X509RFC5280规范_RFC5280资源-CSDN文库

2星需积分: 50 69 浏览量 2017-09-06 22:28:21 上传评论收藏 202KB PDF 举报

资源推荐

资源详情

资源评论

Network Working Group D. Cooper

Request for Comments: 5280 NIST

Obsoletes: 3280, 4325, 4630 S. Santesson

Category: Standards Track Microsoft

S. Farrell

Trinity College Dublin

S. Boeyen

Entrust

R. Housley

Vigil Security

W. Polk

NIST

May 2008

Internet X.509 Public Key Infrastructure Certificate

and Certificate Revocation List (CRL) Profile

Status of This Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Abstract

This memo profiles the X.509 v3 certificate and X.509 v2 certificate

revocation list (CRL) for use in the Internet. An overview of this

approach and model is provided as an introduction. The X.509 v3

certificate format is described in detail, with additional

information regarding the format and semantics of Internet name

forms. Standard certificate extensions are described and two

Internet-specific extensions are defined. A set of required

certificate extensions is specified. The X.509 v2 CRL format is

described in detail along with standard and Internet-specific

extensions. An algorithm for X.509 certification path validation is

described. An ASN.1 module and examples are provided in the

appendices.

Cooper, et al. Standards Track [Page 1]

RFC 5280 PKIX Certificate and CRL Profile May 2008

Table of Contents

1. Introduction ....................................................4

2. Requirements and Assumptions ....................................6

2.1. Communication and Topology .................................7

2.2. Acceptability Criteria .....................................7

2.3. User Expectations ..........................................7

2.4. Administrator Expectations .................................8

3. Overview of Approach ............................................8

3.1. X.509 Version 3 Certificate ................................9

3.2. Certification Paths and Trust .............................10

3.3. Revocation ................................................13

3.4. Operational Protocols .....................................14

3.5. Management Protocols ......................................14

4. Certificate and Certificate Extensions Profile .................16

4.1. Basic Certificate Fields ..................................16

4.1.1. Certificate Fields .................................17

4.1.1.1. tbsCertificate ............................18

4.1.1.2. signatureAlgorithm ........................18

4.1.1.3. signatureValue ............................18

4.1.2. TBSCertificate .....................................18

4.1.2.1. Version ...................................19

4.1.2.2. Serial Number .............................19

4.1.2.3. Signature .................................19

4.1.2.4. Issuer ....................................20

4.1.2.5. Validity ..................................22

4.1.2.5.1. UTCTime ........................23

4.1.2.5.2. GeneralizedTime ................23

4.1.2.6. Subject ...................................23

4.1.2.7. Subject Public Key Info ...................25

4.1.2.8. Unique Identifiers ........................25

4.1.2.9. Extensions ................................26

4.2. Certificate Extensions ....................................26

4.2.1. Standard Extensions ................................27

4.2.1.1. Authority Key Identifier ..................27

4.2.1.2. Subject Key Identifier ....................28

4.2.1.3. Key Usage .................................29

4.2.1.4. Certificate Policies ......................32

4.2.1.5. Policy Mappings ...........................35

4.2.1.6. Subject Alternative Name ..................35

4.2.1.7. Issuer Alternative Name ...................38

4.2.1.8. Subject Directory Attributes ..............39

4.2.1.9. Basic Constraints .........................39

4.2.1.10. Name Constraints .........................40

4.2.1.11. Policy Constraints .......................43

4.2.1.12. Extended Key Usage .......................44

4.2.1.13. CRL Distribution Points ..................45

4.2.1.14. Inhibit anyPolicy ........................48

Cooper, et al. Standards Track [Page 2]

