📄 rfc2459.txt
字号:
Network Working Group R. HousleyRequest for Comments: 2459 SPYRUSCategory: Standards Track W. Ford VeriSign W. Polk NIST D. Solo Citicorp January 1999 Internet X.509 Public Key Infrastructure Certificate and CRL ProfileStatus of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved.Abstract This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use in the Internet. An overview of the approach and model are provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms (e.g., IP addresses). Standard certificate extensions are described and one new Internet-specific extension is defined. A required set of certificate extensions is specified. The X.509 v2 CRL format is described and a required extension set is defined as well. An algorithm for X.509 certificate path validation is described. Supplemental information is provided describing the format of public keys and digital signatures in X.509 certificates for common Internet public key encryption algorithms (i.e., RSA, DSA, and Diffie-Hellman). ASN.1 modules and examples are provided in the appendices. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.Housley, et. al. Standards Track [Page 1]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999 Please send comments on this document to the ietf-pkix@imc.org mail list. TTTTaaaabbbblllleeee ooooffff CCCCoooonnnntttteeeennnnttttssss 1 Introduction ................................................ 5 2 Requirements and Assumptions ................................ 6 2.1 Communication and Topology ................................ 6 2.2 Acceptability Criteria .................................... 7 2.3 User Expectations ......................................... 7 2.4 Administrator Expectations ................................ 7 3 Overview of Approach ........................................ 7 3.1 X.509 Version 3 Certificate ............................... 9 3.2 Certification Paths and Trust ............................. 10 3.3 Revocation ................................................ 12 3.4 Operational Protocols ..................................... 13 3.5 Management Protocols ...................................... 13 4 Certificate and Certificate Extensions Profile .............. 15 4.1 Basic Certificate Fields .................................. 15 4.1.1 Certificate Fields ...................................... 16 4.1.1.1 tbsCertificate ........................................ 16 4.1.1.2 signatureAlgorithm .................................... 16 4.1.1.3 signatureValue ........................................ 17 4.1.2 TBSCertificate .......................................... 17 4.1.2.1 Version ............................................... 17 4.1.2.2 Serial number ......................................... 18 4.1.2.3 Signature ............................................. 18 4.1.2.4 Issuer ................................................ 18 4.1.2.5 Validity .............................................. 21 4.1.2.5.1 UTCTime ............................................. 22 4.1.2.5.2 GeneralizedTime ..................................... 22 4.1.2.6 Subject ............................................... 22 4.1.2.7 Subject Public Key Info ............................... 23 4.1.2.8 Unique Identifiers .................................... 24 4.1.2.9 Extensions ............................................. 24 4.2 Certificate Extensions .................................... 24 4.2.1 Standard Extensions ..................................... 25 4.2.1.1 Authority Key Identifier .............................. 25 4.2.1.2 Subject Key Identifier ................................ 26 4.2.1.3 Key Usage ............................................. 27 4.2.1.4 Private Key Usage Period .............................. 29 4.2.1.5 Certificate Policies .................................. 29 4.2.1.6 Policy Mappings ....................................... 31 4.2.1.7 Subject Alternative Name .............................. 32Housley, et. al. Standards Track [Page 2]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999 4.2.1.8 Issuer Alternative Name ............................... 34 4.2.1.9 Subject Directory Attributes .......................... 34 4.2.1.10 Basic Constraints .................................... 35 4.2.1.11 Name Constraints ..................................... 35 4.2.1.12 Policy Constraints ................................... 37 4.2.1.13 Extended key usage field ............................. 38 4.2.1.14 CRL Distribution Points .............................. 39 4.2.2 Private Internet Extensions ............................. 40 4.2.2.1 Authority Information Access .......................... 41 5 CRL and CRL Extensions Profile .............................. 42 5.1 CRL Fields ................................................ 43 5.1.1 CertificateList Fields .................................. 43 5.1.1.1 tbsCertList ........................................... 44 5.1.1.2 signatureAlgorithm .................................... 44 5.1.1.3 signatureValue ........................................ 44 5.1.2 Certificate List "To Be Signed" ......................... 44 5.1.2.1 Version ............................................... 45 5.1.2.2 Signature ............................................. 45 5.1.2.3 Issuer Name ........................................... 45 5.1.2.4 This Update ........................................... 45 5.1.2.5 Next Update ........................................... 45 5.1.2.6 Revoked Certificates .................................. 46 5.1.2.7 Extensions ............................................ 46 5.2 CRL Extensions ............................................ 46 5.2.1 Authority Key Identifier ................................ 