diff options
Diffstat (limited to 'doc/protocol/rfc3039.txt')
-rw-r--r-- | doc/protocol/rfc3039.txt | 1963 |
1 files changed, 0 insertions, 1963 deletions
diff --git a/doc/protocol/rfc3039.txt b/doc/protocol/rfc3039.txt deleted file mode 100644 index 983dc156c3..0000000000 --- a/doc/protocol/rfc3039.txt +++ /dev/null @@ -1,1963 +0,0 @@ - - - - - - -Network Working Group S. Santesson -Request for Comments: 3039 AddTrust -Category: Standards Track W. Polk - NIST - P. Barzin - SECUDE - M. Nystrom - RSA Security - January 2001 - - - Internet X.509 Public Key Infrastructure - Qualified Certificates Profile - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2001). All Rights Reserved. - -Abstract - - This document forms a certificate profile for Qualified Certificates, - based on RFC 2459, for use in the Internet. The term Qualified - Certificate is used to describe a certificate with a certain - qualified status within applicable governing law. Further, Qualified - Certificates are issued exclusively to physical persons. - - The goal of this document is to define a general syntax independent - of local legal requirements. The profile is however designed to - allow further profiling in order to meet specific local needs. - - It is important to note that the profile does not define any legal - requirements for Qualified Certificates. - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. - - - - - - - -Santesson, et al. Standards Track [Page 1] - -RFC 3039 Qualified Certificates Profile January 2001 - - -Table of Contents - - 1 Introduction ................................................ 2 - 2 Requirements and Assumptions ................................ 3 - 2.1 Properties ................................................ 4 - 2.2 Statement of Purpose ...................................... 5 - 2.3 Policy Issues ............................................. 5 - 2.4 Uniqueness of names ....................................... 5 - 3 Certificate and Certificate Extensions Profile .............. 6 - 3.1 Basic Certificate Fields .................................. 6 - 3.1.1 Issuer .................................................. 6 - 3.1.2 Subject ................................................. 6 - 3.2 Certificate Extensions .................................... 9 - 3.2.1 Subject Directory Attributes ............................ 9 - 3.2.2 Certificate Policies .................................... 10 - 3.2.3 Key Usage ............................................... 10 - 3.2.4 Biometric Information ................................... 11 - 3.2.5 Qualified Certificate Statements ........................ 12 - 4 Security Considerations ..................................... 14 - 5 References .................................................. 15 - 6 Intellectual Property Rights ................................ 16 - A ASN.1 definitions ........................................... 17 - A.1 1988 ASN.1 Module ......................................... 17 - A.2 1993 ASN.1 Module ......................................... 19 - B A Note on Attributes ........................................ 24 - C. Example Certificate ........................................ 24 - C.1 ASN.1 Structure ........................................... 25 - C.1.1 Extensions ............................................... 25 - C.1.2 The certificate .......................................... 27 - C.2 ASN.1 Dump ................................................ 29 - C.3 DER-encoding .............................................. 32 - C.4 CA's public key ........................................... 33 - Authors' Addresses ............................................. 34 - Full Copyright Statement ....................................... 35 - -1 Introduction - - This specification is one part of a family of standards for the X.509 - Public Key Infrastructure (PKI) for the Internet. It is based on RFC - 2459, which defines underlying certificate formats and semantics - needed for a full implementation of this standard. - - The standard profiles the format for a specific type of certificates - named Qualified Certificates. The term Qualified Certificates and - the assumptions that affects the scope of this document are discussed - in Section 2. - - - - - -Santesson, et al. Standards Track [Page 2] - -RFC 3039 Qualified Certificates Profile January 2001 - - - Section 3 defines requirements on information content in Qualified - Certificates. This profile addresses two fields in the basic - certificate as well as five certificate extensions. The certificate - fields are the subject and issuer fields. The certificate extensions - are subject directory attributes, certificate policies, key usage, a - private extension for storage of biometric data and a private - extension for storage of statements related to Qualified - Certificates. The private extensions are presented in the 1993 - Abstract Syntax Notation One (ASN.1), but in conformance with RFC - 2459 the 1988 ASN.1 module in Appendix A contains all normative - definitions (the 1993 module in Appendix A is informative). - - In Section 4, some security considerations are discussed in order to - clarify the security context in which Qualified Certificates are - assumed to be utilized. Section 5 contains the references. - - Appendix A contains all relevant ASN.1 [X.680] structures that are - not already defined in RFC 2459. Appendix B contains a note on - attributes. Appendix C contains an example certificate. Appendix D - contains authors' addresses and Appendix E contains the IETF - Copyright Statement. - - It should be noted that this specification does not define the - specific semantics of Qualified Certificates, and does not define the - policies that should be used with them. That is, this document - defines what information should go into Qualified Certificates, but - not what that information means. A system that uses Qualified - Certificates must define its own semantics for the information in - Qualified Certificates. It is expected that laws and corporate - policies will make these definitions. - -2 Requirements and Assumptions - - The term "Qualified Certificate" has been used by the European - Commission to describe a certain type of certificates with specific - relevance for European legislation. This specification is intended - to support this class of certificates, but its scope is not limited - to this application. - - Within this standard the term "Qualified Certificate" is used more - generally, describing the format for a certificate whose primary - purpose is identifying a person with high level of assurance in - public non-repudiation services. The actual mechanisms that will - decide whether a certificate should or should not be considered to be - a "Qualified Certificate" in regard to any legislation are outside - the scope of this standard. - - - - - -Santesson, et al. Standards Track [Page 3] - -RFC 3039 Qualified Certificates Profile January 2001 - - - Harmonization in the field of Qualified Certificates is essential - within several aspects that fall outside the scope of RFC 2459. The - most important aspects that affect the scope of this