Internet-Draft | A Mechanism for Encoding Differences in | October 2024 |
Bonnell, et al. | Expires 24 April 2025 | [Page] |
- Workgroup:
- Network Working Group
- Internet-Draft:
- draft-bonnell-lamps-chameleon-certs-05
- Published:
- Intended Status:
- Standards Track
- Expires:
A Mechanism for Encoding Differences in Paired Certificates
Abstract
This document specifies a method to efficiently convey the differences between two certificates in an X.509 version 3 extension. This method allows a relying party to extract information sufficient to construct the paired certificate and perform certification path validation using the constructed certificate. In particular, this method is especially useful as part of a key or signature algorithm migration, where subjects may be issued multiple certificates containing different public keys or signed with different CA private keys or signature algorithms. This method does not require any changes to the certification path validation algorithm as described in RFC 5280. Additionally, this method does not violate the constraints of serial number uniqueness for certificates issued by a single certification authority.¶
About This Document
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://CBonnell.github.io/chameleon-certs/draft-bonnell-lamps-chameleon-certs.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-bonnell-lamps-chameleon-certs/.¶
Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME (lamps) Working Group mailing list (mailto:spasm@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.¶
Source for this draft and an issue tracker can be found at https://github.com/CBonnell/chameleon-certs.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 April 2025.¶
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
In certain public key infrastructures, it is common to issue multiple certificates to a single subject. In particular, as part of an algorithm migration, multiple certificates may be issued to a single subject which convey public keys of different types or are signed with different signature algorithms. In cases where relying party systems cannot be immediately updated to support new algorithms, it is useful to issue certificates to subjects that convey public keys whose algorithm is being phased out to maintain interoperability. However, multiple certificates adds complexity to certificate management for relying parties and exposes limitations in applications and protocols that support a single certificate chain. For this reason, it is useful to efficiently convey information concerning the elements of two certificates within a single certificate. This information can then be used to construct the paired certificate as needed by relying parties.¶
This document specifies an X.509 v3 certificate extension that includes sufficient information for a relying party to construct both paired certificates with a single certificate. This method does not require any changes to the certification path validation algorithm as described in [RFC5280]. Additionally, this method does not violate the constraints of serial number uniqueness for certificates issued by a single certification authority.¶
This mechanism is particularly relevant for the migration to quantum-resistant algorithms. Similar migration mechanisms have been proposed in the literature, such as the mechanism proposed in [TRANSQRPKI], where encoding the entire paired certificate in a non-critical extension is proposed. This specification builds on this idea by specifying a mechanism that requires only the differences between two paired certificates to be encoded, thus realizing a space savings.¶
In addition to the certificate extension, this document specifies two PKCS #10 Certificate Signing Request attributes that can be used by applicants to request Paired Certificates using a single PKCS #10 Certificate Signing Request.¶
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
2.1. Definitions
For conciseness, this document defines several terms that are frequently used throughout.¶
Base Certificate: A X.509 v3 certificate which contains a delta certificate descriptor extension.¶
DCD: An acronym meaning "Delta Certificate descriptor", which is a reference to the X.509 v3 certificate extension defined in this document.¶
Delta Certificate: A X.509 v3 certificate which can be reconstructed by incorporating the fields and extensions contained in a Base Certificate.¶
Paired Certificates: A Base Certificate and the corresponding Delta Certificate whose information is encoded in the Base Certificate's DCD extension.¶
3. Relationship between Base Certificates and Delta Certificates
In some public key infrastructures, it may be common to issue multiple certificates to the same subject. For example, these certificates generally contain the same (or substantially similar) identity information and generally have identical validity periods. The differences in certificate content generally stem from the certification of different keys, where the named subject may have multiple keys of different algorithms certified by separate certificates. The use of different keys allows for the subject to use the key that is most appropriate for a given operation and intended recipient. For example, as part of an ongoing algorithm migration, it is useful to use stronger algorithms when both of the systems utilized by the subscriber/sender and recipient have been upgraded. However, in the case where systems have not yet been updated, the use of a legacy key algorithm may be required. Additionally, multiple certificates may be issued to the same subject that certify keys for different purposes, such as one key for signing and another key for encryption.¶
The management of multiple certificates may be complex, and there may be limitations in protocols regarding the handling of multiple certificate chains. To account for these concerns, this document proposes a method to efficiently encode the differences between two certificates with sufficient information such that a relying party can derive the complete certificate from another. For the purposes of this document, the "Base Certificate" contains its own fields and extensions and additionally includes an extension that conveys all differences contained within the paired certificate. The certificate whose elements which differ from the Base Certificate and are captured in the Delta Certificate descriptor extension of the Base Certificate is known as the "Delta Certificate".¶
Delta Certificates are reconstructed from the Base Certificate either on the sender's side or the recipient's side depending on the protocol and application(s) in use. The sender may elect to send the Base Certificate or the Delta Certificate based on information that it has about what the recipient can process. Similarly, the client may send either the Base Certificate or the Delta Certificate based on what the server can process. This assures backwards compatibility as the certificate sent to the peer (server or client) is chosen based on what it can process. The negotiation on which certificate to use is out-of-scope of this document and is deferred to each protocol and application.¶
In the absence of information concerning the capabilities of the peer, it is unknown whether it understands the DCD extension in the Base Certificate. When the recipient does not understand the DCD extension, it only processes the information within the Base Certificate and ignores the information found in a non-critical DCD extension. If the recipient receives a Base Certificate and is capable of processing the DCD extension, then it may reconstruct the Delta Certificate to be used for processing.¶
In a protocol, the sender may perform a cryptographic operation with the key conveyed within the Base Certificate. If it understands the DCD extension, then it may reconstruct the Delta Certificate and choose to perform the same operation with the key conveyed within the DCD extension. Alternatively, if the sender understands the DCD extension and knows that the receiver will only process the Delta Certificate, the sender can reconstruct and send only the Delta Certificate. This behavior is deferred to the software in use.¶
4. Delta certificate descriptor extension
The Delta Certificate descriptor ("DCD") extension is used to reconstruct the Delta Certificate by incorporating both the fields and extensions present in the Base Certificate as well as the information contained within the extension itself.¶
Certification authorities SHOULD NOT mark this extension as critical so that applications that do not understand the extension will still be able to process the Base Certificate.¶
The inclusion of the DCD extension within a Base Certificate is not a statement from the issuing Certification Authority of the Base Certificate that the contents of the Delta Certificate have been verified. Conversely, the DCD extension is merely a mechanism to encode the differences between two Paired Certificates. Given this, it is possible for the Base Certificate to expire prior to the Delta Certificate, and vice versa. However, the policies governing a public key infrastructure may add additional requirements for the content of the DCD extension or alignment of validity periods for Base Certificates and Delta Certificates. For example, a policy may require that the validity periods of the Base Certificate and Delta Certificate be identical, or that if the Delta Certificate is revoked, the Base Certificate must also be revoked.¶
4.1. Delta certificate descriptor content
The DCD extension is identified with the following object identifier:¶
(TODO: replace this temporary OID)¶
id-ce-deltaCertificateDescriptor OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) 80 6 1 }¶
The ASN.1 syntax of the extension is as follows:¶
DeltaCertificateDescriptor ::= SEQUENCE { serialNumber CertificateSerialNumber, signature [0] EXPLICIT AlgorithmIdentifier {SIGNATURE_ALGORITHM, {...}} OPTIONAL, issuer [1] EXPLICIT Name OPTIONAL, validity [2] EXPLICIT Validity OPTIONAL, subject [3] EXPLICIT Name OPTIONAL, subjectPublicKeyInfo SubjectPublicKeyInfo, extensions [4] EXPLICIT Extensions{CertExtensions} OPTIONAL, signatureValue BIT STRING }¶
The serialNumber field MUST be present and contain the serial number of the Delta Certificate.¶
The signature field specifies the signature algorithm used by the issuing certification authority to sign the Delta Certificate. If the DER encoding of the value of the signature field of the Base Certificate and Delta Certificate is the same, then this field MUST be absent. Otherwise, it MUST contain the DER encoding of the value of the signature field of the Delta Certificate.¶
The issuer field specifies the distinguished name of the issuing certification authority which signed the Delta Certificate. If the DER encoding of the value of the issuer field of the Base Certificate and Delta Certificate is the same, then this field MUST be absent. Otherwise, it MUST contain the DER encoding of the value of the issuer field of the Delta Certificate.¶
The validity field specifies the validity period of the Delta Certificate. If the DER encoding of the value of the validity field of the Base Certificate and Delta Certificate is the same, then this field MUST be absent. Otherwise, it MUST contain the DER encoding of the value of the validity field of the Delta Certificate.¶
The subject field specifies the distinguished name of the named subject as encoded in the Delta Certificate. If the DER encoding of the value of the subject field of the Base Certificate and Delta Certificate is the same, then this field MUST be absent. Otherwise, it MUST contain the DER encoding of the value of the subject field of the Delta Certificate.¶
The subjectPublicKeyInfo field contains the public key certified in the Delta Certificate. The value of this field MUST differ from the value of the subjectPublicKeyInfo field of the Base Certificate. In other words, the Base Certificate and Delta Certificate MUST certify different keys.¶
The extensions field contains the extensions whose criticality and/or DER-encoded value are different in the Delta Certificate compared to the Base Certificate with the exception of the DCD extension itself. If the extensions field is absent, then all extensions in the Delta Certificate MUST have the same criticality and DER-encoded value as the Base Certificate (except for the DCD extension, which MUST be absent from the Delta Certificate). This field MUST NOT contain any extension:¶
-
which has the same criticality and DER-encoded value as encoded in the Base Certificate,¶
-
whose type does not appear in the Base Certificate, or¶
-
which is of the DCD extension type (recursive Delta Certificates are not permitted).¶
