没有合适的资源?快使用搜索试试~ 我知道了~
X509 RFC5280规范
2星 需积分: 50 47 下载量 69 浏览量
2017-09-06
22:28:21
上传
评论
收藏 202KB PDF 举报
温馨提示
试读
151页
X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范X509 RFC5280规范
资源推荐
资源详情
资源评论
Network Working Group D. Cooper
Request for Comments: 5280 NIST
Obsoletes: 3280, 4325, 4630 S. Santesson
Category: Standards Track Microsoft
S. Farrell
Trinity College Dublin
S. Boeyen
Entrust
R. Housley
Vigil Security
W. Polk
NIST
May 2008
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo profiles the X.509 v3 certificate and X.509 v2 certificate
revocation list (CRL) for use in the Internet. An overview of this
approach and model is provided as an introduction. The X.509 v3
certificate format is described in detail, with additional
information regarding the format and semantics of Internet name
forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required
certificate extensions is specified. The X.509 v2 CRL format is
described in detail along with standard and Internet-specific
extensions. An algorithm for X.509 certification path validation is
described. An ASN.1 module and examples are provided in the
appendices.
Cooper, et al. Standards Track [Page 1]
RFC 5280 PKIX Certificate and CRL Profile May 2008
Table of Contents
1. Introduction ....................................................4
2. Requirements and Assumptions ....................................6
2.1. Communication and Topology .................................7
2.2. Acceptability Criteria .....................................7
2.3. User Expectations ..........................................7
2.4. Administrator Expectations .................................8
3. Overview of Approach ............................................8
3.1. X.509 Version 3 Certificate ................................9
3.2. Certification Paths and Trust .............................10
3.3. Revocation ................................................13
3.4. Operational Protocols .....................................14
3.5. Management Protocols ......................................14
4. Certificate and Certificate Extensions Profile .................16
4.1. Basic Certificate Fields ..................................16
4.1.1. Certificate Fields .................................17
4.1.1.1. tbsCertificate ............................18
4.1.1.2. signatureAlgorithm ........................18
4.1.1.3. signatureValue ............................18
4.1.2. TBSCertificate .....................................18
4.1.2.1. Version ...................................19
4.1.2.2. Serial Number .............................19
4.1.2.3. Signature .................................19
4.1.2.4. Issuer ....................................20
4.1.2.5. Validity ..................................22
4.1.2.5.1. UTCTime ........................23
4.1.2.5.2. GeneralizedTime ................23
4.1.2.6. Subject ...................................23
4.1.2.7. Subject Public Key Info ...................25
4.1.2.8. Unique Identifiers ........................25
4.1.2.9. Extensions ................................26
4.2. Certificate Extensions ....................................26
4.2.1. Standard Extensions ................................27
4.2.1.1. Authority Key Identifier ..................27
4.2.1.2. Subject Key Identifier ....................28
4.2.1.3. Key Usage .................................29
4.2.1.4. Certificate Policies ......................32
4.2.1.5. Policy Mappings ...........................35
4.2.1.6. Subject Alternative Name ..................35
4.2.1.7. Issuer Alternative Name ...................38
4.2.1.8. Subject Directory Attributes ..............39
4.2.1.9. Basic Constraints .........................39
4.2.1.10. Name Constraints .........................40
4.2.1.11. Policy Constraints .......................43
4.2.1.12. Extended Key Usage .......................44
4.2.1.13. CRL Distribution Points ..................45
4.2.1.14. Inhibit anyPolicy ........................48
Cooper, et al. Standards Track [Page 2]
RFC 5280 PKIX Certificate and CRL Profile May 2008
4.2.1.15. Freshest CRL (a.k.a. Delta CRL
Distribution Point) ......................48
4.2.2. Private Internet Extensions ........................49
4.2.2.1. Authority Information Access ..............49
4.2.2.2. Subject Information Access ................51
5. CRL and CRL Extensions Profile .................................54
5.1. CRL Fields ................................................55
5.1.1. CertificateList Fields .............................56
5.1.1.1. tbsCertList ...............................56
5.1.1.2. signatureAlgorithm ........................57
5.1.1.3. signatureValue ............................57
5.1.2. Certificate List "To Be Signed" ....................58
5.1.2.1. Version ...................................58
5.1.2.2. Signature .................................58
5.1.2.3. Issuer Name ...............................58
5.1.2.4. This Update ...............................58
5.1.2.5. Next Update ...............................59
5.1.2.6. Revoked Certificates ......................59
5.1.2.7. Extensions ................................60
5.2. CRL Extensions ............................................60
5.2.1. Authority Key Identifier ...........................60
5.2.2. Issuer Alternative Name ............................60
5.2.3. CRL Number .........................................61
5.2.4. Delta CRL Indicator ................................62
5.2.5. Issuing Distribution Point .........................65
5.2.6. Freshest CRL (a.k.a. Delta CRL Distribution
Point) .............................................67
5.2.7. Authority Information Access .......................67
5.3. CRL Entry Extensions ......................................69
5.3.1. Reason Code ........................................69
5.3.2. Invalidity Date ....................................70
5.3.3. Certificate Issuer .................................70
6. Certification Path Validation ..................................71
6.1. Basic Path Validation .....................................72
6.1.1. Inputs .............................................75
6.1.2. Initialization .....................................77
6.1.3. Basic Certificate Processing .......................80
6.1.4. Preparation for Certificate i+1 ....................84
6.1.5. Wrap-Up Procedure ..................................87
6.1.6. Outputs ............................................89
6.2. Using the Path Validation Algorithm .......................89
6.3. CRL Validation ............................................90
6.3.1. Revocation Inputs ..................................91
6.3.2. Initialization and Revocation State Variables ......91
6.3.3. CRL Processing .....................................92
7. Processing Rules for Internationalized Names ...................95
7.1. Internationalized Names in Distinguished Names ............96
7.2. Internationalized Domain Names in GeneralName .............97
Cooper, et al. Standards Track [Page 3]
RFC 5280 PKIX Certificate and CRL Profile May 2008
7.3. Internationalized Domain Names in Distinguished Names .....98
7.4. Internationalized Resource Identifiers ....................98
7.5. Internationalized Electronic Mail Addresses ..............100
8. Security Considerations .......................................100
9. IANA Considerations ...........................................105
10. Acknowledgments ..............................................105
11. References ...................................................105
11.1. Normative References ....................................105
11.2. Informative References ..................................107
Appendix A. Pseudo-ASN.1 Structures and OIDs ....................110
A.1. Explicitly Tagged Module, 1988 Syntax ....................110
A.2. Implicitly Tagged Module, 1988 Syntax ....................125
Appendix B. ASN.1 Notes ..........................................133
Appendix C. Examples .............................................136
C.1. RSA Self-Signed Certificate ..............................137
C.2. End Entity Certificate Using RSA .........................140
C.3. End Entity Certificate Using DSA .........................143
C.4. Certificate Revocation List ..............................147
1. Introduction
This specification is one part of a family of standards for the X.509
Public Key Infrastructure (PKI) for the Internet.
This specification profiles the format and semantics of certificates
and certificate revocation lists (CRLs) for the Internet PKI.
Procedures are described for processing of certification paths in the
Internet environment. Finally, ASN.1 modules are provided in the
appendices for all data structures defined or referenced.
Section 2 describes Internet PKI requirements and the assumptions
that affect the scope of this document. Section 3 presents an
architectural model and describes its relationship to previous IETF
and ISO/IEC/ITU-T standards. In particular, this document’s
relationship with the IETF PEM specifications and the ISO/IEC/ITU-T
X.509 documents is described.
Section 4 profiles the X.509 version 3 certificate, and Section 5
profiles the X.509 version 2 CRL. The profiles include the
identification of ISO/IEC/ITU-T and ANSI extensions that may be
useful in the Internet PKI. The profiles are presented in the 1988
Abstract Syntax Notation One (ASN.1) rather than the 1997 ASN.1
syntax used in the most recent ISO/IEC/ITU-T standards.
Section 6 includes certification path validation procedures. These
procedures are based upon the ISO/IEC/ITU-T definition.
Implementations are REQUIRED to derive the same results but are not
required to use the specified procedures.
Cooper, et al. Standards Track [Page 4]
RFC 5280 PKIX Certificate and CRL Profile May 2008
Procedures for identification and encoding of public key materials
and digital signatures are defined in [RFC3279], [RFC4055], and
[RFC4491]. Implementations of this specification are not required to
use any particular cryptographic algorithms. However, conforming
implementations that use the algorithms identified in [RFC3279],
[RFC4055], and [RFC4491] MUST identify and encode the public key
materials and digital signatures as described in those
specifications.
Finally, three appendices are provided to aid implementers. Appendix
A contains all ASN.1 structures defined or referenced within this
specification. As above, the material is presented in the 1988
ASN.1. Appendix B contains notes on less familiar features of the
ASN.1 notation used within this specification. Appendix C contains
examples of conforming certificates and a conforming CRL.
This specification obsoletes [RFC3280]. Differences from RFC 3280
are summarized below:
* Enhanced support for internationalized names is specified in
Section 7, with rules for encoding and comparing
Internationalized Domain Names, Internationalized Resource
Identifiers (IRIs), and distinguished names. These rules are
aligned with comparison rules established in current RFCs,
including [RFC3490], [RFC3987], and [RFC4518].
* Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for
continued use of legacy text encoding schemes that were
specified in [RFC4630]. Where in use by an established PKI,
transition to UTF8String could cause denial of service based on
name chaining failures or incorrect processing of name
constraints.
* Section 4.2.1.4 in RFC 3280, which specified the
privateKeyUsagePeriod certificate extension but deprecated its
use, was removed. Use of this ISO standard extension is neither
deprecated nor recommended for use in the Internet PKI.
* Section 4.2.1.5 recommends marking the policy mappings extension
as critical. RFC 3280 required that the policy mappings
extension be marked as non-critical.
* Section 4.2.1.11 requires marking the policy constraints
extension as critical. RFC 3280 permitted the policy
constraints extension to be marked as critical or non-critical.
* The Authority Information Access (AIA) CRL extension, as
specified in [RFC4325], was added as Section 5.2.7.
Cooper, et al. Standards Track [Page 5]
剩余150页未读,继续阅读
资源评论
- yhb78052018-12-26PDF 的RFC 英文原版,我还以为有翻译呢,那直接从官网下载就好了,https://tools.ietf.org/html/rfc5280
- 超人kk2020-03-19垃圾,下载不了的
- cuixinju2021-01-22可以可以可以
hejie1213
- 粉丝: 0
- 资源: 1
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功