< draft-ietf-sidr-res-certs-07.txt   draft-ietf-sidr-res-certs-08.txt >
SIDR G. Huston SIDR G. Huston
Internet-Draft G. Michaelson Internet-Draft G. Michaelson
Intended status: Standards Track R. Loomans Intended status: Standards Track R. Loomans
Expires: December 31, 2007 APNIC Expires: January 29, 2008 APNIC
June 29, 2007 July 28, 2007
A Profile for X.509 PKIX Resource Certificates A Profile for X.509 PKIX Resource Certificates
draft-ietf-sidr-res-certs-07.txt draft-ietf-sidr-res-certs-08.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 31, 2007. This Internet-Draft will expire on January 29, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This document defines a standard profile for X.509 certificates for This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of assertions of "right-to-use" the purposes of supporting validation of assertions of "right-to-use"
of an Internet Number Resource (IP Addresses and Autonomous System of an Internet Number Resource (IP Addresses and Autonomous System
Numbers). This profile is used to convey the issuer's authorization Numbers). This profile is used to convey the issuer's authorization
of the subject to be regarded as the current holder of a "right-of- of the subject to be regarded as the current holder of a "right-of-
use" of the IP addresses and AS numbers that are described in the use" of the IP addresses and AS numbers that are described in the
issued Resource Certificate. issued certificate.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Describing Resources in Certificates . . . . . . . . . . . . . 5 2. Describing Resources in Certificates . . . . . . . . . . . . . 5
3. Resource Certificate Fields . . . . . . . . . . . . . . . . . 6 3. Resource Certificate Fields . . . . . . . . . . . . . . . . . 6
3.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. Serial number . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Serial number . . . . . . . . . . . . . . . . . . . . . . 6
3.3. Signature Algorithm . . . . . . . . . . . . . . . . . . . 6 3.3. Signature Algorithm . . . . . . . . . . . . . . . . . . . 6
skipping to change at page 2, line 28 skipping to change at page 2, line 28
3.8. Subject Public Key Info . . . . . . . . . . . . . . . . . 8 3.8. Subject Public Key Info . . . . . . . . . . . . . . . . . 8
3.9. Resource Certificate Version 3 Extension Fields . . . . . 8 3.9. Resource Certificate Version 3 Extension Fields . . . . . 8
3.9.1. Basic Constraints . . . . . . . . . . . . . . . . . . 9 3.9.1. Basic Constraints . . . . . . . . . . . . . . . . . . 9
3.9.2. Subject Key Identifier . . . . . . . . . . . . . . . . 9 3.9.2. Subject Key Identifier . . . . . . . . . . . . . . . . 9
3.9.3. Authority Key Identifier . . . . . . . . . . . . . . . 9 3.9.3. Authority Key Identifier . . . . . . . . . . . . . . . 9
3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10 3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10
3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10 3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10
3.9.6. Authority Information Access . . . . . . . . . . . . . 11 3.9.6. Authority Information Access . . . . . . . . . . . . . 11
3.9.7. Subject Information Access . . . . . . . . . . . . . . 11 3.9.7. Subject Information Access . . . . . . . . . . . . . . 11
3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12 3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12
3.9.9. Subject Alternate Name . . . . . . . . . . . . . . . . 12 3.9.9. IP Resources . . . . . . . . . . . . . . . . . . . . . 12
3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12 3.9.10. AS Resources . . . . . . . . . . . . . . . . . . . . . 13
3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 13
4. Resource Certificate Revocation List Profile . . . . . . . . . 13 4. Resource Certificate Revocation List Profile . . . . . . . . . 13
4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 14 4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 14
4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 14 4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 14
4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14 4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14
4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14 4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14
4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14 4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14
4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14 4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14
4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14 4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14
4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 15 4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 15
skipping to change at page 3, line 10 skipping to change at page 3, line 9
5.2.2. Resource Certificate Request Control Fields . . . . . 18 5.2.2. Resource Certificate Request Control Fields . . . . . 18
5.3. Certificate Extension Attributes in Certificate 5.3. Certificate Extension Attributes in Certificate
Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18 Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18
6. Resource Certificate Validation . . . . . . . . . . . . . . . 20 6. Resource Certificate Validation . . . . . . . . . . . . . . . 20
6.1. Trust Anchors for Resource Certificates . . . . . . . . . 20 6.1. Trust Anchors for Resource Certificates . . . . . . . . . 20
6.2. Resource Extension Validation . . . . . . . . . . . . . . 21 6.2. Resource Extension Validation . . . . . . . . . . . . . . 21
6.3. Resource Certificate Path Validation . . . . . . . . . . . 22 6.3. Resource Certificate Path Validation . . . . . . . . . . . 22
7. Security Considerations . . . . . . . . . . . . . . . . . . . 23 7. Security Considerations . . . . . . . . . . . . . . . . . . . 23
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
10. Normative References . . . . . . . . . . . . . . . . . . . . . 24 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
10.1. Normative References . . . . . . . . . . . . . . . . . . . 24
10.2. Informative References . . . . . . . . . . . . . . . . . . 25
Appendix A. Example Resource Certificate . . . . . . . . . . . . 25 Appendix A. Example Resource Certificate . . . . . . . . . . . . 25
Appendix B. Example Certificate Revocation List . . . . . . . . . 27 Appendix B. Example Certificate Revocation List . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
Intellectual Property and Copyright Statements . . . . . . . . . . 30 Intellectual Property and Copyright Statements . . . . . . . . . . 30
1. Introduction 1. Introduction
This document defines a standard profile for X.509 certificates for This document defines a standard profile for X.509 certificates for
use in the context of certification of IP Addresses and AS Numbers. use in the context of certification of IP Addresses and AS Numbers.