specification - are: - - - Definition of names and identity information in order to identify - the associated subject in a uniform way. - - - Definition of information which identifies the CA and the - jurisdiction under which the CA operates when issuing a particular - certificate. - - - Definition of key usage extension usage for Qualified - Certificates. - - - Definition of information structure for storage of biometric - information. - - - Definition of a standardized way to store predefined statements - with relevance for Qualified Certificates. - - - Requirements for critical extensions. - -2.1 Properties - - A Qualified Certificate as defined in this standard is assumed to - have the following properties: - - - The certificate is issued by a CA that makes a public statement - that the certificate serves the purpose of a Qualified - Certificate, as discussed in Section 2.2 - - - The certificate indicates a certificate policy consistent with - liabilities, practices and procedures undertaken by the CA, as - discussed in 2.3 - - - The certificate is issued to a natural person (living human - being). - - - The certificate contains an identity based on a pseudonym or a - real name of the subject. - - - - - - - - - - -Santesson, et al. Standards Track [Page 4] - -RFC 3039 Qualified Certificates Profile January 2001 - - -2.2 Statement of Purpose - - For a certificate to serve the purpose of being a Qualified - Certificate, this profile assumes that the CA will have to include in - the certificate information that explicitly defines this intent. - - The function of this information is thus to assist any concerned - entity in evaluating the risk associated with creating or accepting - signatures that are based on a Qualified Certificate. - - This profile defines two complementary ways to include this - information: - - - As information defined by a certificate policy included in the - certificate policies extension, and - - - As a statement included in the Qualified Certificates Statements - extension. - -2.3 Policy Issues - - Certain policy aspects define the context in which this profile is to - be understood and used. It is however outside the scope of this - profile to specify any policies or legal aspects that will govern - services that issue or utilize certificates according to this - profile. - - It is however assumed that the issuing CA will undertake to follow a - publicly available certificate policy that is consistent with its - liabilities, practices and procedures. - -2.4 Uniqueness of names - - Distinguished name is originally defined in X.501 [X.501] as a - representation of a directory name, defined as a construct that - identifies a particular object from among the set of all objects. An - object can be assigned a distinguished name without being represented - by an entry in the Directory, but this name is then the name its - object entry could have had if it were represented in the Directory. - In the context of qualified certificates, a distinguished name - denotes a set of attribute values [X.501] which forms a name that is - unambiguous within a certain domain that forms either a real or a - virtual DIT (Directory Information Tree)[X.501]. In the case of - subject names the domain is assumed to be at least the issuing domain - of the CA. The distinguished name MUST be unique for each subject - entity certified by the one CA as defined by the issuer name field, - during the whole life time of the CA. - - - - -Santesson, et al. Standards Track [Page 5] - -RFC 3039 Qualified Certificates Profile January 2001 - - -3 Certificate and Certificate Extensions Profile - - This section defines a profile for Qualified Certificates. The - profile is based on the Internet certificate profile RFC 2459 which - in turn is based on the X.509 version 3 format. For full - implementation of this section implementers are REQUIRED to consult - the underlying formats and semantics defined in RFC 2459. - - ASN.1 definitions relevant for this section that are not supplied by - RFC 2459 are supplied in Appendix A. - -3.1 Basic Certificate Fields - - This specification provides additional details regarding the contents - of two fields in the basic certificate. These fields are the issuer - and subject fields. - -3.1.1 Issuer - - The issuer field SHALL identify the organization responsible for - issuing the certificate. The name SHOULD be an officially registered - name of the organization. - - The identity of the issuer SHALL be specified using an appropriate - subset of the following attributes: - - domainComponent; - countryName; - stateOrProvinceName; - organizationName; - localityName; and - serialNumber. - - Additional attributes MAY be present but they SHOULD NOT be necessary - to identify the issuing organization. - - Attributes present in the issuer field SHOULD be consistent with the - laws under which the issuer operates. - - A relying party MAY have to consult associated certificate policies - and/or the issuer's CPS, in order to determine the semantics of name - fields and the laws under which the issuer operates. - -3.1.2 Subject - - The subject field of a certificate compliant with this profile SHALL - contain a distinguished name of the subject (see 2.4 for definition - of distinguished name). - - - -Santesson, et al. Standards Track [Page 6] - -RFC 3039 Qualified Certificates Profile January 2001 - - - The subject field SHALL contain an appropriate subset of the - following attributes: - - countryName; - commonName; - surname; - givenName; - pseudonym; - serialNumber; - organizationName; - organizationalUnitName; - stateOrProvinceName - localityName and - postalAddress. - - Other attributes may be present but MUST NOT be necessary to - distinguish the subject name from other subject names within the - issuer domain. - - Of these attributes, the subject field SHALL include at least one of - the following: - - Choice I: commonName - Choice II: givenName - Choice III: pseudonym - - The countryName attribute value specifies a general context in which - other attributes are to be understood. The country attribute does - not necessarily indicate the subject's country of citizenship or - country of residence, nor does it have to indicate the country of - issuance. - - Note: Many X.500 implementations require the presence of countryName - in the DIT. In cases where the subject name, as specified in the - subject field, specifies a public X.500 directory entry, the - countryName attribute SHOULD always be present. - - The commonName attribute value SHALL, when present, contain a name of - the subject. This MAY be in the subject's preferred presentation - format, or a format preferred by the CA, or some other format. - Pseudonyms, nicknames and names with spelling other than defined by - the registered name MAY be used. To understand the nature of the - name presented in commonName, complying applications MAY have to - examine present values of the givenName and surname attributes, or - the pseudonym attribute. - - - - - - -Santesson, et al. Standards Track [Page 7] - -RFC 3039 Qualified Certificates Profile January 2001 - - - Note: Many client implementations presuppose the presence of the - commonName attribute value in the subject field and use this value to - display the subject's name regardless of present givenName, surname - or pseudonym attribute values. - - The surname and givenName attribute types SHALL, if present, contain - the registered name of the subject, in accordance with the laws under - which the CA prepares the certificate. These attributes SHALL be - used in the subject field if the commonName attribute is not present. - In cases where the subject only has a single name registered, the - givenName attribute SHALL be used and the surname attribute SHALL be - omitted. - - The pseudonym attribute type SHALL, if present, contain a pseudonym - of the subject. Use of the pseudonym attribute MUST NOT be combined - with use of any of the attributes surname and/or givenName. - - The serialNumber attribute type SHALL, when present, be used to - differentiate between names where the subject field would otherwise - be identical. This attribute has no defined semantics beyond - ensuring uniqueness of subject names. It MAY contain a number or - code assigned by the CA or an identifier assigned by a government or - civil authority. It is the CA's responsibility to ensure that the - serialNumber is sufficient to resolve any subject name collisions. - - The organizationName and the organizationalUnitName attribute types - SHALL, when present, be used to store the name and relevant - information of an organization with which the subject is associated. - The type of association between the organization and the subject is - beyond the scope of this document. - - The postalAddress, the stateOrProvinceName and the localityName - attribute types SHALL, when present, be used to store address and - geographical information with which the subject is associated. If an - organizationName value also is present then the postalAddress, - stateOrProvinceName and localityName attribute values SHALL be - associated with the specified organization. The type of association - between the postalAddress, stateOrProvinceName and the localityName - and either the subject or the organizationName is beyond the scope of - this document. - - Compliant implementations SHALL be able to interpret the attributes - named in this section. - - - - - - - - -Santesson, et al. Standards Track [Page 8] - -RFC 3039 Qualified Certificates Profile January 2001 - - -3.2 Certificate Extensions - - This specification provides additional details regarding the contents - of five certificate extensions. These extensions are the subject - directory attributes, certificate policies, key usage, private - extension for biometric information and private extension for - Qualified Certificate statements. - -3.2.1 Subject Directory Attributes - - The subjectDirectoryAttributes extension MAY contain additional - attributes, associated with the subject, as complement to present - information in the subject field and the subject alternative name - extension. - - Attributes suitable for storage in this extension are attributes, - which are not part of the subject's distinguished name, but which MAY - still be useful for other purposes (e.g., authorization). - - This extension MUST NOT be marked critical. - - Compliant implementations SHALL be able to interpret the following - attributes: - - title; - dateOfBirth; - placeOfBirth; - gender; - countryOfCitizenship; and - countryOfResidence. - - Other attributes MAY be included according to local definitions. - - The title attribute type SHALL, when present, be used to store a - designated position or function of the subject within the - organization specified by present organizational attributes in the - subject field. The association between the title, the subject and - the organization is beyond the scope of this document. - - The dateOfBirth attribute SHALL, when present, contain the value of - the date of birth of the subject. The manner in which the date of - birth is associated with the subject is outside the scope of this - document. - - The placeOfBirth attribute SHALL, when present, contain the value of - the place of birth of the subject. The manner in which the place of - birth is associated with the subject is outside the scope of this - document. - - - -Santesson, et al. Standards Track [Page 9] - -RFC 3039 Qualified Certificates Profile January 2001 - - - The gender attribute SHALL, when present, contain the value of the - gender of the subject. For females the value "F" (or "f") and for - males the value "M" (or "m") have to be used. The manner in which - the gender is associated with the subject is outside the scope of - this document. - - The countryOfCitizenship attribute SHALL, when present, contain the - identifier of at least one of the subject's claimed countries of - citizenship at the time that the certificate was issued. If the - subject is a citizen of more than one country, more than one country - MAY be present. Determination of citizenship is a matter of law and - is outside the scope of this document. - - The countryOfResidence attribute SHALL, when present, contain the - value of at least one country in which the subject is resident. If - the subject is a resident of more than one country, more than one - country MAY be present. Determination of residence is a matter of - law and is outside the scope of this document. - -3.2.2 Certificate Policies - - The certificate policies extension SHALL contain the identifier of at - least one certificate policy which reflects the practices and - procedures undertaken by the CA. The certificate policy extension - MAY be marked critical. - - Information provided by the issuer stating the purpose of the - certificate as discussed in Section 2.2 SHOULD be evident through - indicated policies. - - The certificate policies extension SHOULD include all policy - information needed for validation of the certificate. If policy - information is included in the QCStatements extension (see 3.2.5), - then this information SHOULD also be defined by indicated policies. - - Certificate policies MAY be combined with any qualifier defined in - RFC 2459. - -3.2.3 Key Usage - - The key usage extension SHALL be present. If the key usage - nonRepudiation bit is asserted then it SHOULD NOT be combined with - any other key usage , i.e., if set, the key usage non-repudiation - SHOULD be set exclusively. - - The key usage extension MAY be marked critical. - - - - - -Santesson, et al. Standards Track [Page 10] - -RFC 3039 Qualified Certificates Profile January 2001 - - -3.2.4 Biometric Information - - This section defines an extension for storage of biometric - information. Biometric information is stored in the form of a hash - of a biometric template. - - The purpose of this extension is to provide means for authentication - of biometric information. The biometric information that corresponds - to the stored hash is not stored in this extension, but the extension - MAY include an URI pointing to a location where this information can - be obtained. If included, this URI does not imply that this is the - only way to access this information. - - It is RECOMMENDED that biometric