Additionally, the Base Certificate SHALL NOT include any extensions which are not included in the Delta Certificate, with the exception of the DCD extension itself. Likewise, there is no mechanism to remove extensions from the Delta Certificate that are present in the Base Certificate. Therefore, it is not possible to add or remove extensions using the DCD extension. The ordering of extensions in this field MUST be relative to the ordering of the extensions as they are encoded in the Delta Certificate. Maintaining this relative ordering ensures that the Delta Certificate's extensions can be constructed with a single pass.¶
The signatureValue field contains the value of the signature field of the Delta Certificate. It MUST be present.¶
4.2. Issuing a Base Certificate
The signature of the Delta Certificate must be known so that its
value can be included in the signatureValue field of the delta
certificate descriptor extension. Given this, Delta Certificate will
necessarily need to be issued prior to the issuance of the Base
Certificate. To simplify reconstruction of the Delta Certificate,
the signatures for Base and Delta Certificates MUST be calculated over
the DER encoding of the TBSCertificate
structure.¶
After the Delta Certificate is issued, the certification authority compares the signature, issuer, validity, subject, subjectPublicKeyInfo, and extensions fields of the Delta Certificate and the to-be-signed certificate which will contain the DCD extension. The certification authority then populates the DCD extension with the values of the fields which differ from the Base Certificate. The CA MUST encode extensions in the Base Certificate in the same order used for the Delta Certificate, with the exception of the DCD extension itself.¶
The certification authority then adds the computed DCD extension to the to-be-signed Base Certificate and signs the Base Certificate.¶
4.3. Reconstructing a Delta Certificate from a Base Certificate
The following procedure describes how to reconstruct a Delta Certificate from a Base Certificate:¶
-
Create an initial Delta Certificate template by copying the Base Certificate excluding the DCD extension.¶
-
Replace the value of the serialNumber field of the Delta Certificate template with the value of the DCD extension's serialNumber field.¶
-
If the DCD extension contains a value for the signature field, then replace the value of the signature field and the signatureAlgorithm field of the Delta Certificate template with the value of the DCD extension's signature field.¶
-
If the DCD extension contains a value for the issuer field, then replace the value of the issuer field of the Delta Certificate template with the value of the DCD extension's issuer field.¶
-
If the DCD extension contains a value for the validity field, then replace the value of the validity field of the Delta Certificate template with the value of the DCD extension's validity field.¶
-
Replace the value of the subjectPublicKeyInfo field of the Delta Certificate template with the value of the DCD extension's subjectPublicKeyInfo field.¶
-
If the DCD extension contains a value for the subject field, then replace the value of the subject field of the Delta Certificate template with the value of the DCD extension's subject field.¶
-
If the DCD extension contains a value for the extensions field, then iterate over the DCD extension's "extensions" field, replacing the criticality and/or extension value of each identified extension in the Delta Certificate template. If any extension is present in the field that does not appear in the Delta Certificate template, then this reconstruction process MUST fail.¶
-
Replace the value of the signature field of the Delta Certificate template with the value of the DCD extension's signatureValue field.¶
As part of testing implementations of this specification, implementers are encouraged to verify the signature of the reconstructed Delta Certificate using the issuing Certification Authority's public key to ensure that the Delta Certificate was reconstructed correctly.¶
5. Delta certificate request content and semantics
Using the two attributes that are defined below, it is possible to create Certificate Signing Requests for both Base and Delta Certificates within a single PKCS #10 Certificate Signing Request. The mechanism presented in this section need not be used exclusively by requestors for the issuance of Paired Certificates; other mechanisms (such as the submission of two Certificate Signing Requests, etc.) are also acceptable. Additionally, this document does not place any restriction on the amount of time that may elapse between the issuance of a Delta Certificate and the request of a Base Certificate; such restrictions should be defined by the policy of a particular public key infrastructure.¶
The delta certificate request attribute is used to convey the requested differences between the request for issuance of the Base Certificate and the requested Delta Certificate. Similar to the semantics of Certificate Signing Requests in general, the Certification Authority MAY add, modify, or selectively ignore information conveyed in the attribute when issuing the corresponding Delta Certificate.¶
The attribute is identified with the following object identifier:¶
(TODO: replace this temporary OID)¶
id-at-deltaCertificateRequest OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) 80 6 2 }¶
The ASN.1 syntax of the attribute is as follows:¶
DeltaCertificateRequestValue ::= SEQUENCE { subject [0] EXPLICIT Name OPTIONAL, subjectPKInfo SubjectPublicKeyInfo, extensions [1] EXPLICIT Extensions{CertExtensions} OPTIONAL, signatureAlgorithm [2] EXPLICIT AlgorithmIdentifier {SIGNATURE_ALGORITHM, {...}} OPTIONAL } DeltaCertificateRequest ::= ATTRIBUTE { WITH SYNTAX DeltaCertificateRequestValue SINGLE VALUE TRUE ID id-at-deltaCertificateRequest }¶
The delta certificate request signature attribute is used to convey the signature that is calculated over the CertificationRequestInfo using the signature algorithm and key that is specified in the delta certificate request attribute. Section 5.1 describes in detail how to determine the value of this attribute.¶
This attribute is identified with the following object identifier:¶
(TODO: replace this temporary OID)¶
id-at-deltaCertificateRequestSignature OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) 80 6 3 }¶
The ASN.1 syntax of the attribute is as follows:¶
DeltaCertificateRequestSignatureValue ::= BIT STRING deltaCertificateRequestSignature ATTRIBUTE ::= { WITH SYNTAX DeltaCertificateRequestSignatureValue SINGLE VALUE TRUE ID id-at-deltaCertificateRequestSignature }¶
5.1. Creating a Certificate Signing Request for Paired Certificates
The following procedure is used by a certificate requestor to create a combined Certificate Signing Request for Paired Certificates.¶
-
Create a CertificationRequestInfo containing the subject, subjectPKInfo, and attributes for the Base Certificate.¶
-
Create a delta certificate request attribute that specifies the requested differences between the to-be-issued Base Certificate and Delta Certificate requests.¶
-
Add the delta certificate request attribute that was created by step 2 to the list of attributes in the CertificationRequestInfo.¶
-
Sign the CertificationRequestInfo using the private key of the delta certificate request subject.¶
-
Create a delta certificate request signature attribute that contains the signature value calculated by step 4.¶
-
Add the delta certificate request signature attribute that was created by step 5 to the list of attributes.¶
-
Sign the CertificationRequestInfo using the private key of the base certificate request subject.¶
5.2. Verifying a Certificate Signing Request for Paired Certificates
The following procedure is used by a Certification Authority to verify a Certificate Signing Request for Paired Certificates that was created using the process outlined in Section 5.1.¶
-
Create a CertificationRequest template by copying the CertificationRequest submitted by the certificate requestor.¶
-
Verify the signature of the base certificate request using the public key associated with the base certificate request subject and the signature algorithm specified in the
signatureAlgorithm
field of the CertificationRequest template. If signature verification fails, then the Certification Authority MUST treat the Certificate Signing Request as invalid.¶ -
Remove the delta certificate request signature attribute from the CertificationRequest template.¶
-
Replace the value of the
signature
field of the CertificationRequest template with the value of the delta certificate request attribute that was removed in step 3.¶ -
Verify the signature of the delta certificate request using the public key associated with the delta certificate request subject. If the
signatureAlgorithm
field of the delta certificate request attribute is present, then the Certification Authority MUST perform signature verification using the algorithm specified in this field. Otherwise, the Certification Authority MUST perform signature verification using the algorithm specified in thesignatureAlgorithm
field of the CertificationRequest template. If signature verification fails, then the Certification Authority MUST treat the Certificate Signing Request as invalid.¶
6. Security Considerations
The validation of Base Certificates and Delta Certificates follows the certification path validation algorithm defined in [RFC5280]. In particular, the certification path validation algorithm defined in [RFC5280] MUST be performed prior to using a Base or Delta Certificate; it is not sufficient to reconstruct a Delta Certificate and use it for any purpose without performing certification path validation. If a use case requires it, a Delta Certificate can be reconstructed specifically for the purposes of validation to ensure that the Delta Certificate is valid for its intended purpose on final reconstruction. That being said, some form of validation such as revocation checking, and signature verification MUST always be assured at the point the certificate is used.¶
There are some additional considerations for the software to handle the Base Certificate and Delta Certificate. The Base Certificate and Delta Certificate may have different security properties such as different signing algorithms, different key types or the same key types with different key sizes or signing algorithms. The preference on which certificate to be used or using both when available is deferred to the server or client software.¶
The software is expected to make choices depending on the certificate's security properties or a policy set for the particular PKI. One example of handling two certificates is "fallback" where if the validation of the first certificate fails, it attempts to validate the second certificate. Another example to handle two certificate is "upgrade", where the validation of the first certificate succeeds but still attempts the validation of the second certificate. While this document provides a vehicle to convey information of two certificates in one, it does not address the rules that are expected to be set by the policy of a PKI on how to issue Paired Certificates and how to handle them.¶
The algorithms that are used for the Base Certificate and Delta Certificate respectively should be carefully set by the policy of each PKI reflecting the best current practices in usage of cryptography. The behavior of the server or client software is expected to be well-defined in accordance with the policy in order to avoid downgrade attacks or substitution attacks.¶
7. IANA Considerations
For the Delta Certificate descriptor extension as defined in Section 4.1, IANA is requested to assign an object identifier (OID) for the certificate extension. The OID for the certificate extension should be allocated in the "SMI Security for PKIX Certificate Extension" registry (1.3.6.1.5.5.7.1).¶
For the Delta Certificate Request and Delta Certificate Request Signature attributes as defined in Section 5, IANA is requested to create a new registry under SMI Security Codes and assign two object identifiers (OID).¶
For the ASN.1 Module for the extension and attributes defined in Appendix A, IANA is requested to assign an object identifier (OID). The OID for the module should be allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).¶
8. References
8.1. Normative References
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
- [RFC5280]
- Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/rfc/rfc5280>.
- [RFC8174]
- Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
- [X.680]
- ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ISO/IEC 8824-1:2015, .
8.2. Informative References
- [TRANSQRPKI]
- Bindel, N., Herath, U., McKague, M., and D. Stebila, "Transitioning to a Quantum-Resistant Public Key Infrastructure", , <https://d1kjwivbowugqa.cloudfront.net/files/research/papers/PQCrypto-BHMS17-full.pdf>.