These Resource Certificates are X.509 certificates that conform to Such certificates are termed here "Resource Certificates." Resource
the PKIX profile [RFC3280], and also conform to the constraints Certificates are X.509 certificates that conform to the PKIX profile
specified in this profile. Resource Certificates attest that the [RFC3280], and also conform to the constraints specified in this
issuer has granted the subject a "right-to-use" for a listed set of profile. Resource Certificates attest that the issuer has granted
IP addresses and Autonomous System numbers. the subject a "right-to-use" for a listed set of IP addresses and
Autonomous System numbers.
A Resource Certificate describes an action by a certificate issuer A Resource Certificate describes an action by a certificate issuer
that binds a list of IP Address blocks and AS Numbers to the subject that binds a list of IP Address blocks and AS Numbers to the subject
of the certificate. The binding is identified by the association of of the issued certificate. The binding is identified by the
the subject's private key with the subject's public key contained in association of the subject's private key with the subject's public
the Resource Certificate, signed by the private key of the key contained in the Resource Certificate, as signed by the private
certificate's issuer. key of the certificate's issuer.
In the context of the public Internet, and the use of public number In the context of the public Internet, and the use of public number
resources within this context, it is intended that Resource resources within this context, it is intended that Resource
Certificates are used in a manner that is explicitly aligned to the Certificates are used in a manner that is explicitly aligned to the
public number resource distribution function. Specifically, when a public number resource distribution function. Specifically, when a
number resource is allocated or assigned by a number registry to an number resource is allocated or assigned by a number registry to an
entity, this allocation is described by an associated Resource entity, this allocation is described by an associated Resource
Certificate. This certificate is issued by the number registry, and Certificate. This certificate is issued by the number registry, and
the subject's public key that is being certified by the issuer the subject's public key that is being certified by the issuer
corresponds to the public key part of a public / private key pair corresponds to the public key part of a public / private key pair
skipping to change at page 5, line 24 skipping to change at page 5, line 25
It is assumed that the reader is familiar with the terms and concepts It is assumed that the reader is familiar with the terms and concepts
described in "Internet X.509 Public Key Infrastructure Certificate described in "Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile" [RFC3280], "X.509 and Certificate Revocation List (CRL) Profile" [RFC3280], "X.509
Extensions for IP Addresses and AS Identifiers" [RFC3779], "Internet Extensions for IP Addresses and AS Identifiers" [RFC3779], "Internet
Protocol" [RFC0791], "Internet Protocol Version 6 (IPv6) Addressing Protocol" [RFC0791], "Internet Protocol Version 6 (IPv6) Addressing
Architecture" [RFC4291], "Internet Registry IP Allocation Guidelines" Architecture" [RFC4291], "Internet Registry IP Allocation Guidelines"
[RFC2050], and related regional Internet registry address management [RFC2050], and related regional Internet registry address management
policy documents. policy documents.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119. document are to be interpreted as described in RFC 2119.
2. Describing Resources in Certificates 2. Describing Resources in Certificates
The framework for describing an association between the subject of a The framework for describing an association between the subject of a
certificate and the resources currently under the subject's current certificate and the resources currently under the subject's control
control is described in [RFC3779]. is described in [RFC3779].
There are three aspects of this resource extension that are noted in There are three aspects of this resource extension that are noted in
this profile: this profile:
1. RFC 3779 notes that a resource extension SHOULD be a CRITICAL 1. RFC 3779 notes that a resource extension SHOULD be a CRITICAL
extension to the X.509 Certificate. This Resource Certificate extension to the X.509 Certificate. This Resource Certificate
profile further specifies that the use of this certificate profile further specifies that the use of this certificate
extension MUST be used in all Resource Certificates and MUST be extension MUST be used in all Resource Certificates and MUST be
marked as CRITICAL. marked as CRITICAL.
skipping to change at page 10, line 39 skipping to change at page 10, line 39
mechanism is a single RSYNC URI ("rsync://") [rsync] that references mechanism is a single RSYNC URI ("rsync://") [rsync] that references
a single inclusive CRL for each issuer. a single inclusive CRL for each issuer.
