idnits 2.17.1 draft-ietf-pkix-qc-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 4 instances of too long lines in the document, the longest one being 3 characters in excess of 72. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 1163 has weird spacing: '...ementId id-q...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'UNIVERSAL 16' is mentioned on line 1418, but not defined -- Looks like a reference, but probably isn't: '0' on line 1282 == Missing Reference: 'UNIVERSAL 2' is mentioned on line 1285, but not defined == Missing Reference: 'UNIVERSAL 6' is mentioned on line 1420, but not defined == Missing Reference: 'UNIVERSAL 5' is mentioned on line 1375, but not defined == Missing Reference: 'UNIVERSAL 17' is mentioned on line 1350, but not defined == Missing Reference: 'UNIVERSAL 19' is mentioned on line 1337, but not defined == Missing Reference: 'UNIVERSAL 12' is mentioned on line 1365, but not defined == Missing Reference: 'UNIVERSAL 23' is mentioned on line 1325, but not defined == Missing Reference: 'UNIVERSAL 3' is mentioned on line 1378, but not defined -- Looks like a reference, but probably isn't: '3' on line 1381 == Missing Reference: 'UNIVERSAL 4' is mentioned on line 1423, but not defined == Missing Reference: 'UNIVERSAL 1' is mentioned on line 1397, but not defined == Unused Reference: 'RFC 2119' is defined on line 645, but no explicit reference was found in the text == Unused Reference: 'RFC 2247' is defined on line 648, but no explicit reference was found in the text == Unused Reference: 'RFC 2459' is defined on line 651, but no explicit reference was found in the text == Unused Reference: 'ISO 3166' is defined on line 669, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2459 (Obsoleted by RFC 3280) -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO 3166' -- Possible downref: Non-RFC (?) normative reference: ref. 'PKCS 9' Summary: 5 errors (**), 0 flaws (~~), 19 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PKIX Working Group S. Santesson (AddTrust) 3 INTERNET-DRAFT W. Polk (NIST) 4 Expires January, 2001 P. Barzin (SECUDE) 5 M. Nystrom (RSA Security) 6 July, 2000 8 Internet X.509 Public Key Infrastructure 10 Qualified Certificates Profile 12 14 Status of this Memo 16 This document is an Internet-Draft and is in full conformance with 17 all provisions of Section 10 of RFC2026. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that other 21 groups may also distribute working documents as Internet-Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 Copyright (C) The Internet Society (2000). All Rights Reserved. 36 Abstract 38 This document forms a certificate profile for Qualified Certificates, 39 based on RFC 2459, for use in the Internet. The term Qualified 40 Certificate is used to describe a certificate with a certain 41 qualified status within applicable governing law. Further, Qualified 42 Certificates are issued exclusively to physical persons. 44 The goal of this document is to define a general syntax independent 45 of local legal requirements. The profile is however designed to allow 46 further profiling in order to meet specific local needs. 48 It is important to note that the profile does not define any legal 49 requirements for Qualified Certificates. 51 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 52 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 53 document are to be interpreted as described in RFC 2119. 55 Please send comments on this document to the ietf-pkix@imc.org 56 mailing list. 58 Table of Contents 60 1 Introduction ................................................ 3 61 2 Requirements and Assumptions ................................ 3 62 2.1 Properties ................................................ 4 63 2.2 Statement of Purpose ...................................... 5 64 2.3 Policy Issues ............................................. 5 65 2.4 Uniqueness of names ....................................... 5 66 3 Certificate and Certificate Extensions Profile .............. 5 67 3.1 Basic Certificate Fields .................................. 6 68 3.1.1 Issuer .................................................. 6 69 3.1.2 Subject ................................................. 6 70 3.2 Certificate Extensions .................................... 8 71 3.2.1 Subject Directory Attributes ............................ 8 72 3.2.2 Certificate Policies .................................... 10 73 3.2.3 Key Usage ............................................... 10 74 3.2.4 Biometric Information ................................... 10 75 3.2.5 Qualified Certificate Statements ........................ 11 76 4 Security Considerations ..................................... 13 77 5 References .................................................. 14 78 6 Intellectual Property Right ................................. 15 80 Appendices 82 A ASN.1 definitions ........................................... 16 83 A.1 1988 ASN.1 Module ......................................... 16 84 A.2 1993 ASN.1 Module ......................................... 19 85 B A Note on Attributes ........................................ 24 86 C. Example Certificate ........................................ 24 87 C.1 ASN.1 Structure ........................................... 25 88 C.2 ASN.1 Dump ................................................ 28 89 C.3 DER-encoding .............................................. 31 90 C.4 CA's public key ........................................... 32 91 D. Authors' Addresses ......................................... 32 92 E. Full Copyright Statement ................................... 33 94 1 Introduction 96 This specification is one part of a family of standards for the X.509 97 Public Key Infrastructure (PKI) for the Internet. It is based on RFC 98 2459, which defines underlying certificate formats and semantics 99 needed for a full implementation of this standard. 101 The standard profiles the format for a specific type of certificates 102 named Qualified Certificates. The term Qualified Certificates and the 103 assumptions that affects the scope of this document are discussed in 104 Section 2. 106 Section 3 defines requirements on information content in Qualified 107 Certificates. This profile addresses two fields in the basic 108 certificate as well as five certificate extensions. The certificate 109 fields are the subject and issuer fields. The certificate extensions 110 are subject directory attributes, certificate policies, key usage, a 111 private extension for storage of biometric data and a private 112 extension for storage of statements related to Qualified 113 Certificates. 115 In Section 4, some security considerations are discussed in order to 116 clarify the security context in which Qualified Certificates are 117 assumed to be utilized. Section 5 contains the references. 119 Appendix A contains all relevant ASN.1 [X.680] structures that are 120 not already defined in RFC 2459. Appendix B contains a note on 121 attributes. Appendix C contains an example certificate. Appendix D 122 contains authors' addresses and Appendix E contains the IETF 123 Copyright Statement. 125 It should be noted that this specification does not define the 126 specific semantics of Qualified Certificates, and does not define the 127 policies that should be used with them. That is, this document 128 defines what information should go into Qualified Certificates, but 129 not what that information means. A system that uses Qualified 130 Certificates must define its own semantics for the information in 131 Qualified Certificates. It is expected that laws and corporate 132 policies will make these definitions. 