Appendix A. ASN.1 Module
The following ASN.1 [X.680] module provides the complete definition of the extensions, attributes, and associated identifiers specified in this document.¶
DeltaCertificateDescriptor { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-deltaCertificateDescriptor(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS AlgorithmIdentifier{}, SIGNATURE-ALGORITHM FROM AlgorithmInformation-2009 -- RFC 5912 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } EXTENSION, ATTRIBUTE, Extensions{} FROM PKIX-CommonTypes-2009 -- RFC 5912 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } CertificateSerialNumber, Name, Validity, SubjectPublicKeyInfo, CertExtensions FROM PKIX1Explicit-2009 -- RFC 5912 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }; -- Temporary OID arc -- id-temporaryArc OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) 80 6 } -- Extension -- id-ce-deltaCertificateDescriptor OBJECT IDENTIFIER ::= { id-temporaryArc 1 } DeltaCertificateDescriptor ::= SEQUENCE { serialNumber CertificateSerialNumber, signature [0] EXPLICIT AlgorithmIdentifier {SIGNATURE_ALGORITHM, {...}} OPTIONAL, issuer [1] EXPLICIT Name OPTIONAL, validity [2] EXPLICIT Validity OPTIONAL, subject [3] EXPLICIT Name OPTIONAL, subjectPublicKeyInfo SubjectPublicKeyInfo, extensions [4] EXPLICIT Extensions{CertExtensions} OPTIONAL, signatureValue BIT STRING } ext-deltaCertificateDescriptor EXTENSION ::= { SYNTAX DeltaCertificateDescriptor IDENTIFIED BY id-ce-deltaCertificateDescriptor CRITICALITY { FALSE } } -- Request Attributes -- id-at-deltaCertificateRequest OBJECT IDENTIFIER ::= { id-temporaryArc 2 } DeltaCertificateRequestValue ::= SEQUENCE { subject [0] EXPLICIT Name OPTIONAL, subjectPKInfo SubjectPublicKeyInfo, extensions [1] EXPLICIT Extensions{CertExtensions} OPTIONAL, signatureAlgorithm [2] EXPLICIT AlgorithmIdentifier {SIGNATURE_ALGORITHM, {...}} OPTIONAL } DeltaCertificateRequest ::= ATTRIBUTE { WITH SYNTAX DeltaCertificateRequestValue SINGLE VALUE TRUE ID id-at-deltaCertificateRequest } id-at-deltaCertificateRequestSignature OBJECT IDENTIFIER ::= { id-temporaryArc 3 } DeltaCertificateRequestSignatureValue ::= BIT STRING DeltaCertificateRequestSignature ::= ATTRIBUTE { WITH SYNTAX DeltaCertificateRequestSignatureValue SINGLE VALUE TRUE ID id-at-deltaCertificateRequestSignature } END¶
Appendix B. Examples
This appendix includes some example certificates which demonstrate the use of the mechanism specified in this document. Two use cases of this mechanism are demonstrated: algorithm migration and dual use. The PEM text and dumpasn1 output for each certificate is provided.¶
B.1. Root certificates
The two certificates in this section represent the two root Certification Authorities which issue the end-entity certificates in the following section.¶
B.1.1. EC P-521 root certificate
This is the EC root certificate.¶