information in this extension is - limited to information types suitable for human verification, i.e., - where the decision of whether the information is an accurate - representation of the subject is naturally performed by a person. - This implies a usage where the biometric information is represented - by, for example, a graphical image displayed to the relying party, - which MAY be used by the relying party to enhance identification of - the subject. - - This extension MUST NOT be marked critical. - - biometricInfo EXTENSION ::= { - SYNTAX BiometricSyntax - IDENTIFIED BY id-pe-biometricInfo } - - id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} - - BiometricSyntax ::= SEQUENCE OF BiometricData - - BiometricData ::= SEQUENCE { - typeOfBiometricData TypeOfBiometricData, - hashAlgorithm AlgorithmIdentifier, - biometricDataHash OCTET STRING, - sourceDataUri IA5String OPTIONAL } - - TypeOfBiometricData ::= CHOICE { - predefinedBiometricType PredefinedBiometricType, - biometricDataID OBJECT IDENTIFIER } - - PredefinedBiometricType ::= INTEGER { picture(0), - handwritten-signature(1)} (picture|handwritten-signature,...) - - - - - - - -Santesson, et al. Standards Track [Page 11] - -RFC 3039 Qualified Certificates Profile January 2001 - - - The predefined biometric type picture, when present, SHALL identify - that the source picture is in the form of a displayable graphical - image of the subject. The hash of the graphical image SHALL only be - calculated over the image data excluding any labels defining the - image type. - - The predefined biometric type handwritten-signature, when present, - SHALL identify that the source data is in the form of a displayable - graphical image of the subject's handwritten signature. The hash of - the graphical image SHALL only be calculated over the image data - excluding any labels defining the image type. - -3.2.5 Qualified Certificate Statements - - This section defines an extension for inclusion of defined statements - related to Qualified Certificates. - - A typical statement suitable for inclusion in this extension MAY be a - statement by the issuer that the certificate is issued as a Qualified - Certificate in accordance with a particular legal system (as - discussed in Section 2.2). - - Other statements suitable for inclusion in this extension MAY be - statements related to the applicable legal jurisdiction within which - the certificate is issued. As an example this MAY include a maximum - reliance limit for the certificate indicating restrictions on CA's - liability. - - Each statement SHALL include an object identifier for the statement - and MAY also include optional qualifying data contained in the - statementInfo parameter. - - If the statementInfo parameter is included then the object identifier - of the statement SHALL define the syntax and SHOULD define the - semantics of this parameter. If the object identifier does not - define the semantics, a relying party may have to consult a relevant - certificate policy or CPS to determine the exact semantics. - - This extension may be critical or non-critical. If the extension is - critical, this means that all statements included in the extension - are regarded as critical. - - qcStatements EXTENSION ::= { - SYNTAX QCStatements - IDENTIFIED BY id-pe-qcStatements } - - id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } - - - - -Santesson, et al. Standards Track [Page 12] - -RFC 3039 Qualified Certificates Profile January 2001 - - - QCStatements ::= SEQUENCE OF QCStatement - - QCStatement ::= SEQUENCE { - statementId QC-STATEMENT.&Id({SupportedStatements}), - statementInfo QC-STATEMENT.&Type - ({SupportedStatements}{@statementId}) OPTIONAL } - - SupportedStatements QC-STATEMENT ::= { qcStatement-1,...} - -3.2.5.1 Predefined Statements - - This profile includes one predefined object identifier (id-qcs- - pkixQCSyntax-v1), identifying conformance with syntax and semantics - defined in this profile. This Qualified Certificate profile is - referred to as version 1. - - qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation - IDENTIFIED BY id-qcs-pkixQCSyntax-v1 } - -- This statement identifies conformance with syntax and - -- semantics defined in this Qualified Certificate profile - -- (Version 1). The SemanticsInformation may optionally contain - -- additional semantics information as specified. - - SemanticsInformation ::= SEQUENCE { - semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, - nameRegistrationAuthorities NameRegistrationAuthorities - OPTIONAL } - (WITH COMPONENTS {..., semanticsIdentifier PRESENT}| - WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) - - NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF - GeneralName - - The SementicsInformation component identified by id-qcs- - pkixQCSyntax-v1 MAY contain a semantics identifier and MAY identify - one or more name registration authorities. - - The semanticsIdentifier component, if present, SHALL contain an OID, - defining semantics for attributes and names in basic certificate - fields and certificate extensions. The OID may define semantics for - all, or for a subgroup of all present attributes and/or names. - - The NameRegistrationAuthorities component, if present, SHALL contain - a name of one or more name registration authorities, responsible for - registration of attributes or names associated with the subject. The - association between an identified name registration authority and - present attributes MAY be defined by a semantics identifier OID, by a - certificate policy (or CPS) or some other implicit factors. - - - -Santesson, et al. Standards Track [Page 13] - -RFC 3039 Qualified Certificates Profile January 2001 - - - If a value of type SemanticsInformation is present in a QCStatement - then at least one of the fields semanticsIdentifier and - nameRegistrationAuthorities must be present, as indicated. - -4 Security Considerations - - The legal value of a digital signature that is validated with a - Qualified Certificate will be highly dependent upon the policy - governing the use of the associated private key. Both the private - key holder as well as the relying party should make sure that the - private key is used only with the consent of the legitimate key - holder. - - Since the public keys are for public use with legal implications for - involved parties, certain conditions should exist before CAs issue - certificates as Qualified Certificates. The associated private keys - must be unique for the subject, and must be maintained under the - subject's sole control. That is, a CA should not issue a qualified - certificate if the means to use the private key is not protected - against unintended usage. This implies that the CA have some - knowledge about the subject's cryptographic module. - - The CA must further verify that the public key contained in the - certificate is legitimately representing the subject. - - CAs should not issue CA certificates with policy mapping extensions - indicating acceptance of another CA's policy unless these conditions - are met. - - Combining the nonRepudiation bit in the keyUsage certificate - extension with other keyUsage bits may