In this profile the certificate issuer is also the CRL issuer, In this profile the certificate issuer is also the CRL issuer,
implying at the CRLIssuer sub field MUST be omitted, and the implying at the CRLIssuer sub field MUST be omitted, and the
distributionPoint sub-field MUST be present. The Reasons sub-field distributionPoint sub-field MUST be present. The Reasons sub-field
MUST be omitted. MUST be omitted.
The distributionPoint MUST contain general names, and MUST NOT The distributionPoint MUST contain general names, and MUST NOT
contain a nameRelativeToCRLIssuer. The type of the general name MUST contain a nameRelativeToCRLIssuer. The type of the general name MUST
be of type URI. In this profile, the scope of the CRL is specified be of type URI.
to be all certificates issued by this CA issuer using a given key
pair. The sequence of distributionPoint values MUST contain only a In this profile, the scope of the CRL is specified to be all
single DistributionPointName set. The DistributionPointName set MAY certificates issued by this CA issuer using a given key pair.
contain more than one URI value. An RSYNC URI MUST be present in the
The sequence of distributionPoint values MUST contain only a single
DistributionPointName set. The DistributionPointName set MAY contain
more than one URI value. An RSYNC URI MUST be present in the
DistributionPointName set, and reference the most recent instance of DistributionPointName set, and reference the most recent instance of
this issuer's certificate revocation list. Other access form URIs this issuer's certificate revocation list. Other access form URIs
MAY be used in addition to the RSYNC URI. MAY be used in addition to the RSYNC URI.
This extension MUST be present and it is non-critical. There is one This extension MUST be present and it is non-critical. There is one
exception; where a CA distributes its public key in the form of a exception; where a CA distributes its public key in the form of a
"self-signed" certificate, the CRLDP MUST be omitted. "self-signed" certificate, the CRLDP MUST be omitted.
3.9.6. Authority Information Access 3.9.6. Authority Information Access
skipping to change at page 11, line 30 skipping to change at page 11, line 32
Other access method URIs referencing the same object MAY also be Other access method URIs referencing the same object MAY also be
included in the value sequence of this extension. included in the value sequence of this extension.
When an Issuer re-issues a CA certificate, the subordinate When an Issuer re-issues a CA certificate, the subordinate
certificates need to reference this new certificate via the AIA certificates need to reference this new certificate via the AIA
field. In order to avoid the situation where a certificate re- field. In order to avoid the situation where a certificate re-
issuance necessarily implies a requirement to re-issue all issuance necessarily implies a requirement to re-issue all
subordinate certificates, CA Certificate issuers SHOULD use a subordinate certificates, CA Certificate issuers SHOULD use a
persistent URL name scheme for issued certificates. This implies persistent URL name scheme for issued certificates. This implies
that re-issued certificates overwrite previously issued certificates that re-issued certificates overwrite previously issued certificates
to the same subject, and use the same publication name as previously to the same subject in the publication repository, and use the same
issued certificates. In this way subordinate certificates can publication name as previously issued certificates. In this way
maintain a constant AIA field value and need not be re-issued due subordinate certificates can maintain a constant AIA field value and
solely to a re-issue of the superior certificate. The issuers' need not be re-issued due solely to a re-issue of the superior
policy with respect to the persistence of name objects of issued certificate. The issuers' policy with respect to the persistence of
certificates MUST be specified in the Issuer's Certificate Practice name objects of issued certificates MUST be specified in the Issuer's
Statement. Certificate Practice Statement.
This extension is non-critical. This extension is non-critical.
3.9.7. Subject Information Access 3.9.7. Subject Information Access
This field (SIA) identifies the location of information and services This field (SIA) identifies the location of information and services
relating to the subject of the certificate in which the SIA extension relating to the subject of the certificate in which the SIA extension
appears. Where the Subject is a CA in this profile, this information appears. Where the Subject is a CA in this profile, this information
and service collection will include all current valid certificates and service collection will include all current valid certificates
that have been issued by this subject that are signed with the that have been issued by this subject that are signed with the
skipping to change at page 12, line 39 skipping to change at page 12, line 42
This extension MUST reference the Resource Certificate Policy, using This extension MUST reference the Resource Certificate Policy, using
the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field
MUST be present and MUST contain only this value for Resource MUST be present and MUST contain only this value for Resource
Certificates. Certificates.
PolicyQualifiers MUST NOT be used in this profile. PolicyQualifiers MUST NOT be used in this profile.
This extension MUST be present and it is critical. This extension MUST be present and it is critical.
3.9.9. Subject Alternate Name 3.9.9. IP Resources
This is an optional extension, and MAY contain an X.501 Name as
supplied by the subject in the Certificate Request, or as assigned by
the issuer.
3.9.10. IP Resources
This field contains the list of IP address resources as per This field contains the list of IP address resources as per
[RFC3779]. The value may specify the "inherit" element for a [RFC3779]. The value may specify the "inherit" element for a
particular AFI value. In the context of resource certificates particular AFI value. In the context of resource certificates
describing public number resources for use in the public Internet, describing public number resources for use in the public Internet,
the SAFI value MUST NOT be used. All Resource Certificates MUST the SAFI value MUST NOT be used. All Resource Certificates MUST
include an IP Resources extension, an AS Resources extension, or both include an IP Resources extension, an AS Resources extension, or both
extensions. extensions.
This extension, if present, MUST be marked critical. This extension, if present, MUST be marked critical.
3.9.11. AS Resources 3.9.10. AS Resources
This field contains the list of AS number resources as per [RFC3779], This field contains the list of AS number resources as per [RFC3779],
or may specify the "inherit" element. RDI values are NOT supported or may specify the "inherit" element. RDI values are NOT supported
in this profile and MUST NOT be used. All Resource Certificates MUST in this profile and MUST NOT be used. All Resource Certificates MUST
include an IP Resources extension, an AS Resources extension, or both include an IP Resources extension, an AS Resources extension, or both
extensions. extensions.
This extension, if present, MUST be marked critical. This extension, if present, MUST be marked critical.
4. Resource Certificate Revocation List Profile 4. Resource Certificate Revocation List Profile
Each CA MUST issue a version 2 Certificate Revocation List (CRL), Each CA MUST issue a version 2 Certificate Revocation List (CRL),
consistent with [RFC3280]. The CRL issuer is the CA, and no indirect consistent with [RFC3280]. The CRL issuer is the CA, and no indirect
CRLs are supported in this profile. The scope of the CRL MUST be CRLs are supported in this profile.
"all certificates issued by this CA using a given key pair". The
contents of the CRL are a list of all non-expired certificates issued
by the CA using a given key pair that have been revoked by the CA.
An entry MUST NOT be removed from the CRL until it appears on one An entry MUST NOT be removed from the CRL until it appears on one
regularly scheduled CRL issued beyond the revoked certificate's regularly scheduled CRL issued beyond the revoked certificate's
validity period. validity period.
This profile does not allow issuance of Delta CRLs. This profile does not allow issuance of Delta CRLs.
The scope of the CRL MUST be "all certificates issued by this CA
using a given key pair". The contents of the CRL are a list of all
non-expired certificates issued by the CA using a given key pair that
have been revoked by the CA.
The profile allows the issuance of multiple current CRLs with The profile allows the issuance of multiple current CRLs with
different scope by a single CA, with the scope being defined by the different scope by a single CA, with the scope being defined by the
key pair used by the CA. key pair used by the CA.
No CRL fields other than those listed here are permitted in CRLs No CRL fields other than those listed here are permitted in CRLs
issued under this profile. Unless otherwise indicated, these fields issued under this profile. Unless otherwise indicated, these fields
MUST be present in the CRL. Where two or more CRLs issued by a MUST be present in the CRL. Where two or more CRLs issued by a
single CA with the same scope, the CRL with the highest value of the single CA with the same scope, the CRL with the highest value of the
"CRL Number" field supersedes all other CRLs issued by this CA. "CRL Number" field supersedes all other CRLs issued by this CA.
skipping to change at page 15, line 36 skipping to change at page 15, line 36
number of positive integers for a given CA and scope. This extension number of positive integers for a given CA and scope. This extension
allows users to easily determine when a particular CRL supersedes allows users to easily determine when a particular CRL supersedes
another CRL. The highest CRL Number value supersedes all other CRLs another CRL. The highest CRL Number value supersedes all other CRLs
issued by the CA with the same scope. issued by the CA with the same scope.
This extension is non-critical. This extension is non-critical.
5. Resource Certificate Request Profile 5. Resource Certificate Request Profile
A resource certificate request MAY use either of PKCS#10 or A resource certificate request MAY use either of PKCS#10 or
Certificate Request Message Format (CRMF). There is no requirement Certificate Request Message Format (CRMF). A CA Issuer MUST support
for a CA Issuer to support both request formats, and the choice of PKCS#10 and a CA Issuer may, with mutual consent of the subject,
formats is a matter for the Issuer and Subject to resolve. support CRMF.
5.1. PCKS#10 Profile 5.1. PCKS#10 Profile
This profile refines the specification in [RFC2986], as it relates to This profile refines the specification in [RFC2986], as it relates to
Resource Certificates. A Certificate Request Message object, Resource Certificates. A Certificate Request Message object,
formatted according to PKCS#10, is passed to a Certificate Authority formatted according to PKCS#10, is passed to a Certificate Authority
as the initial step in issuing a certificate. as the initial step in issuing a certificate.