-----BEGIN CERTIFICATE----- MIIDBDCCAmagAwIBAgIUDCQO4j68JeS6tggSujZ2W/+5RMAwCgYIKoZIzj0EAwQw gYsxCzAJBgNVBAYTAlhYMTUwMwYDVQQKDCxSb3lhbCBJbnN0aXR1dGUgb2YgUHVi bGljIEtleSBJbmZyYXN0cnVjdHVyZTErMCkGA1UECwwiUG9zdC1IZWZmYWx1bXAg UmVzZWFyY2ggRGVwYXJ0bWVudDEYMBYGA1UEAwwPRUNEU0EgUm9vdCAtIEcxMB4X DTI0MTAxNzIzMzcyM1oXDTM0MTAxNTIzMzcyM1owgYsxCzAJBgNVBAYTAlhYMTUw MwYDVQQKDCxSb3lhbCBJbnN0aXR1dGUgb2YgUHVibGljIEtleSBJbmZyYXN0cnVj dHVyZTErMCkGA1UECwwiUG9zdC1IZWZmYWx1bXAgUmVzZWFyY2ggRGVwYXJ0bWVu dDEYMBYGA1UEAwwPRUNEU0EgUm9vdCAtIEcxMIGbMBAGByqGSM49AgEGBSuBBAAj A4GGAAQBAFYGp79DhDUnJ+euhbWIqRMPC/YJyMcXp5xEF96cQji2rOckvcqQkhqE K2upXcSLaclIkS16REFZgT0q3vO2m1wAhXxeKePsML2EiCMQIEArXsEwCDGu+qdx mN2lHUQNuiisrkigRdXILHaAXdfTtAvpopsAchnm+vUbHNavcxVRjK2jYzBhMA8G A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTro9CLUf4S 3MwhZoeFD5jHZ3OINDAfBgNVHSMEGDAWgBTro9CLUf4S3MwhZoeFD5jHZ3OINDAK BggqhkjOPQQDBAOBiwAwgYcCQUnnSxI6X5NPGGetpBUkEh3HIDTrW24dPtx74wmW ANwrejsbS0SvbipnQJPQXjTv8aXDlDAMiPKHado5qCJXMvU3AkIAmDbRmevtaNUQ 0k6e97CWc8tTPE7gXo5iqFD0NU9v20HV3z7voEU8fYD65A1Ay3VQ76nC8W8T4T1a fvRCLit6wo0= -----END CERTIFICATE-----¶
0 772: SEQUENCE { 4 614: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 0C 24 0E E2 3E BC 25 E4 BA B6 08 12 BA 36 76 5B FF B9 44 C0 35 10: SEQUENCE { 37 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 47 139: SEQUENCE { 50 11: SET { 52 9: SEQUENCE { 54 3: OBJECT IDENTIFIER countryName (2 5 4 6) 59 2: PrintableString 'XX' : } : } 63 53: SET { 65 51: SEQUENCE { 67 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 72 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 118 43: SET { 120 41: SEQUENCE { 122 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 127 34: UTF8String 'Post-Heffalump Research Department' : } : } 163 24: SET { 165 22: SEQUENCE { 167 3: OBJECT IDENTIFIER commonName (2 5 4 3) 172 15: UTF8String 'ECDSA Root - G1' : } : } : } 189 30: SEQUENCE { 191 13: UTCTime 17/10/2024 23:37:23 GMT 206 13: UTCTime 15/10/2034 23:37:23 GMT : } 221 139: SEQUENCE { 224 11: SET { 226 9: SEQUENCE { 228 3: OBJECT IDENTIFIER countryName (2 5 4 6) 233 2: PrintableString 'XX' : } : } 237 53: SET { 239 51: SEQUENCE { 241 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 246 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 292 43: SET { 294 41: SEQUENCE { 296 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 301 34: UTF8String 'Post-Heffalump Research Department' : } : } 337 24: SET { 339 22: SEQUENCE { 341 3: OBJECT IDENTIFIER commonName (2 5 4 3) 346 15: UTF8String 'ECDSA Root - G1' : } : } : } 363 155: SEQUENCE { 366 16: SEQUENCE { 368 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 377 5: OBJECT IDENTIFIER secp521r1 (1 3 132 0 35) : } 384 134: BIT STRING : 04 01 00 56 06 A7 BF 43 84 35 27 27 E7 AE 85 B5 : 88 A9 13 0F 0B F6 09 C8 C7 17 A7 9C 44 17 DE 9C : 42 38 B6 AC E7 24 BD CA 90 92 1A 84 2B 6B A9 5D : C4 8B 69 C9 48 91 2D 7A 44 41 59 81 3D 2A DE F3 : B6 9B 5C 00 85 7C 5E 29 E3 EC 30 BD 84 88 23 10 : 20 40 2B 5E C1 30 08 31 AE FA A7 71 98 DD A5 1D : 44 0D BA 28 AC AE 48 A0 45 D5 C8 2C 76 80 5D D7 : D3 B4 0B E9 A2 9B 00 72 19 E6 FA F5 1B 1C D6 AF : 73 15 51 8C AD : } 521 99: [3] { 523 97: SEQUENCE { 525 15: SEQUENCE { 527 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 532 1: BOOLEAN TRUE 535 5: OCTET STRING, encapsulates { 537 3: SEQUENCE { 539 1: BOOLEAN TRUE : } : } : } 542 14: SEQUENCE { 544 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 549 1: BOOLEAN TRUE 552 4: OCTET STRING, encapsulates { 554 2: BIT STRING 1 unused bit : '1100000'B : } : } 558 29: SEQUENCE { 560 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 565 22: OCTET STRING, encapsulates { 567 20: OCTET STRING : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } 589 31: SEQUENCE { 591 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 596 24: OCTET STRING, encapsulates { 598 22: SEQUENCE { 600 20: [0] : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } : } : } : } : } 622 10: SEQUENCE { 624 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 634 139: BIT STRING, encapsulates { 638 135: SEQUENCE { 641 65: INTEGER : 49 E7 4B 12 3A 5F 93 4F 18 67 AD A4 15 24 12 1D : C7 20 34 EB 5B 6E 1D 3E DC 7B E3 09 96 00 DC 2B : 7A 3B 1B 4B 44 AF 6E 2A 67 40 93 D0 5E 34 EF F1 : A5 C3 94 30 0C 88 F2 87 69 DA 39 A8 22 57 32 F5 : 37 708 66: INTEGER : 00 98 36 D1 99 EB ED 68 D5 10 D2 4E 9E F7 B0 96 : 73 CB 53 3C 4E E0 5E 8E 62 A8 50 F4 35 4F 6F DB : 41 D5 DF 3E EF A0 45 3C 7D 80 FA E4 0D 40 CB 75 : 50 EF A9 C2 F1 6F 13 E1 3D 5A 7E F4 42 2E 2B 7A : C2 8D : } : } : }¶
B.1.2. ML-DSA-65 root certificate
This is the ML-DSA-65 root certificate. It contains a Delta Certificate Descriptor extension which includes sufficient information to recreate the ECDSA P-521 root.¶
-----BEGIN CERTIFICATE----- MIIZCDCCDAWgAwIBAgIUFWd6hCxGhDNL+S1OL3UY7w+psbQwCwYJYIZIAWUDBAMS MIGMMQswCQYDVQQGEwJYWDE1MDMGA1UECgwsUm95YWwgSW5zdGl0dXRlIG9mIFB1 YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1cmUxKzApBgNVBAsMIlBvc3QtSGVmZmFsdW1w IFJlc2VhcmNoIERlcGFydG1lbnQxGTAXBgNVBAMMEE1MLURTQSBSb290IC0gRzEw HhcNMjQxMDE3MjMzNzIzWhcNMzQxMDE1MjMzNzIzWjAvMQswCQYDVQQGEwJYWDEP MA0GA1UECgwGSGFuYWtvMQ8wDQYDVQQLDAZZYW1hZGEwggeyMAsGCWCGSAFlAwQD EgOCB6EA/a6iHTzCfanvaHi8GU+U+oX5nDkvkSj/c/eGnGt0f70YDjvXoNmwXSxI pFHz7mLnmJ09lEI2O1OGLgUFjAYdubQRMlvjj0OzZjD4gJhs/c6G8B2loKtd6aOW t4KPPVpmmvXaOFwFeU3NVq+JYZh8Uk7dCQ6PNC6FqIirE+5X8EqoG1SvOe8jYDt+ KVu7Q9VKSNMEwZYoa9lE/JDlQ+CTr3LsC4XbpHGFzxlbXBz2hPv9Rq+K5JGKZ8Xe WiEvJ0gwU9BuEJ1zwA/mKO/gmYcxFwVT24aaoW4nDwZ4eyUmDxdH6y1PK7Anwbbm Izis+50FisFbSCv+FCg+M4Bwa+VFLcnG2RB31dwR6Qx7WOyMhYEXycQIPwD1GRLO zJopFVAoeWFIUec28gSLPG/a6WtZthVf3AwNlEU9q5GVMyNXi4wikwr3oMW0JHea Muv1dN+QEHPKFUP/pVdrux+39EdUP2Ydh0m4xB4cPTYD3b0PEtNvlwWvprP1S6yE GbbFNCqXKoPiGLeTgEiKIzDr9b0DxFMQhjzHBEKxnTbpFpYTuFuUApUAnmm6DzUj o1V1RdsIqG5B1ZEGaJxHkBZle7Xr6ALw9Pr8ypmaUNnjq9E4ZxoqBWhuWQLsomB3 gLXrXcTTZGo/Yr603KZacjL0fitoplczRu91crEqLV4d7s1jNZKKRC+0p2cYDcIn ktjgf8ypkgElWo+GdgoMmUdqtzpORIbq3pWV3AJfL9PU8tB6KTCN86Rxb/syTG7Y 53TLW67qyY6xY/BGvdxtdjw7zNkkOhO6AUywFn8xi5+B9S3n11ICSXrn6Rpu+Qgt z1GKl53ltc97Gv19eFn48u7uPwkqtHVyvRqCzEMBygZKcy2Weaij3gsXW+JWYxtP zJgrn9fA3zGia9CWPe/+W0xGuIm0nXf4H85rrJ8Iwgh7lwlQeoWaXFIzxtj5YSks ksZGy0YcW1QfmUGpeu5j6qLBuLfNyKgNpRxMbqC50UQh0hSJkOr9mwEPEL7A0LJG SlRnqNo7gCmhxTRKyaNR3luLZbIJfj4j3ltlPCDCRBrIFXkTbAiE8tfillgWqnCK phdQHtzLRvFPaFpCDMhXuAyjLXW/6JhERClap5dJFjYVH0YWvWffcRPChusVSSLh lTGxD5QYe8S0EkECJ1ajlUCyRf1kOPejJSh/gsW0DLvYW3vIypDJhnDcD40CPqqz