| < draft-ietf-pkix-pi-10.txt | draft-ietf-pkix-pi-11.txt > | |||
|---|---|---|---|---|
| PKIX Working Group D. Pinkas (Bull) | PKIX Working Group D. Pinkas (Bull) | |||
| INTERNET-DRAFT T. Gindin (IBM) | INTERNET-DRAFT T. Gindin (IBM) | |||
| Expires: January 2005 July 2004 | Expires: March 2005 September 2004 | |||
| Target category: Standard Track | Target category: Standard Track | |||
| Internet X.509 Public Key Infrastructure | Internet X.509 Public Key Infrastructure | |||
| Permanent Identifier | Permanent Identifier | |||
| <draft-ietf-pkix-pi-11.txt> | ||||
| <draft-ietf-pkix-pi-10.txt> | ||||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | By submitting this Internet-Draft, each co-editor certifies that | |||
| all provisions of Section 10 of [RFC 2026]. | he is not aware of any related applicable patent or other IPR | |||
| claims, and that any of which he may become aware will be disclosed | ||||
| until publication of the draft as an RFC, in accordance with | ||||
| section 6 of BCP 79 [RFC 3668]. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.html. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| Copyright (C) The Internet Society (2002). All Rights Reserved. | ||||
| Please send comments on this document to the ietf-pkix@imc.org | Please send comments on this document to the ietf-pkix@imc.org | |||
| mailing list. | mailing list. | |||
| Abstract | Abstract | |||
| This document define a new form of name, called permanent | This document define a new form of name, called permanent | |||
| identifier, that may be included in the subjectAltName extension | identifier, that may be included in the subjectAltName extension | |||
| of a public key certificate issued to an entity. | of a public key certificate issued to an entity. | |||
| The permanent identifier is an optional feature that may be used | The permanent identifier is an optional feature that may be used | |||
| skipping to change at page 2, line 5 ¶ | skipping to change at page 2, line 5 ¶ | |||
| same entity, even if they contain different subject name (DNs) or | same entity, even if they contain different subject name (DNs) or | |||
| different names in the subjectAltName extension, or if the name | different names in the subjectAltName extension, or if the name | |||
| or the affiliation of that entity stored in the subject or another | or the affiliation of that entity stored in the subject or another | |||
| name form in the subjectAltName extension has changed. | name form in the subjectAltName extension has changed. | |||
| The subject name, carried in the subject field, is only unique | The subject name, carried in the subject field, is only unique | |||
| for each subject entity certified by the one CA as defined by the | for each subject entity certified by the one CA as defined by the | |||
| issuer name field. However, the new name form can carry a | issuer name field. However, the new name form can carry a | |||
| name that is unique for each subject entity certified by a CA. | name that is unique for each subject entity certified by a CA. | |||
| Permanent Identifier September 2004 | ||||
| Table of Contents | ||||
| 1. Introduction...............................................2 | ||||
| 2. Definition of a Permanent Identifier.......................3 | ||||
| 3. IANA Considerations........................................5 | ||||
| 4. Security considerations....................................6 | ||||
| 5. References.................................................7 | ||||
| 5.1 Normative...............................................7 | ||||
| 5.2 Informative.............................................7 | ||||
| 6. Author's Addresses.........................................8 | ||||
| 7. Intellectual Property Rights...............................8 | ||||
| Appendix A. ASN.1 syntax............................................9 | ||||
| A.1 1988 ASN.1 Module.....................................10 | ||||
| A.2 1993 ASN.1 Module.....................................11 | ||||
| Appendix B. OID's for organizations................................12 | ||||
| B.1 Using IANA (Internet Assigned Numbers Authority).......12 | ||||
| B.2 Using an ISO member body...............................12 | ||||
| B.3 Using an ICD (International Code Designator) from | ||||
| British Standards Institution to specify a new or | ||||
| an existing identification scheme......................13 | ||||
| Full Copyright Statement...........................................14 | ||||
| 1 Introduction | 1 Introduction | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119. | document are to be interpreted as described in RFC 2119. | |||
| This specification is based on RFC 3280, which defines underlying | This specification is based on RFC 3280, which defines underlying | |||
| certificate formats and semantics needed for a full implementation | certificate formats and semantics needed for a full implementation | |||
| of this standard. | of this standard. | |||
| skipping to change at page 2, line 37 ¶ | skipping to change at page 3, line 5 ¶ | |||
| For employees of a company or organization, the person may get | For employees of a company or organization, the person may get | |||
| a different position within the same company and thus will | a different position within the same company and thus will | |||
| move from one organization unit to another one. Including the | move from one organization unit to another one. Including the | |||
| organization unit in the name may however be very useful to | organization unit in the name may however be very useful to | |||
| allow the relying parties (RP's) using that certificate to | allow the relying parties (RP's) using that certificate to | |||
| identify the right individual. | identify the right individual. | |||
| For citizens, an individual may change their name by legal | For citizens, an individual may change their name by legal | |||
| processes, especially as a result of marriage. | processes, especially as a result of marriage. | |||
