Network Working Group                                       S. Santesson
Request for Comments: 3039                                      AddTrust
Category: Standards Track                                        W. Polk
                                                                    NIST
                                                               P. Barzin
                                                                  SECUDE
                                                              M. Nystrom
                                                            RSA Security
                                                            January 2001


                Internet X.509 Public Key Infrastructure
                     Qualified Certificates Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This document forms a certificate profile for Qualified Certificates,
   based on RFC 2459, for use in the Internet.  The term Qualified
   Certificate is used to describe a certificate with a certain
   qualified status within applicable governing law.  Further, Qualified
   Certificates are issued exclusively to physical persons.

   The goal of this document is to define a general syntax independent
   of local legal requirements.  The profile is however designed to
   allow further profiling in order to meet specific local needs.

   It is important to note that the profile does not define any legal
   requirements for Qualified Certificates.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Santesson, et al.           Standards Track                     [Page 1]

RFC 3039             Qualified Certificates Profile         January 2001

Table of Contents

   1  Introduction ................................................    2
   2  Requirements and Assumptions ................................    3
   2.1  Properties ................................................    4
   2.2  Statement of Purpose ......................................    5
   2.3  Policy Issues .............................................    5
   2.4  Uniqueness of names .......................................    5
   3  Certificate and Certificate Extensions Profile ..............    6
   3.1  Basic Certificate Fields ..................................    6
   3.1.1  Issuer ..................................................    6
   3.1.2  Subject .................................................    6
   3.2  Certificate Extensions ....................................    9
   3.2.1  Subject Directory Attributes ............................    9
   3.2.2  Certificate Policies ....................................   10
   3.2.3  Key Usage ...............................................   10
   3.2.4  Biometric Information ...................................   11
   3.2.5  Qualified Certificate Statements ........................   12
   4  Security Considerations .....................................   14
   5  References ..................................................   15
   6  Intellectual Property Rights ................................   16
   A  ASN.1 definitions ...........................................   17
   A.1  1988 ASN.1 Module .........................................   17
   A.2  1993 ASN.1 Module .........................................   19
   B  A Note on Attributes ........................................   24
   C  Example Certificate .........................................   24
   C.1  ASN.1 Structure ...........................................   25
   C.1.1 Extensions ...............................................   25
   C.1.2 The certificate ..........................................   27
   C.2  ASN.1 Dump ................................................   29
   C.3  DER-encoding ..............................................   32
   C.4  CA's public key ...........................................   33
   Authors' Addresses .............................................   34
   Full Copyright Statement .......................................   35

1  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  It is based on RFC
   2459, which defines underlying certificate formats and semantics
   needed for a full implementation of this standard.

   The standard profiles the format for a specific type of certificates
   named Qualified Certificates.  The term Qualified Certificates and
   the assumptions that affect the scope of this document are discussed
   in Section 2.

   Section 3 defines requirements on information content in Qualified
   Certificates.  This profile addresses two fields in the basic
   certificate as well as five certificate extensions.  The certificate
   fields are the subject and issuer fields.  The certificate extensions
   are subject directory attributes, certificate policies, key usage, a
   private extension for storage of biometric data and a private
   extension for storage of statements related to Qualified
   Certificates.  The private extensions are presented in the 1993
   Abstract Syntax Notation One (ASN.1), but in conformance with RFC
   2459 the 1988 ASN.1 module in Appendix A contains all normative
   definitions (the 1993 module in Appendix A is informative).

   In Section 4, some security considerations are discussed in order to
   clarify the security context in which Qualified Certificates are
   assumed to be utilized.  Section 5 contains the references.

   Appendix A contains all relevant ASN.1 [X.680] structures that are
   not already defined in RFC 2459.  Appendix B contains a note on
   attributes.  Appendix C contains an example certificate.  Appendix D
   contains authors' addresses and Appendix E contains the IETF
   Copyright Statement.

   It should be noted that this specification does not define the
   specific semantics of Qualified Certificates, and does not define the
   policies that should be used with them.  That is, this document
   defines what information should go into Qualified Certificates, but
   not what that information means.  A system that uses Qualified
   Certificates must define its own semantics for the information in
   Qualified Certificates.  It is expected that laws and corporate
   policies will make these definitions.

2  Requirements and Assumptions

   The term "Qualified Certificate" has been used by the European
   Commission to describe a certain type of certificate with specific
   relevance for European legislation.  This specification is intended
   to support this class of certificates, but its scope is not limited
   to this application.

   Within this standard the term "Qualified Certificate" is used more
   generally, describing the format for a certificate whose primary
   purpose is identifying a person with a high level of assurance in
   public non-repudiation services.  The actual mechanisms that will
   decide whether a certificate should or should not be considered to be
   a "Qualified Certificate" in regard to any legislation are outside
   the scope of this standard.

   Harmonization in the field of Qualified Certificates is essential
   within several aspects that fall outside the scope of RFC 2459.  The
   most important aspects that affect the scope of this specification
   are:

   -  Definition of names and identity information in order to identify
      the associated subject in a uniform way.

   -  Definition of information which identifies the CA and the
      jurisdiction under which the CA operates when issuing a particular
      certificate.

   -  Definition of key usage extension usage for Qualified
      Certificates.

   -  Definition of information structure for storage of biometric
      information.

   -  Definition of a standardized way to store predefined statements
      with relevance for Qualified Certificates.

   -  Requirements for critical extensions.

2.1  Properties

   A Qualified Certificate as defined in this standard is assumed to
   have the following properties:

   -  The certificate is issued by a CA that makes a public statement
      that the certificate serves the purpose of a Qualified
      Certificate, as discussed in Section 2.2.

   -  The certificate indicates a certificate policy consistent with
      liabilities, practices and procedures undertaken by the CA, as
      discussed in Section 2.3.

   -  The certificate is issued to a natural person (living human
      being).

   -  The certificate contains an identity based on a pseudonym or a
      real name of the subject.

2.2  Statement of Purpose

   For a certificate to serve the purpose of being a Qualified
   Certificate, this profile assumes that the CA will have to include in
   the certificate information that explicitly defines this intent.

   The function of this information is thus to assist any concerned
   entity in evaluating the risk associated with creating or accepting
   signatures that are based on a Qualified Certificate.

   This profile defines two complementary ways to include this
   information:

   -  As information defined by a certificate policy included in the
      certificate policies extension, and

   -  As a statement included in the Qualified Certificates Statements
      extension.

2.3  Policy Issues

   Certain policy aspects define the context in which this profile is to
   be understood and used.  It is however outside the scope of this
   profile to specify any policies or legal aspects that will govern
   services that issue or utilize certificates according to this
   profile.

   It is however assumed that the issuing CA will undertake to follow a
   publicly available certificate policy that is consistent with its
   liabilities, practices and procedures.

2.4  Uniqueness of names

   Distinguished name is originally defined in X.501 [X.501] as a
   representation of a directory name, defined as a construct that
   identifies a particular object from among the set of all objects.  An
   object can be assigned a distinguished name without being represented
   by an entry in the Directory, but this name is then the name its
   object entry could have had if it were represented in the Directory.

   In the context of qualified certificates, a distinguished name
   denotes a set of attribute values [X.501] which forms a name that is
   unambiguous within a certain domain that forms either a real or a
   virtual DIT (Directory Information Tree) [X.501].  In the case of
   subject names the domain is assumed to be at least the issuing domain
   of the CA.  The distinguished name MUST be unique for each subject
   entity certified by the one CA as defined by the issuer name field,
   during the whole lifetime of the CA.

3  Certificate and Certificate Extensions Profile

   This section defines a profile for Qualified Certificates.  The
   profile is based on the Internet certificate profile RFC 2459 which
   in turn is based on the X.509 version 3 format.  For full
   implementation of this section implementers are REQUIRED to consult
   the underlying formats and semantics defined in RFC 2459.

   ASN.1 definitions relevant for this section that are not supplied by
   RFC 2459 are supplied in Appendix A.

3.1  Basic Certificate Fields

   This specification provides additional details regarding the contents
   of two fields in the basic certificate.  These fields are the issuer
   and subject fields.

3.1.1  Issuer

   The issuer field SHALL identify the organization responsible for
   issuing the certificate.  The name SHOULD be an officially registered
   name of the organization.

   The identity of the issuer SHALL be specified using an appropriate
   subset of the following attributes:

         domainComponent;
         countryName;
         stateOrProvinceName;
         organizationName;
         localityName; and
         serialNumber.

   Additional attributes MAY be present but they SHOULD NOT be necessary
   to identify the issuing organization.

   Attributes present in the issuer field SHOULD be consistent with the
   laws under which the issuer operates.

   A relying party MAY have to consult associated certificate policies
   and/or the issuer's CPS, in order to determine the semantics of name
   fields and the laws under which the issuer operates.

3.1.2  Subject

   The subject field of a certificate compliant with this profile SHALL
   contain a distinguished name of the subject (see 2.4 for definition
   of distinguished name).

   The subject field SHALL contain an appropriate subset of the
   following attributes:

      countryName;
      commonName;
      surname;
      givenName;
      pseudonym;
      serialNumber;
      organizationName;
      organizationalUnitName;
      stateOrProvinceName;
      localityName; and
      postalAddress.

   Other attributes may be present but MUST NOT be necessary to
   distinguish the subject name from other subject names within the
   issuer domain.

   Of these attributes, the subject field SHALL include at least one of
   the following:

      Choice   I:  commonName
      Choice  II:  givenName
      Choice III:  pseudonym

   The countryName attribute value specifies a general context in which
   other attributes are to be understood.  The country attribute does
   not necessarily indicate the subject's country of citizenship or
   country of residence, nor does it have to indicate the country of
   issuance.

   Note: Many X.500 implementations require the presence of countryName
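The naming rules of sections 2.4, 3.1.1 and 3.1.2 (issuer attribute subset, subject attribute subset, the Choice I/II/III requirement, and uniqueness of subject names within one CA) can be checked mechanically once names are decoded. The following is an added example written for this page, not code from RFC 3039 or from any PKIX implementation. It models a distinguished name as a tuple of (attributeType, value) pairs in RDN order using the RFC's attribute names, assumes a CA-internal "entity" registration id to tell one natural person from another (the profile's uniqueness requirement is per subject entity, and a person may legitimately hold several certificates), and uses constructed sample names and a constructed issuer. DER decoding is out of scope.

```python
# Added example, not part of RFC 3039: a checker for the naming rules of
# sections 2.4, 3.1.1 and 3.1.2. Names are tuples of (attributeType, value)
# pairs in RDN order; decoding them from DER certificates is out of scope.

# Section 3.1.1: attributes the issuer identity is built from.
ISSUER_ATTRIBUTES = frozenset({
    "domainComponent", "countryName", "stateOrProvinceName",
    "organizationName", "localityName", "serialNumber",
})

# Section 3.1.2: attributes a subject name may be distinguished by.
SUBJECT_ATTRIBUTES = frozenset({
    "countryName", "commonName", "surname", "givenName", "pseudonym",
    "serialNumber", "organizationName", "organizationalUnitName",
    "stateOrProvinceName", "localityName", "postalAddress",
})

# Section 3.1.2: at least one of these MUST be present in the subject.
SUBJECT_CHOICE = frozenset({"commonName", "givenName", "pseudonym"})


def profile_view(name, allowed):
    """Keep only the attributes the profile allows a name to be identified by."""
    return tuple((t, v) for t, v in name if t in allowed)


def check_issuer(name):
    """Findings for one issuer name (section 3.1.1); empty list if compliant."""
    findings = []
    if not profile_view(name, ISSUER_ATTRIBUTES):
        findings.append("issuer: no profile issuer attribute present")
    extra = sorted({t for t, _ in name} - ISSUER_ATTRIBUTES)
    if extra:  # MAY be present, but SHOULD NOT be needed: report for review
        findings.append("issuer: additional attributes " + ", ".join(extra))
    return findings


def check_subject(name):
    """Findings for one subject name (section 3.1.2, Choice I/II/III)."""
    if not {t for t, _ in name} & SUBJECT_CHOICE:
        return ["subject: none of commonName, givenName, pseudonym present"]
    return []


def check_uniqueness(certificates):
    """Findings across a CA's issued certificates (sections 2.4 and 3.1.2).

    Each certificate is a dict with 'issuer' and 'subject' names and an
    'entity' key: a CA-internal registration id for the natural person
    (an assumption of this example). One person may hold many certificates,
    but two entities MUST NOT share a subject name, and attributes outside
    the profile MUST NOT be what keeps two subjects apart.
    """
    by_view = {}  # (issuer, subject projected onto profile attrs) -> {entity: {names}}
    for cert in certificates:
        key = (cert["issuer"], profile_view(cert["subject"], SUBJECT_ATTRIBUTES))
        by_view.setdefault(key, {}).setdefault(cert["entity"], set()).add(cert["subject"])
    findings = []
    for entities in by_view.values():
        if len(entities) < 2:
            continue  # a single person, any number of certificates: fine
        who = ", ".join(sorted(entities))
        if len(set.union(*entities.values())) == 1:
            findings.append(f"same subject name issued to different entities ({who})")
        else:
            findings.append(f"subjects of {who} differ only in non-profile attributes")
    return findings


# Constructed sample data for this example (not taken from the RFC).
ISSUER = (("countryName", "SE"), ("organizationName", "Example Trust AB"))
ALICE = (("countryName", "SE"), ("givenName", "Alice"),
         ("surname", "Andersson"), ("serialNumber", "0001"))
CERTIFICATES = [
    {"issuer": ISSUER, "entity": "p-1", "subject": ALICE},
    {"issuer": ISSUER, "entity": "p-1", "subject": ALICE},  # renewal: allowed
    {"issuer": ISSUER, "entity": "p-2",
     "subject": (("countryName", "SE"), ("pseudonym", "bob42"))},
    # Two people kept apart only by emailAddress: violates section 3.1.2.
    {"issuer": ISSUER, "entity": "p-3",
     "subject": (("countryName", "SE"), ("commonName", "Carol Svensson"),
                 ("emailAddress", "carol.s@example.test"))},
    {"issuer": ISSUER, "entity": "p-4",
     "subject": (("countryName", "SE"), ("commonName", "Carol Svensson"),
                 ("emailAddress", "c.svensson@example.test"))},
    # No commonName, givenName or pseudonym: violates section 3.1.2.
    {"issuer": ISSUER, "entity": "p-5",
     "subject": (("countryName", "SE"), ("surname", "Dahl"))},
]


def audit(certificates=CERTIFICATES):
    """Run every check; returns the findings (an empty list means compliant)."""
    findings = []
    for cert in certificates:
        findings += check_issuer(cert["issuer"]) + check_subject(cert["subject"])
    findings += check_uniqueness(certificates)
    return findings
```

Calling `audit()` on the constructed data reports two findings: the subject without any Choice attribute, and the two "Carol Svensson" subjects that only an emailAddress attribute keeps apart. The projection step is the point of the example: a CA that relies on attributes outside the section 3.1.2 list to keep names unique may still issue distinct DNs, but it has stopped meeting the uniqueness requirement as the profile defines it.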
