
Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile
RFC 3820

Document type: RFC - Proposed Standard (June 2004; Errata)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 3820 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: No addresses provided

Network Working Group                                          S. Tuecke
Request for Comments: 3820                                           ANL
Category: Standards Track                                       V. Welch
                                                                    NCSA
                                                               D. Engert
                                                                     ANL
                                                             L. Pearlman
                                                                 USC/ISI
                                                             M. Thompson
                                                                    LBNL
                                                               June 2004

            Internet X.509 Public Key Infrastructure (PKI)
                       Proxy Certificate Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document defines a certificate profile for Proxy Certificates,
   based on X.509 Public Key Infrastructure (PKI) certificates as
   defined in RFC 3280, for use in the Internet.  The term Proxy
   Certificate describes a certificate that is derived from, and signed
   by, a normal X.509 Public Key End Entity Certificate or by another
   Proxy Certificate, for the purpose of providing restricted proxying
   and delegation within a PKI-based authentication system.

Tuecke, et al.              Standards Track                     [Page 1]
RFC 3820            X.509 Proxy Certificate Profile            June 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Overview of Approach . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.  Background . . . . . . . . . . . . . . . . . . . . . . .  5
       2.3.  Motivation for Proxying. . . . . . . . . . . . . . . . .  5
       2.4.  Motivation for Restricted Proxies. . . . . . . . . . . .  7
       2.5.  Motivation for Unique Proxy Name . . . . . . . . . . . .  8
       2.6.  Description Of Approach. . . . . . . . . . . . . . . . .  9
       2.7.  Features Of This Approach. . . . . . . . . . . . . . . . 10
   3.  Certificate and Certificate Extensions Profile . . . . . . . . 12
       3.1.  Issuer . . . . . . . . . . . . . . . . . . . . . . . . . 12
       3.2.  Issuer Alternative Name. . . . . . . . . . . . . . . . . 12
       3.3.  Serial Number. . . . . . . . . . . . . . . . . . . . . . 12
       3.4.  Subject. . . . . . . . . . . . . . . . . . . . . . . . . 13
       3.5.  Subject Alternative Name . . . . . . . . . . . . . . . . 13
       3.6.  Key Usage and Extended Key Usage . . . . . . . . . . . . 13
       3.7.  Basic Constraints. . . . . . . . . . . . . . . . . . . . 14
       3.8.  The ProxyCertInfo Extension. . . . . . . . . . . . . . . 14
   4.  Proxy Certificate Path Validation. . . . . . . . . . . . . . . 17
       4.1.  Basic Proxy Certificate Path Validation. . . . . . . . . 19
       4.2.  Using the Path Validation Algorithm. . . . . . . . . . . 23
   5.  Commentary . . . . . . . . . . . . . . . . . . . . . . . . . . 24
       5.1.  Relationship to Attribute Certificates . . . . . . . . . 24
       5.2.  Kerberos 5 Tickets . . . . . . . . . . . . . . . . . . . 28
       5.3.  Examples of usage of Proxy Restrictions. . . . . . . . . 28
       5.4.  Delegation Tracing . . . . . . . . . . . . . . . . . . . 29
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 30
       6.1.  Compromise of a Proxy Certificate. . . . . . . . . . . . 30
       6.2.  Restricting Proxy Certificates . . . . . . . . . . . . . 31
       6.3.  Relying Party Trust of Proxy Certificates. . . . . . . . 31
       6.4.  Protecting Against Denial of Service with Key Generation 32
       6.5.  Use of Proxy Certificates in a Central Repository. . . . 32
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 33
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 33
       8.2.  Informative References . . . . . . . . . . . . . . . . . 33
   9.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 34
   Appendix A. 1988 ASN.1 Module. . . . . . . . . . . . . . . . . . . 35
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
