draft-ietf-pkix-scvp-11.txt
        success                  (0),
        unrecognizedCheck        (1),
        unrecognizedWantBack     (2),
        malformedPKC             (3),
        malformedAC              (4),
        unrecognizedCertPolicy   (5),
        unrecognizedValPolicy    (6),
        unrecognizedExtension    (7),
        unavailableValidityTime  (8),
        referenceCertHashFail    (9),
        certPathConstructFail   (10),
        certPathNotValid        (11),
        certPathNotValidNow     (12) }

   The meaning of the various ReplyStatus values is:

       0  Success: a definitive answer follows
       1  Failure: an OID in the check item is not recognized
       2  Failure: an OID in the wantBack item is not recognized
       3  Failure: the public key certificate was malformed
       4  Failure: the attribute certificate was malformed
       5  Failure: the certificate policy OID is not recognized
       6  Failure: the validation policy OID is not recognized
       7  Failure: the extension OID is not recognized
       8  Failure: historical data for the requested validity
                   time is not available
       9  Failure: the referenced certificate did not match the
                   hash value provided
      10  Failure: no certification path could be constructed
      11  Failure: the constructed certification path is invalid
      12  Failure: the constructed certification path is invalid,
                   but a query at a later time may be successful

   Codes 3 and 4 are used to tell the client that the request was
   properly formed, but the certificate in question was not. This is
   especially useful to clients that do not parse certificates.

4.7.3 replyValTime

   The replyValTime item tells the time at which the information in the
   CertReply was correct. The replyValTime item represents the date and
   time in UTC, using the GeneralizedTime type. The encoding rules for
   GeneralizedTime in section 4.2 MUST be used.

Malpani, Housley, & Freeman                                    [Page 25]

INTERNET DRAFT                    SCVP                     December 2002

   Within the request, the optional validityTime item tells the date and
   time relative to which the SCVP client wants the server to perform
   the checks. If the validityTime is not present, the server MUST
   respond as if the client provided the date and time at which the
   server processes the request.

   The information in the CertReply item MUST be formatted as if the
   server created this portion of the response at the time indicated in
   the validityTime item of the query. However, if the server does not
   have appropriate historical information, the server MAY either return
   an error or return information for a later time.

4.7.4 replyChecks

   The replyChecks item contains the responses to the checks item in the
   query. The replyChecks item repeats the object identifier (OID) from
   the query and an integer. The value of the integer indicates whether
   the requested check was successful. The OIDs in the checks item of
   the query are used to identify the corresponding replyChecks values.
   The OIDs in the replyChecks item MUST match the OIDs in the checks
   item in the request.

   The replyChecks item uses the ReplyChecks type, which has the
   following syntax:

      ReplyChecks ::= SEQUENCE OF ReplyCheck

      ReplyCheck ::= SEQUENCE {
        check                      OBJECT IDENTIFIER,
        status                     INTEGER }

   The status value for public key certification path building to a
   trusted root, { id-stc 1 }, can be one of the following:

      0: Built a path
      1: Could not build a path

   The status value for public key certification path building to a
   trusted root along with simple validation processing, { id-stc 2 },
   can be one of the following:

      0: Valid
      1: Not valid

   The status value for public key certification path building to a
   trusted root along with complete status checking, { id-stc 3 }, can
   be one of the following:

      0: Good
      1: Revoked
      2: Unknown

   The status value for AC issuer certification path building to a
   trusted root, { id-stc 4 }, can be one of the following:

      0: Built a path
      1: Could not build a path

   The status value for AC issuer certification path building to a
   trusted root along with simple validation processing, { id-stc 5 },
   can be one of the following:

      0: Valid
      1: Not valid

   The status value for AC issuer certification path building to a
   trusted root along with complete status checking, { id-stc 6 }, can
   be one of the following:

      0: Good
      1: Revoked
      2: Unknown

   The status value for revocation status checking of an AC as well as
   AC issuer certification path building to a trusted root along with
   complete status checking, { id-stc 7 }, can be one of the following:

      0: Good
      1: Revoked
      2: Unknown

4.7.5 replyWantBack

   The replyWantBack item contains the responses to the wantBack item in
   the request. The replyWantBack item includes the object identifier
   (OID) from the wantBack item in the request and an octet string.
   Within the octet string is the requested value. The OIDs in the
   wantBack item in the request are used to identify the corresponding
   reply value. The OIDs in the replyWantBack item MUST match the OIDs
   in the wantBack item in the request.

   The replyWantBack item uses the ReplyWantBack type, which has the
   following syntax:

      ReplyWantBacks ::= SEQUENCE OF ReplyWantBack

      ReplyWantBack ::= SEQUENCE {
        wb                         OBJECT IDENTIFIER,
        value                      OCTET STRING }

   The octet string value for the certification path used to verify the
   certificate in the request, { id-swb 1 }, contains the CertBundle
   type. The syntax and semantics of the CertBundle type are described
   in section 3.2.7.

   The octet string value for the proof of revocation status,
   { id-swb 2 }, contains the RevocationInfo type. The syntax and
   semantics of the RevocationInfo type are described in section 3.2.9.

   The octet string value for the public key certificate status,
   { id-swb 3 }, contains an ASN.1 BOOLEAN type. The value will be TRUE
   if the certificate is valid, and the value will be FALSE if the
   certificate is not valid.

   The octet string value for the public key information, { id-swb 4 },
   contains the SubjectPublicKeyInfo type. The syntax and semantics of
   the SubjectPublicKeyInfo type are described in [PKIX-1].

   The octet string value for the AC issuer certification path used to
   verify the certificate in the request, { id-swb 5 }, contains the
   CertBundle type. The syntax and semantics of the CertBundle type are
   described in section 3.2.7.

   The octet string value for the proof of revocation status of the AC
   issuer certification path, { id-swb 6 }, contains the RevocationInfo
   type. The syntax and semantics of the RevocationInfo type are
   described in section 3.2.9.

   The octet string value for the proof of revocation status of the
   attribute certificate, { id-swb 7 }, contains the RevocationInfo
   type. The syntax and semantics of the RevocationInfo type are
   described in section 3.2.9.

   The octet string value for the attribute certificate status,
   { id-swb 8 }, contains an ASN.1 BOOLEAN type. The value will be TRUE
   if the certificate is valid, and the value will be FALSE if the
   certificate is not valid.

4.7.6 valPolicy

   The valPolicy item tells the validation policy used by the SCVP
   server. Even if the query does not include a validation policy, the
   server MUST indicate the validation policy that was used. The
   valPolicy value MUST NOT be id-svp-defaultValPolicy.

   The syntax and semantics of the valPolicy item are described in
   section 3.2.5.

4.7.7 nextUpdate

   The nextUpdate item tells the time at which the server expects
   additional information regarding the validity of the certificate to
   become available. Such information could change the status of the
   certificate; however, it might not change the status of the
   certificate. The nextUpdate is especially interesting if the
   certificate revocation status information is not available or the
   certificate is suspended. The nextUpdate item represents the date and
   time in UTC, using the GeneralizedTime type. The encoding rules for
   GeneralizedTime in section 4.2 MUST be used.

4.7.8 certReplyExtensions

   The certReplyExtensions item contains the responses to the
   queryExtension item in the request. The certReplyExtensions item uses
   the Extensions type defined in [PKIX-1]. The object identifiers
   (OIDs) in the queryExtension item in the request are used to identify
   the corresponding reply value. The certReplyExtensions item, when
   present, contains a sequence of Extension items, each of which
   contains an extnID item, a critical item, and an extnValue item.

   The extnID item is an identifier for the extension. It contains the
   OID that names the extension, and it MUST match one of the OIDs in
   the queryExtension item in the request.

   The critical item is a BOOLEAN, and it MUST be set to FALSE.

   The extnValue item contains an OCTET STRING. Within the OCTET STRING
   is the extension value. An ASN.1 type is specified for each
   extension, and identified by extnID.

4.8 requestNonce

   The optional requestNonce item contains an identifier generated by
   the client for the request. If the client includes a requestNonce
   value in the request, then the server MUST return the same value in
   the response.

   The requestNonce item uses the octet string type.

4.9 serverContextInfo

   The serverContextInfo item in a response is a mechanism for the
   server to pass some opaque context information to the client. If the
   client does not like the certification path returned, it can make a
   new query and pass along this context information.

   Section 3.2.4 contains information about the client usage of this
   item.

   The context information is opaque to the client, but it provides
   information to the server that ensures that a different certification
   path will be returned (if another one can be found). The context
   information could indicate state on the server, or it could contain a
   sequence of hashes of certification paths that have already been
   returned to the client. The protocol does not dictate any structure
   or requirements for this item. However, implementers should review
   the Security Considerations section of this document before selecting
   a structure.

   Servers that are incapable of returning additional paths MUST NOT
   include the serverContextInfo item in the response.

4.10 respExtensions

   The respExtensions item MAY contain Extensions. If present, each
   Extension in the sequence extends the request. This specification
   does not define any extensions; the facility is provided to allow
   future specifications to extend SCVP. The syntax for Extensions is
   imported from [PKIX-1]. The respExtensions item, when present,
   contains a sequence of Extension items, each of which contains an
   extnID item, a critical item, and an extnValue item.

   The extnID item is an identifier for the extension. It contains the
   object identifier (OID) that names the extension.

   The critical item is a BOOLEAN. Each extension is designated as
   either critical (with a value of TRUE) or non-critical (with a value
   of FALSE). An SCVP client MUST reject the response if it encounters a
   critical extension it does not recognize; however, a non-critical
   extension MAY be ignored if it is not recognized.

   The extnValue item contains an OCTET STRING. Within the OCTET STRING
   is the extension value. An ASN.1 type is specified for each
   extension, and identified by ex
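The sections above place several MUST requirements on what an SCVP client accepts: the replyChecks and replyWantBack OIDs must echo the request, certReplyExtensions must be non-critical and match the queryExtension OIDs, a requestNonce must come back unchanged, and an unrecognized critical respExtension forces rejection. The following client-side consistency check is an added example, not code from the draft or any SCVP implementation; the OID strings, field names and the Request/Response containers are assumptions standing in for the decoded ASN.1 items.

```python
from __future__ import annotations
from dataclasses import dataclass

# ReplyStatus names, indexed by the INTEGER value enumerated above
REPLY_STATUS = ("success", "unrecognizedCheck", "unrecognizedWantBack",
                "malformedPKC", "malformedAC", "unrecognizedCertPolicy",
                "unrecognizedValPolicy", "unrecognizedExtension",
                "unavailableValidityTime", "referenceCertHashFail",
                "certPathConstructFail", "certPathNotValid", "certPathNotValidNow")

@dataclass
class Extension:  # PKIX Extension; extnValue is not needed for these checks
    extn_id: str
    critical: bool

@dataclass
class Request:  # assumed container for the query items the reply must agree with
    checks: tuple[str, ...]
    want_back: tuple[str, ...]
    query_extensions: tuple[str, ...] = ()
    request_nonce: bytes | None = None

@dataclass
class Response:  # assumed container for CertReply items plus 4.8 and 4.10 items
    reply_status: int
    reply_checks: dict[str, int]       # check OID -> status INTEGER
    reply_want_back: dict[str, bytes]  # wb OID -> OCTET STRING value
    cert_reply_extensions: tuple[Extension, ...] = ()
    resp_extensions: tuple[Extension, ...] = ()
    request_nonce: bytes | None = None

def check_response(req: Request, rep: Response, known_resp_ext: set) -> list[str]:
    # returns every MUST violation found; an empty list means the client may accept
    problems = []
    if not 0 <= rep.reply_status < len(REPLY_STATUS):
        problems.append(f"unknown ReplyStatus {rep.reply_status}")
    # 4.8: a nonce sent by the client MUST come back unchanged
    if req.request_nonce is not None and rep.request_nonce != req.request_nonce:
        problems.append("requestNonce not echoed")
    # 4.7.4 / 4.7.5: OIDs in replyChecks and replyWantBack MUST match the request
    if rep.reply_checks and set(rep.reply_checks) != set(req.checks):
        problems.append("replyChecks OIDs differ from checks")
    if rep.reply_want_back and set(rep.reply_want_back) != set(req.want_back):
        problems.append("replyWantBack OIDs differ from wantBack")
    # 4.7.8: each extnID MUST be one the client asked for, and critical MUST be FALSE
    for ext in rep.cert_reply_extensions:
        if ext.extn_id not in req.query_extensions or ext.critical:
            problems.append(f"bad certReplyExtension {ext.extn_id}")
    # 4.10: the client MUST reject an unrecognized critical respExtension
    for ext in rep.resp_extensions:
        if ext.critical and ext.extn_id not in known_resp_ext:
            problems.append(f"unrecognized critical respExtension {ext.extn_id}")
    return problems
```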