134 2 Requirements and Assumptions 136 The term "Qualified Certificate" has been used by the European 137 Commission to describe a certain type of certificates with specific 138 relevance for European legislation. This specification is intended 139 to support this class of certificates, but its scope is not limited 140 to this application. 142 Within this standard the term "Qualified Certificate" is used more 143 generally, describing the format for a certificate whose primary 144 purpose is identifying a person with high level of assurance in 145 public non-repudiation services. The actual mechanisms that will 146 decide whether a certificate should or should not be considered to be 147 a "Qualified Certificate" in regard to any legislation are outside 148 the scope of this standard. 150 Harmonization in the field of Qualified Certificates is essential 151 within several aspects that fall outside the scope of RFC 2459. The 152 most important aspects that affect the scope of this specification 153 are: 155 - Definition of names and identity information in order to identify 156 the associated subject in a uniform way. 158 - Definition of information which identifies the CA and the 159 jurisdiction under which the CA operates when issuing a 160 particular certificate. 162 - Definition of key usage extension usage for Qualified 163 Certificates. 165 - Definition of information structure for storage of biometric 166 information. 168 - Definition of a standardized way to store predefined statements 169 with relevance for Qualified Certificates. 171 - Requirements for critical extensions. 173 2.1 Properties 175 A Qualified Certificate as defined in this standard is assumed to 176 have the following properties: 178 - The certificate is issued by a CA that makes a public statement 179 that the certificate serves the purpose of a Qualified 180 Certificate, as discussed in Section 2.2 182 - The certificate indicates a certificate policy consistent with 183 liabilities, practices and procedures undertaken by the CA, as 184 discussed in 2.3 186 - The certificate is issued to a natural person (living human being). 188 - The certificate contains an identity based on a pseudonym or a 189 real name of the subject. 191 2.2 Statement of Purpose 193 For a certificate to serve the purpose of being a Qualified 194 Certificate, this profile assumes that the CA will have to include in 195 the certificate a public statement that explicitly defines this 196 intent. 198 The function of this statement is thus to assist any concerned entity 199 in evaluating the risk associated with creating or accepting 200 signatures that are based on a Qualified Certificate. 202 2.3 Policy Issues 204 Certain policy aspects define the context in which this profile is to 205 be understood and used. It is however outside the scope of this 206 profile to specify any policies or legal aspects that will govern 207 services that issue or utilize certificates according to this 208 profile. 210 It is however assumed that the issuing CA will undertake to follow a 211 publicly available certificate policy that is consistent with its 212 liabilities, practices and procedures. 214 2.4 Uniqueness of names 216 Distinguished name is originally defined in X.501 [X.501] as a 217 representation of a directory name, defined as a construct that 218 identifies a particular object from among the set of all objects. An 219 object can be assigned a distinguished name without being represented 220 by an entry in the Directory, but this name is then the name its 221 object entry could have had if it were represented in the Directory. 222 In the context of qualified certificates, a distinguished name 223 denotes a set of attribute values [X.501] which forms a name that is 224 unambiguous within a certain domain that forms either a real or a 225 virtual DIT (Directory Information Tree)[X.501]. In the case of 226 subject names the domain is assumed to be at least the issuing domain 227 of the CA. The distinguished name MUST be unique for each subject 228 entity certified by the one CA as defined by the issuer name field, 229 during the whole life time of the CA. 231 3 Certificate and Certificate Extensions Profile 233 This section defines a profile for Qualified Certificates. The 234 profile is based on the Internet certificate profile RFC 2459 which 235 in turn is based on the X.509 version 3 format. For full 236 implementation of this section implementers are REQUIRED to consult 237 the underlying formats and semantics defined in RFC 2459. 239 ASN.1 definitions relevant for this section that are not supplied by 240 RFC 2459 are supplied in Appendix A. 242 3.1 Basic Certificate Fields 244 This specification provides additional details regarding the contents 245 of two fields in the basic certificate. These fields are the issuer 246 and subject fields. 248 3.1.1 Issuer 250 The issuer field SHALL identify the organization responsible for 251 issuing the certificate, and SHALL include a registered name of the 252 organization. 254 The identity of the issuer SHALL be specified using an appropriate 255 subset of the following attributes: 257 domainComponent; 258 countryName; 259 stateOrProvinceName; 260 organizationName; 261 localityName; and 262 serialNumber. 264 Additional attributes MAY be present but they SHOULD NOT be necessary 265 to identify the issuing organization. 267 The legal jurisdiction for the issuing CA SHOULD be consistent with 268 the issuer name. 270 It should be noted, however, that a relying party MAY have to consult 271 associated certificate policies and/or the issuer's CPS, in order to 272 determine the semantics of name fields and legal jurisdiction. 274 3.1.2 Subject 276 The subject field of a certificate compliant with this profile SHALL 277 contain a distinguished name of the subject (see 2.4 for definition 278 of distinguished name). 280 The subject field SHALL contain an appropriate subset of the 281 following attributes: 283 countryName; 284 commonName; 285 surname; 286 givenName; 287 pseudonym; 288 serialNumber; 289 organizationName; 290 organizationalUnitName; 291 stateOrProvinceName 292 localityName and 293 postalAddress. 295 Other attributes may be present but MUST NOT be necessary to 296 distinguish the subject name from other subject names within the 297 issuer domain. 299 Of these attributes, the subject field SHALL include at least one of 300 the following: 302 Choice I: commonName 303 Choice II: givenName 304 Choice III: pseudonym 306 The countryName attribute value specifies a general context in which 307 other attributes are to be understood. The country attribute does not 308 necessarily indicate the subject's country of citizenship or country 309 of residence, nor does it have to indicate the country of issuance. 311 Note: Many X.500 implementations require the presence of countryName 312 in the DIT. In cases where the subject name, as specified in the 313 subject field, specifies a public X.500 directory entry, the 314 countryName attribute SHOULD always be present. 316 The commonName attribute value SHALL, when present, contain a name of 317 the subject. This MAY be in the subject's preferred presentation 318 format, or a format preferred by the CA, or some other format. 319 Pseudonyms, nicknames and names with spelling other than defined by 320 the registered name MAY be used. To understand the nature of the name 321 presented in commonName, complying applications MAY have to examine 322 present values of the givenName and surname attributes, or the 323 pseudonym attribute. 