Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
RFC 3739
Type:                   RFC - Proposed Standard (March 2004; Errata exist)
Obsoletes:              RFC 3039
Authors:                Stefan Santesson, Magnus Nystrom, Tim Polk
Last updated:           2020-01-21
Stream:                 Internet Engineering Task Force (IETF)
WG state:               (None)
Document shepherd:      No shepherd assigned
IESG state:             RFC 3739 (Proposed Standard)
Consensus boilerplate:  Unknown
Responsible AD:         Russ Housley
Network Working Group                                       S. Santesson
Request for Comments: 3739                                     Microsoft
Obsoletes: 3039                                               M. Nystrom
Category: Standards Track                                   RSA Security
                                                                 T. Polk
                                                                    NIST
                                                              March 2004

     Internet X.509 Public Key Infrastructure: Qualified Certificates Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document forms a certificate profile, based on RFC 3280, for
   identity certificates issued to natural persons.

   The profile defines specific conventions for certificates that are
   qualified within a defined legal framework, named Qualified
   Certificates.  However, the profile does not define any legal
   requirements for such Qualified Certificates.

   The goal of this document is to define a certificate profile that
   supports the issuance of Qualified Certificates independent of local
   legal requirements.  The profile is however not limited to Qualified
   Certificates and further profiling may facilitate specific local
   needs.

Santesson, et al.           Standards Track                     [Page 1]

RFC 3739              Qualified Certificates Profile           March 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Changes since RFC 3039 . . . . . . . . . . . . . . . . .  3
       1.2.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Requirements and Assumptions . . . . . . . . . . . . . . . . .  4
       2.1.  Properties . . . . . . . . . . . . . . . . . . . . . . .  5
       2.2.  Statement of Purpose . . . . . . . . . . . . . . . . . .  5
       2.3.  Policy Issues. . . . . . . . . . . . . . . . . . . . . .  5
       2.4.  Uniqueness of Names. . . . . . . . . . . . . . . . . . .  6
   3.  Certificate and Certificate Extensions Profile . . . . . . . .  6
       3.1.  Basic Certificate Fields . . . . . . . . . . . . . . . .  6
             3.1.1.  Issuer . . . . . . . . . . . . . . . . . . . . .  6
             3.1.2.  Subject. . . . . . . . . . . . . . . . . . . . .  7
       3.2.  Certificate Extensions . . . . . . . . . . . . . . . . .  9
             3.2.1.  Subject Alternative Name . . . . . . . . . . . .  9
             3.2.2.  Subject Directory Attributes . . . . . . . . . .  9
             3.2.3.  Certificate Policies . . . . . . . . . . . . . . 11
             3.2.4.  Key Usage. . . . . . . . . . . . . . . . . . . . 11
             3.2.5.  Biometric Information. . . . . . . . . . . . . . 11
             3.2.6.  Qualified Certificate Statements . . . . . . . . 13
   4.  Security Considerations. . . . . . . . . . . . . . . . . . . . 15
   A.  ASN.1 Definitions. . . . . . . . . . . . . . . . . . . . . . . 17
       A.1.  1988 ASN.1 Module (Normative). . . . . . . . . . . . . . 17
       A.2.  1997 ASN.1 Module (Informative). . . . . . . . . . . . . 19
   B.  A Note on Attributes . . . . . . . . . . . . . . . . . . . . . 23
   C.  Example Certificate. . . . . . . . . . . . . . . . . . . . . . 23
       C.1.  ASN.1 Structure. . . . . . . . . . . . . . . . . . . . . 24
             C.1.1.  Extensions . . . . . . . . . . . . . . . . . . . 24
             C.1.2.  The Certificate. . . . . . . . . . . . . . . . . 25
       C.2.  ASN.1 Dump . . . . . . . . . . . . . . . . . . . . . . . 27
       C.3.  DER-encoding . . . . . . . . . . . . . . . . . . . . . . 30
       C.4.  CA's Public Key. . . . . . . . . . . . . . . . . . . . . 31
   References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 34

1.  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  It is based on
   [X.509] and [RFC 3280], which defines underlying certificate formats
   and semantics needed for a full implementation of this standard.

   This profile includes specific mechanisms intended for use with
   Qualified Certificates.  The term Qualified Certificates and the
   assumptions that affect the scope of this document are discussed in
   Section 2.