have security implications and - this specification therefore recommends against such practices. - - The ability to compare two qualified certificates to determine if - they represent the same physical entity is dependent on the semantics - of the subjects' names. The semantics of a particular attribute may - be different for different issuers. Comparing names without - knowledge of the semantics of names in these particular certificates - may provide misleading results. - - This specification is a profile of RFC 2459. The security - considerations section of that document applies to this specification - as well. - - - - - - - - -Santesson, et al. Standards Track [Page 14] - -RFC 3039 Qualified Certificates Profile January 2001 - - -5 References - - [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. - Sataluri, "Using Domains in LDAP/X.500 Distinguished - Names", RFC 2247, January 1998. - - [RFC 2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet - X.509 Public Key Infrastructure: Certificate and CRL - Profile", RFC 2459, January 1999. - - [RFC 2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object - Classes and Attribute Types Version 2.0", RFC 2985, - November 2000. - - [X.501] ITU-T Recommendation X.501: Information Technology - Open - Systems Interconnection - The Directory: Models, June - 1993. - - [X.509] ITU-T Recommendation X.509: Information Technology - Open - Systems Interconnection - The Directory: Authentication - Framework, June 1997. - - [X.520] ITU-T Recommendation X.520: Information Technology - Open - Systems Interconnection - The Directory: Selected - Attribute Types, June 1993. - - [X.680] ITU-T Recommendation X.680: Information Technology - - Abstract Syntax Notation One, 1997. - - [ISO 3166] ISO Standard 3166: Codes for the representation of names - of countries, 1993. - - - - - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 15] - -RFC 3039 Qualified Certificates Profile January 2001 - - -6 Intellectual Property Rights - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 16] - -RFC 3039 Qualified Certificates Profile January 2001 - - -A. ASN.1 definitions - - As in RFC 2459, ASN.1 modules are supplied in two different variants - of the ASN.1 syntax. - - Appendix A.1 is in the 1988 syntax, and does not use macros. - However, since the module imports type definitions from modules in - RFC 2459 which are not completely in the 1988 syntax, the same - comments as in RFC 2459 regarding its use applies here as well; i.e., - Appendix A.1 may be parsed by an 1988 ASN.1-parser by removing the - definitions for the UNIVERSAL types and all references to them in RFC - 2459's 1988 modules. - - Appendix A.2 is in the 1993 syntax. However, since the module - imports type definitions from modules in RFC 2459 which are not - completely in the 1993 syntax, the same comments as in RFC 2459 - regarding its use applies here as well; i.e., Appendix A.2 may be - parsed by an 1993 ASN.1-parser by removing the UTF8String choice from - the definition of DirectoryString in the module PKIX1Explicit93 in - RFC 2459. Appendix A.2 may be parsed "as is" by an 1997 ASN.1 - parser, however. - - In case of discrepancies between these modules, the 1988 module is - the normative one. - -A.1 1988 ASN.1 Module - -PKIXqualified88 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-qualified-cert-88(10) } - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - -IMPORTS - -GeneralName - FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-pkix1-implicit-88(2)} - -AlgorithmIdentifier, DirectoryString, Attribute, AttributeType, - id-pkix, id-pe, id-at - FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - - - -Santesson, et al. Standards Track [Page 17] - -RFC 3039 Qualified Certificates Profile January 2001 - - - id-pkix1-explicit-88(1)}; - --- Locally defined OIDs - --- Arc for QC personal data attributes -id-pda OBJECT IDENTIFIER ::= { id-pkix 9 } --- Arc for QC statements -id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 } - --- Attributes - -id-at-serialNumber AttributeType ::= { id-at 5 } -SerialNumber ::= PrintableString (SIZE(1..64)) - -id-at-postalAddress AttributeType ::= { id-at 16 } -PostalAddress ::= SEQUENCE SIZE (1..6) OF DirectoryString - -id-at-pseudonym AttributeType ::= { id-at 65 } -Pseudonym ::= DirectoryString - -domainComponent AttributeType ::= - { 0 9 2342 19200300 100 1 25 } -DomainComponent ::= IA5String - -id-pda-dateOfBirth AttributeType ::= { id-pda 1 } -DateOfBirth ::= GeneralizedTime - -id-pda-placeOfBirth AttributeType ::= { id-pda 2 } -PlaceOfBirth ::= DirectoryString - -id-pda-gender AttributeType ::= { id-pda 3 } -Gender ::= PrintableString (SIZE(1)) - -- "M", "F", "m" or "f" - -id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 } -CountryOfCitizenship ::= PrintableString (SIZE (2)) - -- ISO 3166 Country Code - -id-pda-countryOfResidence AttributeType ::= { id-pda 5 } -CountryOfResidence ::= PrintableString (SIZE (2)) - -- ISO 3166 Country Code - --- Private extensions - --- Biometric info extension - -id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} - - - - -Santesson, et al. Standards Track [Page 18] - -RFC 3039 Qualified Certificates Profile January 2001 - - -BiometricSyntax ::= SEQUENCE OF BiometricData - -BiometricData ::= SEQUENCE { - typeOfBiometricData TypeOfBiometricData, - hashAlgorithm AlgorithmIdentifier, - biometricDataHash OCTET STRING, - sourceDataUri IA5String OPTIONAL } - -TypeOfBiometricData ::= CHOICE { - predefinedBiometricType PredefinedBiometricType, - biometricDataOid OBJECT IDENTIFIER } - -PredefinedBiometricType ::= INTEGER { - picture(0),handwritten-signature(1)} - (picture|handwritten-signature) - --- QC Statements Extension - -id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3} - -QCStatements ::= SEQUENCE OF QCStatement - -QCStatement ::= SEQUENCE { - statementId OBJECT IDENTIFIER, - statementInfo ANY DEFINED BY statementId OPTIONAL} - --- QC statements -id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } - --- This statement identifies conformance with syntax and --- semantics defined in this Qualified Certificate profile --- (Version 1). This statement may optionally contain --- additional semantics information as specified below. - -SemanticsInformation ::= SEQUENCE { - semanticsIndentifier OBJECT IDENTIFIER OPTIONAL, - nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL - } -- At least one field shall be present - -NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName - -END - -A.2 1993 ASN.1 Module - -PKIXqualified93 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-qualified-cert-93(11) } - - - -Santesson, et al. Standards Track [Page 19] - -RFC 3039 Qualified Certificates Profile January 2001 - - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - --- EXPORTS ALL -- - -IMPORTS - -authorityKeyIdentifier, subjectKeyIdentifier, keyUsage, - extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies, - policyMappings, subjectAltName, issuerAltName, basicConstraints, - nameConstraints, policyConstraints, cRLDistributionPoints, - subjectDirectoryAttributes, authorityInfoAccess, GeneralName, - OTHER-NAME - FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-pkix1-implicit-93(4)} - -id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION, - DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName, - id-at-surname, id-at-countryName, id-at-localityName, - id-at-stateOrProvinceName, id-at-organizationName, - id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier, - pkcs9email, title, organizationName, organizationalUnitName, - stateOrProvinceName, localityName, countryName, - generationQualifier, dnQualifier, initials, givenName, surname, - commonName, name - FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-pkix1-explicit-93(3)}; - --- Object Identifiers - --- Externally defined OIDs -id-at-serialNumber OBJECT IDENTIFIER ::= { id-at 5} -id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 } -id-at-pseudonym OBJECT IDENTIFIER ::= { id-at 65 } -id-domainComponent OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 } - --- Locally defined OIDs - --- Arc for QC personal data attributes - -id-pda OBJECT IDENTIFIER ::= { id-pkix 9 } --- Arc for QC statements -id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 } - --- Private extensions - - - -Santesson, et al. Standards Track [Page 20] - -RFC 3039 Qualified Certificates Profile January 2001 - - -id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 } -id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } - --- Personal data attributes -id-pda-dateOfBirth OBJECT IDENTIFIER ::= { id-pda 1 } -id-pda-placeOfBirth OBJECT IDENTIFIER ::= { id-pda 2 } -id-pda-gender OBJECT IDENTIFIER ::= { id-pda 3 } -id-pda-countryOfCitizenship OBJECT IDENTIFIER ::= { id-pda 4 } -id-pda-countryOfResidence OBJECT IDENTIFIER ::= { id-pda 5 } - --- QC statements -id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } - --- Object Sets - --- The following information object set is defined to constrain the --- set of legal certificate extensions. Note that this set is an --- extension of the ExtensionSet defined in RFC 2459. -ExtensionSet EXTENSION ::= { - authorityKeyIdentifier | - subjectKeyIdentifier | - keyUsage | - extendedKeyUsage | - privateKeyUsagePeriod | - certificatePolicies | - policyMappings | - subjectAltName | - issuerAltName | - basicConstraints | - nameConstraints | - policyConstraints | - cRLDistributionPoints | - subjectDirectoryAttributes | - authorityInfoAccess | - biometricInfo | - qcStatements, ... } - --- The following information object set is defined to constrain the --- set of attributes applications are required to recognize in --- distinguished names. The set may of course be augmented to meet --- local requirements. Note that deleting members of the set may --- prevent interoperability with conforming implementations, and that --- this set is an extension of the SupportedAttributes set in RFC 2459. - -SupportedAttributes ATTRIBUTE ::= { - countryName | commonName | surname | givenName | pseudonym | - serialNumber | organizationName | organizationalUnitName | - stateOrProvinceName | localityName | postalAddress | - - - -Santesson, et al. Standards Track [Page 21] - -RFC 3039 Qualified Certificates Profile January 2001 - - - pkcs9email | domainComponent | dnQualifier, - ... -- For future extensions -- } - --- The following information object set is defined to constrain the --- set of attributes applications are required to recognize in --- subjectDirectoryAttribute extensions. The set may be augmented to --- meet local requirements. Note that deleting members of the set --- may prevent interoperability with conforming implementations. -PersonalDataAttributeSet ATTRIBUTE ::= { - title | dateOfBirth | placeOfBirth | gender | countryOfCitizenship | - countryOfResidence, ... } - --- Attributes - --- serialNumber from X.520 -serialNumber ATTRIBUTE ::= { - WITH SYNTAX PrintableString (SIZE(1..64)) - ID id-at-serialNumber } - --- postalAddress from X.520 -postalAddress ATTRIBUTE ::= { - WITH SYNTAX SEQUENCE SIZE (1..6) OF DirectoryString { 30 } - ID id-at-postalAddress } - --- pseudonym from (forthcoming) X.520) -pseudonym ATTRIBUTE ::= { - WITH SYNTAX DirectoryString { ub-name } - ID id-at-pseudonym } - --- domainComponent from RFC 2247 -domainComponent ATTRIBUTE ::= { - WITH SYNTAX IA5String - ID id-domainComponent } - -dateOfBirth ATTRIBUTE ::= { - WITH SYNTAX GeneralizedTime - ID id-pda-dateOfBirth } - -placeOfBirth ATTRIBUTE ::= { - WITH SYNTAX DirectoryString { ub-name } - ID id-pda-placeOfBirth } - -gender ATTRIBUTE ::= { - WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f")) - ID id-pda-gender } - -countryOfCitizenship ATTRIBUTE ::= { - WITH SYNTAX PrintableString (SIZE (2)) - - - -Santesson, et al. Standards Track [Page 22] - -RFC 3039 Qualified Certificates Profile January 2001 - - - (CONSTRAINED BY { -- ISO 3166 codes only -- }) - ID id-pda-countryOfCitizenship } - -countryOfResidence ATTRIBUTE ::= { - WITH SYNTAX PrintableString (SIZE (2)) - (CONSTRAINED BY { -- ISO 3166 codes only -- }) - ID id-pda-countryOfResidence } - --- Private extensions - --- Biometric info extension - -biometricInfo EXTENSION ::= { - SYNTAX BiometricSyntax - IDENTIFIED BY id-pe-biometricInfo } - -BiometricSyntax ::= SEQUENCE OF BiometricData - -BiometricData ::= SEQUENCE { - typeOfBiometricData TypeOfBiometricData, - hashAlgorithm AlgorithmIdentifier, - biometricDataHash OCTET STRING, - sourceDataUri IA5String OPTIONAL, - ... -- For future extensions -- } - -TypeOfBiometricData ::= CHOICE { - predefinedBiometricType PredefinedBiometricType, - biometricDataOid OBJECT IDENTIFIER } - -PredefinedBiometricType ::= INTEGER { picture(0), - handwritten-signature(1)} (picture|handwritten-signature,...) - --- QC Statements Extension - -qcStatements EXTENSION ::= { - SYNTAX QCStatements - IDENTIFIED BY id-pe-qcStatements } - -QCStatements ::= SEQUENCE OF QCStatement - -QCStatement ::= SEQUENCE { - statementId QC-STATEMENT.&id({SupportedStatements}), - statementInfo QC-STATEMENT.&Type - ({SupportedStatements}{@statementId}) OPTIONAL } - -QC-STATEMENT ::= CLASS { - &id OBJECT IDENTIFIER UNIQUE, - &Type OPTIONAL } - - - -Santesson, et al. Standards Track [Page 23] - -RFC 3039 Qualified Certificates Profile January 2001 - - -WITH SYNTAX { - [SYNTAX &Type] IDENTIFIED BY &id } - -qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation - IDENTIFIED BY id-qcs-pkixQCSyntax-v1} - -- This statement identifies conformance with syntax and - -- semantics defined in this Qualified Certificate profile - -- (Version 1). The SemanticsInformation may optionally contain - -- additional semantics information as specified. - -SemanticsInformation ::= SEQUENCE { - semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, - nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL - }(WITH COMPONENTS {..., semanticsIdentifier PRESENT}| - WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) - -NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName - --- The following information object set is defined to constrain the --- set of attributes applications are required to recognize as QCSs. -SupportedStatements QC-STATEMENT ::= { - qcStatement-1, ... -- For future extensions -- } - -END - -B. A Note on Attributes - - This document defines several new attributes, both