Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
RFC 4325
| Document | Type |
RFC - Proposed Standard
(December 2005; No errata)
Obsoleted by RFC 5280
Updates RFC 3280
|
|
|---|---|---|---|
| Authors | Stefan Santesson , Russ Housley | ||
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4325 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Sam Hartman | ||
| Send notices to | wpolk@nist.gov | ||
Network Working Group S. Santesson
Request for Comments: 4325 Microsoft
Updates: 3280 R. Housley
Category: Standards Track Vigil Security
December 2005
Internet X.509 Public Key Infrastructure Authority Information
Access Certificate Revocation List (CRL) Extension
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document updates RFC 3280 by defining the Authority Information
Access Certificate Revocation List (CRL) extension. RFC 3280 defines
the Authority Information Access certificate extension using the same
syntax. The CRL extension provides a means of discovering and
retrieving CRL issuer certificates.
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
2. Authority Information Access CRL Extension ......................3
3. Security Considerations .........................................5
4. References ......................................................5
4.1. Normative References .......................................5
4.2. Informative References .....................................6
Santesson & Housley Standards Track [Page 1]
RFC 4325 Authority Information Access CRL Extension December 2005
1. Introduction
RFC 3280 [PKIX1] specifies the validation of certification paths.
One aspect involves the determination that a certificate has not been
revoked, and one revocation checking mechanism is the Certificate
Revocation List (CRL). CRL validation is also specified in RFC 3280,
which involves the constructions of a valid certification path for
the CRL issuer. Building a CRL issuer certification path from the
signer of the CRL to a trust anchor is straightforward when the
certificate of the CRL issuer is present in the certification path
associated with the target certificate, but it can be complex in
other situations.
There are several legitimate scenarios where the certificate of the
CRL issuer is not present, or easily discovered, from the target
certification path. This can be the case when indirect CRLs are
used, when the Certification Authority (CA) that issued the target
certificate changes its certificate signing key, or when the CA
employs separate keys for certificate signing and CRL signing.
Methods of finding the certificate of the CRL issuer are currently
available, such as through an accessible directory location or
through use of the Subject Information Access extension in
intermediary CA certificates.
Directory lookup requires existence and access to a directory that
has been populated with all of the necessary certificates. The
Subject Information Access extension, which supports building the CRL
issuer certification path top-down (in the direction from the trust
anchor to the CRL issuer), requires that some certificates in the CRL
issuer certification path includes an appropriate Subject Information
Access extension.
RFC 3280 [PKIX1] provides for bottom-up discovery of certification
paths through the Authority Information Access extension, where the
id-ad-caIssuers access method may specify one or more accessLocation
fields that reference CA certificates associated with the certificate
containing this extension.
This document enables the use of the Authority Information Access
extension in CRLs, enabling a CRL checking application to use the
access method (id-ad-caIssuers) to locate certificates that may be
useful in the construction of a valid CRL issuer certification path
to an appropriate trust anchor.
Santesson & Housley Standards Track [Page 2]
RFC 4325 Authority Information Access CRL Extension December 2005
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Authority Information Access CRL Extension
This section defines the use of the Authority Information Access
extension in a CRL. The syntax and semantics defined in RFC 3280
[PKIX1] for the certificate extensions are also used for the CRL
Show full document text