datatracker.ietf.org
Internet X.509 Public Key Infrastructure Authority Information Access Certificate Revocation List (CRL) Extension
RFC 4325

Document type: RFC - Proposed Standard (December 2005; No errata)
Obsoleted by RFC 5280
Updates RFC 3280
Document stream: IETF
Last updated: 2013-03-02

Network Working Group                                       S. Santesson
Request for Comments: 4325                                     Microsoft
Updates: 3280                                                 R. Housley
Category: Standards Track                                 Vigil Security
                                                           December 2005

     Internet X.509 Public Key Infrastructure Authority Information
           Access Certificate Revocation List (CRL) Extension

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document updates RFC 3280 by defining the Authority Information
   Access Certificate Revocation List (CRL) extension.  RFC 3280 defines
   the Authority Information Access certificate extension using the same
   syntax.  The CRL extension provides a means of discovering and
   retrieving CRL issuer certificates.

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Authority Information Access CRL Extension ......................3
   3. Security Considerations .........................................5
   4. References ......................................................5
      4.1. Normative References .......................................5
      4.2. Informative References .....................................6

Santesson & Housley         Standards Track                     [Page 1]
RFC 4325       Authority Information Access CRL Extension  December 2005

1.  Introduction

   RFC 3280 [PKIX1] specifies the validation of certification paths.
   One aspect involves the determination that a certificate has not been
   revoked, and one revocation checking mechanism is the Certificate
   Revocation List (CRL).  CRL validation is also specified in RFC 3280,
   which involves the construction of a valid certification path for
   the CRL issuer.  Building a CRL issuer certification path from the
   signer of the CRL to a trust anchor is straightforward when the
   certificate of the CRL issuer is present in the certification path
   associated with the target certificate, but it can be complex in
   other situations.

   There are several legitimate scenarios where the certificate of the
   CRL issuer is neither present in, nor easily discovered from, the
   target certification path.  This can be the case when indirect CRLs
   are used, when the Certification Authority (CA) that issued the
   target certificate changes its certificate signing key, or when the
   CA employs separate keys for certificate signing and CRL signing.

   Methods of finding the certificate of the CRL issuer are currently
   available, such as through an accessible directory location or
   through use of the Subject Information Access extension in
   intermediary CA certificates.

   Directory lookup requires existence and access to a directory that
   has been populated with all of the necessary certificates.  The
   Subject Information Access extension, which supports building the CRL
   issuer certification path top-down (in the direction from the trust
   anchor to the CRL issuer), requires that some certificates in the CRL
   issuer certification path include an appropriate Subject Information
   Access extension.

   RFC 3280 [PKIX1] provides for bottom-up discovery of certification
   paths through the Authority Information Access extension, where the
   id-ad-caIssuers access method may specify one or more accessLocation
   fields that reference CA certificates associated with the certificate
   containing this extension.

   This document enables the use of the Authority Information Access
   extension in CRLs, enabling a CRL checking application to use the
   access method (id-ad-caIssuers) to locate certificates that may be
   useful in the construction of a valid CRL issuer certification path
   to an appropriate trust anchor.
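   As an added example (not code from RFC 4325 or its authors), the
   following Python encodes the AuthorityInfoAccessSyntax that RFC 3280
   defines and RFC 4325 carries in a CRL, parses it back out of the
   extension value, and keeps only the id-ad-caIssuers locations a CRL
   checker may dereference for bottom-up path discovery.  It is pure DER
   on the standard library.  The sample URIs and the http/ldap scheme
   allow-list are this example's own assumptions, not part of the RFC.

```python
"""Added example (not part of RFC 4325): build and parse the
AuthorityInfoAccessSyntax of a CRL and extract id-ad-caIssuers URIs.
Sample URIs are constructed for illustration."""

ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # RFC 3280 id-ad-caIssuers
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"         # RFC 3280 id-ad-ocsp (no use for path building)

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_URI = 0x86   # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_aia(access_descriptions):
    """AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    Only the URI form of GeneralName is produced here."""
    if not access_descriptions:
        raise ValueError("AuthorityInfoAccessSyntax needs at least one AccessDescription")
    body = b"".join(
        _tlv(TAG_SEQUENCE, encode_oid(method) + _tlv(TAG_GN_URI, uri.encode("ascii")))
        for method, uri in access_descriptions
    )
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:end], end


def _expect(buf, pos, tag):
    got, body, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return body, end


def parse_aia(der):
    """Return [(accessMethod OID, GeneralName tag, accessLocation bytes), ...]."""
    outer, end = _expect(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorityInfoAccessSyntax")
    descs, pos = [], 0
    while pos < len(outer):
        ad, pos = _expect(outer, pos, TAG_SEQUENCE)
        oid_body, p = _expect(ad, 0, TAG_OID)
        tag, loc, p = _read_tlv(ad, p)
        if p != len(ad):
            raise ValueError("trailing bytes in AccessDescription")
        descs.append((decode_oid(oid_body), tag, loc))
    if not descs:
        raise ValueError("empty AuthorityInfoAccessSyntax")
    return descs


def ca_issuers_uris(der, allowed_schemes=("http", "ldap")):
    """Locations of CRL issuer certificates a CRL checker may fetch.
    OCSP entries and non-URI GeneralNames are skipped.  The scheme
    allow-list is this example's own policy (assumption) so that a CRL
    cannot steer the checker at file: or other local URI handlers."""
    uris = []
    for method, tag, loc in parse_aia(der):
        if method != ID_AD_CA_ISSUERS or tag != TAG_GN_URI:
            continue
        uri = loc.decode("ascii")
        if uri.split(":", 1)[0].lower() in allowed_schemes:
            uris.append(uri)
    return uris


# Constructed sample: AIA value of a CRL signed with a separate CRL-signing
# key, pointing at that key's certificate over HTTP and LDAP.
SAMPLE_CRL_AIA = encode_aia([
    (ID_AD_OCSP, "http://ocsp.example.com"),
    (ID_AD_CA_ISSUERS, "http://crl-issuer.example.com/issuer.cer"),
    (ID_AD_CA_ISSUERS, "ldap://ldap.example.com/cn=CRL%20Issuer,o=Example?cACertificate"),
])

if __name__ == "__main__":
    print(SAMPLE_CRL_AIA.hex())
    for uri in ca_issuers_uris(SAMPLE_CRL_AIA):
        print("caIssuers:", uri)
```

   The returned URIs are hints, not trust: a CRL is itself unverified
   until its issuer path is built, so anything fetched from these
   locations is untrusted input that must chain to a trust anchor under
   the RFC 3280 path validation rules before the CRL is accepted, and a
   checker should bound the number of dereferences it performs when
   walking caIssuers pointers upward, since each fetched certificate may
   carry its own Authority Information Access extension.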

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
