Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
RFC 3739
Document Type RFC - Proposed Standard (March 2004; Errata)
Obsoletes RFC 3039
Authors Stefan Santesson  , Magnus Nystrom  , Tim Polk 
Last updated 2020-01-21
Stream Internent Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3739 (Proposed Standard)
Action Holders
(None)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                       S. Santesson
Request for Comments: 3739                                     Microsoft
Obsoletes: 3039                                               M. Nystrom
Category: Standards Track                                   RSA Security
                                                                 T. Polk
                                                                    NIST
                                                              March 2004

               Internet X.509 Public Key Infrastructure:
                     Qualified Certificates Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document forms a certificate profile, based on RFC 3280, for
   identity certificates issued to natural persons.

   The profile defines specific conventions for certificates that are
   qualified within a defined legal framework, named Qualified
   Certificates.  However, the profile does not define any legal
   requirements for such Qualified Certificates.

   The goal of this document is to define a certificate profile that
   supports the issuance of Qualified Certificates independent of local
   legal requirements.  The profile is however not limited to Qualified
   Certificates and further profiling may facilitate specific local
   needs.

Santesson, et al.           Standards Track                     [Page 1]
RFC 3739             Qualified Certificates Profile           March 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Changes since RFC 3039 . . . . . . . . . . . . . . . . .  3
       1.2.  Definitions. . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Requirements and Assumptions . . . . . . . . . . . . . . . . .  4
       2.1.  Properties . . . . . . . . . . . . . . . . . . . . . . .  5
       2.2.  Statement of Purpose . . . . . . . . . . . . . . . . . .  5
       2.3.  Policy Issues. . . . . . . . . . . . . . . . . . . . . .  5
       2.4.  Uniqueness of Names. . . . . . . . . . . . . . . . . . .  6
   3.  Certificate and Certificate Extensions Profile . . . . . . . .  6
       3.1.  Basic Certificate Fields . . . . . . . . . . . . . . . .  6
             3.1.1.  Issuer . . . . . . . . . . . . . . . . . . . . .  6
             3.1.2.  Subject. . . . . . . . . . . . . . . . . . . . .  7
       3.2.  Certificate Extensions . . . . . . . . . . . . . . . . .  9
             3.2.1.  Subject Alternative Name . . . . . . . . . . . .  9
             3.2.2.  Subject Directory Attributes . . . . . . . . . .  9
             3.2.3.  Certificate Policies . . . . . . . . . . . . . . 11
             3.2.4.  Key Usage. . . . . . . . . . . . . . . . . . . . 11
             3.2.5.  Biometric Information. . . . . . . . . . . . . . 11
             3.2.6.  Qualified Certificate Statements . . . . . . . . 13
   4.  Security Considerations. . . . . . . . . . . . . . . . . . . . 15
   A.  ASN.1 Definitions. . . . . . . . . . . . . . . . . . . . . . . 17
       A.1.  1988 ASN.1 Module (Normative). . . . . . . . . . . . . . 17
       A.2.  1997 ASN.1 Module (Informative). . . . . . . . . . . . . 19
   B.  A Note on Attributes . . . . . . . . . . . . . . . . . . . . . 23
   C.  Example Certificate. . . . . . . . . . . . . . . . . . . . . . 23
       C.1.  ASN.1 Structure. . . . . . . . . . . . . . . . . . . . . 24
             C.1.1.  Extensions . . . . . . . . . . . . . . . . . . . 24
             C.1.2.  The Certificate. . . . . . . . . . . . . . . . . 25
       C.2.  ASN.1 Dump . . . . . . . . . . . . . . . . . . . . . . . 27
       C.3.  DER-encoding . . . . . . . . . . . . . . . . . . . . . . 30
       C.4.  CA's Public Key. . . . . . . . . . . . . . . . . . . . . 31
   References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 34

1.  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  It is based on
   [X.509] and [RFC 3280], which defines underlying certificate formats
   and semantics needed for a full implementation of this standard.

   This profile includes specific mechanisms intended for use with
   Qualified Certificates.  The term Qualified Certificates and the
   assumptions that affect the scope of this document are discussed in
   Section 2.

Santesson, et al.           Standards Track                     [Page 2]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools