| < draft-ietf-pkix-new-part1-10.txt | draft-ietf-pkix-new-part1-11.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 13 ¶ | skipping to change at page 1, line 13 ¶ | |||
| PKIX Working Group R. Housley (RSA Laboratories) | PKIX Working Group R. Housley (RSA Laboratories) | |||
| Internet Draft W. Ford (VeriSign) | Internet Draft W. Ford (VeriSign) | |||
| W. Polk (NIST) | W. Polk (NIST) | |||
| D. Solo (Citigroup) | D. Solo (Citigroup) | |||
| expires in six months October 2001 | expires in six months October 2001 | |||
| Internet X.509 Public Key Infrastructure | Internet X.509 Public Key Infrastructure | |||
| Certificate and CRL Profile | Certificate and CRL Profile | |||
| <draft-ietf-pkix-new-part1-10.txt> | <draft-ietf-pkix-new-part1-11.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026. Internet-Drafts are working | all provisions of Section 10 of RFC2026. Internet-Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and its working groups. Note that other groups may also distribute | and its working groups. Note that other groups may also distribute | |||
| working documents as Internet-Drafts. | working documents as Internet-Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 44 ¶ | |||
| To view the entire list of current Internet-Drafts, please check the | To view the entire list of current Internet-Drafts, please check the | |||
| "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow | "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow | |||
| Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern | Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern | |||
| Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific | Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific | |||
| Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). | Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). | |||
| Copyright (C) The Internet Society (2001). All Rights Reserved. | Copyright (C) The Internet Society (2001). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This is the tenth draft of a specification based upon RFC 2459. When | When complete, this specification will obsolete RFC 2459. | |||
| complete, this specification will obsolete RFC 2459. | ||||
| Please send comments on this document to the ietf-pkix@imc.org mail | Please send comments on this document to the ietf-pkix@imc.org mail | |||
| list. | list. | |||
| This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use | This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use | |||
| in the Internet. An overview of the approach and model are provided | in the Internet. An overview of the approach and model are provided | |||
| as an introduction. The X.509 v3 certificate format is described in | as an introduction. The X.509 v3 certificate format is described in | |||
| detail, with additional information regarding the format and | detail, with additional information regarding the format and | |||
| semantics of Internet name forms (e.g., IP addresses). Standard | semantics of Internet name forms (e.g., IP addresses). Standard | |||
| certificate extensions are described and one new Internet-specific | certificate extensions are described and one new Internet-specific | |||
| skipping to change at page 46, line 4 ¶ | skipping to change at page 46, line 4 ¶ | |||
| id-pkix OBJECT IDENTIFIER ::= | id-pkix OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) } | security(5) mechanisms(5) pkix(7) } | |||
| id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } | id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } | |||
| 4.2.2.1 Authority Information Access | 4.2.2.1 Authority Information Access | |||
| The authority information access extension indicates how to access CA | The authority information access extension indicates how to access CA | |||
| information and services for the issuer of the certificate in which | information and services for the issuer of the certificate in which | |||
| the extension appears. Information and services may include on-line | the extension appears. Information and services may include on-line | |||
| validation services and CA policy data. (The location of CRLs is not | validation services and CA policy data. (The location of CRLs is not | |||
| specified in this extension; that information is provided by the | specified in this extension; that information is provided by the | |||
| cRLDistributionPoints extension.) This extension may be included in | cRLDistributionPoints extension.) This extension may be included in | |||
| subject or CA certificates, and it MUST be non-critical. | subject or CA certificates, and it MUST be non-critical. | |||
| id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } | id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } | |||
| AuthorityInfoAccessSyntax ::= | AuthorityInfoAccessSyntax ::= | |||
| SEQUENCE SIZE (1..MAX) OF AccessDescription | SEQUENCE SIZE (1..MAX) OF AccessDescription | |||
| skipping to change at page 46, line 26 ¶ | skipping to change at page 46, line 26 ¶ | |||
| accessMethod OBJECT IDENTIFIER, | accessMethod OBJECT IDENTIFIER, | |||
| accessLocation GeneralName } | accessLocation GeneralName } | |||
| id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | |||
| id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } | id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } | |||
| id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } | id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } | |||
| Each entry in the sequence AuthorityInfoAccessSyntax describes the | Each entry in the sequence AuthorityInfoAccessSyntax describes the | |||
| format and location of additional information provided by the CA who | format and location of additional information provided by the CA that | |||
| issued the certificate in which this extension appears. The type and | issued the certificate in which this extension appears. The type and | |||
| format of the information is specified by the accessMethod field; the | format of the information is specified by the accessMethod field; the | |||
| accessLocation field specifies the location of the information. The | accessLocation field specifies the location of the information. The | |||
| retrieval mechanism may be implied by the accessMethod or specified | retrieval mechanism may be implied by the accessMethod or specified | |||
| by accessLocation. | by accessLocation. | |||
| This profile defines two accessMethod OIDs: id-ad-caIssuers and id- | This profile defines two accessMethod OIDs: id-ad-caIssuers and id- | |||
| ad-ocsp. | ad-ocsp. | |||
| The id-ad-caIssuers OID is used when the additional information lists | The id-ad-caIssuers OID is used when the additional information lists | |||
| skipping to change at page 46, line 50 ¶ | skipping to change at page 46, line 50 ¶ | |||
| a certification path that terminates at a point trusted by the | a certification path that terminates at a point trusted by the | |||
| certificate user. | certificate user. | |||
| When id-ad-caIssuers appears as accessMethod, the accessLocation | When id-ad-caIssuers appears as accessMethod, the accessLocation | |||
| field describes the referenced description server and the access | field describes the referenced description server and the access | |||
| protocol to obtain the referenced description. The accessLocation | protocol to obtain the referenced description. The accessLocation | |||
| field is defined as a GeneralName, which can take several forms. | field is defined as a GeneralName, which can take several forms. | |||
| Where the information is available via http, ftp, or ldap, | Where the information is available via http, ftp, or ldap, | |||
| accessLocation MUST be a uniformResourceIdentifier. Where the | accessLocation MUST be a uniformResourceIdentifier. Where the | |||
| information is available via the Directory Access Protocol (DAP), | information is available via the Directory Access Protocol (DAP), | |||
| accessLocation MUST be a directoryName. When the information is | accessLocation MUST be a directoryName. The entry for that | |||
| available via electronic mail, accessLocation MUST be an rfc822Name. | directoryName contains CA certificates in the crossCertificatePair | |||
| attribute. When the information is available via electronic mail, | ||||
| The semantics of other id-ad-caIssuers accessLocation name forms are | accessLocation MUST be an rfc822Name. The semantics of other id-ad- | |||
| not defined. | caIssuers accessLocation name forms are not defined. | |||
| The id-ad-ocsp OID is used when revocation information for the | The id-ad-ocsp OID is used when revocation information for the | |||
| certificate containing this extension is available using the Online | certificate containing this extension is available using the Online | |||
| Certificate Status Protocol (OCSP) [RFC 2560]. | Certificate Status Protocol (OCSP) [RFC 2560]. | |||
| When id-ad-ocsp appears as accessMethod, the accessLocation field is | When id-ad-ocsp appears as accessMethod, the accessLocation field is | |||
| the location of the OCSP responder, using the conventions defined in | the location of the OCSP responder, using the conventions defined in | |||
| [RFC 2560]. | [RFC 2560]. Additional access descriptors may be defined in other | |||
| PKIX specifications. | ||||
| [RFC 2560] defines the access descriptor for the Online Certificate | ||||
| Status Protocol. When this access descriptor appears in the | ||||
| authority information access extension, this indicates the issuer | ||||
| provides revocation information for this certificate through the | ||||
| named OCSP service. Additional access descriptors may be defined in | ||||
| other PKIX specifications. | ||||
| 4.2.2.2 Subject Information Access | 4.2.2.2 Subject Information Access | |||
| The subject information access extension indicates how to access | The subject information access extension indicates how to access | |||
| information and services for the subject of the certificate in which | information and services for the subject of the certificate in which | |||
| the extension appears. When the subject is a CA, information and | the extension appears. When the subject is a CA, information and | |||
| services may include certificate validation services and CA policy | services may include certificate validation services and CA policy | |||
| data. When the subject is an end entity, the information describes | data. When the subject is an end entity, the information describes | |||
| the type of services offered and how to access them. In this case, | the type of services offered and how to access them. In this case, | |||
| the contents of this extension are defined in the protocol | the contents of this extension are defined in the protocol | |||
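Review bot: attaching "Additional access descriptors may be defined in other PKIX specifications." to the paragraph that ends "using the conventions defined in [RFC 2560]." makes it read as a statement about OCSP responders rather than about the extension as a whole; keep it as its own short paragraph after the OCSP text, as the deleted block had it. Deleting the second "[RFC 2560] defines the access descriptor for the Online Certificate Status Protocol ..." paragraph is right, since it restated the id-ad-ocsp paragraph immediately above it. The new sentence "The entry for that directoryName contains CA certificates in the crossCertificatePair attribute." is the only place this text tells a relying party which directory attribute to read when following a directoryName; since the id-ad-caIssuers information is described as certificates for building a certification path, confirm whether the CA entry's cACertificate attribute (the other CA-certificate attribute in the PKIX LDAP schema, RFC 2587, not cited in this hunk) should be named here too, so that a client does not stop after reading only crossCertificatePair.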
| skipping to change at page 95, line 22 ¶ | skipping to change at page 95, line 22 ¶ | |||
| X520countryName ::= PrintableString (SIZE (2)) | X520countryName ::= PrintableString (SIZE (2)) | |||
| -- Naming attributes of type X520SerialNumber | -- Naming attributes of type X520SerialNumber | |||
| id-at-serialNumber AttributeType ::= { id-at 5 } | id-at-serialNumber AttributeType ::= { id-at 5 } | |||
| X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) | X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) | |||
| -- Naming attributes of type X520Pseudonym | -- Naming attributes of type X520Pseudonym | |||
| id-at-localityName AttributeType ::= { id-at 65 } | id-at-pseudonym AttributeType ::= { id-at 65 } | |||
| X520Pseudonym ::= CHOICE { | X520Pseudonym ::= CHOICE { | |||
| teletexString TeletexString (SIZE (1..ub-pseudonym)), | teletexString TeletexString (SIZE (1..ub-pseudonym)), | |||
| printableString PrintableString (SIZE (1..ub-pseudonym)), | printableString PrintableString (SIZE (1..ub-pseudonym)), | |||
| universalString UniversalString (SIZE (1..ub-pseudonym)), | universalString UniversalString (SIZE (1..ub-pseudonym)), | |||
| utf8String UTF8String (SIZE (1..ub-pseudonym)), | utf8String UTF8String (SIZE (1..ub-pseudonym)), | |||
| bmpString BMPString (SIZE (1..ub-pseudonym)) } | bmpString BMPString (SIZE (1..ub-pseudonym)) } | |||
| -- Naming attributes of type DomainComponent (from RFC 2247) | -- Naming attributes of type DomainComponent (from RFC 2247) | |||
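Review bot: the rename from "id-at-localityName AttributeType ::= { id-at 65 }" to "id-at-pseudonym AttributeType ::= { id-at 65 }" fixes a copy-and-paste error: the line sits directly under "-- Naming attributes of type X520Pseudonym" and introduces the X520Pseudonym CHOICE that follows, so it must define the pseudonym identifier, and the old text reused the name of the locality naming attribute for arc 65. Since the same block layout (comment, identifier, type) repeats for every naming attribute in this module, it is worth a pass over the neighbouring blocks to check that each identifier matches its comment and type, as the same slip could have been made elsewhere.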
| End of changes. 7 change blocks. | ||||
| 19 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||