This request may be conveyed to the CA via a Registration Authority This request may be conveyed to the CA via a Registration Authority
(RA), acting under the direction of a Subject. (RA), acting under the direction of a Subject.
skipping to change at page 16, line 16 skipping to change at page 16, line 16
5.1.1. PKCS#10 Resource Certificate Request Template Fields 5.1.1. PKCS#10 Resource Certificate Request Template Fields
This profile applies the following additional constraints to fields This profile applies the following additional constraints to fields
that may appear in a CertificationRequestInfo: that may appear in a CertificationRequestInfo:
Version Version
This field is mandatory and MUST have the value 0. This field is mandatory and MUST have the value 0.
Subject Subject
The CA SHOULD consider this name as the subject's suggestion, but This field is optional. If present, the value of this field
the CA is NOT bound to honour this suggestion, as the subject name SHOULD be empty, in which case the issuer MUST generate a subject
MUST be unique per issuer in certificates issued by this issuer. name that is unique in the context of certificates issued by this
This field MAY be empty, in which case the issuer MUST generate a issuer. If the value of this field is non-empty, then the CA MAY
subject name that is unique in the context of certificates issued consider the value of this field as the subject's suggested
by this issuer. subject name, but the CA is NOT bound to honour this suggestion,
as the subject name MUST be unique per issuer in certificates
issued by this issuer.
SubjectPublicKeyInfo SubjectPublicKeyInfo
This field specifies the subject's public key and the algorithm This field specifies the subject's public key and the algorithm
with which the key is used. The public key algorithm MUST be RSA, with which the key is used. The public key algorithm MUST be RSA,
and the OID for the algorithm is 1.2.840.113549.1.1.1. This field and the OID for the algorithm is 1.2.840.113549.1.1.1. This field
also includes a bit-string representation of the entity's public also includes a bit-string representation of the entity's public
key. For the RSA public-key algorithm the bit string contains the key. For the RSA public-key algorithm the bit string contains the
DER encoding of a value of PKCS #1 type RSAPublicKey. DER encoding of a value of PKCS #1 type RSAPublicKey.
Attributes Attributes
skipping to change at page 18, line 5 skipping to change at page 18, line 5
Issuer Issuer
This field is assigned by the CA and MUST be omitted in this This field is assigned by the CA and MUST be omitted in this
profile. profile.
Validity Validity
This field MAY be omitted. If omitted, the CA will issue a This field MAY be omitted. If omitted, the CA will issue a
Certificate with Validity dates as determined by the CA. If Certificate with Validity dates as determined by the CA. If
specified, then the CA MAY override the requested values with specified, then the CA MAY override the requested values with
dates as determined by the CA. dates as determined by the CA.
Subject As the subject name is assigned by the CA, this field MAY be Subject
omitted, in which case the subject name will be generated by the This field is optional. If present, the value of this field
CA. If specified, the CA SHOULD consider this as the subject's SHOULD be empty, in which case the issuer MUST generate a subject
suggestion, but the CA is NOT bound to honour this suggestion. name that is unique in the context of certificates issued by this
issuer. If the value of this field is non-empty, then the CA MAY
consider the value of this field as the subject's suggested
subject name, but the CA is NOT bound to honour this suggestion,
as the subject name MUST be unique per issuer in certificates
issued by this issuer.
PublicKey PublicKey
This field MUST be present. This field MUST be present.
extensions extensions
This attribute contains X509v3 Certificate Extensions. The This attribute contains X509v3 Certificate Extensions. The
profile for extensions in certificate requests is specified in profile for extensions in certificate requests is specified in
Section 5.3. Section 5.3.
5.2.2. Resource Certificate Request Control Fields 5.2.2. Resource Certificate Request Control Fields
The following control fields are supported in this profile: The following control fields are supported in this profile:
Authenticator Control Authenticator Control
It is noted that the intended model of authentication of the It is noted that the intended model of authentication of the
subject is a long term one, and the advice as offered in [RFC4211] subject is a long term one, and the advice as offered in [RFC4211]
is that the Authenticator Control field be used. is that the Authenticator Control field be used.
[Note - not for publication: The method of generation and
authentication of this field is not specified in this document.
It is assumed that the Certificate Issuer and subject have
securely exchanged credentials using some other mechanism and the
Authenticator Control shall reference these credentials. The
desirable properties include the ability to validate the subject
and the authenticity of the provided public key. An alternative
is to remove this control field from this profile and defer
authentication of the request to some unspecified external
mechanism.]
5.3. Certificate Extension Attributes in Certificate Requests 5.3. Certificate Extension Attributes in Certificate Requests
The following extensions MAY appear in a PKCS#10 or CRMF Certificate The following extensions MAY appear in a PKCS#10 or CRMF Certificate
Request. Any other extensions MUST NOT appear in a Certificate Request. Any other extensions MUST NOT appear in a Certificate
Request. This profile places the following additional constraints on Request. This profile places the following additional constraints on
these extensions.: these extensions.:
BasicConstraints BasicConstraints
If this is omitted then the CA will issue an end entity If this is omitted then the CA will issue an end entity
certificate with the BasicConstraints extension not present in the certificate with the BasicConstraints extension not present in the
skipping to change at page 19, line 31 skipping to change at page 19, line 27
AuthorityKeyIdentifier AuthorityKeyIdentifier
This field is assigned by the CA and MUST be omitted in this This field is assigned by the CA and MUST be omitted in this
profile. profile.
KeyUsage KeyUsage
The CA MAY honor KeyUsage extensions of CertificateSigning and The CA MAY honor KeyUsage extensions of CertificateSigning and
CRLSigning if present, as long as this is consistent with the CRLSigning if present, as long as this is consistent with the
BasicConstraints SubjectType sub field, when specified. BasicConstraints SubjectType sub field, when specified.
SubjectInformationAccess SubjectInformationAccess
This field MUST be present when the subject is a CA, and the field This field MAY be present when the subject is a CA, and the field
value SHOULD be honoured by the CA. If the CA is not able to value SHOULD be honoured by the CA. If the CA is not able to
honor the requested field value, then the CA MUST reject the honor the requested field value, then the CA MUST reject the
Certificate Request. Certificate Request.
If the field is not present, then the CA shall interpret the
request as a request by the subject entity to publish subordinate
certificates via the CA, and the CA will place the publication
point in the SIA field of the issued certificate.
This field (SIA) identifies the location of information and This field (SIA) identifies the location of information and
services relating to the subject of the certificate in which the services relating to the subject of the certificate in which the
SIA extension appears. Where the Subject is a CA in this profile, SIA extension appears. Where the Subject is a CA in this profile,
this information and service collection will include all current this information and service collection will include all current
valid certificates that have been issued by this subject that are valid certificates that have been issued by this subject that are
signed with the subject's corresponding private key. signed with the subject's corresponding private key.
This profile uses a URI form of location identification. The This profile uses a URI form of location identification. An RSYNC
preferred URI access mechanism is "rsync", and an RSYNC URI MUST URI MUST be specified, with an access method value of id-ad-
be specified, with an access method value of id-ad-caRepository caRepository when the subject of the certificate is a CA. The
when the subject of the certificate is a CA. The RSYNC URI MUST RSYNC URI MUST reference an object collection rather than an
reference an object collection rather than an individual object individual object and MUST use a trailing '/' in the URI. Other
and MUST use a trailing '/' in the URI. Other access method URIs access method URIs that reference the same location MAY also be
that reference the same location MAY also be included in the value included in the value sequence of this extension. The ordering of
sequence of this extension. The ordering of URIs in this sequence URIs in this sequence reflect the subject's relative preferences
reflect the subject's relative preferences for access methods, for access methods, with the first method in the sequence being
with the first method in the sequence being the most preferred by the most preferred by the Subject.
the Subject.
SubjectAlternateName
This field MAY be present, and the CA MAY use this as the
SubjectAltName in the issued Certificate.
CRLDistributionPoints CRLDistributionPoints
This field is assigned by the CA and MUST be omitted in this This field is assigned by the CA and MUST be omitted in this
profile. profile.
AuthorityInformationAccess AuthorityInformationAccess
This field is assigned by the CA and MUST be omitted in this This field is assigned by the CA and MUST be omitted in this
profile. profile.
CertificatePolicies CertificatePolicies
skipping to change at page 22, line 16 skipping to change at page 22, line 13
sets: sets:
more specific: Given two IP address or AS number contiguous ranges, more specific: Given two IP address or AS number contiguous ranges,
A and B, A is "more specific" than B if range B includes all IP A and B, A is "more specific" than B if range B includes all IP
addresses or AS numbers described by range A, and if range B is addresses or AS numbers described by range A, and if range B is
larger than range A. larger than range A.
equal: Given two IP address or AS number contiguous ranges, A and B, equal: Given two IP address or AS number contiguous ranges, A and B,
A is "equal" to B if range A describes precisely the same A is "equal" to B if range A describes precisely the same
collection of IP addresses or AS numbers as described by range B. collection of IP addresses or AS numbers as described by range B.
The definition of "inheritance" in [RFC3779]is equivalent to this The definition of "inheritance" in [RFC3779] is equivalent to this
"equality" comparison. "equality" comparison.
encompass: Given two IP address and AS number sets X and Y, X encompass: Given two IP address and AS number sets X and Y, X
"encompasses" Y if, for every contiguous range of IP addresses or "encompasses" Y if, for every contiguous range of IP addresses or
AS numbers elements in set Y, the range element is either more AS numbers elements in set Y, the range element is either more
specific than or equal to a contiguous range element within the specific than or equal to a contiguous range element within the
set X. set X.