| Permanent Identifier September 2004 | ||||
| Any certificate subject identified by geographical location may | Any certificate subject identified by geographical location may | |||
| relocate and change at least some of the location attributes | relocate and change at least some of the location attributes | |||
| (e.g. country name, state or province, locality, or street). | (e.g. country name, state or province, locality, or street). | |||
| A permanent identifier consists of an identifier value assigned | A permanent identifier consists of an identifier value assigned | |||
| within a given naming space by the organization which is | within a given naming space by the organization which is | |||
| authoritative for that naming space. The organization assigning | authoritative for that naming space. The organization assigning | |||
| the identifier value may be the CA that has issued the certificate | the identifier value may be the CA that has issued the certificate | |||
| or a different organization called an Assigner Authority. | or a different organization called an Assigner Authority. | |||
| skipping to change at page 3, line 37 ¶ | skipping to change at page 4, line 5 ¶ | |||
| A CA which includes a permanent identifier in a certificate is | A CA which includes a permanent identifier in a certificate is | |||
| certifying that any public key certificate containing the same | certifying that any public key certificate containing the same | |||
| values for that identifier refers to the same entity. | values for that identifier refers to the same entity. | |||
| The use of a permanent identifier is OPTIONAL. The permanent | The use of a permanent identifier is OPTIONAL. The permanent | |||
| identifier is defined as follows: | identifier is defined as follows: | |||
| id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | |||
| Permanent Identifier September 2004 | ||||
| PermanentIdentifier ::= SEQUENCE { | PermanentIdentifier ::= SEQUENCE { | |||
| identifierValue UTF8String OPTIONAL | identifierValue UTF8String OPTIONAL, | |||
| -- if absent, use the serialNumber attribute | -- if absent, use a serialNumber attribute, | |||
| if there is a single such attribute present | -- if there is such an attribute present | |||
| in the subject DN | -- in the subject DN | |||
| assigner OBJECT IDENTIFIER OPTIONAL, | assigner OBJECT IDENTIFIER OPTIONAL | |||
| -- if absent, the assigner is | -- if absent, the assigner is | |||
| the certificate issuer | -- the certificate issuer | |||
| } | } | |||
| The identifierValue field is optional. | The identifierValue field is optional. | |||
| When the identifierValue field is present, then the identifierValue | When the identifierValue field is present, then the identifierValue | |||
| supports one syntax: UTF8String. | supports one syntax: UTF8String. | |||
| When the identifierValue field is absent, then the serialNumber | When the identifierValue field is absent, then the value of the | |||
| attribute from the subject DN is the value to be taken for the | serialNumber attribute from the deepest RDN of the subject DN is | |||
| identifierValue. In such a case, there MUST NOT more than one | the value to be taken for the identifierValue. In such a case, | |||
| serialNumber attribute in the subject DN, otherwise the | there MUST be at least one serialNumber attribute in the subject DN, | |||
| PermanentIdentifier SHALL NOT be used. | otherwise the PermanentIdentifier SHALL NOT be used. | |||
| The assigner field is optional. | The assigner field is optional. | |||
| When the assigner field is present, then it is an OID which | When the assigner field is present, then it is an OID which | |||
| identifies both the Assigner Authority and the type of that field. | identifies a naming space, i.e. both an Assigner Authority and the | |||
| In such a case, the identifierValue field MUST be present. | type of that field. Characteristically, the prefix of the OID | |||
| Characteristically, the prefix of the OID identifies the Assigner | identifies the Assigner Authority, and a suffix is used to identify | |||
| Authority, and a suffix is used to identify the type of permanent | the type of permanent identifier. | |||
| identifier. | ||||
| When the assigner field is absent, then the permanent identifier is | When the assigner field is absent, then the permanent identifier is | |||
| locally unique to the CA. | locally unique to the CA. | |||
| Only the following three combinations are allowed : | The various combinations are detailed below: | |||
| 1- Both the assigner and the identifierValue fields are present: | 1- Both the assigner and the identifierValue fields are present: | |||
| The assigner field identifies the Assigner Authority and the type | The identifierValue is the value for that type of identifier. The | |||
| of permanent identifier being identified. The identifierValue is | assigner field identifies the Assigner Authority and the type | |||
| the value for that type of identifier. The permanent identifier is | of permanent identifier being identified. | |||
| globally unique among all CAs. In such a case, two permanent | ||||
| identifiers of this type match if and only if the contents of the | The permanent identifier is globally unique among all CAs. In such | |||
| identifierValue field in the two permanent identifiers consist of | a case, two permanent identifiers of this type match if and only if | |||
| the same Unicode code points presented in the same order and the | their assigner fields match and the contents of the identifierValue | |||
| assigner field match. | field in the two permanent identifiers consist of the same Unicode | |||
| code points presented in the same order. | ||||
| 2 - The assigner field is absent and the identifierValue field is | 2 - The assigner field is absent and the identifierValue field is | |||
| present: | present: | |||
| The Assigner Authority is the CA that has issued the certificate. | The Assigner Authority is the CA that has issued the certificate. | |||
| The identifierValue is given by the CA and the permanent identifier | The identifierValue is given by the CA and the permanent identifier | |||
| is only local to the CA that has issued the certificate. In such | is only local to the CA that has issued the certificate. | |||
| a case, two permanent identifiers of this type match if and only if | ||||
| the issuer DN's in the certificates which contain them match using | Permanent Identifier September 2004 | |||
| the distinguishedNameMatch rule, as defined in X.501 and the two | ||||
| values of the identifierValue field consist of the same Unicode | In such a case, two permanent identifiers of this type match if and | |||
| code points presented in the same order. | only if the issuer DN's in the certificates which contain them | |||
| match using the distinguishedNameMatch rule, as defined in X.501 , | ||||
| and the two values of the identifierValue field consist of the same | ||||
| Unicode code points presented in the same order. | ||||
| 3 - Both the assigner and the identifierValue fields are absent: | 3 - Both the assigner and the identifierValue fields are absent: | |||
| The value of the single serialNumber attribute included in the | If there are one or more RDNs containing a serialNumber attribute | |||
| subject DN SHALL be considered as the identifier value assigned | (alone or accompanied by other attributes), then the value | |||
| within the naming space of the certificate issuer. The permanent | contained in the serialNumber of the deepest such RDN SHALL be | |||
| identifier is only local to the CA that has issued the certificate. | used as the identifierValue; otherwise, the Permanent Identifier | |||
| In such a case, two permanent identifiers of this type match if | definition is invalid and the Permanent Identifier SHALL NOT be | |||
| and only if the issuer DN's in the certificates which contain them | used. | |||
| match and the serialNumber attributes within the subject DN's of | ||||
| those same certificates also match using the caseIgnoreMatch rule. | ||||
| The following combination is NOT allowed: | The permanent identifier is only local to the CA that has issued | |||
| The assigner field is present and the identifierValue field is | the certificate. In such a case, two permanent identifiers of this | |||
| absent. | type match if and only if the issuer DN's in the certificates which | |||
| contain them match and the serialNumber attributes within the | ||||
| subject DN's of those same certificates also match using the | ||||
| caseIgnoreMatch rule. | ||||
| 4 - The assigner field is present and the identifierValue field is | ||||
| absent: | ||||
| If there are one or more RDNs containing a serialNumber attribute | ||||
| (alone or accompanied by other attributes), then the value | ||||
| contained in the serialNumber of the deepest such RDN SHALL be | ||||
| used as the identifierValue; otherwise, the Permanent Identifier | ||||
| definition is invalid and the Permanent Identifier SHALL not be | ||||
| used. | ||||
| The assigner field identifies the Assigner Authority and the type | ||||
| of permanent identifier being identified. | ||||
| The permanent identifier is globally unique among all CAs. In such | ||||
| a case, two permanent identifiers of this type match if and only if | ||||
| their assigner fields match and the contents the serialNumber | ||||
| attributes within the subject DN's of those same certificates match | ||||
| using the caseIgnoreMatch rule. | ||||
| Note: the full arc of the object identifier used to identify the | Note: the full arc of the object identifier used to identify the | |||
| permanent identifier name form is derived using: | permanent identifier name form is derived using: | |||
| id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) } | dod(6) internet(1) security(5) mechanisms(5) pkix(7) } | |||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms | |||
| 3. Security considerations | 3. IANA Considerations | |||
| No IANA actions are necessary. However, a Private Enterprise Number may be used | ||||
| to construct an OID for the assigner field (see Annex B1). | ||||
| Permanent Identifier September 2004 | ||||
| 4. Security considerations | ||||
| A given entity may have at an instant of time or at different | A given entity may have at an instant of time or at different | |||
| instants of time multiple forms of identities. If the permanent | instants of time multiple forms of identities. If the permanent | |||
| identifier is locally unique to the CA (i.e. identifierType is not | identifier is locally unique to the CA (i.e. the assigner field is | |||
| present), then two certificates from the same CA can be compared. | not present), then two certificates from the same CA can be | |||
| compared. | ||||
| When they contain two identical permanent identifiers, then a | When they contain two identical permanent identifiers, then a | |||
| relying party may determine that they refer to the same entity. | relying party may determine that they refer to the same entity. | |||
| If the permanent identifier is globally unique among all CAs (i.e. | If the permanent identifier is globally unique among all CAs (i.e. | |||
| identifierType is present), then two certificates from different | the assigner field is present), then two certificates from different | |||
| CAs can be compared. When they contain two identical permanent | CAs can be compared. When they contain two identical permanent | |||
| identifiers, then a relying party may determine that they refer to | identifiers, then a relying party may determine that they refer to | |||
| the same entity. It is the responsibility of the CA to verify that | the same entity. It is the responsibility of the CA to verify that | |||
| the permanent identifier being included in the certificate refers | the permanent identifier being included in the certificate refers | |||