RFC 5280 PKIX Certificate and CRL Profile May 2008

4.2.1.15. Freshest CRL (a.k.a. Delta CRL

Distribution Point) ......................48

4.2.2. Private Internet Extensions ........................49

4.2.2.1. Authority Information Access ..............49

4.2.2.2. Subject Information Access ................51

5. CRL and CRL Extensions Profile .................................54

5.1. CRL Fields ................................................55

5.1.1. CertificateList Fields .............................56

5.1.1.1. tbsCertList ...............................56

5.1.1.2. signatureAlgorithm ........................57

5.1.1.3. signatureValue ............................57

5.1.2. Certificate List "To Be Signed" ....................58

5.1.2.1. Version ...................................58

5.1.2.2. Signature .................................58

5.1.2.3. Issuer Name ...............................58

5.1.2.4. This Update ...............................58

5.1.2.5. Next Update ...............................59

5.1.2.6. Revoked Certificates ......................59

5.1.2.7. Extensions ................................60

5.2. CRL Extensions ............................................60

5.2.1. Authority Key Identifier ...........................60

5.2.2. Issuer Alternative Name ............................60

5.2.3. CRL Number .........................................61

5.2.4. Delta CRL Indicator ................................62

5.2.5. Issuing Distribution Point .........................65

5.2.6. Freshest CRL (a.k.a. Delta CRL Distribution

Point) .............................................67

5.2.7. Authority Information Access .......................67

5.3. CRL Entry Extensions ......................................69

5.3.1. Reason Code ........................................69

5.3.2. Invalidity Date ....................................70

5.3.3. Certificate Issuer .................................70

6. Certification Path Validation ..................................71

6.1. Basic Path Validation .....................................72

6.1.1. Inputs .............................................75

6.1.2. Initialization .....................................77

6.1.3. Basic Certificate Processing .......................80

6.1.4. Preparation for Certificate i+1 ....................84

6.1.5. Wrap-Up Procedure ..................................87

6.1.6. Outputs ............................................89

6.2. Using the Path Validation Algorithm .......................89

6.3. CRL Validation ............................................90

6.3.1. Revocation Inputs ..................................91

6.3.2. Initialization and Revocation State Variables ......91

6.3.3. CRL Processing .....................................92

7. Processing Rules for Internationalized Names ...................95

7.1. Internationalized Names in Distinguished Names ............96

7.2. Internationalized Domain Names in GeneralName .............97

Cooper, et al. Standards Track [Page 3]

RFC 5280 PKIX Certificate and CRL Profile May 2008

7.3. Internationalized Domain Names in Distinguished Names .....98

7.4. Internationalized Resource Identifiers ....................98

7.5. Internationalized Electronic Mail Addresses ..............100

8. Security Considerations .......................................100

9. IANA Considerations ...........................................105

10. Acknowledgments ..............................................105

11. References ...................................................105

11.1. Normative References ....................................105

11.2. Informative References ..................................107

Appendix A. Pseudo-ASN.1 Structures and OIDs ....................110

A.1. Explicitly Tagged Module, 1988 Syntax ....................110

A.2. Implicitly Tagged Module, 1988 Syntax ....................125

Appendix B. ASN.1 Notes ..........................................133

Appendix C. Examples .............................................136

C.1. RSA Self-Signed Certificate ..............................137

C.2. End Entity Certificate Using RSA .........................140

C.3. End Entity Certificate Using DSA .........................143

C.4. Certificate Revocation List ..............................147

1. Introduction

This specification is one part of a family of standards for the X.509

Public Key Infrastructure (PKI) for the Internet.

This specification profiles the format and semantics of certificates

and certificate revocation lists (CRLs) for the Internet PKI.

Procedures are described for processing of certification paths in the

Internet environment. Finally, ASN.1 modules are provided in the

appendices for all data structures defined or referenced.

Section 2 describes Internet PKI requirements and the assumptions

that affect the scope of this document. Section 3 presents an

architectural model and describes its relationship to previous IETF

and ISO/IEC/ITU-T standards. In particular, this document’s

relationship with the IETF PEM specifications and the ISO/IEC/ITU-T

X.509 documents is described.

Section 4 profiles the X.509 version 3 certificate, and Section 5

profiles the X.509 version 2 CRL. The profiles include the

identification of ISO/IEC/ITU-T and ANSI extensions that may be

useful in the Internet PKI. The profiles are presented in the 1988

Abstract Syntax Notation One (ASN.1) rather than the 1997 ASN.1

syntax used in the most recent ISO/IEC/ITU-T standards.

Section 6 includes certification path validation procedures. These

procedures are based upon the ISO/IEC/ITU-T definition.

Implementations are REQUIRED to derive the same results but are not

required to use the specified procedures.

Cooper, et al. Standards Track [Page 4]

RFC 5280 PKIX Certificate and CRL Profile May 2008

Procedures for identification and encoding of public key materials

and digital signatures are defined in [RFC3279], [RFC4055], and

[RFC4491]. Implementations of this specification are not required to

use any particular cryptographic algorithms. However, conforming

implementations that use the algorithms identified in [RFC3279],

[RFC4055], and [RFC4491] MUST identify and encode the public key

materials and digital signatures as described in those

specifications.

Finally, three appendices are provided to aid implementers. Appendix

A contains all ASN.1 structures defined or referenced within this

specification. As above, the material is presented in the 1988

ASN.1. Appendix B contains notes on less familiar features of the

ASN.1 notation used within this specification. Appendix C contains

examples of conforming certificates and a conforming CRL.

This specification obsoletes [RFC3280]. Differences from RFC 3280

are summarized below:

* Enhanced support for internationalized names is specified in

Section 7, with rules for encoding and comparing

Internationalized Domain Names, Internationalized Resource

Identifiers (IRIs), and distinguished names. These rules are

aligned with comparison rules established in current RFCs,

including [RFC3490], [RFC3987], and [RFC4518].

* Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for

continued use of legacy text encoding schemes that were

specified in [RFC4630]. Where in use by an established PKI,

transition to UTF8String could cause denial of service based on

name chaining failures or incorrect processing of name

constraints.

* Section 4.2.1.4 in RFC 3280, which specified the

privateKeyUsagePeriod certificate extension but deprecated its

use, was removed. Use of this ISO standard extension is neither

deprecated nor recommended for use in the Internet PKI.

* Section 4.2.1.5 recommends marking the policy mappings extension

as critical. RFC 3280 required that the policy mappings

extension be marked as non-critical.

* Section 4.2.1.11 requires marking the policy constraints

extension as critical. RFC 3280 permitted the policy

constraints extension to be marked as critical or non-critical.

* The Authority Information Access (AIA) CRL extension, as

specified in [RFC4325], was added as Section 5.2.7.

Cooper, et al. Standards Track [Page 5]

剩余150页未读，继续阅读

评论收藏

内容反馈

yhb7805

2018-12-26

PDF 的RFC 英文原版，我还以为有翻译呢，那直接从官网下载就好了，https://tools.ietf.org/html/rfc5280
超人kk

2020-03-19

垃圾，下载不了的
cuixinju

2021-01-22

可以可以可以

hejie1213

粉丝: 0
资源: 1

X509 RFC5280规范

最新资源

X509 RFC5280规范

x509证书规范

RFC与X.509相关的技术规范.zip

rfc 规范 中文版 合集

rfc5280-en

RFC5280_中文版_个人翻译v1.0

标准英文RFC参考资料

x509证书中issuer规范

X509中发行者命名规范

RFC中文文档-txt

中文版RFC，共456

rfc中文文档目录，包含部分翻译

中文RFC文档.zip

关于rfc的文档组织：中国互动出版网

SIP(VoIP)常用RFC文档.zip

RFC1113_Internet电子邮件秘密增强第一部分- 信息加密和身份验证步骤 .doc

RFC协议标准

timestamp:RFC3161中指定的Go时间戳协议（TSP）实现

基于spring-boot 2.x扩展WebSocket，支持细粒度控制.rar

SMTP&POP3协议详细&MIME规范

官网原版apache-tomcat-9.0.8-windows-x64

LDAP服务器.pdf

BASE64介绍.rar

802.2分组在IPX网络上传输的标准

简单易用的高速加密工具 BCArchive 2.07.2.zip

spring security3.2.0

Pure-Swift JSON解析器和格式化程序。 完全可流式输入和输出。 Linux和OS X就绪。 替换为NSJSONSerialization。-Swift开发

2023.10.21 雷蛇+鼠标宏+PUBG+绝地求生 步枪通用

115转存助手ui优化版3.9.1网友魔改-转存提取全修复-user

恩山新版中兴Telnet工具体验版-20230830.rar

最新资源

rfc 规范中文版合集

Pure-Swift JSON解析器和格式化程序。完全可流式输入和输出。 Linux和OS X就绪。替换为NSJSONSerialization。-Swift开发

2023.10.21 雷蛇+鼠标宏+PUBG+绝地求生步枪通用