rfc3039.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 1,771 行 · 第 1/5 页
TXT
1,771 行
Network Working Group S. Santesson
Request for Comments: 3039 AddTrust
Category: Standards Track W. Polk
NIST
P. Barzin
SECUDE
M. Nystrom
RSA Security
January 2001
Internet X.509 Public Key Infrastructure
Qualified Certificates Profile
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document forms a certificate profile for Qualified Certificates,
based on RFC 2459, for use in the Internet. The term Qualified
Certificate is used to describe a certificate with a certain
qualified status within applicable governing law. Further, Qualified
Certificates are issued exclusively to physical persons.
The goal of this document is to define a general syntax independent
of local legal requirements. The profile is however designed to
allow further profiling in order to meet specific local needs.
It is important to note that the profile does not define any legal
requirements for Qualified Certificates.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
Santesson, et al. Standards Track [Page 1]
RFC 3039 Qualified Certificates Profile January 2001
Table of Contents
1 Introduction ................................................ 2
2 Requirements and Assumptions ................................ 3
2.1 Properties ................................................ 4
2.2 Statement of Purpose ...................................... 5
2.3 Policy Issues ............................................. 5
2.4 Uniqueness of names ....................................... 5
3 Certificate and Certificate Extensions Profile .............. 6
3.1 Basic Certificate Fields .................................. 6
3.1.1 Issuer .................................................. 6
3.1.2 Subject ................................................. 6
3.2 Certificate Extensions .................................... 9
3.2.1 Subject Directory Attributes ............................ 9
3.2.2 Certificate Policies .................................... 10
3.2.3 Key Usage ............................................... 10
3.2.4 Biometric Information ................................... 11
3.2.5 Qualified Certificate Statements ........................ 12
4 Security Considerations ..................................... 14
5 References .................................................. 15
6 Intellectual Property Rights ................................ 16
A ASN.1 definitions ........................................... 17
A.1 1988 ASN.1 Module ......................................... 17
A.2 1993 ASN.1 Module ......................................... 19
B A Note on Attributes ........................................ 24
C. Example Certificate ........................................ 24
C.1 ASN.1 Structure ........................................... 25
C.1.1 Extensions ............................................... 25
C.1.2 The certificate .......................................... 27
C.2 ASN.1 Dump ................................................ 29
C.3 DER-encoding .............................................. 32
C.4 CA's public key ........................................... 33
Authors' Addresses ............................................. 34
Full Copyright Statement ....................................... 35
1 Introduction
This specification is one part of a family of standards for the X.509
Public Key Infrastructure (PKI) for the Internet. It is based on RFC
2459, which defines underlying certificate formats and semantics
needed for a full implementation of this standard.
The standard profiles the format for a specific type of certificates
named Qualified Certificates. The term Qualified Certificates and
the assumptions that affects the scope of this document are discussed
in Section 2.
Santesson, et al. Standards Track [Page 2]
RFC 3039 Qualified Certificates Profile January 2001
Section 3 defines requirements on information content in Qualified
Certificates. This profile addresses two fields in the basic
certificate as well as five certificate extensions. The certificate
fields are the subject and issuer fields. The certificate extensions
are subject directory attributes, certificate policies, key usage, a
private extension for storage of biometric data and a private
extension for storage of statements related to Qualified
Certificates. The private extensions are presented in the 1993
Abstract Syntax Notation One (ASN.1), but in conformance with RFC
2459 the 1988 ASN.1 module in Appendix A contains all normative
definitions (the 1993 module in Appendix A is informative).
In Section 4, some security considerations are discussed in order to
clarify the security context in which Qualified Certificates are
assumed to be utilized. Section 5 contains the references.
Appendix A contains all relevant ASN.1 [X.680] structures that are
not already defined in RFC 2459. Appendix B contains a note on
attributes. Appendix C contains an example certificate. Appendix D
contains authors' addresses and Appendix E contains the IETF
Copyright Statement.
It should be noted that this specification does not define the
specific semantics of Qualified Certificates, and does not define the
policies that should be used with them. That is, this document
defines what information should go into Qualified Certificates, but
not what that information means. A system that uses Qualified
Certificates must define its own semantics for the information in
Qualified Certificates. It is expected that laws and corporate
policies will make these definitions.
2 Requirements and Assumptions
The term "Qualified Certificate" has been used by the European
Commission to describe a certain type of certificates with specific
relevance for European legislation. This specification is intended
to support this class of certificates, but its scope is not limited
to this application.
Within this standard the term "Qualified Certificate" is used more
generally, describing the format for a certificate whose primary
purpose is identifying a person with high level of assurance in
public non-repudiation services. The actual mechanisms that will
decide whether a certificate should or should not be considered to be
a "Qualified Certificate" in regard to any legislation are outside
the scope of this standard.
Santesson, et al. Standards Track [Page 3]
RFC 3039 Qualified Certificates Profile January 2001
Harmonization in the field of Qualified Certificates is essential
within several aspects that fall outside the scope of RFC 2459. The
most important aspects that affect the scope of this specification
are:
- Definition of names and identity information in order to identify
the associated subject in a uniform way.
- Definition of information which identifies the CA and the
jurisdiction under which the CA operates when issuing a particular
certificate.
- Definition of key usage extension usage for Qualified
Certificates.
- Definition of information structure for storage of biometric
information.
- Definition of a standardized way to store predefined statements
with relevance for Qualified Certificates.
- Requirements for critical extensions.
2.1 Properties
A Qualified Certificate as defined in this standard is assumed to
have the following properties:
- The certificate is issued by a CA that makes a public statement
that the certificate serves the purpose of a Qualified
Certificate, as discussed in Section 2.2
- The certificate indicates a certificate policy consistent with
liabilities, practices and procedures undertaken by the CA, as
discussed in 2.3
- The certificate is issued to a natural person (living human
being).
- The certificate contains an identity based on a pseudonym or a
real name of the subject.
Santesson, et al. Standards Track [Page 4]
RFC 3039 Qualified Certificates Profile January 2001
2.2 Statement of Purpose
For a certificate to serve the purpose of being a Qualified
Certificate, this profile assumes that the CA will have to include in
the certificate information that explicitly defines this intent.
The function of this information is thus to assist any concerned
entity in evaluating the risk associated with creating or accepting
signatures that are based on a Qualified Certificate.
This profile defines two complementary ways to include this
information:
- As information defined by a certificate policy included in the
certificate policies extension, and
- As a statement included in the Qualified Certificates Statements
extension.
2.3 Policy Issues
Certain policy aspects define the context in which this profile is to
be understood and used. It is however outside the scope of this
profile to specify any policies or legal aspects that will govern
services that issue or utilize certificates according to this
profile.
It is however assumed that the issuing CA will undertake to follow a
publicly available certificate policy that is consistent with its
liabilities, practices and procedures.
2.4 Uniqueness of names
Distinguished name is originally defined in X.501 [X.501] as a
representation of a directory name, defined as a construct that
identifies a particular object from among the set of all objects. An
object can be assigned a distinguished name without being represented
by an entry in the Directory, but this name is then the name its
object entry could have had if it were represented in the Directory.
In the context of qualified certificates, a distinguished name
denotes a set of attribute values [X.501] which forms a name that is
unambiguous within a certain domain that forms either a real or a
virtual DIT (Directory Information Tree)[X.501]. In the case of
subject names the domain is assumed to be at least the issuing domain
of the CA. The distinguished name MUST be unique for each subject
entity certified by the one CA as defined by the issuer name field,
during the whole life time of the CA.
Santesson, et al. Standards Track [Page 5]
RFC 3039 Qualified Certificates Profile January 2001
3 Certificate and Certificate Extensions Profile
This section defines a profile for Qualified Certificates. The
profile is based on the Internet certificate profile RFC 2459 which
in turn is based on the X.509 version 3 format. For full
implementation of this section implementers are REQUIRED to consult
the underlying formats and semantics defined in RFC 2459.
ASN.1 definitions relevant for this section that are not supplied by
RFC 2459 are supplied in Appendix A.
3.1 Basic Certificate Fields
This specification provides additional details regarding the contents
of two fields in the basic certificate. These fields are the issuer
and subject fields.
3.1.1 Issuer
The issuer field SHALL identify the organization responsible for
issuing the certificate. The name SHOULD be an officially registered
name of the organization.
The identity of the issuer SHALL be specified using an appropriate
subset of the following attributes:
domainComponent;
countryName;
stateOrProvinceName;
organizationName;
localityName; and
serialNumber.
Additional attributes MAY be present but they SHOULD NOT be necessary
to identify the issuing organization.
Attributes present in the issuer field SHOULD be consistent with the
laws under which the issuer operates.
A relying party MAY have to consult associated certificate policies
and/or the issuer's CPS, in order to determine the semantics of name
fields and the laws under which the issuer operates.
3.1.2 Subject
The subject field of a certificate compliant with this profile SHALL
contain a distinguished name of the subject (see 2.4 for definition
of distinguished name).
Santesson, et al. Standards Track [Page 6]
RFC 3039 Qualified Certificates Profile January 2001
The subject field SHALL contain an appropriate subset of the
following attributes:
countryName;
commonName;
surname;
givenName;
pseudonym;
serialNumber;
organizationName;
organizationalUnitName;
stateOrProvinceName
localityName and
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?