| to the subject being certified. | to the subject being certified. | |||
| The permanent identifier identifies the entity, irrespective of any | The permanent identifier identifies the entity, irrespective of any | |||
| attribute extension. When a public key certificate contains | attribute extension. When a public key certificate contains | |||
| attribute extensions, the permanent identifier, if present, should | attribute extensions, the permanent identifier, if present, should | |||
| not be used for access control purposes but only for audit purposes. | not be used for access control purposes but only for audit purposes. | |||
| The reason is that since these attributes may change, access could | The reason is that since these attributes may change, access could | |||
| be granted on attributes that were originally present in a | be granted on attributes that were originally present in a | |||
| certificate issued to that entity but are no longer present in the | certificate issued to that entity but are no longer present in the | |||
| current certificate. | current certificate. | |||
| Subject names in certificates are chosen by the issuing CA and are | Subject names in certificates are chosen by the issuing CA and are | |||
| mandated to be unique for each CA; so there can be no name collision | mandated to be unique for each CA; so there can be no name collision | |||
| between subject names from the same CA. These names may be an | between subject names from the same CA. These names may be an | |||
| end-entity name, when the certificate is a leaf certificate or a | end-entity name when the certificate is a leaf certificate, or a | |||
| CA name, when it is a CA certificate. | CA name, when it is a CA certificate. | |||
| Since a name is only unique towards its superior CA, unless some | Since a name is only unique towards its superior CA, unless some | |||
| naming constraints are being used, a name would only be guaranteed | naming constraints are being used, a name would only be guaranteed | |||
| to be globally unique when considered to include a sequence of all | to be globally unique when considered to include a sequence of all | |||
| the names of the superior CAs. Thus, two certificates that are | the names of the superior CAs. Thus, two certificates that are | |||
| issued under the same issuer DN and which contain the same | issued under the same issuer DN and which contain the same | |||
| permanent identifier extension without a identifierType do not | permanent identifier extension without an assigner field do not | |||
| necessarily refer to the same entity. | necessarily refer to the same entity. | |||
| Additional checks need to be done, e.g. to check if the public key | Additional checks need to be done, e.g. to check if the public key | |||
| values of the two CAs which have issued the certificates to be | values of the two CAs which have issued the certificates to be | |||
| compared are identical or if the sequence of CA names in the | compared are identical or if the sequence of CA names in the | |||
| certification path from the trust anchor to the CA are identical. | certification path from the trust anchor to the CA are identical. | |||
| When the above checks fail, the permanents identifiers may still | When the above checks fail, the permanents identifiers may still | |||
| match if there has been a CA key rollover. In such a case the | match if there has been a CA key rollover. In such a case the | |||
| checking is more complicated. | checking is more complicated. | |||
| Permanent Identifier September 2004 | ||||
| The certification of different CAs with the same DN by different | The certification of different CAs with the same DN by different | |||
| CAs has other negative consequences in various parts of the PKI, | CAs has other negative consequences in various parts of the PKI, | |||
| notably rendering the IssuerAndSerialNumber structure in RFC 2630 | notably rendering the IssuerAndSerialNumber structure in [RFC 3852] | |||
| section 5.3 ambiguous. | section 10.2.4 ambiguous. | |||
| The permanent identifier allows organizations to create links | The permanent identifier allows organizations to create links | |||
| between different certificates associated with an entity issued | between different certificates associated with an entity issued | |||
| with or without overlapping validity periods. This ability to link | with or without overlapping validity periods. This ability to link | |||
| different certificates may conflict with privacy. It is therefore | different certificates may conflict with privacy. It is therefore | |||
| important that a CA clearly disclose any plans to issue certificates | important that a CA clearly disclose any plans to issue certificates | |||
| which include a permanent identifier to potential subjects of those | which include a permanent identifier to potential subjects of those | |||
| certificates. | certificates. | |||
| 4. References | 5. References | |||
| 4.1. Normative | 5.1. Normative | |||
| [RFC 2026] S. Bradner, "The Internet Standards Process - Revision 3" | [RFC 3667] S. Bradner. BCP 78. IETF Rights in Contributions, | |||
| November 1996. | February 2004. | |||
| [RFC 3668]. S. Bradner. BCP 79. Intellectual Property Rights in | ||||
| IETF Technology, February 2004. | ||||
| [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate | [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate | |||
| Requirement Levels", March 1997. | Requirement Levels", March 1997. | |||
| [RFC 3280] R. Housley, W. Ford, W. Polk, and D. Solo, "Internet X.509 | [RFC 3280] R. Housley, W. Ford, W. Polk, and D. Solo, "Internet X.509 | |||
| Public Key Infrastructure: Certificate and CRL Profile", April 2002. | Public Key Infrastructure: Certificate and CRL Profile", April 2002. | |||
| [Unicode] The Unicode Consortium, "The Unicode Standard, Version | [Unicode] The Unicode Consortium, "The Unicode Standard, Version | |||