325 Note: Many client implementations presuppose the presence of the 326 commonName attribute value in the subject field and use this value to 327 display the subject's name regardless of present givenName, surname 328 or pseudonym attribute values. 330 The surname and givenName attribute types SHALL, if present, contain 331 the registered name of the subject, depending on the laws under which 332 the CA prepares the certificate. These attributes SHALL be used in 333 the subject field if the commonName attribute is not present. In 334 cases where the subject only has a single name registered, the 335 givenName attribute SHALL be used and the surname attribute SHALL be 336 omitted. 338 The pseudonym attribute type SHALL, if present, contain a pseudonym 339 of the subject. Use of the pseudonym attribute MUST NOT be combined 340 with use of any of the attributes surname and/or givenName. 342 The serialNumber attribute type SHALL, when present, be used to 343 differentiate between names where the subject field would otherwise 344 be identical. This attribute has no defined semantics beyond 345 ensuring uniqueness of subject names. It MAY contain a number or 346 code assigned by the CA or an identifier assigned by a government or 347 civil authority. It is the CA's responsibility to ensure that the 348 serialNumber is sufficient to resolve any subject name collisions. 350 The organizationName and the organizationalUnitName attribute types 351 SHALL, when present, be used to store the name and relevant 352 information of an organization with which the subject is associated. 353 The type of association between the organization and the subject is 354 beyond the scope of this document. 356 The postalAddress, the stateOrProvinceName and the localityName 357 attribute types SHALL, when present, be used to store address and 358 geographical information with which the subject is associated. If an 359 organizationName value also is present then the postalAddress, 360 stateOrProvinceName and localityName attribute values SHALL be 361 associated with the specified organization. The type of association 362 between the postalAddress, stateOrProvinceName and the localityName 363 and either the subject or the organizationName is beyond the scope of 364 this document. 366 Compliant implementations SHALL be able to interpret the attributes 367 named in this section. 369 3.2 Certificate Extensions 371 This specification provides additional details regarding the contents 372 of five certificate extensions. These extensions are the subject 373 directory attributes, certificate policies, key usage, private 374 extension for biometric information and private extension for 375 Qualified Certificate statements. 377 3.2.1 Subject Directory Attributes 379 The subjectDirectoryAttributes extension MAY contain additional 380 attributes, associated with the subject, as complement to present 381 information in the subject field and the subject alternative name 382 extension. 384 Attributes suitable for storage in this extension are attributes, 385 which are not part of the subject's distinguished name, but which MAY 386 still be useful for other purposes (e.g. authorization). 388 This extension MUST NOT be marked critical. 390 Compliant implementations SHALL be able to interpret the following 391 attributes: 393 title; 394 dateOfBirth; 395 placeOfBirth; 396 gender; 397 countryOfCitizenship; and 398 countryOfResidence. 400 Other attributes MAY be included according to local definitions. 402 The title attribute type SHALL, when present, be used to store a 403 designated position or function of the subject within the 404 organization specified by present organizational attributes in the 405 subject field. The association between the title, the subject and the 406 organization is beyond the scope of this document. 408 The dateOfBirth attribute SHALL, when present, contain the value of 409 the date of birth of the subject. The manner in which the date of 410 birth is associated with the subject is outside the scope of this 411 document. 413 The placeOfBirth attribute SHALL, when present, contain the value of 414 the place of birth of the subject. The manner in which the place of 415 birth is associated with the subject is outside the scope of this 416 document. 418 The gender attribute SHALL, when present, contain the value of the 419 gender of the subject. For females the value "F" and for males the 420 value "M" have to be used. The manner in which the gender is 421 associated with the subject is outside the scope of this document. 423 The countryOfCitizenship attribute SHALL, when present, contain the 424 identifier of at least one of the subject's claimed country of 425 citizenship at the time that the certificate was issued. If the 426 subject is a citizen of more than one country, more than one country 427 MAY be present. Determination of citizenship is a matter of law and 428 is outside the scope of this document. 430 The countryOfResidence attribute SHALL, when present, contain the 431 value of at least one country in which the subject is resident. If 432 the subject is a resident of more than one country, more than one 433 country MAY be present. Determination of residence is a matter of 434 law and is outside the scope of this document. 436 3.2.2 Certificate Policies 438 The certificate policies extension SHALL contain the identifier of at 439 least one certificate policy which reflects the practices and 440 procedures undertaken by the CA. The certificate policy extension MAY 441 be marked critical. 443 A statement by the issuer stating the purpose of the certificate as 444 discussed in Section 2.2 SHOULD be evident through indicated 445 policies. 447 In order to enhance path validation based on policy object 448 identifiers any statement related to Qualified Certificates, as 449 defined in 3.2.5, SHOULD also be defined by included certificate 450 policies. 452 Certificate policies MAY be combined with any qualifier defined in 453 RFC 2459. 455 3.2.3 Key Usage 457 The key usage extension SHALL be present. If the key usage 458 nonRepudiation bit is asserted then it SHOULD NOT be combined with 459 any other key usage , i.e. if set, the key usage non-repudiation 460 SHOULD be set exclusively. 462 The key usage extension MAY be marked critical. 464 3.2.4 Biometric Information 466 This section defines an extension for storage of biometric 467 information. Biometric information is stored in the form of a hash of 468 a biometric template. 470 The purpose of this extension is to provide means for authentication 471 of biometric information. The biometric information that corresponds 472 to the stored hash is not stored in this extension, but the extension 473 MAY include an URI pointing to a location where this information can 474 be obtained. If included, this URI does not imply that this is the 475 only way to access this information. 477 It is RECOMMENDED that biometric information in this extension are 478 limited to information types suitable for human verification, i.e., 479 where the decision of whether the information is an accurate 480 representation of the subject is naturally performed by a person. 481 This implies a usage where the biometric information is represented 482 by, for example, a graphical image displayed to the relying party, 483 which MAY be used by the relying party to enhance identification of 484 the subject. 