Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Abstract: This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is describ… Show more

“…When it is present, it provides the controls needed to initialize an X.509 certification path validation algorithm implementation (see Section 6 of [RFC5280]). When absent, the trust anchor cannot be used to validate the signature on an X.509 certificate.…”

“…If the certificate is present, the subject name in the certificate MUST exactly match the X.500 distinguished name provided in the taName field, the public key MUST exactly match the public key in the pubKey field, and the subjectKeyIdentifier extension, if present, MUST exactly match the key identifier in the keyId field. The complete description of the syntax and semantics of the Certificate are provided in [RFC5280] inhibitPolicyMapping indicates if policy mapping is allowed in the certification path. When set to TRUE, policy mapping is not permitted.…”

“…When set to TRUE, all certificates in the certification path MUST contain an acceptable policy identifier in the certificate policies extension. This value represents the initial-explicit-policy input value to the certification path validation algorithm described in Section 6.1.1 of [RFC5280]. An acceptable policy identifier is a member of the policySet or the identifier of a policy that is declared to be equivalent through policy mapping.…”

“…This value represents the initial-any-policy-inhibit input value to the certification path validation algorithm described in Section 6.1.1 of [RFC5280]. nameConstr is OPTIONAL.…”

“…nameConstr is OPTIONAL. It has the same syntax and semantics as the Name Constraints certificate extension [RFC5280], which includes a list of permitted names and a list of excluded names. The definition of GeneralName can be found in [RFC5280].…”

Trust Anchor Format

“…When it is present, it provides the controls needed to initialize an X.509 certification path validation algorithm implementation (see Section 6 of [RFC5280]). When absent, the trust anchor cannot be used to validate the signature on an X.509 certificate.…”

“…If the certificate is present, the subject name in the certificate MUST exactly match the X.500 distinguished name provided in the taName field, the public key MUST exactly match the public key in the pubKey field, and the subjectKeyIdentifier extension, if present, MUST exactly match the key identifier in the keyId field. The complete description of the syntax and semantics of the Certificate are provided in [RFC5280] inhibitPolicyMapping indicates if policy mapping is allowed in the certification path. When set to TRUE, policy mapping is not permitted.…”

“…When set to TRUE, all certificates in the certification path MUST contain an acceptable policy identifier in the certificate policies extension. This value represents the initial-explicit-policy input value to the certification path validation algorithm described in Section 6.1.1 of [RFC5280]. An acceptable policy identifier is a member of the policySet or the identifier of a policy that is declared to be equivalent through policy mapping.…”

“…This value represents the initial-any-policy-inhibit input value to the certification path validation algorithm described in Section 6.1.1 of [RFC5280]. nameConstr is OPTIONAL.…”

“…nameConstr is OPTIONAL. It has the same syntax and semantics as the Name Constraints certificate extension [RFC5280], which includes a list of permitted names and a list of excluded names. The definition of GeneralName can be found in [RFC5280].…”

Trust Anchor Format

References

References