| 3.2.0" is defined by "The Unicode Standard, Version 3.0" | 3.2.0" is defined by "The Unicode Standard, Version 3.0" | |||
| (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended | (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended | |||
| by the "Unicode Standard Annex #27: Unicode 3.1" | by the "Unicode Standard Annex #27: Unicode 3.1" | |||
| (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard | (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard | |||
| Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). | Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). | |||
| [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - | [ISO10646] Universal Multiple-Octet Coded Character Set (UCS) - | |||
| Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. | Architecture and Basic Multilingual Plane, ISO/IEC 10646-1: 1993. | |||
| [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of | [UTF-8] RFC 2279. F. Yergeau. UTF-8, a transformation format of | |||
| ISO 10646, January 1998. | ISO 10646, January 1998. | |||
| 4.2. Informative | [X.501] ITU-T Rec X.501 | ISO 9594-2: 2001 Information technology. | |||
| Open Systems Interconnection. The Directory: Models | ||||
| [X.501] ITU-T Recommendation X.501 (1997 E): Information Technology | 5.2. Informative | |||
| - Open Systems Interconnection - The Directory: Models, June 1997. | ||||
| [RFC 3852] R.Housley. Cryptographic Message Syntax (CMS), July 2004. | ||||
| [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology | [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology | |||
| - Open Systems Interconnection - The Directory: Authentication | - Open Systems Interconnection - The Directory: Authentication | |||
| Framework, June 1997. | Framework, June 1997. | |||
| Permanent Identifier September 2004 | ||||
| [X.520] ITU-T Recommendation X.520: Information Technology - Open | [X.520] ITU-T Recommendation X.520: Information Technology - Open | |||
| Systems Interconnection - The Directory: Selected Attribute Types, | Systems Interconnection - The Directory: Selected Attribute Types, | |||
| June 1997. | June 1997. | |||
| [X.660] ITU-T Recommendation X.660: Information Technology - | [X.660] ITU-T Recommendation X.660: Information Technology - | |||
| Open Systems Interconnection - Procedures for the Operation of | Open Systems Interconnection - Procedures for the Operation of | |||
| OSI Registration Authorities: General Procedures, 1992. | OSI Registration Authorities: General Procedures, 1992. | |||
| [X.680] ITU-T Recommendation X.680: Information Technology - | [X.680] ITU-T Recommendation X.680: Information Technology - | |||
| Abstract Syntax Notation One, 1997. | Abstract Syntax Notation One, 1997. | |||
| 5. Author's Addresses | 6. Author's Addresses | |||
| Denis Pinkas | Denis Pinkas | |||
| Bull | Bull | |||
| Rue Jean-Jaurˆs. BP 68 | Rue Jean-Jaurˆs. BP 68 | |||
| 78340 Les Clayes-sous-Bois | 78340 Les Clayes-sous-Bois | |||
| FRANCE | FRANCE | |||
| Email: Denis.Pinkas@bull.net | Email: Denis.Pinkas@bull.net | |||
| Thomas Gindin | Thomas Gindin | |||
| IBM Corporation | IBM Corporation | |||
| 6710 Rockledge Drive | 6710 Rockledge Drive | |||
| Bethesda, MD 20817 | Bethesda, MD 20817 | |||
| USA | USA | |||
| Email: tgindin@us.ibm.com | Email: tgindin@us.ibm.com | |||
| 6. Intellectual Property Rights | 7. Intellectual Property Rights | |||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| intellectual property or other rights that might be claimed to | intellectual property or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; neither does it represent that it | might or might not be available; neither does it represent that it | |||
| has made any effort to identify any such rights. Information on the | has made any effort to identify any such rights. Information on the | |||
| IETF's procedures with respect to rights in standards-track and | IETF's procedures with respect to rights in standards-track and | |||
| standards related documentation can be found in BCP-11. Copies of | standards related documentation can be found in BCP-11. Copies of | |||
| claims of rights made available for publication and any assurances of | claims of rights made available for publication and any assurances of | |||
| licenses to be made available, or the result of an attempt made to | licenses to be made available, or the result of an attempt made to | |||
| obtain a general license or permission for the use of such | obtain a general license or permission for the use of such | |||
| proprietary rights by implementors or users of this specification | proprietary rights by implementors or users of this specification | |||
| can be obtained from the IETF Secretariat. | can be obtained from the IETF Secretariat. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights which may cover technology that may be required to practice | rights which may cover technology that may be required to practice | |||
| this standard. Please address the information to the IETF Executive | this standard. Please address the information to the IETF Executive | |||
| Director. | Director. | |||
| APPENDIX A | Permanent Identifier September 2004 | |||
| ASN.1 definitions | APPENDIX A. ASN.1 syntax | |||
| As in RFC 3280, ASN.1 modules are supplied in two different variants | As in RFC 2459, ASN.1 modules are supplied in two different variants | |||
| of the ASN.1 syntax. | of the ASN.1 syntax. | |||
| This section describes data objects used by conforming PKI components | This section describes data objects used by conforming PKI components | |||
| in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and | in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and | |||
| 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with 1993 | 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with 1993 | |||
| the UNIVERSAL Type UTF8String. | the UNIVERSAL Type UTF8String. | |||
| The ASN.1 syntax does not permit the inclusion of type statements in | The ASN.1 syntax does not permit the inclusion of type statements in | |||