for use in the - subject field of issued certificates and in the - subjectDirectoryAttributes extension. In the interest of conformity, - they have been defined here using the ASN.1 ATTRIBUTE definition from - RFC 2459, which is sufficient for the purposes of this document, but - greatly simplified in comparison with ISO/ITU's definition. A - complete definition of these new attributes (including matching - rules), along with object classes to support them in LDAP-accessible - directories, can be found in [PKCS 9]. - -C. Example Certificate - - This section contains the ASN.1 structure, an ASN.1 dump, and the - DER-encoding of a certificate issued in conformance with this - profile. The example has been developed with the help of the OSS - ASN.1 compiler. The certificate has the following characteristics: - - 1. The certificate is signed with RSA and the SHA-1 hash - algorithm - 2. The issuer's distinguished name is O=GMD - Forschungszentrum - Informationstechnik GmbH; C=DE - - - -Santesson, et al. Standards Track [Page 24] - -RFC 3039 Qualified Certificates Profile January 2001 - - - 3. The subject's distinguished name is CN=Petra M. Barzin, O=GMD - - Forschungszentrum Informationstechnik GmbH, C=DE - 4. The certificate was issued on May 1, 2000 and will expire on - November 1, 2000 - 5. The certificate contains a 1024 bit RSA key - 6. The certificate includes a critical key usage extension - exclusively indicating non-repudiation - 7. The certificate includes a certificate policy identifier - extension indicating the practices and procedures undertaken - by the issuing CA (object identifier 1.3.36.8.1.1). The - certificate policy object identifier is defined by TeleTrust, - Germany. It is required to be set in a certificate conformant - to the German digital signature law. - 8. The certificate includes a subject directory attributes - extension containing the following attributes: - - surname: Barzin - given name: Petra - date of birth: October, 14th 1971 - place of birth: Darmstadt - country of citizenship:Germany - gender: Female - - 9. The certificate includes a qualified statement private - extension indicating that the naming registration authority's - name as "municipality@darmstadt.de". - 10. The certificate includes, in conformance with RFC 2459, an - authority key identifier extension. - -C.1 ASN.1 Structure - -C.1.1 Extensions - - Since extensions are DER-encoded already when placed in the structure - to be signed, they are for clarity shown here in the value notation - defined in [X.680]. - -C.1.1.1 The subjectDirectoryAttributes extension - - petrasSubjDirAttrs AttributesSyntax ::= { - { - type id-pda-countryOfCitizenship, - values { - PrintableString : "DE" - } - }, - { - type id-pda-gender, - - - -Santesson, et al. Standards Track [Page 25] - -RFC 3039 Qualified Certificates Profile January 2001 - - - values { - PrintableString : "F" - } - }, - { - type id-pda-dateOfBirth, - values { - GeneralizedTime : "197110140000Z" - } - }, - { - type id-pda-placeOfBirth, - values { - DirectoryString : utf8String : "Darmstadt" - } - } - } - -C.1.1.2 The keyUsage extension - - petrasKeyUsage KeyUsage ::= {nonRepudiation} - -C.1.1.3 The certificatePolicies extension - - petrasCertificatePolicies CertificatePoliciesSyntax ::= { - { - policyIdentifier {1 3 36 8 1 1} - } - } - -C.1.1.4 The qcStatements extension - - petrasQCStatement QCStatements ::= { - { - statementId id-qcs-pkixQCSyntax-v1, - statementInfo SemanticsInformation : { - nameRegistrationAuthorities { - rfc822Name : "municipality@darmstadt.de" - } - } - } - } - -C.1.1.5 The authorityKeyIdentifier extension - - petrasAKI AuthorityKeyIdentifier ::= { - keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H - } - - - -Santesson, et al. Standards Track [Page 26] - -RFC 3039 Qualified Certificates Profile January 2001 - - -C.1.2 The certificate - - The signed portion of the certificate is shown here in the value - notation defined in [X.680]. Note that extension values are already - DER encoded in this structure. Some values has been truncated for - readability purposes. - - { - version v3, - serialNumber 1234567890, - signature - { - algorithm { 1 2 840 113549 1 1 5 }, - parameters RSAParams : NULL - }, - issuer rdnSequence : - { - { - { - type { 2 5 4 6 }, - value PrintableString : "DE" - } - }, - { - { - type { 2 5 4 10 }, - value UTF8String : - "GMD - Forschungszentrum Informationstechnik GmbH" - } - } - }, - validity - { - notBefore utcTime : "000501100000Z", - notAfter utcTime : "001101100000Z" - }, - subject rdnSequence : - { - { - { - type { 2 5 4 6 }, - value PrintableString : "DE" - } - }, - { - { - type { 2 5 4 10 }, - value UTF8String : - - - -Santesson, et al. Standards Track [Page 27] - -RFC 3039 Qualified Certificates Profile January 2001 - - - "GMD Forschungszentrum Informationstechnik GmbH" - } - }, - { - { - type { 2 5 4 4 }, - value UTF8String : "Barzin" - }, - { - type { 2 5 4 42 }, - value UTF8String : "Petra" - } - } - }, - subjectPublicKeyInfo - { - algorithm - { - algorithm { 1 2 840 113549 1 1 1 }, - parameters RSAParams : NULL - }, - subjectPublicKey '00110000 10000001 10000111 00000010 1000 ...'B - }, - extensions - { - { - extnId { 2 5 29 9 }, -- subjectDirectoryAttributes - extnValue '305B301006082B06010505070904310413024445300F0 ...'H - }, - { - extnId { 2 5 29 15 }, -- keyUsage - critical TRUE, - extnValue '03020640'H - }, - { - extnId { 2 5 29 32 }, -- certificatePolicies - extnValue '3009300706052B24080101'H - }, - { - extnId { 2 5 29 35 }, -- authorityKeyIdentifier - extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H - }, - { - extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements - extnValue '302B302906082B06010505070B01301D301B81196D756 ...'H - } - } - } - - - -Santesson, et al. Standards Track [Page 28] - -RFC 3039 Qualified Certificates Profile January 2001 - - -C.2 ASN.1 dump - - This section contains an ASN.1 dump of the signed portion of the - certificate. Some values has been truncated for readability - purposes. - - TBSCertificate SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 631 - version : tag = [0] constructed; length = 3 - Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 - 2 - serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2] - primitive; length = 4 - 1234567890 - signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 13 - algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 9 - { 1 2 840 113549 1 1 5 } - parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; - length = 0 - NULL - issuer Name CHOICE - rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] - constructed; length = 72 - RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] - constructed; length = 11 - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 9 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 6 } - value OpenType: PrintableString: tag = [UNIVERSAL 19] - primitive; length = 2 - "DE" - RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] - constructed; length = 57 - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 55 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 10 } - value OpenType : UTF8String: tag = [UNIVERSAL 12] - primitive; length = 48 - 0x474d44202d20466f72736368756e67737a656e7472756d2049... - validity Validity SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 30 - notBefore Time CHOICE - - - -Santesson, et al. Standards Track [Page 29] - -RFC 3039 Qualified Certificates Profile January 2001 - - - utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 - 000501100000Z - notAfter Time CHOICE - utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 - 001101100000Z - subject Name CHOICE - rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] - constructed; length = 101 - RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] - constructed; length = 11 - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 9 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 6 } - value OpenType: PrintableString: tag = [UNIVERSAL 19] - primitive; length = 2 - "DE" - RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] - constructed; length = 55 - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 53 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 10 } - value OpenType: UTF8String: tag = [UNIVERSAL 12] - primitive; length = 46 - 0x474d4420466f72736368756e67737a656e7472756d20496e66... - RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] - constructed; length = 29 - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 13 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 4 } - value OpenType: UTF8String: tag = [UNIVERSAL 12] - primitive; length = 6 - 0x4261727a696e - AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 12 - type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 4 42 } - value OpenType: UTF8String: tag = [UNIVERSAL 12] - primitive; length = 5 - 0x5065747261 - subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: tag = - [UNIVERSAL 16] constructed; length = 157 - - - -Santesson, et al. Standards Track [Page 30] - -RFC 3039 Qualified Certificates Profile January 2001 - - - algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] - constructed; length = 13 - algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 9 - { 1 2 840 113549 1 1 1 } - parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; - length = 0 - NULL - subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] primitive; - length = 139 - 0x0030818702818100b8488400d4b6088be48ead459ca19ec717aaf3d1d... - extensions : tag = [3] constructed; length = 233 - Extensions SEQUENCE OF: tag = [UNIVERSAL 16] constructed; - length = 230 - Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 100 - extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 29 9 } - extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; - length = 93 - 0x305b301006082b06010505070904310413024445300f06082b060... - Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 14 - extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 29 15 } - critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 - TRUE - extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; - length = 4 - 0x03020640 - Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 18 - extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 29 32 } - extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; - length = 11 - 0x3009300706052b24080101 - Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 31 - extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 3 - { 2 5 29 35 } - extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; - length = 24 - 0x30168014000102030405060708090a0b0c0d0e0ffedcba98 - - - -Santesson, et al. Standards Track [Page 31] - -RFC 3039 Qualified Certificates Profile January 2001 - - - Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; - length = 57 - extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; - length = 8 - { 1 3 6 1 5 5 7 1 3 } - extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; - length = 45 - 0x302b302906082b06010505070b01301d301b81196d756e6963697... - -C.3 DER-encoding - - This section contains the full, DER-encoded certificate, in hex. - - 3082030E30820277A0030201020204499602D2300D06092A864886F70D010105 - 05003048310B300906035504061302444531393037060355040A0C30474D4420 - 2D20466F72736368756E67737A656E7472756D20496E666F726D6174696F6E73 - 746563686E696B20476D6248301E170D3030303530313130303030305A170D30 - 30313130313130303030305A3065310B30090603550406130244453137303506 - 0355040A0C2E474D4420466F72736368756E67737A656E7472756D20496E666F - 726D6174696F6E73746563686E696B20476D6248311D300C060355042A0C0550 - 65747261300D06035504040C064261727A696E30819D300D06092A864886F70D - 010101050003818B0030818702818100B8488400D4B6088BE48EAD459CA19EC7 - 17AAF3D1D4EE3ECCA496128A13597D16CC8B85EB37EFCE110C63B01E684E5CF6 - 32291EAC60FD153C266EAAC36AD4CEA92319F9BFDD261AD2BFE41EAB4E17FE67 - 8341EE52D9A0A8B4DEC07B7ACC76762514045CEE9994E0CF37BAE05F8DE33B35 - FF98BCE77742CE4B12273BD122137FE9020105A381E93081E630640603551D09 - 045D305B301006082B06010505070904310413024445300F06082B0601050507 - 09033103130146301D06082B060105050709013111180F313937313130313430 - 30303030305A301706082B06010505070902310B0C094461726D737461647430 - 0E0603551D0F0101FF04040302064030120603551D20040B3009300706052B24 - 080101301F0603551D23041830168014000102030405060708090A0B0C0D0E0F - FEDCBA98303906082B06010505070103042D302B302906082B06010505070B01 - 301D301B81196D756E69636970616C697479406461726D73746164742E646530 - 0D06092A864886F70D01010505000381810048FD14D9AFE961E4321D9AA40CC0 - 1C12893550CF76FBECBDE448926B0AE6F904AB89E7B5F808666FB007218AC18D - 28CE1E2D40FBF8C16B275CBA0547D7885B74059DEC736223368FC1602A510BC1 - EB31E39F3967BE6B413D48BC743A0AB19C57FD20F3B393E8FEBD8B05CAA5007D - AD36F9D789AEF636A0AC0F93BCB3711B5907 - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 32] - -RFC 3039 Qualified Certificates Profile January 2001 - - -C.4 CA's public RSA key - - This section contains the DER-encoded public RSA key of the CA who - signed the example certificate. It is included with the purpose of - simplifying verifications of the example certificate. - - 30818902818100ad1f35964b3674c807b9f8a645d2c8174e514b69a4b46a7382 - 915abbc44eccede914dae8fcc023abcea9c53380e641795cb0dda664b872fc10 - 9f9bbb852bf42d994f634c681608e388dce240b558513e5b60027bd1a07cef9c - 9b6db37c7e1f1abd238eed96e4b669056b260f55e83f14e6027127c9deb3ad18 - afcd3f8a5f5bf50203010001 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 33] - -RFC 3039 Qualified Certificates Profile January 2001 - - -Authors' Addresses - - Stefan Santesson - AddTrust AB - P.O. Box 465 - S-201 24 Malmo - Sweden - - EMail: stefan@addtrust.com - - - Tim Polk - NIST - Building 820, Room 426 - Gaithersburg, MD 20899, USA - - EMail: wpolk@nist.gov - - - Petra Barzin - SECUDE - Sicherheitstechnologie Informationssysteme GmbH - Landwehrstrasse 50a - D-64293 Darmstadt - Germany - - EMail: barzin@secude.com - - - Magnus Nystrom - RSA Security AB - Box 10704 - S-121 29 Stockholm - Sweden - - EMail: magnus@rsasecurity.com - - - - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 34] - -RFC 3039 Qualified Certificates Profile January 2001 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2001). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Santesson, et al. Standards Track [Page 35] - |