Validation of a certificate's resource extension in the context of an Validation of a certificate's resource extension in the context of an
ordered certificate sequence of {1,2, ... , n} where '1'is issued by ordered certificate sequence of {1,2, ... , n} where '1'is issued by
a trust anchor and 'n' is the target certificate, and where the a trust anchor and 'n' is the target certificate, and where the
skipping to change at page 24, line 22 skipping to change at page 24, line 19
[Note to IANA, to be removed prior to publication: there are no IANA [Note to IANA, to be removed prior to publication: there are no IANA
considerations stated in this version of the document.] considerations stated in this version of the document.]
9. Acknowledgements 9. Acknowledgements
The authors would like to acknowledge the valued contributions from The authors would like to acknowledge the valued contributions from
Stephen Kent, Robert Kisteleki, Randy Bush, Russ Housley, Ricardo Stephen Kent, Robert Kisteleki, Randy Bush, Russ Housley, Ricardo
Patara and Rob Austein in the preparation and subsequent review of Patara and Rob Austein in the preparation and subsequent review of
this document. this document.
10. Normative References 10. References
10.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. September 1981.
[RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D., and [RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D., and
J. Postel, "INTERNET REGISTRY IP ALLOCATION GUIDELINES", J. Postel, "INTERNET REGISTRY IP ALLOCATION GUIDELINES",
BCP 12, RFC 2050, November 1996. BCP 12, RFC 2050, November 1996.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
November 2000.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
November 2000.
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280, Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002. April 2002.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, June 2004.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in Algorithms and Identifiers for RSA Cryptography for use in
the Internet X.509 Public Key Infrastructure Certificate the Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile", RFC 4055, and Certificate Revocation List (CRL) Profile", RFC 4055,
June 2005. June 2005.
[RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
Nicholas, "Internet X.509 Public Key Infrastructure:
Certification Path Building", RFC 4158, September 2005.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
September 2005. September 2005.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
10.2. Informative References
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
November 2000.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
November 2000.
[RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
Nicholas, "Internet X.509 Public Key Infrastructure:
Certification Path Building", RFC 4158, September 2005.
[rsync] Tridgell, A., "rsync", April 2006, [rsync] Tridgell, A., "rsync", April 2006,
<http://samba.anu.edu.au/rsync/>. <http://samba.anu.edu.au/rsync/>.
Appendix A. Example Resource Certificate Appendix A. Example Resource Certificate
The following is an example Resource Certificate. The following is an example Resource Certificate.
Certificate Name: hu9fdDBq60mrk7cPRuX2DYuXSRQ-3.cer Certificate Name: hu9fdDBq60mrk7cPRuX2DYuXSRQ-3.cer
Data: Data:
skipping to change at page 25, line 50 skipping to change at page 26, line 4
8b:97:49:14 8b:97:49:14
Subject Key Identifier g(SKI): Subject Key Identifier g(SKI):
hu9fdDBq60mrk7cPRuX2DYuXSRQ hu9fdDBq60mrk7cPRuX2DYuXSRQ
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: Modulus: RSA Public Key: Modulus:
c1:25:a1:b0:db:89:83:a0:fc:f1:c0:e4:7b:93:76:c1: c1:25:a1:b0:db:89:83:a0:fc:f1:c0:e4:7b:93:76:c1:
59:b7:0d:ac:25:25:ed:88:ce:00:03:ea:99:1a:9a:2a: 59:b7:0d:ac:25:25:ed:88:ce:00:03:ea:99:1a:9a:2a:
0e:10:2e:5f:c0:45:87:47:81:7b:1d:4d:44:aa:65:a3: 0e:10:2e:5f:c0:45:87:47:81:7b:1d:4d:44:aa:65:a3:
f8:07:84:32:ea:04:70:27:05:2b:79:26:e6:e6:3a:cb: f8:07:84:32:ea:04:70:27:05:2b:79:26:e6:e6:3a:cb:
b2:9a:65:6c:c1:4e:d7:35:fb:f6:41:1e:8b:1c:b8:e4:
b2:9a:65:6c:c1:4e:d7:35:fb:f6:41:1e:8b:1c:b8:e4:
5a:3a:d6:d0:7b:82:9a:23:03:f8:05:4c:68:42:67:fe: 5a:3a:d6:d0:7b:82:9a:23:03:f8:05:4c:68:42:67:fe:
e7:45:d9:2c:a6:d1:b3:da:cf:ad:77:c5:80:d2:e3:1e: e7:45:d9:2c:a6:d1:b3:da:cf:ad:77:c5:80:d2:e3:1e:
4d:e8:bf:a2:f2:44:10:b2:2f:61:bc:f4:89:31:54:7c: 4d:e8:bf:a2:f2:44:10:b2:2f:61:bc:f4:89:31:54:7c:
56:47:d5:b1:c3:48:26:95:93:c9:6f:70:14:4d:ac:a5: 56:47:d5:b1:c3:48:26:95:93:c9:6f:70:14:4d:ac:a5:
c2:8e:3d:1f:6d:f8:d4:93:9d:14:c7:15:c7:34:8e:ba: c2:8e:3d:1f:6d:f8:d4:93:9d:14:c7:15:c7:34:8e:ba:
dd:70:b3:c2:2b:08:78:59:97:dd:e4:34:c7:d8:de:5c: dd:70:b3:c2:2b:08:78:59:97:dd:e4:34:c7:d8:de:5c:
f7:94:6f:95:59:ba:29:65:f5:98:15:8f:8e:57:59:5d: f7:94:6f:95:59:ba:29:65:f5:98:15:8f:8e:57:59:5d:
92:1f:64:2f:b5:3d:69:2e:69:83:c2:10:c6:aa:8e:03: 92:1f:64:2f:b5:3d:69:2e:69:83:c2:10:c6:aa:8e:03:
d5:69:11:bd:0d:b5:d8:27:6c:74:2f:60:47:dd:2e:87: d5:69:11:bd:0d:b5:d8:27:6c:74:2f:60:47:dd:2e:87:
24:c2:36:68:2b:3c:fd:bd:22:57:a9:4d:e8:86:3c:27: 24:c2:36:68:2b:3c:fd:bd:22:57:a9:4d:e8:86:3c:27:
skipping to change at page 26, line 39 skipping to change at page 26, line 40
Authority Info Access: caIssuers - Authority Info Access: caIssuers -
rsync://repository.apnic.net/APNIC/ rsync://repository.apnic.net/APNIC/
pvpjvwUeQix2e54X8fGbhmdYMo0/ pvpjvwUeQix2e54X8fGbhmdYMo0/
q66IrWSGuBE7jqx8PAUHAlHCqRw.cer q66IrWSGuBE7jqx8PAUHAlHCqRw.cer
Authority Key Identifier: Key Identifier: Authority Key Identifier: Key Identifier:
ab:ae:88:ad:64:86:b8:11:3b:8e:ac:7c:3c:05:07:02: ab:ae:88:ad:64:86:b8:11:3b:8e:ac:7c:3c:05:07:02:
51:c2:a9:1c 51:c2:a9:1c
Authority Key Identifier: Key Identifier g(AKI): Authority Key Identifier: Key Identifier g(AKI):
q66IrWSGuBE7jqx8PAUHAlHCqRw q66IrWSGuBE7jqx8PAUHAlHCqRw
Certificate Policies: 1.3.6.1.5.5.7.14.2 Certificate Policies: 1.3.6.1.5.5.7.14.2
IPv4: 202.12.27.0-202.12.29.255, 202.12.31.0/24, IPv4: 192.0.2.0/24,
203.119.0.0/24, 203.119.42.0/23 IPv6: 2001:DB8::/32
IPv6: 2001:dc0::/32
ASNum: 4608, 4777, 9545, 18366-18370 ASNum: 4608, 4777, 9545, 18366-18370
Signature: Signature:
c5:e7:b2:f3:62:cb:e3:bc:50:1e:6b:90:13:19:f4:5b: c5:e7:b2:f3:62:cb:e3:bc:50:1e:6b:90:13:19:f4:5b:
4a:1c:1c:ab:b5:de:b1:a4:22:e0:28:f5:3b:d0:8c:59: 4a:1c:1c:ab:b5:de:b1:a4:22:e0:28:f5:3b:d0:8c:59:
0f:85:f2:06:a6:ae:22:e6:d0:99:fe:cb:eb:1d:6a:e2: 0f:85:f2:06:a6:ae:22:e6:d0:99:fe:cb:eb:1d:6a:e2:
a3:f1:a2:25:95:ec:a7:7d:96:35:dc:16:a7:2f:f5:b7: a3:f1:a2:25:95:ec:a7:7d:96:35:dc:16:a7:2f:f5:b7:
11:ba:97:05:57:5f:5d:07:5a:c8:19:c8:27:d3:f7:a3: 11:ba:97:05:57:5f:5d:07:5a:c8:19:c8:27:d3:f7:a3:
92:66:cb:98:2d:e1:7f:a8:25:96:ab:af:ed:87:02:28: 92:66:cb:98:2d:e1:7f:a8:25:96:ab:af:ed:87:02:28:
f5:ae:b6:e3:0c:f7:18:82:70:82:f4:76:54:06:b9:9f: f5:ae:b6:e3:0c:f7:18:82:70:82:f4:76:54:06:b9:9f:
e1:a5:f7:ae:72:dd:ee:f0:d4:d2:78:bb:61:73:cf:51: e1:a5:f7:ae:72:dd:ee:f0:d4:d2:78:bb:61:73:cf:51:
 End of changes. 31 change blocks. 
103 lines changed or deleted 103 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/