - - -Housley, et. al. 
Standards Track [Page 104] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -UniquePostalName ::= PDSParameter - -local-postal-attributes EXTENSION-ATTRIBUTE ::= - {LocalPostalAttributes IDENTIFIED BY 21} - -LocalPostalAttributes ::= PDSParameter - -PDSParameter ::= SET { - printable-string PrintableString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL, - teletex-string TeletexString - (SIZE(1..ub-pds-parameter-length)) OPTIONAL } - -extended-network-address EXTENSION-ATTRIBUTE ::= - {ExtendedNetworkAddress IDENTIFIED BY 22} - -ExtendedNetworkAddress ::= CHOICE { - e163-4-address SEQUENCE { - number [0] NumericString - (SIZE (1..ub-e163-4-number-length)), - sub-address [1] NumericString - (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL}, - psap-address [0] PresentationAddress } - -PresentationAddress ::= SEQUENCE { - pSelector [0] EXPLICIT OCTET STRING OPTIONAL, - sSelector [1] EXPLICIT OCTET STRING OPTIONAL, - tSelector [2] EXPLICIT OCTET STRING OPTIONAL, - nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING} - - -terminal-type EXTENSION-ATTRIBUTE ::= {TerminalType IDENTIFIED BY 23} - -TerminalType ::= INTEGER { - telex (3), - teletex (4), - g3-facsimile (5), - g4-facsimile (6), - ia5-terminal (7), - videotex (8) } (0..ub-integer-options) - --- Extension Domain-defined Attributes - -teletex-domain-defined-attributes EXTENSION-ATTRIBUTE ::= - {TeletexDomainDefinedAttributes IDENTIFIED BY 6} - -TeletexDomainDefinedAttributes ::= SEQUENCE SIZE - (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute - - - -Housley, et. al. 
Standards Track [Page 105] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -TeletexDomainDefinedAttribute ::= SEQUENCE { - type TeletexString - (SIZE (1..ub-domain-defined-attribute-type-length)), - value TeletexString - (SIZE (1..ub-domain-defined-attribute-value-length)) } - --- specifications of Upper Bounds --- shall be regarded as mandatory --- from Annex B of ITU-T X.411 --- Reference Definition of MTS Parameter Upper Bounds - --- Upper Bounds -ub-name INTEGER ::= 32768 -ub-common-name INTEGER ::= 64 -ub-locality-name INTEGER ::= 128 -ub-state-name INTEGER ::= 128 -ub-organization-name INTEGER ::= 64 -ub-organizational-unit-name INTEGER ::= 64 -ub-title INTEGER ::= 64 -ub-match INTEGER ::= 128 - -ub-emailaddress-length INTEGER ::= 128 - -ub-common-name-length INTEGER ::= 64 -ub-country-name-alpha-length INTEGER ::= 2 -ub-country-name-numeric-length INTEGER ::= 3 -ub-domain-defined-attributes INTEGER ::= 4 -ub-domain-defined-attribute-type-length INTEGER ::= 8 -ub-domain-defined-attribute-value-length INTEGER ::= 128 -ub-domain-name-length INTEGER ::= 16 -ub-extension-attributes INTEGER ::= 256 -ub-e163-4-number-length INTEGER ::= 15 -ub-e163-4-sub-address-length INTEGER ::= 40 -ub-generation-qualifier-length INTEGER ::= 3 -ub-given-name-length INTEGER ::= 16 -ub-initials-length INTEGER ::= 5 -ub-integer-options INTEGER ::= 256 -ub-numeric-user-id-length INTEGER ::= 32 -ub-organization-name-length INTEGER ::= 64 -ub-organizational-unit-name-length INTEGER ::= 32 -ub-organizational-units INTEGER ::= 4 -ub-pds-name-length INTEGER ::= 16 -ub-pds-parameter-length INTEGER ::= 30 -ub-pds-physical-address-lines INTEGER ::= 6 -ub-postal-code-length INTEGER ::= 16 -ub-surname-length INTEGER ::= 40 -ub-terminal-id-length INTEGER ::= 24 -ub-unformatted-address-length INTEGER ::= 180 - - - -Housley, et. al. 
Standards Track [Page 106] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -ub-x121-address-length INTEGER ::= 16 - --- Note - upper bounds on TeletexString are measured in characters. --- A significantly greater number of octets will be required to hold --- such a value. As a minimum, 16 octets, or twice the specified upper --- bound, whichever is the larger, should be allowed. - -END - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 107] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -B.2 Implicitly Tagged Module, 1993 Syntax - - -PKIX1Implicit93 {iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-93(4)} - -DEFINITIONS IMPLICIT TAGS::= - -BEGIN - ---EXPORTS ALL -- - -IMPORTS - id-pe, id-qt, id-kp, id-ad, id-qt-unotice, - ORAddress, Name, RelativeDistinguishedName, - CertificateSerialNumber, CertificateList, - AlgorithmIdentifier, ub-name, DirectoryString, - Attribute, EXTENSION - FROM PKIX1Explicit93 {iso(1) identified-organization(3) - dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-explicit-93(3)}; - --- Key and policy information extensions -- - -authorityKeyIdentifier EXTENSION ::= { - SYNTAX AuthorityKeyIdentifier - IDENTIFIED BY id-ce-authorityKeyIdentifier } - -AuthorityKeyIdentifier ::= SEQUENCE { - keyIdentifier [0] KeyIdentifier OPTIONAL, - authorityCertIssuer [1] GeneralNames OPTIONAL, - authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } - ( WITH COMPONENTS {..., authorityCertIssuer PRESENT, - authorityCertSerialNumber PRESENT} | - WITH COMPONENTS {..., authorityCertIssuer ABSENT, - authorityCertSerialNumber ABSENT} ) - -KeyIdentifier ::= OCTET STRING - -subjectKeyIdentifier EXTENSION ::= { - SYNTAX SubjectKeyIdentifier - IDENTIFIED BY id-ce-subjectKeyIdentifier } - -SubjectKeyIdentifier ::= KeyIdentifier - -keyUsage EXTENSION 
::= { - SYNTAX KeyUsage - IDENTIFIED BY id-ce-keyUsage } - - - -Housley, et. al. Standards Track [Page 108] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -KeyUsage ::= BIT STRING { - digitalSignature (0), - nonRepudiation (1), - keyEncipherment (2), - dataEncipherment (3), - keyAgreement (4), - keyCertSign (5), - cRLSign (6), - encipherOnly (7), - decipherOnly (8) } - -extendedKeyUsage EXTENSION ::= { - SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId - IDENTIFIED BY id-ce-extKeyUsage } - -KeyPurposeId ::= OBJECT IDENTIFIER - --- PKIX-defined extended key purpose OIDs -id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } -id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } -id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } -id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } -id-kp-ipsecEndSystem OBJECT IDENTIFIER ::= { id-kp 5 } -id-kp-ipsecTunnel OBJECT IDENTIFIER ::= { id-kp 6 } -id-kp-ipsecUser OBJECT IDENTIFIER ::= { id-kp 7 } -id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } - -privateKeyUsagePeriod EXTENSION ::= { - SYNTAX PrivateKeyUsagePeriod - IDENTIFIED BY { id-ce-privateKeyUsagePeriod } } - -PrivateKeyUsagePeriod ::= SEQUENCE { - notBefore [0] GeneralizedTime OPTIONAL, - notAfter [1] GeneralizedTime OPTIONAL } - ( WITH COMPONENTS {..., notBefore PRESENT} | - WITH COMPONENTS {..., notAfter PRESENT} ) - -certificatePolicies EXTENSION ::= { - SYNTAX CertificatePoliciesSyntax - IDENTIFIED BY id-ce-certificatePolicies } - -CertificatePoliciesSyntax ::= - SEQUENCE SIZE (1..MAX) OF PolicyInformation - -PolicyInformation ::= SEQUENCE { - policyIdentifier CertPolicyId, - policyQualifiers SEQUENCE SIZE (1..MAX) OF - PolicyQualifierInfo OPTIONAL } - - - -Housley, et. al. 
Standards Track [Page 109] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -CertPolicyId ::= OBJECT IDENTIFIER - -PolicyQualifierInfo ::= SEQUENCE { - policyQualifierId CERT-POLICY-QUALIFIER.&id - ({SupportedPolicyQualifiers}), - qualifier CERT-POLICY-QUALIFIER.&Qualifier - ({SupportedPolicyQualifiers} - {@policyQualifierId})OPTIONAL } - -SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= { noticeToUser | - pointerToCPS } - -CERT-POLICY-QUALIFIER ::= CLASS { - &id OBJECT IDENTIFIER UNIQUE, - &Qualifier OPTIONAL } -WITH SYNTAX { - POLICY-QUALIFIER-ID &id - [QUALIFIER-TYPE &Qualifier] } - -policyMappings EXTENSION ::= { - SYNTAX PolicyMappingsSyntax - IDENTIFIED BY id-ce-policyMappings } - -PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - issuerDomainPolicy CertPolicyId, - subjectDomainPolicy CertPolicyId } - --- Certificate subject and certificate issuer attributes extensions -- - -subjectAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-subjectAltName } - -GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - -GeneralName ::= CHOICE { - otherName [0] INSTANCE OF OTHER-NAME, - rfc822Name [1] IA5String, - dNSName [2] IA5String, - x400Address [3] ORAddress, - directoryName [4] Name, - ediPartyName [5] EDIPartyName, - uniformResourceIdentifier [6] IA5String, - iPAddress [7] OCTET STRING, - registeredID [8] OBJECT IDENTIFIER } - -OTHER-NAME ::= TYPE-IDENTIFIER - - - - -Housley, et. al. 
Standards Track [Page 110] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -EDIPartyName ::= SEQUENCE { - nameAssigner [0] DirectoryString {ub-name} OPTIONAL, - partyName [1] DirectoryString {ub-name} } - -issuerAltName EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-issuerAltName } - -subjectDirectoryAttributes EXTENSION ::= { - SYNTAX AttributesSyntax - IDENTIFIED BY id-ce-subjectDirectoryAttributes } - -AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute - --- Certification path constraints extensions -- - -basicConstraints EXTENSION ::= { - SYNTAX BasicConstraintsSyntax - IDENTIFIED BY id-ce-basicConstraints } - -BasicConstraintsSyntax ::= SEQUENCE { - cA BOOLEAN DEFAULT FALSE, - pathLenConstraint INTEGER (0..MAX) OPTIONAL } - -nameConstraints EXTENSION ::= { - SYNTAX NameConstraintsSyntax - IDENTIFIED BY id-ce-nameConstraints } - -NameConstraintsSyntax ::= SEQUENCE { - permittedSubtrees [0] GeneralSubtrees OPTIONAL, - excludedSubtrees [1] GeneralSubtrees OPTIONAL } - -GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree - -GeneralSubtree ::= SEQUENCE { - base GeneralName, - minimum [0] BaseDistance DEFAULT 0, - maximum [1] BaseDistance OPTIONAL } - -BaseDistance ::= INTEGER (0..MAX) - -policyConstraints EXTENSION ::= { - SYNTAX PolicyConstraintsSyntax - IDENTIFIED BY id-ce-policyConstraints } - -PolicyConstraintsSyntax ::= SEQUENCE { - requireExplicitPolicy [0] SkipCerts OPTIONAL, - inhibitPolicyMapping [1] SkipCerts OPTIONAL } - - - -Housley, et. al. 
Standards Track [Page 111] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -SkipCerts ::= INTEGER (0..MAX) - --- Basic CRL extensions -- - -cRLNumber EXTENSION ::= { - SYNTAX CRLNumber - IDENTIFIED BY id-ce-cRLNumber } - -CRLNumber ::= INTEGER (0..MAX) - -reasonCode EXTENSION ::= { - SYNTAX CRLReason - IDENTIFIED BY id-ce-reasonCode } - -CRLReason ::= ENUMERATED { - unspecified (0), - keyCompromise (1), - cACompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6), - removeFromCRL (8) } - -instructionCode EXTENSION ::= { - SYNTAX HoldInstruction - IDENTIFIED BY id-ce-instructionCode } - -HoldInstruction ::= OBJECT IDENTIFIER - --- holdinstructions described in this specification, from ANSI x9 - --- ANSI x9 arc holdinstruction arc -holdInstruction OBJECT IDENTIFIER ::= { - joint-iso-ccitt(2) member-body(2) us(840) x9cm(10040) 2} - --- ANSI X9 holdinstructions referenced by this standard -id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1} -id-holdinstruction-callissuer OBJECT IDENTIFIER ::= {holdInstruction 2} -id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3} - -invalidityDate EXTENSION ::= { - SYNTAX GeneralizedTime - IDENTIFIED BY id-ce-invalidityDate } - --- CRL distribution points and delta-CRL extensions -- - -cRLDistributionPoints EXTENSION ::= { - - - -Housley, et. al. 
Standards Track [Page 112] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - SYNTAX CRLDistPointsSyntax - IDENTIFIED BY id-ce-cRLDistributionPoints } - -CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint - -DistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - reasons [1] ReasonFlags OPTIONAL, - cRLIssuer [2] GeneralNames OPTIONAL } - -DistributionPointName ::= CHOICE { - fullName [0] GeneralNames, - nameRelativeToCRLIssuer [1] RelativeDistinguishedName } - -ReasonFlags ::= BIT STRING { - unused (0), - keyCompromise (1), - caCompromise (2), - affiliationChanged (3), - superseded (4), - cessationOfOperation (5), - certificateHold (6) } - -issuingDistributionPoint EXTENSION ::= { - SYNTAX IssuingDistPointSyntax - IDENTIFIED BY id-ce-issuingDistributionPoint } - -IssuingDistPointSyntax ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, - onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, - onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, - onlySomeReasons [3] ReasonFlags OPTIONAL, - indirectCRL [4] BOOLEAN DEFAULT FALSE } - -certificateIssuer EXTENSION ::= { - SYNTAX GeneralNames - IDENTIFIED BY id-ce-certificateIssuer } - -deltaCRLIndicator EXTENSION ::= { - SYNTAX BaseCRLNumber - IDENTIFIED BY id-ce-deltaCRLIndicator } - -BaseCRLNumber ::= CRLNumber - --- Object identifier assignments for ISO certificate extensions -- -id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} - -id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9} - - - -Housley, et. al. 
Standards Track [Page 113] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14} -id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15} -id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16} -id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17} -id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18} -id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19} -id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20} -id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21} -id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23} -id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24} -id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27} -id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28} -id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29} -id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30} -id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} -id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32} -id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33} -id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36} -id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35} -id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} - --- PKIX 1 extensions - -authorityInfoAccess EXTENSION ::= { - SYNTAX AuthorityInfoAccessSyntax - IDENTIFIED BY id-pe-authorityInfoAccess } - -AuthorityInfoAccessSyntax ::= - SEQUENCE SIZE (1..MAX) OF AccessDescription - -AccessDescription ::= SEQUENCE { - accessMethod OBJECT IDENTIFIER, - accessLocation GeneralName } - -id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } - -id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } -id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } - --- PKIX policy qualifier definitions - -noticeToUser CERT-POLICY-QUALIFIER ::= { - POLICY-QUALIFIER-ID id-qt-cps QUALIFIER-TYPE CPSuri} - -pointerToCPS CERT-POLICY-QUALIFIER ::= { - POLICY-QUALIFIER-ID id-qt-unotice QUALIFIER-TYPE UserNotice} - -id-qt-cps OBJECT IDENTIFIER ::= 
{ id-qt 1 } - - - -Housley, et. al. Standards Track [Page 114] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - -CPSuri ::= IA5String - -UserNotice ::= SEQUENCE { - noticeRef NoticeReference OPTIONAL, - explicitText DisplayText OPTIONAL} - -NoticeReference ::= SEQUENCE { - organization DisplayText, - noticeNumbers SEQUENCE OF INTEGER } - -DisplayText ::= CHOICE { - visibleString VisibleString (SIZE (1..200)), - bmpString BMPString (SIZE (1..200)), - utf8String UTF8String (SIZE (1..200)) } - - -END - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 115] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix C. ASN.1 Notes - - The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 - constructs. A valid ASN.1 sequence will have zero or more entries. - The SIZE (1..MAX) construct constrains the sequence to have at least - one entry. MAX indicates the upper bound is unspecified. - Implementations are free to choose an upper bound that suits their - environment. - - The construct "positiveInt ::= INTEGER (0..MAX)" defines positiveInt - as a subtype of INTEGER containing integers greater than or equal to - zero. The upper bound is unspecified. Implementations are free to - select an upper bound that suits their environment. - - The character string type PrintableString supports a very basic Latin - character set: the lower case letters 'a' through 'z', upper case - letters 'A' through 'Z', the digits '0' through '9', eleven special - characters ' " ( ) + , - . / : ? and space. - - The character string type TeletexString is a superset of - PrintableString. TeletexString supports a fairly standard (ascii- - like) Latin character set, Latin characters with non-spacing accents - and Japanese characters. - - The character string type UniversalString supports any of the - characters allowed by ISO 10646-1. 
ISO 10646 is the Universal - multiple-octet coded Character Set (UCS). ISO 10646-1 specifes the - architecture and the "basic multilingual plane" - a large standard - character set which includes all major world character standards. - - The character string type UTF8String will be introduced in the 1998 - version of ASN.1. UTF8String is a universal type and has been - assigned tag number 12. The content of UTF8String was defined by RFC - 2044 and updated in RFC 2279, "UTF-8, a transformation Format of ISP - 10646." ISO is expected to formally add UTF8String to the list of - choices for DirectoryString in 1998 as well. - - In anticipation of these changes, and in conformance with IETF Best - Practices codified in RFC 2277, IETF Policy on Character Sets and - Languages, this document includes UTF8String as a choice in - DirectoryString and the CPS qualifier extensions. - - - - - - - - - - -Housley, et. al. Standards Track [Page 116] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix D. Examples - - This section contains four examples: three certificates and a CRL. - The first two certificates and the CRL comprise a minimal - certification path. - - Section D.1 contains an annotated hex dump of a "self-signed" - certificate issued by a CA whose distinguished name is - cn=us,o=gov,ou=nist. The certificate contains a DSA public key with - parameters, and is signed by the corresponding DSA private key. - - Section D.2 contains an annotated hex dump of an end-entity - certificate. The end entity certificate contains a DSA public key, - and is signed by the private key corresponding to the "self-signed" - certificate in section D.1. - - Section D.3 contains a dump of an end entity certificate which - contains an RSA public key and is signed with RSA and MD5. This - certificate is not part of the minimal certification path. - - Section D.4 contains an annotated hex dump of a CRL. 
The CRL is - issued by the CA whose distinguished name is cn=us,o=gov,ou=nist and - the list of revoked certificates includes the end entity certificate - presented in D.2. - -D.1 Certificate - - This section contains an annotated hex dump of a 699 byte version 3 - certificate. The certificate contains the following information: - (a) the serial number is 17 (11 hex); - (b) the certificate is signed with DSA and the SHA-1 hash algorithm; - (c) the issuer's distinguished name is OU=nist; O=gov; C=US - (d) and the subject's distinguished name is OU=nist; O=gov; C=US - (e) the certificate was issued on June 30, 1997 and will expire on - December 31, 1997; - (f) the certificate contains a 1024 bit DSA public key with - parameters; - (g) the certificate contains a subject key identifier extension; and - (h) the certificate is a CA certificate (as indicated through the - basic constraints extension.) - -0000 30 82 02 b7 695: SEQUENCE -0004 30 82 02 77 631: . SEQUENCE tbscertificate -0008 a0 03 3: . . [0] -0010 02 01 1: . . . INTEGER 2 - : 02 -0013 02 01 1: . . INTEGER 17 - : 11 - - - -Housley, et. al. Standards Track [Page 117] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -0016 30 09 9: . . SEQUENCE -0018 06 07 7: . . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0027 30 2a 42: . . SEQUENCE -0029 31 0b 11: . . . SET -0031 30 09 9: . . . . SEQUENCE -0033 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0038 13 02 2: . . . . . PrintableString 'US' - : 55 53 -0042 31 0c 12: . . . SET -0044 30 0a 10: . . . . SEQUENCE -0046 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0051 13 03 3: . . . . . PrintableString 'gov' - : 67 6f 76 -0056 31 0d 13: . . . SET -0058 30 0b 11: . . . . SEQUENCE -0060 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0065 13 04 4: . . . . . PrintableString 'nist' - : 6e 69 73 74 -0071 30 1e 30: . . SEQUENCE -0073 17 0d 13: . . . 
UTCTime '970630000000Z' - : 39 37 30 36 33 30 30 30 30 30 30 30 5a -0088 17 0d 13: . . . UTCTime '971231000000Z' - : 39 37 31 32 33 31 30 30 30 30 30 30 5a -0103 30 2a 42: . . SEQUENCE -0105 31 0b 11: . . . SET -0107 30 09 9: . . . . SEQUENCE -0109 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0114 13 02 2: . . . . . PrintableString 'US' - : 55 53 -0118 31 0c 12: . . . SET -0120 30 0a 10: . . . . SEQUENCE -0122 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0127 13 03 3: . . . . . PrintableString 'gov' - : 67 6f 76 -0132 31 0d 13: . . . SET -0134 30 0b 11: . . . . SEQUENCE -0136 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0141 13 04 4: . . . . . PrintableString 'nist' - : 6e 69 73 74 -0147 30 82 01 b4 436: . . SEQUENCE -0151 30 82 01 29 297: . . . SEQUENCE - - - -Housley, et. al. Standards Track [Page 118] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -0155 06 07 7: . . . . OID 1.2.840.10040.4.1: dsa - : 2a 86 48 ce 38 04 01 -0164 30 82 01 1c 284: . . . . SEQUENCE -0168 02 81 80 128: . . . . . INTEGER - : d4 38 02 c5 35 7b d5 0b a1 7e 5d 72 59 63 55 d3 - : 45 56 ea e2 25 1a 6b c5 a4 ab aa 0b d4 62 b4 d2 - : 21 b1 95 a2 c6 01 c9 c3 fa 01 6f 79 86 83 3d 03 - : 61 e1 f1 92 ac bc 03 4e 89 a3 c9 53 4a f7 e2 a6 - : 48 cf 42 1e 21 b1 5c 2b 3a 7f ba be 6b 5a f7 0a - : 26 d8 8e 1b eb ec bf 1e 5a 3f 45 c0 bd 31 23 be - : 69 71 a7 c2 90 fe a5 d6 80 b5 24 dc 44 9c eb 4d - : f9 da f0 c8 e8 a2 4c 99 07 5c 8e 35 2b 7d 57 8d -0299 02 14 20: . . . . . INTEGER - : a7 83 9b f3 bd 2c 20 07 fc 4c e7 e8 9f f3 39 83 - : 51 0d dc dd -0321 02 81 80 128: . . . . . 
INTEGER - : 0e 3b 46 31 8a 0a 58 86 40 84 e3 a1 22 0d 88 ca - : 90 88 57 64 9f 01 21 e0 15 05 94 24 82 e2 10 90 - : d9 e1 4e 10 5c e7 54 6b d4 0c 2b 1b 59 0a a0 b5 - : a1 7d b5 07 e3 65 7c ea 90 d8 8e 30 42 e4 85 bb - : ac fa 4e 76 4b 78 0e df 6c e5 a6 e1 bd 59 77 7d - : a6 97 59 c5 29 a7 b3 3f 95 3e 9d f1 59 2d f7 42 - : 87 62 3f f1 b8 6f c7 3d 4b b8 8d 74 c4 ca 44 90 - : cf 67 db de 14 60 97 4a d1 f7 6d 9e 09 94 c4 0d -0452 03 81 84 132: . . . BIT STRING (0 unused bits) - : 02 81 80 aa 98 ea 13 94 a2 db f1 5b 7f 98 2f 78 - : e7 d8 e3 b9 71 86 f6 80 2f 40 39 c3 da 3b 4b 13 - : 46 26 ee 0d 56 c5 a3 3a 39 b7 7d 33 c2 6b 5c 77 - : 92 f2 55 65 90 39 cd 1a 3c 86 e1 32 eb 25 bc 91 - : c4 ff 80 4f 36 61 bd cc e2 61 04 e0 7e 60 13 ca - : c0 9c dd e0 ea 41 de 33 c1 f1 44 a9 bc 71 de cf - : 59 d4 6e da 44 99 3c 21 64 e4 78 54 9d d0 7b ba - : 4e f5 18 4d 5e 39 30 bf e0 d1 f6 f4 83 25 4f 14 - : aa 71 e1 -0587 a3 32 50: . . [3] -0589 30 30 48: . . . SEQUENCE -0591 30 0f 9: . . . . SEQUENCE -0593 06 03 3: . . . . . OID 2.5.29.19: basicConstraints - : 55 1d 13 -0598 01 01 1: . . . . . TRUE - : ff -0601 04 05 5: . . . . . OCTET STRING - : 30 03 01 01 ff -0608 30 1d 29: . SEQUENCE -0610 06 03 3: . . . . . OID 2.5.29.14: subjectKeyIdentifier - : 55 1d 0e -0615 04 16 22: . . . . . OCTET STRING - : 04 14 e7 26 c5 54 cd 5b a3 6f 35 68 95 aa d5 ff - - - -Housley, et. al. Standards Track [Page 119] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - : 1c 21 e4 22 75 d6 -0639 30 09 9: . SEQUENCE -0641 06 07 7: . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0650 03 2f 47: . BIT STRING (0 unused bits) - : 30 2c 02 14 a0 66 c1 76 33 99 13 51 8d 93 64 2f - : ca 13 73 de 79 1a 7d 33 02 14 5d 90 f6 ce 92 4a - : bf 29 11 24 80 28 a6 5a 8e 73 b6 76 02 68 - -D.2 Certificate - - This section contains an annotated hex dump of a 730 byte version 3 - certificate. 
The certificate contains the following information: - (a) the serial number is 18 (12 hex); - (b) the certificate is signed with DSA and the SHA-1 hash algorithm; - (c) the issuer's distinguished name is OU=nist; O=gov; C=US - (d) and the subject's distinguished name is CN=Tim Polk; OU=nist; - O=gov; C=US - (e) the certificate was valid from July 30, 1997 through December 1, - 1997; - (f) the certificate contains a 1024 bit DSA public key; - (g) the certificate is an end entity certificate, as the basic - constraints extension is not present; - (h) the certificate contains an authority key identifier extension; - and - (i) the certificate includes one alternative name - an RFC 822 - address. - -0000 30 82 02 d6 726: SEQUENCE -0004 30 82 02 96 662: . SEQUENCE -0008 a0 03 3: . . [0] -0010 02 01 1: . . . INTEGER 2 - : 02 -0013 02 01 1: . . INTEGER 18 - : 12 -0016 30 09 9: . . SEQUENCE -0018 06 07 7: . . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0027 30 2a 42: . . SEQUENCE -0029 31 0b 11: . . . SET -0031 30 09 9: . . . . SEQUENCE -0033 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0038 13 02 2: . . . . . PrintableString 'US' - : 55 53 -0042 31 0c 12: . . . SET -0044 30 0a 10: . . . . SEQUENCE -0046 06 03 3: . . . . . OID 2.5.4.10: O - - - -Housley, et. al. Standards Track [Page 120] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - : 55 04 0a -0051 13 03 3: . . . . . PrintableString 'gov' - : 67 6f 76 -0056 31 0d 13: . . . SET -0058 30 0b 11: . . . . SEQUENCE -0060 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0065 13 04 4: . . . . . PrintableString 'nist' - : 6e 69 73 74 -0071 30 1e 30: . . SEQUENCE -0073 17 0d 13: . . . UTCTime '970730000000Z' - : 39 37 30 37 33 30 30 30 30 30 30 30 5a -0088 17 0d 13: . . . UTCTime '971201000000Z' - : 39 37 31 32 30 31 30 30 30 30 30 30 5a -0103 30 3d 61: . . SEQUENCE -0105 31 0b 11: . . . SET -0107 30 09 9: . . . . SEQUENCE -0109 06 03 3: . . . . . 
OID 2.5.4.6: C - : 55 04 06 -0114 13 02 2: . . . . . PrintableString 'US' - : 55 53 -0118 31 0c 12: . . . SET -0120 30 0a 10: . . . . SEQUENCE -0122 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0127 13 03 3: . . . . . PrintableString 'gov' - : 67 6f 76 -0132 31 0d 13: . . . SET -0134 30 0b 11: . . . . SEQUENCE -0136 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0141 13 04 4: . . . . . PrintableString 'nist' - : 6e 69 73 74 -0147 31 11 17: . . . SET -0149 30 0f 15: . . . . SEQUENCE -0151 06 03 3: . . . . . OID 2.5.4.3: CN - : 55 04 03 -0156 13 08 8: . . . . . PrintableString 'Tim Polk' - : 54 69 6d 20 50 6f 6c 6b -0166 30 82 01 b4 436: . . SEQUENCE -0170 30 82 01 29 297: . . . SEQUENCE -0174 06 07 7: . . . . OID 1.2.840.10040.4.1: dsa - : 2a 86 48 ce 38 04 01 -0183 30 82 01 1c 284: . . . . SEQUENCE -0187 02 81 80 128: . . . . . INTEGER - : d4 38 02 c5 35 7b d5 0b a1 7e 5d 72 59 63 55 d3 - : 45 56 ea e2 25 1a 6b c5 a4 ab aa 0b d4 62 b4 d2 - : 21 b1 95 a2 c6 01 c9 c3 fa 01 6f 79 86 83 3d 03 - - - -Housley, et. al. Standards Track [Page 121] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - : 61 e1 f1 92 ac bc 03 4e 89 a3 c9 53 4a f7 e2 a6 - : 48 cf 42 1e 21 b1 5c 2b 3a 7f ba be 6b 5a f7 0a - : 26 d8 8e 1b eb ec bf 1e 5a 3f 45 c0 bd 31 23 be - : 69 71 a7 c2 90 fe a5 d6 80 b5 24 dc 44 9c eb 4d - : f9 da f0 c8 e8 a2 4c 99 07 5c 8e 35 2b 7d 57 8d -0318 02 14 20: . . . . . INTEGER - : a7 83 9b f3 bd 2c 20 07 fc 4c e7 e8 9f f3 39 83 - : 51 0d dc dd -0340 02 81 80 128: . . . . . INTEGER - : 0e 3b 46 31 8a 0a 58 86 40 84 e3 a1 22 0d 88 ca - : 90 88 57 64 9f 01 21 e0 15 05 94 24 82 e2 10 90 - : d9 e1 4e 10 5c e7 54 6b d4 0c 2b 1b 59 0a a0 b5 - : a1 7d b5 07 e3 65 7c ea 90 d8 8e 30 42 e4 85 bb - : ac fa 4e 76 4b 78 0e df 6c e5 a6 e1 bd 59 77 7d - : a6 97 59 c5 29 a7 b3 3f 95 3e 9d f1 59 2d f7 42 - : 87 62 3f f1 b8 6f c7 3d 4b b8 8d 74 c4 ca 44 90 - : cf 67 db de 14 60 97 4a d1 f7 6d 9e 09 94 c4 0d -0471 03 81 84 132: . . . 
BIT STRING (0 unused bits) - : 02 81 80 a8 63 b1 60 70 94 7e 0b 86 08 93 0c 0d - : 08 12 4a 58 a9 af 9a 09 38 54 3b 46 82 fb 85 0d - : 18 8b 2a 77 f7 58 e8 f0 1d d2 18 df fe e7 e9 35 - : c8 a6 1a db 8d 3d 3d f8 73 14 a9 0b 39 c7 95 f6 - : 52 7d 2d 13 8c ae 03 29 3c 4e 8c b0 26 18 b6 d8 - : 11 1f d4 12 0c 13 ce 3f f1 c7 05 4e df e1 fc 44 - : fd 25 34 19 4a 81 0d dd 98 42 ac d3 b6 91 0c 7f - : 16 72 a3 a0 8a d7 01 7f fb 9c 93 e8 99 92 c8 42 - : 47 c6 43 -0606 a3 3e 62: . . [3] -0608 30 3c 60: . . . SEQUENCE -0610 30 19 25: . . . . SEQUENCE -0612 06 03 3: . . . . . OID 2.5.29.17: subjectAltName - : 55 1d 11 -0617 04 12 18: . . . . . OCTET STRING - : 30 10 81 0e 77 70 6f 6c 6b 40 6e 69 73 74 2e 67 - : 6f 76 -0637 30 1f 31: . . . . SEQUENCE -0639 06 03 3: . . . . . OID 2.5.29.35: subjectAltName - : 55 1d 23 -0644 04 18 24: . . . . . OCTET STRING - : 30 16 80 14 e7 26 c5 54 cd 5b a3 6f 35 68 95 aa - : d5 ff 1c 21 e4 22 75 d6 -0670 30 09 9: . SEQUENCE -0672 06 07 7: . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0681 03 2f 47: . BIT STRING (0 unused bits) - : 30 2c 02 14 3c 02 e0 ab d9 5d 05 77 75 15 71 58 - : 92 29 48 c4 1c 54 df fc 02 14 5b da 53 98 7f c5 - : 33 df c6 09 b2 7a e3 6f 97 70 1e 14 ed 94 - - - -Housley, et. al. Standards Track [Page 122] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -D.3 End-Entity Certificate Using RSA - - This section contains an annotated hex dump of a 675 byte version 3 - certificate. The certificate contains the following information: - (a) the serial number is 256; - (b) the certificate is signed with RSA and the MD2 hash algorithm; - (c) the issuer's distinguished name is OU=Dept. Arquitectura de - Computadors; O=Universitat Politecnica de Catalunya; C=ES - (d) and the subject's distinguished name is CN=Francisco Jordan; - OU=Dept. 
Arquitectura de Computadors; O=Universitat Politecnica de - Catalunya; C=ES - (e) the certificate was issued on May 21, 1996 and expired on May 21, - 1997; - (f) the certificate contains a 768 bit RSA public key; - (g) the certificate is an end entity certificate (not a CA - certificate); - (h) the certificate includes an alternative subject name and an - alternative issuer name - bothe are URLs; - (i) the certificate include an authority key identifier and - certificate policies extensions; and - (j) the certificate includes a critical key usage extension - specifying the public is intended for generation of digital - signatures. - -0000 30 80 : SEQUENCE (size undefined) -0002 30 82 02 40 576: . SEQUENCE -0006 a0 03 3: . . [0] -0008 02 01 1: . . . INTEGER 2 - : 02 -0011 02 02 2: . . INTEGER 256 - : 01 00 -0015 30 0d 13: . . SEQUENCE -0017 06 09 9: . . . OID 1.2.840.113549.1.1.2: - MD2WithRSAEncryption - : 2a 86 48 86 f7 0d 01 01 02 -0028 05 00 0: . . . NULL -0030 30 68 88: . . SEQUENCE -0032 31 0b 11: . . . SET -0034 30 09 9: . . . . SEQUENCE -0036 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0041 13 02 2: . . . . . PrintableString 'ES' - : 45 53 -0045 31 2d 45: . . . SET -0047 30 2b 43: . . . . SEQUENCE -0049 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0054 13 24 36: . . . . . PrintableString - - - -Housley, et. al. Standards Track [Page 123] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - 'Universitat Politecnica de Catalunya' - : 55 6e 69 76 65 72 73 69 74 61 74 20 50 6f 6c 69 - : 74 65 63 6e 69 63 61 20 64 65 20 43 61 74 61 6c - : 75 6e 79 61 -0092 31 2a 42: . . . SET -0094 30 28 40: . . . . SEQUENCE -0096 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0101 13 21 33: . . . . . PrintableString - 'OU=Dept. Arquitectura de Computadors' - : 44 65 70 74 2e 20 41 72 71 75 69 74 65 63 74 75 - : 72 61 20 64 65 20 43 6f 6d 70 75 74 61 64 6f 72 - : 73 -0136 30 1e 30: . . SEQUENCE -0138 17 0d 13: . . . 
UTCTime '960521095826Z' - : 39 36 30 37 32 32 31 37 33 38 30 32 5a -0153 17 0d 13: . . . UTCTime '979521095826Z' - : 39 37 30 37 32 32 31 37 33 38 30 32 5a -0168 30 81 83 112: . . SEQUENCE -0171 31 0b 11: . . . SET -0173 30 09 9: . . . . SEQUENCE -0175 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0180 13 02 2: . . . . . PrintableString 'ES' - : 45 53 -0184 31 2d 12: . . . SET -0186 30 2b 16: . . . . SEQUENCE -0188 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0193 13 24 36: . . . . . PrintableString - 'Universitat Politecnica de Catalunya' - : 55 6e 69 76 65 72 73 69 74 61 74 20 50 6f 6c 69 - : 74 65 63 6e 69 63 61 20 64 65 20 43 61 74 61 6c - : 75 6e 79 61 -0231 31 2a 42: . . . SET -0233 30 28 40: . . . . SEQUENCE -0235 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b -0240 13 21 33: . . . . . PrintableString - 'Dept. Arquitectura de Computadors' - : 44 65 70 74 2e 20 41 72 71 75 69 74 65 63 74 75 - : 72 61 20 64 65 20 43 6f 6d 70 75 74 61 64 6f 72 - : 73 -0275 31 19 22: . . . SET -0277 30 17 20: . . . . SEQUENCE -0279 06 03 3: . . . . . OID 2.5.4.3: CN - : 55 04 03 -0284 13 10 16: . . . . . PrintableString 'Francisco Jordan' - - - -Housley, et. al. Standards Track [Page 124] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - - : 46 72 61 6e 63 69 73 63 6f 20 4a 6f 72 64 61 6e -0302 30 7c 2: . . SEQUENCE -0304 30 0d 13: . . . SEQUENCE -0306 06 09 9: . . . . OID 1.2.840.113549.1.1.1: RSAEncryption - : 2a 86 48 86 f7 0d 01 01 01 -0317 05 00 0: . . . . NULL -0319 03 6b 107: . . . BIT STRING - : 00 (0 unused bits) - : 30 68 02 61 00 be aa 8b 77 54 a3 af ca 77 9f 2f - : b0 cf 43 88 ff a6 6d 79 55 5b 61 8c 68 ec 48 1e - : 8a 86 38 a4 fe 19 b8 62 17 1d 9d 0f 47 2c ff 63 - : 8f 29 91 04 d1 52 bc 7f 67 b6 b2 8f 74 55 c1 33 - : 21 6c 8f ab 01 95 24 c8 b2 73 93 9d 22 61 50 a9 - : 35 fb 9d 57 50 32 ef 56 52 50 93 ab b1 88 94 78 - : 56 15 c6 1c 8b 02 03 01 00 01 -0428 a3 81 97 151: . . [3] -0431 30 3c 60: . . . SEQUENCE -0433 30 1f 31: . . . . 
SEQUENCE -0435 06 03 3: . . . . . OID 2.5.29.35: authorityKeyIdentifier - : 55 1d 23 -0440 04 14 22: . . . . . OCTET STRING - : 30 12 80 10 0e 6b 3a bf 04 ea 04 c3 0e 6b 3a bf - : 04 ea 04 c3 -0464 30 19 25: . . . . SEQUENCE -0466 06 03 3: . . . . . OID 2.5.29.15: keyUsage - : 55 1d 0f -0471 01 01 1: . . . . . TRUE -0474 04 04 4: . . . . . OCTET STRING - : 03 02 07 80 -0480 30 19 25: . . . . SEQUENCE -0482 06 03 3: . . . . . OID 2.5.29.32: certificatePolicies - : 55 1d 20 -0487 04 21 33: . . . . . OCTET STRING - : 30 1f 30 1d 06 04 2a 84 80 00 30 15 30 07 06 05 - : 2a 84 80 00 01 30 0a 06 05 2a 84 80 00 02 02 01 - : 0a -0522 30 1c 28: . . . . SEQUENCE -0524 06 03 3: . . . . . OID 2.5.29.17: subjectAltName - : 55 1d 11 -0529 04 15 21: . . . . . OCTET STRING - : 30 13 86 11 68 74 74 70 3a 2f 2f 61 63 2e 75 70 - : 63 2e 65 73 2f -0552 30 19 25: . . . . SEQUENCE -0554 06 03 3: . . . . . OID 2.5.29.18: issuerAltName - : 55 1d 12 -0559 04 12 18: . . . . . OCTET STRING - : 30 14 86 12 68 74 74 70 3a 2f 2f 77 77 77 2e 75 - : 70 63 2e 65 - - - -Housley, et. al. Standards Track [Page 125] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -0579 30 80 : . SEQUENCE (indefinite length) -0581 06 07 7: . . OID -0583 05 00 0: . . NULL -0585 00 00 0: . . end of contents marker -0587 03 81 81 47: . BIT STRING - : 00 (0 unused bits) - : 5c 01 bd b5 41 88 87 7a 0e d3 0e 6b 3a bf 04 ea - : 04 cb 5f 61 72 3c a3 bd 78 f5 66 17 fe 37 3a ab - : eb 67 bf b7 da a8 38 f6 33 15 71 75 2f b9 8c 91 - : a0 e4 87 ba 4b 43 a0 22 8f d3 a9 86 43 89 e6 50 - : 5c 01 bd b5 41 88 87 7a 0e d3 0e 6b 3a bf 04 ea - : 04 cb 5f 61 72 3c a3 bd 78 f5 66 17 fe 37 3a ab - : eb 67 bf b7 da a8 38 f6 33 15 71 75 2f b9 8c 91 - : a0 e4 87 ba 4b 43 a0 22 8f d3 a9 86 43 89 e6 50 -0637 00 00 0: . . end of contents marker - -D.4 Certificate Revocation List - - This section contains an annotated hex dump of a version 2 CRL with - one extension (cRLNumber). 
The CRL was issued by OU=nist;O=gov;C=us - on July 7, 1996; the next scheduled issuance was August 7, 1996. The - CRL includes one revoked certificates: serial number 18 (12 hex). - The CRL itself is number 18, and it was signed with DSA and SHA-1. - -0000 30 81 ba 186: SEQUENCE -0003 30 7c 124: . SEQUENCE -0005 02 01 1: . . INTEGER 1 - : 01 -0008 30 09 9: . . SEQUENCE -0010 06 07 7: . . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0019 30 2a 42: . . SEQUENCE -0021 31 0b 11: . . . SET -0023 30 09 9: . . . . SEQUENCE -0025 06 03 3: . . . . . OID 2.5.4.6: C - : 55 04 06 -0030 13 02 2: . . . . . PrintableString 'US' - : 55 53 -0034 31 0c 12: . . . SET -0036 30 0a 10: . . . . SEQUENCE -0038 06 03 3: . . . . . OID 2.5.4.10: O - : 55 04 0a -0043 13 03 3: . . . . . PrintableString 'gov' - : 67 6f 76 -0048 31 0d 13: . . . SET -0050 30 0b 11: . . . . SEQUENCE -0052 06 03 3: . . . . . OID 2.5.4.11: OU - : 55 04 0b - - - -Housley, et. al. Standards Track [Page 126] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -0057 13 04 4: . . . . . PrintableString 'nist' - : 6e 69 73 74 -0063 17 0d 13: . . UTCTime '970801000000Z' - : 39 37 30 38 30 31 30 30 30 30 30 30 5a -0078 17 0d 13: . . UTCTime '970808000000Z' - : 39 37 30 38 30 38 30 30 30 30 30 30 5a -0093 30 22 34: . . SEQUENCE -0095 30 20 32: . . . SEQUENCE -0097 02 01 1: . . . . INTEGER 18 - : 12 -0100 17 0d 13: . . . . UTCTime '970731000000Z' - : 39 37 30 37 33 31 30 30 30 30 30 30 5a -0115 30 0c 12: . . . . SEQUENCE -0117 30 0a 10: . . . . . SEQUENCE -0119 06 03 3: . . . . . . OID 2.5.29.21: reasonCode - : 55 1d 15 -0124 04 03 3: . . . . . . OCTET STRING - : 0a 01 01 -0129 30 09 9: . SEQUENCE -0131 06 07 7: . . OID 1.2.840.10040.4.3: dsa-with-sha - : 2a 86 48 ce 38 04 03 -0140 03 2f 47: . 
BIT STRING (0 unused bits) - : 30 2c 02 14 9e d8 6b c1 7d c2 c4 02 f5 17 84 f9 - : 9f 46 7a ca cf b7 05 8a 02 14 9e 43 39 85 dc ea - : 14 13 72 93 54 5d 44 44 e5 05 fe 73 9a b2 - - - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 127] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix E. Authors' Addresses - - Russell Housley - SPYRUS - 381 Elden Street - Suite 1120 - Herndon, VA 20170 - USA - - EMail: housley@spyrus.com - - - Warwick Ford - VeriSign, Inc. - One Alewife Center - Cambridge, MA 02140 - USA - - EMail: wford@verisign.com - - - Tim Polk - NIST - Building 820, Room 426 - Gaithersburg, MD 20899 - USA - - EMail: wpolk@nist.gov - - - David Solo - Citicorp - 666 Fifth Ave, 3rd Floor - New York, NY 10103 - USA - - EMail: david.solo@citicorp.com - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 128] - -RFC 2459 Internet X.509 Public Key Infrastructure January 1999 - - -Appendix F. Full Copyright Statement - - Copyright (C) The Internet Society (1999). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. 
- - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - - - - - - - - - - - - - - - - - - - - - - - -Housley, et. al. Standards Track [Page 129] - diff --git a/doc/protocol/rfc3280.txt b/doc/protocol/rfc3280.txt new file mode 100644 index 0000000000..433908bb75 --- /dev/null +++ b/doc/protocol/rfc3280.txt 
@@ -0,0 +1,7227 @@ + + + + + + +Network Working Group R. Housley +Request for Comments: 3280 RSA Laboratories +Obsoletes: 2459 W. Polk +Category: Standards Track NIST + W. Ford + VeriSign + D. Solo + Citigroup + April 2002 + + Internet X.509 Public Key Infrastructure + Certificate and Certificate Revocation List (CRL) Profile + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2002). All Rights Reserved. + +Abstract + + This memo profiles the X.509 v3 certificate and X.509 v2 Certificate + Revocation List (CRL) for use in the Internet. An overview of this + approach and model are provided as an introduction. The X.509 v3 + certificate format is described in detail, with additional + information regarding the format and semantics of Internet name + forms. Standard certificate extensions are described and two + Internet-specific extensions are defined. A set of required + certificate extensions is specified. The X.509 v2 CRL format is + described in detail, and required extensions are defined. An + algorithm for X.509 certification path validation is described. An + ASN.1 module and examples are provided in the appendices. + +Table of Contents + + 1 Introduction . . . . . . . . . . . . . . . . . . . . . . 4 + 2 Requirements and Assumptions . . . . . . . . . . . . . . 5 + 2.1 Communication and Topology . . . . . . . . . . . . . . 6 + 2.2 Acceptability Criteria . . . . . . . . . . . . . . . . 6 + 2.3 User Expectations . . . . . . . . . . . . . . . . . . . 7 + 2.4 Administrator Expectations . . . . . . . . . . . . . . 7 + 3 Overview of Approach . . . . . . . . . . . . . . . . . . 
7 + + + +Housley, et. al. Standards Track [Page 1] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + 3.1 X.509 Version 3 Certificate . . . . . . . . . . . . . . 8 + 3.2 Certification Paths and Trust . . . . . . . . . . . . . 9 + 3.3 Revocation . . . . . . . . . . . . . . . . . . . . . . 11 + 3.4 Operational Protocols . . . . . . . . . . . . . . . . . 13 + 3.5 Management Protocols . . . . . . . . . . . . . . . . . 13 + 4 Certificate and Certificate Extensions Profile . . . . . 14 + 4.1 Basic Certificate Fields . . . . . . . . . . . . . . . 15 + 4.1.1 Certificate Fields . . . . . . . . . . . . . . . . . 16 + 4.1.1.1 tbsCertificate . . . . . . . . . . . . . . . . . . 16 + 4.1.1.2 signatureAlgorithm . . . . . . . . . . . . . . . . 16 + 4.1.1.3 signatureValue . . . . . . . . . . . . . . . . . . 16 + 4.1.2 TBSCertificate . . . . . . . . . . . . . . . . . . . 17 + 4.1.2.1 Version . . . . . . . . . . . . . . . . . . . . . . 17 + 4.1.2.2 Serial number . . . . . . . . . . . . . . . . . . . 17 + 4.1.2.3 Signature . . . . . . . . . . . . . . . . . . . . . 18 + 4.1.2.4 Issuer . . . . . . . . . . . . . . . . . . . . . . 18 + 4.1.2.5 Validity . . . . . . . . . . . . . . . . . . . . . 22 + 4.1.2.5.1 UTCTime . . . . . . . . . . . . . . . . . . . . . 22 + 4.1.2.5.2 GeneralizedTime . . . . . . . . . . . . . . . . . 22 + 4.1.2.6 Subject . . . . . . . . . . . . . . . . . . . . . . 23 + 4.1.2.7 Subject Public Key Info . . . . . . . . . . . . . . 24 + 4.1.2.8 Unique Identifiers . . . . . . . . . . . . . . . . 24 + 4.1.2.9 Extensions . . . . . . . . . . . . . . . . . . . . . 24 + 4.2 Certificate Extensions . . . . . . . . . . . . . . . . 24 + 4.2.1 Standard Extensions . . . . . . . . . . . . . . . . . 25 + 4.2.1.1 Authority Key Identifier . . . . . . . . . . . . . 26 + 4.2.1.2 Subject Key Identifier . . . . . . . . . . . . . . 27 + 4.2.1.3 Key Usage . . . . . . . . . . . . . . . . . . . . . 28 + 4.2.1.4 Private Key Usage Period . . . . . . . . . . . . . 
29 + 4.2.1.5 Certificate Policies . . . . . . . . . . . . . . . 30 + 4.2.1.6 Policy Mappings . . . . . . . . . . . . . . . . . . 33 + 4.2.1.7 Subject Alternative Name . . . . . . . . . . . . . 33 + 4.2.1.8 Issuer Alternative Name . . . . . . . . . . . . . . 36 + 4.2.1.9 Subject Directory Attributes . . . . . . . . . . . 36 + 4.2.1.10 Basic Constraints . . . . . . . . . . . . . . . . 36 + 4.2.1.11 Name Constraints . . . . . . . . . . . . . . . . . 37 + 4.2.1.12 Policy Constraints . . . . . . . . . . . . . . . . 40 + 4.2.1.13 Extended Key Usage . . . . . . . . . . . . . . . . 40 + 4.2.1.14 CRL Distribution Points . . . . . . . . . . . . . 42 + 4.2.1.15 Inhibit Any-Policy . . . . . . . . . . . . . . . . 44 + 4.2.1.16 Freshest CRL . . . . . . . . . . . . . . . . . . . 44 + 4.2.2 Internet Certificate Extensions . . . . . . . . . . . 45 + 4.2.2.1 Authority Information Access . . . . . . . . . . . 45 + 4.2.2.2 Subject Information Access . . . . . . . . . . . . 46 + 5 CRL and CRL Extensions Profile . . . . . . . . . . . . . 48 + 5.1 CRL Fields . . . . . . . . . . . . . . . . . . . . . . 49 + 5.1.1 CertificateList Fields . . . . . . . . . . . . . . . 50 + 5.1.1.1 tbsCertList . . . . . . . . . . . . . . . . . . . . 50 + + + +Housley, et. al. Standards Track [Page 2] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + 5.1.1.2 signatureAlgorithm . . . . . . . . . . . . . . . . 50 + 5.1.1.3 signatureValue . . . . . . . . . . . . . . . . . . 51 + 5.1.2 Certificate List "To Be Signed" . . . . . . . . . . . 51 + 5.1.2.1 Version . . . . . . . . . . . . . . . . . . . . . . 52 + 5.1.2.2 Signature . . . . . . . . . . . . . . . . . . . . . 52 + 5.1.2.3 Issuer Name . . . . . . . . . . . . . . . . . . . . 52 + 5.1.2.4 This Update . . . . . . . . . . . . . . . . . . . . 52 + 5.1.2.5 Next Update . . . . . . . . . . . . . . . . . . . . 53 + 5.1.2.6 Revoked Certificates . . . . . . . . . . . . . . . 53 + 5.1.2.7 Extensions . . . . . . . . . . . . . . . . . . . . 
53 + 5.2 CRL Extensions . . . . . . . . . . . . . . . . . . . . 53 + 5.2.1 Authority Key Identifier . . . . . . . . . . . . . . 54 + 5.2.2 Issuer Alternative Name . . . . . . . . . . . . . . . 54 + 5.2.3 CRL Number . . . . . . . . . . . . . . . . . . . . . 55 + 5.2.4 Delta CRL Indicator . . . . . . . . . . . . . . . . . 55 + 5.2.5 Issuing Distribution Point . . . . . . . . . . . . . 58 + 5.2.6 Freshest CRL . . . . . . . . . . . . . . . . . . . . 59 + 5.3 CRL Entry Extensions . . . . . . . . . . . . . . . . . 60 + 5.3.1 Reason Code . . . . . . . . . . . . . . . . . . . . . 60 + 5.3.2 Hold Instruction Code . . . . . . . . . . . . . . . . 61 + 5.3.3 Invalidity Date . . . . . . . . . . . . . . . . . . . 62 + 5.3.4 Certificate Issuer . . . . . . . . . . . . . . . . . 62 + 6 Certificate Path Validation . . . . . . . . . . . . . . . 62 + 6.1 Basic Path Validation . . . . . . . . . . . . . . . . . 63 + 6.1.1 Inputs . . . . . . . . . . . . . . . . . . . . . . . 66 + 6.1.2 Initialization . . . . . . . . . . . . . . . . . . . 67 + 6.1.3 Basic Certificate Processing . . . . . . . . . . . . 70 + 6.1.4 Preparation for Certificate i+1 . . . . . . . . . . . 75 + 6.1.5 Wrap-up procedure . . . . . . . . . . . . . . . . . . 78 + 6.1.6 Outputs . . . . . . . . . . . . . . . . . . . . . . . 80 + 6.2 Extending Path Validation . . . . . . . . . . . . . . . 80 + 6.3 CRL Validation . . . . . . . . . . . . . . . . . . . . 81 + 6.3.1 Revocation Inputs . . . . . . . . . . . . . . . . . . 82 + 6.3.2 Initialization and Revocation State Variables . . . . 82 + 6.3.3 CRL Processing . . . . . . . . . . . . . . . . . . . 83 + 7 References . . . . . . . . . . . . . . . . . . . . . . . 86 + 8 Intellectual Property Rights . . . . . . . . . . . . . . 88 + 9 Security Considerations . . . . . . . . . . . . . . . . . 89 + Appendix A. ASN.1 Structures and OIDs . . . . . . . . . . . 92 + A.1 Explicitly Tagged Module, 1988 Syntax . . . . . . . . . 92 + A.2 Implicitly Tagged Module, 1988 Syntax . . . . . . . . 
. 105 + Appendix B. ASN.1 Notes . . . . . . . . . . . . . . . . . . 112 + Appendix C. Examples . . . . . . . . . . . . . . . . . . . 115 + C.1 DSA Self-Signed Certificate . . . . . . . . . . . . . . 115 + C.2 End Entity Certificate Using DSA . . . . . . . . . . . 119 + C.3 End Entity Certificate Using RSA . . . . . . . . . . . 122 + C.4 Certificate Revocation List . . . . . . . . . . . . . . 126 + Author Addresses . . . . . . . . . . . . . . . . . . . . . . 128 + + + +Housley, et. al. Standards Track [Page 3] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Full Copyright Statement . . . . . . . . . . . . . . . . . . 129 + +1 Introduction + + This specification is one part of a family of standards for the X.509 + Public Key Infrastructure (PKI) for the Internet. + + This specification profiles the format and semantics of certificates + and certificate revocation lists (CRLs) for the Internet PKI. + Procedures are described for processing of certification paths in the + Internet environment. Finally, ASN.1 modules are provided in the + appendices for all data structures defined or referenced. + + Section 2 describes Internet PKI requirements, and the assumptions + which affect the scope of this document. Section 3 presents an + architectural model and describes its relationship to previous IETF + and ISO/IEC/ITU-T standards. In particular, this document's + relationship with the IETF PEM specifications and the ISO/IEC/ITU-T + X.509 documents are described. + + Section 4 profiles the X.509 version 3 certificate, and section 5 + profiles the X.509 version 2 CRL. The profiles include the + identification of ISO/IEC/ITU-T and ANSI extensions which may be + useful in the Internet PKI. The profiles are presented in the 1988 + Abstract Syntax Notation One (ASN.1) rather than the 1997 ASN.1 + syntax used in the most recent ISO/IEC/ITU-T standards. + + Section 6 includes certification path validation procedures. 
These + procedures are based upon the ISO/IEC/ITU-T definition. + Implementations are REQUIRED to derive the same results but are not + required to use the specified procedures. + + Procedures for identification and encoding of public key materials + and digital signatures are defined in [PKIXALGS]. Implementations of + this specification are not required to use any particular + cryptographic algorithms. However, conforming implementations which + use the algorithms identified in [PKIXALGS] MUST identify and encode + the public key materials and digital signatures as described in that + specification. + + Finally, three appendices are provided to aid implementers. Appendix + A contains all ASN.1 structures defined or referenced within this + specification. As above, the material is presented in the 1988 + ASN.1. Appendix B contains notes on less familiar features of the + ASN.1 notation used within this specification. Appendix C contains + examples of a conforming certificate and a conforming CRL. + + + + + +Housley, et. al. Standards Track [Page 4] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + This specification obsoletes RFC 2459. This specification differs + from RFC 2459 in five basic areas: + + * To promote interoperable implementations, a detailed algorithm + for certification path validation is included in section 6.1 of + this specification; RFC 2459 provided only a high-level + description of path validation. + + * An algorithm for determining the status of a certificate using + CRLs is provided in section 6.3 of this specification. This + material was not present in RFC 2459. + + * To accommodate new usage models, detailed information describing + the use of delta CRLs is provided in Section 5 of this + specification. + + * Identification and encoding of public key materials and digital + signatures are not included in this specification, but are now + described in a companion specification [PKIXALGS]. 
+ + * Four additional extensions are specified: three certificate + extensions and one CRL extension. The certificate extensions are + subject info access, inhibit any-policy, and freshest CRL. The + freshest CRL extension is also defined as a CRL extension. + + * Throughout the specification, clarifications have been + introduced to enhance consistency with the ITU-T X.509 + specification. X.509 defines the certificate and CRL format as + well as many of the extensions that appear in this specification. + These changes were introduced to improve the likelihood of + interoperability between implementations based on this + specification with implementations based on the ITU-T + specification. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119. + +2 Requirements and Assumptions + + The goal of this specification is to develop a profile to facilitate + the use of X.509 certificates within Internet applications for those + communities wishing to make use of X.509 technology. Such + applications may include WWW, electronic mail, user authentication, + and IPsec. In order to relieve some of the obstacles to using X.509 + + + + + + +Housley, et. al. Standards Track [Page 5] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + certificates, this document defines a profile to promote the + development of certificate management systems; development of + application tools; and interoperability determined by policy. + + Some communities will need to supplement, or possibly replace, this + profile in order to meet the requirements of specialized application + domains or environments with additional authorization, assurance, or + operational requirements. 
However, for basic applications, common + representations of frequently used attributes are defined so that + application developers can obtain necessary information without + regard to the issuer of a particular certificate or certificate + revocation list (CRL). + + A certificate user should review the certificate policy generated by + the certification authority (CA) before relying on the authentication + or non-repudiation services associated with the public key in a + particular certificate. To this end, this standard does not + prescribe legally binding rules or duties. + + As supplemental authorization and attribute management tools emerge, + such as attribute certificates, it may be appropriate to limit the + authenticated attributes that are included in a certificate. These + other management tools may provide more appropriate methods of + conveying many authenticated attributes. + +2.1 Communication and Topology + + The users of certificates will operate in a wide range of + environments with respect to their communication topology, especially + users of secure electronic mail. This profile supports users without + high bandwidth, real-time IP connectivity, or high connection + availability. In addition, the profile allows for the presence of + firewall or other filtered communication. + + This profile does not assume the deployment of an X.500 Directory + system or a LDAP directory system. The profile does not prohibit the + use of an X.500 Directory or a LDAP directory; however, any means of + distributing certificates and certificate revocation lists (CRLs) may + be used. + +2.2 Acceptability Criteria + + The goal of the Internet Public Key Infrastructure (PKI) is to meet + the needs of deterministic, automated identification, authentication, + access control, and authorization functions. 
Support for these + services determines the attributes contained in the certificate as + well as the ancillary control information in the certificate such as + policy data and certification path constraints. + + + +Housley, et. al. Standards Track [Page 6] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +2.3 User Expectations + + Users of the Internet PKI are people and processes who use client + software and are the subjects named in certificates. These uses + include readers and writers of electronic mail, the clients for WWW + browsers, WWW servers, and the key manager for IPsec within a router. + This profile recognizes the limitations of the platforms these users + employ and the limitations in sophistication and attentiveness of the + users themselves. This manifests itself in minimal user + configuration responsibility (e.g., trusted CA keys, rules), explicit + platform usage constraints within the certificate, certification path + constraints which shield the user from many malicious actions, and + applications which sensibly automate validation functions. + +2.4 Administrator Expectations + + As with user expectations, the Internet PKI profile is structured to + support the individuals who generally operate CAs. Providing + administrators with unbounded choices increases the chances that a + subtle CA administrator mistake will result in broad compromise. + Also, unbounded choices greatly complicate the software that process + and validate the certificates created by the CA. + +3 Overview of Approach + + Following is a simplified view of the architectural model assumed by + the PKIX specifications. 
+ + The components in this model are: + + end entity: user of PKI certificates and/or end user system that is + the subject of a certificate; + CA: certification authority; + RA: registration authority, i.e., an optional system to which + a CA delegates certain management functions; + CRL issuer: an optional system to which a CA delegates the + publication of certificate revocation lists; + repository: a system or collection of distributed systems that stores + certificates and CRLs and serves as a means of + distributing these certificates and CRLs to end entities. + + Note that an Attribute Authority (AA) might also choose to delegate + the publication of CRLs to a CRL issuer. + + + + + + + + +Housley, et. al. Standards Track [Page 7] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +---+ + | C | +------------+ + | e | <-------------------->| End entity | + | r | Operational +------------+ + | t | transactions ^ + | i | and management | Management + | f | transactions | transactions PKI + | i | | users + | c | v + | a | ======================= +--+------------+ ============== + | t | ^ ^ + | e | | | PKI + | | v | management + | & | +------+ | entities + | | <---------------------| RA |<----+ | + | C | Publish certificate +------+ | | + | R | | | + | L | | | + | | v v + | R | +------------+ + | e | <------------------------------| CA | + | p | Publish certificate +------------+ + | o | Publish CRL ^ ^ + | s | | | Management + | i | +------------+ | | transactions + | t | <--------------| CRL Issuer |<----+ | + | o | Publish CRL +------------+ v + | r | +------+ + | y | | CA | + +---+ +------+ + + Figure 1 - PKI Entities + +3.1 X.509 Version 3 Certificate + + Users of a public key require confidence that the associated private + key is owned by the correct remote subject (person or system) with + which an encryption or digital signature mechanism will be used. 
+ This confidence is obtained through the use of public key + certificates, which are data structures that bind public key values + to subjects. The binding is asserted by having a trusted CA + digitally sign each certificate. The CA may base this assertion upon + technical means (a.k.a., proof of possession through a challenge- + response protocol), presentation of the private key, or on an + assertion by the subject. A certificate has a limited valid lifetime + which is indicated in its signed contents. Because a certificate's + signature and timeliness can be independently checked by a + certificate-using client, certificates can be distributed via + + + +Housley, et. al. Standards Track [Page 8] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + untrusted communications and server systems, and can be cached in + unsecured storage in certificate-using systems. + + ITU-T X.509 (formerly CCITT X.509) or ISO/IEC 9594-8, which was first + published in 1988 as part of the X.500 Directory recommendations, + defines a standard certificate format [X.509]. The certificate + format in the 1988 standard is called the version 1 (v1) format. + When X.500 was revised in 1993, two more fields were added, resulting + in the version 2 (v2) format. + + The Internet Privacy Enhanced Mail (PEM) RFCs, published in 1993, + include specifications for a public key infrastructure based on X.509 + v1 certificates [RFC 1422]. The experience gained in attempts to + deploy RFC 1422 made it clear that the v1 and v2 certificate formats + are deficient in several respects. Most importantly, more fields + were needed to carry information which PEM design and implementation + experience had proven necessary. In response to these new + requirements, ISO/IEC, ITU-T and ANSI X9 developed the X.509 version + 3 (v3) certificate format. The v3 format extends the v2 format by + adding provision for additional extension fields. 
Particular + extension field types may be specified in standards or may be defined + and registered by any organization or community. In June 1996, + standardization of the basic v3 format was completed [X.509]. + + ISO/IEC, ITU-T, and ANSI X9 have also developed standard extensions + for use in the v3 extensions field [X.509][X9.55]. These extensions + can convey such data as additional subject identification + information, key attribute information, policy information, and + certification path constraints. + + However, the ISO/IEC, ITU-T, and ANSI X9 standard extensions are very + broad in their applicability. In order to develop interoperable + implementations of X.509 v3 systems for Internet use, it is necessary + to specify a profile for use of the X.509 v3 extensions tailored for + the Internet. It is one goal of this document to specify a profile + for Internet WWW, electronic mail, and IPsec applications. + Environments with additional requirements may build on this profile + or may replace it. + +3.2 Certification Paths and Trust + + A user of a security service requiring knowledge of a public key + generally needs to obtain and validate a certificate containing the + required public key. If the public key user does not already hold an + assured copy of the public key of the CA that signed the certificate, + the CA's name, and related information (such as the validity period + or name constraints), then it might need an additional certificate to + obtain that public key. In general, a chain of multiple certificates + + + +Housley, et. al. Standards Track [Page 9] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + may be needed, comprising a certificate of the public key owner (the + end entity) signed by one CA, and zero or more additional + certificates of CAs signed by other CAs. Such chains, called + certification paths, are required because a public key user is only + initialized with a limited number of assured CA public keys. 
+ + There are different ways in which CAs might be configured in order + for public key users to be able to find certification paths. For + PEM, RFC 1422 defined a rigid hierarchical structure of CAs. There + are three types of PEM certification authority: + + (a) Internet Policy Registration Authority (IPRA): This + authority, operated under the auspices of the Internet Society, + acts as the root of the PEM certification hierarchy at level 1. + It issues certificates only for the next level of authorities, + PCAs. All certification paths start with the IPRA. + + (b) Policy Certification Authorities (PCAs): PCAs are at level 2 + of the hierarchy, each PCA being certified by the IPRA. A PCA + shall establish and publish a statement of its policy with respect + to certifying users or subordinate certification authorities. + Distinct PCAs aim to satisfy different user needs. For example, + one PCA (an organizational PCA) might support the general + electronic mail needs of commercial organizations, and another PCA + (a high-assurance PCA) might have a more stringent policy designed + for satisfying legally binding digital signature requirements. + + (c) Certification Authorities (CAs): CAs are at level 3 of the + hierarchy and can also be at lower levels. Those at level 3 are + certified by PCAs. CAs represent, for example, particular + organizations, particular organizational units (e.g., departments, + groups, sections), or particular geographical areas. + + RFC 1422 furthermore has a name subordination rule which requires + that a CA can only issue certificates for entities whose names are + subordinate (in the X.500 naming tree) to the name of the CA itself. + The trust associated with a PEM certification path is implied by the + PCA name. 
The name subordination rule ensures that CAs below the PCA + are sensibly constrained as to the set of subordinate entities they + can certify (e.g., a CA for an organization can only certify entities + in that organization's name tree). Certificate user systems are able + to mechanically check that the name subordination rule has been + followed. + + The RFC 1422 uses the X.509 v1 certificate formats. The limitations + of X.509 v1 required imposition of several structural restrictions to + clearly associate policy information or restrict the utility of + certificates. These restrictions included: + + + +Housley, et. al. Standards Track [Page 10] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (a) a pure top-down hierarchy, with all certification paths + starting from IPRA; + + (b) a naming subordination rule restricting the names of a CA's + subjects; and + + (c) use of the PCA concept, which requires knowledge of + individual PCAs to be built into certificate chain verification + logic. Knowledge of individual PCAs was required to determine if + a chain could be accepted. + + With X.509 v3, most of the requirements addressed by RFC 1422 can be + addressed using certificate extensions, without a need to restrict + the CA structures used. In particular, the certificate extensions + relating to certificate policies obviate the need for PCAs and the + constraint extensions obviate the need for the name subordination + rule. As a result, this document supports a more flexible + architecture, including: + + (a) Certification paths start with a public key of a CA in a + user's own domain, or with the public key of the top of a + hierarchy. Starting with the public key of a CA in a user's own + domain has certain advantages. In some environments, the local + domain is the most trusted. + + (b) Name constraints may be imposed through explicit inclusion of + a name constraints extension in a certificate, but are not + required. 
+ + (c) Policy extensions and policy mappings replace the PCA + concept, which permits a greater degree of automation. The + application can determine if the certification path is acceptable + based on the contents of the certificates instead of a priori + knowledge of PCAs. This permits automation of certification path + processing. + +3.3 Revocation + + When a certificate is issued, it is expected to be in use for its + entire validity period. However, various circumstances may cause a + certificate to become invalid prior to the expiration of the validity + period. Such circumstances include change of name, change of + association between subject and CA (e.g., an employee terminates + employment with an organization), and compromise or suspected + compromise of the corresponding private key. Under such + circumstances, the CA needs to revoke the certificate. + + + + + +Housley, et. al. Standards Track [Page 11] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + X.509 defines one method of certificate revocation. This method + involves each CA periodically issuing a signed data structure called + a certificate revocation list (CRL). A CRL is a time stamped list + identifying revoked certificates which is signed by a CA or CRL + issuer and made freely available in a public repository. Each + revoked certificate is identified in a CRL by its certificate serial + number. When a certificate-using system uses a certificate (e.g., + for verifying a remote user's digital signature), that system not + only checks the certificate signature and validity but also acquires + a suitably-recent CRL and checks that the certificate serial number + is not on that CRL. The meaning of "suitably-recent" may vary with + local policy, but it usually means the most recently-issued CRL. A + new CRL is issued on a regular periodic basis (e.g., hourly, daily, + or weekly). An entry is added to the CRL as part of the next update + following notification of revocation. 
An entry MUST NOT be removed + from the CRL until it appears on one regularly scheduled CRL issued + beyond the revoked certificate's validity period. + + An advantage of this revocation method is that CRLs may be + distributed by exactly the same means as certificates themselves, + namely, via untrusted servers and untrusted communications. + + One limitation of the CRL revocation method, using untrusted + communications and servers, is that the time granularity of + revocation is limited to the CRL issue period. For example, if a + revocation is reported now, that revocation will not be reliably + notified to certificate-using systems until all currently issued CRLs + are updated -- this may be up to one hour, one day, or one week + depending on the frequency that CRLs are issued. + + As with the X.509 v3 certificate format, in order to facilitate + interoperable implementations from multiple vendors, the X.509 v2 CRL + format needs to be profiled for Internet use. It is one goal of this + document to specify that profile. However, this profile does not + require the issuance of CRLs. Message formats and protocols + supporting on-line revocation notification are defined in other PKIX + specifications. On-line methods of revocation notification may be + applicable in some environments as an alternative to the X.509 CRL. + On-line revocation checking may significantly reduce the latency + between a revocation report and the distribution of the information + to relying parties. Once the CA accepts a revocation report as + authentic and valid, any query to the on-line service will correctly + reflect the certificate validation impacts of the revocation. + However, these methods impose new security requirements: the + certificate validator needs to trust the on-line validation service + while the repository does not need to be trusted. + + + + + +Housley, et. al. 
Standards Track [Page 12] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +3.4 Operational Protocols + + Operational protocols are required to deliver certificates and CRLs + (or status information) to certificate using client systems. + Provisions are needed for a variety of different means of certificate + and CRL delivery, including distribution procedures based on LDAP, + HTTP, FTP, and X.500. Operational protocols supporting these + functions are defined in other PKIX specifications. These + specifications may include definitions of message formats and + procedures for supporting all of the above operational environments, + including definitions of or references to appropriate MIME content + types. + +3.5 Management Protocols + + Management protocols are required to support on-line interactions + between PKI user and management entities. For example, a management + protocol might be used between a CA and a client system with which a + key pair is associated, or between two CAs which cross-certify each + other. The set of functions which potentially need to be supported + by management protocols include: + + (a) registration: This is the process whereby a user first makes + itself known to a CA (directly, or through an RA), prior to that + CA issuing a certificate or certificates for that user. + + (b) initialization: Before a client system can operate securely + it is necessary to install key materials which have the + appropriate relationship with keys stored elsewhere in the + infrastructure. For example, the client needs to be securely + initialized with the public key and other assured information of + the trusted CA(s), to be used in validating certificate paths. + + Furthermore, a client typically needs to be initialized with its + own key pair(s). 
+ + (c) certification: This is the process in which a CA issues a + certificate for a user's public key, and returns that certificate + to the user's client system and/or posts that certificate in a + repository. + + (d) key pair recovery: As an option, user client key materials + (e.g., a user's private key used for encryption purposes) may be + backed up by a CA or a key backup system. If a user needs to + recover these backed up key materials (e.g., as a result of a + forgotten password or a lost key chain file), an on-line protocol + exchange may be needed to support such recovery. + + + + +Housley, et. al. Standards Track [Page 13] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (e) key pair update: All key pairs need to be updated regularly, + i.e., replaced with a new key pair, and new certificates issued. + + (f) revocation request: An authorized person advises a CA of an + abnormal situation requiring certificate revocation. + + (g) cross-certification: Two CAs exchange information used in + establishing a cross-certificate. A cross-certificate is a + certificate issued by one CA to another CA which contains a CA + signature key used for issuing certificates. + + Note that on-line protocols are not the only way of implementing the + above functions. For all functions there are off-line methods of + achieving the same result, and this specification does not mandate + use of on-line protocols. For example, when hardware tokens are + used, many of the functions may be achieved as part of the physical + token delivery. Furthermore, some of the above functions may be + combined into one protocol exchange. In particular, two or more of + the registration, initialization, and certification functions can be + combined into one protocol exchange. + + The PKIX series of specifications defines a set of standard message + formats supporting the above functions. 
The protocols for conveying + these messages in different environments (e.g., e-mail, file + transfer, and WWW) are described in those specifications. + +4 Certificate and Certificate Extensions Profile + + This section presents a profile for public key certificates that will + foster interoperability and a reusable PKI. This section is based + upon the X.509 v3 certificate format and the standard certificate + extensions defined in [X.509]. The ISO/IEC and ITU-T documents use + the 1997 version of ASN.1; while this document uses the 1988 ASN.1 + syntax, the encoded certificate and standard extensions are + equivalent. This section also defines private extensions required to + support a PKI for the Internet community. + + Certificates may be used in a wide range of applications and + environments covering a broad spectrum of interoperability goals and + a broader spectrum of operational and assurance requirements. The + goal of this document is to establish a common baseline for generic + applications requiring broad interoperability and limited special + purpose requirements. In particular, the emphasis will be on + supporting the use of X.509 v3 certificates for informal Internet + electronic mail, IPsec, and WWW applications. + + + + + + +Housley, et. al. Standards Track [Page 14] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.1 Basic Certificate Fields + + The X.509 v3 certificate basic syntax is as follows. For signature + calculation, the data that is to be signed is encoded using the ASN.1 + distinguished encoding rules (DER) [X.690]. ASN.1 DER encoding is a + tag, length, value encoding system for each element. 
+ + Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signatureValue BIT STRING } + + TBSCertificate ::= SEQUENCE { + version [0] EXPLICIT Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] EXPLICIT Extensions OPTIONAL + -- If present, version MUST be v3 + } + + Version ::= INTEGER { v1(0), v2(1), v3(2) } + + CertificateSerialNumber ::= INTEGER + + Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + + Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + + UniqueIdentifier ::= BIT STRING + + SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + + Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + + + + +Housley, et. al. Standards Track [Page 15] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING } + + The following items describe the X.509 v3 certificate for use in the + Internet. + +4.1.1 Certificate Fields + + The Certificate is a SEQUENCE of three required fields. The fields + are described in detail in the following subsections. + +4.1.1.1 tbsCertificate + + The field contains the names of the subject and issuer, a public key + associated with the subject, a validity period, and other associated + information. The fields are described in detail in section 4.1.2; + the tbsCertificate usually includes extensions which are described in + section 4.2. 
+ +4.1.1.2 signatureAlgorithm + + The signatureAlgorithm field contains the identifier for the + cryptographic algorithm used by the CA to sign this certificate. + [PKIXALGS] lists supported signature algorithms, but other signature + algorithms MAY also be supported. + + An algorithm identifier is defined by the following ASN.1 structure: + + AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL } + + The algorithm identifier is used to identify a cryptographic + algorithm. The OBJECT IDENTIFIER component identifies the algorithm + (such as DSA with SHA-1). The contents of the optional parameters + field will vary according to the algorithm identified. + + This field MUST contain the same algorithm identifier as the + signature field in the sequence tbsCertificate (section 4.1.2.3). + +4.1.1.3 signatureValue + + The signatureValue field contains a digital signature computed upon + the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded + tbsCertificate is used as the input to the signature function. This + + + + +Housley, et. al. Standards Track [Page 16] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + signature value is encoded as a BIT STRING and included in the + signature field. The details of this process are specified for each + of algorithms listed in [PKIXALGS]. + + By generating this signature, a CA certifies the validity of the + information in the tbsCertificate field. In particular, the CA + certifies the binding between the public key material and the subject + of the certificate. + +4.1.2 TBSCertificate + + The sequence TBSCertificate contains information associated with the + subject of the certificate and the CA who issued it. Every + TBSCertificate contains the names of the subject and issuer, a public + key associated with the subject, a validity period, a version number, + and a serial number; some MAY contain optional unique identifier + fields. 
The remainder of this section describes the syntax and + semantics of these fields. A TBSCertificate usually includes + extensions. Extensions for the Internet PKI are described in Section + 4.2. + +4.1.2.1 Version + + This field describes the version of the encoded certificate. When + extensions are used, as expected in this profile, version MUST be 3 + (value is 2). If no extensions are present, but a UniqueIdentifier + is present, the version SHOULD be 2 (value is 1); however version MAY + be 3. If only basic fields are present, the version SHOULD be 1 (the + value is omitted from the certificate as the default value); however + the version MAY be 2 or 3. + + Implementations SHOULD be prepared to accept any version certificate. + At a minimum, conforming implementations MUST recognize version 3 + certificates. + + Generation of version 2 certificates is not expected by + implementations based on this profile. + +4.1.2.2 Serial number + + The serial number MUST be a positive integer assigned by the CA to + each certificate. It MUST be unique for each certificate issued by a + given CA (i.e., the issuer name and serial number identify a unique + certificate). CAs MUST force the serialNumber to be a non-negative + integer. + + + + + + +Housley, et. al. Standards Track [Page 17] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Given the uniqueness requirements above, serial numbers can be + expected to contain long integers. Certificate users MUST be able to + handle serialNumber values up to 20 octets. Conformant CAs MUST NOT + use serialNumber values longer than 20 octets. + + Note: Non-conforming CAs may issue certificates with serial numbers + that are negative, or zero. Certificate users SHOULD be prepared to + gracefully handle such certificates. + +4.1.2.3 Signature + + This field contains the algorithm identifier for the algorithm used + by the CA to sign the certificate. 
+ + This field MUST contain the same algorithm identifier as the + signatureAlgorithm field in the sequence Certificate (section + 4.1.1.2). The contents of the optional parameters field will vary + according to the algorithm identified. [PKIXALGS] lists the + supported signature algorithms, but other signature algorithms MAY + also be supported. + +4.1.2.4 Issuer + + The issuer field identifies the entity who has signed and issued the + certificate. The issuer field MUST contain a non-empty distinguished + name (DN). The issuer field is defined as the X.501 type Name + [X.501]. Name is defined by the following ASN.1 structures: + + Name ::= CHOICE { + RDNSequence } + + RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + + RelativeDistinguishedName ::= + SET OF AttributeTypeAndValue + + AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue } + + AttributeType ::= OBJECT IDENTIFIER + + AttributeValue ::= ANY DEFINED BY AttributeType + + + + + + + + +Housley, et. al. Standards Track [Page 18] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + DirectoryString ::= CHOICE { + teletexString TeletexString (SIZE (1..MAX)), + printableString PrintableString (SIZE (1..MAX)), + universalString UniversalString (SIZE (1..MAX)), + utf8String UTF8String (SIZE (1..MAX)), + bmpString BMPString (SIZE (1..MAX)) } + + The Name describes a hierarchical name composed of attributes, such + as country name, and corresponding values, such as US. The type of + the component AttributeValue is determined by the AttributeType; in + general it will be a DirectoryString. + + The DirectoryString type is defined as a choice of PrintableString, + TeletexString, BMPString, UTF8String, and UniversalString. The + UTF8String encoding [RFC 2279] is the preferred encoding, and all + certificates issued after December 31, 2003 MUST use the UTF8String + encoding of DirectoryString (except as noted below). 
Until that + date, conforming CAs MUST choose from the following options when + creating a distinguished name, including their own: + + (a) if the character set is sufficient, the string MAY be + represented as a PrintableString; + + (b) failing (a), if the BMPString character set is sufficient the + string MAY be represented as a BMPString; and + + (c) failing (a) and (b), the string MUST be represented as a + UTF8String. If (a) or (b) is satisfied, the CA MAY still choose + to represent the string as a UTF8String. + + Exceptions to the December 31, 2003 UTF8 encoding requirements are as + follows: + + (a) CAs MAY issue "name rollover" certificates to support an + orderly migration to UTF8String encoding. Such certificates would + include the CA's UTF8String encoded name as issuer and and the old + name encoding as subject, or vice-versa. + + (b) As stated in section 4.1.2.6, the subject field MUST be + populated with a non-empty distinguished name matching the + contents of the issuer field in all certificates issued by the + subject CA regardless of encoding. + + The TeletexString and UniversalString are included for backward + compatibility, and SHOULD NOT be used for certificates for new + subjects. However, these types MAY be used in certificates where the + name was previously established. Certificate users SHOULD be + prepared to receive certificates with these types. + + + +Housley, et. al. Standards Track [Page 19] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + In addition, many legacy implementations support names encoded in the + ISO 8859-1 character set (Latin1String) [ISO 8859-1] but tag them as + TeletexString. TeletexString encodes a larger character set than ISO + 8859-1, but it encodes some characters differently. Implementations + SHOULD be prepared to handle both encodings. + + As noted above, distinguished names are composed of attributes. 
This + specification does not restrict the set of attribute types that may + appear in names. However, conforming implementations MUST be + prepared to receive certificates with issuer names containing the set + of attribute types defined below. This specification RECOMMENDS + support for additional attribute types. + + Standard sets of attributes have been defined in the X.500 series of + specifications [X.520]. Implementations of this specification MUST + be prepared to receive the following standard attribute types in + issuer and subject (section 4.1.2.6) names: + + * country, + * organization, + * organizational-unit, + * distinguished name qualifier, + * state or province name, + * common name (e.g., "Susan Housley"), and + * serial number. + + In addition, implementations of this specification SHOULD be prepared + to receive the following standard attribute types in issuer and + subject names: + + * locality, + * title, + * surname, + * given name, + * initials, + * pseudonym, and + * generation qualifier (e.g., "Jr.", "3rd", or "IV"). + + The syntax and associated object identifiers (OIDs) for these + attribute types are provided in the ASN.1 modules in Appendix A. + + In addition, implementations of this specification MUST be prepared + to receive the domainComponent attribute, as defined in [RFC 2247]. + The Domain Name System (DNS) provides a hierarchical resource + labeling system. This attribute provides a convenient mechanism for + organizations that wish to use DNs that parallel their DNS names. + This is not a replacement for the dNSName component of the + + + + +Housley, et. al. Standards Track [Page 20] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + alternative name field. Implementations are not required to convert + such names into DNS names. The syntax and associated OID for this + attribute type is provided in the ASN.1 modules in Appendix A. 
+ + Certificate users MUST be prepared to process the issuer + distinguished name and subject distinguished name (section 4.1.2.6) + fields to perform name chaining for certification path validation + (section 6). Name chaining is performed by matching the issuer + distinguished name in one certificate with the subject name in a CA + certificate. + + This specification requires only a subset of the name comparison + functionality specified in the X.500 series of specifications. + Conforming implementations are REQUIRED to implement the following + name comparison rules: + + (a) attribute values encoded in different types (e.g., + PrintableString and BMPString) MAY be assumed to represent + different strings; + + (b) attribute values in types other than PrintableString are case + sensitive (this permits matching of attribute values as binary + objects); + + (c) attribute values in PrintableString are not case sensitive + (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and + + (d) attribute values in PrintableString are compared after + removing leading and trailing white space and converting internal + substrings of one or more consecutive white space characters to a + single space. + + These name comparison rules permit a certificate user to validate + certificates issued using languages or encodings unfamiliar to the + certificate user. + + In addition, implementations of this specification MAY use these + comparison rules to process unfamiliar attribute types for name + chaining. This allows implementations to process certificates with + unfamiliar attributes in the issuer name. + + Note that the comparison rules defined in the X.500 series of + specifications indicate that the character sets used to encode data + in distinguished names are irrelevant. The characters themselves are + compared without regard to encoding. Implementations of this profile + are permitted to use the comparison algorithm defined in the X.500 + series. 
Such an implementation will recognize a superset of name + matches recognized by the algorithm specified above. + + + +Housley, et. al. Standards Track [Page 21] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.1.2.5 Validity + + The certificate validity period is the time interval during which the + CA warrants that it will maintain information about the status of the + certificate. The field is represented as a SEQUENCE of two dates: + the date on which the certificate validity period begins (notBefore) + and the date on which the certificate validity period ends + (notAfter). Both notBefore and notAfter may be encoded as UTCTime or + GeneralizedTime. + + CAs conforming to this profile MUST always encode certificate + validity dates through the year 2049 as UTCTime; certificate validity + dates in 2050 or later MUST be encoded as GeneralizedTime. + + The validity period for a certificate is the period of time from + notBefore through notAfter, inclusive. + +4.1.2.5.1 UTCTime + + The universal time type, UTCTime, is a standard ASN.1 type intended + for representation of dates and time. UTCTime specifies the year + through the two low order digits and time is specified to the + precision of one minute or one second. UTCTime includes either Z + (for Zulu, or Greenwich Mean Time) or a time differential. + + For the purposes of this profile, UTCTime values MUST be expressed + Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are + YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming + systems MUST interpret the year field (YY) as follows: + + Where YY is greater than or equal to 50, the year SHALL be + interpreted as 19YY; and + + Where YY is less than 50, the year SHALL be interpreted as 20YY. + +4.1.2.5.2 GeneralizedTime + + The generalized time type, GeneralizedTime, is a standard ASN.1 type + for variable precision representation of time. 
Optionally, the + GeneralizedTime field can include a representation of the time + differential between local and Greenwich Mean Time. + + For the purposes of this profile, GeneralizedTime values MUST be + expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e., + times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. + GeneralizedTime values MUST NOT include fractional seconds. + + + + + +Housley, et. al. Standards Track [Page 22] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.1.2.6 Subject + + The subject field identifies the entity associated with the public + key stored in the subject public key field. The subject name MAY be + carried in the subject field and/or the subjectAltName extension. If + the subject is a CA (e.g., the basic constraints extension, as + discussed in 4.2.1.10, is present and the value of cA is TRUE), then + the subject field MUST be populated with a non-empty distinguished + name matching the contents of the issuer field (section 4.1.2.4) in + all certificates issued by the subject CA. If the subject is a CRL + issuer (e.g., the key usage extension, as discussed in 4.2.1.3, is + present and the value of cRLSign is TRUE) then the subject field MUST + be populated with a non-empty distinguished name matching the + contents of the issuer field (section 4.1.2.4) in all CRLs issued by + the subject CRL issuer. If subject naming information is present + only in the subjectAltName extension (e.g., a key bound only to an + email address or URI), then the subject name MUST be an empty + sequence and the subjectAltName extension MUST be critical. + + Where it is non-empty, the subject field MUST contain an X.500 + distinguished name (DN). The DN MUST be unique for each subject + entity certified by the one CA as defined by the issuer name field. + A CA MAY issue more than one certificate with the same DN to the same + subject entity. + + The subject name field is defined as the X.501 type Name. 
+ Implementation requirements for this field are those defined for the + issuer field (section 4.1.2.4). When encoding attribute values of + type DirectoryString, the encoding rules for the issuer field MUST be + implemented. Implementations of this specification MUST be prepared + to receive subject names containing the attribute types required for + the issuer field. Implementations of this specification SHOULD be + prepared to receive subject names containing the recommended + attribute types for the issuer field. The syntax and associated + object identifiers (OIDs) for these attribute types are provided in + the ASN.1 modules in Appendix A. Implementations of this + specification MAY use these comparison rules to process unfamiliar + attribute types (i.e., for name chaining). This allows + implementations to process certificates with unfamiliar attributes in + the subject name. + + In addition, legacy implementations exist where an RFC 822 name is + embedded in the subject distinguished name as an EmailAddress + attribute. The attribute value for EmailAddress is of type IA5String + to permit inclusion of the character '@', which is not part of the + PrintableString character set. EmailAddress attribute values are not + case sensitive (e.g., "fanfeedback@redsox.com" is the same as + "FANFEEDBACK@REDSOX.COM"). + + + +Housley, et. al. Standards Track [Page 23] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Conforming implementations generating new certificates with + electronic mail addresses MUST use the rfc822Name in the subject + alternative name field (section 4.2.1.7) to describe such identities. + Simultaneous inclusion of the EmailAddress attribute in the subject + distinguished name to support legacy implementations is deprecated + but permitted. + +4.1.2.7 Subject Public Key Info + + This field is used to carry the public key and identify the algorithm + with which the key is used (e.g., RSA, DSA, or Diffie-Hellman). 
The + algorithm is identified using the AlgorithmIdentifier structure + specified in section 4.1.1.2. The object identifiers for the + supported algorithms and the methods for encoding the public key + materials (public key and parameters) are specified in [PKIXALGS]. + +4.1.2.8 Unique Identifiers + + These fields MUST only appear if the version is 2 or 3 (section + 4.1.2.1). These fields MUST NOT appear if the version is 1. The + subject and issuer unique identifiers are present in the certificate + to handle the possibility of reuse of subject and/or issuer names + over time. This profile RECOMMENDS that names not be reused for + different entities and that Internet certificates not make use of + unique identifiers. CAs conforming to this profile SHOULD NOT + generate certificates with unique identifiers. Applications + conforming to this profile SHOULD be capable of parsing unique + identifiers. + +4.1.2.9 Extensions + + This field MUST only appear if the version is 3 (section 4.1.2.1). + If present, this field is a SEQUENCE of one or more certificate + extensions. The format and content of certificate extensions in the + Internet PKI is defined in section 4.2. + +4.2 Certificate Extensions + + The extensions defined for X.509 v3 certificates provide methods for + associating additional attributes with users or public keys and for + managing a certification hierarchy. The X.509 v3 certificate format + also allows communities to define private extensions to carry + information unique to those communities. Each extension in a + certificate is designated as either critical or non-critical. A + certificate using system MUST reject the certificate if it encounters + a critical extension it does not recognize; however, a non-critical + extension MAY be ignored if it is not recognized. The following + sections present recommended extensions used within Internet + + + +Housley, et. al. 
Standards Track [Page 24] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + certificates and standard locations for information. Communities may + elect to use additional extensions; however, caution ought to be + exercised in adopting any critical extensions in certificates which + might prevent use in a general context. + + Each extension includes an OID and an ASN.1 structure. When an + extension appears in a certificate, the OID appears as the field + extnID and the corresponding ASN.1 encoded structure is the value of + the octet string extnValue. A certificate MUST NOT include more than + one instance of a particular extension. For example, a certificate + may contain only one authority key identifier extension (section + 4.2.1.1). An extension includes the boolean critical, with a default + value of FALSE. The text for each extension specifies the acceptable + values for the critical field. + + Conforming CAs MUST support key identifiers (sections 4.2.1.1 and + 4.2.1.2), basic constraints (section 4.2.1.10), key usage (section + 4.2.1.3), and certificate policies (section 4.2.1.5) extensions. If + the CA issues certificates with an empty sequence for the subject + field, the CA MUST support the subject alternative name extension + (section 4.2.1.7). Support for the remaining extensions is OPTIONAL. + Conforming CAs MAY support extensions that are not identified within + this specification; certificate issuers are cautioned that marking + such extensions as critical may inhibit interoperability. + + At a minimum, applications conforming to this profile MUST recognize + the following extensions: key usage (section 4.2.1.3), certificate + policies (section 4.2.1.5), the subject alternative name (section + 4.2.1.7), basic constraints (section 4.2.1.10), name constraints + (section 4.2.1.11), policy constraints (section 4.2.1.12), extended + key usage (section 4.2.1.13), and inhibit any-policy (section + 4.2.1.15). 
+ + In addition, applications conforming to this profile SHOULD recognize + the authority and subject key identifier (sections 4.2.1.1 and + 4.2.1.2), and policy mapping (section 4.2.1.6) extensions. + +4.2.1 Standard Extensions + + This section identifies standard certificate extensions defined in + [X.509] for use in the Internet PKI. Each extension is associated + with an OID defined in [X.509]. These OIDs are members of the id-ce + arc, which is defined by the following: + + id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 } + + + + + + +Housley, et. al. Standards Track [Page 25] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.2.1.1 Authority Key Identifier + + The authority key identifier extension provides a means of + identifying the public key corresponding to the private key used to + sign a certificate. This extension is used where an issuer has + multiple signing keys (either due to multiple concurrent key pairs or + due to changeover). The identification MAY be based on either the + key identifier (the subject key identifier in the issuer's + certificate) or on the issuer name and serial number. + + The keyIdentifier field of the authorityKeyIdentifier extension MUST + be included in all certificates generated by conforming CAs to + facilitate certification path construction. There is one exception; + where a CA distributes its public key in the form of a "self-signed" + certificate, the authority key identifier MAY be omitted. The + signature on a self-signed certificate is generated with the private + key associated with the certificate's subject public key. (This + proves that the issuer possesses both the public and private keys.) + In this case, the subject and authority key identifiers would be + identical, but only the subject key identifier is needed for + certification path building. 
+ + The value of the keyIdentifier field SHOULD be derived from the + public key used to verify the certificate's signature or a method + that generates unique values. Two common methods for generating key + identifiers from the public key, and one common method for generating + unique values, are described in section 4.2.1.2. Where a key + identifier has not been previously established, this specification + RECOMMENDS use of one of these methods for generating keyIdentifiers. + Where a key identifier has been previously established, the CA SHOULD + use the previously established identifier. + + This profile RECOMMENDS support for the key identifier method by all + certificate users. + + This extension MUST NOT be marked critical. + + id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } + + AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + + KeyIdentifier ::= OCTET STRING + + + + + + +Housley, et. al. Standards Track [Page 26] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.2.1.2 Subject Key Identifier + + The subject key identifier extension provides a means of identifying + certificates that contain a particular public key. + + To facilitate certification path construction, this extension MUST + appear in all conforming CA certificates, that is, all certificates + including the basic constraints extension (section 4.2.1.10) where + the value of cA is TRUE. The value of the subject key identifier + MUST be the value placed in the key identifier field of the Authority + Key Identifier extension (section 4.2.1.1) of certificates issued by + the subject of this certificate. + + For CA certificates, subject key identifiers SHOULD be derived from + the public key or a method that generates unique values. 
Two common + methods for generating key identifiers from the public key are: + + (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the + value of the BIT STRING subjectPublicKey (excluding the tag, + length, and number of unused bits). + + (2) The keyIdentifier is composed of a four bit type field with + the value 0100 followed by the least significant 60 bits of the + SHA-1 hash of the value of the BIT STRING subjectPublicKey + (excluding the tag, length, and number of unused bit string bits). + + One common method for generating unique values is a monotonically + increasing sequence of integers. + + For end entity certificates, the subject key identifier extension + provides a means for identifying certificates containing the + particular public key used in an application. Where an end entity + has obtained multiple certificates, especially from multiple CAs, the + subject key identifier provides a means to quickly identify the set + of certificates containing a particular public key. To assist + applications in identifying the appropriate end entity certificate, + this extension SHOULD be included in all end entity certificates. + + For end entity certificates, subject key identifiers SHOULD be + derived from the public key. Two common methods for generating key + identifiers from the public key are identified above. + + Where a key identifier has not been previously established, this + specification RECOMMENDS use of one of these methods for generating + keyIdentifiers. Where a key identifier has been previously + established, the CA SHOULD use the previously established identifier. + + This extension MUST NOT be marked critical. + + + +Housley, et. al. 
Standards Track [Page 27] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } + + SubjectKeyIdentifier ::= KeyIdentifier + +4.2.1.3 Key Usage + + The key usage extension defines the purpose (e.g., encipherment, + signature, certificate signing) of the key contained in the + certificate. The usage restriction might be employed when a key that + could be used for more than one operation is to be restricted. For + example, when an RSA key should be used only to verify signatures on + objects other than public key certificates and CRLs, the + digitalSignature and/or nonRepudiation bits would be asserted. + Likewise, when an RSA key should be used only for key management, the + keyEncipherment bit would be asserted. + + This extension MUST appear in certificates that contain public keys + that are used to validate digital signatures on other public key + certificates or CRLs. When this extension appears, it SHOULD be + marked critical. + + id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + + KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) } + + Bits in the KeyUsage type are used as follows: + + The digitalSignature bit is asserted when the subject public key + is used with a digital signature mechanism to support security + services other than certificate signing (bit 5), or CRL signing + (bit 6). Digital signature mechanisms are often used for entity + authentication and data origin authentication with integrity. + + The nonRepudiation bit is asserted when the subject public key is + used to verify digital signatures used to provide a non- + repudiation service which protects against the signing entity + falsely denying some action, excluding certificate or CRL signing. 
+ In the case of later conflict, a reliable third party may + determine the authenticity of the signed data. + + + +Housley, et. al. Standards Track [Page 28] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Further distinctions between the digitalSignature and + nonRepudiation bits may be provided in specific certificate + policies. + + The keyEncipherment bit is asserted when the subject public key is + used for key transport. For example, when an RSA key is to be + used for key management, then this bit is set. + + The dataEncipherment bit is asserted when the subject public key + is used for enciphering user data, other than cryptographic keys. + + The keyAgreement bit is asserted when the subject public key is + used for key agreement. For example, when a Diffie-Hellman key is + to be used for key management, then this bit is set. + + The keyCertSign bit is asserted when the subject public key is + used for verifying a signature on public key certificates. If the + keyCertSign bit is asserted, then the cA bit in the basic + constraints extension (section 4.2.1.10) MUST also be asserted. + + The cRLSign bit is asserted when the subject public key is used + for verifying a signature on certificate revocation list (e.g., a + CRL, delta CRL, or an ARL). This bit MUST be asserted in + certificates that are used to verify signatures on CRLs. + + The meaning of the encipherOnly bit is undefined in the absence of + the keyAgreement bit. When the encipherOnly bit is asserted and + the keyAgreement bit is also set, the subject public key may be + used only for enciphering data while performing key agreement. + + The meaning of the decipherOnly bit is undefined in the absence of + the keyAgreement bit. When the decipherOnly bit is asserted and + the keyAgreement bit is also set, the subject public key may be + used only for deciphering data while performing key agreement. 
+ + This profile does not restrict the combinations of bits that may be + set in an instantiation of the keyUsage extension. However, + appropriate values for keyUsage extensions for particular algorithms + are specified in [PKIXALGS]. + +4.2.1.4 Private Key Usage Period + + This extension SHOULD NOT be used within the Internet PKI. CAs + conforming to this profile MUST NOT generate certificates that + include a critical private key usage period extension. + + + + + + +Housley, et. al. Standards Track [Page 29] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The private key usage period extension allows the certificate issuer + to specify a different validity period for the private key than the + certificate. This extension is intended for use with digital + signature keys. This extension consists of two optional components, + notBefore and notAfter. The private key associated with the + certificate SHOULD NOT be used to sign objects before or after the + times specified by the two components, respectively. CAs conforming + to this profile MUST NOT generate certificates with private key usage + period extensions unless at least one of the two components is + present and the extension is non-critical. + + Where used, notBefore and notAfter are represented as GeneralizedTime + and MUST be specified and interpreted as defined in section + 4.1.2.5.2. + + id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } + + PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL } + +4.2.1.5 Certificate Policies + + The certificate policies extension contains a sequence of one or more + policy information terms, each of which consists of an object + identifier (OID) and optional qualifiers. Optional qualifiers, which + MAY be present, are not expected to change the definition of the + policy. 
+ + In an end entity certificate, these policy information terms indicate + the policy under which the certificate has been issued and the + purposes for which the certificate may be used. In a CA certificate, + these policy information terms limit the set of policies for + certification paths which include this certificate. When a CA does + not wish to limit the set of policies for certification paths which + include this certificate, it MAY assert the special policy anyPolicy, + with a value of { 2 5 29 32 0 }. + + Applications with specific policy requirements are expected to have a + list of those policies which they will accept and to compare the + policy OIDs in the certificate to that list. If this extension is + critical, the path validation software MUST be able to interpret this + extension (including the optional qualifier), or MUST reject the + certificate. + + To promote interoperability, this profile RECOMMENDS that policy + information terms consist of only an OID. Where an OID alone is + insufficient, this profile strongly recommends that use of qualifiers + + + +Housley, et. al. Standards Track [Page 30] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + be limited to those identified in this section. When qualifiers are + used with the special policy anyPolicy, they MUST be limited to the + qualifiers identified in this section. + + This specification defines two policy qualifier types for use by + certificate policy writers and certificate issuers. The qualifier + types are the CPS Pointer and User Notice qualifiers. + + The CPS Pointer qualifier contains a pointer to a Certification + Practice Statement (CPS) published by the CA. The pointer is in the + form of a URI. Processing requirements for this qualifier are a + local matter. No action is mandated by this specification regardless + of the criticality value asserted for the extension. + + User notice is intended for display to a relying party when a + certificate is used. 
The application software SHOULD display all + user notices in all certificates of the certification path used, + except that if a notice is duplicated only one copy need be + displayed. To prevent such duplication, this qualifier SHOULD only + be present in end entity certificates and CA certificates issued to + other organizations. + + The user notice has two optional fields: the noticeRef field and the + explicitText field. + + The noticeRef field, if used, names an organization and + identifies, by number, a particular textual statement prepared by + that organization. For example, it might identify the + organization "CertsRUs" and notice number 1. In a typical + implementation, the application software will have a notice file + containing the current set of notices for CertsRUs; the + application will extract the notice text from the file and display + it. Messages MAY be multilingual, allowing the software to select + the particular language message for its own environment. + + An explicitText field includes the textual statement directly in + the certificate. The explicitText field is a string with a + maximum size of 200 characters. + + If both the noticeRef and explicitText options are included in the + one qualifier and if the application software can locate the notice + text indicated by the noticeRef option, then that text SHOULD be + displayed; otherwise, the explicitText string SHOULD be displayed. + + Note: While the explicitText has a maximum size of 200 characters, + some non-conforming CAs exceed this limit. Therefore, certificate + users SHOULD gracefully handle explicitText with more than 200 + characters. + + + +Housley, et. al. 
Standards Track [Page 31] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } + + anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificate-policies 0 } + + certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + + PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + + CertPolicyId ::= OBJECT IDENTIFIER + + PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId PolicyQualifierId, + qualifier ANY DEFINED BY policyQualifierId } + + -- policyQualifierIds for Internet policy qualifiers + + id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + + PolicyQualifierId ::= + OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) + + Qualifier ::= CHOICE { + cPSuri CPSuri, + userNotice UserNotice } + + CPSuri ::= IA5String + + UserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + + NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + + DisplayText ::= CHOICE { + ia5String IA5String (SIZE (1..200)), + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + + + + + + +Housley, et. al. Standards Track [Page 32] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.2.1.6 Policy Mappings + + This extension is used in CA certificates. It lists one or more + pairs of OIDs; each pair includes an issuerDomainPolicy and a + subjectDomainPolicy. The pairing indicates the issuing CA considers + its issuerDomainPolicy equivalent to the subject CA's + subjectDomainPolicy. + + The issuing CA's users might accept an issuerDomainPolicy for certain + applications. 
The policy mapping defines the list of policies + associated with the subject CA that may be accepted as comparable to + the issuerDomainPolicy. + + Each issuerDomainPolicy named in the policy mapping extension SHOULD + also be asserted in a certificate policies extension in the same + certificate. Policies SHOULD NOT be mapped either to or from the + special value anyPolicy (section 4.2.1.5). + + This extension MAY be supported by CAs and/or applications, and it + MUST be non-critical. + + id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + + PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId } + +4.2.1.7 Subject Alternative Name + + The subject alternative names extension allows additional identities + to be bound to the subject of the certificate. Defined options + include an Internet electronic mail address, a DNS name, an IP + address, and a uniform resource identifier (URI). Other options + exist, including completely local definitions. Multiple name forms, + and multiple instances of each name form, MAY be included. Whenever + such identities are to be bound into a certificate, the subject + alternative name (or issuer alternative name) extension MUST be used; + however, a DNS name MAY be represented in the subject field using the + domainComponent attribute as described in section 4.1.2.4. + + Because the subject alternative name is considered to be definitively + bound to the public key, all parts of the subject alternative name + MUST be verified by the CA. + + Further, if the only subject identity included in the certificate is + an alternative name form (e.g., an electronic mail address), then the + subject distinguished name MUST be empty (an empty sequence), and the + + + + +Housley, et. al. Standards Track [Page 33] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + subjectAltName extension MUST be present. 
If the subject field + contains an empty sequence, the subjectAltName extension MUST be + marked critical. + + When the subjectAltName extension contains an Internet mail address, + the address MUST be included as an rfc822Name. The format of an + rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An + addr-spec has the form "local-part@domain". Note that an addr-spec + has no phrase (such as a common name) before it, has no comment (text + surrounded in parentheses) after it, and is not surrounded by "<" and + ">". Note that while upper and lower case letters are allowed in an + RFC 822 addr-spec, no significance is attached to the case. + + When the subjectAltName extension contains a iPAddress, the address + MUST be stored in the octet string in "network byte order," as + specified in RFC 791 [RFC 791]. The least significant bit (LSB) of + each octet is the LSB of the corresponding byte in the network + address. For IP Version 4, as specified in RFC 791, the octet string + MUST contain exactly four octets. For IP Version 6, as specified in + RFC 1883, the octet string MUST contain exactly sixteen octets [RFC + 1883]. + + When the subjectAltName extension contains a domain name system + label, the domain name MUST be stored in the dNSName (an IA5String). + The name MUST be in the "preferred name syntax," as specified by RFC + 1034 [RFC 1034]. Note that while upper and lower case letters are + allowed in domain names, no signifigance is attached to the case. In + addition, while the string " " is a legal domain name, subjectAltName + extensions with a dNSName of " " MUST NOT be used. Finally, the use + of the DNS representation for Internet mail addresses (wpolk.nist.gov + instead of wpolk@nist.gov) MUST NOT be used; such identities are to + be encoded as rfc822Name. + + Note: work is currently underway to specify domain names in + international character sets. Such names will likely not be + accommodated by IA5String. 
Once this work is complete, this profile + will be revisited and the appropriate functionality will be added. + + When the subjectAltName extension contains a URI, the name MUST be + stored in the uniformResourceIdentifier (an IA5String). The name + MUST NOT be a relative URL, and it MUST follow the URL syntax and + encoding rules specified in [RFC 1738]. The name MUST include both a + scheme (e.g., "http" or "ftp") and a scheme-specific-part. The + scheme-specific-part MUST include a fully qualified domain name or IP + address as the host. + + + + + + +Housley, et. al. Standards Track [Page 34] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + As specified in [RFC 1738], the scheme name is not case-sensitive + (e.g., "http" is equivalent to "HTTP"). The host part is also not + case-sensitive, but other components of the scheme-specific-part may + be case-sensitive. When comparing URIs, conforming implementations + MUST compare the scheme and host without regard to case, but assume + the remainder of the scheme-specific-part is case sensitive. + + When the subjectAltName extension contains a DN in the directoryName, + the DN MUST be unique for each subject entity certified by the one CA + as defined by the issuer name field. A CA MAY issue more than one + certificate with the same DN to the same subject entity. + + The subjectAltName MAY carry additional name types through the use of + the otherName field. The format and semantics of the name are + indicated through the OBJECT IDENTIFIER in the type-id field. The + name itself is conveyed as value field in otherName. For example, + Kerberos [RFC 1510] format names can be encoded into the otherName, + using using a Kerberos 5 principal name OID and a SEQUENCE of the + Realm and the PrincipalName. + + Subject alternative names MAY be constrained in the same manner as + subject distinguished names using the name constraints extension as + described in section 4.2.1.11. 
+ + If the subjectAltName extension is present, the sequence MUST contain + at least one entry. Unlike the subject field, conforming CAs MUST + NOT issue certificates with subjectAltNames containing empty + GeneralName fields. For example, an rfc822Name is represented as an + IA5String. While an empty string is a valid IA5String, such an + rfc822Name is not permitted by this profile. The behavior of clients + that encounter such a certificate when processing a certificication + path is not defined by this profile. + + Finally, the semantics of subject alternative names that include + wildcard characters (e.g., as a placeholder for a set of names) are + not addressed by this specification. Applications with specific + requirements MAY use such names, but they must define the semantics. + + id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } + + SubjectAltName ::= GeneralNames + + GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + + + + + + + + +Housley, et. al. Standards Track [Page 35] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + GeneralName ::= CHOICE { + otherName [0] OtherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } + + OtherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } + + EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + +4.2.1.8 Issuer Alternative Names + + As with 4.2.1.7, this extension is used to associate Internet style + identities with the certificate issuer. Issuer alternative names + MUST be encoded as in 4.2.1.7. + + Where present, this extension SHOULD NOT be marked critical. 
+ + id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } + + IssuerAltName ::= GeneralNames + +4.2.1.9 Subject Directory Attributes + + The subject directory attributes extension is used to convey + identification attributes (e.g., nationality) of the subject. The + extension is defined as a sequence of one or more attributes. This + extension MUST be non-critical. + + id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } + + SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute + +4.2.1.10 Basic Constraints + + The basic constraints extension identifies whether the subject of the + certificate is a CA and the maximum depth of valid certification + paths that include this certificate. + + + + +Housley, et. al. Standards Track [Page 36] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The cA boolean indicates whether the certified public key belongs to + a CA. If the cA boolean is not asserted, then the keyCertSign bit in + the key usage extension MUST NOT be asserted. + + The pathLenConstraint field is meaningful only if the cA boolean is + asserted and the key usage extension asserts the keyCertSign bit + (section 4.2.1.3). In this case, it gives the maximum number of non- + self-issued intermediate certificates that may follow this + certificate in a valid certification path. A certificate is self- + issued if the DNs that appear in the subject and issuer fields are + identical and are not empty. (Note: The last certificate in the + certification path is not an intermediate certificate, and is not + included in this limit. Usually, the last certificate is an end + entity certificate, but it can be a CA certificate.) A + pathLenConstraint of zero indicates that only one more certificate + may follow in a valid certification path. Where it appears, the + pathLenConstraint field MUST be greater than or equal to zero. Where + pathLenConstraint does not appear, no limit is imposed. 
+ + This extension MUST appear as a critical extension in all CA + certificates that contain public keys used to validate digital + signatures on certificates. This extension MAY appear as a critical + or non-critical extension in CA certificates that contain public keys + used exclusively for purposes other than validating digital + signatures on certificates. Such CA certificates include ones that + contain public keys used exclusively for validating digital + signatures on CRLs and ones that contain key management public keys + used with certificate enrollment protocols. This extension MAY + appear as a critical or non-critical extension in end entity + certificates. + + CAs MUST NOT include the pathLenConstraint field unless the cA + boolean is asserted and the key usage extension asserts the + keyCertSign bit. + + id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } + + BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } + +4.2.1.11 Name Constraints + + The name constraints extension, which MUST be used only in a CA + certificate, indicates a name space within which all subject names in + subsequent certificates in a certification path MUST be located. + Restrictions apply to the subject distinguished name and apply to + subject alternative names. Restrictions apply only when the + + + +Housley, et. al. Standards Track [Page 37] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + specified name form is present. If no name of the type is in the + certificate, the certificate is acceptable. + + Name constraints are not applied to certificates whose issuer and + subject are identical (unless the certificate is the final + certificate in the path). (This could prevent CAs that use name + constraints from employing self-issued certificates to implement key + rollover.) + + Restrictions are defined in terms of permitted or excluded name + subtrees. 
Any name matching a restriction in the excludedSubtrees + field is invalid regardless of information appearing in the + permittedSubtrees. This extension MUST be critical. + + Within this profile, the minimum and maximum fields are not used with + any name forms, thus minimum MUST be zero, and maximum MUST be + absent. + + For URIs, the constraint applies to the host part of the name. The + constraint MAY specify a host or a domain. Examples would be + "foo.bar.com"; and ".xyz.com". When the the constraint begins with + a period, it MAY be expanded with one or more subdomains. That is, + the constraint ".xyz.com" is satisfied by both abc.xyz.com and + abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied + by "xyz.com". When the constraint does not begin with a period, it + specifies a host. + + A name constraint for Internet mail addresses MAY specify a + particular mailbox, all addresses at a particular host, or all + mailboxes in a domain. To indicate a particular mailbox, the + constraint is the complete mail address. For example, "root@xyz.com" + indicates the root mailbox on the host "xyz.com". To indicate all + Internet mail addresses on a particular host, the constraint is + specified as the host name. For example, the constraint "xyz.com" is + satisfied by any mail address at the host "xyz.com". To specify any + address within a domain, the constraint is specified with a leading + period (as with URIs). For example, ".xyz.com" indicates all the + Internet mail addresses in the domain "xyz.com", but not Internet + mail addresses on the host "xyz.com". + + DNS name restrictions are expressed as foo.bar.com. Any DNS name + that can be constructed by simply adding to the left hand side of the + name satisfies the name constraint. For example, www.foo.bar.com + would satisfy the constraint but foo1.bar.com would not. 
+ + Legacy implementations exist where an RFC 822 name is embedded in the + subject distinguished name in an attribute of type EmailAddress + (section 4.1.2.6). When rfc822 names are constrained, but the + + + +Housley, et. al. Standards Track [Page 38] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + certificate does not include a subject alternative name, the rfc822 + name constraint MUST be applied to the attribute of type EmailAddress + in the subject distinguished name. The ASN.1 syntax for EmailAddress + and the corresponding OID are supplied in Appendix A. + + Restrictions of the form directoryName MUST be applied to the subject + field in the certificate and to the subjectAltName extensions of type + directoryName. Restrictions of the form x400Address MUST be applied + to subjectAltName extensions of type x400Address. + + When applying restrictions of the form directoryName, an + implementation MUST compare DN attributes. At a minimum, + implementations MUST perform the DN comparison rules specified in + Section 4.1.2.4. CAs issuing certificates with a restriction of the + form directoryName SHOULD NOT rely on implementation of the full ISO + DN name comparison algorithm. This implies name restrictions MUST be + stated identically to the encoding used in the subject field or + subjectAltName extension. + + The syntax of iPAddress MUST be as described in section 4.2.1.7 with + the following additions specifically for Name Constraints. For IPv4 + addresses, the ipAddress field of generalName MUST contain eight (8) + octets, encoded in the style of RFC 1519 (CIDR) to represent an + address range [RFC 1519]. For IPv6 addresses, the ipAddress field + MUST contain 32 octets similarly encoded. For example, a name + constraint for "class C" subnet 10.9.8.0 is represented as the octets + 0A 09 08 00 FF FF FF 00, representing the CIDR notation + 10.9.8.0/255.255.255.0. 
+ + The syntax and semantics for name constraints for otherName, + ediPartyName, and registeredID are not defined by this specification. + + id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } + + NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL } + + GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + + GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL } + + BaseDistance ::= INTEGER (0..MAX) + + + + + +Housley, et. al. Standards Track [Page 39] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.2.1.12 Policy Constraints + + The policy constraints extension can be used in certificates issued + to CAs. The policy constraints extension constrains path validation + in two ways. It can be used to prohibit policy mapping or require + that each certificate in a path contain an acceptable policy + identifier. + + If the inhibitPolicyMapping field is present, the value indicates the + number of additional certificates that may appear in the path before + policy mapping is no longer permitted. For example, a value of one + indicates that policy mapping may be processed in certificates issued + by the subject of this certificate, but not in additional + certificates in the path. + + If the requireExplicitPolicy field is present, the value of + requireExplicitPolicy indicates the number of additional certificates + that may appear in the path before an explicit policy is required for + the entire path. When an explicit policy is required, it is + necessary for all certificates in the path to contain an acceptable + policy identifier in the certificate policies extension. An + acceptable policy identifier is the identifier of a policy required + by the user of the certification path or the identifier of a policy + which has been declared equivalent through policy mapping. 
+ + Conforming CAs MUST NOT issue certificates where policy constraints + is a empty sequence. That is, at least one of the + inhibitPolicyMapping field or the requireExplicitPolicy field MUST be + present. The behavior of clients that encounter a empty policy + constraints field is not addressed in this profile. + + This extension MAY be critical or non-critical. + + id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } + + PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + + SkipCerts ::= INTEGER (0..MAX) + +4.2.1.13 Extended Key Usage + + This extension indicates one or more purposes for which the certified + public key may be used, in addition to or in place of the basic + purposes indicated in the key usage extension. In general, this + extension will appear only in end entity certificates. This + extension is defined as follows: + + + +Housley, et. al. Standards Track [Page 40] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } + + ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + + KeyPurposeId ::= OBJECT IDENTIFIER + + Key purposes may be defined by any organization with a need. Object + identifiers used to identify key purposes MUST be assigned in + accordance with IANA or ITU-T Recommendation X.660 [X.660]. + + This extension MAY, at the option of the certificate issuer, be + either critical or non-critical. + + If the extension is present, then the certificate MUST only be used + for one of the purposes indicated. If multiple purposes are + indicated the application need not recognize all purposes indicated, + as long as the intended purpose is present. Certificate using + applications MAY require that a particular purpose be indicated in + order for the certificate to be acceptable to that application. 
+ + If a CA includes extended key usages to satisfy such applications, + but does not wish to restrict usages of the key, the CA can include + the special keyPurposeID anyExtendedKeyUsage. If the + anyExtendedKeyUsage keyPurposeID is present, the extension SHOULD NOT + be critical. + + If a certificate contains both a key usage extension and an extended + key usage extension, then both extensions MUST be processed + independently and the certificate MUST only be used for a purpose + consistent with both extensions. If there is no purpose consistent + with both extensions, then the certificate MUST NOT be used for any + purpose. + + The following key usage purposes are defined: + + anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } + + id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + + id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } + -- TLS WWW server authentication + -- Key usage bits that may be consistent: digitalSignature, + -- keyEncipherment or keyAgreement + + id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } + -- TLS WWW client authentication + -- Key usage bits that may be consistent: digitalSignature + -- and/or keyAgreement + + + +Housley, et. al. 
Standards Track [Page 41] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } + -- Signing of downloadable executable code + -- Key usage bits that may be consistent: digitalSignature + + id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } + -- E-mail protection + -- Key usage bits that may be consistent: digitalSignature, + -- nonRepudiation, and/or (keyEncipherment or keyAgreement) + + id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } + -- Binding the hash of an object to a time + -- Key usage bits that may be consistent: digitalSignature + -- and/or nonRepudiation + + id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + -- Signing OCSP responses + -- Key usage bits that may be consistent: digitalSignature + -- and/or nonRepudiation + +4.2.1.14 CRL Distribution Points + + The CRL distribution points extension identifies how CRL information + is obtained. The extension SHOULD be non-critical, but this profile + RECOMMENDS support for this extension by CAs and applications. + Further discussion of CRL management is contained in section 5. + + The cRLDistributionPoints extension is a SEQUENCE of + DistributionPoint. A DistributionPoint consists of three fields, + each of which is optional: distributionPoint, reasons, and cRLIssuer. + While each of these fields is optional, a DistributionPoint MUST NOT + consist of only the reasons field; either distributionPoint or + cRLIssuer MUST be present. If the certificate issuer is not the CRL + issuer, then the cRLIssuer field MUST be present and contain the Name + of the CRL issuer. If the certificate issuer is also the CRL issuer, + then the cRLIssuer field MUST be omitted and the distributionPoint + field MUST be present. If the distributionPoint field is omitted, + cRLIssuer MUST be present and include a Name corresponding to an + X.500 or LDAP directory entry where the CRL is located. 
+ + When the distributionPoint field is present, it contains either a + SEQUENCE of general names or a single value, nameRelativeToCRLIssuer. + If the cRLDistributionPoints extension contains a general name of + type URI, the following semantics MUST be assumed: the URI is a + pointer to the current CRL for the associated reasons and will be + issued by the associated cRLIssuer. The expected values for the URI + are those defined in 4.2.1.7. Processing rules for other values are + not defined by this specification. + + + + +Housley, et. al. Standards Track [Page 42] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + If the DistributionPointName contains multiple values, each name + describes a different mechanism to obtain the same CRL. For example, + the same CRL could be available for retrieval through both LDAP and + HTTP. + + If the DistributionPointName contains the single value + nameRelativeToCRLIssuer, the value provides a distinguished name + fragment. The fragment is appended to the X.500 distinguished name + of the CRL issuer to obtain the distribution point name. If the + cRLIssuer field in the DistributionPoint is present, then the name + fragment is appended to the distinguished name that it contains; + otherwise, the name fragment is appended to the certificate issuer + distinguished name. The DistributionPointName MUST NOT use the + nameRealtiveToCRLIssuer alternative when cRLIssuer contains more than + one distinguished name. + + If the DistributionPoint omits the reasons field, the CRL MUST + include revocation information for all reasons. + + The cRLIssuer identifies the entity who signs and issues the CRL. If + present, the cRLIssuer MUST contain at least one an X.500 + distinguished name (DN), and MAY also contain other name forms. + Since the cRLIssuer is compared to the CRL issuer name, the X.501 + type Name MUST follow the encoding rules for the issuer name field in + the certificate (section 4.1.2.4). 
+ + id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } + + CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + + DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + + DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + + + + + + + + + + + + + +Housley, et. al. Standards Track [Page 43] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) } + +4.2.1.15 Inhibit Any-Policy + + The inhibit any-policy extension can be used in certificates issued + to CAs. The inhibit any-policy indicates that the special anyPolicy + OID, with the value { 2 5 29 32 0 }, is not considered an explicit + match for other certificate policies. The value indicates the number + of additional certificates that may appear in the path before + anyPolicy is no longer permitted. For example, a value of one + indicates that anyPolicy may be processed in certificates issued by + the subject of this certificate, but not in additional certificates + in the path. + + This extension MUST be critical. + + id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } + + InhibitAnyPolicy ::= SkipCerts + + SkipCerts ::= INTEGER (0..MAX) + +4.2.1.16 Freshest CRL (a.k.a. Delta CRL Distribution Point) + + The freshest CRL extension identifies how delta CRL information is + obtained. The extension MUST be non-critical. Further discussion of + CRL management is contained in section 5. + + The same syntax is used for this extension and the + cRLDistributionPoints extension, and is described in section + 4.2.1.14. The same conventions apply to both extensions. 
+ + id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + + FreshestCRL ::= CRLDistributionPoints + + + + + + + +Housley, et. al. Standards Track [Page 44] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +4.2.2 Private Internet Extensions + + This section defines two extensions for use in the Internet Public + Key Infrastructure. These extensions may be used to direct + applications to on-line information about the issuing CA or the + subject. As the information may be available in multiple forms, each + extension is a sequence of IA5String values, each of which represents + a URI. The URI implicitly specifies the location and format of the + information and the method for obtaining the information. + + An object identifier is defined for the private extension. The + object identifier associated with the private extension is defined + under the arc id-pe within the arc id-pkix. Any future extensions + defined for the Internet PKI are also expected to be defined under + the arc id-pe. + + id-pkix OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) } + + id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + +4.2.2.1 Authority Information Access + + The authority information access extension indicates how to access CA + information and services for the issuer of the certificate in which + the extension appears. Information and services may include on-line + validation services and CA policy data. (The location of CRLs is not + specified in this extension; that information is provided by the + cRLDistributionPoints extension.) This extension may be included in + end entity or CA certificates, and it MUST be non-critical. 
+ + id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + + AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + + AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + + id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + + id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } + + id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } + + + + + +Housley, et. al. Standards Track [Page 45] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Each entry in the sequence AuthorityInfoAccessSyntax describes the + format and location of additional information provided by the CA that + issued the certificate in which this extension appears. The type and + format of the information is specified by the accessMethod field; the + accessLocation field specifies the location of the information. The + retrieval mechanism may be implied by the accessMethod or specified + by accessLocation. + + This profile defines two accessMethod OIDs: id-ad-caIssuers and + id-ad-ocsp. + + The id-ad-caIssuers OID is used when the additional information lists + CAs that have issued certificates superior to the CA that issued the + certificate containing this extension. The referenced CA issuers + description is intended to aid certificate users in the selection of + a certification path that terminates at a point trusted by the + certificate user. + + When id-ad-caIssuers appears as accessMethod, the accessLocation + field describes the referenced description server and the access + protocol to obtain the referenced description. The accessLocation + field is defined as a GeneralName, which can take several forms. + Where the information is available via http, ftp, or ldap, + accessLocation MUST be a uniformResourceIdentifier. Where the + information is available via the Directory Access Protocol (DAP), + accessLocation MUST be a directoryName. 
The entry for that + directoryName contains CA certificates in the crossCertificatePair + attribute. When the information is available via electronic mail, + accessLocation MUST be an rfc822Name. The semantics of other + id-ad-caIssuers accessLocation name forms are not defined. + + The id-ad-ocsp OID is used when revocation information for the + certificate containing this extension is available using the Online + Certificate Status Protocol (OCSP) [RFC 2560]. + + When id-ad-ocsp appears as accessMethod, the accessLocation field is + the location of the OCSP responder, using the conventions defined in + [RFC 2560]. + + Additional access descriptors may be defined in other PKIX + specifications. + +4.2.2.2 Subject Information Access + + The subject information access extension indicates how to access + information and services for the subject of the certificate in which + the extension appears. When the subject is a CA, information and + services may include certificate validation services and CA policy + + + +Housley, et. al. Standards Track [Page 46] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + data. When the subject is an end entity, the information describes + the type of services offered and how to access them. In this case, + the contents of this extension are defined in the protocol + specifications for the suported services. This extension may be + included in subject or CA certificates, and it MUST be non-critical. + + id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } + + SubjectInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + + AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + + Each entry in the sequence SubjectInfoAccessSyntax describes the + format and location of additional information provided by the subject + of the certificate in which this extension appears. 
The type and + format of the information is specified by the accessMethod field; the + accessLocation field specifies the location of the information. The + retrieval mechanism may be implied by the accessMethod or specified + by accessLocation. + + This profile defines one access method to be used when the subject is + a CA, and one access method to be used when the subject is an end + entity. Additional access methods may be defined in the future in + the protocol specifications for other services. + + The id-ad-caRepository OID is used when the subject is a CA, and + publishes its certificates and CRLs (if issued) in a repository. The + accessLocation field is defined as a GeneralName, which can take + several forms. Where the information is available via http, ftp, or + ldap, accessLocation MUST be a uniformResourceIdentifier. Where the + information is available via the directory access protocol (dap), + accessLocation MUST be a directoryName. When the information is + available via electronic mail, accessLocation MUST be an rfc822Name. + The semantics of other name forms of of accessLocation (when + accessMethod is id-ad-caRepository) are not defined by this + specification. + + The id-ad-timeStamping OID is used when the subject offers + timestamping services using the Time Stamp Protocol defined in + [PKIXTSA]. Where the timestamping services are available via http or + ftp, accessLocation MUST be a uniformResourceIdentifier. Where the + timestamping services are available via electronic mail, + accessLocation MUST be an rfc822Name. Where timestamping services + + + + + +Housley, et. al. Standards Track [Page 47] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + are available using TCP/IP, the dNSName or ipAddress name forms may + be used. The semantics of other name forms of accessLocation (when + accessMethod is id-ad-timeStamping) are not defined by this + specification. 
+ + Additional access descriptors may be defined in other PKIX + specifications. + + id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + + id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + + id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } + +5 CRL and CRL Extensions Profile + + As discussed above, one goal of this X.509 v2 CRL profile is to + foster the creation of an interoperable and reusable Internet PKI. + To achieve this goal, guidelines for the use of extensions are + specified, and some assumptions are made about the nature of + information included in the CRL. + + CRLs may be used in a wide range of applications and environments + covering a broad spectrum of interoperability goals and an even + broader spectrum of operational and assurance requirements. This + profile establishes a common baseline for generic applications + requiring broad interoperability. The profile defines a set of + information that can be expected in every CRL. Also, the profile + defines common locations within the CRL for frequently used + attributes as well as common representations for these attributes. + + CRL issuers issue CRLs. In general, the CRL issuer is the CA. CAs + publish CRLs to provide status information about the certificates + they issued. However, a CA may delegate this responsibility to + another trusted authority. Whenever the CRL issuer is not the CA + that issued the certificates, the CRL is referred to as an indirect + CRL. + + Each CRL has a particular scope. The CRL scope is the set of + certificates that could appear on a given CRL. For example, the + scope could be "all certificates issued by CA X", "all CA + certificates issued by CA X", "all certificates issued by CA X that + have been revoked for reasons of key compromise and CA compromise", + or could be a set of certificates based on arbitrary local + information, such as "all certificates issued to the NIST employees + located in Boulder". + + + + + +Housley, et. al. 
Standards Track [Page 48] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + A complete CRL lists all unexpired certificates, within its scope, + that have been revoked for one of the revocation reasons covered by + the CRL scope. The CRL issuer MAY also generate delta CRLs. A delta + CRL only lists those certificates, within its scope, whose revocation + status has changed since the issuance of a referenced complete CRL. + The referenced complete CRL is referred to as a base CRL. The scope + of a delta CRL MUST be the same as the base CRL that it references. + + This profile does not define any private Internet CRL extensions or + CRL entry extensions. + + Environments with additional or special purpose requirements may + build on this profile or may replace it. + + Conforming CAs are not required to issue CRLs if other revocation or + certificate status mechanisms are provided. When CRLs are issued, + the CRLs MUST be version 2 CRLs, include the date by which the next + CRL will be issued in the nextUpdate field (section 5.1.2.5), include + the CRL number extension (section 5.2.3), and include the authority + key identifier extension (section 5.2.1). Conforming applications + that support CRLs are REQUIRED to process both version 1 and version + 2 complete CRLs that provide revocation information for all + certificates issued by one CA. Conforming applications are NOT + REQUIRED to support processing of delta CRLs, indirect CRLs, or CRLs + with a scope other than all certificates issued by one CA. + +5.1 CRL Fields + + The X.509 v2 CRL syntax is as follows. For signature calculation, + the data that is to be signed is ASN.1 DER encoded. ASN.1 DER + encoding is a tag, length, value encoding system for each element. + + CertificateList ::= SEQUENCE { + tbsCertList TBSCertList, + signatureAlgorithm AlgorithmIdentifier, + signatureValue BIT STRING } + + + + + + + + + + + + + + + +Housley, et. al. 
Standards Track [Page 49] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL + -- if present, MUST be v2 + } OPTIONAL, + crlExtensions [0] EXPLICIT Extensions OPTIONAL + -- if present, MUST be v2 + } + + -- Version, Time, CertificateSerialNumber, and Extensions + -- are all defined in the ASN.1 in section 4.1 + + -- AlgorithmIdentifier is defined in section 4.1.1.2 + + The following items describe the use of the X.509 v2 CRL in the + Internet PKI. + +5.1.1 CertificateList Fields + + The CertificateList is a SEQUENCE of three required fields. The + fields are described in detail in the following subsections. + +5.1.1.1 tbsCertList + + The first field in the sequence is the tbsCertList. This field is + itself a sequence containing the name of the issuer, issue date, + issue date of the next list, the optional list of revoked + certificates, and optional CRL extensions. When there are no revoked + certificates, the revoked certificates list is absent. When one or + more certificates are revoked, each entry on the revoked certificate + list is defined by a sequence of user certificate serial number, + revocation date, and optional CRL entry extensions. + +5.1.1.2 signatureAlgorithm + + The signatureAlgorithm field contains the algorithm identifier for + the algorithm used by the CRL issuer to sign the CertificateList. + The field is of type AlgorithmIdentifier, which is defined in section + 4.1.1.2. [PKIXALGS] lists the supported algorithms for this + specification, but other signature algorithms MAY also be supported. + + + +Housley, et. al. 
Standards Track [Page 50] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + This field MUST contain the same algorithm identifier as the + signature field in the sequence tbsCertList (section 5.1.2.2). + +5.1.1.3 signatureValue + + The signatureValue field contains a digital signature computed upon + the ASN.1 DER encoded tbsCertList. The ASN.1 DER encoded tbsCertList + is used as the input to the signature function. This signature value + is encoded as a BIT STRING and included in the CRL signatureValue + field. The details of this process are specified for each of the + supported algorithms in [PKIXALGS]. + + CAs that are also CRL issuers MAY use one private key to digitally + sign certificates and CRLs, or MAY use separate private keys to + digitally sign certificates and CRLs. When separate private keys are + employed, each of the public keys associated with these private keys + is placed in a separate certificate, one with the keyCertSign bit set + in the key usage extension, and one with the cRLSign bit set in the + key usage extension (section 4.2.1.3). When separate private keys + are employed, certificates issued by the CA contain one authority key + identifier, and the corresponding CRLs contain a different authority + key identifier. The use of separate CA certificates for validation + of certificate signatures and CRL signatures can offer improved + security characteristics; however, it imposes a burden on + applications, and it might limit interoperability. Many applications + construct a certification path, and then validate the certification + path (section 6). CRL checking in turn requires a separate + certification path to be constructed and validated for the CA's CRL + signature validation certificate. Applications that perform CRL + checking MUST support certification path validation when certificates + and CRLs are digitally signed with the same CA private key. 
These + applications SHOULD support certification path validation when + certificates and CRLs are digitally signed with different CA private + keys. + +5.1.2 Certificate List "To Be Signed" + + The certificate list to be signed, or TBSCertList, is a sequence of + required and optional fields. The required fields identify the CRL + issuer, the algorithm used to sign the CRL, the date and time the CRL + was issued, and the date and time by which the CRL issuer will issue + the next CRL. + + Optional fields include lists of revoked certificates and CRL + extensions. The revoked certificate list is optional to support the + case where a CA has not revoked any unexpired certificates that it + + + + + +Housley, et. al. Standards Track [Page 51] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + has issued. The profile requires conforming CRL issuers to use the + CRL number and authority key identifier CRL extensions in all CRLs + issued. + +5.1.2.1 Version + + This optional field describes the version of the encoded CRL. When + extensions are used, as required by this profile, this field MUST be + present and MUST specify version 2 (the integer value is 1). + +5.1.2.2 Signature + + This field contains the algorithm identifier for the algorithm used + to sign the CRL. [PKIXALGS] lists OIDs for the most popular + signature algorithms used in the Internet PKI. + + This field MUST contain the same algorithm identifier as the + signatureAlgorithm field in the sequence CertificateList (section + 5.1.1.2). + +5.1.2.3 Issuer Name + + The issuer name identifies the entity who has signed and issued the + CRL. The issuer identity is carried in the issuer name field. + Alternative name forms may also appear in the issuerAltName extension + (section 5.2.2). The issuer name field MUST contain an X.500 + distinguished name (DN). 
The issuer name field is defined as the + X.501 type Name, and MUST follow the encoding rules for the issuer + name field in the certificate (section 4.1.2.4). + +5.1.2.4 This Update + + This field indicates the issue date of this CRL. ThisUpdate may be + encoded as UTCTime or GeneralizedTime. + + CRL issuers conforming to this profile MUST encode thisUpdate as + UTCTime for dates through the year 2049. CRL issuers conforming to + this profile MUST encode thisUpdate as GeneralizedTime for dates in + the year 2050 or later. + + Where encoded as UTCTime, thisUpdate MUST be specified and + interpreted as defined in section 4.1.2.5.1. Where encoded as + GeneralizedTime, thisUpdate MUST be specified and interpreted as + defined in section 4.1.2.5.2. + + + + + + + +Housley, et. al. Standards Track [Page 52] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +5.1.2.5 Next Update + + This field indicates the date by which the next CRL will be issued. + The next CRL could be issued before the indicated date, but it will + not be issued any later than the indicated date. CRL issuers SHOULD + issue CRLs with a nextUpdate time equal to or later than all previous + CRLs. nextUpdate may be encoded as UTCTime or GeneralizedTime. + + This profile requires inclusion of nextUpdate in all CRLs issued by + conforming CRL issuers. Note that the ASN.1 syntax of TBSCertList + describes this field as OPTIONAL, which is consistent with the ASN.1 + structure defined in [X.509]. The behavior of clients processing + CRLs which omit nextUpdate is not specified by this profile. + + CRL issuers conforming to this profile MUST encode nextUpdate as + UTCTime for dates through the year 2049. CRL issuers conforming to + this profile MUST encode nextUpdate as GeneralizedTime for dates in + the year 2050 or later. + + Where encoded as UTCTime, nextUpdate MUST be specified and + interpreted as defined in section 4.1.2.5.1. 
Where encoded as + GeneralizedTime, nextUpdate MUST be specified and interpreted as + defined in section 4.1.2.5.2. + +5.1.2.6 Revoked Certificates + + When there are no revoked certificates, the revoked certificates list + MUST be absent. Otherwise, revoked certificates are listed by their + serial numbers. Certificates revoked by the CA are uniquely + identified by the certificate serial number. The date on which the + revocation occurred is specified. The time for revocationDate MUST + be expressed as described in section 5.1.2.4. Additional information + may be supplied in CRL entry extensions; CRL entry extensions are + discussed in section 5.3. + +5.1.2.7 Extensions + + This field may only appear if the version is 2 (section 5.1.2.1). If + present, this field is a sequence of one or more CRL extensions. CRL + extensions are discussed in section 5.2. + +5.2 CRL Extensions + + The extensions defined by ANSI X9, ISO/IEC, and ITU-T for X.509 v2 + CRLs [X.509] [X9.55] provide methods for associating additional + attributes with CRLs. The X.509 v2 CRL format also allows + communities to define private extensions to carry information unique + to those communities. Each extension in a CRL may be designated as + + + +Housley, et. al. Standards Track [Page 53] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + critical or non-critical. A CRL validation MUST fail if it + encounters a critical extension which it does not know how to + process. However, an unrecognized non-critical extension may be + ignored. The following subsections present those extensions used + within Internet CRLs. Communities may elect to include extensions in + CRLs which are not defined in this specification. However, caution + should be exercised in adopting any critical extensions in CRLs which + might be used in a general context. 
+ + Conforming CRL issuers are REQUIRED to include the authority key + identifier (section 5.2.1) and the CRL number (section 5.2.3) + extensions in all CRLs issued. + +5.2.1 Authority Key Identifier + + The authority key identifier extension provides a means of + identifying the public key corresponding to the private key used to + sign a CRL. The identification can be based on either the key + identifier (the subject key identifier in the CRL signer's + certificate) or on the issuer name and serial number. This extension + is especially useful where an issuer has more than one signing key, + either due to multiple concurrent key pairs or due to changeover. + + Conforming CRL issuers MUST use the key identifier method, and MUST + include this extension in all CRLs issued. + + The syntax for this CRL extension is defined in section 4.2.1.1. + +5.2.2 Issuer Alternative Name + + The issuer alternative names extension allows additional identities + to be associated with the issuer of the CRL. Defined options include + an rfc822 name (electronic mail address), a DNS name, an IP address, + and a URI. Multiple instances of a name and multiple name forms may + be included. Whenever such identities are used, the issuer + alternative name extension MUST be used; however, a DNS name MAY be + represented in the issuer field using the domainComponent attribute + as described in section 4.1.2.4. + + The issuerAltName extension SHOULD NOT be marked critical. + + The OID and syntax for this CRL extension are defined in section + 4.2.1.8. + + + + + + + + +Housley, et. al. Standards Track [Page 54] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +5.2.3 CRL Number + + The CRL number is a non-critical CRL extension which conveys a + monotonically increasing sequence number for a given CRL scope and + CRL issuer. This extension allows users to easily determine when a + particular CRL supersedes another CRL. 
CRL numbers also support the + identification of complementary complete CRLs and delta CRLs. CRL + issuers conforming to this profile MUST include this extension in all + CRLs. + + If a CRL issuer generates delta CRLs in addition to complete CRLs for + a given scope, the complete CRLs and delta CRLs MUST share one + numbering sequence. If a delta CRL and a complete CRL that cover the + same scope are issued at the same time, they MUST have the same CRL + number and provide the same revocation information. That is, the + combination of the delta CRL and an acceptable complete CRL MUST + provide the same revocation information as the simultaneously issued + complete CRL. + + If a CRL issuer generates two CRLs (two complete CRLs, two delta + CRLs, or a complete CRL and a delta CRL) for the same scope at + different times, the two CRLs MUST NOT have the same CRL number. + That is, if the this update field (section 5.1.2.4) in the two CRLs + are not identical, the CRL numbers MUST be different. + + Given the requirements above, CRL numbers can be expected to contain + long integers. CRL verifiers MUST be able to handle CRLNumber values + up to 20 octets. Conformant CRL issuers MUST NOT use CRLNumber + values longer than 20 octets. + + id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } + + CRLNumber ::= INTEGER (0..MAX) + +5.2.4 Delta CRL Indicator + + The delta CRL indicator is a critical CRL extension that identifies a + CRL as being a delta CRL. Delta CRLs contain updates to revocation + information previously distributed, rather than all the information + that would appear in a complete CRL. The use of delta CRLs can + significantly reduce network load and processing time in some + environments. Delta CRLs are generally smaller than the CRLs they + update, so applications that obtain delta CRLs consume less network + bandwidth than applications that obtain the corresponding complete + CRLs. 
Applications which store revocation information in a format + other than the CRL structure can add new revocation information to + the local database without reprocessing information. + + + + +Housley, et. al. Standards Track [Page 55] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The delta CRL indicator extension contains the single value of type + BaseCRLNumber. The CRL number identifies the CRL, complete for a + given scope, that was used as the starting point in the generation of + this delta CRL. A conforming CRL issuer MUST publish the referenced + base CRL as a complete CRL. The delta CRL contains all updates to + the revocation status for that same scope. The combination of a + delta CRL plus the referenced base CRL is equivalent to a complete + CRL, for the applicable scope, at the time of publication of the + delta CRL. + + When a conforming CRL issuer generates a delta CRL, the delta CRL + MUST include a critical delta CRL indicator extension. + + When a delta CRL is issued, it MUST cover the same set of reasons and + the same set of certificates that were covered by the base CRL it + references. That is, the scope of the delta CRL MUST be the same as + the scope of the complete CRL referenced as the base. The referenced + base CRL and the delta CRL MUST omit the issuing distribution point + extension or contain identical issuing distribution point extensions. + Further, the CRL issuer MUST use the same private key to sign the + delta CRL and any complete CRL that it can be used to update. + + An application that supports delta CRLs can construct a CRL that is + complete for a given scope by combining a delta CRL for that scope + with either an issued CRL that is complete for that scope or a + locally constructed CRL that is complete for that scope. 
+ + When a delta CRL is combined with a complete CRL or a locally + constructed CRL, the resulting locally constructed CRL has the CRL + number specified in the CRL number extension found in the delta CRL + used in its construction. In addition, the resulting locally + constructed CRL has the thisUpdate and nextUpdate times specified in + the corresponding fields of the delta CRL used in its construction. + In addition, the locally constructed CRL inherits the issuing + distribution point from the delta CRL. + + A complete CRL and a delta CRL MAY be combined if the following four + conditions are satisfied: + + (a) The complete CRL and delta CRL have the same issuer. + + (b) The complete CRL and delta CRL have the same scope. The two + CRLs have the same scope if either of the following conditions are + met: + + (1) The issuingDistributionPoint extension is omitted from + both the complete CRL and the delta CRL. + + + + +Housley, et. al. Standards Track [Page 56] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (2) The issuingDistributionPoint extension is present in both + the complete CRL and the delta CRL, and the values for each of + the fields in the extensions are the same in both CRLs. + + (c) The CRL number of the complete CRL is equal to or greater + than the BaseCRLNumber specified in the delta CRL. That is, the + complete CRL contains (at a minimum) all the revocation + information held by the referenced base CRL. + + (d) The CRL number of the complete CRL is less than the CRL + number of the delta CRL. That is, the delta CRL follows the + complete CRL in the numbering sequence. + + CRL issuers MUST ensure that the combination of a delta CRL and any + appropriate complete CRL accurately reflects the current revocation + status. 
The CRL issuer MUST include an entry in the delta CRL for + each certificate within the scope of the delta CRL whose status has + changed since the generation of the referenced base CRL: + + (a) If the certificate is revoked for a reason included in the + scope of the CRL, list the certificate as revoked. + + (b) If the certificate is valid and was listed on the referenced + base CRL or any subsequent CRL with reason code certificateHold, + and the reason code certificateHold is included in the scope of + the CRL, list the certificate with the reason code removeFromCRL. + + (c) If the certificate is revoked for a reason outside the scope + of the CRL, but the certificate was listed on the referenced base + CRL or any subsequent CRL with a reason code included in the scope + of this CRL, list the certificate as revoked but omit the reason + code. + + (d) If the certificate is revoked for a reason outside the scope + of the CRL and the certificate was neither listed on the + referenced base CRL nor any subsequent CRL with a reason code + included in the scope of this CRL, do not list the certificate on + this CRL. + + The status of a certificate is considered to have changed if it is + revoked, placed on hold, released from hold, or if its revocation + reason changes. + + It is appropriate to list a certificate with reason code + removeFromCRL on a delta CRL even if the certificate was not on hold + in the referenced base CRL. If the certificate was placed on hold in + + + + + +Housley, et. al. Standards Track [Page 57] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + any CRL issued after the base but before this delta CRL and then + released from hold, it MUST be listed on the delta CRL with + revocation reason removeFromCRL. 
+ + A CRL issuer MAY optionally list a certificate on a delta CRL with + reason code removeFromCRL if the notAfter time specified in the + certificate precedes the thisUpdate time specified in the delta CRL + and the certificate was listed on the referenced base CRL or in any + CRL issued after the base but before this delta CRL. + + If a certificate revocation notice first appears on a delta CRL, then + it is possible for the certificate validity period to expire before + the next complete CRL for the same scope is issued. In this case, + the revocation notice MUST be included in all subsequent delta CRLs + until the revocation notice is included on at least one explicitly + issued complete CRL for this scope. + + An application that supports delta CRLs MUST be able to construct a + current complete CRL by combining a previously issued complete CRL + and the most current delta CRL. An application that supports delta + CRLs MAY also be able to construct a current complete CRL by + combining a previously locally constructed complete CRL and the + current delta CRL. A delta CRL is considered to be the current one + if the current time is between the times contained in the thisUpdate + and nextUpdate fields. Under some circumstances, the CRL issuer may + publish one or more delta CRLs before indicated by the nextUpdate + field. If more than one current delta CRL for a given scope is + encountered, the application SHOULD consider the one with the latest + value in thisUpdate to be the most current one. + + id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } + + BaseCRLNumber ::= CRLNumber + +5.2.5 Issuing Distribution Point + + The issuing distribution point is a critical CRL extension that + identifies the CRL distribution point and scope for a particular CRL, + and it indicates whether the CRL covers revocation for end entity + certificates only, CA certificates only, attribute certificates only, + + or a limited set of reason codes. 
Although the extension is + critical, conforming implementations are not required to support this + extension. + + + + + + + +Housley, et. al. Standards Track [Page 58] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The CRL is signed using the CRL issuer's private key. CRL + Distribution Points do not have their own key pairs. If the CRL is + stored in the X.500 Directory, it is stored in the Directory entry + corresponding to the CRL distribution point, which may be different + than the Directory entry of the CRL issuer. + + The reason codes associated with a distribution point MUST be + specified in onlySomeReasons. If onlySomeReasons does not appear, + the distribution point MUST contain revocations for all reason codes. + CAs may use CRL distribution points to partition the CRL on the basis + of compromise and routine revocation. In this case, the revocations + with reason code keyCompromise (1), cACompromise (2), and + aACompromise (8) appear in one distribution point, and the + revocations with other reason codes appear in another distribution + point. + + If the distributionPoint field is present and contains a URI, the + following semantics MUST be assumed: the object is a pointer to the + most current CRL issued by this CRL issuer. The URI schemes ftp, + http, mailto [RFC1738] and ldap [RFC1778] are defined for this + purpose. The URI MUST be an absolute pathname, not a relative + pathname, and MUST specify the host. + + If the distributionPoint field is absent, the CRL MUST contain + entries for all revoked unexpired certificates issued by the CRL + issuer, if any, within the scope of the CRL. + + The CRL issuer MUST assert the indirectCRL boolean, if the scope of + the CRL includes certificates issued by authorities other than the + CRL issuer. The authority responsible for each entry is indicated by + the certificate issuer CRL entry extension (section 5.3.4). 
+ + id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } + + issuingDistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE, + onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE } + +5.2.6 Freshest CRL (a.k.a. Delta CRL Distribution Point) + + The freshest CRL extension identifies how delta CRL information for + this complete CRL is obtained. The extension MUST be non-critical. + This extension MUST NOT appear in delta CRLs. + + + + +Housley, et. al. Standards Track [Page 59] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The same syntax is used for this extension as the + cRLDistributionPoints certificate extension, and is described in + section 4.2.1.14. However, only the distribution point field is + meaningful in this context. The reasons and CRLIssuer fields MUST be + omitted from this CRL extension. + + Each distribution point name provides the location at which a delta + CRL for this complete CRL can be found. The scope of these delta + CRLs MUST be the same as the scope of this complete CRL. The + contents of this CRL extension are only used to locate delta CRLs; + the contents are not used to validate the CRL or the referenced delta + CRLs. The encoding conventions defined for distribution points in + section 4.2.1.14 apply to this extension. + + id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + + FreshestCRL ::= CRLDistributionPoints + +5.3 CRL Entry Extensions + + The CRL entry extensions defined by ISO/IEC, ITU-T, and ANSI X9 for + X.509 v2 CRLs provide methods for associating additional attributes + with CRL entries [X.509] [X9.55]. The X.509 v2 CRL format also + allows communities to define private CRL entry extensions to carry + information unique to those communities. 
Each extension in a CRL + entry may be designated as critical or non-critical. A CRL + validation MUST fail if it encounters a critical CRL entry extension + which it does not know how to process. However, an unrecognized non- + critical CRL entry extension may be ignored. The following + subsections present recommended extensions used within Internet CRL + entries and standard locations for information. Communities may + elect to use additional CRL entry extensions; however, caution should + be exercised in adopting any critical extensions in CRL entries which + might be used in a general context. + + All CRL entry extensions used in this specification are non-critical. + Support for these extensions is optional for conforming CRL issuers + and applications. However, CRL issuers SHOULD include reason codes + (section 5.3.1) and invalidity dates (section 5.3.3) whenever this + information is available. + +5.3.1 Reason Code + + The reasonCode is a non-critical CRL entry extension that identifies + the reason for the certificate revocation. CRL issuers are strongly + encouraged to include meaningful reason codes in CRL entries; + however, the reason code CRL entry extension SHOULD be absent instead + of using the unspecified (0) reasonCode value. + + + +Housley, et. al. Standards Track [Page 60] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 } + + -- reasonCode ::= { CRLReason } + + CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) } + +5.3.2 Hold Instruction Code + + The hold instruction code is a non-critical CRL entry extension that + provides a registered instruction identifier which indicates the + action to be taken after encountering a certificate that has been + placed on hold. 
+ + id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } + + holdInstructionCode ::= OBJECT IDENTIFIER + + The following instruction codes have been defined. Conforming + applications that process this extension MUST recognize the following + instruction codes. + + holdInstruction OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) x9-57(10040) 2 } + + id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1} + id-holdinstruction-callissuer + OBJECT IDENTIFIER ::= {holdInstruction 2} + id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3} + + Conforming applications which encounter an id-holdinstruction- + callissuer MUST call the certificate issuer or reject the + certificate. Conforming applications which encounter an id- + holdinstruction-reject MUST reject the certificate. The hold + instruction id-holdinstruction-none is semantically equivalent to the + absence of a holdInstructionCode, and its use is strongly deprecated + for the Internet PKI. + + + + + +Housley, et. al. Standards Track [Page 61] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +5.3.3 Invalidity Date + + The invalidity date is a non-critical CRL entry extension that + provides the date on which it is known or suspected that the private + key was compromised or that the certificate otherwise became invalid. + This date may be earlier than the revocation date in the CRL entry, + which is the date at which the CA processed the revocation. When a + revocation is first posted by a CRL issuer in a CRL, the invalidity + date may precede the date of issue of earlier CRLs, but the + revocation date SHOULD NOT precede the date of issue of earlier CRLs. + Whenever this information is available, CRL issuers are strongly + encouraged to share it with CRL users. + + The GeneralizedTime values included in this field MUST be expressed + in Greenwich Mean Time (Zulu), and MUST be specified and interpreted + as defined in section 4.1.2.5.2. 
+ + id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } + + invalidityDate ::= GeneralizedTime + +5.3.4 Certificate Issuer + + This CRL entry extension identifies the certificate issuer associated + with an entry in an indirect CRL, that is, a CRL that has the + indirectCRL indicator set in its issuing distribution point + extension. If this extension is not present on the first entry in an + indirect CRL, the certificate issuer defaults to the CRL issuer. On + subsequent entries in an indirect CRL, if this extension is not + present, the certificate issuer for the entry is the same as that for + the preceding entry. This field is defined as follows: + + id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } + + certificateIssuer ::= GeneralNames + + If used by conforming CRL issuers, this extension MUST always be + critical. If an implementation ignored this extension it could not + correctly attribute CRL entries to certificates. This specification + RECOMMENDS that implementations recognize this extension. + +6 Certification Path Validation + + Certification path validation procedures for the Internet PKI are + based on the algorithm supplied in [X.509]. Certification path + processing verifies the binding between the subject distinguished + name and/or subject alternative name and subject public key. The + binding is limited by constraints which are specified in the + + + +Housley, et. al. Standards Track [Page 62] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + certificates which comprise the path and inputs which are specified + by the relying party. The basic constraints and policy constraints + extensions allow the certification path processing logic to automate + the decision making process. + + This section describes an algorithm for validating certification + paths. 
Conforming implementations of this specification are not + required to implement this algorithm, but MUST provide functionality + equivalent to the external behavior resulting from this procedure. + Any algorithm may be used by a particular implementation so long as + it derives the correct result. + + In section 6.1, the text describes basic path validation. Valid + paths begin with certificates issued by a trust anchor. The + algorithm requires the public key of the CA, the CA's name, and any + constraints upon the set of paths which may be validated using this + key. + + The selection of a trust anchor is a matter of policy: it could be + the top CA in a hierarchical PKI; the CA that issued the verifier's + own certificate(s); or any other CA in a network PKI. The path + validation procedure is the same regardless of the choice of trust + anchor. In addition, different applications may rely on different + trust anchor, or may accept paths that begin with any of a set of + trust anchor. + + Section 6.2 describes methods for using the path validation algorithm + in specific implementations. Two specific cases are discussed: the + case where paths may begin with one of several trusted CAs; and where + compatibility with the PEM architecture is required. + + Section 6.3 describes the steps necessary to determine if a + certificate is revoked or on hold status when CRLs are the revocation + mechanism used by the certificate issuer. + +6.1 Basic Path Validation + + This text describes an algorithm for X.509 path processing. A + conformant implementation MUST include an X.509 path processing + procedure that is functionally equivalent to the external behavior of + this algorithm. However, support for some of the certificate + extensions processed in this algorithm are OPTIONAL for compliant + implementations. Clients that do not support these extensions MAY + omit the corresponding steps in the path validation algorithm. + + + + + + + +Housley, et. al. 
Standards Track [Page 63] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + For example, clients are NOT REQUIRED to support the policy mapping + extension. Clients that do not support this extension MAY omit the + path validation steps where policy mappings are processed. Note that + clients MUST reject the certificate if it contains an unsupported + critical extension. + + The algorithm presented in this section validates the certificate + with respect to the current date and time. A conformant + implementation MAY also support validation with respect to some point + in the past. Note that mechanisms are not available for validating a + certificate with respect to a time outside the certificate validity + period. + + The trust anchor is an input to the algorithm. There is no + requirement that the same trust anchor be used to validate all + certification paths. Different trust anchors MAY be used to validate + different paths, as discussed further in Section 6.2. + + The primary goal of path validation is to verify the binding between + a subject distinguished name or a subject alternative name and + subject public key, as represented in the end entity certificate, + based on the public key of the trust anchor. This requires obtaining + a sequence of certificates that support that binding. The procedure + performed to obtain this sequence of certificates is outside the + scope of this specification. + + To meet this goal, the path validation process verifies, among other + things, that a prospective certification path (a sequence of n + certificates) satisfies the following conditions: + + (a) for all x in {1, ..., n-1}, the subject of certificate x is + the issuer of certificate x+1; + + (b) certificate 1 is issued by the trust anchor; + + (c) certificate n is the certificate to be validated; and + + (d) for all x in {1, ..., n}, the certificate was valid at the + time in question. 
+ + When the trust anchor is provided in the form of a self-signed + certificate, this self-signed certificate is not included as part of + the prospective certification path. Information about trust anchors + are provided as inputs to the certification path validation algorithm + (section 6.1.1). + + + + + + +Housley, et. al. Standards Track [Page 64] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + A particular certification path may not, however, be appropriate for + all applications. Therefore, an application MAY augment this + algorithm to further limit the set of valid paths. The path + validation process also determines the set of certificate policies + that are valid for this path, based on the certificate policies + extension, policy mapping extension, policy constraints extension, + and inhibit any-policy extension. To achieve this, the path + validation algorithm constructs a valid policy tree. If the set of + certificate policies that are valid for this path is not empty, then + the result will be a valid policy tree of depth n, otherwise the + result will be a null valid policy tree. + + A certificate is self-issued if the DNs that appear in the subject + and issuer fields are identical and are not empty. In general, the + issuer and subject of the certificates that make up a path are + different for each certificate. However, a CA may issue a + certificate to itself to support key rollover or changes in + certificate policies. These self-issued certificates are not counted + when evaluating path length or name constraints. + + This section presents the algorithm in four basic steps: (1) + initialization, (2) basic certificate processing, (3) preparation for + the next certificate, and (4) wrap-up. Steps (1) and (4) are + performed exactly once. Step (2) is performed for all certificates + in the path. Step (3) is performed for all certificates in the path + except the final certificate. 
Figure 2 provides a high-level + flowchart of this algorithm. + + + + + + + + + + + + + + + + + + + + + + + + +Housley, et. al. Standards Track [Page 65] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +-------+ + | START | + +-------+ + | + V + +----------------+ + | Initialization | + +----------------+ + | + +<--------------------+ + | | + V | + +----------------+ | + | Process Cert | | + +----------------+ | + | | + V | + +================+ | + | IF Last Cert | | + | in Path | | + +================+ | + | | | + THEN | | ELSE | + V V | + +----------------+ +----------------+ | + | Wrap up | | Prepare for | | + +----------------+ | Next Cert | | + | +----------------+ | + V | | + +-------+ +--------------+ + | STOP | + +-------+ + + + Figure 2. Certification Path Processing Flowchart + +6.1.1 Inputs + + This algorithm assumes the following seven inputs are provided to the + path processing logic: + + (a) a prospective certification path of length n. + + (b) the current date/time. + + + + + + + +Housley, et. al. Standards Track [Page 66] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (c) user-initial-policy-set: A set of certificate policy + identifiers naming the policies that are acceptable to the + certificate user. The user-initial-policy-set contains the + special value any-policy if the user is not concerned about + certificate policy. + + (d) trust anchor information, describing a CA that serves as a + trust anchor for the certification path. The trust anchor + information includes: + + (1) the trusted issuer name, + + (2) the trusted public key algorithm, + + (3) the trusted public key, and + + (4) optionally, the trusted public key parameters associated + with the public key. + + The trust anchor information may be provided to the path + processing procedure in the form of a self-signed certificate. 
+ The trusted anchor information is trusted because it was delivered + to the path processing procedure by some trustworthy out-of-band + procedure. If the trusted public key algorithm requires + parameters, then the parameters are provided along with the + trusted public key. + + (e) initial-policy-mapping-inhibit, which indicates if policy + mapping is allowed in the certification path. + + (f) initial-explicit-policy, which indicates if the path must be + valid for at least one of the certificate policies in the user- + initial-policy-set. + + (g) initial-any-policy-inhibit, which indicates whether the + anyPolicy OID should be processed if it is included in a + certificate. + +6.1.2 Initialization + + This initialization phase establishes eleven state variables based + upon the seven inputs: + + (a) valid_policy_tree: A tree of certificate policies with their + optional qualifiers; each of the leaves of the tree represents a + valid policy at this stage in the certification path validation. + If valid policies exist at this stage in the certification path + validation, the depth of the tree is equal to the number of + + + +Housley, et. al. Standards Track [Page 67] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + certificates in the chain that have been processed. If valid + policies do not exist at this stage in the certification path + validation, the tree is set to NULL. Once the tree is set to + NULL, policy processing ceases. + + Each node in the valid_policy_tree includes four data objects: the + valid policy, a set of associated policy qualifiers, a set of one + or more expected policy values, and a criticality indicator. If + the node is at depth x, the components of the node have the + following semantics: + + (1) The valid_policy is a single policy OID representing a + valid policy for the path of length x. + + (2) The qualifier_set is a set of policy qualifiers associated + with the valid policy in certificate x. 
+ + (3) The criticality_indicator indicates whether the + certificate policy extension in certificate x was marked as + critical. + + (4) The expected_policy_set contains one or more policy OIDs + that would satisfy this policy in the certificate x+1. + + The initial value of the valid_policy_tree is a single node with + valid_policy anyPolicy, an empty qualifier_set, an + expected_policy_set with the single value anyPolicy, and a + criticality_indicator of FALSE. This node is considered to be at + depth zero. + + Figure 3 is a graphic representation of the initial state of the + valid_policy_tree. Additional figures will use this format to + describe changes in the valid_policy_tree during path processing. + + +----------------+ + | anyPolicy | <---- valid_policy + +----------------+ + | {} | <---- qualifier_set + +----------------+ + | FALSE | <---- criticality_indicator + +----------------+ + | {anyPolicy} | <---- expected_policy_set + +----------------+ + + Figure 3. Initial value of the valid_policy_tree state variable + + + + + + +Housley, et. al. Standards Track [Page 68] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (b) permitted_subtrees: A set of root names for each name type + (e.g., X.500 distinguished names, email addresses, or ip + addresses) defining a set of subtrees within which all subject + names in subsequent certificates in the certification path MUST + fall. This variable includes a set for each name type: the + initial value for the set for Distinguished Names is the set of + all Distinguished names; the initial value for the set of RFC822 + names is the set of all RFC822 names, etc. + + (c) excluded_subtrees: A set of root names for each name type + (e.g., X.500 distinguished names, email addresses, or ip + addresses) defining a set of subtrees within which no subject name + in subsequent certificates in the certification path may fall. 
+ This variable includes a set for each name type, and the initial + value for each set is empty. + + (d) explicit_policy: an integer which indicates if a non-NULL + valid_policy_tree is required. The integer indicates the number of + non-self-issued certificates to be processed before this + requirement is imposed. Once set, this variable may be decreased, + but may not be increased. That is, if a certificate in the path + requires a non-NULL valid_policy_tree, a later certificate can not + remove this requirement. If initial-explicit-policy is set, then + the initial value is 0, otherwise the initial value is n+1. + + (e) inhibit_any-policy: an integer which indicates whether the + anyPolicy policy identifier is considered a match. The integer + indicates the number of non-self-issued certificates to be + processed before the anyPolicy OID, if asserted in a certificate, + is ignored. Once set, this variable may be decreased, but may not + be increased. That is, if a certificate in the path inhibits + processing of anyPolicy, a later certificate can not permit it. + If initial-any-policy-inhibit is set, then the initial value is 0, + otherwise the initial value is n+1. + + (f) policy_mapping: an integer which indicates if policy mapping + is permitted. The integer indicates the number of non-self-issued + certificates to be processed before policy mapping is inhibited. + Once set, this variable may be decreased, but may not be + increased. That is, if a certificate in the path specifies policy + mapping is not permitted, it can not be overridden by a later + certificate. If initial-policy-mapping-inhibit is set, then the + initial value is 0, otherwise the initial value is n+1. + + (g) working_public_key_algorithm: the digital signature algorithm + used to verify the signature of a certificate. The + working_public_key_algorithm is initialized from the trusted + public key algorithm provided in the trust anchor information. + + + +Housley, et. al. 
Standards Track [Page 69] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (h) working_public_key: the public key used to verify the + signature of a certificate. The working_public_key is initialized + from the trusted public key provided in the trust anchor + information. + + (i) working_public_key_parameters: parameters associated with the + current public key, that may be required to verify a signature + (depending upon the algorithm). The working_public_key_parameters + variable is initialized from the trusted public key parameters + provided in the trust anchor information. + + (j) working_issuer_name: the issuer distinguished name expected + in the next certificate in the chain. The working_issuer_name is + initialized to the trusted issuer provided in the trust anchor + information. + + (k) max_path_length: this integer is initialized to n, is + decremented for each non-self-issued certificate in the path, and + may be reduced to the value in the path length constraint field + within the basic constraints extension of a CA certificate. + + Upon completion of the initialization steps, perform the basic + certificate processing steps specified in 6.1.3. + +6.1.3 Basic Certificate Processing + + The basic path processing actions to be performed for certificate i + (for all i in [1..n]) are listed below. + + (a) Verify the basic certificate information. The certificate + MUST satisfy each of the following: + + (1) The certificate was signed with the + working_public_key_algorithm using the working_public_key and + the working_public_key_parameters. + + (2) The certificate validity period includes the current time. + + (3) At the current time, the certificate is not revoked and is + not on hold status. This may be determined by obtaining the + appropriate CRL (section 6.3), status information, or by out- + of-band mechanisms. + + (4) The certificate issuer name is the working_issuer_name. + + + + + + + +Housley, et. al. 
Standards Track [Page 70] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (b) If certificate i is self-issued and it is not the final + certificate in the path, skip this step for certificate i. + Otherwise, verify that the subject name is within one of the + permitted_subtrees for X.500 distinguished names, and verify that + each of the alternative names in the subjectAltName extension + (critical or non-critical) is within one of the permitted_subtrees + for that name type. + + (c) If certificate i is self-issued and it is not the final + certificate in the path, skip this step for certificate i. + Otherwise, verify that the subject name is not within one of the + excluded_subtrees for X.500 distinguished names, and verify that + each of the alternative names in the subjectAltName extension + (critical or non-critical) is not within one of the + excluded_subtrees for that name type. + + (d) If the certificate policies extension is present in the + certificate and the valid_policy_tree is not NULL, process the + policy information by performing the following steps in order: + + (1) For each policy P not equal to anyPolicy in the + certificate policies extension, let P-OID denote the OID in + policy P and P-Q denote the qualifier set for policy P. + Perform the following steps in order: + + (i) If the valid_policy_tree includes a node of depth i-1 + where P-OID is in the expected_policy_set, create a child + node as follows: set the valid_policy to OID-P; set the + qualifier_set to P-Q, and set the expected_policy_set to + {P-OID}. + + For example, consider a valid_policy_tree with a node of + depth i-1 where the expected_policy_set is {Gold, White}. + Assume the certificate policies Gold and Silver appear in + the certificate policies extension of certificate i. The + Gold policy is matched but the Silver policy is not. This + rule will generate a child node of depth i for the Gold + policy. The result is shown as Figure 4. 
+ + + + + + + + + + + + + +Housley, et. al. Standards Track [Page 71] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +-----------------+ + | Red | + +-----------------+ + | {} | + +-----------------+ node of depth i-1 + | FALSE | + +-----------------+ + | {Gold, White} | + +-----------------+ + | + | + | + V + +-----------------+ + | Gold | + +-----------------+ + | {} | + +-----------------+ node of depth i + | uninitialized | + +-----------------+ + | {Gold} | + +-----------------+ + + Figure 4. Processing an exact match + + (ii) If there was no match in step (i) and the + valid_policy_tree includes a node of depth i-1 with the + valid policy anyPolicy, generate a child node with the + following values: set the valid_policy to P-OID; set the + qualifier_set to P-Q, and set the expected_policy_set to + {P-OID}. + + For example, consider a valid_policy_tree with a node of + depth i-1 where the valid_policy is anyPolicy. Assume the + certificate policies Gold and Silver appear in the + certificate policies extension of certificate i. The Gold + policy does not have a qualifier, but the Silver policy has + the qualifier Q-Silver. If Gold and Silver were not matched + in (i) above, this rule will generate two child nodes of + depth i, one for each policy. The result is shown as Figure + 5. + + + + + + + + + + +Housley, et. al. 
Standards Track [Page 72] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +-----------------+ + | anyPolicy | + +-----------------+ + | {} | + +-----------------+ node of depth i-1 + | FALSE | + +-----------------+ + | {anyPolicy} | + +-----------------+ + / \ + / \ + / \ + / \ + +-----------------+ +-----------------+ + | Gold | | Silver | + +-----------------+ +-----------------+ + | {} | | {Q-Silver} | + +-----------------+ nodes of +-----------------+ + | uninitialized | depth i | uninitialized | + +-----------------+ +-----------------+ + | {Gold} | | {Silver} | + +-----------------+ +-----------------+ + + Figure 5. Processing unmatched policies when a leaf node + specifies anyPolicy + + (2) If the certificate policies extension includes the policy + anyPolicy with the qualifier set AP-Q and either (a) + inhibit_any-policy is greater than 0 or (b) i<n and the + certificate is self-issued, then: + + For each node in the valid_policy_tree of depth i-1, for each + value in the expected_policy_set (including anyPolicy) that + does not appear in a child node, create a child node with the + following values: set the valid_policy to the value from the + expected_policy_set in the parent node; set the qualifier_set + to AP-Q, and set the expected_policy_set to the value in the + valid_policy from this node. + + For example, consider a valid_policy_tree with a node of depth + i-1 where the expected_policy_set is {Gold, Silver}. Assume + anyPolicy appears in the certificate policies extension of + certificate i, but Gold and Silver do not. This rule will + generate two child nodes of depth i, one for each policy. The + result is shown below as Figure 6. + + + + + + +Housley, et. al. 
Standards Track [Page 73] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +-----------------+ + | Red | + +-----------------+ + | {} | + +-----------------+ node of depth i-1 + | FALSE | + +-----------------+ + | {Gold, Silver} | + +-----------------+ + / \ + / \ + / \ + / \ + +-----------------+ +-----------------+ + | Gold | | Silver | + +-----------------+ +-----------------+ + | {} | | {} | + +-----------------+ nodes of +-----------------+ + | uninitialized | depth i | uninitialized | + +-----------------+ +-----------------+ + | {Gold} | | {Silver} | + +-----------------+ +-----------------+ + + Figure 6. Processing unmatched policies when the certificate + policies extension specifies anyPolicy + + (3) If there is a node in the valid_policy_tree of depth i-1 + or less without any child nodes, delete that node. Repeat this + step until there are no nodes of depth i-1 or less without + children. + + For example, consider the valid_policy_tree shown in Figure 7 + below. The two nodes at depth i-1 that are marked with an 'X' + have no children, and are deleted. Applying this rule to the + resulting tree will cause the node at depth i-2 that is marked + with an 'Y' to be deleted. The following application of the + rule does not cause any nodes to be deleted, and this step is + complete. + + + + + + + + + + + + + +Housley, et. al. 
Standards Track [Page 74] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + +-----------+ + | | node of depth i-3 + +-----------+ + / | \ + / | \ + / | \ + +-----------+ +-----------+ +-----------+ + | | | | | Y | nodes of + +-----------+ +-----------+ +-----------+ depth i-2 + / \ | | + / \ | | + / \ | | + +-----------+ +-----------+ +-----------+ +-----------+ nodes of + | | | X | | | | X | depth + +-----------+ +-----------+ +-----------+ +-----------+ i-1 + | / | \ + | / | \ + | / | \ + +-----------+ +-----------+ +-----------+ +-----------+ nodes of + | | | | | | | | depth + +-----------+ +-----------+ +-----------+ +-----------+ i + + Figure 7. Pruning the valid_policy_tree + + (4) If the certificate policies extension was marked as + critical, set the criticality_indicator in all nodes of depth i + to TRUE. If the certificate policies extension was not marked + critical, set the criticality_indicator in all nodes of depth i + to FALSE. + + (e) If the certificate policies extension is not present, set the + valid_policy_tree to NULL. + + (f) Verify that either explicit_policy is greater than 0 or the + valid_policy_tree is not equal to NULL; + + If any of steps (a), (b), (c), or (f) fails, the procedure + terminates, returning a failure indication and an appropriate reason. + + If i is not equal to n, continue by performing the preparatory steps + listed in 6.1.4. If i is equal to n, perform the wrap-up steps + listed in 6.1.5. + +6.1.4 Preparation for Certificate i+1 + + To prepare for processing of certificate i+1, perform the following + steps for certificate i: + + + + +Housley, et. al. Standards Track [Page 75] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (a) If a policy mapping extension is present, verify that the + special value anyPolicy does not appear as an issuerDomainPolicy + or a subjectDomainPolicy. 
+ + (b) If a policy mapping extension is present, then for each + issuerDomainPolicy ID-P in the policy mapping extension: + + (1) If the policy_mapping variable is greater than 0, for each + node in the valid_policy_tree of depth i where ID-P is the + valid_policy, set expected_policy_set to the set of + subjectDomainPolicy values that are specified as equivalent to + ID-P by the policy mapping extension. + + If no node of depth i in the valid_policy_tree has a + valid_policy of ID-P but there is a node of depth i with a + valid_policy of anyPolicy, then generate a child node of the + node of depth i-1 that has a valid_policy of anyPolicy as + follows: + + (i) set the valid_policy to ID-P; + + (ii) set the qualifier_set to the qualifier set of the + policy anyPolicy in the certificate policies extension of + certificate i; + + (iii) set the criticality_indicator to the criticality of + the certificate policies extension of certificate i; + + (iv) and set the expected_policy_set to the set of + subjectDomainPolicy values that are specified as equivalent + to ID-P by the policy mappings extension. + + (2) If the policy_mapping variable is equal to 0: + + (i) delete each node of depth i in the valid_policy_tree + where ID-P is the valid_policy. + + (ii) If there is a node in the valid_policy_tree of depth + i-1 or less without any child nodes, delete that node. + Repeat this step until there are no nodes of depth i-1 or + less without children. + + (c) Assign the certificate subject name to working_issuer_name. + + (d) Assign the certificate subjectPublicKey to + working_public_key. + + + + + +Housley, et. al. Standards Track [Page 76] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (e) If the subjectPublicKeyInfo field of the certificate contains + an algorithm field with non-null parameters, assign the parameters + to the working_public_key_parameters variable. 
+ + If the subjectPublicKeyInfo field of the certificate contains an + algorithm field with null parameters or parameters are omitted, + compare the certificate subjectPublicKey algorithm to the + working_public_key_algorithm. If the certificate subjectPublicKey + algorithm and the working_public_key_algorithm are different, set + the working_public_key_parameters to null. + + (f) Assign the certificate subjectPublicKey algorithm to the + working_public_key_algorithm variable. + + (g) If a name constraints extension is included in the + certificate, modify the permitted_subtrees and excluded_subtrees + state variables as follows: + + (1) If permittedSubtrees is present in the certificate, set + the permitted_subtrees state variable to the intersection of + its previous value and the value indicated in the extension + field. If permittedSubtrees does not include a particular name + type, the permitted_subtrees state variable is unchanged for + that name type. For example, the intersection of nist.gov and + csrc.nist.gov is csrc.nist.gov. And, the intersection of + nist.gov and rsasecurity.com is the empty set. + + (2) If excludedSubtrees is present in the certificate, set the + excluded_subtrees state variable to the union of its previous + value and the value indicated in the extension field. If + excludedSubtrees does not include a particular name type, the + excluded_subtrees state variable is unchanged for that name + type. For example, the union of the name spaces nist.gov and + csrc.nist.gov is nist.gov. And, the union of nist.gov and + rsasecurity.com is both name spaces. + + (h) If the issuer and subject names are not identical: + + (1) If explicit_policy is not 0, decrement explicit_policy by + 1. + + (2) If policy_mapping is not 0, decrement policy_mapping by 1. + + (3) If inhibit_any-policy is not 0, decrement inhibit_any- + policy by 1. + + + + + + +Housley, et. al. 
Standards Track [Page 77] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (i) If a policy constraints extension is included in the + certificate, modify the explicit_policy and policy_mapping state + variables as follows: + + (1) If requireExplicitPolicy is present and is less than + explicit_policy, set explicit_policy to the value of + requireExplicitPolicy. + + (2) If inhibitPolicyMapping is present and is less than + policy_mapping, set policy_mapping to the value of + inhibitPolicyMapping. + + (j) If the inhibitAnyPolicy extension is included in the + certificate and is less than inhibit_any-policy, set inhibit_any- + policy to the value of inhibitAnyPolicy. + + (k) Verify that the certificate is a CA certificate (as specified + in a basicConstraints extension or as verified out-of-band). + + (l) If the certificate was not self-issued, verify that + max_path_length is greater than zero and decrement max_path_length + by 1. + + (m) If pathLengthConstraint is present in the certificate and is + less than max_path_length, set max_path_length to the value of + pathLengthConstraint. + + (n) If a key usage extension is present, verify that the + keyCertSign bit is set. + + (o) Recognize and process any other critical extension present in + the certificate. Process any other recognized non-critical + extension present in the certificate. + + If check (a), (k), (l), (n) or (o) fails, the procedure terminates, + returning a failure indication and an appropriate reason. + + If (a), (k), (l), (n) and (o) have completed successfully, increment + i and perform the basic certificate processing specified in 6.1.3. + +6.1.5 Wrap-up procedure + + To complete the processing of the end entity certificate, perform the + following steps for certificate n: + + (a) If certificate n was not self-issued and explicit_policy is + not 0, decrement explicit_policy by 1. + + + + +Housley, et. al. 
Standards Track [Page 78] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (b) If a policy constraints extension is included in the + certificate and requireExplicitPolicy is present and has a value + of 0, set the explicit_policy state variable to 0. + + (c) Assign the certificate subjectPublicKey to + working_public_key. + + (d) If the subjectPublicKeyInfo field of the certificate contains + an algorithm field with non-null parameters, assign the parameters + to the working_public_key_parameters variable. + + If the subjectPublicKeyInfo field of the certificate contains an + algorithm field with null parameters or parameters are omitted, + compare the certificate subjectPublicKey algorithm to the + working_public_key_algorithm. If the certificate subjectPublicKey + algorithm and the working_public_key_algorithm are different, set + the working_public_key_parameters to null. + + (e) Assign the certificate subjectPublicKey algorithm to the + working_public_key_algorithm variable. + + (f) Recognize and process any other critical extension present in + the certificate n. Process any other recognized non-critical + extension present in certificate n. + + (g) Calculate the intersection of the valid_policy_tree and the + user-initial-policy-set, as follows: + + (i) If the valid_policy_tree is NULL, the intersection is + NULL. + + (ii) If the valid_policy_tree is not NULL and the user- + initial-policy-set is any-policy, the intersection is the + entire valid_policy_tree. + + (iii) If the valid_policy_tree is not NULL and the user- + initial-policy-set is not any-policy, calculate the + intersection of the valid_policy_tree and the user-initial- + policy-set as follows: + + 1. Determine the set of policy nodes whose parent nodes + have a valid_policy of anyPolicy. This is the + valid_policy_node_set. + + 2. 
If the valid_policy of any node in the + valid_policy_node_set is not in the user-initial-policy-set + and is not anyPolicy, delete this node and all its children. + + + + +Housley, et. al. Standards Track [Page 79] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + 3. If the valid_policy_tree includes a node of depth n with + the valid_policy anyPolicy and the user-initial-policy-set + is not any-policy perform the following steps: + + a. Set P-Q to the qualifier_set in the node of depth n + with valid_policy anyPolicy. + + b. For each P-OID in the user-initial-policy-set that is + not the valid_policy of a node in the + valid_policy_node_set, create a child node whose parent + is the node of depth n-1 with the valid_policy anyPolicy. + Set the values in the child node as follows: set the + valid_policy to P-OID; set the qualifier_set to P-Q; copy + the criticality_indicator from the node of depth n with + the valid_policy anyPolicy; and set the + expected_policy_set to {P-OID}. + + c. Delete the node of depth n with the valid_policy + anyPolicy. + + 4. If there is a node in the valid_policy_tree of depth n-1 + or less without any child nodes, delete that node. Repeat + this step until there are no nodes of depth n-1 or less + without children. + + If either (1) the value of explicit_policy variable is greater than + zero, or (2) the valid_policy_tree is not NULL, then path processing + has succeeded. + +6.1.6 Outputs + + If path processing succeeds, the procedure terminates, returning a + success indication together with final value of the + valid_policy_tree, the working_public_key, the + working_public_key_algorithm, and the working_public_key_parameters. + +6.2 Using the Path Validation Algorithm + + The path validation algorithm describes the process of validating a + single certification path. 
While each certification path begins with + a specific trust anchor, there is no requirement that all + certification paths validated by a particular system share a single + trust anchor. An implementation that supports multiple trust anchors + MAY augment the algorithm presented in section 6.1 to further limit + the set of valid certification paths which begin with a particular + trust anchor. For example, an implementation MAY modify the + algorithm to apply name constraints to a specific trust anchor during + the initialization phase, or the application MAY require the presence + + + +Housley, et. al. Standards Track [Page 80] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + of a particular alternative name form in the end entity certificate, + or the application MAY impose requirements on application-specific + extensions. Thus, the path validation algorithm presented in section + 6.1 defines the minimum conditions for a path to be considered valid. + + The selection of one or more trusted CAs is a local decision. A + system may provide any one of its trusted CAs as the trust anchor for + a particular path. The inputs to the path validation algorithm may + be different for each path. The inputs used to process a path may + reflect application-specific requirements or limitations in the trust + accorded a particular trust anchor. For example, a trusted CA may + only be trusted for a particular certificate policy. This + restriction can be expressed through the inputs to the path + validation procedure. + + It is also possible to specify an extended version of the above + certification path processing procedure which results in default + behavior identical to the rules of PEM [RFC 1422]. In this extended + version, additional inputs to the procedure are a list of one or more + Policy Certification Authority (PCA) names and an indicator of the + position in the certification path where the PCA is expected. 
At the + nominated PCA position, the CA name is compared against this list. + If a recognized PCA name is found, then a constraint of + SubordinateToCA is implicitly assumed for the remainder of the + certification path and processing continues. If no valid PCA name is + found, and if the certification path cannot be validated on the basis + of identified policies, then the certification path is considered + invalid. + +6.3 CRL Validation + + This section describes the steps necessary to determine if a + certificate is revoked or on hold status when CRLs are the revocation + mechanism used by the certificate issuer. Conforming implementations + that support CRLs are not required to implement this algorithm, but + they MUST be functionally equivalent to the external behavior + resulting from this procedure. Any algorithm may be used by a + particular implementation so long as it derives the correct result. + + This algorithm assumes that all of the needed CRLs are available in a + local cache. Further, if the next update time of a CRL has passed, + the algorithm assumes a mechanism to fetch a current CRL and place it + in the local CRL cache. + + This algorithm defines a set of inputs, a set of state variables, and + processing steps that are performed for each certificate in the path. + The algorithm output is the revocation status of the certificate. + + + + +Housley, et. al. Standards Track [Page 81] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +6.3.1 Revocation Inputs + + To support revocation processing, the algorithm requires two inputs: + + (a) certificate: The algorithm requires the certificate serial + number and issuer name to determine whether a certificate is on a + particular CRL. The basicConstraints extension is used to + determine whether the supplied certificate is associated with a CA + or an end entity. If present, the algorithm uses the + cRLDistributionsPoint and freshestCRL extensions to determine + revocation status. 
+ + (b) use-deltas: This boolean input determines whether delta CRLs + are applied to CRLs. + + Note that implementations supporting legacy PKIs, such as RFC 1422 + and X.509 version 1, will need an additional input indicating + whether the supplied certificate is associated with a CA or an end + entity. + +6.3.2 Initialization and Revocation State Variables + + To support CRL processing, the algorithm requires the following state + variables: + + (a) reasons_mask: This variable contains the set of revocation + reasons supported by the CRLs and delta CRLs processed so far. + The legal members of the set are the possible revocation reason + values: unspecified, keyCompromise, caCompromise, + affiliationChanged, superseded, cessationOfOperation, + certificateHold, privilegeWithdrawn, and aACompromise. The + special value all-reasons is used to denote the set of all legal + members. This variable is initialized to the empty set. + + (b) cert_status: This variable contains the status of the + certificate. This variable may be assigned one of the following + values: unspecified, keyCompromise, caCompromise, + affiliationChanged, superseded, cessationOfOperation, + certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise, + the special value UNREVOKED, or the special value UNDETERMINED. + This variable is initialized to the special value UNREVOKED. + + (c) interim_reasons_mask: This contains the set of revocation + reasons supported by the CRL or delta CRL currently being + processed. + + + + + + +Housley, et. al. Standards Track [Page 82] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + Note: In some environments, it is not necessary to check all reason + codes. For example, some environments are only concerned with + caCompromise and keyCompromise for CA certificates. This algorithm + checks all reason codes. Additional processing and state variables + may be necessary to limit the checking to a subset of the reason + codes. 
+ +6.3.3 CRL Processing + + This algorithm begins by assuming the certificate is not revoked. + The algorithm checks one or more CRLs until either the certificate + status is determined to be revoked or sufficient CRLs have been + checked to cover all reason codes. + + For each distribution point (DP) in the certificate CRL distribution + points extension, for each corresponding CRL in the local CRL cache, + while ((reasons_mask is not all-reasons) and (cert_status is + UNREVOKED)) perform the following: + + (a) Update the local CRL cache by obtaining a complete CRL, a + delta CRL, or both, as required: + + (1) If the current time is after the value of the CRL next + update field, then do one of the following: + + (i) If use-deltas is set and either the certificate or the + CRL contains the freshest CRL extension, obtain a delta CRL + with the a next update value that is after the current time + and can be used to update the locally cached CRL as + specified in section 5.2.4. + + (ii) Update the local CRL cache with a current complete + CRL, verify that the current time is before the next update + value in the new CRL, and continue processing with the new + CRL. If use-deltas is set, then obtain the current delta + CRL that can be used to update the new locally cached + complete CRL as specified in section 5.2.4. + + (2) If the current time is before the value of the next update + field and use-deltas is set, then obtain the current delta CRL + that can be used to update the locally cached complete CRL as + specified in section 5.2.4. + + (b) Verify the issuer and scope of the complete CRL as follows: + + + + + + + +Housley, et. al. Standards Track [Page 83] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (1) If the DP includes cRLIssuer, then verify that the issuer + field in the complete CRL matches cRLIssuer in the DP and that + the complete CRL contains an issuing distribution point + extension with the indrectCRL boolean asserted. 
Otherwise, + verify that the CRL issuer matches the certificate issuer. + + (2) If the complete CRL includes an issuing distribution point + (IDP) CRL extension check the following: + + (i) If the distribution point name is present in the IDP + CRL extension and the distribution field is present in the + DP, then verify that one of the names in the IDP matches one + of the names in the DP. If the distribution point name is + present in the IDP CRL extension and the distribution field + is omitted from the DP, then verify that one of the names in + the IDP matches one of the names in the cRLIssuer field of + the DP. + + (ii) If the onlyContainsUserCerts boolean is asserted in + the IDP CRL extension, verify that the certificate does not + include the basic constraints extension with the cA boolean + asserted. + + (iii) If the onlyContainsCACerts boolean is asserted in the + IDP CRL extension, verify that the certificate includes the + basic constraints extension with the cA boolean asserted. + + (iv) Verify that the onlyContainsAttributeCerts boolean is + not asserted. + + (c) If use-deltas is set, verify the issuer and scope of the + delta CRL as follows: + + (1) Verify that the delta CRL issuer matches complete CRL + issuer. + + (2) If the complete CRL includes an issuing distribution point + (IDP) CRL extension, verify that the delta CRL contains a + matching IDP CRL extension. If the complete CRL omits an IDP + CRL extension, verify that the delta CRL also omits an IDP CRL + extension. + + (3) Verify that the delta CRL authority key identifier + extension matches complete CRL authority key identifier + extension. + + + + + + +Housley, et. al. 
Standards Track [Page 84] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (d) Compute the interim_reasons_mask for this CRL as follows: + + (1) If the issuing distribution point (IDP) CRL extension is + present and includes onlySomeReasons and the DP includes + reasons, then set interim_reasons_mask to the intersection of + reasons in the DP and onlySomeReasons in IDP CRL extension. + + (2) If the IDP CRL extension includes onlySomeReasons but the + DP omits reasons, then set interim_reasons_mask to the value of + onlySomeReasons in IDP CRL extension. + + (3) If the IDP CRL extension is not present or omits + onlySomeReasons but the DP includes reasons, then set + interim_reasons_mask to the value of DP reasons. + + (4) If the IDP CRL extension is not present or omits + onlySomeReasons and the DP omits reasons, then set + interim_reasons_mask to the special value all-reasons. + + (e) Verify that interim_reasons_mask includes one or more reasons + that is not included in the reasons_mask. + + (f) Obtain and validate the certification path for the complete CRL + issuer. If a key usage extension is present in the CRL issuer's + certificate, verify that the cRLSign bit is set. + + (g) Validate the signature on the complete CRL using the public key + validated in step (f). + + (h) If use-deltas is set, then validate the signature on the delta + CRL using the public key validated in step (f). + + (i) If use-deltas is set, then search for the certificate on the + delta CRL. If an entry is found that matches the certificate issuer + and serial number as described in section 5.3.4, then set the + cert_status variable to the indicated reason as follows: + + (1) If the reason code CRL entry extension is present, set the + cert_status variable to the value of the reason code CRL entry + extension. + + (2) If the reason code CRL entry extension is not present, set + the cert_status variable to the value unspecified. + + + + + + + + +Housley, et. al. 
Standards Track [Page 85] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (j) If (cert_status is UNREVOKED), then search for the + certificate on the complete CRL. If an entry is found that + matches the certificate issuer and serial number as described in + section 5.3.4, then set the cert_status variable to the indicated + reason as described in step (i). + + (k) If (cert_status is removeFromCRL), then set cert_status to + UNREVOKED. + + If ((reasons_mask is all-reasons) OR (cert_status is not UNREVOKED)), + then the revocation status has been determined, so return + cert_status. + + If the revocation status has not been determined, repeat the process + above with any available CRLs not specified in a distribution point + but issued by the certificate issuer. For the processing of such a + CRL, assume a DP with both the reasons and the cRLIssuer fields + omitted and a distribution point name of the certificate issuer. + That is, the sequence of names in fullName is generated from the + certificate issuer field as well as the certificate issuerAltName + extension. If the revocation status remains undetermined, then + return the cert_status UNDETERMINED. + +7 References + + [ISO 10646] ISO/IEC 10646-1:1993. International Standard -- + Information technology -- Universal Multiple-Octet Coded + Character Set (UCS) -- Part 1: Architecture and Basic + Multilingual Plane. + + [RFC 791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC 822] Crocker, D., "Standard for the format of ARPA Internet + text messages", STD 11, RFC 822, August 1982. + + [RFC 1034] Mockapetris, P., "Domain Names - Concepts and + Facilities", STD 13, RFC 1034, November 1987. + + [RFC 1422] Kent, S., "Privacy Enhancement for Internet Electronic + Mail: Part II: Certificate-Based Key Management," RFC + 1422, February 1993. 
+ + [RFC 1423] Balenson, D., "Privacy Enhancement for Internet + Electronic Mail: Part III: Algorithms, Modes, and + Identifiers," RFC 1423, February 1993. + + + + + +Housley, et. al. Standards Track [Page 86] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + [RFC 1510] Kohl, J. and C. Neuman, "The Kerberos Network + Authentication Service (V5)," RFC 1510, September 1993. + + [RFC 1519] Fuller, V., T. Li, J. Yu and K. Varadhan, "Classless + Inter-Domain Routing (CIDR): An Address Assignment and + Aggregation Strategy", RFC 1519, September 1993. + + [RFC 1738] Berners-Lee, T., L. Masinter and M. McCahill, "Uniform + Resource Locators (URL)", RFC 1738, December 1994. + + [RFC 1778] Howes, T., S. Kille, W. Yeong and C. Robbins, "The String + Representation of Standard Attribute Syntaxes," RFC 1778, + March 1995. + + [RFC 1883] Deering, S. and R. Hinden. "Internet Protocol, Version 6 + (IPv6) Specification", RFC 1883, December 1995. + + [RFC 2044] F. Yergeau, F., "UTF-8, a transformation format of + Unicode and ISO 10646", RFC 2044, October 1996. + + [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC 2247] Kille, S., M. Wahl, A. Grimstad, R. Huber and S. + Sataluri, "Using Domains in LDAP/X.500 Distinguished + Names", RFC 2247, January 1998. + + [RFC 2252] Wahl, M., A. Coulbeck, T. Howes and S. Kille, + "Lightweight Directory Access Protocol (v3): Attribute + Syntax Definitions", RFC 2252, December 1997. + + [RFC 2277] Alvestrand, H., "IETF Policy on Character Sets and + Languages", BCP 18, RFC 2277, January 1998. + + [RFC 2279] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", RFC 2279, January 1998. + + [RFC 2459] Housley, R., W. Ford, W. Polk and D. Solo, "Internet + X.509 Public Key Infrastructure: Certificate and CRL + Profile", RFC 2459, January 1999. + + [RFC 2560] Myers, M., R. Ankney, A. Malpani, S. Galperin and C. 
+ Adams, "Online Certificate Status Protocal - OCSP", June + 1999. + + [SDN.701] SDN.701, "Message Security Protocol 4.0", Revision A, + 1997-02-06. + + + + +Housley, et. al. Standards Track [Page 87] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + [X.501] ITU-T Recommendation X.501: Information Technology - Open + Systems Interconnection - The Directory: Models, 1993. + + [X.509] ITU-T Recommendation X.509 (1997 E): Information + Technology - Open Systems Interconnection - The + Directory: Authentication Framework, June 1997. + + [X.520] ITU-T Recommendation X.520: Information Technology - Open + Systems Interconnection - The Directory: Selected + Attribute Types, 1993. + + [X.660] ITU-T Recommendation X.660 Information Technology - ASN.1 + encoding rules: Specification of Basic Encoding Rules + (BER), Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER), 1997. + + [X.690] ITU-T Recommendation X.690 Information Technology - Open + Systems Interconnection - Procedures for the operation of + OSI Registration Authorities: General procedures, 1992. + + [X9.55] ANSI X9.55-1995, Public Key Cryptography For The + Financial Services Industry: Extensions To Public Key + Certificates And Certificate Revocation Lists, 8 + December, 1995. + + [PKIXALGS] Bassham, L., Polk, W. and R. Housley, "Algorithms and + Identifiers for the Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation + Lists (CRL) Profile", RFC 3279, April 2002. + + [PKIXTSA] Adams, C., Cain, P., Pinkas, D. and R. Zuccherato, + "Internet X.509 Public Key Infrastructure Time-Stamp + Protocol (TSP)", RFC 3161, August 2001. + +8 Intellectual Property Rights + + The IETF has been notified of intellectual property rights claimed in + regard to some or all of the specification contained in this + document. For more information consult the online list of claimed + rights (see http://www.ietf.org/ipr.html). 
+ + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + + + +Housley, et. al. Standards Track [Page 88] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + standards-related documentation can be found in BCP 11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + +9 Security Considerations + + The majority of this specification is devoted to the format and + content of certificates and CRLs. Since certificates and CRLs are + digitally signed, no additional integrity service is necessary. + Neither certificates nor CRLs need be kept secret, and unrestricted + and anonymous access to certificates and CRLs has no security + implications. + + However, security factors outside the scope of this specification + will affect the assurance provided to certificate users. This + section highlights critical issues to be considered by implementers, + administrators, and users. + + The procedures performed by CAs and RAs to validate the binding of + the subject's identity to their public key greatly affect the + assurance that ought to be placed in the certificate. Relying + parties might wish to review the CA's certificate practice statement. + This is particularly important when issuing certificates to other + CAs. 
+ + The use of a single key pair for both signature and other purposes is + strongly discouraged. Use of separate key pairs for signature and + key management provides several benefits to the users. The + ramifications associated with loss or disclosure of a signature key + are different from loss or disclosure of a key management key. Using + separate key pairs permits a balanced and flexible response. + Similarly, different validity periods or key lengths for each key + pair may be appropriate in some application environments. + Unfortunately, some legacy applications (e.g., SSL) use a single key + pair for signature and key management. + + The protection afforded private keys is a critical security factor. + On a small scale, failure of users to protect their private keys will + permit an attacker to masquerade as them, or decrypt their personal + information. On a larger scale, compromise of a CA's private signing + key may have a catastrophic effect. If an attacker obtains the + private key unnoticed, the attacker may issue bogus certificates and + CRLs. Existence of bogus certificates and CRLs will undermine + confidence in the system. If such a compromise is detected, all + certificates issued to the compromised CA MUST be revoked, preventing + + + +Housley, et. al. Standards Track [Page 89] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + services between its users and users of other CAs. Rebuilding after + such a compromise will be problematic, so CAs are advised to + implement a combination of strong technical measures (e.g., tamper- + resistant cryptographic modules) and appropriate management + procedures (e.g., separation of duties) to avoid such an incident. + + Loss of a CA's private signing key may also be problematic. The CA + would not be able to produce CRLs or perform normal key rollover. + CAs SHOULD maintain secure backup for signing keys. 
The security of + the key backup procedures is a critical factor in avoiding key + compromise. + + The availability and freshness of revocation information affects the + degree of assurance that ought to be placed in a certificate. While + certificates expire naturally, events may occur during its natural + lifetime which negate the binding between the subject and public key. + If revocation information is untimely or unavailable, the assurance + associated with the binding is clearly reduced. Relying parties + might not be able to process every critical extension that can appear + in a CRL. CAs SHOULD take extra care when making revocation + information available only through CRLs that contain critical + extensions, particularly if support for those extensions is not + mandated by this profile. For example, if revocation information is + supplied using a combination of delta CRLs and full CRLs, and the + delta CRLs are issued more frequently than the full CRLs, then + relying parties that cannot handle the critical extensions related to + delta CRL processing will not be able to obtain the most recent + revocation information. Alternatively, if a full CRL is issued + whenever a delta CRL is issued, then timely revocation information + will be available to all relying parties. Similarly, implementations + of the certification path validation mechanism described in section 6 + that omit revocation checking provide less assurance than those that + support it. + + The certification path validation algorithm depends on the certain + knowledge of the public keys (and other information) about one or + more trusted CAs. The decision to trust a CA is an important + decision as it ultimately determines the trust afforded a + certificate. The authenticated distribution of trusted CA public + keys (usually in the form of a "self-signed" certificate) is a + security critical out-of-band process that is beyond the scope of + this specification. 
+ + In addition, where a key compromise or CA failure occurs for a + trusted CA, the user will need to modify the information provided to + the path validation routine. Selection of too many trusted CAs makes + + + + + +Housley, et. al. Standards Track [Page 90] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + the trusted CA information difficult to maintain. On the other hand, + selection of only one trusted CA could limit users to a closed + community of users. + + The quality of implementations that process certificates also affects + the degree of assurance provided. The path validation algorithm + described in section 6 relies upon the integrity of the trusted CA + information, and especially the integrity of the public keys + associated with the trusted CAs. By substituting public keys for + which an attacker has the private key, an attacker could trick the + user into accepting false certificates. + + The binding between a key and certificate subject cannot be stronger + than the cryptographic module implementation and algorithms used to + generate the signature. Short key lengths or weak hash algorithms + will limit the utility of a certificate. CAs are encouraged to note + advances in cryptology so they can employ strong cryptographic + techniques. In addition, CAs SHOULD decline to issue certificates to + CAs or end entities that generate weak signatures. + + Inconsistent application of name comparison rules can result in + acceptance of invalid X.509 certification paths, or rejection of + valid ones. The X.500 series of specifications defines rules for + comparing distinguished names that require comparison of strings + without regard to case, character set, multi-character white space + substring, or leading and trailing white space. This specification + relaxes these requirements, requiring support for binary comparison + at a minimum. 
+ + CAs MUST encode the distinguished name in the subject field of a CA + certificate identically to the distinguished name in the issuer field + in certificates issued by that CA. If CAs use different encodings, + implementations might fail to recognize name chains for paths that + include this certificate. As a consequence, valid paths could be + rejected. + + In addition, name constraints for distinguished names MUST be stated + identically to the encoding used in the subject field or + subjectAltName extension. If not, then name constraints stated as + excludedSubTrees will not match and invalid paths will be accepted + and name constraints expressed as permittedSubtrees will not match + and valid paths will be rejected. To avoid acceptance of invalid + paths, CAs SHOULD state name constraints for distinguished names as + permittedSubtrees wherever possible. + + + + + + + +Housley, et. al. Standards Track [Page 91] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +Appendix A. Psuedo-ASN.1 Structures and OIDs + + This section describes data objects used by conforming PKI components + in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and + 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with 1993 + UNIVERSAL Types UniversalString, BMPString and UTF8String. + + The ASN.1 syntax does not permit the inclusion of type statements in + the ASN.1 module, and the 1993 ASN.1 standard does not permit use of + the new UNIVERSAL types in modules using the 1988 syntax. As a + result, this module does not conform to either version of the ASN.1 + standard. + + This appendix may be converted into 1988 ASN.1 by replacing the + definitions for the UNIVERSAL Types with the 1988 catch-all "ANY". 
+ +A.1 Explicitly Tagged Module, 1988 Syntax + +PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +-- IMPORTS NONE -- + +-- UNIVERSAL Types defined in 1993 and 1998 ASN.1 +-- and required by this specification + +UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING + -- UniversalString is defined in ASN.1:1993 + +BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING + -- BMPString is the subtype of UniversalString and models + -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1 + +UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The content of this type conforms to RFC 2279. + +-- PKIX specific OIDs + +id-pkix OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) } + + + + +Housley, et. al. Standards Track [Page 92] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- PKIX arcs + +id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + -- arc for private certificate extensions +id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + -- arc for policy qualifier types +id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + -- arc for extended key purpose OIDS +id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + -- arc for access descriptors + +-- policyQualifierIds for Internet policy qualifiers + +id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + -- OID for CPS qualifier +id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + -- OID for user notice qualifier + +-- access descriptor definitions + +id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } +id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } +id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } +id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + +-- attribute data types + +Attribute ::= SEQUENCE { + type AttributeType, + values SET OF AttributeValue } + -- at least one value is required + +AttributeType ::= OBJECT 
IDENTIFIER + +AttributeValue ::= ANY + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue } + +-- suggested naming attributes: Definition of the following +-- information object set may be augmented to meet local +-- requirements. Note that deleting members of the set may +-- prevent interoperability with conforming implementations. +-- presented in pairs: the AttributeType followed by the +-- type definition for the corresponding AttributeValue +--Arc for standard naming attributes +id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + + + +Housley, et. al. Standards Track [Page 93] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- Naming attributes of type X520name + +id-at-name AttributeType ::= { id-at 41 } +id-at-surname AttributeType ::= { id-at 4 } +id-at-givenName AttributeType ::= { id-at 42 } +id-at-initials AttributeType ::= { id-at 43 } +id-at-generationQualifier AttributeType ::= { id-at 44 } + +X520name ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-name)), + printableString PrintableString (SIZE (1..ub-name)), + universalString UniversalString (SIZE (1..ub-name)), + utf8String UTF8String (SIZE (1..ub-name)), + bmpString BMPString (SIZE (1..ub-name)) } + +-- Naming attributes of type X520CommonName + +id-at-commonName AttributeType ::= { id-at 3 } + +X520CommonName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-common-name)), + printableString PrintableString (SIZE (1..ub-common-name)), + universalString UniversalString (SIZE (1..ub-common-name)), + utf8String UTF8String (SIZE (1..ub-common-name)), + bmpString BMPString (SIZE (1..ub-common-name)) } + +-- Naming attributes of type X520LocalityName + +id-at-localityName AttributeType ::= { id-at 7 } + +X520LocalityName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-locality-name)), + printableString PrintableString (SIZE (1..ub-locality-name)), + universalString UniversalString (SIZE (1..ub-locality-name)), + 
utf8String UTF8String (SIZE (1..ub-locality-name)), + bmpString BMPString (SIZE (1..ub-locality-name)) } + +-- Naming attributes of type X520StateOrProvinceName + +id-at-stateOrProvinceName AttributeType ::= { id-at 8 } + +X520StateOrProvinceName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-state-name)), + printableString PrintableString (SIZE (1..ub-state-name)), + universalString UniversalString (SIZE (1..ub-state-name)), + utf8String UTF8String (SIZE (1..ub-state-name)), + bmpString BMPString (SIZE(1..ub-state-name)) } + + + + +Housley, et. al. Standards Track [Page 94] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- Naming attributes of type X520OrganizationName + +id-at-organizationName AttributeType ::= { id-at 10 } + +X520OrganizationName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organization-name)), + printableString PrintableString + (SIZE (1..ub-organization-name)), + universalString UniversalString + (SIZE (1..ub-organization-name)), + utf8String UTF8String + (SIZE (1..ub-organization-name)), + bmpString BMPString + (SIZE (1..ub-organization-name)) } + +-- Naming attributes of type X520OrganizationalUnitName + +id-at-organizationalUnitName AttributeType ::= { id-at 11 } + +X520OrganizationalUnitName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organizational-unit-name)), + printableString PrintableString + (SIZE (1..ub-organizational-unit-name)), + universalString UniversalString + (SIZE (1..ub-organizational-unit-name)), + utf8String UTF8String + (SIZE (1..ub-organizational-unit-name)), + bmpString BMPString + (SIZE (1..ub-organizational-unit-name)) } + +-- Naming attributes of type X520Title + +id-at-title AttributeType ::= { id-at 12 } + +X520Title ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-title)), + printableString PrintableString (SIZE (1..ub-title)), + universalString UniversalString (SIZE (1..ub-title)), + utf8String UTF8String (SIZE (1..ub-title)), + bmpString BMPString 
(SIZE (1..ub-title)) } + +-- Naming attributes of type X520dnQualifier + +id-at-dnQualifier AttributeType ::= { id-at 46 } + +X520dnQualifier ::= PrintableString + + + +Housley, et. al. Standards Track [Page 95] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- Naming attributes of type X520countryName (digraph from IS 3166) + +id-at-countryName AttributeType ::= { id-at 6 } + +X520countryName ::= PrintableString (SIZE (2)) + +-- Naming attributes of type X520SerialNumber + +id-at-serialNumber AttributeType ::= { id-at 5 } + +X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) + +-- Naming attributes of type X520Pseudonym + +id-at-pseudonym AttributeType ::= { id-at 65 } + +X520Pseudonym ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-pseudonym)), + printableString PrintableString (SIZE (1..ub-pseudonym)), + universalString UniversalString (SIZE (1..ub-pseudonym)), + utf8String UTF8String (SIZE (1..ub-pseudonym)), + bmpString BMPString (SIZE (1..ub-pseudonym)) } + +-- Naming attributes of type DomainComponent (from RFC 2247) + +id-domainComponent AttributeType ::= + { 0 9 2342 19200300 100 1 25 } + +DomainComponent ::= IA5String + +-- Legacy attributes + +pkcs-9 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } + +id-emailAddress AttributeType ::= { pkcs-9 1 } + +EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) + +-- naming data types -- + +Name ::= CHOICE { -- only one possibility for now -- + rdnSequence RDNSequence } + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +DistinguishedName ::= RDNSequence + + + + +Housley, et. al. Standards Track [Page 96] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +RelativeDistinguishedName ::= + SET SIZE (1 .. 
MAX) OF AttributeTypeAndValue + +-- Directory string type -- + +DirectoryString ::= CHOICE { + teletexString TeletexString (SIZE (1..MAX)), + printableString PrintableString (SIZE (1..MAX)), + universalString UniversalString (SIZE (1..MAX)), + utf8String UTF8String (SIZE (1..MAX)), + bmpString BMPString (SIZE (1..MAX)) } + +-- certificate and CRL specific structures begin here + +Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version MUST be v3 -- } + +Version ::= INTEGER { v1(0), v2(1), v3(2) } + +CertificateSerialNumber ::= INTEGER + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + +UniqueIdentifier ::= BIT STRING + + + + +Housley, et. al. 
Standards Track [Page 97] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + +Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING } + +-- CRL structures + +CertificateList ::= SEQUENCE { + tbsCertList TBSCertList, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL + -- if present, MUST be v2 + } OPTIONAL, + crlExtensions [0] Extensions OPTIONAL } + -- if present, MUST be v2 + +-- Version, Time, CertificateSerialNumber, and Extensions were +-- defined earlier for use in the certificate structure + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL } + -- contains a value of the type + -- registered for use with the + -- algorithm object identifier value + +-- X.400 address syntax starts here + + + + + + +Housley, et. al. 
Standards Track [Page 98] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +ORAddress ::= SEQUENCE { + built-in-standard-attributes BuiltInStandardAttributes, + built-in-domain-defined-attributes + BuiltInDomainDefinedAttributes OPTIONAL, + -- see also teletex-domain-defined-attributes + extension-attributes ExtensionAttributes OPTIONAL } + +-- Built-in Standard Attributes + +BuiltInStandardAttributes ::= SEQUENCE { + country-name CountryName OPTIONAL, + administration-domain-name AdministrationDomainName OPTIONAL, + network-address [0] IMPLICIT NetworkAddress OPTIONAL, + -- see also extended-network-address + terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, + private-domain-name [2] PrivateDomainName OPTIONAL, + organization-name [3] IMPLICIT OrganizationName OPTIONAL, + -- see also teletex-organization-name + numeric-user-identifier [4] IMPLICIT NumericUserIdentifier + OPTIONAL, + personal-name [5] IMPLICIT PersonalName OPTIONAL, + -- see also teletex-personal-name + organizational-unit-names [6] IMPLICIT OrganizationalUnitNames + OPTIONAL } + -- see also teletex-organizational-unit-names + +CountryName ::= [APPLICATION 1] CHOICE { + x121-dcc-code NumericString + (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +AdministrationDomainName ::= [APPLICATION 2] CHOICE { + numeric NumericString (SIZE (0..ub-domain-name-length)), + printable PrintableString (SIZE (0..ub-domain-name-length)) } + +NetworkAddress ::= X121Address -- see also extended-network-address + +X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) + +TerminalIdentifier ::= PrintableString (SIZE +(1..ub-terminal-id-length)) + +PrivateDomainName ::= CHOICE { + numeric NumericString (SIZE (1..ub-domain-name-length)), + printable PrintableString (SIZE (1..ub-domain-name-length)) } + + + + + +Housley, et. al. 
Standards Track [Page 99] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +OrganizationName ::= PrintableString + (SIZE (1..ub-organization-name-length)) + -- see also teletex-organization-name + +NumericUserIdentifier ::= NumericString + (SIZE (1..ub-numeric-user-id-length)) + +PersonalName ::= SET { + surname [0] IMPLICIT PrintableString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT PrintableString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT PrintableString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT PrintableString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + -- see also teletex-personal-name + +OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) + OF OrganizationalUnitName + -- see also teletex-organizational-unit-names + +OrganizationalUnitName ::= PrintableString (SIZE + (1..ub-organizational-unit-name-length)) + +-- Built-in Domain-defined Attributes + +BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF + BuiltInDomainDefinedAttribute + +BuiltInDomainDefinedAttribute ::= SEQUENCE { + type PrintableString (SIZE + (1..ub-domain-defined-attribute-type-length)), + value PrintableString (SIZE + (1..ub-domain-defined-attribute-value-length)) } + +-- Extension Attributes + +ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF + ExtensionAttribute + +ExtensionAttribute ::= SEQUENCE { + extension-attribute-type [0] IMPLICIT INTEGER + (0..ub-extension-attributes), + extension-attribute-value [1] + ANY DEFINED BY extension-attribute-type } + + + +Housley, et. al. 
Standards Track [Page 100] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- Extension types and attribute values + +common-name INTEGER ::= 1 + +CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) + +teletex-common-name INTEGER ::= 2 + +TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) + +teletex-organization-name INTEGER ::= 3 + +TeletexOrganizationName ::= + TeletexString (SIZE (1..ub-organization-name-length)) + +teletex-personal-name INTEGER ::= 4 + +TeletexPersonalName ::= SET { + surname [0] IMPLICIT TeletexString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT TeletexString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT TeletexString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT TeletexString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + +teletex-organizational-unit-names INTEGER ::= 5 + +TeletexOrganizationalUnitNames ::= SEQUENCE SIZE + (1..ub-organizational-units) OF TeletexOrganizationalUnitName + +TeletexOrganizationalUnitName ::= TeletexString + (SIZE (1..ub-organizational-unit-name-length)) + +pds-name INTEGER ::= 7 + +PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) + +physical-delivery-country-name INTEGER ::= 8 + +PhysicalDeliveryCountryName ::= CHOICE { + x121-dcc-code NumericString (SIZE +(ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + + + + +Housley, et. al. 
Standards Track [Page 101] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +postal-code INTEGER ::= 9 + +PostalCode ::= CHOICE { + numeric-code NumericString (SIZE (1..ub-postal-code-length)), + printable-code PrintableString (SIZE (1..ub-postal-code-length)) } + +physical-delivery-office-name INTEGER ::= 10 + +PhysicalDeliveryOfficeName ::= PDSParameter + +physical-delivery-office-number INTEGER ::= 11 + +PhysicalDeliveryOfficeNumber ::= PDSParameter + +extension-OR-address-components INTEGER ::= 12 + +ExtensionORAddressComponents ::= PDSParameter + +physical-delivery-personal-name INTEGER ::= 13 + +PhysicalDeliveryPersonalName ::= PDSParameter + +physical-delivery-organization-name INTEGER ::= 14 + +PhysicalDeliveryOrganizationName ::= PDSParameter + +extension-physical-delivery-address-components INTEGER ::= 15 + +ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter + +unformatted-postal-address INTEGER ::= 16 + +UnformattedPostalAddress ::= SET { + printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) + OF PrintableString (SIZE (1..ub-pds-parameter-length)) + OPTIONAL, + teletex-string TeletexString + (SIZE (1..ub-unformatted-address-length)) OPTIONAL } + +street-address INTEGER ::= 17 + +StreetAddress ::= PDSParameter + +post-office-box-address INTEGER ::= 18 + +PostOfficeBoxAddress ::= PDSParameter + +poste-restante-address INTEGER ::= 19 + + + +Housley, et. al. 
Standards Track [Page 102] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +PosteRestanteAddress ::= PDSParameter + +unique-postal-name INTEGER ::= 20 + +UniquePostalName ::= PDSParameter + +local-postal-attributes INTEGER ::= 21 + +LocalPostalAttributes ::= PDSParameter + +PDSParameter ::= SET { + printable-string PrintableString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL } + +extended-network-address INTEGER ::= 22 + +ExtendedNetworkAddress ::= CHOICE { + e163-4-address SEQUENCE { + number [0] IMPLICIT NumericString + (SIZE (1..ub-e163-4-number-length)), + sub-address [1] IMPLICIT NumericString + (SIZE (1..ub-e163-4-sub-address-length)) + OPTIONAL }, + psap-address [0] IMPLICIT PresentationAddress } + +PresentationAddress ::= SEQUENCE { + pSelector [0] EXPLICIT OCTET STRING OPTIONAL, + sSelector [1] EXPLICIT OCTET STRING OPTIONAL, + tSelector [2] EXPLICIT OCTET STRING OPTIONAL, + nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } + +terminal-type INTEGER ::= 23 + +TerminalType ::= INTEGER { + telex (3), + teletex (4), + g3-facsimile (5), + g4-facsimile (6), + ia5-terminal (7), + videotex (8) } (0..ub-integer-options) + +-- Extension Domain-defined Attributes + +teletex-domain-defined-attributes INTEGER ::= 6 + + + + + +Housley, et. al. 
Standards Track [Page 103] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +TeletexDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute + +TeletexDomainDefinedAttribute ::= SEQUENCE { + type TeletexString + (SIZE (1..ub-domain-defined-attribute-type-length)), + value TeletexString + (SIZE (1..ub-domain-defined-attribute-value-length)) } + +-- specifications of Upper Bounds MUST be regarded as mandatory +-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter +-- Upper Bounds + +-- Upper Bounds +ub-name INTEGER ::= 32768 +ub-common-name INTEGER ::= 64 +ub-locality-name INTEGER ::= 128 +ub-state-name INTEGER ::= 128 +ub-organization-name INTEGER ::= 64 +ub-organizational-unit-name INTEGER ::= 64 +ub-title INTEGER ::= 64 +ub-serial-number INTEGER ::= 64 +ub-match INTEGER ::= 128 +ub-emailaddress-length INTEGER ::= 128 +ub-common-name-length INTEGER ::= 64 +ub-country-name-alpha-length INTEGER ::= 2 +ub-country-name-numeric-length INTEGER ::= 3 +ub-domain-defined-attributes INTEGER ::= 4 +ub-domain-defined-attribute-type-length INTEGER ::= 8 +ub-domain-defined-attribute-value-length INTEGER ::= 128 +ub-domain-name-length INTEGER ::= 16 +ub-extension-attributes INTEGER ::= 256 +ub-e163-4-number-length INTEGER ::= 15 +ub-e163-4-sub-address-length INTEGER ::= 40 +ub-generation-qualifier-length INTEGER ::= 3 +ub-given-name-length INTEGER ::= 16 +ub-initials-length INTEGER ::= 5 +ub-integer-options INTEGER ::= 256 +ub-numeric-user-id-length INTEGER ::= 32 +ub-organization-name-length INTEGER ::= 64 +ub-organizational-unit-name-length INTEGER ::= 32 +ub-organizational-units INTEGER ::= 4 +ub-pds-name-length INTEGER ::= 16 +ub-pds-parameter-length INTEGER ::= 30 +ub-pds-physical-address-lines INTEGER ::= 6 +ub-postal-code-length INTEGER ::= 16 +ub-pseudonym INTEGER ::= 128 +ub-surname-length INTEGER ::= 40 + + + +Housley, et. al. 
Standards Track [Page 104] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +ub-terminal-id-length INTEGER ::= 24 +ub-unformatted-address-length INTEGER ::= 180 +ub-x121-address-length INTEGER ::= 16 + +-- Note - upper bounds on string types, such as TeletexString, are +-- measured in characters. Excepting PrintableString or IA5String, a +-- significantly greater number of octets will be required to hold +-- such a value. As a minimum, 16 octets, or twice the specified +-- upper bound, whichever is the larger, should be allowed for +-- TeletexString. For UTF8String or UniversalString at least four +-- times the upper bound should be allowed. + +END + +A.2 Implicitly Tagged Module, 1988 Syntax + +PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } + +DEFINITIONS IMPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +IMPORTS + id-pe, id-kp, id-qt-unotice, id-qt-cps, + -- delete following line if "new" types are supported -- + BMPString, UTF8String, -- end "new" types -- + ORAddress, Name, RelativeDistinguishedName, + CertificateSerialNumber, Attribute, DirectoryString + FROM PKIX1Explicit88 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit(18) }; + + +-- ISO arc for standard certificate and CRL extensions + +id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} + +-- authority key identifier OID and syntax + +id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } + + + + + + + + +Housley, et. al. 
Standards Track [Page 105] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + -- authorityCertIssuer and authorityCertSerialNumber MUST both + -- be present or both be absent + +KeyIdentifier ::= OCTET STRING + +-- subject key identifier OID and syntax + +id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } + +SubjectKeyIdentifier ::= KeyIdentifier + +-- key usage extension OID and syntax + +id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + +KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) } + +-- private key usage period extension OID and syntax + +id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } + +PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL } + -- either notBefore or notAfter MUST be present + +-- certificate policies extension OID and syntax + +id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } + +anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } + +CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + +PolicyInformation ::= SEQUENCE { + + + +Housley, et. al. 
Standards Track [Page 106] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + +CertPolicyId ::= OBJECT IDENTIFIER + +PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId PolicyQualifierId, + qualifier ANY DEFINED BY policyQualifierId } + +-- Implementations that recognize additional policy qualifiers MUST +-- augment the following definition for PolicyQualifierId + +PolicyQualifierId ::= + OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) + +-- CPS pointer qualifier + +CPSuri ::= IA5String + +-- user notice qualifier + +UserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL} + +NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + +DisplayText ::= CHOICE { + ia5String IA5String (SIZE (1..200)), + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + +-- policy mapping extension OID and syntax + +id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + +PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId } + +-- subject alternative name extension OID and syntax + +id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } + + + + +Housley, et. al. 
Standards Track [Page 107] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +SubjectAltName ::= GeneralNames + +GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + +GeneralName ::= CHOICE { + otherName [0] AnotherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } + +-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as +-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax + +AnotherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } + +EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + +-- issuer alternative name extension OID and syntax + +id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } + +IssuerAltName ::= GeneralNames + +id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } + +SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute + +-- basic constraints extension OID and syntax + +id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } + +BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } + +-- name constraints extension OID and syntax + +id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } + + + + +Housley, et. al. 
Standards Track [Page 108] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL } + +GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL } + +BaseDistance ::= INTEGER (0..MAX) + +-- policy constraints extension OID and syntax + +id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } + +PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + +SkipCerts ::= INTEGER (0..MAX) + +-- CRL distribution points extension OID and syntax + +id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} + +CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + +DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + +DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + +ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) } + + + +Housley, et. al. 
Standards Track [Page 109] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +-- extended key usage extension OID and syntax + +id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} + +ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + + +KeyPurposeId ::= OBJECT IDENTIFIER + +-- permit unspecified key uses + +anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } + +-- extended key purpose OIDs + +id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } +id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } +id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } +id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } +id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } +id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + +-- inhibit any policy OID and syntax + +id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } + +InhibitAnyPolicy ::= SkipCerts + +-- freshest (delta)CRL extension OID and syntax + +id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + +FreshestCRL ::= CRLDistributionPoints + +-- authority info access + +id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + +AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + +-- subject info access + +id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } + + + +Housley, et. al. 
Standards Track [Page 110] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +SubjectInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +-- CRL number extension OID and syntax + +id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } + +CRLNumber ::= INTEGER (0..MAX) + +-- issuing distribution point extension OID and syntax + +id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } + +IssuingDistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE, + onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE } + +id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } + +BaseCRLNumber ::= CRLNumber + +-- CRL reasons extension OID and syntax + +id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } + +CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) } + +-- certificate issuer CRL entry extension OID and syntax + +id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } + +CertificateIssuer ::= GeneralNames + +-- hold instruction extension OID and syntax + + + +Housley, et. al. 
Standards Track [Page 111] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } + +HoldInstructionCode ::= OBJECT IDENTIFIER + +-- ANSI x9 holdinstructions + +-- ANSI x9 arc holdinstruction arc + +holdInstruction OBJECT IDENTIFIER ::= + {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} + +-- ANSI X9 holdinstructions referenced by this standard + +id-holdinstruction-none OBJECT IDENTIFIER ::= + {holdInstruction 1} -- deprecated + +id-holdinstruction-callissuer OBJECT IDENTIFIER ::= + {holdInstruction 2} + +id-holdinstruction-reject OBJECT IDENTIFIER ::= + {holdInstruction 3} + +-- invalidity date CRL entry extension OID and syntax + +id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } + +InvalidityDate ::= GeneralizedTime + +END + +Appendix B. ASN.1 Notes + + CAs MUST force the serialNumber to be a non-negative integer, that + is, the sign bit in the DER encoding of the INTEGER value MUST be + zero - this can be done by adding a leading (leftmost) `00'H octet if + necessary. This removes a potential ambiguity in mapping between a + string of octets and an integer value. + + As noted in section 4.1.2.2, serial numbers can be expected to + contain long integers. Certificate users MUST be able to handle + serialNumber values up to 20 octets in length. Conformant CAs MUST + NOT use serialNumber values longer than 20 octets. + + As noted in section 5.2.3, CRL numbers can be expected to contain + long integers. CRL validators MUST be able to handle cRLNumber + values up to 20 octets in length. Conformant CRL issuers MUST NOT + use cRLNumber values longer than 20 octets. + + + + +Housley, et. al. Standards Track [Page 112] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 + constructs. A valid ASN.1 sequence will have zero or more entries. 
+ The SIZE (1..MAX) construct constrains the sequence to have at least + one entry. MAX indicates the upper bound is unspecified. + Implementations are free to choose an upper bound that suits their + environment. + + The construct "positiveInt ::= INTEGER (0..MAX)" defines positiveInt + as a subtype of INTEGER containing integers greater than or equal to + zero. The upper bound is unspecified. Implementations are free to + select an upper bound that suits their environment. + + The character string type PrintableString supports a very basic Latin + character set: the lower case letters 'a' through 'z', upper case + letters 'A' through 'Z', the digits '0' through '9', eleven special + characters ' = ( ) + , - . / : ? and space. + + Implementers should note that the at sign ('@') and underscore ('_') + characters are not supported by the ASN.1 type PrintableString. + These characters often appear in internet addresses. Such addresses + MUST be encoded using an ASN.1 type that supports them. They are + usually encoded as IA5String in either the emailAddress attribute + within a distinguished name or the rfc822Name field of GeneralName. + Conforming implementations MUST NOT encode strings which include + either the at sign or underscore character as PrintableString. + + The character string type TeletexString is a superset of + PrintableString. TeletexString supports a fairly standard (ASCII- + like) Latin character set, Latin characters with non-spacing accents + and Japanese characters. + + Named bit lists are BIT STRINGs where the values have been assigned + names. This specification makes use of named bit lists in the + definitions for the key usage, CRL distribution points and freshest + CRL certificate extensions, as well as the freshest CRL and issuing + distribution point CRL extensions. When DER encoding a named bit + list, trailing zeroes MUST be omitted. That is, the encoded value + ends with the last named bit that is set to one. 
+ + The character string type UniversalString supports any of the + characters allowed by ISO 10646-1 [ISO 10646]. ISO 10646-1 is the + Universal multiple-octet coded Character Set (UCS). ISO 10646-1 + specifies the architecture and the "basic multilingual plane" -- a + large standard character set which includes all major world character + standards. + + + + + + +Housley, et. al. Standards Track [Page 113] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + The character string type UTF8String was introduced in the 1997 + version of ASN.1, and UTF8String was added to the list of choices for + DirectoryString in the 2001 version of X.520 [X.520]. UTF8String is + a universal type and has been assigned tag number 12. The content of + UTF8String was defined by RFC 2044 [RFC 2044] and updated in RFC 2279 + [RFC 2279]. + + In anticipation of these changes, and in conformance with IETF Best + Practices codified in RFC 2277 [RFC 2277], IETF Policy on Character + Sets and Languages, this document includes UTF8String as a choice in + DirectoryString and the CPS qualifier extensions. + + Implementers should note that the DER encoding of the SET OF values + requires ordering of the encodings of the values. In particular, + this issue arises with respect to distinguished names. + + Implementers should note that the DER encoding of SET or SEQUENCE + components whose value is the DEFAULT omit the component from the + encoded certificate or CRL. For example, a BasicConstraints + extension whose cA value is FALSE would omit the cA boolean from the + encoded certificate. + + Object Identifiers (OIDs) are used throughout this specification to + identify certificate policies, public key and signature algorithms, + certificate extensions, etc. There is no maximum size for OIDs. + This specification mandates support for OIDs which have arc elements + with values that are less than 2^28, that is, they MUST be between 0 + and 268,435,455, inclusive. 
This allows each arc element to be + represented within a single 32 bit word. Implementations MUST also + support OIDs where the length of the dotted decimal (see [RFC 2252], + section 4.1) string representation can be up to 100 bytes + (inclusive). Implementations MUST be able to handle OIDs with up to + 20 elements (inclusive). CAs SHOULD NOT issue certificates which + contain OIDs that exceed these requirements. Likewise, CRL issuers + SHOULD NOT issue CRLs which contain OIDs that exceed these + requirements. + + Implementors are warned that the X.500 standards community has + developed a series of extensibility rules. These rules determine + when an ASN.1 definition can be changed without assigning a new + object identifier (OID). For example, at least two extension + definitions included in RFC 2459 [RFC 2459], the predecessor to this + profile document, have different ASN.1 definitions in this + specification, but the same OID is used. If unknown elements appear + within an extension, and the extension is not marked critical, those + unknown elements ought to be ignored, as follows: + + (a) ignore all unknown bit name assignments within a bit string; + + + +Housley, et. al. Standards Track [Page 114] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (b) ignore all unknown named numbers in an ENUMERATED type or + INTEGER type that is being used in the enumerated style, provided + the number occurs as an optional element of a SET or SEQUENCE; and + + (c) ignore all unknown elements in SETs, at the end of SEQUENCEs, + or in CHOICEs where the CHOICE is itself an optional element of a + SET or SEQUENCE. + + If an extension containing unexpected values is marked critical, the + implementation MUST reject the certificate or CRL containing the + unrecognized extension. + +Appendix C. Examples + + This section contains four examples: three certificates and a CRL. + The first two certificates and the CRL comprise a minimal + certification path. 
+ + Section C.1 contains an annotated hex dump of a "self-signed" + certificate issued by a CA whose distinguished name is + cn=us,o=gov,ou=nist. The certificate contains a DSA public key with + parameters, and is signed by the corresponding DSA private key. + + Section C.2 contains an annotated hex dump of an end entity + certificate. The end entity certificate contains a DSA public key, + and is signed by the private key corresponding to the "self-signed" + certificate in section C.1. + + Section C.3 contains a dump of an end entity certificate which + contains an RSA public key and is signed with RSA and MD5. This + certificate is not part of the minimal certification path. + + Section C.4 contains an annotated hex dump of a CRL. The CRL is + issued by the CA whose distinguished name is cn=us,o=gov,ou=nist and + the list of revoked certificates includes the end entity certificate + presented in C.2. + + The certificates were processed using Peter Gutman's dumpasn1 utility + to generate the output. The source for the dumpasn1 utility is + available at <http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c>. The + binaries for the certificates and CRLs are available at + <http://csrc.nist.gov/pki/pkixtools>. + +C.1 Certificate + + This section contains an annotated hex dump of a 699 byte version 3 + certificate. The certificate contains the following information: + (a) the serial number is 23 (17 hex); + + + +Housley, et. al. 
Standards Track [Page 115] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (b) the certificate is signed with DSA and the SHA-1 hash algorithm; + (c) the issuer's distinguished name is OU=NIST; O=gov; C=US + (d) and the subject's distinguished name is OU=NIST; O=gov; C=US + (e) the certificate was issued on June 30, 1997 and will expire on + December 31, 1997; + (f) the certificate contains a 1024 bit DSA public key with + parameters; + (g) the certificate contains a subject key identifier extension + generated using method (1) of section 4.2.1.2; and + (h) the certificate is a CA certificate (as indicated through the + basic constraints extension.) + + 0 30 699: SEQUENCE { + 4 30 635: SEQUENCE { + 8 A0 3: [0] { + 10 02 1: INTEGER 2 + : } + 13 02 1: INTEGER 17 + 16 30 9: SEQUENCE { + 18 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } + 27 30 42: SEQUENCE { + 29 31 11: SET { + 31 30 9: SEQUENCE { + 33 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) + 38 13 2: PrintableString 'US' + : } + : } + 42 31 12: SET { + 44 30 10: SEQUENCE { + 46 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) + 51 13 3: PrintableString 'gov' + : } + : } + 56 31 13: SET { + 58 30 11: SEQUENCE { + 60 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) + 65 13 4: PrintableString 'NIST' + : } + : } + : } + 71 30 30: SEQUENCE { + 73 17 13: UTCTime '970630000000Z' + 88 17 13: UTCTime '971231000000Z' + : } +103 30 42: SEQUENCE { +105 31 11: SET { + + + +Housley, et. al. 
Standards Track [Page 116] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +107 30 9: SEQUENCE { +109 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) +114 13 2: PrintableString 'US' + : } + : } +118 31 12: SET { +120 30 10: SEQUENCE { +122 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) +127 13 3: PrintableString 'gov' + : } + : } +132 31 13: SET { +134 30 11: SEQUENCE { +136 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) +141 13 4: PrintableString 'NIST' + : } + : } + : } +147 30 440: SEQUENCE { +151 30 300: SEQUENCE { +155 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1) +164 30 287: SEQUENCE { +168 02 129: INTEGER + : 00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC + : FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC + : 48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F + : 22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64 + : 3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A + : C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD + : 35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E + : 5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A + : FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48 + : 63 FE 43 +300 02 21: INTEGER + : 00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA + : 55 F7 7D 57 74 81 E5 +323 02 129: INTEGER + : 00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91 + : C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92 + : 81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77 + : A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC + : 46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A + : 5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C + : 92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2 + : 62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF + : F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE + : 1E 57 18 + + + +Housley, et. al. 
Standards Track [Page 117] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + : } + : } +455 03 133: BIT STRING 0 unused bits, encapsulates { +459 02 129: INTEGER + : 00 B5 9E 1F 49 04 47 D1 DB F5 3A DD CA 04 + : 75 E8 DD 75 F6 9B 8A B1 97 D6 59 69 82 D3 + : 03 4D FD 3B 36 5F 4A F2 D1 4E C1 07 F5 D1 + : 2A D3 78 77 63 56 EA 96 61 4D 42 0B 7A 1D + : FB AB 91 A4 CE DE EF 77 C8 E5 EF 20 AE A6 + : 28 48 AF BE 69 C3 6A A5 30 F2 C2 B9 D9 82 + : 2B 7D D9 C4 84 1F DE 0D E8 54 D7 1B 99 2E + : B3 D0 88 F6 D6 63 9B A7 E2 0E 82 D4 3B 8A + : 68 1B 06 56 31 59 0B 49 EB 99 A5 D5 81 41 + : 7B C9 55 + : } + : } +591 A3 50: [3] { +593 30 48: SEQUENCE { +595 30 29: SEQUENCE { +597 06 3: OBJECT IDENTIFIER + : subjectKeyIdentifier (2 5 29 14) +602 04 22: OCTET STRING, encapsulates { +604 04 20: OCTET STRING + : 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 41 + : 2C 29 49 F4 86 56 + : } + : } +626 30 15: SEQUENCE { +628 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) +633 01 1: BOOLEAN TRUE +636 04 5: OCTET STRING, encapsulates { +638 30 3: SEQUENCE { +640 01 1: BOOLEAN TRUE + : } + : } + : } + : } + : } + : } +643 30 9: SEQUENCE { +645 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } +654 03 47: BIT STRING 0 unused bits, encapsulates { +657 30 44: SEQUENCE { +659 02 20: INTEGER + : 43 1B CF 29 25 45 C0 4E 52 E7 7D D6 FC B1 + : 66 4C 83 CF 2D 77 +681 02 20: INTEGER + + + +Housley, et. al. Standards Track [Page 118] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + : 0B 5B 9A 24 11 98 E8 F3 86 90 04 F6 08 A9 + : E1 8D A5 CC 3A D4 + : } + : } + : } + +C.2 Certificate + + This section contains an annotated hex dump of a 730 byte version 3 + certificate. 
The certificate contains the following information: + (a) the serial number is 18 (12 hex); + (b) the certificate is signed with DSA and the SHA-1 hash algorithm; + (c) the issuer's distinguished name is OU=nist; O=gov; C=US + (d) and the subject's distinguished name is CN=Tim Polk; OU=nist; + O=gov; C=US + (e) the certificate was valid from July 30, 1997 through December 1, + 1997; + (f) the certificate contains a 1024 bit DSA public key; + (g) the certificate is an end entity certificate, as the basic + constraints extension is not present; + (h) the certificate contains an authority key identifier extension + matching the subject key identifier of the certificate in Appendix + C.1; and + (i) the certificate includes one alternative name - an RFC 822 + address of "wpolk@nist.gov". + + 0 30 730: SEQUENCE { + 4 30 665: SEQUENCE { + 8 A0 3: [0] { + 10 02 1: INTEGER 2 + : } + 13 02 1: INTEGER 18 + 16 30 9: SEQUENCE { + 18 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } + 27 30 42: SEQUENCE { + 29 31 11: SET { + 31 30 9: SEQUENCE { + 33 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) + 38 13 2: PrintableString 'US' + : } + : } + 42 31 12: SET { + 44 30 10: SEQUENCE { + 46 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) + 51 13 3: PrintableString 'gov' + : } + : } + + + +Housley, et. al. 
Standards Track [Page 119] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + 56 31 13: SET { + 58 30 11: SEQUENCE { + 60 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) + 65 13 4: PrintableString 'NIST' + : } + : } + : } + 71 30 30: SEQUENCE { + 73 17 13: UTCTime '970730000000Z' + 88 17 13: UTCTime '971201000000Z' + : } + 103 30 61: SEQUENCE { + 105 31 11: SET { + 107 30 9: SEQUENCE { + 109 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) + 114 13 2: PrintableString 'US' + : } + : } + 118 31 12: SET { + 120 30 10: SEQUENCE { + 122 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) + 127 13 3: PrintableString 'gov' + : } + : } + 132 31 13: SET { + 134 30 11: SEQUENCE { + 136 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) + 141 13 4: PrintableString 'NIST' + : } + : } + 147 31 17: SET { + 149 30 15: SEQUENCE { + 151 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) + 156 13 8: PrintableString 'Tim Polk' + : } + : } + : } + 166 30 439: SEQUENCE { + 170 30 300: SEQUENCE { + 174 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1) + 183 30 287: SEQUENCE { + 187 02 129: INTEGER + : 00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC + : FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC + : 48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F + : 22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64 + + + +Housley, et. al. 
Standards Track [Page 120] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + : 3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A + : C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD + : 35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E + : 5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A + : FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48 + : 63 FE 43 + 319 02 21: INTEGER + : 00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA + : 55 F7 7D 57 74 81 E5 + 342 02 129: INTEGER + : 00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91 + : C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92 + : 81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77 + : A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC + : 46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A + : 5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C + : 92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2 + : 62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF + : F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE + : 1E 57 18 + : } + : } + 474 03 132: BIT STRING 0 unused bits, encapsulates { + 478 02 128: INTEGER + : 30 B6 75 F7 7C 20 31 AE 38 BB 7E 0D 2B AB + : A0 9C 4B DF 20 D5 24 13 3C CD 98 E5 5F 6C + : B7 C1 BA 4A BA A9 95 80 53 F0 0D 72 DC 33 + : 37 F4 01 0B F5 04 1F 9D 2E 1F 62 D8 84 3A + : 9B 25 09 5A 2D C8 46 8E 2B D4 F5 0D 3B C7 + : 2D C6 6C B9 98 C1 25 3A 44 4E 8E CA 95 61 + : 35 7C CE 15 31 5C 23 13 1E A2 05 D1 7A 24 + : 1C CB D3 72 09 90 FF 9B 9D 28 C0 A1 0A EC + : 46 9F 0D B8 D0 DC D0 18 A6 2B 5E F9 8F B5 + : 95 BE + : } + : } + 609 A3 62: [3] { + 611 30 60: SEQUENCE { + 613 30 25: SEQUENCE { + 615 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) + 620 04 18: OCTET STRING, encapsulates { + 622 30 16: SEQUENCE { + 624 81 14: [1] 'wpolk@nist.gov' + : } + : } + : } + 640 30 31: SEQUENCE { + 642 06 3: OBJECT IDENTIFIER + + + +Housley, et. al. 
Standards Track [Page 121] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + : authorityKeyIdentifier (2 5 29 35) + 647 04 24: OCTET STRING, encapsulates { + 649 30 22: SEQUENCE { + 651 80 20: [0] + : 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 + : 41 2C 29 49 F4 86 56 + : } + : } + : } + : } + : } + : } + 673 30 9: SEQUENCE { + 675 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } + 684 03 48: BIT STRING 0 unused bits, encapsulates { + 687 30 45: SEQUENCE { + 689 02 20: INTEGER + : 36 97 CB E3 B4 2C E1 BB 61 A9 D3 CC 24 CC + : 22 92 9F F4 F5 87 + 711 02 21: INTEGER + : 00 AB C9 79 AF D2 16 1C A9 E3 68 A9 14 10 + : B4 A0 2E FF 22 5A 73 + : } + : } + : } + +C.3 End Entity Certificate Using RSA + + This section contains an annotated hex dump of a 654 byte version 3 + certificate. The certificate contains the following information: + (a) the serial number is 256; + (b) the certificate is signed with RSA and the SHA-1 hash algorithm; + (c) the issuer's distinguished name is OU=NIST; O=gov; C=US + (d) and the subject's distinguished name is CN=Tim Polk; OU=NIST; + O=gov; C=US + (e) the certificate was issued on May 21, 1996 at 09:58:26 and + expired on May 21, 1997 at 09:58:26; + (f) the certificate contains a 1024 bit RSA public key; + (g) the certificate is an end entity certificate (not a CA + certificate); + (h) the certificate includes an alternative subject name of + "<http://www.itl.nist.gov/div893/staff/polk/index.html>" and an + alternative issuer name of "<http://www.nist.gov/>" - both are URLs; + (i) the certificate include an authority key identifier extension + and a certificate policies extension specifying the policy OID + 2.16.840.1.101.3.2.1.48.9; and + + + + +Housley, et. al. Standards Track [Page 122] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + (j) the certificate includes a critical key usage extension + specifying that the public key is intended for verification of + digital signatures. 
+ + 0 30 654: SEQUENCE { + 4 30 503: SEQUENCE { + 8 A0 3: [0] { + 10 02 1: INTEGER 2 + : } + 13 02 2: INTEGER 256 + 17 30 13: SEQUENCE { + 19 06 9: OBJECT IDENTIFIER + : sha1withRSAEncryption (1 2 840 113549 1 1 5) + 30 05 0: NULL + : } + 32 30 42: SEQUENCE { + 34 31 11: SET { + 36 30 9: SEQUENCE { + 38 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) + 43 13 2: PrintableString 'US' + : } + : } + 47 31 12: SET { + 49 30 10: SEQUENCE { + 51 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) + 56 13 3: PrintableString 'gov' + : } + : } + 61 31 13: SET { + 63 30 11: SEQUENCE { + 65 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) + 70 13 4: PrintableString 'NIST' + : } + : } + : } + 76 30 30: SEQUENCE { + 78 17 13: UTCTime '960521095826Z' + 93 17 13: UTCTime '970521095826Z' + : } +108 30 61: SEQUENCE { +110 31 11: SET { +112 30 9: SEQUENCE { +114 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) +119 13 2: PrintableString 'US' + : } + : } +123 31 12: SET { + + + +Housley, et. al. Standards Track [Page 123] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +125 30 10: SEQUENCE { +127 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) +132 13 3: PrintableString 'gov' + : } + : } +137 31 13: SET { +139 30 11: SEQUENCE { +141 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) +146 13 4: PrintableString 'NIST' + : } + : } +152 31 17: SET { +154 30 15: SEQUENCE { +156 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) +161 13 8: PrintableString 'Tim Polk' + : } + : } + : } +171 30 159: SEQUENCE { +174 30 13: SEQUENCE { +176 06 9: OBJECT IDENTIFIER + : rsaEncryption (1 2 840 113549 1 1 1) +187 05 0: NULL + : } +189 03 141: BIT STRING 0 unused bits, encapsulates { +193 30 137: SEQUENCE { +196 02 129: INTEGER + : 00 E1 6A E4 03 30 97 02 3C F4 10 F3 B5 1E + : 4D 7F 14 7B F6 F5 D0 78 E9 A4 8A F0 A3 75 + : EC ED B6 56 96 7F 88 99 85 9A F2 3E 68 77 + : 87 EB 9E D1 9F C0 B4 17 DC AB 89 23 A4 1D + : 7E 16 23 4C 4F A8 4D F5 31 B8 7C AA E3 1A + : 49 09 
F4 4B 26 DB 27 67 30 82 12 01 4A E9 + : 1A B6 C1 0C 53 8B 6C FC 2F 7A 43 EC 33 36 + : 7E 32 B2 7B D5 AA CF 01 14 C6 12 EC 13 F2 + : 2D 14 7A 8B 21 58 14 13 4C 46 A3 9A F2 16 + : 95 FF 23 +328 02 3: INTEGER 65537 + : } + : } + : } +333 A3 175: [3] { +336 30 172: SEQUENCE { +339 30 63: SEQUENCE { +341 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) +346 04 56: OCTET STRING, encapsulates { +348 30 54: SEQUENCE { + + + +Housley, et. al. Standards Track [Page 124] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +350 86 52: [6] + : 'http://www.itl.nist.gov/div893/staff/' + : 'polk/index.html' + : } + : } + : } +404 30 31: SEQUENCE { +406 06 3: OBJECT IDENTIFIER issuerAltName (2 5 29 18) +411 04 24: OCTET STRING, encapsulates { +413 30 22: SEQUENCE { +415 86 20: [6] 'http://www.nist.gov/' + : } + : } + : } +437 30 31: SEQUENCE { +439 06 3: OBJECT IDENTIFIER + : authorityKeyIdentifier (2 5 29 35) +444 04 24: OCTET STRING, encapsulates { +446 30 22: SEQUENCE { +448 80 20: [0] + : 08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E + : 70 6A 4A 20 84 2C 32 + : } + : } + : } +470 30 23: SEQUENCE { +472 06 3: OBJECT IDENTIFIER + : certificatePolicies (2 5 29 32) +477 04 16: OCTET STRING, encapsulates { +479 30 14: SEQUENCE { +481 30 12: SEQUENCE { +483 06 10: OBJECT IDENTIFIER + : '2 16 840 1 101 3 2 1 48 9' + : } + : } + : } + : } +495 30 14: SEQUENCE { +497 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) +502 01 1: BOOLEAN TRUE +505 04 4: OCTET STRING, encapsulates { +507 03 2: BIT STRING 7 unused bits + : '1'B (bit 0) + : } + : } + : } + : } + : } + + + +Housley, et. al. 
Standards Track [Page 125] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +511 30 13: SEQUENCE { +513 06 9: OBJECT IDENTIFIER + : sha1withRSAEncryption (1 2 840 113549 1 1 5) +524 05 0: NULL + : } +526 03 129: BIT STRING 0 unused bits + : 1E 07 77 6E 66 B5 B6 B8 57 F0 03 DC 6F 77 + : 6D AF 55 1D 74 E5 CE 36 81 FC 4B C5 F4 47 + : 82 C4 0A 25 AA 8D D6 7D 3A 89 AB 44 34 39 + : F6 BD 61 1A 78 85 7A B8 1E 92 A2 22 2F CE + : 07 1A 08 8E F1 46 03 59 36 4A CB 60 E6 03 + : 40 01 5B 2A 44 D6 E4 7F EB 43 5E 74 0A E6 + : E4 F9 3E E1 44 BE 1F E7 5F 5B 2C 41 8D 08 + : BD 26 FE 6A A6 C3 2F B2 3B 41 12 6B C1 06 + : 8A B8 4C 91 59 EB 2F 38 20 2A 67 74 20 0B + : 77 F3 + : } + +C.4 Certificate Revocation List + + This section contains an annotated hex dump of a version 2 CRL with + one extension (cRLNumber). The CRL was issued by OU=NIST; O=gov; + C=US on August 7, 1997; the next scheduled issuance was September 7, + 1997. The CRL includes one revoked certificates: serial number 18 + (12 hex), which was revoked on July 31, 1997 due to keyCompromise. + The CRL itself is number 18, and it was signed with DSA and SHA-1. + + 0 30 203: SEQUENCE { + 3 30 140: SEQUENCE { + 6 02 1: INTEGER 1 + 9 30 9: SEQUENCE { + 11 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } + 20 30 42: SEQUENCE { + 22 31 11: SET { + 24 30 9: SEQUENCE { + 26 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) + 31 13 2: PrintableString 'US' + : } + : } + 35 31 12: SET { + 37 30 10: SEQUENCE { + 39 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) + 44 13 3: PrintableString 'gov' + : } + : } + 49 31 13: SET { + 51 30 11: SEQUENCE { + + + +Housley, et. al. 
Standards Track [Page 126] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + + 53 06 3: OBJECT IDENTIFIER + : organizationalUnitName (2 5 4 11) + 58 13 4: PrintableString 'NIST' + : } + : } + : } + 64 17 13: UTCTime '970807000000Z' + 79 17 13: UTCTime '970907000000Z' + 94 30 34: SEQUENCE { + 96 30 32: SEQUENCE { + 98 02 1: INTEGER 18 +101 17 13: UTCTime '970731000000Z' +116 30 12: SEQUENCE { +118 30 10: SEQUENCE { +120 06 3: OBJECT IDENTIFIER cRLReason (2 5 29 21) +125 04 3: OCTET STRING, encapsulates { +127 0A 1: ENUMERATED 1 + : } + : } + : } + : } + : } +130 A0 14: [0] { +132 30 12: SEQUENCE { +134 30 10: SEQUENCE { +136 06 3: OBJECT IDENTIFIER cRLNumber (2 5 29 20) +141 04 3: OCTET STRING, encapsulates { +143 02 1: INTEGER 12 + : } + : } + : } + : } + : } +146 30 9: SEQUENCE { +148 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) + : } +157 03 47: BIT STRING 0 unused bits, encapsulates { +160 30 44: SEQUENCE { +162 02 20: INTEGER + : 22 4E 9F 43 BA 95 06 34 F2 BB 5E 65 DB A6 + : 80 05 C0 3A 29 47 +184 02 20: INTEGER + : 59 1A 57 C9 82 D7 02 21 14 C3 D4 0B 32 1B + : 96 16 B1 1F 46 5A + : } + : } + : } + + + + +Housley, et. al. Standards Track [Page 127] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +Author Addresses + + Russell Housley + RSA Laboratories + 918 Spring Knoll Drive + Herndon, VA 20170 + USA + + EMail: rhousley@rsasecurity.com + + Warwick Ford + VeriSign, Inc. + 401 Edgewater Place + Wakefield, MA 01880 + USA + + EMail: wford@verisign.com + + Tim Polk + NIST + Building 820, Room 426 + Gaithersburg, MD 20899 + USA + + EMail: wpolk@nist.gov + + David Solo + Citigroup + 909 Third Ave, 16th Floor + New York, NY 10043 + USA + + EMail: dsolo@alum.mit.edu + + + + + + + + + + + + + + + + + + +Housley, et. al. Standards Track [Page 128] + +RFC 3280 Internet X.509 Public Key Infrastructure April 2002 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2002). All Rights Reserved. 
+ + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Housley, et. al. Standards Track [Page 129] + |
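Review bot: The extensibility-rules paragraph just before Appendix C states that at least two extension definitions have different ASN.1 in this profile than in RFC 2459 while keeping the same OIDs, so any decoder in this tree that was written against the RFC 2459 text should be re-checked against the revised definitions (and against the "ignore unknown elements unless the extension is critical" rules (a) to (c) that follow) before this file is treated as the reference document. Two smaller points: the Full Copyright Statement at the end of the hunk permits copying only with the notice and that paragraph included and forbids modifying the document itself, so the committed doc/protocol/rfc3280.txt should stay byte-for-byte identical to the published text (page headers, Author Addresses and copyright included) rather than being reflowed or trimmed; and since Appendix C says the binaries for its certificates and CRL are available at <http://csrc.nist.gov/pki/pkixtools>, it would be worth noting next to the file whether the project's X.509 tests use those vectors.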