rfc2312.txt

来自「RFC 的详细文档！」· 文本 代码 · 共 1,124 行 · 第 1/3 页

   For instance, a secure Internet mail agent may resort to checking a
   centralized certificate retrieval mechanism for a certificate if it
   can not be found in a user's local certificate storage/retrieval
   database.

   Receiving and sending agents SHOULD provide a mechanism for the
   import and export of certificates, using a PKCS #7 certs-only
   message. This allows for import and export of full certificate chains
   as opposed to just a single certificate. This is described in
   [SMIME-MSG].








Dusse, et. al.               Informational                      [Page 7]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


4.1 Certificate Revocation Lists

   A receiving agent SHOULD have access to some certificate-revocation
   list (CRL) retrieval mechanism in order to gain access to
   certificate-revocation information when validating certificate
   chains. A receiving or sending agent SHOULD also provide a mechanism
   to allow a user to store incoming certificate-revocation information
   for correspondents in such a way so as to guarantee its later
   retrieval. However, it is always better to get the latest information
   from the CA than to get information stored away from incoming
   messages.

   Receiving and sending agents SHOULD retrieve and utilize CRL
   information every time a certificate is verified as part of a
   certificate chain validation even if the certificate was already
   verified in the past.  However, in many instances (such as off-line
   verification) access to the latest CRL information may be difficult
   or impossible. The use of CRL information, therefore, may be dictated
   by the value of the information that is protected. The value of the
   CRL information in a particular context is beyond the scope of this
   memo but may be governed by the policies associated with particular
   certificate hierarchies.

4.2 Certificate Chain Validation

   In creating a user agent for secure messaging, certificate, CRL, and
   certificate chain validation SHOULD be highly automated while still
   acting in the best interests of the user. Certificate, CRL, and chain
   validation MUST be performed when validating a correspondent's public
   key. This is necessary when a) verifying a signature from a
   correspondent and, b) creating a digital envelope with the
   correspondent as the intended recipient.

   Certificates and CRLs are made available to the chain validation
   procedure in two ways: a) incoming messages, and b) certificate and
   CRL retrieval mechanisms. Certificates and CRLs in incoming messages
   are not required to be in any particular order nor are they required
   to be in any way related to the sender or recipient of the message
   (although in most cases they will be related to the sender). Incoming
   certificates and CRLs SHOULD be cached for use in chain validation
   and optionally stored for later use. This temporary certificate and
   CRL cache SHOULD be used to augment any other certificate and CRL
   retrieval mechanisms for chain validation on incoming signed
   messages.







Dusse, et. al.               Informational                      [Page 8]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


4.3 Certificate and CRL Signing Algorithms

   Certificates and Certificate-Revocation Lists (CRLs) are signed by
   the certificate issuer. A receiving agent MUST be capable of
   verifying the signatures on certificates andCRLs made with
   md5WithRSAEncryption and sha-1WithRSAEncryption signature algorithms
   with key sizes from 512 bits to 2048 bits described in [SMIME-MSG]. A
   receiving agent SHOULD be capable of verifying the signatures on
   certificates and CRLs made with the md2WithRSAEncryption signature
   algorithm with key sizes from 512 bits to 2048 bits.

4.4 X.509 Version 3 Certificate Extensions

   The X.509 v3 standard describes an extensible framework in which the
   basic certificate information can be extended and how such extensions
   can be used to control the process of issuing and validating
   certificates. The PKIX Working Group has ongoing efforts to identify
   and create extensions which have value in particular certification
   environments. As such, there is still a fair amount of profiling work
   to be done before there is widespread agreement on which v3
   extensions will be used. Further, there are active efforts underway
   to issue X.509 v3 certificates for business purposes. This memo
   identifies the minumum required set of certificate extensions which
   have the greatest value in the S/MIME environment. The
   basicConstraints, and keyUsage extensions are defined in [X.509].

   Sending and receiving agents MUST correctly handle the v3 Basic
   Constraints Certificate Extension, the Key Usage Certificate
   Extension, authorityKeyID, subjectKeyID, and the subjectAltNames when
   they appear in end-user certificates. Some mechanism SHOULD exist to
   handle the defined v3 certificate extensions when they appear in
   intermediate or CA certificates.

   Certificates issued for the S/MIME environment SHOULD NOT contain any
   critical extensions other than those listed here. These extensions
   SHOULD be marked as non-critical unless the proper handling of the
   extension is deemed critical to the correct interpretation of the
   associated certificate. Other extensions may be included, but those
   extensions SHOULD NOT be marked as critical.

4.4.1 Basic Constraints Certificate Extension

   The basic constraints extension serves to delimit the role and
   position of an issuing authority or end-user certificate plays in a
   chain of certificates.






Dusse, et. al.               Informational                      [Page 9]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


   For example, certificates issued to CAs and subordinate CAs contain a
   basic constraint extension that identifies them as issuing authority
   certificates. End-user subscriber certificates contain an extension
   that constrains the certificate from being an issuing authority
   certificate.

   Certificates SHOULD contain a basicContstraints extension.

4.4.2 Key Usage Certificate Extension

   The key usage extension serves to limit the technical purposes for
   which a public key listed in a valid certificate may be used. Issuing
   authority certificates may contain a key usage extension that
   restricts the key to signing certificates, certificate revocation
   lists and other data.

   For example, a certification authority may create subordinate issuer
   certificates which contain a keyUsage extension which specifies that
   the corresponding public key can be used to sign end user certs and
   sign CRLs.

5. Generating Keys and Certification Requests

5.1 Binding Names and Keys

   An S/MIME agent or some related administrative utility or function
   MUST be capable of generating a certification request given a user's
   public key and associated name information. In most cases, the user's
   public key/private key pair will be generated simultaneously.
   However, there are cases where the keying information may be
   generated by an external process (such as when a key pair is
   generated on a cryptographic token or by a "key recovery" service).

   There SHOULD NOT be multiple valid (that is, non-expired and non-
   revoked) certificates for the same key pair bound to different
   Distinguished Names.  Otherwise, a security flaw exists where an
   attacker can substitute one valid certificate for another in such a
   way that can not be detected by a message recipient. If a users
   wishes to change their name (or create an alternate name), the user
   agent SHOULD generate a new key pair. If the user wishes to reuse an
   existing key pair with a new or alternate name, the user SHOULD first
   have any valid certificates for the existing public key revoked.

   In general, it is possible for a user to request certification for
   the same name and different public key from the same or different
   certification authorities.  This is acceptable both for end-entity
   and issuer certificates and can be useful in supporting a change of
   issuer keys in a smooth fashion.



Dusse, et. al.               Informational                     [Page 10]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


   CAs that re-use their own name with distinct keys MUST include the
   AuthorityKeyIdentifier extension in certificates that they issue, and
   MUST have the SubjectKeyIdentifier extension in their own
   certificate. CAs SHOULD use these extensions uniformly.

   Clients SHOULD handle multiple valid CA certificates that certify
   different public keys but contain the same subject name (in this
   case, that CA's name).

   When selecting an appropriate issuer's certificate to use to verify a
   given certificate, clients SHOULD process the AuthorityKeyIdentifier
   and SubjectKeyIdentifier extensions.

   5.2 Using PKCS #10 for Certification Requests

   PKCS #10 is a flexible and extensible message format for representing
   the results of cryptographic operations on some data. The choice of
   naming information is largely dictated by the policies and procedures
   associated with the intended certification service.

   In addition to key and naming information, the PKCS #10 format
   supports the inclusion of optional attributes, signed by the entity
   requesting certification. This allows for information to be conveyed
   in a certification request which may be useful to the request
   process, but not necessarily part of the Distinguished Name being
   certified.

   Receiving agents MUST support the identification of an RSA key with
   the rsa defined in X.509 and the rsaEncryption OID. Certification
   authorities MUST support sha-1WithRSAEncryption and
   md5WithRSAEncryption and SHOULD support MD2WithRSAEncryption for
   verification of signatures on certificate requests as described in
   [SMIME-MSG].

   For the creation and submission of certification-requests, RSA keys
   SHOULD be identified with the rsaEncryption OID and signed with the
   sha-1WithRSAEncryption signature algorithm.  Certification-requests
   MUST NOT be signed with the md2WithRSAEncryption signature algorithm.

   Certification requests MUST include a valid Internet mail address,
   either as part of the certificate (as described in 3.2) or as part of
   the PKCS #10 attribute list. Certification authorities MUST check
   that the address in the "From:" header matches either of these
   addresses. CAs SHOULD allow the CA operator to configure processing
   of messages whose addresses do not match.






Dusse, et. al.               Informational                     [Page 11]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


   Certification authorities SHOULD support parsing of zero or one
   instance of each of the following set of certification-request
   attributes on incoming messages. Attributes that a particular
   implementation does not support may generate a warning message to the
   requestor, or may be silently ignored.  Inclusion of the following
   attributes during the creation and submission of a certification-
   request will most likely be dictated by the policies associated with
   the certification service which will certify the corresponding name
   and public key.

   postalAddress
   challengePassword
   unstructuredAddress

   postalAddress is described in [X.520].

5.2.1 Challenge Password

   The challenge-password attribute type specifies a password by which
   an entity may request certificate revocation. The interpretation of
   the password is intended to be specified by the issuer of the
   certificate; no particular interpretation is required. The
   challenge-password attribute type is intended for PKCS #10
   certification requests.

Challenge-password attribute values have ASN.1 type ChallengePassword:

ChallengePassword ::= CHOICE {
  PrintableString, T61String }

A challenge-password attribute must have a single attribute value.

It is expected that if UCS becomes an ASN.1 type
(e.g., UNIVERSAL STRING),
ChallengePassword will become a CHOICE type:

ChallengePassword ::= CHOICE {
    PrintableString, T61String, UNIVERSAL STRING }

5.2.2 Unstructured Address

   The unstructured-address attribute type specifies the address or
   addresses of the subject of a certificate as an unstructured ASCII or
   T.61 string.  The interpretation of the addresses is intended to be
   specified by the issuer of the certificate; no particular
   interpretation is required. A likely interpretation is as an
   alternative to the X.520 postalAddress attribute type. The
   unstructured-address attribute type is intended for PKCS #10



Dusse, et. al.               Informational                     [Page 12]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


   certification requests.

   Unstructured-address attribute values have
   ASN.1 type UnstructuredAddress:

   UnstructuredAddress ::= CHOICE {
     PrintableString, T61String }

   An unstructured-address attribute can have multiple attribute values.

   Note: T.61's newline character (hexadecimal code 0d) is recommended
   as a line separator in multi-line addresses.

   It is expected that if UCS becomes an ASN.1 type (e.g., UNIVERSAL
   STRING), UnstructuredAddress will become a CHOICE type:

   UnstructuredAddress ::= CHOICE {
       PrintableString, T61String, UNIVERSAL STRING }

5.3 Fulfilling a Certification Request

   Certification authorities SHOULD use the sha-1WithRSAEncryption
   signature algorithms when signing certificates.

5.4 Using PKCS #7 for Fulfilled Certificate Response

   [PKCS-7] supports a degenerate case of the SignedData content type
   where there are no signers on the content (and hence, the content
   value is "irrelevant"). This degenerate case is used to convey
   certificate and CRL information. Certification authorities MUST use
   this format for returning certificate information resulting from the
   successful fulfillment of a certification request. At a minimum, the
   fulfilled certificate response MUST include the actual subject
   certificate (corresponding to the information in the certification
   request). The response SHOULD include other certificates which link
   the issuer to higher level certification authorities and
   corresponding certificate-revocation lists. Unrelated certificates
   and revocation information is also acceptable.

   Receiving agents MUST parse this degenerate PKCS #7 message type and
   handle the certificates and CRLs according to the requirements and
   recommendations in Section 4.









Dusse, et. al.               Informational                     [Page 13]

RFC 2312        S/MIME Version 2 Certificate Handling         March 1998


6. Security Considerations

   All of the security issues faced by any cryptographic application
   must be faced by a S/MIME agent. Among these issues are protecting
   the user's private key, preventing various attacks, and helping the
   user avoid mistakes such as inadvertently encrypting a message for
   the wrong recipient. The entire list of security considerations is
   beyond the scope of this document, but some significant concerns are
   listed here.

   When processing certificates, there are many situations where the
   processing might fail. Because the processing may be done by a user
   agent, a security gateway, or other program, there is no single way
   to handle such failures. Just because the methods to handle the
   failures has not been listed, however, the reader should not assume
   that they are not important.  The opposite is true: if a certificate