486 This extension MUST NOT be marked critical. 488 biometricInfo EXTENSION ::= { 489 SYNTAX BiometricSyntax 490 IDENTIFIED BY id-pe-biometricInfo } 492 id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} 494 BiometricSyntax ::= SEQUENCE OF BiometricData 496 BiometricData ::= SEQUENCE { 497 typeOfBiometricData TypeOfBiometricData, 498 hashAlgorithm AlgorithmIdentifier, 499 biometricDataHash OCTET STRING, 500 sourceDataUri IA5String OPTIONAL } 502 TypeOfBiometricData ::= CHOICE { 503 predefinedBiometricType PredefinedBiometricType, 504 biometricDataID OBJECT IDENTIFIER } 506 PredefinedBiometricType ::= INTEGER { picture(0), 507 handwritten-signature(1)} (picture|handwritten-signature,...) 509 The predefined biometric type picture, when present, SHALL identify 510 that the source picture is in the form of a displayable graphical 511 image of the subject. The hash of the graphical image SHALL only be 512 calculated over the image data excluding any labels defining the 513 image type. 515 The predefined biometric type handwritten-signature, when present, 516 SHALL identify that the source data is in the form of a displayable 517 graphical image of the subject's handwritten signature. The hash of 518 the graphical image SHALL only be calculated over the image data 519 excluding any labels defining the image type. 521 3.2.5 Qualified Certificate Statements 523 This section defines an extension for inclusion of defined statements 524 related to Qualified Certificates. 526 A typical statement suitable for inclusion in this extension MAY be a 527 statement by the issuer that the certificate is issued as a Qualified 528 Certificate in accordance with a particular legal system (as 529 discussed in Section 2.2). 531 Other statements suitable for inclusion in this extension MAY be 532 statements related to the applicable legal jurisdiction within which 533 the certificate is issued. As an example this MAY include a maximum 534 reliance limit for the certificate indicating restrictions on CA's 535 liability. 537 Each statement SHALL include an object identifier for the statement 538 and MAY also include optional qualifying data contained in the 539 statementInfo parameter. 541 If the statementInfo parameter is included then the object identifier 542 of the statement SHALL define the syntax and SHOULD define the 543 semantics of this parameter. If the object identifier does not 544 define the semantics, a relying party may have to consult a relevant 545 certificate policy or CPS to determine the exact semantics. 547 This extension may be critical or non-critical. 549 qcStatements EXTENSION ::= { 550 SYNTAX QCStatements 551 IDENTIFIED BY id-pe-qcStatements } 553 id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } 555 QCStatements ::= SEQUENCE OF QCStatement 557 QCStatement ::= SEQUENCE { 558 statementId QC-STATEMENT.&Id({SupportedStatements}), 559 statementInfo QC-STATEMENT.&Type 560 ({SupportedStatements}{@statementId}) OPTIONAL } 562 SupportedStatements QC-STATEMENT ::= { qcStatement-1,...} 564 3.2.5.1 Predefined Statements 566 This profile includes one predefined object identifier (id-qcs- 567 pkixQCSyntax-v1), identifying conformance with syntax and semantics 568 defined in this profile. This Qualified Certificate profile is 569 referred to as version 1. 571 qcStatement-1 QC-STATEMENT ::= { SemanticsInformation IDENTIFIED 572 BY id-qcs-pkixQCSyntax-v1 } 573 -- This statement identifies conformance with syntax and 574 -- semantics defined in this Qualified Certificate profile 575 -- (Version 1). The SemanticsInformation may optionally contain 576 -- additional semantics information as specified. 578 SemanticsInformation ::= SEQUENCE { 579 semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, 580 nameRegistrationAuthorities NameRegistrationAuthorities 581 OPTIONAL } 582 (WITH COMPONENTS {..., semanticsIdentifier PRESENT}| 583 WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) 585 NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF 586 GeneralName 588 The SementicsInformation component identified by id-qcs- 589 pkixQCSyntax-v1 MAY contain a semantics identifier and MAY identify 590 one or more name registration authorities. 592 The semanticsIdentifier component, if present, SHALL contain an OID, 593 defining semantics for attributes and names in basic certificate 594 fields and certificate extensions. The OID may define semantics for 595 all, or for a subgroup of all present attributes and/or names. 597 The NameRegistrationAuthorities component, if present, SHALL contain 598 a name of one or more name registration authorities, responsible for 599 registration of attributes or names associated with the subject. The 600 association between an identified name registration authority and 601 present attributes MAY be defined by a semantics identifier OID, by a 602 certificate policy (or CPS) or some other implicit factors. 604 If a value of type SemanticsInformation is present in a QCStatement 605 then at least one of the fields semanticsIdentifier and 606 nameRegistrationAuthorities must be present, as indicated. 608 4 Security Considerations 610 The legal value of a digital signature that is validated with a 611 Qualified Certificate will be highly dependent upon the policy 612 governing the use of the associated private key. Both the private key 613 holder as well as the relying party should make sure that the private 614 key is used only with the consent of the legitimate key holder. 616 Since the public keys are for public use with legal implications for 617 involved parties, certain conditions should exist before CAs issues 618 certificates as Qualified Certificates. The associated private keys 619 must be unique for the subject, and must be maintained under the 620 subject's sole control. That is, a CA should not issue a qualified 621 certificate if the private key is shared among entities, or the means 622 to use the private key is not protected against unintended usage. 623 This implies that the CA must perform proof-of-possession of the 624 private key. In addition, it implies that the CA have some knowledge 625 about the subject's cryptographic module. 627 CAs should not issue CA certificates with policy mapping extensions 628 indicating acceptance of another CA's policy unless these conditions 629 are met. 631 Combining the nonRepudiation bit in the keyUsage certificate 632 extension with other keyUsage bits may have security implications and 633 this specification therefore recommends against such practices. 635 Comparing two qualified certificates to determine if they represent 636 the same physical entity may provide misleading results and should be 637 performed with care. 639 This specification is a profile of RFC 2459. The security 640 considerations section of that document applies to this specification 641 as well. 643 5 References 645 [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate 646 Requirement Levels", March 1997. 648 [RFC 2247] S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri, 649 "Using Domains in LDAP/X.500 Distinguished Names", January 1998. 651 [RFC 2459] R. Housley, W. Ford, W. Polk, and D.Solo, "Internet X.509 652 Public Key Infrastructure: Certificate and CRL Profile", January 653 1999. 655 [X.501] ITU-T Recommendation X.501: Information Technology - Open 656 Systems Interconnection - The Directory: Models, June 1993. 658 [X.509] ITU-T Recommendation X.509: Information Technology - Open 659 Systems Interconnection - The Directory: Authentication Framework, 660 June 1997. 