Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
RFC 4325
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (December 2005; No errata) |
| Status | Obsoleted by RFC 5280; Updates RFC 3280 |
| Authors | Stefan Santesson, Russ Housley |
| Last updated | 2015-10-14 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4325 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Sam Hartman |
| Send notices to | wpolk@nist.gov |
Network Working Group                                       S. Santesson
Request for Comments: 4325                                     Microsoft
Updates: 3280                                                 R. Housley
Category: Standards Track                                 Vigil Security
                                                           December 2005

                Internet X.509 Public Key Infrastructure
     Authority Information Access Certificate Revocation List (CRL)
                               Extension

Status of This Memo

   This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document updates RFC 3280 by defining the Authority Information Access Certificate Revocation List (CRL) extension. RFC 3280 defines the Authority Information Access certificate extension using the same syntax. The CRL extension provides a means of discovering and retrieving CRL issuer certificates.

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Authority Information Access CRL Extension ......................3
   3. Security Considerations .........................................5
   4. References ......................................................5
      4.1. Normative References .......................................5
      4.2. Informative References .....................................6

Santesson & Housley         Standards Track                     [Page 1]

RFC 4325       Authority Information Access CRL Extension  December 2005

1. Introduction

   RFC 3280 [PKIX1] specifies the validation of certification paths. One aspect involves the determination that a certificate has not been revoked, and one revocation checking mechanism is the Certificate Revocation List (CRL). CRL validation is also specified in RFC 3280, which involves the construction of a valid certification path for the CRL issuer.
   Building a CRL issuer certification path from the signer of the CRL to a trust anchor is straightforward when the certificate of the CRL issuer is present in the certification path associated with the target certificate, but it can be complex in other situations. There are several legitimate scenarios where the certificate of the CRL issuer is not present, or easily discovered, from the target certification path. This can be the case when indirect CRLs are used, when the Certification Authority (CA) that issued the target certificate changes its certificate signing key, or when the CA employs separate keys for certificate signing and CRL signing.

   Methods of finding the certificate of the CRL issuer are currently available, such as through an accessible directory location or through use of the Subject Information Access extension in intermediary CA certificates. Directory lookup requires existence and access to a directory that has been populated with all of the necessary certificates. The Subject Information Access extension, which supports building the CRL issuer certification path top-down (in the direction from the trust anchor to the CRL issuer), requires that some certificates in the CRL issuer certification path include an appropriate Subject Information Access extension.

   RFC 3280 [PKIX1] provides for bottom-up discovery of certification paths through the Authority Information Access extension, where the id-ad-caIssuers access method may specify one or more accessLocation fields that reference CA certificates associated with the certificate containing this extension. This document enables the use of the Authority Information Access extension in CRLs, enabling a CRL checking application to use the access method (id-ad-caIssuers) to locate certificates that may be useful in the construction of a valid CRL issuer certification path to an appropriate trust anchor.
1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Authority Information Access CRL Extension

   This section defines the use of the Authority Information Access extension in a CRL. The syntax and semantics defined in RFC 3280 [PKIX1] for the certificate extensions are also used for the CRL
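The following is an added worked example, not text or code from RFC 4325 or from its authors. It shows what a CRL-checking application does with the extension the Introduction and Section 2 describe: it DER-encodes an Authority Information Access extension exactly as it would sit in a CRL's crlExtensions (reusing the RFC 3280 AuthorityInfoAccessSyntax), then parses it back and pulls out the id-ad-caIssuers URIs that are the hints for building the CRL issuer certification path. The parser rejects an extension marked critical, because RFC 4325 requires CRL issuers to mark this extension non-critical (a requirement stated later in the RFC, past the part of the text reproduced above). The host names in the sample are hypothetical and the DER encoder/decoder is a deliberately minimal one written for this example (definite lengths only, URI GeneralNames only); it uses only the Python standard library and performs no network access.

```python
"""Build and parse an Authority Information Access (AIA) extension as carried in
a CRL's crlExtensions (RFC 4325, reusing the RFC 3280 certificate syntax).
Standard library only; nothing is fetched from the network."""

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
# DER tags: BOOLEAN, OBJECT IDENTIFIER, OCTET STRING, SEQUENCE, GeneralName [6] URI
T_BOOL, T_OID, T_OCTETS, T_SEQ, T_URI = 0x01, 0x06, 0x04, 0x30, 0x86


# --- minimal DER encoder, used only to construct the sample extension ---
def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = "more follows"
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(T_OID, bytes(out))


def build_aia_extension(access: list, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    descs = b"".join(der_tlv(T_SEQ, der_oid(m) + der_tlv(T_URI, u.encode("ascii"))) for m, u in access)
    body = der_oid(OID_AIA)
    if critical:                              # DER omits a BOOLEAN equal to its DEFAULT
        body += der_tlv(T_BOOL, b"\xff")
    return der_tlv(T_SEQ, body + der_tlv(T_OCTETS, der_tlv(T_SEQ, descs)))


# --- decoder ---
def der_read(buf: bytes, pos: int) -> tuple:
    """Read one TLV at pos; return (tag, value, offset just past it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_crl_aia(ext: bytes) -> dict:
    """Return URI access locations grouped by access method. A critical AIA is
    rejected: RFC 4325 requires CRL issuers to mark this extension non-critical."""
    tag, body, end = der_read(ext, 0)
    if tag != T_SEQ or end != len(ext):
        raise ValueError("not a single Extension SEQUENCE")
    tag, oid, pos = der_read(body, 0)
    if tag != T_OID or decode_oid(oid) != OID_AIA:
        raise ValueError("extnID is not id-pe-authorityInfoAccess")
    tag, value, pos = der_read(body, pos)
    critical = False
    if tag == T_BOOL:
        critical = value != b"\x00"
        tag, value, pos = der_read(body, pos)
    if tag != T_OCTETS or pos != len(body):
        raise ValueError("malformed Extension")
    if critical:
        raise ValueError("AIA CRL extension MUST be non-critical (RFC 4325)")
    tag, descs, end = der_read(value, 0)
    if tag != T_SEQ or end != len(value):
        raise ValueError("malformed AuthorityInfoAccessSyntax")
    found = {"caIssuers": [], "ocsp": [], "other": []}
    pos = 0
    while pos < len(descs):                   # SEQUENCE OF AccessDescription
        tag, desc, pos = der_read(descs, pos)
        if tag != T_SEQ:
            raise ValueError("malformed AccessDescription")
        _, method, p = der_read(desc, 0)
        loc_tag, location, _ = der_read(desc, p)
        if loc_tag != T_URI:
            continue                          # only URI GeneralNames handled here
        method = decode_oid(method)
        key = "caIssuers" if method == OID_CA_ISSUERS else "ocsp" if method == OID_OCSP else "other"
        found[key].append(location.decode("ascii"))
    return found


def crl_issuer_cert_hints(ext: bytes) -> list:
    """caIssuers URIs a CRL checker may fetch to build the CRL issuer path. They are
    hints only: a retrieved certificate is untrusted until the path validates to a
    trust anchor, and only schemes a fetcher expects are kept."""
    return [u for u in parse_crl_aia(ext)["caIssuers"]
            if u.split(":", 1)[0].lower() in ("http", "https", "ldap")]


def crl_aia_is_conforming(ext: bytes) -> bool:
    try:
        parse_crl_aia(ext)
        return True
    except ValueError:
        return False


# Constructed sample (hypothetical hosts, not taken from any real CRL).
SAMPLE_EXT = build_aia_extension([(OID_CA_ISSUERS, "http://pki.example.test/crl-issuer.cer"),
                                  (OID_OCSP, "http://ocsp.example.test/")])

if __name__ == "__main__":
    print(crl_issuer_cert_hints(SAMPLE_EXT))
```

The caIssuers URIs returned by `crl_issuer_cert_hints` only tell the CRL checker where it may look; whatever is fetched goes through the same bottom-up path construction and validation to a trust anchor that the Introduction describes, so a tampered or mis-pointed location yields at worst a failed path, not a trusted CRL signer.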