tech-invite   World Map     

3GPP     Specs     Glossaries     Architecture     IMS     UICC       IETF     RFCs     Groups     SIP     ABNFs       Search

RFC 2459


Pages: 129
Top     in Index     Prev     Next
 

Internet X.509 Public Key Infrastructure Certificate and CRL Profile

Part 1 of 4, p. 1 to 24
None       Next RFC Part

Obsoleted by:    3280


Top       ToC       Page 1 
Network Working Group                                         R. Housley
Request for Comments: 2459                                        SPYRUS
Category: Standards Track                                        W. Ford
                                                                VeriSign
                                                                 W. Polk
                                                                    NIST
                                                                 D. Solo
                                                                Citicorp
                                                            January 1999


                Internet X.509 Public Key Infrastructure
                      Certificate and CRL Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This memo profiles the X.509 v3 certificate and X.509 v2 CRL for use
   in the Internet.  An overview of the approach and model are provided
   as an introduction.  The X.509 v3 certificate format is described in
   detail, with additional information regarding the format and
   semantics of Internet name forms (e.g., IP addresses).  Standard
   certificate extensions are described and one new Internet-specific
   extension is defined.  A required set of certificate extensions is
   specified.  The X.509 v2 CRL format is described and a required
   extension set is defined as well.  An algorithm for X.509 certificate
   path validation is described. Supplemental information is provided
   describing the format of public keys and digital signatures in X.509
   certificates for common Internet public key encryption algorithms
   (i.e., RSA, DSA, and Diffie-Hellman).  ASN.1 modules and examples are
   provided in the appendices.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Page 2 
   Please send comments on this document to the ietf-pkix@imc.org mail
   list.



Table of Contents

   1  Introduction ................................................    5
   2  Requirements and Assumptions ................................    6
   2.1  Communication and Topology ................................    6
   2.2  Acceptability Criteria ....................................    7
   2.3  User Expectations .........................................    7
   2.4  Administrator Expectations ................................    7
   3  Overview of Approach ........................................    7
   3.1  X.509 Version 3 Certificate ...............................    9
   3.2  Certification Paths and Trust .............................   10
   3.3  Revocation ................................................   12
   3.4  Operational Protocols .....................................   13
   3.5  Management Protocols ......................................   13
   4  Certificate and Certificate Extensions Profile ..............   15
   4.1  Basic Certificate Fields ..................................   15
   4.1.1  Certificate Fields ......................................   16
   4.1.1.1  tbsCertificate ........................................   16
   4.1.1.2  signatureAlgorithm ....................................   16
   4.1.1.3  signatureValue ........................................   17
   4.1.2  TBSCertificate ..........................................   17
   4.1.2.1  Version ...............................................   17
   4.1.2.2  Serial number .........................................   18
   4.1.2.3  Signature .............................................   18
   4.1.2.4  Issuer ................................................   18
   4.1.2.5  Validity ..............................................   21
   4.1.2.5.1  UTCTime .............................................   22
   4.1.2.5.2  GeneralizedTime .....................................   22
   4.1.2.6  Subject ...............................................   22
   4.1.2.7  Subject Public Key Info ...............................   23
   4.1.2.8  Unique Identifiers ....................................   24
   4.1.2.9 Extensions .............................................   24
   4.2  Certificate Extensions ....................................   24
   4.2.1  Standard Extensions .....................................   25
   4.2.1.1  Authority Key Identifier ..............................   25
   4.2.1.2  Subject Key Identifier ................................   26
   4.2.1.3  Key Usage .............................................   27
   4.2.1.4  Private Key Usage Period ..............................   29
   4.2.1.5  Certificate Policies ..................................   29
   4.2.1.6  Policy Mappings .......................................   31
   4.2.1.7  Subject Alternative Name ..............................   32

Top      ToC       Page 3 
   4.2.1.8  Issuer Alternative Name ...............................   34
   4.2.1.9  Subject Directory Attributes ..........................   34
   4.2.1.10  Basic Constraints ....................................   35
   4.2.1.11  Name Constraints .....................................   35
   4.2.1.12  Policy Constraints ...................................   37
   4.2.1.13  Extended key usage field .............................   38
   4.2.1.14  CRL Distribution Points ..............................   39
   4.2.2  Private Internet Extensions .............................   40
   4.2.2.1  Authority Information Access ..........................   41
   5  CRL and CRL Extensions Profile ..............................   42
   5.1  CRL Fields ................................................   43
   5.1.1  CertificateList Fields ..................................   43
   5.1.1.1  tbsCertList ...........................................   44
   5.1.1.2  signatureAlgorithm ....................................   44
   5.1.1.3  signatureValue ........................................   44
   5.1.2  Certificate List "To Be Signed" .........................   44
   5.1.2.1  Version ...............................................   45
   5.1.2.2  Signature .............................................   45
   5.1.2.3  Issuer Name ...........................................   45
   5.1.2.4  This Update ...........................................   45
   5.1.2.5  Next Update ...........................................   45
   5.1.2.6  Revoked Certificates ..................................   46
   5.1.2.7  Extensions ............................................   46
   5.2  CRL Extensions ............................................   46
   5.2.1  Authority Key Identifier ................................   47
   5.2.2  Issuer Alternative Name .................................   47
   5.2.3  CRL Number ..............................................   47
   5.2.4  Delta CRL Indicator .....................................   48
   5.2.5  Issuing Distribution Point ..............................   48
   5.3  CRL Entry Extensions ......................................   49
   5.3.1  Reason Code .............................................   50
   5.3.2  Hold Instruction Code ...................................   50
   5.3.3  Invalidity Date .........................................   51
   5.3.4  Certificate Issuer ......................................   51
   6  Certificate Path Validation .................................   52
   6.1  Basic Path Validation .....................................   52
   6.2  Extending Path Validation .................................   56
   7  Algorithm Support ...........................................   57
   7.1  One-way Hash Functions ....................................   57
   7.1.1  MD2 One-way Hash Function ...............................   57
   7.1.2  MD5 One-way Hash Function ...............................   58
   7.1.3  SHA-1 One-way Hash Function .............................   58
   7.2  Signature Algorithms ......................................   58
   7.2.1  RSA Signature Algorithm .................................   59
   7.2.2  DSA Signature Algorithm .................................   60
   7.3  Subject Public Key Algorithms .............................   60
   7.3.1  RSA Keys ................................................   61
   7.3.2  Diffie-Hellman Key Exchange Key .........................   61

Top      ToC       Page 4 
   7.3.3  DSA Signature Keys ......................................   63
   8  References ..................................................   64
   9  Intellectual Property Rights ................................   66
   10  Security Considerations ....................................   67
   Appendix A.  ASN.1 Structures and OIDs .........................   70
   A.1 Explicitly Tagged Module, 1988 Syntax ......................   70
   A.2 Implicitly Tagged Module, 1988 Syntax ......................   84
   Appendix B.  1993 ASN.1 Structures and OIDs ....................   91
   B.1 Explicitly Tagged Module, 1993 Syntax ......................   91
   B.2 Implicitly Tagged Module, 1993 Syntax ......................  108
   Appendix C.  ASN.1 Notes .......................................  116
   Appendix D.  Examples ..........................................  117
   D.1  Certificate ...............................................  117
   D.2  Certificate ...............................................  120
   D.3  End-Entity Certificate Using RSA ..........................  123
   D.4  Certificate Revocation List ...............................  126
   Appendix E.  Authors' Addresses ................................  128
   Appendix F.  Full Copyright Statement ..........................  129

Top      ToC       Page 5 
1  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  This specification
   is a standalone document; implementations of this standard may
   proceed independent from the other parts.

   This specification profiles the format and semantics of certificates
   and certificate revocation lists for the Internet PKI.  Procedures
   are described for processing of certification paths in the Internet
   environment.  Encoding rules are provided for popular cryptographic
   algorithms.  Finally, ASN.1 modules are provided in the appendices
   for all data structures defined or referenced.

   The specification describes the requirements which inspire the
   creation of this document and the assumptions which affect its scope
   in Section 2.  Section 3 presents an architectural model and
   describes its relationship to previous IETF and ISO/IEC/ITU
   standards.  In particular, this document's relationship with the IETF
   PEM specifications and the ISO/IEC/ITU X.509 documents are described.

   The specification profiles the X.509 version 3 certificate in Section
   4, and the X.509 version 2 certificate revocation list (CRL) in
   Section 5. The profiles include the identification of ISO/IEC/ITU and
   ANSI extensions which may be useful in the Internet PKI. The profiles
   are presented in the 1988 Abstract Syntax Notation One (ASN.1) rather
   than the 1994 syntax used in the ISO/IEC/ITU standards.

   This specification also includes path validation procedures in
   Section 6.  These procedures are based upon the ISO/IEC/ITU
   definition, but the presentation assumes one or more self-signed
   trusted CA certificates.  Implementations are required to derive the
   same results but are not required to use the specified procedures.

   Section 7 of the specification describes procedures for
   identification and encoding of public key materials and digital
   signatures.  Implementations are not required to use any particular
   cryptographic algorithms.  However, conforming implementations which
   use the identified algorithms are required to identify and encode the
   public key materials and digital signatures as described.

   Finally, four appendices are provided to aid implementers.  Appendix
   A contains all ASN.1 structures defined or referenced within this
   specification.  As above, the material is presented in the 1988
   Abstract Syntax Notation One (ASN.1) rather than the 1994 syntax.
   Appendix B contains the same information in the 1994 ASN.1 notation
   as a service to implementers using updated toolsets.  However,
   Appendix A takes precedence in case of conflict.  Appendix C contains

Top      ToC       Page 6 
   notes on less familiar features of the ASN.1 notation used within
   this specification.  Appendix D contains examples of a conforming
   certificate and a conforming CRL.

2  Requirements and Assumptions

   The goal of this specification is to develop a profile to facilitate
   the use of X.509 certificates within Internet applications for those
   communities wishing to make use of X.509 technology. Such
   applications may include WWW, electronic mail, user authentication,
   and IPsec.  In order to relieve some of the obstacles to using X.509
   certificates, this document defines a profile to promote the
   development of certificate management systems; development of
   application tools; and interoperability determined by policy.

   Some communities will need to supplement, or possibly replace, this
   profile in order to meet the requirements of specialized application
   domains or environments with additional authorization, assurance, or
   operational requirements.  However, for basic applications, common
   representations of frequently used attributes are defined so that
   application developers can obtain necessary information without
   regard to the issuer of a particular certificate or certificate
   revocation list (CRL).

   A certificate user should review the certificate policy generated by
   the certification authority (CA) before relying on the authentication
   or non-repudiation services associated with the public key in a
   particular certificate.  To this end, this standard does not
   prescribe legally binding rules or duties.

   As supplemental authorization and attribute management tools emerge,
   such as attribute certificates, it may be appropriate to limit the
   authenticated attributes that are included in a certificate.  These
   other management tools may provide more appropriate methods of
   conveying many authenticated attributes.

2.1  Communication and Topology

   The users of certificates will operate in a wide range of
   environments with respect to their communication topology, especially
   users of secure electronic mail.  This profile supports users without
   high bandwidth, real-time IP connectivity, or high connection
   availability.  In addition, the profile allows for the presence of
   firewall or other filtered communication.

Top      ToC       Page 7 
   This profile does not assume the deployment of an X.500 Directory
   system.  The profile does not prohibit the use of an X.500 Directory,
   but other means of distributing certificates and certificate
   revocation lists (CRLs) may be used.

2.2  Acceptability Criteria

   The goal of the Internet Public Key Infrastructure (PKI) is to meet
   the needs of deterministic, automated identification, authentication,
   access control, and authorization functions. Support for these
   services determines the attributes contained in the certificate as
   well as the ancillary control information in the certificate such as
   policy data and certification path constraints.

2.3  User Expectations

   Users of the Internet PKI are people and processes who use client
   software and are the subjects named in certificates.  These uses
   include readers and writers of electronic mail, the clients for WWW
   browsers, WWW servers, and the key manager for IPsec within a router.
   This profile recognizes the limitations of the platforms these users
   employ and the limitations in sophistication and attentiveness of the
   users themselves.  This manifests itself in minimal user
   configuration responsibility (e.g., trusted CA keys, rules), explicit
   platform usage constraints within the certificate, certification path
   constraints which shield the user from many malicious actions, and
   applications which sensibly automate validation functions.

2.4  Administrator Expectations

   As with user expectations, the Internet PKI profile is structured to
   support the individuals who generally operate CAs.  Providing
   administrators with unbounded choices increases the chances that a
   subtle CA administrator mistake will result in broad compromise.
   Also, unbounded choices greatly complicate the software that shall
   process and validate the certificates created by the CA.

3  Overview of Approach

   Following is a simplified view of the architectural model assumed by
   the PKIX specifications.

Top      ToC       Page 8 
       +---+
       | C |                       +------------+
       | e | <-------------------->| End entity |
       | r |       Operational     +------------+
       | t |       transactions          ^
       |   |      and management         |  Management
       | / |       transactions          |  transactions
       |   |                             |                PKI users
       | C |                             v
       | R |       -------------------+--+-----------+----------------
       | L |                          ^              ^
       |   |                          |              |  PKI management
       |   |                          v              |      entities
       | R |                       +------+          |
       | e | <---------------------| RA   | <---+    |
       | p |  Publish certificate  +------+     |    |
       | o |                                    |    |
       | s |                                    |    |
       | I |                                    v    v
       | t |                                +------------+
       | o | <------------------------------|     CA     |
       | r |   Publish certificate          +------------+
       | y |   Publish CRL                         ^
       |   |                                       |
       +---+                        Management     |
                                    transactions   |
                                                   v
                                               +------+
                                               |  CA  |
                                               +------+

                          Figure 1 - PKI Entities

   The components in this model are:

   end entity:  user of PKI certificates and/or end user system that
                is the subject of a certificate;
   CA:          certification authority;
   RA:          registration authority, i.e., an optional system to
                which a CA delegates certain management functions;
   repository:  a system or collection of distributed systems that
                store certificates and CRLs and serves as a means of
                distributing these certificates and CRLs to end
                entities.

Top      ToC       Page 9 
3.1  X.509 Version 3 Certificate

   Users of a public key shall be confident that the associated private
   key is owned by the correct remote subject (person or system) with
   which an encryption or digital signature mechanism will be used.
   This confidence is obtained through the use of public key
   certificates, which are data structures that bind public key values
   to subjects.  The binding is asserted by having a trusted CA
   digitally sign each certificate. The CA may base this assertion upon
   technical means (a.k.a., proof of posession through a challenge-
   response protocol), presentation of the private key, or on an
   assertion by the subject.  A certificate has a limited valid lifetime
   which is indicated in its signed contents.  Because a certificate's
   signature and timeliness can be independently checked by a
   certificate-using client, certificates can be distributed via
   untrusted communications and server systems, and can be cached in
   unsecured storage in certificate-using systems.

   ITU-T X.509 (formerly CCITT X.509) or ISO/IEC/ITU 9594-8, which was
   first published in 1988 as part of the X.500 Directory
   recommendations, defines a standard certificate format [X.509]. The
   certificate format in the 1988 standard is called the version 1 (v1)
   format.  When X.500 was revised in 1993, two more fields were added,
   resulting in the version 2 (v2) format. These two fields may be used
   to support directory access control.

   The Internet Privacy Enhanced Mail (PEM) RFCs, published in 1993,
   include specifications for a public key infrastructure based on X.509
   v1 certificates [RFC 1422].  The experience gained in attempts to
   deploy RFC 1422 made it clear that the v1 and v2 certificate formats
   are deficient in several respects.  Most importantly, more fields
   were needed to carry information which PEM design and implementation
   experience has proven necessary.  In response to these new
   requirements, ISO/IEC/ITU and ANSI X9 developed the X.509 version 3
   (v3) certificate format.  The v3 format extends the v2 format by
   adding provision for additional extension fields.  Particular
   extension field types may be specified in standards or may be defined
   and registered by any organization or community. In June 1996,
   standardization of the basic v3 format was completed [X.509].

   ISO/IEC/ITU and ANSI X9 have also developed standard extensions for
   use in the v3 extensions field [X.509][X9.55].  These extensions can
   convey such data as additional subject identification information,
   key attribute information, policy information, and certification path
   constraints.

Top      ToC       Page 10 
   However, the ISO/IEC/ITU and ANSI X9 standard extensions are very
   broad in their applicability.  In order to develop interoperable
   implementations of X.509 v3 systems for Internet use, it is necessary
   to specify a profile for use of the X.509 v3 extensions tailored for
   the Internet.  It is one goal of this document to specify a profile
   for Internet WWW, electronic mail, and IPsec applications.
   Environments with additional requirements may build on this profile
   or may replace it.

3.2  Certification Paths and Trust

   A user of a security service requiring knowledge of a public key
   generally needs to obtain and validate a certificate containing the
   required public key. If the public-key user does not already hold an
   assured copy of the public key of the CA that signed the certificate,
   the CA's name, and related information (such as the validity period
   or name constraints), then it might need an additional certificate to
   obtain that public key.  In general, a chain of multiple certificates
   may be needed, comprising a certificate of the public key owner (the
   end entity) signed by one CA, and zero or more additional
   certificates of CAs signed by other CAs.  Such chains, called
   certification paths, are required because a public key user is only
   initialized with a limited number of assured CA public keys.

   There are different ways in which CAs might be configured in order
   for public key users to be able to find certification paths.  For
   PEM, RFC 1422 defined a rigid hierarchical structure of CAs.  There
   are three types of PEM certification authority:

      (a)  Internet Policy Registration Authority (IPRA):  This
      authority, operated under the auspices of the Internet Society,
      acts as the root of the PEM certification hierarchy at level 1.
      It issues certificates only for the next level of authorities,
      PCAs.  All certification paths start with the IPRA.

      (b)  Policy Certification Authorities (PCAs):  PCAs are at level 2
      of the hierarchy, each PCA being certified by the IPRA.  A PCA
      shall establish and publish a statement of its policy with respect
      to certifying users or subordinate certification authorities.
      Distinct PCAs aim to satisfy different user needs. For example,
      one PCA (an organizational PCA) might support the general
      electronic mail needs of commercial organizations, and another PCA
      (a high-assurance PCA) might have a more stringent policy designed
      for satisfying legally binding digital signature requirements.

Top      ToC       Page 11 
      (c)  Certification Authorities (CAs):  CAs are at level 3 of the
      hierarchy and can also be at lower levels. Those at level 3 are
      certified by PCAs.  CAs represent, for example, particular
      organizations, particular organizational units (e.g., departments,
      groups, sections), or particular geographical areas.

   RFC 1422 furthermore has a name subordination rule which requires
   that a CA can only issue certificates for entities whose names are
   subordinate (in the X.500 naming tree) to the name of the CA itself.
   The trust associated with a PEM certification path is implied by the
   PCA name. The name subordination rule ensures that CAs below the PCA
   are sensibly constrained as to the set of subordinate entities they
   can certify (e.g., a CA for an organization can only certify entities
   in that organization's name tree). Certificate user systems are able
   to mechanically check that the name subordination rule has been
   followed.

   The RFC 1422 uses the X.509 v1 certificate formats. The limitations
   of X.509 v1 required imposition of several structural restrictions to
   clearly associate policy information or restrict the utility of
   certificates.  These restrictions included:

      (a) a pure top-down hierarchy, with all certification paths
      starting from IPRA;

      (b) a naming subordination rule restricting the names of a CA's
      subjects; and

      (c) use of the PCA concept, which requires knowledge of individual
      PCAs to be built into certificate chain verification logic.
      Knowledge of individual PCAs was required to determine if a chain
      could be accepted.

   With X.509 v3, most of the requirements addressed by RFC 1422 can be
   addressed using certificate extensions, without a need to restrict
   the CA structures used.  In particular, the certificate extensions
   relating to certificate policies obviate the need for PCAs and the
   constraint extensions obviate the need for the name subordination
   rule.  As a result, this document supports a more flexible
   architecture, including:

      (a) Certification paths may start with a public key of a CA in a
      user's own domain, or with the public key of the top of a
      hierarchy.  Starting with the public key of a CA in a user's own
      domain has certain advantages.  In some environments, the local
      domain is the most trusted.

Top      ToC       Page 12 
      (b)  Name constraints may be imposed through explicit inclusion of
      a name constraints extension in a certificate, but are not
      required.

      (c)  Policy extensions and policy mappings replace the PCA
      concept, which permits a greater degree of automation.  The
      application can determine if the certification path is acceptable
      based on the contents of the certificates instead of a priori
      knowledge of PCAs. This permits automation of certificate chain
      processing.

3.3  Revocation

   When a certificate is issued, it is expected to be in use for its
   entire validity period.  However, various circumstances may cause a
   certificate to become invalid prior to the expiration of the validity
   period. Such circumstances include change of name, change of
   association between subject and CA (e.g., an employee terminates
   employment with an organization), and compromise or suspected
   compromise of the corresponding private key.  Under such
   circumstances, the CA needs to revoke the certificate.

   X.509 defines one method of certificate revocation.  This method
   involves each CA periodically issuing a signed data structure called
   a certificate revocation list (CRL).  A CRL is a time stamped list
   identifying revoked certificates which is signed by a CA and made
   freely available in a public repository.  Each revoked certificate is
   identified in a CRL by its certificate serial number. When a
   certificate-using system uses a certificate (e.g., for verifying a
   remote user's digital signature), that system not only checks the
   certificate signature and validity but also acquires a suitably-
   recent CRL and checks that the certificate serial number is not on
   that CRL.  The meaning of "suitably-recent" may vary with local
   policy, but it usually means the most recently-issued CRL.  A CA
   issues a new CRL on a regular periodic basis (e.g., hourly, daily, or
   weekly).  An entry is added to the CRL as part of the next update
   following notification of revocation. An entry may be removed from
   the CRL after appearing on one regularly scheduled CRL issued beyond
   the revoked certificate's validity period.

   An advantage of this revocation method is that CRLs may be
   distributed by exactly the same means as certificates themselves,
   namely, via untrusted communications and server systems.

   One limitation of the CRL revocation method, using untrusted
   communications and servers, is that the time granularity of
   revocation is limited to the CRL issue period.  For example, if a
   revocation is reported now, that revocation will not be reliably

Top      ToC       Page 13 
   notified to certificate-using systems until the next periodic CRL is
   issued -- this may be up to one hour, one day, or one week depending
   on the frequency that the CA issues CRLs.

   As with the X.509 v3 certificate format, in order to facilitate
   interoperable implementations from multiple vendors, the X.509 v2 CRL
   format needs to be profiled for Internet use.  It is one goal of this
   document to specify that profile.  However, this profile does not
   require CAs to issue CRLs. Message formats and protocols supporting
   on-line revocation notification may be defined in other PKIX
   specifications.  On-line methods of revocation notification may be
   applicable in some environments as an alternative to the X.509 CRL.
   On-line revocation checking may significantly reduce the latency
   between a revocation report and the distribution of the information
   to relying parties.  Once the CA accepts the report as authentic and
   valid, any query to the on-line service will correctly reflect the
   certificate validation impacts of the revocation.  However, these
   methods impose new security requirements; the certificate validator
   shall trust the on-line validation service while the repository does
   not need to be trusted.

3.4  Operational Protocols

   Operational protocols are required to deliver certificates and CRLs
   (or status information) to certificate using client systems.
   Provision is needed for a variety of different means of certificate
   and CRL delivery, including distribution procedures based on LDAP,
   HTTP, FTP, and X.500.  Operational protocols supporting these
   functions are defined in other PKIX specifications.  These
   specifications may include definitions of message formats and
   procedures for supporting all of the above operational environments,
   including definitions of or references to appropriate MIME content
   types.

3.5  Management Protocols

   Management protocols are required to support on-line interactions
   between PKI user and management entities.  For example, a management
   protocol might be used between a CA and a client system with which a
   key pair is associated, or between two CAs which cross-certify each
   other.  The set of functions which potentially need to be supported
   by management protocols include:

      (a)  registration:  This is the process whereby a user first makes
      itself known to a CA (directly, or through an RA), prior to that
      CA issuing  a certificate or certificates for that user.

Top      ToC       Page 14 
      (b)  initialization:  Before a client system can operate securely
      it is necessary to install key materials which have the
      appropriate relationship with keys stored elsewhere in the
      infrastructure.  For example, the client needs to be securely
      initialized with the public key and other assured information of
      the trusted CA(s), to be used in validating certificate paths.
      Furthermore, a client typically needs to be initialized with its
      own key pair(s).

      (c)  certification:  This  is the process in which a CA issues a
      certificate for a user's public key, and returns that certificate
      to the user's client system and/or posts that certificate in a
      repository.

      (d)  key pair recovery:  As an option, user client key materials
      (e.g., a user's private key used for encryption purposes) may be
      backed up by a CA or a key backup system.  If a user needs to
      recover these backed up key materials (e.g., as a result of a
      forgotten password or a lost key chain file), an on-line protocol
      exchange may be needed to support such recovery.

      (e)  key pair update:  All key pairs need to be updated regularly,
      i.e., replaced with a new key pair, and new certificates issued.

      (f)  revocation request:  An authorized person advises a CA of an
      abnormal situation requiring certificate revocation.

      (g)  cross-certification:  Two CAs exchange information used in
      establishing a cross-certificate. A cross-certificate is a
      certificate issued by one CA to another CA which contains a CA
      signature key used for issuing certificates.

   Note that on-line protocols are not the only way of implementing the
   above functions.  For all functions there are off-line methods of
   achieving the same result, and this specification does not mandate
   use of on-line protocols.  For example, when hardware tokens are
   used, many of the functions may be achieved as part of the physical
   token delivery.  Furthermore, some of the above functions may be
   combined into one protocol exchange.  In particular, two or more of
   the registration, initialization, and certification functions can be
   combined into one protocol exchange.

   The PKIX series of specifications may define a set of standard
   message formats supporting the above functions in future
   specifications.  In that case, the protocols for conveying these
   messages in different environments (e.g., on-line, file transfer, e-
   mail, and WWW) will also be described in those specifications.

Top      ToC       Page 15 
4  Certificate and Certificate Extensions Profile

   This section presents a profile for public key certificates that will
   foster interoperability and a reusable PKI.  This section is based
   upon the X.509 v3 certificate format and the standard certificate
   extensions defined in [X.509].  The ISO/IEC/ITU documents use the
   1993 version of ASN.1; while this document uses the 1988 ASN.1
   syntax, the encoded certificate and standard extensions are
   equivalent.  This section also defines private extensions required to
   support a PKI for the Internet community.

   Certificates may be used in a wide range of applications and
   environments covering a broad spectrum of interoperability goals and
   a broader spectrum of operational and assurance requirements.  The
   goal of this document is to establish a common baseline for generic
   applications requiring broad interoperability and limited special
   purpose requirements.  In particular, the emphasis will be on
   supporting the use of X.509 v3 certificates for informal Internet
   electronic mail, IPsec, and WWW applications.

4.1  Basic Certificate Fields

   The X.509 v3 certificate basic syntax is as follows.  For signature
   calculation, the certificate is encoded using the ASN.1 distinguished
   encoding rules (DER) [X.208].  ASN.1 DER encoding is a tag, length,
   value encoding system for each element.

   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version shall be v2 or v3
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version shall be v2 or v3
        extensions      [3]  EXPLICIT Extensions OPTIONAL
                             -- If present, version shall be v3
        }

Top      ToC       Page 16 
   Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

   CertificateSerialNumber  ::=  INTEGER

   Validity ::= SEQUENCE {
        notBefore      Time,
        notAfter       Time }

   Time ::= CHOICE {
        utcTime        UTCTime,
        generalTime    GeneralizedTime }

   UniqueIdentifier  ::=  BIT STRING

   SubjectPublicKeyInfo  ::=  SEQUENCE  {
        algorithm            AlgorithmIdentifier,
        subjectPublicKey     BIT STRING  }

   Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING  }

   The following items describe the X.509 v3 certificate for use in the
   Internet.

4.1.1  Certificate Fields

   The Certificate is a SEQUENCE of three required fields. The fields
   are described in detail in the following subsections.

4.1.1.1  tbsCertificate

   The field contains the names of the subject and issuer, a public key
   associated with the subject, a validity period, and other associated
   information.  The fields are described in detail in section 4.1.2;
   the tbscertificate may also include extensions which are described in
   section 4.2.

4.1.1.2  signatureAlgorithm

   The signatureAlgorithm field contains the identifier for the
   cryptographic algorithm used by the CA to sign this certificate.
   Section 7.2 lists the supported signature algorithms.

   An algorithm identifier is defined by the following ASN.1 structure:

Top      ToC       Page 17 
   AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  }

   The algorithm identifier is used to identify a cryptographic
   algorithm.  The OBJECT IDENTIFIER component identifies the algorithm
   (such as DSA with SHA-1).  The contents of the optional parameters
   field will vary according to the algorithm identified. Section 7.2
   lists the supported algorithms for this specification.

   This field MUST contain the same algorithm identifier as the
   signature field in the sequence tbsCertificate (see sec. 4.1.2.3).

4.1.1.3  signatureValue

   The signatureValue field contains a digital signature computed upon
   the ASN.1 DER encoded tbsCertificate.  The ASN.1 DER encoded
   tbsCertificate is used as the input to the signature function. This
   signature value is then ASN.1 encoded as a BIT STRING and included in
   the Certificate's signature field. The details of this process are
   specified for each of the supported algorithms in Section 7.2.

   By generating this signature, a CA certifies the validity of the
   information in the tbsCertificate field.  In particular, the CA
   certifies the binding between the public key material and the subject
   of the certificate.

4.1.2  TBSCertificate

   The sequence TBSCertificate contains information associated with the
   subject of the certificate and the CA who issued it.  Every
   TBSCertificate contains the names of the subject and issuer, a public
   key associated with the subject, a validity period, a version number,
   and a serial number; some may contain optional unique identifier
   fields.  The remainder of this section describes the syntax and
   semantics of these fields.  A TBSCertificate may also include
   extensions.  Extensions for the Internet PKI are described in Section
   4.2.

4.1.2.1  Version

   This field describes the version of the encoded certificate.  When
   extensions are used, as expected in this profile, use X.509 version 3
   (value is 2).  If no extensions are present, but a UniqueIdentifier
   is present, use version 2 (value is 1).  If only basic fields are
   present, use version 1 (the value is omitted from the certificate as
   the default value).

Top      ToC       Page 18 
   Implementations SHOULD be prepared to accept any version certificate.
   At a minimum, conforming implementations MUST recognize version 3
   certificates.

   Generation of version 2 certificates is not expected by
   implementations based on this profile.

4.1.2.2  Serial number

   The serial number is an integer assigned by the CA to each
   certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate).

4.1.2.3  Signature

   This field contains the algorithm identifier for the algorithm used
   by the CA to sign the certificate.

   This field MUST contain the same algorithm identifier as the
   signatureAlgorithm field in the sequence Certificate (see sec.
   4.1.1.2).  The contents of the optional parameters field will vary
   according to the algorithm identified.  Section 7.2 lists the
   supported signature algorithms.

4.1.2.4  Issuer

   The issuer field identifies the entity who has signed and issued the
   certificate.  The issuer field MUST contain a non-empty distinguished
   name (DN).  The issuer field is defined as the X.501 type Name.
   [X.501] Name is defined by the following ASN.1 structures:

   Name ::= CHOICE {
     RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY DEFINED BY AttributeType

Top      ToC       Page 19 
   DirectoryString ::= CHOICE {
         teletexString           TeletexString (SIZE (1..MAX)),
         printableString         PrintableString (SIZE (1..MAX)),
         universalString         UniversalString (SIZE (1..MAX)),
         utf8String              UTF8String (SIZE (1.. MAX)),
         bmpString               BMPString (SIZE (1..MAX)) }

   The Name describes a hierarchical name composed of attributes, such
   as country name, and corresponding values, such as US.  The type of
   the component AttributeValue is determined by the AttributeType; in
   general it will be a DirectoryString.

   The DirectoryString type is defined as a choice of PrintableString,
   TeletexString, BMPString, UTF8String, and UniversalString.  The
   UTF8String encoding is the preferred encoding, and all certificates
   issued after December 31, 2003 MUST use the UTF8String encoding of
   DirectoryString (except as noted below).  Until that date, conforming
   CAs MUST choose from the following options when creating a
   distinguished name, including their own:

      (a) if the character set is sufficient, the string MAY be
      represented as a PrintableString;

      (b) failing (a), if the BMPString character set is sufficient the
      string MAY be represented as a BMPString; and

      (c) failing (a) and (b), the string MUST be represented as a
      UTF8String.  If (a) or (b) is satisfied, the CA MAY still choose
      to represent the string as a UTF8String.

   Exceptions to the December 31, 2003 UTF8 encoding requirements are as
   follows:

      (a) CAs MAY issue "name rollover" certificates to support an
      orderly migration to UTF8String encoding.  Such certificates would
      include the CA's UTF8String encoded name as issuer and and the old
      name encoding as subject, or vice-versa.

      (b) As stated in section 4.1.2.6, the subject field MUST be
      populated with a non-empty distinguished name matching the
      contents of the issuer field in all certificates issued by the
      subject CA regardless of encoding.

   The TeletexString and UniversalString are included for backward
   compatibility, and should not be used for certificates for new
   subjects.  However, these types may be used in certificates where the
   name was previously established.  Certificate users SHOULD be
   prepared to receive certificates with these types.

Top      ToC       Page 20 
   In addition, many legacy implementations support names encoded in the
   ISO 8859-1 character set (Latin1String) but tag them as
   TeletexString.  The Latin1String includes characters used in Western
   European countries which are not part of the TeletexString charcter
   set.  Implementations that process TeletexString SHOULD be prepared
   to handle the entire ISO 8859-1 character set.[ISO 8859-1]

   As noted above, distinguished names are composed of attributes.  This
   specification does not restrict the set of attribute types that may
   appear in names.  However, conforming implementations MUST be
   prepared to receive certificates with issuer names containing the set
   of attribute types defined below.  This specification also recommends
   support for additional attribute types.

   Standard sets of attributes have been defined in the X.500 series of
   specifications.[X.520]  Implementations of this specification MUST be
   prepared to receive the following standard attribute types in issuer
   names: country, organization, organizational-unit, distinguished name
   qualifier, state or province name,  and common name (e.g., "Susan
   Housley").  In addition, implementations of this specification SHOULD
   be prepared to receive the following standard attribute types in
   issuer names: locality, title,  surname, given name, initials, and
   generation qualifier (e.g., "Jr.", "3rd", or "IV").  The syntax and
   associated object identifiers (OIDs) for these attribute types are
   provided in the ASN.1 modules in Appendices A and B.

   In addition, implementations of this specification MUST be prepared
   to receive the domainComponent attribute, as defined in [RFC 2247].
   The Domain (Nameserver) System (DNS) provides a hierarchical resource
   labeling system.  This attribute provides is a convenient mechanism
   for organizations that wish to use DNs that parallel their DNS names.
   This is not a replacement for the dNSName component of the
   alternative name field. Implementations are not required to convert
   such names into DNS names. The syntax and associated OID for this
   attribute type is provided in the ASN.1 modules in Appendices A and
   B.

   Certificate users MUST be prepared to process the issuer
   distinguished name and subject distinguished name (see sec. 4.1.2.6)
   fields to perform name chaining for certification path validation
   (see section 6). Name chaining is performed by matching the issuer
   distinguished name in one certificate with the subject name in a CA
   certificate.

   This specification requires only a subset of the name comparison
   functionality specified in the X.500 series of specifications.  The
   requirements for conforming implementations are as follows:

Top      ToC       Page 21 
      (a) attribute values encoded in different types (e.g.,
      PrintableString and BMPString) may be assumed to represent
      different strings;

      (b) attribute values in types other than PrintableString are case
      sensitive (this permits matching of attribute values as binary
      objects);

      (c) attribute values in PrintableString are not case sensitive
      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and

      (d) attribute values in PrintableString are compared after
      removing leading and trailing white space and converting internal
      substrings of one or more consecutive white space characters to a
      single space.

   These name comparison rules permit a certificate user to validate
   certificates issued using languages or encodings unfamiliar to the
   certificate user.

   In addition, implementations of this specification MAY use these
   comparison rules to process unfamiliar attribute types for name
   chaining. This allows implementations to process certificates with
   unfamiliar attributes in the issuer name.

   Note that the comparison rules defined in the X.500 series of
   specifications indicate that the character sets used to encode data
   in distinguished names are irrelevant.  The characters themselves are
   compared without regard to encoding. Implementations of the profile
   are permitted to use the comparison algorithm defined in the X.500
   series.  Such an implementation will recognize a superset of name
   matches recognized by the algorithm specified above.

4.1.2.5  Validity

   The certificate validity period is the time interval during which the
   CA warrants that it will maintain information about the status of the
   certificate. The field is represented as a SEQUENCE of two dates:
   the date on which the certificate validity period begins (notBefore)
   and the date on which the certificate validity period ends
   (notAfter).  Both notBefore and notAfter may be encoded as UTCTime or
   GeneralizedTime.

   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.

Top      ToC       Page 22 
4.1.2.5.1  UTCTime

   The universal time type, UTCTime, is a standard ASN.1 type intended
   for international applications where local time alone is not
   adequate.  UTCTime specifies the year through the two low order
   digits and time is specified to the precision of one minute or one
   second.  UTCTime includes either Z (for Zulu, or Greenwich Mean Time)
   or a time differential.

   For the purposes of this profile, UTCTime values MUST be expressed
   Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
   YYMMDDHHMMSSZ), even where the number of seconds is zero.  Conforming
   systems MUST interpret the year field (YY) as follows:

      Where YY is greater than or equal to 50, the year shall be
      interpreted as 19YY; and

      Where YY is less than 50, the year shall be interpreted as 20YY.

4.1.2.5.2  GeneralizedTime

   The generalized time type, GeneralizedTime, is a standard ASN.1 type
   for variable precision representation of time.  Optionally, the
   GeneralizedTime field can include a representation of the time
   differential between local and Greenwich Mean Time.

   For the purposes of this profile, GeneralizedTime values MUST be
   expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e.,
   times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero.
   GeneralizedTime values MUST NOT include fractional seconds.

4.1.2.6  Subject

   The subject field identifies the entity associated with the public
   key stored in the subject public key field.  The subject name may be
   carried in the subject field and/or the subjectAltName extension.  If
   the subject is a CA (e.g., the basic constraints extension, as
   discussed in 4.2.1.10, is present and the value of cA is TRUE,) then
   the subject field MUST be populated with a non-empty distinguished
   name matching the contents of the issuer field (see sec. 4.1.2.4) in
   all certificates issued by the subject CA.  If subject naming
   information is present only in the subjectAltName extension (e.g., a
   key bound only to an email address or URI), then the subject name
   MUST be an empty sequence and the subjectAltName extension MUST be
   critical.

Top      ToC       Page 23 
   Where it is non-empty, the subject field MUST contain an X.500
   distinguished name (DN). The DN MUST be unique for each subject
   entity certified by the one CA as defined by the issuer name field. A
   CA may issue more than one certificate with the same DN to the same
   subject entity.

   The subject name field is defined as the X.501 type Name.
   Implementation requirements for this field are those defined for the
   issuer field (see sec.  4.1.2.4).  When encoding attribute values of
   type DirectoryString, the encoding rules for the issuer field MUST be
   implemented.  Implementations of this specification MUST be prepared
   to receive subject names containing the attribute types required for
   the issuer field.  Implementations of this specification SHOULD be
   prepared to receive subject names containing the recommended
   attribute types for the issuer field.  The syntax and associated
   object identifiers (OIDs) for these attribute types are provided in
   the ASN.1 modules in Appendices A and B.  Implementations of this
   specification MAY use these comparison rules to process unfamiliar
   attribute types (i.e., for name chaining). This allows
   implementations to process certificates with unfamiliar attributes in
   the subject name.

   In addition, legacy implementations exist where an RFC 822 name is
   embedded in the subject distinguished name as an EmailAddress
   attribute.  The attribute value for EmailAddress is of type IA5String
   to permit inclusion of the character '@', which is not part of the
   PrintableString character set.  EmailAddress attribute values are not
   case sensitive (e.g., "fanfeedback@redsox.com" is the same as
   "FANFEEDBACK@REDSOX.COM").

   Conforming implementations generating new certificates with
   electronic mail addresses MUST use the rfc822Name in the subject
   alternative name field (see sec. 4.2.1.7) to describe such
   identities.  Simultaneous inclusion of the EmailAddress attribute in
   the subject distinguished name to support legacy implementations is
   deprecated but permitted.

4.1.2.7  Subject Public Key Info

   This field is used to carry the public key and identify the algorithm
   with which the key is used. The algorithm is identified using the
   AlgorithmIdentifier structure specified in section 4.1.1.2. The
   object identifiers for the supported algorithms and the methods for
   encoding the public key materials (public key and parameters) are
   specified in section 7.3.

Top      ToC       Page 24 
4.1.2.8  Unique Identifiers

   These fields may only appear if the version is 2 or 3 (see sec.
   4.1.2.1).  The subject and issuer unique identifiers are present in
   the certificate to handle the possibility of reuse of subject and/or
   issuer names over time.  This profile recommends that names not be
   reused for different entities and that Internet certificates not make
   use of unique identifiers.  CAs conforming to this profile SHOULD NOT
   generate certificates with unique identifiers.  Applications
   conforming to this profile SHOULD be capable of parsing unique
   identifiers and making comparisons.

4.1.2.9  Extensions

   This field may only appear if the version is 3 (see sec. 4.1.2.1).
   If present, this field is a SEQUENCE of one or more certificate
   extensions. The format and content of certificate extensions in the
   Internet PKI is defined in section 4.2.



(page 24 continued on part 2)

Next RFC Part