47 5.2.2 Issuer Alternative Name ................................. 47 5.2.3 CRL Number .............................................. 47 5.2.4 Delta CRL Indicator ..................................... 48 5.2.5 Issuing Distribution Point .............................. 48 5.3 CRL Entry Extensions ...................................... 49 5.3.1 Reason Code ............................................. 50 5.3.2 Hold Instruction Code ................................... 50 5.3.3 Invalidity Date ......................................... 51 5.3.4 Certificate Issuer ...................................... 51 6 Certificate Path Validation ................................. 52 6.1 Basic Path Validation ..................................... 52 6.2 Extending Path Validation ................................. 56 7 Algorithm Support ........................................... 57 7.1 One-way Hash Functions .................................... 57 7.1.1 MD2 One-way Hash Function ............................... 57 7.1.2 MD5 One-way Hash Function ............................... 58 7.1.3 SHA-1 One-way Hash Function ............................. 58 7.2 Signature Algorithms ...................................... 58 7.2.1 RSA Signature Algorithm ................................. 59 7.2.2 DSA Signature Algorithm ................................. 60 7.3 Subject Public Key Algorithms ............................. 60 7.3.1 RSA Keys ................................................ 61 7.3.2 Diffie-Hellman Key Exchange Key ......................... 61Housley, et. al. Standards Track [Page 3]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999 7.3.3 DSA Signature Keys ...................................... 63 8 References .................................................. 64 9 Intellectual Property Rights ................................ 66 10 Security Considerations .................................... 67 Appendix A. ASN.1 Structures and OIDs ......................... 70 A.1 Explicitly Tagged Module, 1988 Syntax ...................... 70 A.2 Implicitly Tagged Module, 1988 Syntax ...................... 84 Appendix B. 1993 ASN.1 Structures and OIDs .................... 91 B.1 Explicitly Tagged Module, 1993 Syntax ...................... 91 B.2 Implicitly Tagged Module, 1993 Syntax ...................... 108 Appendix C. ASN.1 Notes ....................................... 116 Appendix D. Examples .......................................... 117 D.1 Certificate ............................................... 117 D.2 Certificate ............................................... 120 D.3 End-Entity Certificate Using RSA .......................... 123 D.4 Certificate Revocation List ............................... 126 Appendix E. Authors' Addresses ................................ 128 Appendix F. Full Copyright Statement .......................... 129Housley, et. al. Standards Track [Page 4]
RFC 2459 Internet X.509 Public Key Infrastructure January 19991 Introduction This specification is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet. This specification is a standalone document; implementations of this standard may proceed independent from the other parts. This specification profiles the format and semantics of certificates and certificate revocation lists for the Internet PKI. Procedures are described for processing of certification paths in the Internet environment. Encoding rules are provided for popular cryptographic algorithms. Finally, ASN.1 modules are provided in the appendices for all data structures defined or referenced. The specification describes the requirements which inspire the creation of this document and the assumptions which affect its scope in Section 2. Section 3 presents an architectural model and describes its relationship to previous IETF and ISO/IEC/ITU standards. In particular, this document's relationship with the IETF PEM specifications and the ISO/IEC/ITU X.509 documents are described. The specification profiles the X.509 version 3 certificate in Section 4, and the X.509 version 2 certificate revocation list (CRL) in Section 5. The profiles include the identification of ISO/IEC/ITU and ANSI extensions which may be useful in the Internet PKI. The profiles are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax used in the ISO/IEC/ITU standards. This specification also includes path validation procedures in Section 6. These procedures are based upon the ISO/IEC/ITU definition, but the presentation assumes one or more self-signed trusted CA certificates. Implementations are required to derive the same results but are not required to use the specified procedures. Section 7 of the specification describes procedures for identification and encoding of public key materials and digital signatures. Implementations are not required to use any particular cryptographic algorithms. However, conforming implementations which use the identified algorithms are required to identify and encode the public key materials and digital signatures as described. Finally, four appendices are provided to aid implementers. Appendix A contains all ASN.1 structures defined or referenced within this specification. As above, the material is presented in the 1988 Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax. Appendix B contains the same information in the 1994 ASN.1 notation as a service to implementers using updated toolsets. However, Appendix A takes precedence in case of conflict. Appendix C containsHousley, et. al. Standards Track [Page 5]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999 notes on less familiar features of the ASN.1 notation used within this specification. Appendix D contains examples of a conforming certificate and a conforming CRL.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -