rfc3039.txt
Santesson, et al. Standards Track [Page 19]
RFC 3039 Qualified Certificates Profile January 2001
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
IMPORTS
-- Extension objects, GeneralName and OTHER-NAME, taken from the
-- implicitly tagged PKIX base module.
authorityKeyIdentifier, subjectKeyIdentifier, keyUsage,
extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies,
policyMappings, subjectAltName, issuerAltName, basicConstraints,
nameConstraints, policyConstraints, cRLDistributionPoints,
subjectDirectoryAttributes, authorityInfoAccess, GeneralName,
OTHER-NAME
FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit-93(4)}
-- The ATTRIBUTE and EXTENSION information object classes, the
-- parameterized DirectoryString type with its ub-name bound, the
-- id-pkix, id-pe and id-at arcs that the OIDs below hang off, and
-- the standard X.520 attributes reused in SupportedAttributes, taken
-- from the explicitly tagged PKIX base module.
id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION,
DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName,
id-at-surname, id-at-countryName, id-at-localityName,
id-at-stateOrProvinceName, id-at-organizationName,
id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier,
pkcs9email, title, organizationName, organizationalUnitName,
stateOrProvinceName, localityName, countryName,
generationQualifier, dnQualifier, initials, givenName, surname,
commonName, name
FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit-93(3)};
-- Object Identifiers
-- Externally defined OIDs
id-at-serialNumber OBJECT IDENTIFIER ::= { id-at 5}   -- X.520 serialNumber attribute
id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 }   -- X.520 postalAddress attribute
id-at-pseudonym OBJECT IDENTIFIER ::= { id-at 65 }   -- X.520 pseudonym attribute
id-domainComponent OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 }   -- RFC 2247 domainComponent (dc)
-- Locally defined OIDs
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }   -- parent arc of the id-pda-* attribute OIDs below
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }   -- parent arc of id-qcs-pkixQCSyntax-v1 below
-- Private extensions
Santesson, et al. Standards Track [Page 20]
RFC 3039 Qualified Certificates Profile January 2001
id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 }   -- identifies the biometricInfo extension
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }   -- identifies the qcStatements extension
-- Personal data attributes
-- One OID per attribute in PersonalDataAttributeSet (title excepted,
-- which is imported); each is bound to its syntax in the Attributes
-- section below.
id-pda-dateOfBirth OBJECT IDENTIFIER ::= { id-pda 1 }
id-pda-placeOfBirth OBJECT IDENTIFIER ::= { id-pda 2 }
id-pda-gender OBJECT IDENTIFIER ::= { id-pda 3 }
id-pda-countryOfCitizenship OBJECT IDENTIFIER ::= { id-pda 4 }
id-pda-countryOfResidence OBJECT IDENTIFIER ::= { id-pda 5 }
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }   -- statementId of qcStatement-1 (version 1 of this profile)
-- Object Sets
-- The following information object set is defined to constrain the
-- set of legal certificate extensions. Note that this set is an
-- extension of the ExtensionSet defined in RFC 2459.
ExtensionSet EXTENSION ::= {
-- The fifteen extension objects below are the ones imported from
-- PKIX1Implicit93 in the IMPORTS clause.
authorityKeyIdentifier |
subjectKeyIdentifier |
keyUsage |
extendedKeyUsage |
privateKeyUsagePeriod |
certificatePolicies |
policyMappings |
subjectAltName |
issuerAltName |
basicConstraints |
nameConstraints |
policyConstraints |
cRLDistributionPoints |
subjectDirectoryAttributes |
authorityInfoAccess |
-- The two private extensions defined later in this module.
biometricInfo |
qcStatements, ... }   -- extensible: further extension objects may be added
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- distinguished names. The set may of course be augmented to meet
-- local requirements. Note that deleting members of the set may
-- prevent interoperability with conforming implementations, and that
-- this set is an extension of the SupportedAttributes set in RFC 2459.
SupportedAttributes ATTRIBUTE ::= {
-- countryName, commonName, surname, givenName, organizationName,
-- organizationalUnitName, stateOrProvinceName, localityName,
-- pkcs9email and dnQualifier are the X.520 attributes imported from
-- PKIX1Explicit93; pseudonym, serialNumber, postalAddress and
-- domainComponent are defined in the Attributes section below.
countryName | commonName | surname | givenName | pseudonym |
serialNumber | organizationName | organizationalUnitName |
stateOrProvinceName | localityName | postalAddress |
Santesson, et al. Standards Track [Page 21]
RFC 3039 Qualified Certificates Profile January 2001
pkcs9email | domainComponent | dnQualifier,
... -- For future extensions -- }
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- subjectDirectoryAttribute extensions. The set may be augmented to
-- meet local requirements. Note that deleting members of the set
-- may prevent interoperability with conforming implementations.
PersonalDataAttributeSet ATTRIBUTE ::= {
-- title is imported from PKIX1Explicit93; the remaining five are the
-- id-pda attributes defined below. The trailing ... keeps the set
-- extensible.
title | dateOfBirth | placeOfBirth | gender | countryOfCitizenship |
countryOfResidence, ... }
-- Attributes
-- serialNumber from X.520
-- A subject DN attribute (1 to 64 printable characters); this is the
-- X.520 attribute, not the certificate's own serialNumber field.
serialNumber ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1..64))
ID id-at-serialNumber }
-- postalAddress from X.520
-- One to six address lines, each a DirectoryString bounded at 30
-- characters by the parameter.
postalAddress ATTRIBUTE ::= {
WITH SYNTAX SEQUENCE SIZE (1..6) OF DirectoryString { 30 }
ID id-at-postalAddress }
-- pseudonym from (forthcoming) X.520
-- A DirectoryString bounded by ub-name, usable in the subject DN in
-- place of a real name.
pseudonym ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-at-pseudonym }
-- domainComponent from RFC 2247
-- One DNS label per attribute value, as an IA5String.
domainComponent ATTRIBUTE ::= {
WITH SYNTAX IA5String
ID id-domainComponent }
-- Date of birth as a GeneralizedTime; the Appendix C example encodes
-- it with a zero time of day and a trailing Z ("197110140000Z").
dateOfBirth ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
ID id-pda-dateOfBirth }
-- Place of birth as a DirectoryString bounded by ub-name; the Appendix C
-- example carries it as a utf8String.
placeOfBirth ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-pda-placeOfBirth }
gender ATTRIBUTE ::= {
-- Exactly one character drawn from "M", "F", "m" or "f"; the ^ joins
-- the size and alphabet constraints, so both must hold.
WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
ID id-pda-gender }
countryOfCitizenship ATTRIBUTE ::= {
-- Two character country code, as in the "DE" value of Appendix C.
-- CONSTRAINED BY is a user defined constraint that an ASN.1 codec
-- cannot enforce on its own; an application that relies on the value
-- must check it against ISO 3166 itself.
WITH SYNTAX PrintableString (SIZE (2))
Santesson, et al. Standards Track [Page 22]
RFC 3039 Qualified Certificates Profile January 2001
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfCitizenship }
countryOfResidence ATTRIBUTE ::= {
-- Same shape as countryOfCitizenship: two characters, and the ISO 3166
-- restriction is a user defined constraint that the application, not
-- the ASN.1 codec, has to verify.
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfResidence }
-- Private extensions
-- Biometric info extension
-- Extension object binding the BiometricSyntax value type to
-- id-pe-biometricInfo; listed in ExtensionSet above.
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
BiometricSyntax ::= SEQUENCE OF BiometricData   -- no SIZE bound, so an empty sequence is syntactically allowed
BiometricData ::= SEQUENCE {
-- Kind of biometric the hash covers: a predefined code or an OID.
typeOfBiometricData TypeOfBiometricData,
-- Hash algorithm under which biometricDataHash was computed.
hashAlgorithm AlgorithmIdentifier,
-- Only the hash of the biometric data is carried in the certificate,
-- not the data itself.
biometricDataHash OCTET STRING,
-- Optional location of the source data. The URI string is signed as
-- part of the certificate, but whatever is retrieved from it is not;
-- retrieved data should be hashed with hashAlgorithm and compared
-- against biometricDataHash before it is used.
sourceDataUri IA5String OPTIONAL,
... -- For future extensions -- }
TypeOfBiometricData ::= CHOICE {
-- Either one of the INTEGER codes below or an arbitrary OID for types
-- this module does not predefine.
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
-- picture(0) and handwritten-signature(1) are the only named values,
-- but the value constraint ends in ..., so decoders should expect and
-- tolerate other integers from future versions.
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
-- QC Statements Extension
-- Extension object binding the QCStatements value type to
-- id-pe-qcStatements; listed in ExtensionSet above.
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
QCStatements ::= SEQUENCE OF QCStatement   -- no SIZE bound; each entry is one statement
QCStatement ::= SEQUENCE {
-- OID of the statement, drawn from the SupportedStatements object set.
statementId QC-STATEMENT.&id({SupportedStatements}),
-- Open type whose actual ASN.1 type is the &Type of the object in
-- SupportedStatements whose &id equals statementId; absent when that
-- object defines no &Type.
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QC-STATEMENT ::= CLASS {
-- &id is the statement OID and must be unique within an object set;
-- &Type is the optional ASN.1 type of the statement's statementInfo.
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL }
Santesson, et al. Standards Track [Page 23]
RFC 3039 Qualified Certificates Profile January 2001
-- Definition template; the SYNTAX part is omitted for a statement
-- that carries no statementInfo.
WITH SYNTAX {
[SYNTAX &Type] IDENTIFIED BY &id }
-- The one statement object this module defines: statementId
-- id-qcs-pkixQCSyntax-v1 with a SemanticsInformation statementInfo.
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). The SemanticsInformation may optionally contain
-- additional semantics information as specified.
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
-- Both components are individually optional, but the constraint
-- below requires at least one of them to be present, so an empty
-- SemanticsInformation is not a valid value.
}(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName   -- at least one name; Appendix C uses "municipality@darmstadt.de"
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize as QCSs.
-- Object set that fixes which statementId values, and which
-- statementInfo types, a QCStatement may carry; extensible.
SupportedStatements QC-STATEMENT ::= {
qcStatement-1, ... -- For future extensions -- }
END
B. A Note on Attributes
This document defines several new attributes, both for use in the
subject field of issued certificates and in the
subjectDirectoryAttributes extension. In the interest of conformity,
they have been defined here using the ASN.1 ATTRIBUTE definition from
RFC 2459, which is sufficient for the purposes of this document, but
greatly simplified in comparison with ISO/ITU's definition. A
complete definition of these new attributes (including matching
rules), along with object classes to support them in LDAP-accessible
directories, can be found in [PKCS 9].
C. Example Certificate
This section contains the ASN.1 structure, an ASN.1 dump, and the
DER-encoding of a certificate issued in conformance with this
profile. The example has been developed with the help of the OSS
ASN.1 compiler. The certificate has the following characteristics:
1. The certificate is signed with RSA and the SHA-1 hash
algorithm
2. The issuer's distinguished name is O=GMD - Forschungszentrum
Informationstechnik GmbH; C=DE
Santesson, et al. Standards Track [Page 24]
RFC 3039 Qualified Certificates Profile January 2001
3. The subject's distinguished name is CN=Petra M. Barzin, O=GMD
- Forschungszentrum Informationstechnik GmbH, C=DE
4. The certificate was issued on May 1, 2000 and will expire on
November 1, 2000
5. The certificate contains a 1024 bit RSA key
6. The certificate includes a critical key usage extension
exclusively indicating non-repudiation
7. The certificate includes a certificate policy identifier
extension indicating the practices and procedures undertaken
by the issuing CA (object identifier 1.3.36.8.1.1). The
certificate policy object identifier is defined by TeleTrust,
Germany. It is required to be set in a certificate conformant
to the German digital signature law.
8. The certificate includes a subject directory attributes
extension containing the following attributes:
surname: Barzin
given name: Petra
date of birth: October, 14th 1971
place of birth: Darmstadt
country of citizenship: Germany
gender: Female
9. The certificate includes a qualified statement private
extension indicating the naming registration authority's
name as "municipality@darmstadt.de".
10. The certificate includes, in conformance with RFC 2459, an
authority key identifier extension.
C.1 ASN.1 Structure
C.1.1 Extensions
Since extensions are DER-encoded already when placed in the structure
to be signed, they are for clarity shown here in the value notation
defined in [X.680].
C.1.1.1 The subjectDirectoryAttributes extension
petrasSubjDirAttrs AttributesSyntax ::= {
{
type id-pda-countryOfCitizenship,
values {
PrintableString : "DE"
}
},
{
type id-pda-gender,
Santesson, et al. Standards Track [Page 25]
RFC 3039 Qualified Certificates Profile January 2001
values {
PrintableString : "F"
}
},
{
type id-pda-dateOfBirth,
values {
GeneralizedTime : "197110140000Z"
}
},
{
type id-pda-placeOfBirth,
values {
DirectoryString : utf8String : "Darmstadt"