| the ASN.1 module, and the 1993 ASN.1 standard does not permit use of | the ASN.1 module, and the 1993 ASN.1 standard does not permit use of | |||
| the new UNIVERSAL types in modules using the 1988 syntax. As a | the new UNIVERSAL types in modules using the 1988 syntax. As a | |||
| result, this module does not conform to either version of the ASN.1 | result, this module does not conform to either version of the ASN.1 | |||
| standard. | standard. | |||
| Appendix A.1 may be parsed by an 1988 ASN.1-parser by replacing the | Appendix A.1 may be parsed by an 1988 ASN.1-parser by replacing the | |||
| definitions for the UNIVERSAL Types with the 1988 catch-all "ANY". | definitions for the UNIVERSAL Types with the 1988 catch-all "ANY". | |||
| Appendix A.2 may be parsed by an 1993 ASN.1-parser by removing the | Appendix A.2 may be parsed by an 1993 ASN.1-parser by removing the | |||
| UTF8String choice from the definition of IdentifierValue in the | UTF8String choice from the definition of IdentifierValue in the | |||
| module. Appendix A.2 may be parsed "as is" by an 1997 ASN.1 parser. | module. Appendix A.2 may be parsed "as is" by an 1997-compliant | |||
| ASN.1 parser. | ||||
| In case of discrepancies between these modules, the 1988 module is | In case of discrepancies between these modules, the 1988 module is | |||
| the normative one. | the normative one. | |||
| Permanent Identifier July 2004 | Permanent Identifier September 2004 | |||
| APPENDIX A.1. 1988 ASN.1 Module | APPENDIX A.1. 1988 ASN.1 Module | |||
| PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6) | PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-perm-id-88(28) } | id-mod-perm-id-88(28) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| skipping to change at page 9, line 31 ¶ | skipping to change at page 10, line 31 ¶ | |||
| -- UTF8String, / move hyphens before slash if UTF8String does not | -- UTF8String, / move hyphens before slash if UTF8String does not | |||
| -- resolve with your compiler | -- resolve with your compiler | |||
| -- The content of this type conforms to RFC 2279. | -- The content of this type conforms to RFC 2279. | |||
| id-pkix | id-pkix | |||
| FROM PKIX1Explicit88 { iso(1) identified-organization(3) | FROM PKIX1Explicit88 { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-pkix1-explicit(18) } ; | id-mod(0) id-pkix1-explicit(18) } ; | |||
| -- from [RFC 3280] | -- from [RFC 3280] | |||
| -- Object Identifiers | -- Permanent identifier Object Identifier and Syntax | |||
| -- Arc for other name forms | ||||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | |||
| -- permanent identifier | ||||
| id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | |||
| id-mod-perm-id-88 OBJECT IDENTIFIER ::= { id-mod 28 } | ||||
| PermanentIdentifier ::= SEQUENCE { | PermanentIdentifier ::= SEQUENCE { | |||
| identifierValue UTF8String OPTIONAL, | identifierValue UTF8String OPTIONAL, | |||
| -- if absent, use the serialNumber attribute | -- if absent, use the serialNumber attribute | |||
| if there is a single such attribute present | -- if there is a single such attribute present | |||
| in the subject DN | -- in the subject DN | |||
| assigner OBJECT IDENTIFIER OPTIONAL | assigner OBJECT IDENTIFIER OPTIONAL | |||
| -- if absent, the assigner is | -- if absent, the assigner is | |||
| the certificate issuer | -- the certificate issuer | |||
| } | } | |||
| END | END | |||
| Permanent Identifier September 2004 | ||||
| APPENDIX A.2. 1993 ASN.1 Module | APPENDIX A.2. 1993 ASN.1 Module | |||
| PKIXpermanentidentifier93 {iso(1) identified-organization(3) dod(6) | PKIXpermanentidentifier93 {iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-perm-id-93(29) } | id-mod-perm-id-93(29) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| IMPORTS | IMPORTS | |||
| id-pkix | id-pkix | |||
| FROM PKIX1Explicit88 { iso(1) identified-organization(3) | FROM PKIX1Explicit88 { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-pkix1-explicit(18) } ; | id-mod(0) id-pkix1-explicit(18) } | |||
| -- from [RFC 3280] | -- from [RFC 3280] | |||
| -- Object Identifiers | ATTRIBUTE | |||
| FROM InformationFramework {joint-iso-itu-t ds(5) module(1) | ||||
| informationFramework(1) 4}; | ||||
| -- from [X.501] | ||||
| -- Permanent identifier Object Identifiers | ||||
| -- Arc for other name forms | ||||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | |||
| id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 } | |||
| id-mod-perm-id-93 OBJECT IDENTIFIER ::= { id-mod 29 } | ||||
| -- permanent identifier | -- Permanent Identifier | |||
| permanentIdentifier ATTRIBUTE ::= { | permanentIdentifier ATTRIBUTE ::= { | |||
| WITH SYNTAX PermanentIdentifier | WITH SYNTAX PermanentIdentifier | |||
| ID id-on-permanentIdentifier } | ID id-on-permanentIdentifier } | |||
| PermanentIdentifier ::= SEQUENCE { | PermanentIdentifier ::= SEQUENCE { | |||
| identifierValue UTF8String OPTIONAL, | identifierValue UTF8String OPTIONAL, | |||
| -- if absent, use the serialNumber attribute | -- if absent, use the serialNumber attribute | |||
| if there is a single such attribute present | -- if there is a single such attribute present | |||
| in the subject DN | -- in the subject DN | |||
| assigner OBJECT IDENTIFIER OPTIONAL | assigner OBJECT IDENTIFIER OPTIONAL | |||
| -- if absent, the assigner is | -- if absent, the assigner is | |||
| the certificate issuer | -- the certificate issuer | |||
| } | } | |||
| END | END | |||
| Permanent Identifier September 2004 | ||||
| APPENDIX B. OID's for organizations | APPENDIX B. OID's for organizations | |||
| In order to obtain an OID for an identifier type, organizations need | In order to construct an OID for the assigner field, organizations need | |||
| first to have a registered OID for themselves (or must use a permanent | first to have a registered OID for themselves. In some cases, OID's are | |||
| URI). In some cases, OID's are provided for free. In other cases a | provided for free. In other cases a one-time fee is required. The main | |||
| one-time fee is required. The main difference lies in the nature of | difference lies in the nature of the information that is collected at | |||
| the information that is collected at the time of registration and how | the time of registration and how this information is verified for its | |||
| this information is verified for its accuracy. | accuracy. | |||
| B.1. Using IANA (Internet Assigned Numbers Authority) | B.1. Using IANA (Internet Assigned Numbers Authority) | |||
| The application form for a Private Enterprise Number in the IANA's | The application form for a Private Enterprise Number in the IANA's | |||
| OID list is: http://www.iana.org/cgi-bin/enterprise.pl. | OID list is: http://www.iana.org/cgi-bin/enterprise.pl. | |||
| Currently IANA assigns numbers for free. The IANA-registered Private | Currently IANA assigns numbers for free. The IANA-registered Private | |||
| Enterprises prefix is: iso.org.dod.internet.private.enterprise | Enterprises prefix is: iso.org.dod.internet.private.enterprise | |||
| (1.3.6.1.4.1) | (1.3.6.1.4.1) | |||
| These numbers are used, among other things, for defining private | These numbers are used, among other things, for defining private | |||
| SNMP MIBs. | SNMP MIBs. | |||
| The official assignments under this OID are stored in the IANA file | The official assignments under this OID are stored in the IANA file | |||
| "enterprise-numbers" available at: | "enterprise-numbers" available at: | |||
| ftp://ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers | http://www.iana.org/assignments/enterprise-numbers | |||
| B.2. Using an ISO member body | B.2. Using an ISO member body | |||
| ISO has defined the OID structure in a such a way so that every ISO | ISO has defined the OID structure in a such a way so that every ISO | |||
| member-body has its own unique OID. Then every ISO member-body is free | member-body has its own unique OID. Then every ISO member-body is free | |||
| to allocate its own arc space below. | to allocate its own arc space below. | |||
| Organizations and enterprises may contact the ISO member-body where | Organizations and enterprises may contact the ISO member-body where | |||
| their organization or enterprise is established to obtain an | their organization or enterprise is established to obtain an | |||
| organization/enterprise OID. | organization/enterprise OID. | |||
| skipping to change at page 12, line 4 ¶ | skipping to change at page 13, line 4 ¶ | |||
| per-inquiry basis. The use of OID's from an ISO member organization | per-inquiry basis. The use of OID's from an ISO member organization | |||
| which does not publish such a registry may impose extra costs on the | which does not publish such a registry may impose extra costs on the | |||
| CA that needs to make sure that the OID corresponds to the registered | CA that needs to make sure that the OID corresponds to the registered | |||
| organization. | organization. | |||
| As an example, AFNOR (Association Francaise de Normalisation - the | As an example, AFNOR (Association Francaise de Normalisation - the | |||
| French organization that is a member of ISO) has defined an arc to | French organization that is a member of ISO) has defined an arc to | |||
| allocate OID's for companies: | allocate OID's for companies: | |||
| {iso (1) member-body (2) fr (250) type-org (1) organisation (n)} | {iso (1) member-body (2) fr (250) type-org (1) organisation (n)} | |||
| Permanent Identifier September 2004 | ||||
| B.3. Using an ICD (International Code Designator) from British Standards | B.3. Using an ICD (International Code Designator) from British Standards | |||
| Institution to specify a new or an existing identification scheme | Institution to specify a new or an existing identification scheme | |||
| The International Code Designator (ICD) is used to uniquely identify an | The International Code Designator (ICD) is used to uniquely identify an | |||
| ISO 6523 compliant organization identification scheme. ISO 6523 is a | ISO 6523 compliant organization identification scheme. ISO 6523 is a | |||
| standard that defines the proper structure of an identifier and the | standard that defines the proper structure of an identifier and the | |||
| registration procedure for an ICD. | registration procedure for an ICD. The conjunction of the ICD with an | |||
| identifier issued by the registration authority is worldwide unique. | ||||
| The conjunction of the ICD with an identifier issued by the registration | ||||
| authority is worldwide unique. | ||||
| The basic structure of the code contains the following components: | The basic structure of the code contains the following components: | |||
| - the ICD value: The International Code Designator issued to the | - the ICD value: The International Code Designator issued to the | |||
| identification scheme makes the identifier worldwide unique | identification scheme makes the identifier worldwide unique | |||
| (up to 4 digits), | (up to 4 digits), | |||
| - the Organization, usually a company or governmental body | - the Organization, usually a company or governmental body | |||
| (up to 35 characters), | (up to 35 characters), | |||
| - an Organization Part (OPI - Organization Part Identifier). | - an Organization Part (OPI - Organization Part Identifier). | |||
| An identifier allocated to a particular Organization Part | An identifier allocated to a particular Organization Part | |||
| (optional, up to 35 characters) | (optional, up to 35 characters) | |||
| The ICD is also equivalent to an object identifier (OID) under the arc | The ICD is also equivalent to an object identifier (OID) under the arc | |||
| {1(iso). 3(identified organization)}. | {1(iso). 3(identified organization)}. | |||
| On behalf of ISO, British Standards Institution (BSI) is the | On behalf of ISO, British Standards Institution (BSI) is the | |||
| Registration Authority for organizations under the arc {iso (1) org(3)}. | Registration Authority for organizations under the arc {iso (1) org(3)}. | |||
| This means BSI registers code issuing authorities (=organizations) by | This means BSI registers code issuing authorities (organizations) by | |||
| ICD values which are equivalent to OIDs of the form {iso (1) org(3) | ICD values which are equivalent to OIDs of the form {iso (1) org(3) | |||
| icd(xxxx)}. The corresponding IdentifierValue is the code value of the | icd(xxxx)}. The corresponding IdentifierValue is the code value of the | |||
| scheme identified by icd(xxxx). | scheme identified by icd(xxxx). | |||
| Example: | As an example, the ICD 0012 was allocated to European Computer | |||
| Manufacturers Association: ECMA. Thus the OID for ECMA is | ||||
| The ICD 0012 was allocated to European Computer Manufacturers | {iso(1) org(3) ecma(12)}. | |||
| Association : ECMA. Thus the OID is 1(iso). 3(identified organization). | ||||
| 12. | ||||
| For registration with BSI, a "Sponsoring Authority" has to vouch for the | For registration with BSI, a "Sponsoring Authority" has to vouch for the | |||
| Applying organization. Registration is not free. Recognized "Sponsoring | Applying organization. Registration is not free. Recognized "Sponsoring | |||
| Authorities" are: ISO Technical Committees or (Sub)Committees, Member | Authorities" are: ISO Technical Committees or (Sub)Committees, Member | |||
| Bodies of ISO or International Organizations having a liaison status | Bodies of ISO or International Organizations having a liaison status | |||
| with ISO or with any of its Technical (Sub)Committees. | with ISO or with any of its Technical (Sub)Committees. | |||
| An example of a Sponsoring Authority is the EDIRA Association | An example of a Sponsoring Authority is the EDIRA Association | |||
| (EDI/EC Registration Authority, web: http://www.edira.org, | (EDI/EC Registration Authority, web: http://www.edira.org, | |||
| email:info@edira.org). | email:info@edira.org). | |||
| The numerical list of all ICDs that have been issued is posted on its | The numerical list of all ICDs that have been issued is posted on its | |||
| webpage: http://www.edira.org/documents.htm#icd-List | webpage: http://www.edira.org/documents.htm#icd-List | |||
| Note: IANA owns ICD code 0090, but that (presumably) it isn't intending | ||||
| to use it for the present purpose. | ||||
| Permanent Identifier September 2004 | ||||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The Internet Society (2004). All Rights Reserved. | Copyright (C) The Internet Society (2004). All Rights Reserved. | |||
| This document and translations of it may be copied and furnished to | This document and translations of it may be copied and furnished to | |||
| others, and derivative works that comment on or otherwise explain it | others, and derivative works that comment on or otherwise explain it | |||
| or assist in its implementation may be prepared, copied, published | or assist in its implementation may be prepared, copied, published | |||
| and distributed, in whole or in part, without restriction of any | and distributed, in whole or in part, without restriction of any | |||
| kind, provided that the above copyright notice and this paragraph are | kind, provided that the above copyright notice and this paragraph are | |||
| included on all such copies and derivative works. In addition, the | included on all such copies and derivative works. In addition, the | |||
| skipping to change at page 13, line 25 ¶ | skipping to change at page 14, line 28 ¶ | |||
| in part without inclusion of the copyright notice. However, this | in part without inclusion of the copyright notice. However, this | |||
| document itself may not be modified in any way, such as by removing | document itself may not be modified in any way, such as by removing | |||
| the copyright notice or references to the Internet Society or other | the copyright notice or references to the Internet Society or other | |||
| Internet organizations, except as needed for the purpose of | Internet organizations, except as needed for the purpose of | |||
| developing Internet standards in which case the procedures for | developing Internet standards in which case the procedures for | |||
| copyrights defined in the Internet Standards process shall be | copyrights defined in the Internet Standards process shall be | |||
| followed, or as required to translate it into languages other than | followed, or as required to translate it into languages other than | |||
| English. | English. | |||
| The limited permissions granted above are perpetual and will not be | The limited permissions granted above are perpetual and will not be | |||
| revoked by the Internet Society or its successors or assigns. This | revoked by the Internet Society or its successors or assigns. | |||
| document and the information contained herein is provided on an "AS | ||||
| IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK | This document is subject to the rights, licenses and restrictions | |||
| FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT | contained in BCP 78 [RFC 3667], and except as set forth therein, | |||
| LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL | the authors retain all their rights." | |||
| NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY | ||||
| OR FITNESS FOR A PARTICULAR PURPOSE. | This document and the information contained herein are provided | |||
| on an"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | ||||
| REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND | ||||
| THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, | ||||
| EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT | ||||
| THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR | ||||
| ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A | ||||
| PARTICULAR PURPOSE. | ||||
| End of changes. 67 change blocks. | ||||
| 114 lines changed or deleted | 191 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||