662 [X.520] ITU-T Recommendation X.520: Information Technology - Open 663 Systems Interconnection - The Directory: Selected Attribute Types, 664 June 1993. 666 [X.680] ITU-T Recommendation X.680: Information Technology - 667 Abstract Syntax Notation One, 1997. 669 [ISO 3166] ISO Standard 3166: Codes for the representation of names 670 of countries, 1993. 672 [PKCS 9] RSA Laboratories: PKCS #9 v2.0: Selected Object Classes and 673 Attributes, February 2000. 675 6 Intellectual Property Rights 677 The IETF takes no position regarding the validity or scope of any 678 intellectual property or other rights that might be claimed to 679 pertain to the implementation or use of the technology described in 680 this document or the extent to which any license under such rights 681 might or might not be available; neither does it represent that it 682 has made any effort to identify any such rights. Information on the 683 IETF's procedures with respect to rights in standards-track and 684 standards related documentation can be found in BCP-11. Copies of 685 claims of rights made available for publication and any assurances of 686 licenses to be made available, or the result of an attempt made to 687 obtain a general license or permission for the use of such 688 proprietary rights by implementors or users of this specification can 689 be obtained from the IETF Secretariat. 691 The IETF invites any interested party to bring to its attention any 692 copyrights, patents or patent applications, or other proprietary 693 rights which may cover technology that may be required to practice 694 this standard. Please address the information to the IETF Executive 695 Director. 697 APPENDICES 699 A. ASN.1 definitions 701 As in RFC 2459, ASN.1 modules are supplied in two different variants 702 of the ASN.1 syntax. 704 Appendix A.1 is in the 1988 syntax, and does not use macros. However, 705 since the module imports type definitions from modules in RFC 2459 706 which are not completely in the 1988 syntax, the same comments as in 707 RFC 2459 regarding its use applies here as well; i.e. Appendix A.1 708 may be parsed by an 1988 ASN.1-parser by removing the definitions for 709 the UNIVERSAL types and all references to them in RFC 2459's 1988 710 modules. 712 Appendix A.2 is in the 1993 syntax. However, since the module imports 713 type definitions from modules in RFC 2459 which are not completely in 714 the 1993 syntax, the same comments as in RFC 2459 regarding its use 715 applies here as well; i.e. Appendix A.2 may be parsed by an 1993 716 ASN.1-parser by removing the UTF8String choice from the definition of 717 DirectoryString in the module PKIX1Explicit93 in RFC 2459. Appendix 718 A.2 may be parsed "as is" by an 1997 ASN.1 parser, however. 720 A.1 1988 ASN.1 Module 722 PKIXqualified88 {iso(1) identified-organization(3) dod(6) 723 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 724 id-mod-qualified-cert-88(10) } 726 DEFINITIONS EXPLICIT TAGS ::= 728 BEGIN 730 -- EXPORTS ALL -- 732 IMPORTS 734 GeneralName 735 FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) 736 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 737 id-pkix1-implicit-88(2)} 739 AlgorithmIdentifier, DirectoryString, Attribute, AttributeType, 740 id-pkix, id-pe, id-at 741 FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) 742 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 743 id-pkix1-explicit-88(1)}; 745 -- Locally defined OIDs 747 -- Arc for QC 'OtherName' types 748 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 749 -- Arc for QC personal data attributes 750 id-pda OBJECT IDENTIFIER ::= { id-pkix 9 } 751 -- Arc for QC statements 752 id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 } 754 -- Attributes 756 id-at-serialNumber AttributeType ::= { id-at 5 } 757 SerialNumber ::= PrintableString (SIZE(1..64)) 759 id-at-postalAddress AttributeType ::= { id-at 16 } 760 PostalAddress ::= SEQUENCE OF DirectoryString 762 id-at-pseudonym AttributeType ::= { id-at 65 } 763 Pseudonym ::= DirectoryString 765 domainComponent AttributeType ::= 766 { 0 9 2342 19200300 100 1 25 } 767 DomainComponent ::= IA5String 769 id-pda-dateOfBirth AttributeType ::= { id-pda 1 } 770 DateOfBirth ::= GeneralizedTime 772 id-pda-placeOfBirth AttributeType ::= { id-pda 2 } 773 PlaceOfBirth ::= DirectoryString 775 id-pda-gender AttributeType ::= { id-pda 3 } 776 Gender ::= PrintableString (SIZE(1)) 777 -- "M", "F", "m" or "f" 779 id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 } 780 CountryOfCitizenship ::= PrintableString (SIZE (2)) 781 -- ISO 3166 Country Code 783 id-pda-countryOfResidence AttributeType ::= { id-pda 5 } 784 CountryOfResidence ::= PrintableString (SIZE (2)) 785 -- ISO 3166 Country Code 787 -- Private extensions 789 -- Biometric info extension 791 id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2} 792 BiometricSyntax ::= SEQUENCE OF BiometricData 794 BiometricData ::= SEQUENCE { 795 typeOfBiometricData TypeOfBiometricData, 796 hashAlgorithm AlgorithmIdentifier, 797 biometricDataHash OCTET STRING, 798 sourceDataUri IA5String OPTIONAL } 800 TypeOfBiometricData ::= CHOICE { 801 predefinedBiometricType PredefinedBiometricType, 802 biometricDataOid OBJECT IDENTIFIER } 804 PredefinedBiometricType ::= INTEGER { 805 picture(0),handwritten-signature(1)} 806 (picture|handwritten-signature) 808 -- QC Statements Extension 810 id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3} 812 QCStatements ::= SEQUENCE OF QCStatement 814 QCStatement ::= SEQUENCE { 815 statementId OBJECT IDENTIFIER, 816 statementInfo ANY DEFINED BY statementId OPTIONAL} 818 -- QC statements 819 id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } 821 -- This object identifier identifies conformance with syntax and 822 -- semantics defined in this Qualified Certificate profile 823 -- (Version 1). This statement may optionally contain 824 -- additional semantics information as specified below. 826 SemanticsInformation ::= SEQUENCE { 827 semanticsIndentifier OBJECT IDENTIFIER OPTIONAL, 828 nameRegistrationAuthorities NameRegistrationAuthorities 829 OPTIONAL } 830 NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF 831 GeneralName 833 END 835 A.2 1993 ASN.1 Module 837 PKIXqualified93 {iso(1) identified-organization(3) dod(6) 838 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 839 id-mod-qualified-cert-93(11) } 841 DEFINITIONS EXPLICIT TAGS ::= 843 BEGIN 845 -- EXPORTS ALL -- 847 IMPORTS 849 authorityKeyIdentifier, subjectKeyIdentifier, keyUsage, 850 extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies, 851 policyMappings, subjectAltName, issuerAltName, basicConstraints, 852 nameConstraints, policyConstraints, cRLDistributionPoints, 853 subjectDirectoryAttributes, authorityInfoAccess, GeneralName, 854 OTHER-NAME 855 FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6) 856 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 857 id-pkix1-implicit-93(4)} 859 id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION, 860 DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName, 861 id-at-surname, id-at-countryName, id-at-localityName, 862 id-at-stateOrProvinceName, id-at-organizationName, 863 id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier, 864 pkcs9email, title, organizationName, organizationalUnitName, 865 stateOrProvinceName, localityName, countryName, 866 generationQualifier, dnQualifier, initials, givenName, surname, 867 commonName, name 868 FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) 869 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 870 id-pkix1-explicit-93(3)}; 872 -- Object Identifiers 874 -- Externally defined OIDs 875 id-at-serialNumber OBJECT IDENTIFIER ::= { id-at 5} 876 id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 } 877 id-at-pseudonym OBJECT IDENTIFIER ::= { id-at 65 } 878 id-domainComponent OBJECT IDENTIFIER ::= { 0 4 2342 19200300 100 1 25 } 880 -- Locally defined OIDs 882 -- Arc for QC 'OtherName' types 883 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 884 -- Arc for QC personal data attributes 885 id-pda OBJECT IDENTIFIER ::= { id-pkix 9 } 886 -- Arc for QC statements 887 id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 } 889 -- Private extensions 890 id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 } 891 id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 } 893 -- Personal data attributes 894 id-pda-dateOfBirth OBJECT IDENTIFIER ::= { id-pda 1 } 895 id-pda-placeOfBirth OBJECT IDENTIFIER ::= { id-pda 2 } 896 id-pda-gender OBJECT IDENTIFIER ::= { id-pda 3 } 897 id-pda-countryOfCitizenship OBJECT IDENTIFIER ::= { id-pda 4 } 898 id-pda-countryOfResidence OBJECT IDENTIFIER ::= { id-pda 5 } 900 -- QC statements 901 id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 } 903 -- Object Sets 905 -- The following information object set is defined to constrain the 906 -- set of legal certificate extensions. Note that this set is an 907 -- extension of the ExtensionSet defined in RFC 2459. 908 ExtensionSet EXTENSION ::= { 909 authorityKeyIdentifier | 910 subjectKeyIdentifier | 911 keyUsage | 912 extendedKeyUsage | 913 privateKeyUsagePeriod | 914 certificatePolicies | 915 policyMappings | 916 subjectAltName | 917 issuerAltName | 918 basicConstraints | 919 nameConstraints | 920 policyConstraints | 921 cRLDistributionPoints | 922 subjectDirectoryAttributes | 923 authorityInfoAccess | 924 biometricInfo | 925 qcStatements, ... } 927 -- The following information object set is defined to constrain the 928 -- set of attributes applications are required to recognize in 929 -- distinguished names. The set may of course be augmented to meet 930 -- local requirements. Note that deleting members of the set may 931 -- prevent interoperability with conforming implementations, and that 932 -- this set is an extension of the SupportedAttributes set in RFC 2459. 933 SupportedAttributes ATTRIBUTE ::= { 934 countryName | commonName | surname | givenName | pseudonym | 935 serialNumber | organizationName | organizationalUnitName | 936 stateOrProvinceName | localityName | postalAddress | 937 pkcs9email | domainComponent | dnQualifier, 938 ... -- For future extensions -- } 940 -- The following information object set is defined to constrain the 941 -- set of attributes applications are required to recognize in 942 -- subjectDirectoryAttribute extensions. The set may be augmented to 943 -- meet local requirements. Note that deleting members of the set 944 -- may prevent interoperability with conforming implementations. 945 PersonalDataAttributeSet ATTRIBUTE ::= { 946 title | dateOfBirth | placeOfBirth | gender | countryOfCitizenship | 947 countryOfResidence, ... } 949 -- Attributes 951 -- serialNumber from X.520 952 serialNumber ATTRIBUTE ::= { 953 WITH SYNTAX PrintableString (SIZE(1..64)) 954 ID id-at-serialNumber } 956 -- postalAddress from X.520 957 postalAddress ATTRIBUTE ::= { 958 WITH SYNTAX SEQUENCE SIZE (1..6) OF DirectoryString { 30 } 959 ID id-at-postalAddress } 961 -- pseudonym from (forthcoming) X.520) 962 pseudonym ATTRIBUTE ::= { 963 WITH SYNTAX DirectoryString { ub-name } 964 ID id-at-pseudonym } 966 -- domainComponent from RFC 2247 967 domainComponent ATTRIBUTE ::= { 968 WITH SYNTAX IA5String 969 ID id-domainComponent } 971 dateOfBirth ATTRIBUTE ::= { 972 WITH SYNTAX GeneralizedTime 973 ID id-pda-dateOfBirth } 975 placeOfBirth ATTRIBUTE ::= { 976 WITH SYNTAX UTF8String (SIZE(1..ub-name)) 977 ID id-pda-placeOfBirth } 979 gender ATTRIBUTE ::= { 980 WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f")) 981 ID id-pda-gender } 983 countryOfCitizenship ATTRIBUTE ::= { 984 WITH SYNTAX PrintableString (SIZE (2)) 985 (CONSTRAINED BY { -- ISO 3166 codes only -- }) 986 ID id-pda-countryOfCitizenship } 988 countryOfResidence ATTRIBUTE ::= { 989 WITH SYNTAX PrintableString (SIZE (2)) 990 (CONSTRAINED BY { -- ISO 3166 codes only -- }) 991 ID id-pda-countryOfResidence } 993 -- Private extensions 995 -- Biometric info extension 997 biometricInfo EXTENSION ::= { 998 SYNTAX BiometricSyntax 999 IDENTIFIED BY id-pe-biometricInfo } 1001 BiometricSyntax ::= SEQUENCE OF BiometricData 1003 BiometricData ::= SEQUENCE { 1004 typeOfBiometricData TypeOfBiometricData, 1005 hashAlgorithm AlgorithmIdentifier, 1006 biometricDataHash OCTET STRING, 1007 sourceDataUri IA5String OPTIONAL, 1008 ... -- For future extensions -- } 1010 TypeOfBiometricData ::= CHOICE { 1011 predefinedBiometricType PredefinedBiometricType, 1012 biometricDataOid OBJECT IDENTIFIER } 1014 PredefinedBiometricType ::= INTEGER { picture(0), 1015 handwritten-signature(1)} (picture|handwritten-signature,...) 1017 -- QC Statements Extension 1019 qcStatements EXTENSION ::= { 1020 SYNTAX QCStatements 1021 IDENTIFIED BY id-pe-qcStatements } 1023 QCStatements ::= SEQUENCE OF QCStatement 1025 QCStatement ::= SEQUENCE { 1026 statementId QC-STATEMENT.&id({SupportedStatements}), 1027 statementInfo QC-STATEMENT.&Type 1028 ({SupportedStatements}{@statementId}) OPTIONAL } 1030 QC-STATEMENT ::= CLASS { 1031 &id OBJECT IDENTIFIER UNIQUE, 1032 &Type OPTIONAL } 1033 WITH SYNTAX { 1034 [&Type] IDENTIFIED BY &id } 1036 qcStatement-1 QC-STATEMENT ::= { SemanticsInformation IDENTIFIED BY 1037 id-qcs-pkixQCSyntax-v1} 1038 -- This statement identifies conformance with syntax and 1039 -- semantics defined in this Qualified Certificate profile 1040 -- (Version 1). The SemanticsInformation may optionally contain 1041 -- additional semantics information as specified. 1043 SemanticsInformation ::= SEQUENCE { 1044 semanticsIdentifier OBJECT IDENTIFIER OPTIONAL, 1045 nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL 1046 }(WITH COMPONENTS {..., semanticsIdentifier PRESENT}| 1047 WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT}) 1049 NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName 1051 -- The following information object set is defined to constrain the 1052 -- set of attributes applications are required to recognize as QCSs. 1053 SupportedStatements QC-STATEMENT ::= { 1054 qcStatement-1, ... -- For future extensions -- } 1056 END 1058 B. A Note on Attributes 1060 This document defines several new attributes, both for use in the 1061 subject field of issued certificates and in the 1062 subjectDirectoryAttributes extension. In the interest of conformity, 1063 they have been defined here using the ASN.1 ATTRIBUTE definition from 1064 RFC 2459, which is sufficient for the purposes of this document, but 1065 greatly simplified in comparison with ISO/ITU's definition. A 1066 complete definition of these new attributes (including matching 1067 rules), along with object classes to support them in LDAP-accessible 1068 directories, can be found in [PKCS 9]. 