📄 draft-ietf-pkix-cvp-01.txt
字号:
signatory MUST contain, when the request is signed, an unambiguous reference to the certificate from the requester. It is used to authenticate the requester.requestExtensions is a way to allow additional elements to be added later on, if needed. Signature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } CertOrCertRef ::= CHOICE { certificate [1] Certificate, certRef [2] CertRef }Pinkas [Page 12]Internet Draft CVP October 2002CertOrCertRef may specify the certificate itself or an unambiguous reference of the certificate. CertRef ::= CHOICE { eSSCertId [0] ESSCertID, certIdWithSignature [1] CertIdWithSignature } CertIdWithSignature ::= SEQUENCE { issuerSerial IssuerSerial, tbsCertificateHash BIT STRING, certSignature CertSignature }IssuerSerial is defined in RFC2634 section 5.4.1.tbsCertificateHash contains a hash value computed over the ASN.1 DER encoded tbsCertificate field from the certificate using the hash function identified in the signature algorithm from the signature.certSignature contains the signature fields from the certificate. CertSignature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } ValOrDiscoPolicy ::= CHOICE { simplePolicy SimplePolicy, otherPolicy PolicyRef }ValOrDiscoPolicy is either a simple policy or referenced policy. When it is a referenced policy, then it is composed of an OID or a URN, and optionally of both the hash value of the policy and of the hash algorithm used to compute the hash value of the policy.When it is a simple policy, it must include one mandatory parameter, i.e. a self-signed certificate and may include two additional parameters to define the acceptable certificate policies and the path length constraints, if any. See section 6 for the exact definition of the simple policies defined in this document. SimplePolicy ::= SEQUENCE { policyID OBJECT IDENTIFIER, trustanchor Certificate, -- self-signed certificate acceptablePolicySet [0] AcceptablePolicySet OPTIONAL, -- if not present "any policy" pathLenConstraint [1] PathLenConstraint OPTIONAL -- if not present "any length" }Pinkas [Page 13]Internet Draft CVP October 2002trustanchor provides the self signed certificate for the CA that is used as the trust anchor for the start of certificate path processing.acceptablePolicySet identifies the initial set of certificate policies, any of which MUST be included in the certificates from the path.pathLenConstraint indicates the maximum number of CA certificates that may be in a certification path following the trust anchor. A value of zero indicates that only the given trust anchor and an end-entity certificate must form the path. If present, pathLenConstraint must be greater than or equal to zero. Where pathLenConstraint is not present, there is no limit to the allowed length of the certification path.AcceptablePolicySet ::= SEQUENCE OF CertPolicyIdCertPolicyId ::= OBJECT IDENTIFIERAcceptablePolicySet specifies a set of certificate policies. For a certificate to be valid against that criteria, any certificate of the path MUST include one of these policies. PolicyRef ::= SEQUENCE{ policyID PolicyID, policyHashAlg AlgorithmIdentifier OPTIONAL, policyHash PolicyHash OPTIONAL, policyLocation PolicyLocations OPTIONAL } PolicyID :: = CHOICE { policybyOId OBJECT IDENTIFIER, policybyURN NAME } ValPolicyHash ::= OCTET STRINGThe valPolicyID field contains an object-identifier or a URI which uniquely identifies a specific version of the signature policy.The value for valPolicyHash SHALL be computed on the hash of the DER encoding of ValidationPolicyDef when the policy is locally defined or of the definition of the policy when it is externally defined. ValPolLocations :: = SEQUENCE OF NamevalPolLocation contains web URIs or URL references to the definition of signature policy. CertificateValues ::= SEQUENCE OF CertificatePinkas [Page 14]Internet Draft CVP October 2002UsefulCerts is a set of certificates, some of them may be useful to build the path. ValidationData ::= CHOICE { pathInfo PathInfo, tbsResponse TBSResponse }ValidationData may either be: - information on the path (certificates, CRLs or OCSP responses), - or a single CVP signed response, from a CVP server trusted under the validation policy. PathInfo ::= SEQUENCE { certificateValues [0] CertificateValues OPTIONAL, revocationValues [1] RevocationValues OPTIONAL, certPathRefs [2] CertPathRefs OPTIONAL -- only used for DPV }RevocationValues is defined in [RFC3126]. CertPathRefs ::= SEQUENCE { pathRefrences ValidatedPathRefs, timeStamps SEQUENCE OF TimeStampToken OPTIONAL } ValidatedPathRefs ::= SEQUENCE { certificateRefs CompleteCertificateRefs, -- defined in [RFC3126] revocationRefs CompleteRevocationRefs -- defined in [RFC3126] }PathInfo contains a sequence of certificates, from the certificate to validate up to a trust anchor, exclusive of the self-signed certificate of the trust anchor, if any; a sequence of revocation status information; and optionally the references of the path that may be time-stamped.The hash of the time-stamp token(s) SHALL be computed on the DER encoding of ValidatedPathRefs.5.2.2. Response SyntaxThis section specifies the ASN.1 specification for a confirmationresponse. The actual formatting of the message could vary dependingon the transport mechanism used (HTTP, SMTP, LDAP, etc.).An CVP response at a minimum consists of a cVPStatus fieldindicating the processing status of the prior request. If the valueof cVPStatus is one of the error conditions, tbsResponse and optionalSignature are not set.Pinkas [Page 15]Internet Draft CVP October 2002 CvpResponse ::= SEQUENCE { mbsResponse MBSResponse, -- May Be Signed Response optionaldpDSignature [0] EXPLICIT Signature OPTIONAL }The full response may be signed, only when it is a DPD response. Otherwise, for DPV, individual signatures may be placed on for each individual DPV response data (i.e. individualResponseData). MBSResponse ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, cVPStatus CVPResponseStatus, response Response }cVPStatus status indicates if an error was encountered. CVPResponseStatus ::= ENUMERATED { successful (0), -- Request was understood malformedRequest (1), -- malformed request internalError (2), -- internal error in issuer tryLater (3), -- try again later sigRequired (4), -- must sign the request unauthorized (5), -- request unauthorized unknownPolicy (6) -- policy unknown }response may either be a response to a query for listing the policies known to the server or to a DPV or DPD query. Response ::= CHOICE { policyResponse [0] PolicyResponse, responses [1] SEQUENCE OF IndividualResponse }policyResponse is a response to a policy query. Separate lists are provided for validation policies and discovery policies. PolicyResponse ::= SEQUENCE { valPolices [0] ValOrDiscoPolicies OPTIONAL, discoveryPolicies [1] ValOrDiscoPolicies OPTIONAL } ValOrDiscoPolicies ::= SEQUENCE OF ValOrDiscoPolicyIf one of the simple policies, as defined in the present document, is supported, then the server MUST provide the additional parameters which are associated with it.Pinkas [Page 16]Internet Draft CVP October 2002 IndividualResponse ::= SEQUENCE { individualResponseData IndividualResponseData, optionalSignature [0] EXPLICIT Signature OPTIONAL, validationData ValidationData OPTIONAL, }The individualResponseData when it is a DPV response is usually signed, unless the client requires the signature to be absent. validationData is not directly part of the signed data but only the hash of this field is included to keep the signed part short.Each IndividualResponse may be individually signed so the client can keep individual signed DPV responses in order to demonstrate that the validation was effectively done by the DPV server.The value for signature SHALL be computed on the hash of the DER encoding of IndividualResponseData. IndividualResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, nonce OCTET STRING OPTIONAL, majorStatus MajorStatus, minorStatus MinorStatus OPTIONAL, certProcessed CertOrCertRef, policy Policy, checks Checks, -- copied from the request serialNumber INTEGER -- allows to uniquely reference the response, producedAt GeneralizedTime, validationTime GeneralizedTime OPTIONAL, -- only for a DPV response requestHash AnyHash, -- computed over a single CertQuery cVPServerCert ESSCertID OPTIONAL, -- only if the response is signed requesterName [1] EXPLICIT GeneralName OPTIONAL, requesterData [2] EXPLICIT CHARACTER STRING OPTIONAL, validationDataHash [3] OCTET STRING OPTIONAL, serverContextInfo [4] OCTET STRING OPTIONAL, -- only for a DPD response responseExtensions [5] EXPLICIT Extensions OPTIONAL }The various parameters from the IndividualResponseData are the following:version allows to identify the version of the protocol. Version ::= INTEGER { v1(0) }nonce if present in the request MUST be copied in that field.Pinkas [Page 17]Internet Draft CVP October 2002majorStatus indicates the validity of the certificate according to either the validation or the discovery policy. For DPV: MajorStatus ::= CHOICE { valid [0] IMPLICIT NULL, invalid [1] IMPLICIT NULL, unknown [2] IMPLICIT NULL } When the response indicates "valid", this means that the certificate is valid according to the validation policy. When the response indicates "invalid", this means that the certificate is invalid according to the validation policy. When the response indicates "unknown", this means that information is missing to build a path between the certificate and a trusted anchor. This may also be, when the reference to the certificate is used, because the server is unable to get the actual value of the certificate. When the major status indicates that certificate is not valid ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -