rfc2459.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 1,410 行 · 第 1/5 页
TXT
1,410 行
Network Working Group R. Housley
Request for Comments: 2459 SPYRUS
Category: Standards Track W. Ford
VeriSign
W. Polk
NIST
D. Solo
Citicorp
January 1999
Internet X.509 Public Key Infrastructure
Certificate and CRL Profile
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use
in the Internet. An overview of the approach and model are provided
as an introduction. The X.509 v3 certificate format is described in
detail, with additional information regarding the format and
semantics of Internet name forms (e.g., IP addresses). Standard
certificate extensions are described and one new Internet-specific
extension is defined. A required set of certificate extensions is
specified. The X.509 v2 CRL format is described and a required
extension set is defined as well. An algorithm for X.509 certificate
path validation is described. Supplemental information is provided
describing the format of public keys and digital signatures in X.509
certificates for common Internet public key encryption algorithms
(i.e., RSA, DSA, and Diffie-Hellman). ASN.1 modules and examples are
provided in the appendices.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
Housley, et. al. Standards Track [Page 1]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
Please send comments on this document to the ietf-pkix@imc.org mail
list.
TTTTaaaabbbblllleeee ooooffff CCCCoooonnnntttteeeennnnttttssss
1 Introduction ................................................ 5
2 Requirements and Assumptions ................................ 6
2.1 Communication and Topology ................................ 6
2.2 Acceptability Criteria .................................... 7
2.3 User Expectations ......................................... 7
2.4 Administrator Expectations ................................ 7
3 Overview of Approach ........................................ 7
3.1 X.509 Version 3 Certificate ............................... 9
3.2 Certification Paths and Trust ............................. 10
3.3 Revocation ................................................ 12
3.4 Operational Protocols ..................................... 13
3.5 Management Protocols ...................................... 13
4 Certificate and Certificate Extensions Profile .............. 15
4.1 Basic Certificate Fields .................................. 15
4.1.1 Certificate Fields ...................................... 16
4.1.1.1 tbsCertificate ........................................ 16
4.1.1.2 signatureAlgorithm .................................... 16
4.1.1.3 signatureValue ........................................ 17
4.1.2 TBSCertificate .......................................... 17
4.1.2.1 Version ............................................... 17
4.1.2.2 Serial number ......................................... 18
4.1.2.3 Signature ............................................. 18
4.1.2.4 Issuer ................................................ 18
4.1.2.5 Validity .............................................. 21
4.1.2.5.1 UTCTime ............................................. 22
4.1.2.5.2 GeneralizedTime ..................................... 22
4.1.2.6 Subject ............................................... 22
4.1.2.7 Subject Public Key Info ............................... 23
4.1.2.8 Unique Identifiers .................................... 24
4.1.2.9 Extensions ............................................. 24
4.2 Certificate Extensions .................................... 24
4.2.1 Standard Extensions ..................................... 25
4.2.1.1 Authority Key Identifier .............................. 25
4.2.1.2 Subject Key Identifier ................................ 26
4.2.1.3 Key Usage ............................................. 27
4.2.1.4 Private Key Usage Period .............................. 29
4.2.1.5 Certificate Policies .................................. 29
4.2.1.6 Policy Mappings ....................................... 31
4.2.1.7 Subject Alternative Name .............................. 32
Housley, et. al. Standards Track [Page 2]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
4.2.1.8 Issuer Alternative Name ............................... 34
4.2.1.9 Subject Directory Attributes .......................... 34
4.2.1.10 Basic Constraints .................................... 35
4.2.1.11 Name Constraints ..................................... 35
4.2.1.12 Policy Constraints ................................... 37
4.2.1.13 Extended key usage field ............................. 38
4.2.1.14 CRL Distribution Points .............................. 39
4.2.2 Private Internet Extensions ............................. 40
4.2.2.1 Authority Information Access .......................... 41
5 CRL and CRL Extensions Profile .............................. 42
5.1 CRL Fields ................................................ 43
5.1.1 CertificateList Fields .................................. 43
5.1.1.1 tbsCertList ........................................... 44
5.1.1.2 signatureAlgorithm .................................... 44
5.1.1.3 signatureValue ........................................ 44
5.1.2 Certificate List "To Be Signed" ......................... 44
5.1.2.1 Version ............................................... 45
5.1.2.2 Signature ............................................. 45
5.1.2.3 Issuer Name ........................................... 45
5.1.2.4 This Update ........................................... 45
5.1.2.5 Next Update ........................................... 45
5.1.2.6 Revoked Certificates .................................. 46
5.1.2.7 Extensions ............................................ 46
5.2 CRL Extensions ............................................ 46
5.2.1 Authority Key Identifier ................................ 47
5.2.2 Issuer Alternative Name ................................. 47
5.2.3 CRL Number .............................................. 47
5.2.4 Delta CRL Indicator ..................................... 48
5.2.5 Issuing Distribution Point .............................. 48
5.3 CRL Entry Extensions ...................................... 49
5.3.1 Reason Code ............................................. 50
5.3.2 Hold Instruction Code ................................... 50
5.3.3 Invalidity Date ......................................... 51
5.3.4 Certificate Issuer ...................................... 51
6 Certificate Path Validation ................................. 52
6.1 Basic Path Validation ..................................... 52
6.2 Extending Path Validation ................................. 56
7 Algorithm Support ........................................... 57
7.1 One-way Hash Functions .................................... 57
7.1.1 MD2 One-way Hash Function ............................... 57
7.1.2 MD5 One-way Hash Function ............................... 58
7.1.3 SHA-1 One-way Hash Function ............................. 58
7.2 Signature Algorithms ...................................... 58
7.2.1 RSA Signature Algorithm ................................. 59
7.2.2 DSA Signature Algorithm ................................. 60
7.3 Subject Public Key Algorithms ............................. 60
7.3.1 RSA Keys ................................................ 61
7.3.2 Diffie-Hellman Key Exchange Key ......................... 61
Housley, et. al. Standards Track [Page 3]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
7.3.3 DSA Signature Keys ...................................... 63
8 References .................................................. 64
9 Intellectual Property Rights ................................ 66
10 Security Considerations .................................... 67
Appendix A. ASN.1 Structures and OIDs ......................... 70
A.1 Explicitly Tagged Module, 1988 Syntax ...................... 70
A.2 Implicitly Tagged Module, 1988 Syntax ...................... 84
Appendix B. 1993 ASN.1 Structures and OIDs .................... 91
B.1 Explicitly Tagged Module, 1993 Syntax ...................... 91
B.2 Implicitly Tagged Module, 1993 Syntax ...................... 108
Appendix C. ASN.1 Notes ....................................... 116
Appendix D. Examples .......................................... 117
D.1 Certificate ............................................... 117
D.2 Certificate ............................................... 120
D.3 End-Entity Certificate Using RSA .......................... 123
D.4 Certificate Revocation List ............................... 126
Appendix E. Authors' Addresses ................................ 128
Appendix F. Full Copyright Statement .......................... 129
Housley, et. al. Standards Track [Page 4]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
1 Introduction
This specification is one part of a family of standards for the X.509
Public Key Infrastructure (PKI) for the Internet. This specification
is a standalone document; implementations of this standard may
proceed independent from the other parts.
This specification profiles the format and semantics of certificates
and certificate revocation lists for the Internet PKI. Procedures
are described for processing of certification paths in the Internet
environment. Encoding rules are provided for popular cryptographic
algorithms. Finally, ASN.1 modules are provided in the appendices
for all data structures defined or referenced.
The specification describes the requirements which inspire the
creation of this document and the assumptions which affect its scope
in Section 2. Section 3 presents an architectural model and
describes its relationship to previous IETF and ISO/IEC/ITU
standards. In particular, this document's relationship with the IETF
PEM specifications and the ISO/IEC/ITU X.509 documents are described.
The specification profiles the X.509 version 3 certificate in Section
4, and the X.509 version 2 certificate revocation list (CRL) in
Section 5. The profiles include the identification of ISO/IEC/ITU and
ANSI extensions which may be useful in the Internet PKI. The profiles
are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather
than the 1994 syntax used in the ISO/IEC/ITU standards.
This specification also includes path validation procedures in
Section 6. These procedures are based upon the ISO/IEC/ITU
definition, but the presentation assumes one or more self-signed
trusted CA certificates. Implementations are required to derive the
same results but are not required to use the specified procedures.
Section 7 of the specification describes procedures for
identification and encoding of public key materials and digital
signatures. Implementations are not required to use any particular
cryptographic algorithms. However, conforming implementations which
use the identified algorithms are required to identify and encode the
public key materials and digital signatures as described.
Finally, four appendices are provided to aid implementers. Appendix
A contains all ASN.1 structures defined or referenced within this
specification. As above, the material is presented in the 1988
Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax.
Appendix B contains the same information in the 1994 ASN.1 notation
as a service to implementers using updated toolsets. However,
Appendix A takes precedence in case of conflict. Appendix C contains
Housley, et. al. Standards Track [Page 5]
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?