1070 C. Example Certificate 1072 This section contains the ASN.1 structure, an ASN.1 dump, and the 1073 DER-encoding of a certificate issued in conformance with this 1074 profile. The example has been developed with the help of the OSS 1075 ASN.1 compiler. The certificate has the following characteristics: 1077 1. The certificate is signed with RSA and the SHA-1 hash algo- 1078 rithm 1079 2. The issuer's distinguished name is O=GMD - Forschungszentrum 1080 Informationstechnik GmbH; C=DE 1081 3. The subject's distinguished name is CN=Petra M. Barzin, 1082 O=GMD - Forschungszentrum Informationstechnik GmbH, C=DE 1083 5. The certificate was issued on May 1, 2000 and will expire on 1084 November 1, 2000 1085 6. The certificate contains a 1024 bit RSA key 1086 7. The certificate includes a critical key usage extension 1087 exclusively indicating non-repudiation 1088 8. The certificate includes a certificate policy identifier 1089 extension indicating the practices and procedures undertaken 1090 by the issuing CA (object identifier 1.3.36.8.1.1). The 1091 certificate policy object identifier is defined by TeleTrust, 1092 Germany. It is required to be set in a certificate conformant 1093 to the German digital signature law. 1094 9. The certificate includes a subject directory attributes 1095 extension containing the following attributes: 1097 surname: Barzin 1098 given name: Petra 1099 date of birth: October, 14th 1971 1100 place of birth: Darmstadt 1101 country of citizenship:DE (object identifier 1102 gender: female 1104 10. The certificate includes a qualified statement private 1105 extension indicating that the naming registration authority's 1106 name as "municipality@darmstadt.de". 1107 11. The certificate includes, in conformance with RFC 2459, an 1108 authority key identifier extension. 1110 C.1 ASN.1 Structure 1112 C.1.1 Extensions 1114 Since extensions are DER-encoded already when placed in the structure 1115 to be signed, they are for clarity shown here in the value notation 1116 defined in [X.680]. 1118 C.1.1.1 The subjectDirectoryAttributes extension 1120 petrasSubjDirAttrs AttributesSyntax ::= { 1121 { 1122 type id-pda-countryOfCitizenship, 1123 values { 1124 PrintableString : "DE" 1125 } 1126 }, 1127 { 1128 type id-pda-gender, 1129 values { 1130 PrintableString : "F" 1131 } 1132 }, 1133 { 1134 type id-pda-dateOfBirth, 1135 values { 1136 GeneralizedTime : "197110140000Z" 1137 } 1138 }, 1139 { 1140 type id-pda-placeOfBirth, 1141 values { 1142 UTF8String : "Darmstadt" 1143 } 1144 } 1145 } 1147 C.1.1.2 The keyUsage extension 1149 petrasKeyUsage KeyUsage ::= {nonRepudiation} 1151 C.1.1.3 The certificatePolicies extension 1153 petrasCertificatePolicies CertificatePoliciesSyntax ::= { 1154 { 1155 policyIdentifier {1 3 36 8 1 1} 1156 } 1157 } 1159 C.1.1.4 The qcStatements extension 1161 petrasQCStatement QCStatements ::= { 1162 { 1163 statementId id-qcs-pkixQCSyntax-v1, 1164 statementInfo SemanticsInformation : { 1165 nameRegistrationAuthorities { 1166 rfc822Name : "municipality@darmstadt.de" 1167 } 1168 } 1169 } 1170 } 1172 C.1.1.5 The authorityKeyIdentifier extension 1174 petrasAKI AuthorityKeyIdentifier ::= { 1175 keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H 1176 } 1178 C.1.2 The certificate 1180 The signed portion of the certificate is shown here in the value 1181 notation defined in [X.680]. Note that extension values are already 1182 DER encoded in this structure. Some values has been truncated for 1183 readability purposes. 1185 { 1186 version v3, 1187 serialNumber 1234567890, 1188 signature 1189 { 1190 algorithm { 1 2 840 113549 1 1 5 }, 1191 parameters RSAParams : NULL 1192 }, 1193 issuer rdnSequence : 1194 { 1195 { 1196 { 1197 type { 2 5 4 6 }, 1198 value PrintableString : "DE" 1199 } 1200 }, 1201 { 1202 { 1203 type { 2 5 4 10 }, 1204 value UTF8String : 1205 "GMD - Forschungszentrum Informationstechnik GmbH" 1206 } 1207 } 1208 }, 1209 validity 1210 { 1211 notBefore utcTime : "000501100000Z", 1212 notAfter utcTime : "001101100000Z" 1213 }, 1214 subject rdnSequence : 1215 { 1216 { 1217 { 1218 type { 2 5 4 6 }, 1219 value PrintableString : "DE" 1220 } 1221 }, 1222 { 1223 { 1224 type { 2 5 4 10 }, 1225 value UTF8String : 1226 "GMD Forschungszentrum Informationstechnik GmbH" 1227 } 1228 }, 1229 { 1230 { 1231 type { 2 5 4 4 }, 1232 value UTF8String : "Barzin" 1233 }, 1234 { 1235 type { 2 5 4 42 }, 1236 value UTF8String : "Petra" 1237 } 1238 } 1239 }, 1240 subjectPublicKeyInfo 1241 { 1242 algorithm 1243 { 1244 algorithm { 1 2 840 113549 1 1 1 }, 1245 parameters RSAParams : NULL 1246 }, 1247 subjectPublicKey '00110000 10000001 10000111 00000010 1000 ...'B 1248 }, 1249 extensions 1250 { 1251 { 1252 extnId { 2 5 29 9 }, -- subjectDirectoryAttributes 1253 extnValue '305B301006082B06010505070904310413024445300F0 ...'H 1254 }, 1255 { 1256 extnId { 2 5 29 15 }, -- keyUsage 1257 critical TRUE, 1258 extnValue '03020640'H 1259 }, 1260 { 1261 extnId { 2 5 29 32 }, -- certificatePolicies 1262 extnValue '3009300706052B24080101'H 1263 }, 1264 { 1265 extnId { 2 5 29 35 }, -- authorityKeyIdentifier 1266 extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H 1267 }, 1268 { 1269 extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements 1270 extnValue '302B302906082B06010505070B01301D301B81196D756 ...'H 1271 } 1272 } 1273 } 1275 C.2 ASN.1 dump 1277 This section contains an ASN.1 dump of the signed portion of the 1278 certificate. Some values has been truncated for readability purposes. 1280 TBSCertificate SEQUENCE: tag = [UNIVERSAL 16] constructed; 1281 length = 631 1282 version : tag = [0] constructed; length = 3 1283 Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1 1284 2 1285 serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2] 1286 primitive; length = 4 1287 1234567890 1288 signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] 1289 constructed; length = 13 1290 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1291 length = 9 1292 { 1 2 840 113549 1 1 5 } 1293 parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; 1294 length = 0 1295 NULL 1296 issuer Name CHOICE 1297 rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] 1298 constructed; length = 72 1299 RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] 1300 constructed; length = 11 1301 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1302 constructed; length = 9 1303 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1304 length = 3 1305 { 2 5 4 6 } 1306 value OpenType: PrintableString: tag = [UNIVERSAL 19] 1307 primitive; length = 2 1308 "DE" 1309 RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] 1310 constructed; length = 57 1311 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1312 constructed; length = 55 1313 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1314 length = 3 1315 { 2 5 4 10 } 1316 value OpenType : UTF8String: tag = [UNIVERSAL 12] 1317 primitive; length = 48 1318 0x474d44202d20466f72736368756e67737a656e7472756d2049... 1319 validity Validity SEQUENCE: tag = [UNIVERSAL 16] constructed; 1320 length = 30 1321 notBefore Time CHOICE 1322 utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 1323 000501100000Z 1324 notAfter Time CHOICE 1325 utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13 1326 001101100000Z 1327 subject Name CHOICE 1328 rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16] 1329 constructed; length = 101 1330 RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] 1331 constructed; length = 11 1332 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1333 constructed; length = 9 1334 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1335 length = 3 1336 { 2 5 4 6 } 1337 value OpenType: PrintableString: tag = [UNIVERSAL 19] 1338 primitive; length = 2 1339 "DE" 1340 RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] 1341 constructed; length = 55 1342 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1343 constructed; length = 53 1344 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1345 length = 3 1346 { 2 5 4 10 } 1347 value OpenType: UTF8String: tag = [UNIVERSAL 12] 1348 primitive; length = 46 1349 0x474d4420466f72736368756e67737a656e7472756d20496e66... 1350 RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17] 1351 constructed; length = 29 1352 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1353 constructed; length = 13 1354 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1355 length = 3 1356 { 2 5 4 4 } 1357 value OpenType: UTF8String: tag = [UNIVERSAL 12] 1358 primitive; length = 6 1359 0x4261727a696e 1360 AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16] 1361 constructed; length = 12 1362 type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1363 length = 3 1364 { 2 5 4 42 } 1365 value OpenType: UTF8String: tag = [UNIVERSAL 12] 1366 primitive; length = 5 1367 0x5065747261 1368 subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: tag = 1369 [UNIVERSAL 16] constructed; length = 157 1370 algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16] 1371 constructed; length = 13 1372 algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1373 length = 9 1374 { 1 2 840 113549 1 1 1 } 1375 parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive; 1376 length = 0 1377 NULL 1378 subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] primitive; 1379 length = 139 1380 0x0030818702818100b8488400d4b6088be48ead459ca19ec717aaf3d1d... 1381 extensions : tag = [3] constructed; length = 233 1382 Extensions SEQUENCE OF: tag = [UNIVERSAL 16] constructed; 1383 length = 230 1384 Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; 1385 length = 100 1386 extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1387 length = 3 1388 { 2 5 29 9 } 1389 extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; 1390 length = 93 1391 0x305b301006082b06010505070904310413024445300f06082b060... 1392 Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; 1393 length = 14 1394 extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1395 length = 3 1396 { 2 5 29 15 } 1397 critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1 1398 TRUE 1399 extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; 1400 length = 4 1401 0x03020640 1402 Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; 1403 length = 18 1404 extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1405 length = 3 1406 { 2 5 29 32 } 1407 extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; 1408 length = 11 1409 0x3009300706052b24080101 1410 Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; 1411 length = 31 1412 extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1413 length = 3 1414 { 2 5 29 35 } 1415 extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; 1416 length = 24 1417 0x30168014000102030405060708090a0b0c0d0e0ffedcba98 1418 Extension SEQUENCE: tag = [UNIVERSAL 16] constructed; 1419 length = 57 1420 extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive; 1421 length = 8 1422 { 1 3 6 1 5 5 7 1 3 } 1423 extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive; 1424 length = 45 1425 0x302b302906082b06010505070b01301d301b81196d756e6963697... 1427 C.3 DER-encoding 1429 This section contains the full, DER-encoded certificate, in hex. 1431 3082030E30820277A0030201020204499602D2300D06092A864886F70D010105 1432 05003048310B300906035504061302444531393037060355040A0C30474D4420 1433 2D20466F72736368756E67737A656E7472756D20496E666F726D6174696F6E73 1434 746563686E696B20476D6248301E170D3030303530313130303030305A170D30 1435 30313130313130303030305A3065310B30090603550406130244453137303506 1436 0355040A0C2E474D4420466F72736368756E67737A656E7472756D20496E666F 1437 726D6174696F6E73746563686E696B20476D6248311D300C060355042A0C0550 1438 65747261300D06035504040C064261727A696E30819D300D06092A864886F70D 1439 010101050003818B0030818702818100B8488400D4B6088BE48EAD459CA19EC7 1440 17AAF3D1D4EE3ECCA496128A13597D16CC8B85EB37EFCE110C63B01E684E5CF6 1441 32291EAC60FD153C266EAAC36AD4CEA92319F9BFDD261AD2BFE41EAB4E17FE67 1442 8341EE52D9A0A8B4DEC07B7ACC76762514045CEE9994E0CF37BAE05F8DE33B35 1443 FF98BCE77742CE4B12273BD122137FE9020105A381E93081E630640603551D09 1444 045D305B301006082B06010505070904310413024445300F06082B0601050507 1445 09033103130146301D06082B060105050709013111180F313937313130313430 1446 30303030305A301706082B06010505070902310B0C094461726D737461647430 1447 0E0603551D0F0101FF04040302064030120603551D20040B3009300706052B24 1448 080101301F0603551D23041830168014000102030405060708090A0B0C0D0E0F 1449 FEDCBA98303906082B06010505070103042D302B302906082B06010505070B01 1450 301D301B81196D756E69636970616C697479406461726D73746164742E646530 1451 0D06092A864886F70D01010505000381810048FD14D9AFE961E4321D9AA40CC0 1452 1C12893550CF76FBECBDE448926B0AE6F904AB89E7B5F808666FB007218AC18D 1453 28CE1E2D40FBF8C16B275CBA0547D7885B74059DEC736223368FC1602A510BC1 1454 EB31E39F3967BE6B413D48BC743A0AB19C57FD20F3B393E8FEBD8B05CAA5007D 1455 AD36F9D789AEF636A0AC0F93BCB3711B5907 1457 C.4 CA's public RSA key 1459 This section contains the DER-encoded public RSA key of the CA who 1460 signed the example certificate. It is included with the purpose of 1461 simplifying verifications of the example certificate. 1463 30818902818100ad1f35964b3674c807b9f8a645d2c8174e514b69a4b46a7382 1464 915abbc44eccede914dae8fcc023abcea9c53380e641795cb0dda664b872fc10 1465 9f9bbb852bf42d994f634c681608e388dce240b558513e5b60027bd1a07cef9c 1466 9b6db37c7e1f1abd238eed96e4b669056b260f55e83f14e6027127c9deb3ad18 1467 afcd3f8a5f5bf50203010001 1469 D. Authors' Addresses 1471 Stefan Santesson 1472 AddTrust AB 1473 Slagthuset 1474 S-211 20 Malmoe 1475 Sweden 1476 stefan@addtrust.com 1478 Tim Polk 1479 NIST 1480 Building 820, Room 426 1481 Gaithersburg, MD 20899, USA 1482 wpolk@nist.gov 1484 Petra Barzin 1485 SECUDE - Sicherheitstechnologie Informationssysteme GmbH 1486 Landwehrstrasse 50a 1487 D-64293 Darmstadt 1488 Germany 1489 barzin@secude.com 1490 Magnus Nystrom 1491 RSA Security AB 1492 Box 10704 1493 S-121 29 Stockholm 1494 Sweden 1495 magnus@rsasecurity.com 1497 E. Full Copyright Statement 1499 Copyright (C) The Internet Society (2000). All Rights Reserved. 1501 This document and translations of it may be copied and furnished to 1502 others, and derivative works that comment on or otherwise explain it 1503 or assist in its implementation may be prepared, copied, published 1504 and distributed, in whole or in part, without restriction of any 1505 kind, provided that the above copyright notice and this paragraph are 1506 included on all such copies and derivative works. In addition, the 1507 ASN.1 modules presented in Appendices A and B may be used in whole or 1508 in part without inclusion of the copyright notice. However, this 1509 document itself may not be modified in any way, such as by removing 1510 the copyright notice or references to the Internet Society or other 1511 Internet organizations, except as needed for the purpose of 1512 developing Internet standards in which case the procedures for 1513 copyrights defined in the Internet Standards process shall be 1514 followed, or as required to translate it into languages other than 1515 English. 1517 The limited permissions granted above are perpetual and will not be 1518 revoked by the Internet Society or its successors or assigns. This 1519 document and the information contained herein is provided on an "AS 1520 IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK 1521 FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT 1522 LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL 1523 NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY 1524 OR FITNESS FOR A PARTICULAR PURPOSE.