| < draft-ietf-pkix-sonof3039-05.txt | draft-ietf-pkix-sonof3039-06.txt > | |||
|---|---|---|---|---|
| PKIX Working Group S. Santesson (Microsoft) | PKIX Working Group S. Santesson (Microsoft) | |||
| INTERNET-DRAFT M. Nystrom (RSA Security) | INTERNET-DRAFT M. Nystrom (RSA Security) | |||
| Expires August 2004 T. Polk (NIST) | Expires August 2004 T. Polk (NIST) | |||
| February 2004 | February 2004 | |||
| Internet X.509 Public Key Infrastructure: | Internet X.509 Public Key Infrastructure: | |||
| Qualified Certificates Profile | Qualified Certificates Profile | |||
| <draft-ietf-pkix-sonOf3039-05.txt> | <draft-ietf-pkix-sonOf3039-06.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026. | all provisions of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1 Introduction ................................................ 3 | 1 Introduction ................................................ 3 | |||
| 1.1 Changes since RFC 3039 ................................... 3 | 1.1 Changes since RFC 3039 ................................... 3 | |||
| 1.2 Definitions .............................................. 4 | 1.2 Definitions .............................................. 4 | |||
| 2 Requirements and Assumptions ................................ 4 | 2 Requirements and Assumptions ................................ 4 | |||
| 2.1 Properties ................................................ 5 | 2.1 Properties ................................................ 5 | |||
| 2.2 Statement of Purpose ...................................... 5 | 2.2 Statement of Purpose ...................................... 5 | |||
| 2.3 Policy Issues ............................................. 6 | 2.3 Policy Issues ............................................. 6 | |||
| 2.4 Uniqueness of names ....................................... 6 | 2.4 Uniqueness of names ....................................... 6 | |||
| 3 Certificate and Certificate Extensions Profile .............. 7 | 3 Certificate and Certificate Extensions Profile .............. 6 | |||
| 3.1 Basic Certificate Fields .................................. 7 | 3.1 Basic Certificate Fields .................................. 6 | |||
| 3.1.1 Issuer .................................................. 7 | 3.1.1 Issuer .................................................. 7 | |||
| 3.1.2 Subject ................................................. 7 | 3.1.2 Subject ................................................. 7 | |||
| 3.2 Certificate Extensions .................................... 10 | 3.2 Certificate Extensions .................................... 9 | |||
| 3.2.1 Subject Alternative Name ................................ 10 | 3.2.1 Subject Alternative Name ................................ 9 | |||
| 3.2.2 Subject Directory Attributes ............................ 10 | 3.2.2 Subject Directory Attributes ............................ 9 | |||
| 3.2.3 Certificate Policies .................................... 11 | 3.2.3 Certificate Policies .................................... 11 | |||
| 3.2.4 Key Usage ............................................... 12 | 3.2.4 Key Usage ............................................... 11 | |||
| 3.2.5 Biometric Information ................................... 12 | 3.2.5 Biometric Information ................................... 11 | |||
| 3.2.6 Qualified Certificate Statements ........................ 13 | 3.2.6 Qualified Certificate Statements ........................ 13 | |||
| 4 Security Considerations ..................................... 16 | 4 Security Considerations ..................................... 16 | |||
| 5 References .................................................. 17 | 5 References .................................................. 17 | |||
| 6 Intellectual Property Rights ................................ 18 | 6 Intellectual Property Rights ................................ 18 | |||
| A ASN.1 definitions ........................................... 19 | A ASN.1 definitions ........................................... 19 | |||
| A.1 1988 ASN.1 Module (Normative).............................. 19 | A.1 1988 ASN.1 Module (Normative).............................. 19 | |||
| A.2 1997 ASN.1 Module (Informative)............................ 22 | A.2 1997 ASN.1 Module (Informative)............................ 21 | |||
| B A Note on Attributes ........................................ 25 | B A Note on Attributes ........................................ 25 | |||
| C. Example Certificate ........................................ 26 | C Example Certificate ......................................... 25 | |||
| C.1 ASN.1 Structure ........................................... 26 | C.1 ASN.1 Structure ........................................... 26 | |||
| C.1.1 Extensions ............................................... 26 | C.1.1 Extensions ............................................... 26 | |||
| C.1.2 The certificate .......................................... 28 | C.1.2 The certificate .......................................... 27 | |||
| C.2 ASN.1 Dump ................................................ 31 | C.2 ASN.1 Dump ................................................ 29 | |||
| C.3 DER-encoding .............................................. 34 | C.3 DER-encoding .............................................. 32 | |||
| C.4 CA's public key ........................................... 34 | C.4 CA's public key ........................................... 33 | |||
| Authors' Addresses ............................................. 35 | Authors' Addresses ............................................. 33 | |||
| Full Copyright Statement ....................................... 36 | Full Copyright Statement ....................................... 34 | |||
| 1 Introduction | 1 Introduction | |||
| This specification is one part of a family of standards for the X.509 | This specification is one part of a family of standards for the X.509 | |||
| Public Key Infrastructure (PKI) for the Internet. It is based on RFC | Public Key Infrastructure (PKI) for the Internet. It is based on RFC | |||
| 3280, which defines underlying certificate formats and semantics | 3280, which defines underlying certificate formats and semantics | |||
| needed for a full implementation of this standard. | needed for a full implementation of this standard. | |||
| This profile includes specific mechanisms intended for use with | This profile includes specific mechanisms intended for use with | |||
| Qualified Certificates. The term Qualified Certificates and the | Qualified Certificates. The term Qualified Certificates and the | |||
| assumptions that affects the scope of this document are discussed in | assumptions that affects the scope of this document are discussed in | |||
| Section 2. | Section 2. | |||
| Section 3 defines requirements on certificate information content. | Section 3 defines requirements on certificate information content. | |||
| This profile addresses two fields in the basic certificate as well as | This specification provides profiles for two certificate fields: | |||
| five certificate extensions. The certificate fields are the subject | issuer and subject; it also provides profiles for four certificate | |||
| and issuer fields. The certificate extensions are subject directory | extensions defined in RFC 3280: subject alternate name, subject | |||
| attributes, certificate policies, key usage, a certificate extension | directory attributes, certificate policies and key usage; and it | |||
| for storage of biometric data and a certificate extension for storage | defines two additional extensions: biometric information and | |||
| of statements related to Qualified Certificates. The certificate | qualified certificate statements. The certificate extensions are | |||
| extensions are presented in the 1997 Abstract Syntax Notation One | presented in the 1997 Abstract Syntax Notation One (ASN.1), but in | |||
| (ASN.1), but in conformance with RFC 3280 the 1988 ASN.1 module in | conformance with RFC 3280 the 1988 ASN.1 module in Appendix A | |||
| Appendix A contains all normative definitions (the 1997 module in | contains all normative definitions (the 1997 module in Appendix A is | |||
| Appendix A is informative). | informative). | |||
| In Section 4, some security considerations are discussed in order to | In Section 4, some security considerations are discussed in order to | |||
| clarify the security context in which the standard may be utilized. | clarify the security context in which the standard may be utilized. | |||
| Section 5 contains the references. | Section 5 contains the references. | |||
| Appendix A contains all relevant ASN.1 [X.680] structures that are | Appendix A contains all relevant ASN.1 [X.680] structures that are | |||
| not already defined in RFC 3280. Appendix B contains a note on | not already defined in RFC 3280. Appendix B contains a note on | |||
| attributes. Appendix C contains an example certificate. Appendix D | attributes. Appendix C contains an example certificate. Appendix D | |||
| contains authors' addresses and Appendix E contains the IETF | contains authors' addresses and Appendix E contains the IETF | |||
| Copyright Statement. | Copyright Statement. | |||
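Review bot: The rewritten Introduction paragraph in the right column calls the first extension "subject alternate name", while the table of contents and Section 3.2.1 call it "Subject Alternative Name"; use the same name here. In the unchanged context, "assumptions that affects" should read "assumptions that affect", and the last paragraph refers to Appendix D and Appendix E although the table of contents lists "Authors' Addresses" and "Full Copyright Statement" without appendix letters.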
| skipping to change at page 3, line 50 ¶ | skipping to change at page 3, line 50 ¶ | |||
| This specification obsoletes RFC 3039. This specification differs | This specification obsoletes RFC 3039. This specification differs | |||
| from RFC 3039 in the following basic areas: | from RFC 3039 in the following basic areas: | |||
| * Some editorial clarifications has been made to introductory | * Some editorial clarifications has been made to introductory | |||
| sections to clarify that this profile is generally applicable to a | sections to clarify that this profile is generally applicable to a | |||
| broad type of certificates even if its prime purpose is to | broad type of certificates even if its prime purpose is to | |||
| facilitate issuance of Qualified Certificates. | facilitate issuance of Qualified Certificates. | |||
| * To align with RFC 3280, support for domainComponent and title | * To align with RFC 3280, support for domainComponent and title | |||
| attribues in subject names are included, and postalAddress is no | attributes in subject names are included, and postalAddress is no | |||
| longer supported. | longer supported. | |||
| * To align with actual usage, support for the title attribute in | * To align with actual usage, support for the title attribute in | |||
| the subject directory attributes extension is no longer supported. | the subject directory attributes extension is no longer supported. | |||
| * To better facilitate broad applicability of this profile some | * To better facilitate broad applicability of this profile some | |||
| constraints on key usage settings in the key usage extension have | constraints on key usage settings in the key usage extension have | |||
| been removed. | been removed. | |||
| * A new qc-Statement reflecting this second version of the profile | * A new qc-Statement reflecting this second version of the profile | |||
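Review bot: The first bullet still reads "Some editorial clarifications has been made"; since this revision already corrects "attribues" in the second bullet, fix the agreement here as well ("have been made"). The second bullet has the same agreement problem ("support for ... are included"), and the third says that support "is no longer supported", where "the title attribute ... is no longer supported" would be enough.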
| skipping to change at page 7, line 18 ¶ | skipping to change at page 6, line 39 ¶ | |||
| is based on the Internet certificate profile RFC 3280 which in turn | is based on the Internet certificate profile RFC 3280 which in turn | |||
| is based on the X.509 version 3 format. For full implementation of | is based on the X.509 version 3 format. For full implementation of | |||
| this section implementers are REQUIRED to consult the underlying | this section implementers are REQUIRED to consult the underlying | |||
| formats and semantics defined in RFC 3280. | formats and semantics defined in RFC 3280. | |||
| ASN.1 definitions relevant for this section that are not supplied by | ASN.1 definitions relevant for this section that are not supplied by | |||
| RFC 3280 are supplied in Appendix A. | RFC 3280 are supplied in Appendix A. | |||
| 3.1 Basic Certificate Fields | 3.1 Basic Certificate Fields | |||
| This specification provides additional details regarding the contents | This section provides additional details regarding the contents of | |||
| of two fields in the basic certificate. These fields are the issuer | two fields in the basic certificate. These fields are the issuer and | |||
| and subject fields. | subject fields. | |||
| 3.1.1 Issuer | 3.1.1 Issuer | |||
| The issuer field SHALL identify the organization responsible for | The issuer field SHALL identify the organization responsible for | |||
| issuing the certificate. The name SHOULD be an officially registered | issuing the certificate. The name SHOULD be an officially registered | |||
| name of the organization. | name of the organization. | |||
| The distinguished name of the issuer SHALL be specified using an | The distinguished name of the issuer SHALL be specified using an | |||
| appropriate subset of the following attributes: | appropriate subset of the following attributes: | |||
| skipping to change at page 9, line 8 ¶ | skipping to change at page 8, line 33 ¶ | |||
| The commonName attribute value SHALL, when present, contain a name | The commonName attribute value SHALL, when present, contain a name | |||
| of the subject. This MAY be in the subject's preferred | of the subject. This MAY be in the subject's preferred | |||
| presentation format, or a format preferred by the CA, or some | presentation format, or a format preferred by the CA, or some | |||
| other format. Pseudonyms, nicknames and names with spelling other | other format. Pseudonyms, nicknames and names with spelling other | |||
| than defined by the registered name MAY be used. To understand | than defined by the registered name MAY be used. To understand | |||
| the nature of the name presented in commonName, complying | the nature of the name presented in commonName, complying | |||
| applications MAY have to examine present values of the givenName | applications MAY have to examine present values of the givenName | |||
| and surname attributes, or the pseudonym attribute. | and surname attributes, or the pseudonym attribute. | |||
| Note: Many client implementations presuppose the presence of the | Note: Many client implementations presuppose the presence of the | |||
| commonName attribute value in the subject field and use this value | commonName attribute value in the subject field and use this value to | |||
| to display the subject's name regardless of present givenName, | display the subject's name regardless of present givenName, surname | |||
| surname or pseudonym attribute values. | or pseudonym attribute values. | |||
| The surname and givenName attribute types SHALL be used in the | The surname and givenName attribute types SHALL be used in the | |||
| subject field if neither the commonName attribute nor the | subject field if neither the commonName attribute nor the | |||
| pseudonym attribute is present. In cases where the subject only | pseudonym attribute is present. In cases where the subject only | |||
| has a givenName the surname attribute SHALL be omitted. | has a givenName the surname attribute SHALL be omitted. | |||
| The pseudonym attribute type SHALL, if present, contain a | The pseudonym attribute type SHALL, if present, contain a | |||
| pseudonym of the subject. Use of the pseudonym attribute MUST NOT | pseudonym of the subject. Use of the pseudonym attribute MUST NOT | |||
| be combined with use of any of the attributes surname and/or | be combined with use of any of the attributes surname and/or | |||
| givenName. | givenName. | |||
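Review bot: "complying applications MAY have to examine" in the commonName paragraph uses an RFC 2119 keyword for something that is not a permission, so it is unclear what a conforming application is expected to do. Because the same paragraph allows pseudonyms and nicknames in commonName, and the Note says many clients display commonName regardless of givenName, surname or pseudonym, state the expectation directly, for example that applications SHOULD examine those attributes before treating the displayed name as a registered name.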
| skipping to change at page 10, line 10 ¶ | skipping to change at page 9, line 35 ¶ | |||
| localityName attribute values SHALL be associated with the | localityName attribute values SHALL be associated with the | |||
| specified organization. The type of association between the | specified organization. The type of association between the | |||
| stateOrProvinceName and the localityName and either the subject or | stateOrProvinceName and the localityName and either the subject or | |||
| the organizationName is beyond the scope of this document. | the organizationName is beyond the scope of this document. | |||
| Compliant implementations SHALL be able to interpret the attributes | Compliant implementations SHALL be able to interpret the attributes | |||
| named in this section. | named in this section. | |||
| 3.2 Certificate Extensions | 3.2 Certificate Extensions | |||
| This specification provides profiles for two certificate fields: | This section provides additional details regarding the contents of | |||
| issuer and subject; it also provides profiles for four certificate | four certificate extensions defined in RFC 3280: Subject Alternative | |||
| extensions defined in RFC 3280: subject alternate name, subject | Name, Subject directory attributes, Certificate policies and Key | |||
| directory attributes, certificate policies and key usage. This | usage. This section also defines two additional extensions: biometric | |||
| specification defines two additional extensions: biometric | ||||
| information and qualified certificate statements. | information and qualified certificate statements. | |||
| 3.2.1 Subject Alternative Name | 3.2.1 Subject Alternative Name | |||
| If the subjectAltName extension is present and it contains a | If the subjectAltName extension is present and it contains a | |||
| directoryName name, then the directoryName MUST follow the | directoryName name, then the directoryName MUST follow the | |||
| conventions specified in section 3.1.2 of this profile. | conventions specified in section 3.1.2 of this profile. | |||
| 3.2.2 Subject Directory Attributes | 3.2.2 Subject Directory Attributes | |||
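Review bot: The new Section 3.2 sentence capitalizes the extension names inconsistently ("Subject Alternative Name, Subject directory attributes, Certificate policies and Key usage"), while the headings 3.2.1 and 3.2.2 in this hunk use title case throughout. Pick one form and use it in this sentence and in the matching Introduction paragraph.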
| skipping to change at page 12, line 26 ¶ | skipping to change at page 11, line 49 ¶ | |||
| 3.2.5 Biometric Information | 3.2.5 Biometric Information | |||
| This section defines an extension for storage of biometric | This section defines an extension for storage of biometric | |||
| information. Biometric information is stored in the form of a hash | information. Biometric information is stored in the form of a hash | |||
| of a biometric template. | of a biometric template. | |||
| The purpose of this extension is to provide means for authentication | The purpose of this extension is to provide means for authentication | |||
| of biometric information. The biometric information that corresponds | of biometric information. The biometric information that corresponds | |||
| to the stored hash is not stored in this extension, but the extension | to the stored hash is not stored in this extension, but the extension | |||
| MAY include an URI referencing a file containing this information. | MAY include an URI (sourceDataUri) referencing a file containing this | |||
| If included, this URI does not imply that this is the only way to | information. | |||
| access this information. | ||||
| It is RECOMMENDED that biometric information in this extension is | If included, the URI MUST use the HTTP scheme (http://) [HTTP/1.1] or | |||
| the HTTPS scheme (https://) [RFC 2818]. Since the fact that | ||||
| identifying data is being checked may itself be sensitive | ||||
| information, those deploying this mechanism may also wish to consider | ||||
| using URIs which cannot be easily tied by outsiders to the identities | ||||
| of those whose information is being retrieved. | ||||
| Use of the URI option presumes that data encoding format of the file | ||||
| content is determined through means outside the scope of this | ||||
| specification, such as file naming conventions and metadata inside | ||||
| the file. Use of this URI option does not imply that it is the only | ||||
| way to access this information. | ||||
| It is RECOMMENDED that biometric information in this extension be | ||||
| limited to information types suitable for human verification, i.e., | limited to information types suitable for human verification, i.e., | |||
| where the decision of whether the information is an accurate | where the decision of whether the information is an accurate | |||
| representation of the subject is naturally performed by a person. | representation of the subject is naturally performed by a person. | |||
| This implies a usage where the biometric information is represented | This implies a usage where the biometric information is represented | |||
| by, for example, a graphical image displayed to the relying party, | by, for example, a graphical image displayed to the relying party, | |||
| which MAY be used by the relying party to enhance identification of | which MAY be used by the relying party to enhance identification of | |||
| the subject. | the subject. | |||
| This extension MUST NOT be marked critical. | This extension MUST NOT be marked critical. | |||
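Review bot: The new sourceDataUri paragraph permits plain http:// while the next sentence says that "the fact that identifying data is being checked may itself be sensitive information"; a fetch over http:// exposes that fact and the URI to anyone observing the connection. Consider recommending https:// where that concern applies, and state explicitly that the relying party checks the retrieved file against the stored hash before displaying it, since the file format is left to "means outside the scope of this specification". Also, "an URI" should be "a URI", and the lowercase "may also wish to consider" sits among RFC 2119 keywords and is easy to misread as normative.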
| skipping to change at page 13, line 21 ¶ | skipping to change at page 13, line 8 ¶ | |||
| handwritten-signature(1)} (picture|handwritten-signature,...) | handwritten-signature(1)} (picture|handwritten-signature,...) | |||
| The predefined biometric type picture, when present, SHALL identify | The predefined biometric type picture, when present, SHALL identify | |||
| that the source picture is in the form of a displayable graphical | that the source picture is in the form of a displayable graphical | |||
| image of the subject. The hash of the graphical image SHALL be | image of the subject. The hash of the graphical image SHALL be | |||
| calculated over the whole referenced image file. | calculated over the whole referenced image file. | |||
| The predefined biometric type handwritten-signature, when present, | The predefined biometric type handwritten-signature, when present, | |||
| SHALL identify that the source data is in the form of a displayable | SHALL identify that the source data is in the form of a displayable | |||
| graphical image of the subject's handwritten signature. The hash of | graphical image of the subject's handwritten signature. The hash of | |||
| the graphical image SHALL only be calculated over the image data | the graphical image SHALL be calculated over the whole referenced | |||
| excluding any labels defining the image type. | image file. | |||
| 3.2.6 Qualified Certificate Statements | 3.2.6 Qualified Certificate Statements | |||
| This section defines an extension for inclusion of statements | This section defines an extension for inclusion of statements | |||
| defining explicit properties of the certificate. | defining explicit properties of the certificate. | |||
| A statement suitable for inclusion in this extension MAY be a | A statement suitable for inclusion in this extension MAY be a | |||
| statement by the issuer that the certificate is issued as a Qualified | statement by the issuer that the certificate is issued as a Qualified | |||
| Certificate in accordance with a particular legal system (as | Certificate in accordance with a particular legal system (as | |||
| discussed in Section 2.2). | discussed in Section 2.2). | |||
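Review bot: The handwritten-signature paragraph changes what is hashed, from "the image data excluding any labels defining the image type" to "the whole referenced image file", so a hash produced under the earlier wording can differ from one computed under the new wording. This deserves a mention where the draft lists its changes, and since both predefined types now share the rule, it could be stated once for picture and handwritten-signature instead of twice.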
| skipping to change at page 14, line 18 ¶ | skipping to change at page 14, line 4 ¶ | |||
| IDENTIFIED BY id-pe-qcStatements } | IDENTIFIED BY id-pe-qcStatements } | |||
| -- NOTE: This extension does not allow to mix critical and | -- NOTE: This extension does not allow to mix critical and | |||
| -- non-critical Qualified Certificate Statements. Either all | -- non-critical Qualified Certificate Statements. Either all | |||
| -- statements must be critical or all statements must be | -- statements must be critical or all statements must be | |||
| -- non-critical. | -- non-critical. | |||
| id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } | id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } | |||
| QCStatements ::= SEQUENCE OF QCStatement | QCStatements ::= SEQUENCE OF QCStatement | |||
| QCStatement ::= SEQUENCE { | QCStatement ::= SEQUENCE { | |||
| statementId QC-STATEMENT.&Id({SupportedStatements}), | statementId QC-STATEMENT.&Id({SupportedStatements}), | |||
| statementInfo QC-STATEMENT.&Type | statementInfo QC-STATEMENT.&Type | |||
| ({SupportedStatements}{@statementId}) OPTIONAL } | ({SupportedStatements}{@statementId}) OPTIONAL } | |||
| SupportedStatements QC-STATEMENT ::= { qcStatement-1,...} | SupportedStatements QC-STATEMENT ::= { qcStatement-1,...} | |||
| 3.2.6.1 Predefined Statements | 3.2.6.1 Predefined Statements | |||
| The certificate statement (id-qcs-pkixQCSyntax-v1), identifies | The certificate statement (id-qcs-pkixQCSyntax-v1), identifies | |||
| conformance with section 3 of the obsoleted RFC 3039 (Version 1). | conformance with requirements defined in the obsoleted RFC 3039 | |||
| This statement is provided for identification of old certificates | (Version 1). This statement is thus provided for identification of | |||
| issued in conformance with RFC 3039. This statement MUST NOT be | old certificates issued in conformance with RFC 3039. This statement | |||
| included in certificates issued in accordance with this profile. | MUST NOT be included in certificates issued in accordance with this | |||
| profile. | ||||
| This profile includes a new qualified certificate statement | This profile includes a new qualified certificate statement | |||
| (identified by the OID id-qcs-pkixQCSyntax-v2), identifying | (identified by the OID id-qcs-pkixQCSyntax-v2), identifying | |||
| conformance with section 3 of this profile. This Qualified | conformance with requirements defined in this profile. This | |||
| Certificate profile is referred to as version 2 while RFC 3039 is | Qualified Certificate profile is referred to as version 2 while RFC | |||
| referred to as version 1. | 3039 is referred to as version 1. | |||
| qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation | qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation | |||
| IDENTIFIED BY id-qcs-pkixQCSyntax-v1 } | IDENTIFIED BY id-qcs-pkixQCSyntax-v1 } | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in RFC 3039 (Version 1). This statement may | -- defined in RFC 3039 (Version 1). This statement may | |||
| -- optionally contain additional semantics information as | -- optionally contain additional semantics information as | |||
| -- specified below. | -- specified below. | |||
| qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation | qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation | |||
| IDENTIFIED BY id-qcs-pkixQCSyntax-v2 } | IDENTIFIED BY id-qcs-pkixQCSyntax-v2 } | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in this Qualified Certificate profile | -- defined in this Qualified Certificate profile | |||
| -- (Version 2). This statement may optionally contain | -- (Version 2). This statement may optionally contain | |||
| -- additional semantics information as specified below. | -- additional semantics information as specified below. | |||
| SemanticsInformation ::= SEQUENCE { | SemanticsInformation ::= SEQUENCE { | |||
| semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, | semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, | |||
| nameRegistrationAuthorities NameRegistrationAuthorities | nameRegistrationAuthorities NameRegistrationAuthorities | |||
| OPTIONAL } | OPTIONAL } | |||
| (WITH COMPONENTS {..., semanticsIdentifier PRESENT}| | (WITH COMPONENTS {..., semanticsIdentifier PRESENT}| | |||
| WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) | WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) | |||
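Review bot: SupportedStatements is still declared as "{ qcStatement-1,...}" although this hunk defines qcStatement-2 and the text says the v1 statement MUST NOT be included in certificates issued in accordance with this profile; add qcStatement-2 to the set so the ASN.1 matches the prose. In the NOTE, "does not allow to mix" would read better as "does not allow mixing".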
| skipping to change at page 17, line 5 ¶ | skipping to change at page 17, line 5 ¶ | |||
| they represent the same physical entity is dependent on the semantics | they represent the same physical entity is dependent on the semantics | |||
| of the subjects' names. The semantics of a particular attribute may | of the subjects' names. The semantics of a particular attribute may | |||
| be different for different issuers. Comparing names without | be different for different issuers. Comparing names without | |||
| knowledge of the semantics of names in these particular certificates | knowledge of the semantics of names in these particular certificates | |||
| may provide misleading results. | may provide misleading results. | |||
| This specification is a profile of RFC 3280. The security | This specification is a profile of RFC 3280. The security | |||
| considerations section of that document applies to this specification | considerations section of that document applies to this specification | |||
| as well. | as well. | |||
| 5 References | 5 References | |||
| Normative references | Normative references | |||
| [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. | [RFC 2247] S. Kille, M. Wahl, A. Grimstad, R. Huber and S. | |||
| Sataluri, "Using Domains in LDAP/X.500 Distinguished | Sataluri, "Using Domains in LDAP/X.500 Distinguished | |||
| Names", RFC 2247, January 1998. | Names", RFC 2247, January 1998. | |||
| [RFC 2818] E. Rescorla, "HTTP Over TLS", RFC 2818, May 2000 | ||||
| [RFC 2985] M. Nystrom and B. Kaliski, "PKCS #9: Selected Object | ||||
| Classes and Attribute Types Version 2.0", RFC 2985, | ||||
| November 2000. | ||||
| [RFC 3280] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet | [RFC 3280] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet | |||
| X.509 Public Key Infrastructure: Certificate and | X.509 Public Key Infrastructure: Certificate and | |||
| Certificate Revocation List (CRL) Profile", RFC 3280, | Certificate Revocation List (CRL) Profile", RFC 3280, | |||
| April 2002. | April 2002. | |||
| [RFC 2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object | ||||
| Classes and Attribute Types Version 2.0", RFC 2985, | ||||
| November 2000. | ||||
| [X.509] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8:2001, | [X.509] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8:2001, | |||
| Information technology - Open Systems Interconnection - | Information technology - Open Systems Interconnection - | |||
| The Directory: Public-key and attribute certificate | The Directory: Public-key and attribute certificate | |||
| frameworks | frameworks | |||
| [X.520] ITU-T Recommendation X.520 (2001) | ISO/IEC 9594-6:2001, | [X.520] ITU-T Recommendation X.520 (2001) | ISO/IEC 9594-6:2001, | |||
| Information Technology - Open Systems Interconnection - | Information Technology - Open Systems Interconnection - | |||
| The Directory: Selected Attribute Types, 2001. | The Directory: Selected Attribute Types, 2001. | |||
| [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002), | [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002), | |||
| Information Technology - Abstract Syntax Notation One, | Information Technology - Abstract Syntax Notation One, | |||
| 2002. | 2002. | |||
| [ISO 3166] ISO 3166-1:1997, Codes for the representation of names | [ISO 3166] ISO 3166-1:1997, Codes for the representation of names | |||
| of countries, 1997. | of countries, 1997. | |||
| [HTTP/1.1] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, | ||||
| L. Masinter, P. Leach and T. Berners-Lee, "Hypertext | ||||
| Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | ||||
| Informative references | Informative references | |||
| [X.501] ITU-T recommendation X.501 (2001) | ISO/IEC 9594-2:2001, | [X.501] ITU-T recommendation X.501 (2001) | ISO/IEC 9594-2:2001, | |||
| Information Technology - Open Systems Interconnection - | Information Technology - Open Systems Interconnection - | |||
| The Directory: Models, 2001. | The Directory: Models, 2001. | |||
| [EU-ESDIR] Directive 1999/93/EC of the European Parliament and of | [EU-ESDIR] Directive 1999/93/EC of the European Parliament and of | |||
| the Council of 13 December 1999 on a Community framework | the Council of 13 December 1999 on a Community framework | |||
| for electronic signatures, 1999. | for electronic signatures, 1999. | |||
| 6 Intellectual Property Rights | [RFC 2253] Wahl, M., Kille, S., and T. Howes, "Lightweight Directory | |||
| Access Protocol (v3): UTF-8 String Representation of | ||||
| Distinguished Names," RFC 2253, December 1997. | ||||
| 6 Intellectual Property Rights | ||||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| intellectual property or other rights that might be claimed to | intellectual property or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; neither does it represent that it | might or might not be available; neither does it represent that it | |||
| has made any effort to identify any such rights. Information on the | has made any effort to identify any such rights. Information on the | |||
| IETF's procedures with respect to rights in standards-track and | IETF's procedures with respect to rights in standards-track and | |||
| standards related documentation can be found in BCP-11. Copies of | standards related documentation can be found in BCP-11. Copies of | |||
| claims of rights made available for publication and any assurances of | claims of rights made available for publication and any assurances of | |||
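Review bot: The [RFC 2253] entry added under Informative references gives its authors surname-first ("Wahl, M., Kille, S., and T. Howes") and puts the comma inside the closing quote of the title, while the unchanged [RFC 3280] entry in the same list is initials-first ("R. Housley, W. Polk, W. Ford, and D. Solo") with the comma outside the quote. The two [RFC 2985] rows in this hunk show the same split ("M. Nystrom and B. Kaliski" against "Nystrom, M. and B. Kaliski"). Pick one author and punctuation style and apply it to every entry in the list.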
| skipping to change at page 19, line 5 ¶ | skipping to change at page 19, line 5 ¶ | |||
| obtain a general license or permission for the use of such | obtain a general license or permission for the use of such | |||
| proprietary rights by implementors or users of this specification can | proprietary rights by implementors or users of this specification can | |||
| be obtained from the IETF Secretariat. | be obtained from the IETF Secretariat. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights which may cover technology that may be required to practice | rights which may cover technology that may be required to practice | |||
| this standard. Please address the information to the IETF Executive | this standard. Please address the information to the IETF Executive | |||
| Director. | Director. | |||
| A. ASN.1 definitions | A ASN.1 definitions | |||
| As in RFC 3280, ASN.1 modules are supplied in two different variants | As in RFC 3280, ASN.1 modules are supplied in two different variants | |||
| of the ASN.1 syntax. | of the ASN.1 syntax. | |||
| Appendix A.1 is in the 1988 syntax, and does not use macros. However, | Appendix A.1 is in the 1988 syntax, and does not use macros. However, | |||
| since the module imports type definitions from modules in RFC 3280 | since the module imports type definitions from modules in RFC 3280 | |||
| which are not completely in the 1988 syntax, the same comments as in | which are not completely in the 1988 syntax, the same comments as in | |||
| RFC 3280 regarding its use applies here as well; i.e., Appendix A.1 | RFC 3280 regarding its use applies here as well; i.e., Appendix A.1 | |||
| may be parsed by an 1988 ASN.1-parser by removing the definitions for | may be parsed by an 1988 ASN.1-parser by removing the definitions for | |||
| the UNIVERSAL types and all references to them in RFC 3280's 1988 | the UNIVERSAL types and all references to them in RFC 3280's 1988 | |||
| skipping to change at page 21, line 16 ¶ | skipping to change at page 21, line 16 ¶ | |||
| id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3} | id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3} | |||
| QCStatements ::= SEQUENCE OF QCStatement | QCStatements ::= SEQUENCE OF QCStatement | |||
| QCStatement ::= SEQUENCE { | QCStatement ::= SEQUENCE { | |||
| statementId OBJECT IDENTIFIER, | statementId OBJECT IDENTIFIER, | |||
| statementInfo ANY DEFINED BY statementId OPTIONAL} | statementInfo ANY DEFINED BY statementId OPTIONAL} | |||
| -- QC statements | -- QC statements | |||
| id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } | id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in RFC 3039 (Version 1). This statement may | -- defined in RFC 3039 (Version 1). This statement may | |||
| -- optionally contain additional semantics information as specified | -- optionally contain additional semantics information as specified | |||
| -- below. | -- below. | |||
| id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 } | id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 } | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in this Qualified Certificate profile | -- defined in this Qualified Certificate profile | |||
| -- (Version 2). This statement may optionally contain | -- (Version 2). This statement may optionally contain | |||
| -- additional semantics information as specified below. | -- additional semantics information as specified below. | |||
| SemanticsInformation ::= SEQUENCE { | SemanticsInformation ::= SEQUENCE { | |||
| semanticsIndentifier OBJECT IDENTIFIER OPTIONAL, | semanticsIndentifier OBJECT IDENTIFIER OPTIONAL, | |||
| nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL | nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL | |||
| } -- At least one field shall be present | } -- At least one field shall be present | |||
| NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName | NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName | |||
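Review bot: The field name `semanticsIndentifier` in the 1988-syntax SemanticsInformation is misspelled and is carried unchanged in both columns, although this revision touches the comments directly above it. The 1993-syntax module on this page spells the same field `semanticsIdentifier`, so the two modules disagree on the identifier, and code generated from them will not share a field name. Correct the spelling here so that both modules read `semanticsIdentifier OBJECT IDENTIFIER OPTIONAL`.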
| skipping to change at page 24, line 47 ¶ | skipping to change at page 24, line 30 ¶ | |||
| ({SupportedStatements}{@statementId}) OPTIONAL } | ({SupportedStatements}{@statementId}) OPTIONAL } | |||
| QC-STATEMENT ::= CLASS { | QC-STATEMENT ::= CLASS { | |||
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, | |||
| &Type OPTIONAL } | &Type OPTIONAL } | |||
| WITH SYNTAX { | WITH SYNTAX { | |||
| [SYNTAX &Type] IDENTIFIED BY &id } | [SYNTAX &Type] IDENTIFIED BY &id } | |||
| qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation | qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation | |||
| IDENTIFIED BY id-qcs-pkixQCSyntax-v1} | IDENTIFIED BY id-qcs-pkixQCSyntax-v1} | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in RFC 3039 (Version 1). This statement | -- defined in RFC 3039 (Version 1). This statement | |||
| -- may optionally contain additional semantics information | -- may optionally contain additional semantics information | |||
| -- as specified below. | -- as specified below. | |||
| qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation | qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation | |||
| IDENTIFIED BY id-qcs-pkixQCSyntax-v2} | IDENTIFIED BY id-qcs-pkixQCSyntax-v2} | |||
| -- This statement identifies conformance with syntax and | -- This statement identifies conformance with requirements | |||
| -- semantics defined in this Qualified Certificate profile | -- defined in this Qualified Certificate profile | |||
| -- (Version 2). This statement may optionally contain | -- (Version 2). This statement may optionally contain | |||
| -- additional semantics information as specified below. | -- additional semantics information as specified below. | |||
| SemanticsInformation ::= SEQUENCE { | SemanticsInformation ::= SEQUENCE { | |||
| semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, | semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, | |||
| nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL | nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL | |||
| }(WITH COMPONENTS {..., semanticsIdentifier PRESENT}| | }(WITH COMPONENTS {..., semanticsIdentifier PRESENT}| | |||
| WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) | WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) | |||
| NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName | NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName | |||
| -- The following information object set is defined to constrain the | -- The following information object set is defined to constrain the | |||
| -- set of attributes applications are required to recognize as QCSs. | -- set of attributes applications are required to recognize as QCSs. | |||
| SupportedStatements QC-STATEMENT ::= { | SupportedStatements QC-STATEMENT ::= { | |||
| qcStatement-1 | | qcStatement-1 | | |||
| qcStatement-2 , ... -- For future extensions -- } | qcStatement-2 , ... -- For future extensions -- } | |||
| END | END | |||
| B. A Note on Attributes | B A Note on Attributes | |||
| This document defines several new attributes, both for use in the | This document defines several new attributes, both for use in the | |||
| subject field of issued certificates and in the | subject field of issued certificates and in the | |||
| subjectDirectoryAttributes extension. A complete definition of these | subjectDirectoryAttributes extension. A complete definition of these | |||
| new attributes (including matching rules), along with object classes | new attributes (including matching rules), along with object classes | |||
| to support them in LDAP-accessible directories, can be found in [PKCS | to support them in LDAP-accessible directories, can be found in [PKCS | |||
| 9]. | 9]. | |||
| C. Example Certificate | C Example Certificate | |||
| This section contains the ASN.1 structure, an ASN.1 dump, and the | This section contains the ASN.1 structure, an ASN.1 dump, and the | |||
| DER-encoding of a certificate issued in conformance with this | DER-encoding of a certificate issued in conformance with this | |||
| profile. The example has been developed with the help of the OSS | profile. The example has been developed with the help of the OSS | |||
| ASN.1 compiler. The certificate has the following characteristics: | ASN.1 compiler. The certificate has the following characteristics: | |||
| 1. The certificate is signed with RSA and the SHA-1 hash | 1. The certificate is signed with RSA and the SHA-1 hash | |||
| algorithm | algorithm | |||
| 2. The issuer's distinguished name is O=GMD - Forschungszentrum | 2. The issuer's distinguished name is (using the syntax specified | |||
| Informationstechnik GmbH; C=DE | in [RFC 2253]): | |||
| 3. The subject's distinguished name is CN=Petra M. Barzin, O=GMD | O=GMD - Forschungszentrum Informationstechnik GmbH, C=DE | |||
| 3. The subject's distinguished name is (using the syntax specified | ||||
| in [RFC 2253]): GN=Petra+SN=Barzin, O=GMD | ||||
| - Forschungszentrum Informationstechnik GmbH, C=DE | - Forschungszentrum Informationstechnik GmbH, C=DE | |||
| 4. The certificate was issued on May 1, 2000 and will expire on | 4. The certificate was issued on 1 February, 2004 and will expire on | |||
| November 1, 2000 | 1 February, 2008 | |||
| 5. The certificate contains a 1024 bit RSA key | 5. The certificate contains a 1024 bit RSA key | |||
| 6. The certificate includes a critical key usage extension | 6. The certificate includes a critical key usage extension | |||
| exclusively indicating non-repudiation | exclusively indicating non-repudiation | |||
| 7. The certificate includes a certificate policy identifier | 7. The certificate includes a certificate policy identifier | |||
| extension indicating the practices and procedures undertaken | extension indicating the practices and procedures undertaken | |||
| by the issuing CA (object identifier 1.3.36.8.1.1). The | by the issuing CA (object identifier 1.3.36.8.1.1). The | |||
| certificate policy object identifier is defined by TeleTrust, | certificate policy object identifier is defined by TeleTrust, | |||
| Germany. It is required to be set in a certificate conformant | Germany. | |||
| to the German digital signature law. | ||||
| 8. The certificate includes a subject directory attributes | 8. The certificate includes a subject directory attributes | |||
| extension containing the following attributes: | extension containing the following attributes: | |||
| surname: Barzin | ||||
| given name: Petra | ||||
| date of birth: October, 14th 1971 | date of birth: October, 14th 1971 | |||
| place of birth: Darmstadt | place of birth: Darmstadt | |||
| country of citizenship:Germany | country of citizenship:Germany | |||
| gender: Female | gender: Female | |||
| 9. The certificate includes a qualified statement certificate | 9. The certificate includes a qualified statement certificate | |||
| extension indicating that the naming registration authority's | extension indicating that the naming registration authority's | |||
| name as "municipality@darmstadt.de". | name as "municipality@darmstadt.de". | |||
| 10. The certificate includes, in conformance with RFC 3280, an | 10. The certificate includes, in conformance with RFC 3280, an | |||
| authority key identifier extension. | authority key identifier extension. | |||
| C.1 ASN.1 Structure | C.1 ASN.1 Structure | |||
| C.1.1 Extensions | C.1.1 Extensions | |||
| Since extensions are DER-encoded already when placed in the structure | Since extensions are DER-encoded already when placed in the structure | |||
| to be signed, they are for clarity shown here in the value notation | to be signed, they are for clarity shown here in the value notation | |||
| defined in [X.680]. | defined in [X.680]. | |||
| C.1.1.1 The subjectDirectoryAttributes extension | C.1.1.1 The subjectDirectoryAttributes extension | |||
| petrasSubjDirAttrs AttributesSyntax ::= { | certSubjDirAttrs AttributesSyntax ::= { | |||
| { | { | |||
| type id-pda-countryOfCitizenship, | type id-pda-countryOfCitizenship, | |||
| values { | values { | |||
| PrintableString : "DE" | PrintableString : "DE" | |||
| } | } | |||
| }, | }, | |||
| { | { | |||
| type id-pda-gender, | type id-pda-gender, | |||
| values { | values { | |||
| PrintableString : "F" | PrintableString : "F" | |||
| } | } | |||
| }, | }, | |||
| { | { | |||
| type id-pda-dateOfBirth, | type id-pda-dateOfBirth, | |||
| values { | values { | |||
| GeneralizedTime : "197110140000Z" | GeneralizedTime : "197110141200Z" | |||
| } | } | |||
| }, | }, | |||
| { | { | |||
| type id-pda-placeOfBirth, | type id-pda-placeOfBirth, | |||
| values { | values { | |||
| DirectoryString : utf8String : "Darmstadt" | DirectoryString : utf8String : "Darmstadt" | |||
| } | } | |||
| } | } | |||
| } | } | |||
| C.1.1.2 The keyUsage extension | C.1.1.2 The keyUsage extension | |||
| petrasKeyUsage KeyUsage ::= {nonRepudiation} | certKeyUsage KeyUsage ::= {nonRepudiation} | |||
| C.1.1.3 The certificatePolicies extension | C.1.1.3 The certificatePolicies extension | |||
| petrasCertificatePolicies CertificatePoliciesSyntax ::= { | certCertificatePolicies CertificatePoliciesSyntax ::= { | |||
| { | { | |||
| policyIdentifier {1 3 36 8 1 1} | policyIdentifier {1 3 36 8 1 1} | |||
| } | } | |||
| } | } | |||
| C.1.1.4 The qcStatements extension | C.1.1.4 The qcStatements extension | |||
| petrasQCStatement QCStatements ::= { | certQCStatement QCStatements ::= { | |||
| { | { | |||
| statementId id-qcs-pkixQCSyntax-v1, | statementId id-qcs-pkixQCSyntax-v2, | |||
| statementInfo SemanticsInformation : { | statementInfo SemanticsInformation : { | |||
| nameRegistrationAuthorities { | nameRegistrationAuthorities { | |||
| rfc822Name : "municipality@darmstadt.de" | rfc822Name : "municipality@darmstadt.de" | |||
| } | } | |||
| } | } | |||
| }} | } | |||
| } | ||||
| C.1.1.5 The authorityKeyIdentifier extension | C.1.1.5 The authorityKeyIdentifier extension | |||
| petrasAKI AuthorityKeyIdentifier ::= { | certAKI AuthorityKeyIdentifier ::= { | |||
| keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H | keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H | |||
| } | } | |||
| C.1.2 The certificate | C.1.2 The certificate | |||
| The signed portion of the certificate is shown here in the value | The signed portion of the certificate is shown here in the value | |||
| notation defined in [X.680]. Note that extension values are already | notation defined in [X.680]. Note that extension values are already | |||
| DER encoded in this structure. Some values have been truncated for | DER encoded in this structure. Some values have been truncated for | |||
| readability purposes. | readability purposes. | |||
| { | certCertInfo CertificateInfo ::= { | |||
| version v3, | version v3, | |||
| serialNumber 1234567890, | serialNumber 1234567890, | |||
| signature | signature | |||
| { | { | |||
| algorithm { 1 2 840 113549 1 1 5 }, | algorithm { 1 2 840 113549 1 1 5 }, | |||
| parameters RSAParams : NULL | parameters RSAParams : NULL | |||
| }, | }, | |||
| issuer rdnSequence : | issuer rdnSequence : | |||
| { | { | |||
| { | { | |||
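Review bot: The dateOfBirth value in C.1.1.1 is still not a valid DER GeneralizedTime after this change: "197110141200Z" moves the time to noon but, like the old "197110140000Z", stops at minutes. DER requires the seconds element to be present, and C.1.1 states that these extension values are DER-encoded when placed in the certificate. Use "19711014120000Z" and regenerate the subjectDirectoryAttributes extnValue, the length fields that depend on it, and the hex in C.3.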
| skipping to change at page 28, line 38 ¶ | skipping to change at page 28, line 4 ¶ | |||
| { | { | |||
| { | { | |||
| type { 2 5 4 6 }, | type { 2 5 4 6 }, | |||
| value PrintableString : "DE" | value PrintableString : "DE" | |||
| } | } | |||
| }, | }, | |||
| { | { | |||
| { | { | |||
| type { 2 5 4 10 }, | type { 2 5 4 10 }, | |||
| value UTF8String : | value UTF8String : | |||
| "GMD - Forschungszentrum Informationstechnik GmbH" | "GMD - Forschungszentrum Informationstechnik GmbH" | |||
| } | } | |||
| } | } | |||
| }, | }, | |||
| validity | validity | |||
| { | { | |||
| notBefore utcTime : "000501100000Z", | notBefore utcTime : "040201100000Z", | |||
| notAfter utcTime : "001101100000Z" | notAfter utcTime : "080201100000Z" | |||
| }, | }, | |||
| subject rdnSequence : | subject rdnSequence : | |||
| { | { | |||
| { | { | |||
| { | { | |||
| type { 2 5 4 6 }, | type { 2 5 4 6 }, | |||
| value PrintableString : "DE" | value PrintableString : "DE" | |||
| } | } | |||
| }, | }, | |||
| { | { | |||
| skipping to change at page 29, line 33 ¶ | skipping to change at page 28, line 47 ¶ | |||
| } | } | |||
| } | } | |||
| }, | }, | |||
| subjectPublicKeyInfo | subjectPublicKeyInfo | |||
| { | { | |||
| algorithm | algorithm | |||
| { | { | |||
| algorithm { 1 2 840 113549 1 1 1 }, | algorithm { 1 2 840 113549 1 1 1 }, | |||
| parameters RSAParams : NULL | parameters RSAParams : NULL | |||
| }, | }, | |||
| subjectPublicKey '00110000 10000001 10000111 00000010 1000 ...'B | subjectPublicKey '30818902818100DCE74CD5...0203010001'H | |||
| }, | }, | |||
| extensions | extensions | |||
| { | { | |||
| { | { | |||
| extnId { 2 5 29 9 }, -- subjectDirectoryAttributes | extnId { 2 5 29 9 }, -- subjectDirectoryAttributes | |||
| extnValue '305B301006082B06010505070904310413024445300F0 ...'H | extnValue '305B301006082B0601050507090...7374616474'H | |||
| }, | }, | |||
| { | { | |||
| extnId { 2 5 29 15 }, -- keyUsage | extnId { 2 5 29 15 }, -- keyUsage | |||
| critical TRUE, | critical TRUE, | |||
| extnValue '03020640'H | extnValue '03020640'H | |||
| }, | }, | |||
| { | { | |||
| extnId { 2 5 29 32 }, -- certificatePolicies | extnId { 2 5 29 32 }, -- certificatePolicies | |||
| extnValue '3009300706052B24080101'H | extnValue '3009300706052B24080101'H | |||
| }, | }, | |||
| { | { | |||
| extnId { 2 5 29 35 }, -- authorityKeyIdentifier | extnId { 2 5 29 35 }, -- authorityKeyIdentifier | |||
| extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H | extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H | |||
| }, | }, | |||
| { | { | |||
| extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements | extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements | |||
| extnValue '302B302906082B06010505070B01301D301B81196D756 ...'H | extnValue '302B302906082B06010505070B0...4742E6465 'H | |||
| } | } | |||
| } | } | |||
| } | } | |||
| C.2 ASN.1 dump | C.2 ASN.1 dump | |||
| This section contains an ASN.1 dump of the signed portion of the | This section contains an ASN.1 dump of the signed portion of the | |||
| certificate. Some values has been truncated for readability | certificate. Some values have been truncated for readability | |||
| purposes. | purposes. | |||
| TBSCertificate SEQUENCE: tag = [UNIVERSAL 16] constructed; | CertificateInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 633 | |||
| length = 631 | ||||
| version : tag = [0] constructed; length = 3 | version : tag = [0] constructed; length = 3 | |||
| Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 | Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 | |||
| 2 | 2 | |||
| serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2] | serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2] | |||
| primitive; length = 4 | primitive; length = 4 | |||
| 1234567890 | 1234567890 | |||
| signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] | signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 13 | constructed; length = 13 | |||
| algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 9 | primitive; length = 9 | |||
| { 1 2 840 113549 1 1 5 } | { 1 2 840 113549 1 1 5 } | |||
| parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; | parameters OpenType | |||
| length = 0 | ||||
| NULL | NULL | |||
| issuer Name CHOICE | issuer Name CHOICE | |||
| rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] | rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] | |||
| constructed; length = 72 | constructed; length = 72 | |||
| RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | |||
| constructed; length = 11 | constructed; length = 11 | |||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 9 | constructed; length = 9 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 6 } | { 2 5 4 6 } -- id-at-countryName | |||
| value OpenType: PrintableString: tag = [UNIVERSAL 19] | value PrintableString | |||
| primitive; length = 2 | ||||
| "DE" | "DE" | |||
| RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | |||
| constructed; length = 57 | constructed; length = 57 | |||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 55 | constructed; length = 55 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 10 } | { 2 5 4 10 } -- id-at-organizationName | |||
| value OpenType : UTF8String: tag = [UNIVERSAL 12] | value UTF8String | |||
| primitive; length = 48 | "GMD Forschungszentrum Informationstechnik GmbH" | |||
| 0x474d44202d20466f72736368756e67737a656e7472756d2049... | validity Validity SEQUENCE: tag = [UNIVERSAL 16] | |||
| validity Validity SEQUENCE: tag = [UNIVERSAL 16] constructed; | constructed; length = 30 | |||
| length = 30 | ||||
| notBefore Time CHOICE | notBefore Time CHOICE | |||
| utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 | utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 | |||
| 000501100000Z | 040201100000Z | |||
| notAfter Time CHOICE | notAfter Time CHOICE | |||
| utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 | utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 | |||
| 001101100000Z | 080201100000Z | |||
| subject Name CHOICE | subject Name CHOICE | |||
| rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] | rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] | |||
| constructed; length = 101 | constructed; length = 101 | |||
| RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | |||
| constructed; length = 11 | constructed; length = 11 | |||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 9 | constructed; length = 9 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 6 } | { 2 5 4 6 } -- id-at-countryName | |||
| value OpenType: PrintableString: tag = [UNIVERSAL 19] | value PrintableString | |||
| primitive; length = 2 | ||||
| "DE" | "DE" | |||
| RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | |||
| constructed; length = 55 | constructed; length = 55 | |||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 53 | constructed; length = 53 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 10 } | { 2 5 4 10 } -- id-at-organizationName | |||
| value OpenType: UTF8String: tag = [UNIVERSAL 12] | value UTF8String | |||
| primitive; length = 46 | "GMD Forschungszentrum Informationstechnik GmbH" | |||
| 0x474d4420466f72736368756e67737a656e7472756d20496e66... | ||||
| RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] | |||
| constructed; length = 29 | constructed; length = 29 | |||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 13 | constructed; length = 13 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 4 } | { 2 5 4 4 } -- id-at-surname | |||
| value OpenType: UTF8String: tag = [UNIVERSAL 12] | value UTF8String | |||
| primitive; length = 6 | "Barzin" | |||
| 0x4261727a696e | ||||
| AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 12 | constructed; length = 12 | |||
| type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 4 42 } | { 2 5 4 42 } -- id-at-givenName | |||
| value OpenType: UTF8String: tag = [UNIVERSAL 12] | value UTF8String | |||
| primitive; length = 5 | "Petra" | |||
| 0x5065747261 | subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: | |||
| subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: tag = | tag = [UNIVERSAL 16] constructed; length = 159 | |||
| [UNIVERSAL 16] constructed; length = 157 | ||||
| algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] | algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] | |||
| constructed; length = 13 | constructed; length = 13 | |||
| algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 9 | primitive; length = 9 | |||
| { 1 2 840 113549 1 1 1 } | { 1 2 840 113549 1 1 1 } -- rsaEncryption | |||
| parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; | parameters OpenType | |||
| length = 0 | ||||
| NULL | NULL | |||
| subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] primitive; | subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] | |||
| length = 139 | primitive; length = 141 | |||
| 0x0030818702818100b8488400d4b6088be48ead459ca19ec717aaf3d1d... | 0x0030818902818100dce74cd5a1d55aeb01cf5ecc20f3c3fca787... | |||
| extensions : tag = [3] constructed; length = 233 | extensions : tag = [3] constructed; length = 233 | |||
| Extensions SEQUENCE OF: tag = [UNIVERSAL 16] constructed; | Extensions SEQUENCE OF: tag = [UNIVERSAL 16] | |||
| length = 230 | constructed; length = 230 | |||
| Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; | Extension SEQUENCE: tag = [UNIVERSAL 16] | |||
| length = 100 | constructed; length = 100 | |||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 29 9 } | { 2 5 29 9 } -- id-ce-subjectDirectoryAttributes | |||
| extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; | extnValue OCTET STRING: tag = [UNIVERSAL 4] | |||
| length = 93 | primitive; length = 93 | |||
| 0x305b301006082b06010505070904310413024445300f06082b060... | 0x305b301006082b06010505070904310413024445300f06082... | |||
| Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; | Extension SEQUENCE: tag = [UNIVERSAL 16] | |||
| length = 14 | constructed; length = 14 | |||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | ||||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | primitive; length = 3 | |||
| length = 3 | { 2 5 29 15 } -- id-ce-keyUsage | |||
| { 2 5 29 15 } | ||||
| critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 | critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 | |||
| TRUE | TRUE | |||
| extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; | extnValue OCTET STRING: tag = [UNIVERSAL 4] | |||
| length = 4 | primitive; length = 4 | |||
| 0x03020640 | 0x03020640 | |||
| Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; | Extension SEQUENCE: tag = [UNIVERSAL 16] | |||
| length = 18 | constructed; length = 18 | |||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 29 32 } | { 2 5 29 32 } -- id-ce-certificatePolicies | |||
| extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; | extnValue OCTET STRING: tag = [UNIVERSAL 4] | |||
| length = 11 | primitive; length = 11 | |||
| 0x3009300706052b24080101 | 0x3009300706052b24080101 | |||
| Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; | Extension SEQUENCE: tag = [UNIVERSAL 16] | |||
| length = 31 | constructed; length = 31 | |||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 3 | primitive; length = 3 | |||
| { 2 5 29 35 } | { 2 5 29 35 } -- id-ce-authorityKeyIdentifier | |||
| extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; | extnValue OCTET STRING: tag = [UNIVERSAL 4] | |||
| length = 24 | primitive; length = 24 | |||
| 0x30168014000102030405060708090a0b0c0d0e0ffedcba98 | 0x30168014000102030405060708090a0b0c0d0e0ffedcba98 | |||
| Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; | Extension SEQUENCE: tag = [UNIVERSAL 16] | |||
| length = 57 | constructed; length = 57 | |||
| extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; | extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] | |||
| length = 8 | primitive; length = 8 | |||
| { 1 3 6 1 5 5 7 1 3 } | { 1 3 6 1 5 5 7 1 3 } -- id-pe-qcStatements | |||
| extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; | extnValue OCTET STRING: tag = [UNIVERSAL 4] | |||
| length = 45 | primitive; length = 45 | |||
| 0x302b302906082b06010505070b01301d301b81196d756e6963697... | 0x302b302906082b06010505070b02301d301b81196d756e696... | |||
| C.3 DER-encoding | C.3 DER-encoding | |||
| This section contains the full, DER-encoded certificate, in hex. | This section contains the full, DER-encoded certificate, in hex. | |||
| 3082030E30820277A0030201020204499602D2300D06092A864886F70D010105 | 30820310 30820279 A0030201 02020449 9602D230 0D06092A 864886F7 0D010105 | |||
| 05003048310B300906035504061302444531393037060355040A0C30474D4420 | 05003048 310B3009 06035504 06130244 45313930 37060355 040A0C30 474D4420 | |||
| 2D20466F72736368756E67737A656E7472756D20496E666F726D6174696F6E73 | 2D20466F 72736368 756E6773 7A656E74 72756D20 496E666F 726D6174 696F6E73 | |||
| 746563686E696B20476D6248301E170D3030303530313130303030305A170D30 | 74656368 6E696B20 476D6248 301E170D 30343032 30313130 30303030 5A170D30 | |||
| 30313130313130303030305A3065310B30090603550406130244453137303506 | 38303230 31313030 3030305A 3065310B 30090603 55040613 02444531 37303506 | |||
| 0355040A0C2E474D4420466F72736368756E67737A656E7472756D20496E666F | 0355040A 0C2E474D 4420466F 72736368 756E6773 7A656E74 72756D20 496E666F | |||
| 726D6174696F6E73746563686E696B20476D6248311D300C060355042A0C0550 | 726D6174 696F6E73 74656368 6E696B20 476D6248 311D300C 06035504 2A0C0550 | |||
| 65747261300D06035504040C064261727A696E30819D300D06092A864886F70D | 65747261 300D0603 5504040C 06426172 7A696E30 819F300D 06092A86 4886F70D | |||
| 010101050003818B0030818702818100B8488400D4B6088BE48EAD459CA19EC7 | 01010105 0003818D 00308189 02818100 DCE74CD5 A1D55AEB 01CF5ECC 20F3C3FC | |||
| 17AAF3D1D4EE3ECCA496128A13597D16CC8B85EB37EFCE110C63B01E684E5CF6 | A787CFCB 571A21AA 8A20AD5D FF015130 DE724E5E D3F95392 E7BB16C4 A71D0F31 | |||
| 32291EAC60FD153C266EAAC36AD4CEA92319F9BFDD261AD2BFE41EAB4E17FE67 | B3A9926A 8F08EA00 FDC3A8F2 BB016DEC A3B9411B A2599A2A 8CB655C6 DFEA25BF | |||
| 8341EE52D9A0A8B4DEC07B7ACC76762514045CEE9994E0CF37BAE05F8DE33B35 | EDDC73B5 94FAA0EF E595C612 A6AE5B8C 7F0CA19C EC4FE7AB 60546768 4BB2387D | |||
| FF98BCE77742CE4B12273BD122137FE9020105A381E93081E630640603551D09 | 5F2F7EBD BC3EF0A6 04F6B404 01176925 02030100 01A381E9 3081E630 64060355 | |||
| 045D305B301006082B06010505070904310413024445300F06082B0601050507 | 1D09045D 305B3010 06082B06 01050507 09043104 13024445 300F0608 2B060105 | |||
| 09033103130146301D06082B060105050709013111180F313937313130313430 | 05070903 31031301 46301D06 082B0601 05050709 01311118 0F313937 31313031 | |||
| 30303030305A301706082B06010505070902310B0C094461726D737461647430 | 34313230 3030305A 30170608 2B060105 05070902 310B0C09 4461726D 73746164 | |||
| 0E0603551D0F0101FF04040302064030120603551D20040B3009300706052B24 | 74300E06 03551D0F 0101FF04 04030206 40301206 03551D20 040B3009 30070605 | |||
| 080101301F0603551D23041830168014000102030405060708090A0B0C0D0E0F | 2B240801 01301F06 03551D23 04183016 80140001 02030405 06070809 0A0B0C0D | |||
| FEDCBA98303906082B06010505070103042D302B302906082B06010505070B01 | 0E0FFEDC BA983039 06082B06 01050507 0103042D 302B3029 06082B06 01050507 | |||
| 301D301B81196D756E69636970616C697479406461726D73746164742E646530 | 0B02301D 301B8119 6D756E69 63697061 6C697479 40646172 6D737461 64742E64 | |||
| 0D06092A864886F70D01010505000381810048FD14D9AFE961E4321D9AA40CC0 | 65300D06 092A8648 86F70D01 01050500 03818100 8F8C80BB B2D86B75 F4E21F82 | |||
| 1C12893550CF76FBECBDE448926B0AE6F904AB89E7B5F808666FB007218AC18D | EFE0F20F 6C558890 A6E73118 8359B9C7 8CE71C92 0C66C600 53FBC924 825090F2 | |||
| 28CE1E2D40FBF8C16B275CBA0547D7885B74059DEC736223368FC1602A510BC1 | 95B08826 EAF3FF1F 5917C80B B4836129 CFE5563E 78592B5B B0F9ACB5 2915F0F2 | |||
| EB31E39F3967BE6B413D48BC743A0AB19C57FD20F3B393E8FEBD8B05CAA5007D | BC36991F 21436520 E9064761 D932D871 F71FFEBD AD648FA7 CF3C1BC0 96F112D4 | |||
| AD36F9D789AEF636A0AC0F93BCB3711B5907 | B882B39F E1A16A90 AE1A80B8 A9676518 B5AA7E97 | |||
| C.4 CA's public RSA key | C.4 CA's public RSA key | |||
| This section contains the DER-encoded public RSA key of the CA who | This section contains the DER-encoded public RSA key of the CA who | |||
| signed the example certificate. It is included with the purpose of | signed the example certificate. It is included with the purpose of | |||
| simplifying verifications of the example certificate. | simplifying verifications of the example certificate. | |||
| 30818902818100ad1f35964b3674c807b9f8a645d2c8174e514b69a4b46a7382 | 30818902818100c88f4bdb66f713ba3dd7a9069880e888d4321acb53cda7fcdf | |||
| 915abbc44eccede914dae8fcc023abcea9c53380e641795cb0dda664b872fc10 | da89b834e25430b956d46a438baa6798035af30db378424e00a8296b012b1b24 | |||
| 9f9bbb852bf42d994f634c681608e388dce240b558513e5b60027bd1a07cef9c | f9cf0b3f83be116cd8a36957dc3f54cbd7c58a10c380b3dfa15bd2922ea8660f | |||
| 9b6db37c7e1f1abd238eed96e4b669056b260f55e83f14e6027127c9deb3ad18 | 96e1603d81357c0442ad607c5161d083d919fd5307c1c3fa6dfead0e6410999e | |||
| afcd3f8a5f5bf50203010001 | 8b8a8411d525dd0203010001 | |||
| Authors' Addresses | Authors' Addresses | |||
| Stefan Santesson | Stefan Santesson | |||
| Microsoft Denmark | Microsoft Denmark | |||
| Tuborg Boulevard 12 | Tuborg Boulevard 12 | |||
| DK-2900 Hellerup | DK-2900 Hellerup | |||
| Denmark | Denmark | |||
| EMail: stefans@microsoft.com | EMail: stefans@microsoft.com | |||
| End of changes. 85 change blocks. | ||||
| 242 lines changed or deleted | 255 lines changed or added | |||
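Review bot: in C.3 the example certificate is replaced wholesale, so its semantic changes can only be recovered by decoding the hex, and the draft should list them alongside the example. Decoding both columns shows four: validity moves from 000501100000Z through 001101100000Z to 040201100000Z through 080201100000Z; the subject's RSA public exponent moves from 5 (020105) to 65537 (0203010001); dateOfBirth moves from 19711014000000Z to 19711014120000Z; and the statementId inside qcStatements now ends in 0B02 instead of 0B01, matching the changed extnValue in the ASN.1 dump above C.3. That dump now names each extnId in a comment (id-ce-keyUsage, id-pe-qcStatements and so on) but still leaves the changed statementId undecoded inside a truncated extnValue; a comment naming it there would let readers see the one semantic change in that extension. In C.4 the key is a bare RSAPublicKey (it starts 30 81 89 02 81 81 00, a SEQUENCE holding the modulus INTEGER) rather than a SubjectPublicKeyInfo, while the text only says "DER-encoded public RSA key"; naming the structure would tell implementers how to load it. C.4 also stays lowercase and ungrouped while C.3 is now uppercase in 8-digit groups; one style for both would be easier to check.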
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/