| < draft-ietf-pkix-new-part1-09.txt | draft-ietf-pkix-new-part1-10.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 13 ¶ | skipping to change at page 1, line 13 ¶ | |||
| PKIX Working Group R. Housley (RSA Laboratories) | PKIX Working Group R. Housley (RSA Laboratories) | |||
| Internet Draft W. Ford (VeriSign) | Internet Draft W. Ford (VeriSign) | |||
| W. Polk (NIST) | W. Polk (NIST) | |||
| D. Solo (Citigroup) | D. Solo (Citigroup) | |||
| expires in six months October 2001 | expires in six months October 2001 | |||
| Internet X.509 Public Key Infrastructure | Internet X.509 Public Key Infrastructure | |||
| Certificate and CRL Profile | Certificate and CRL Profile | |||
| <draft-ietf-pkix-new-part1-09.txt> | <draft-ietf-pkix-new-part1-10.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026. Internet-Drafts are working | all provisions of Section 10 of RFC2026. Internet-Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and its working groups. Note that other groups may also distribute | and its working groups. Note that other groups may also distribute | |||
| working documents as Internet-Drafts. | working documents as Internet-Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 44 ¶ | |||
| To view the entire list of current Internet-Drafts, please check the | To view the entire list of current Internet-Drafts, please check the | |||
| "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow | "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow | |||
| Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern | Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern | |||
| Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific | Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific | |||
| Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). | Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). | |||
| Copyright (C) The Internet Society (2001). All Rights Reserved. | Copyright (C) The Internet Society (2001). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This is the ninth draft of a specification based upon RFC 2459. When | This is the tenth draft of a specification based upon RFC 2459. When | |||
| complete, this specification will obsolete RFC 2459. | complete, this specification will obsolete RFC 2459. | |||
| Please send comments on this document to the ietf-pkix@imc.org mail | Please send comments on this document to the ietf-pkix@imc.org mail | |||
| list. | list. | |||
| This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use | This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use | |||
| in the Internet. An overview of the approach and model are provided | in the Internet. An overview of the approach and model are provided | |||
| as an introduction. The X.509 v3 certificate format is described in | as an introduction. The X.509 v3 certificate format is described in | |||
| detail, with additional information regarding the format and | detail, with additional information regarding the format and | |||
| semantics of Internet name forms (e.g., IP addresses). Standard | semantics of Internet name forms (e.g., IP addresses). Standard | |||
| skipping to change at page 4, line 13 ¶ | skipping to change at page 4, line 13 ¶ | |||
| 4.2.1.14 CRL Distribution Points . . . . . . . . . . . . . . . . . 43 | 4.2.1.14 CRL Distribution Points . . . . . . . . . . . . . . . . . 43 | |||
| 4.2.1.15 Inhibit Any-Policy . . . . . . . . . . . . . . . . . . . . 44 | 4.2.1.15 Inhibit Any-Policy . . . . . . . . . . . . . . . . . . . . 44 | |||
| 4.2.1.16 Freshest CRL . . . . . . . . . . . . . . . . . . . . . . . 45 | 4.2.1.16 Freshest CRL . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 4.2.2 Internet Certificate Extensions . . . . . . . . . . . . . . . 45 | 4.2.2 Internet Certificate Extensions . . . . . . . . . . . . . . . 45 | |||
| 4.2.2.1 Authority Information Access . . . . . . . . . . . . . . . 45 | 4.2.2.1 Authority Information Access . . . . . . . . . . . . . . . 45 | |||
| 4.2.2.2 Subject Information Access . . . . . . . . . . . . . . . . 47 | 4.2.2.2 Subject Information Access . . . . . . . . . . . . . . . . 47 | |||
| 5 CRL and CRL Extensions Profile . . . . . . . . . . . . . . . . . 48 | 5 CRL and CRL Extensions Profile . . . . . . . . . . . . . . . . . 48 | |||
| 5.1 CRL Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 5.1 CRL Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 5.1.1 CertificateList Fields . . . . . . . . . . . . . . . . . . . 50 | 5.1.1 CertificateList Fields . . . . . . . . . . . . . . . . . . . 50 | |||
| 5.1.1.1 tbsCertList . . . . . . . . . . . . . . . . . . . . . . . . 50 | 5.1.1.1 tbsCertList . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 5.1.1.2 signatureAlgorithm . . . . . . . . . . . . . . . . . . . . 50 | 5.1.1.2 signatureAlgorithm . . . . . . . . . . . . . . . . . . . . 51 | |||
| 5.1.1.3 signatureValue . . . . . . . . . . . . . . . . . . . . . . 51 | 5.1.1.3 signatureValue . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 5.1.2 Certificate List "To Be Signed" . . . . . . . . . . . . . . . 51 | 5.1.2 Certificate List "To Be Signed" . . . . . . . . . . . . . . . 52 | |||
| 5.1.2.1 Version . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | 5.1.2.1 Version . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| 5.1.2.2 Signature . . . . . . . . . . . . . . . . . . . . . . . . . 52 | 5.1.2.2 Signature . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| 5.1.2.3 Issuer Name . . . . . . . . . . . . . . . . . . . . . . . . 52 | 5.1.2.3 Issuer Name . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| 5.1.2.4 This Update . . . . . . . . . . . . . . . . . . . . . . . . 52 | 5.1.2.4 This Update . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| 5.1.2.5 Next Update . . . . . . . . . . . . . . . . . . . . . . . . 52 | 5.1.2.5 Next Update . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 5.1.2.6 Revoked Certificates . . . . . . . . . . . . . . . . . . . 53 | 5.1.2.6 Revoked Certificates . . . . . . . . . . . . . . . . . . . 53 | |||
| 5.1.2.7 Extensions . . . . . . . . . . . . . . . . . . . . . . . . 53 | 5.1.2.7 Extensions . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 5.2 CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . 53 | 5.2 CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 5.2.1 Authority Key Identifier . . . . . . . . . . . . . . . . . . 54 | 5.2.1 Authority Key Identifier . . . . . . . . . . . . . . . . . . 54 | |||
| 5.2.2 Issuer Alternative Name . . . . . . . . . . . . . . . . . . . 54 | 5.2.2 Issuer Alternative Name . . . . . . . . . . . . . . . . . . . 54 | |||
| 5.2.3 CRL Number . . . . . . . . . . . . . . . . . . . . . . . . . 54 | 5.2.3 CRL Number . . . . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| 5.2.4 Delta CRL Indicator . . . . . . . . . . . . . . . . . . . . . 55 | 5.2.4 Delta CRL Indicator . . . . . . . . . . . . . . . . . . . . . 55 | |||
| 5.2.5 Issuing Distribution Point . . . . . . . . . . . . . . . . . 58 | 5.2.5 Issuing Distribution Point . . . . . . . . . . . . . . . . . 58 | |||
| 5.2.6 Freshest CRL . . . . . . . . . . . . . . . . . . . . . . . . 59 | 5.2.6 Freshest CRL . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 5.3 CRL Entry Extensions . . . . . . . . . . . . . . . . . . . . . 59 | 5.3 CRL Entry Extensions . . . . . . . . . . . . . . . . . . . . . 60 | |||
| 5.3.1 Reason Code . . . . . . . . . . . . . . . . . . . . . . . . . 60 | 5.3.1 Reason Code . . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
| 5.3.2 Hold Instruction Code . . . . . . . . . . . . . . . . . . . . 60 | 5.3.2 Hold Instruction Code . . . . . . . . . . . . . . . . . . . . 61 | |||
| 5.3.3 Invalidity Date . . . . . . . . . . . . . . . . . . . . . . . 61 | 5.3.3 Invalidity Date . . . . . . . . . . . . . . . . . . . . . . . 61 | |||
| 5.3.4 Certificate Issuer . . . . . . . . . . . . . . . . . . . . . 61 | 5.3.4 Certificate Issuer . . . . . . . . . . . . . . . . . . . . . 62 | |||
| 6 Certificate Path Validation . . . . . . . . . . . . . . . . . . . 62 | 6 Certificate Path Validation . . . . . . . . . . . . . . . . . . . 62 | |||
| 6.1 Basic Path Validation . . . . . . . . . . . . . . . . . . . . . 63 | 6.1 Basic Path Validation . . . . . . . . . . . . . . . . . . . . . 63 | |||
| 6.1.1 Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 | 6.1.1 Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 | |||
| 6.1.2 Initialization . . . . . . . . . . . . . . . . . . . . . . . 66 | 6.1.2 Initialization . . . . . . . . . . . . . . . . . . . . . . . 67 | |||
| 6.1.3 Basic Certificate Processing . . . . . . . . . . . . . . . . 69 | 6.1.3 Basic Certificate Processing . . . . . . . . . . . . . . . . 69 | |||
| 6.1.4 Preparation for Certificate i+1 . . . . . . . . . . . . . . . 74 | 6.1.4 Preparation for Certificate i+1 . . . . . . . . . . . . . . . 74 | |||
| 6.1.5 Wrap-up procedure . . . . . . . . . . . . . . . . . . . . . . 77 | 6.1.5 Wrap-up procedure . . . . . . . . . . . . . . . . . . . . . . 77 | |||
| 6.1.6 Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 | 6.1.6 Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 | |||
| 6.2 Extending Path Validation . . . . . . . . . . . . . . . . . . . 79 | 6.2 Extending Path Validation . . . . . . . . . . . . . . . . . . . 79 | |||
| 6.3 CRL Validation . . . . . . . . . . . . . . . . . . . . . . . . 80 | 6.3 CRL Validation . . . . . . . . . . . . . . . . . . . . . . . . 80 | |||
| 6.3.1 Revocation Inputs . . . . . . . . . . . . . . . . . . . . . . 80 | 6.3.1 Revocation Inputs . . . . . . . . . . . . . . . . . . . . . . 80 | |||
| 6.3.2 Initialization and Revocation State Variables . . . . . . . . 81 | 6.3.2 Initialization and Revocation State Variables . . . . . . . . 81 | |||
| 6.3.3 CRL Processing . . . . . . . . . . . . . . . . . . . . . . . 81 | 6.3.3 CRL Processing . . . . . . . . . . . . . . . . . . . . . . . 81 | |||
| 7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 | 7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 | |||
| 8 Intellectual Property Rights . . . . . . . . . . . . . . . . . . 87 | 8 Intellectual Property Rights . . . . . . . . . . . . . . . . . . 87 | |||
| 9 Security Considerations . . . . . . . . . . . . . . . . . . . . . 87 | 9 Security Considerations . . . . . . . . . . . . . . . . . . . . . 87 | |||
| Appendix A. ASN.1 Structures and OIDs . . . . . . . . . . . . . . . 91 | Appendix A. ASN.1 Structures and OIDs . . . . . . . . . . . . . . . 91 | |||
| A.1 Explicitly Tagged Module, 1988 Syntax . . . . . . . . . . . . . 91 | A.1 Explicitly Tagged Module, 1988 Syntax . . . . . . . . . . . . . 91 | |||
| A.2 Implicitly Tagged Module, 1988 Syntax . . . . . . . . . . . . . 104 | A.2 Implicitly Tagged Module, 1988 Syntax . . . . . . . . . . . . . 105 | |||
| Appendix B. ASN.1 Notes . . . . . . . . . . . . . . . . . . . . . . 111 | Appendix B. ASN.1 Notes . . . . . . . . . . . . . . . . . . . . . . 112 | |||
| Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . . 113 | Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . . 114 | |||
| C.1 DSA Self-Signed Certificate . . . . . . . . . . . . . . . . . . 114 | C.1 DSA Self-Signed Certificate . . . . . . . . . . . . . . . . . . 115 | |||
| C.2 End Entity Certificate Using DSA . . . . . . . . . . . . . . . 117 | C.2 End Entity Certificate Using DSA . . . . . . . . . . . . . . . 118 | |||
| C.3 End Entity Certificate Using RSA . . . . . . . . . . . . . . . 120 | C.3 End Entity Certificate Using RSA . . . . . . . . . . . . . . . 121 | |||
| C.4 Certificate Revocation List . . . . . . . . . . . . . . . . . . 124 | C.4 Certificate Revocation List . . . . . . . . . . . . . . . . . . 125 | |||
| Appendix D. Author Addresses . . . . . . . . . . . . . . . . . . . 127 | Appendix D. Author Addresses . . . . . . . . . . . . . . . . . . . 128 | |||
| Appendix E. Full Copyright Statement . . . . . . . . . . . . . . . 127 | Appendix E. Full Copyright Statement . . . . . . . . . . . . . . . 128 | |||
| 1 Introduction | 1 Introduction | |||
| This specification is one part of a family of standards for the X.509 | This specification is one part of a family of standards for the X.509 | |||
| Public Key Infrastructure (PKI) for the Internet. This specification | Public Key Infrastructure (PKI) for the Internet. This specification | |||
| is a standalone document; implementations of this standard may | is a standalone document; implementations of this standard may | |||
| proceed independent from the other parts. | proceed independent from the other parts. | |||
| This specification profiles the format and semantics of certificates | This specification profiles the format and semantics of certificates | |||
| and certificate revocation lists for the Internet PKI. Procedures | and certificate revocation lists for the Internet PKI. Procedures | |||
| are described for processing of certification paths in the Internet | are described for processing of certification paths in the Internet | |||
| skipping to change at page 46, line 23 ¶ | skipping to change at page 46, line 23 ¶ | |||
| SEQUENCE SIZE (1..MAX) OF AccessDescription | SEQUENCE SIZE (1..MAX) OF AccessDescription | |||
| AccessDescription ::= SEQUENCE { | AccessDescription ::= SEQUENCE { | |||
| accessMethod OBJECT IDENTIFIER, | accessMethod OBJECT IDENTIFIER, | |||
| accessLocation GeneralName } | accessLocation GeneralName } | |||
| id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | |||
| id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } | id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } | |||
| id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } | ||||
| Each entry in the sequence AuthorityInfoAccessSyntax describes the | Each entry in the sequence AuthorityInfoAccessSyntax describes the | |||
| format and location of additional information provided by the CA who | format and location of additional information provided by the CA who | |||
| issued the certificate in which this extension appears. The type and | issued the certificate in which this extension appears. The type and | |||
| format of the information is specified by the accessMethod field; the | format of the information is specified by the accessMethod field; the | |||
| accessLocation field specifies the location of the information. The | accessLocation field specifies the location of the information. The | |||
| retrieval mechanism may be implied by the accessMethod or specified | retrieval mechanism may be implied by the accessMethod or specified | |||
| by accessLocation. | by accessLocation. | |||
| This profile defines one OID for accessMethod. The id-ad-caIssuers | This profile defines two accessMethod OIDs: id-ad-caIssuers and id- | |||
| OID is used when the additional information lists CAs that have | ad-ocsp. | |||
| issued certificates superior to the CA that issued the certificate | ||||
| containing this extension. The referenced CA Issuers description is | ||||
| intended to aid certificate users in the selection of a certification | ||||
| path that terminates at a point trusted by the certificate user. | ||||
| When id-ad-caIssuers appears as accessInfoType, the accessLocation | The id-ad-caIssuers OID is used when the additional information lists | |||
| CAs that have issued certificates superior to the CA that issued the | ||||
| certificate containing this extension. The referenced CA Issuers | ||||
| description is intended to aid certificate users in the selection of | ||||
| a certification path that terminates at a point trusted by the | ||||
| certificate user. | ||||
| When id-ad-caIssuers appears as accessMethod, the accessLocation | ||||
| field describes the referenced description server and the access | field describes the referenced description server and the access | |||
| protocol to obtain the referenced description. The accessLocation | protocol to obtain the referenced description. The accessLocation | |||
| field is defined as a GeneralName, which can take several forms. | field is defined as a GeneralName, which can take several forms. | |||
| Where the information is available via http, ftp, or ldap, | Where the information is available via http, ftp, or ldap, | |||
| accessLocation MUST be a uniformResourceIdentifier. Where the | accessLocation MUST be a uniformResourceIdentifier. Where the | |||
| information is available via the directory access protocol (dap), | information is available via the Directory Access Protocol (DAP), | |||
| accessLocation MUST be a directoryName. When the information is | accessLocation MUST be a directoryName. When the information is | |||
| available via electronic mail, accessLocation MUST be an rfc822Name. | available via electronic mail, accessLocation MUST be an rfc822Name. | |||
| The semantics of other name forms of accessLocation (when | ||||
| accessMethod is id-ad-caIssuers) are not defined by this | The semantics of other id-ad-caIssuers accessLocation name forms are | |||
| specification. | not defined. | |||
| The id-ad-ocsp OID is used when revocation information for the | ||||
| certificate containing this extension is available using the Online | ||||
| Certificate Status Protocol (OCSP) [RFC 2560]. | ||||
| When id-ad-ocsp appears as accessMethod, the accessLocation field is | ||||
| the location of the OCSP responder, using the conventions defined in | ||||
| [RFC 2560]. | ||||
| [RFC 2560] defines the access descriptor for the Online Certificate | [RFC 2560] defines the access descriptor for the Online Certificate | |||
| Status Protocol. When this access descriptor appears in the | Status Protocol. When this access descriptor appears in the | |||
| authority information access extension, this indicates the issuer | authority information access extension, this indicates the issuer | |||
| provides revocation information for this certificate through the | provides revocation information for this certificate through the | |||
| named OCSP service. Additional access descriptors may be defined in | named OCSP service. Additional access descriptors may be defined in | |||
| other PKIX specifications. | other PKIX specifications. | |||
| 4.2.2.2 Subject Information Access | 4.2.2.2 Subject Information Access | |||
| skipping to change at page 95, line 20 ¶ | skipping to change at page 95, line 20 ¶ | |||
| id-at-countryName AttributeType ::= { id-at 6 } | id-at-countryName AttributeType ::= { id-at 6 } | |||
| X520countryName ::= PrintableString (SIZE (2)) | X520countryName ::= PrintableString (SIZE (2)) | |||
| -- Naming attributes of type X520SerialNumber | -- Naming attributes of type X520SerialNumber | |||
| id-at-serialNumber AttributeType ::= { id-at 5 } | id-at-serialNumber AttributeType ::= { id-at 5 } | |||
| X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) | X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) | |||
| -- Naming attributes of type X520Pseudonym | ||||
| id-at-localityName AttributeType ::= { id-at 65 } | ||||
| X520Pseudonym ::= CHOICE { | ||||
| teletexString TeletexString (SIZE (1..ub-pseudonym)), | ||||
| printableString PrintableString (SIZE (1..ub-pseudonym)), | ||||
| universalString UniversalString (SIZE (1..ub-pseudonym)), | ||||
| utf8String UTF8String (SIZE (1..ub-pseudonym)), | ||||
| bmpString BMPString (SIZE (1..ub-pseudonym)) } | ||||
| -- Naming attributes of type DomainComponent (from RFC 2247) | -- Naming attributes of type DomainComponent (from RFC 2247) | |||
| id-domainComponent AttributeType ::= | id-domainComponent AttributeType ::= | |||
| { 0 9 2342 19200300 100 1 25 } | { 0 9 2342 19200300 100 1 25 } | |||
| DomainComponent ::= IA5String | DomainComponent ::= IA5String | |||
| -- Legacy attributes | -- Legacy attributes | |||
| pkcs-9 OBJECT IDENTIFIER ::= | pkcs-9 OBJECT IDENTIFIER ::= | |||
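Review bot: The attribute identifier in the added X520Pseudonym block is misnamed: under the comment "-- Naming attributes of type X520Pseudonym" the new line reads "id-at-localityName AttributeType ::= { id-at 65 }". The neighbouring definitions pair id-at-countryName with X520countryName and id-at-serialNumber with X520SerialNumber, so this looks like a copy-and-paste slip and the name should be id-at-pseudonym. As written, the pseudonym type has no identifier of its own, and if the module already assigns id-at-localityName elsewhere this line redefines it, which either stops the module compiling or binds the wrong OID to locality in generated encoders and name-matching code.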
| skipping to change at page 103, line 31 ¶ | skipping to change at page 103, line 43 ¶ | |||
| ub-initials-length INTEGER ::= 5 | ub-initials-length INTEGER ::= 5 | |||
| ub-integer-options INTEGER ::= 256 | ub-integer-options INTEGER ::= 256 | |||
| ub-numeric-user-id-length INTEGER ::= 32 | ub-numeric-user-id-length INTEGER ::= 32 | |||
| ub-organization-name-length INTEGER ::= 64 | ub-organization-name-length INTEGER ::= 64 | |||
| ub-organizational-unit-name-length INTEGER ::= 32 | ub-organizational-unit-name-length INTEGER ::= 32 | |||
| ub-organizational-units INTEGER ::= 4 | ub-organizational-units INTEGER ::= 4 | |||
| ub-pds-name-length INTEGER ::= 16 | ub-pds-name-length INTEGER ::= 16 | |||
| ub-pds-parameter-length INTEGER ::= 30 | ub-pds-parameter-length INTEGER ::= 30 | |||
| ub-pds-physical-address-lines INTEGER ::= 6 | ub-pds-physical-address-lines INTEGER ::= 6 | |||
| ub-postal-code-length INTEGER ::= 16 | ub-postal-code-length INTEGER ::= 16 | |||
| ub-pseudonym INTEGER ::= 128 | ||||
| ub-surname-length INTEGER ::= 40 | ub-surname-length INTEGER ::= 40 | |||
| ub-terminal-id-length INTEGER ::= 24 | ub-terminal-id-length INTEGER ::= 24 | |||
| ub-unformatted-address-length INTEGER ::= 180 | ub-unformatted-address-length INTEGER ::= 180 | |||
| ub-x121-address-length INTEGER ::= 16 | ub-x121-address-length INTEGER ::= 16 | |||
| -- Note - upper bounds on string types, such as TeletexString, are | -- Note - upper bounds on string types, such as TeletexString, are | |||
| -- measured in characters. Excepting PrintableString or IA5String, a | -- measured in characters. Excepting PrintableString or IA5String, a | |||
| -- significantly greater number of octets will be required to hold | -- significantly greater number of octets will be required to hold | |||
| -- such a value. As a minimum, 16 octets, or twice the specified upper | -- such a value. As a minimum, 16 octets, or twice the specified upper | |||
| -- bound, whichever is the larger, should be allowed for TeletexString. | -- bound, whichever is the larger, should be allowed for TeletexString. | |||
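Review bot: The added "ub-pseudonym INTEGER ::= 128" is not covered by the octet-sizing note that follows the list, which gives a minimum allocation only for TeletexString. The X520Pseudonym CHOICE added in the earlier hunk also allows UniversalString, UTF8String and BMPString under the same bound, and the note itself says bounds are measured in characters, so a 128-character UniversalString value occupies 512 octets. Suggest extending the note to state the octet allowance for those string types so that implementations do not size decode buffers from the character bound alone.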
| End of changes. 19 change blocks. | ||||
| 32 lines changed or deleted | 57 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||