B5YduFeFGkYLnJs6LA1JyosJGkblcUA5O+eqz7AIdK02GPLL5eDAeQ/HCXgIa8AN nXa3eErpAv7V6TCIdUpUdAMzTSf1E5x30uas4PBbF85MZWTP5xH2eGHmaNvi2UQd Zg3FVfWa4hv99IIlBPqDykd60RHKrWSXwB16R0zzzLy8vcIDPMrC9M2rOGkJF2w1 KZ6u86/PGUVvwESxz+7jpxkMFdsgQ79ffhJYxjJNBY0EEe9C3vz4+vIDm0PW7YhR BZ11pWYH+4v8WzhT1HmGIfq6QQYh9Pz9uHsNc9Pl5kTQu1jTgdSeqFbshUNWuvGo LeGhoIC6fn5cYKJhKEslFl4fcJr5eQfVzwhXncZkloHgrrFYprv35Odqo/2AAPu6 +ILsegIY+D809nrQWBsZLNs7gopYi68xHc/yA6vOFGu7hLk/6qeV8ZNr89aGQU3Q WBLmFRCZ+c4325uNmr2uhZntOK2ELVDosHkMkxynQPKDXheUGhU2lP/3bT+aGsug l+0eXYYrxR3qnc5fM8u9ntJUGDTV9z/CzcBovHdMJfR16gbs4Qi5tsrwp1Teu8cI SKh1zgdlxXKk/F7D0q3xiMcS8RC4fp3wstOVzgaQNrJEgAcN3tNsblu1JYKoSwoe Rg94FAvULY8PLlkntNvjWAqAQXr1UW/diWX20wSUG9qFCmyo/TFpUbXIUER1kwi4 j/Ll5tLfziGWWsnAehE8heeZSkeKwa63ZBjUAZzQ2Ycohd3I+yzf3sbL6q4v4qtT tpRSJh4f25YJEg4DPYCUxpS1ZQyhZ7yG77ylKgw2+pA1Kv3wArO/3pWff+NZoP9O LKDrOmNY2ythYRxjfvwerjAl93vcnqm/t84XY1PNWk4uvf5M3ZqBF4skeMAtTdsD y1ROQuAMBvnuXdg58cBDe6RSInoJyn8sZYILyveHt9bK4E9O3icOfCMaCweeJ30x SDOrW9bdB7jA3WHqzSrg1NqJJGUwCQTYdmbACzOsiDaduUZAB4BaD666bzcSUjHf QEN5/930H4wFNyRBAcrjlyJ0s3SCDG+8RX0EVN8QFt+A+0VFPpkTeIqsOzHaSwjs WhALemYVCFpuqCc9ILDh7LmGNPkAUFpVjCGOWiNTxP1jhiQWp/gR7fF3Y/8tpFF0 /Le6X7p4VysXETscgXtopK/eT4eRo08wI2bkR7V8E9eiV+djFJw9uiHxmYH2HN2X xVNWRGnpZRUiHzHIm0mQwmaamkaz+v8D8zNa2EC8PNcE1UAjqiKEcxOm3pBcFozT BnDx5gJ0zcOP29+DZWKDNNHwr+ldHK51ttXeBn44LVC7CsG8CcN+/hMK0oGs7ivE eC4YVfpeimX5k4ZfG0BfQAEVSUkgQL5d0VyW3Ceiunzc4wbYHTOjggNDMIIDPzAP BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUmwe0pHXE vJFdNeDJocFi4ndV1j8wHwYDVR0jBBgwFoAUmwe0pHXEvJFdNeDJocFi4ndV1j8w ggLaBgpghkgBhvprUAYBBIICyjCCAsYCFAwkDuI+vCXkurYIEro2dlv/uUTAoAww CgYIKoZIzj0EAwShgY4wgYsxCzAJBgNVBAYTAlhYMTUwMwYDVQQKDCxSb3lhbCBJ bnN0aXR1dGUgb2YgUHVibGljIEtleSBJbmZyYXN0cnVjdHVyZTErMCkGA1UECwwi UG9zdC1IZWZmYWx1bXAgUmVzZWFyY2ggRGVwYXJ0bWVudDEYMBYGA1UEAwwPRUNE U0EgUm9vdCAtIEcxo4GOMIGLMQswCQYDVQQGEwJYWDE1MDMGA1UECgwsUm95YWwg SW5zdGl0dXRlIG9mIFB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1cmUxKzApBgNVBAsM IlBvc3QtSGVmZmFsdW1wIFJlc2VhcmNoIERlcGFydG1lbnQxGDAWBgNVBAMMD0VD RFNBIFJvb3QgLSBHMTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAQBWBqe/Q4Q1 JyfnroW1iKkTDwv2CcjHF6ecRBfenEI4tqznJL3KkJIahCtrqV3Ei2nJSJEtekRB WYE9Kt7ztptcAIV8Xinj7DC9hIgjECBAK17BMAgxrvqncZjdpR1EDboorK5IoEXV yCx2gF3X07QL6aKbAHIZ5vr1GxzWr3MVUYytpFIwUDAOBgNVHQ8BAf8EBAMCAQYw HQYDVR0OBBYEFOuj0ItR/hLczCFmh4UPmMdnc4g0MB8GA1UdIwQYMBaAFOuj0ItR /hLczCFmh4UPmMdnc4g0A4GLADCBhwJBSedLEjpfk08YZ62kFSQSHccgNOtbbh0+ 3HvjCZYA3Ct6OxtLRK9uKmdAk9BeNO/xpcOUMAyI8odp2jmoIlcy9TcCQgCYNtGZ 6+1o1RDSTp73sJZzy1M8TuBejmKoUPQ1T2/bQdXfPu+gRTx9gPrkDUDLdVDvqcLx bxPhPVp+9EIuK3rCjTALBglghkgBZQMEAxIDggzuAKKWJqZR+Ce+zJlGjCzLJWmx /c3mxMug0vo1NtheVQ4Id3Lnhv5yimxnGXCdtkCcRyQGef6ku2gpf6AeSTBaA9sa C3d8sB1HLTlPnwBXTWJ0xgp0kGVqCfwrbeRdCsoFrRoz1V2ETBecFehgQFHYLWtO Q/VZrXPpwUxjIJRpSdxIw3SCsADjT/cQI9CQl5riMFOsZedRRPxSpw6lAGo557Ul IgsxXA90mZQvRONY3mh8YkDT5uxQV0xRlyLLcZ3dxkzKgZrndz9F1yPrDGA0ixdk F+3u4mxt8BJYZyRA2UeLEPG0OAIORmCeNuuixnFytGkctTd83GHeAszUtSanOyIU JSomB/9G/omW3TU8uI8zWFuW+Fac8kpcNIECMujWUpB4RlxTWC/eTqrSiH7leE41 aCaZC8Hd1jwTEK2xvPC8KCI/apk71rnmX4KFOCgG8FirIw/Usv6mnqt2G65nNlde 7gWS8XoMFJDtYWDUpkgwRwLHvBNvKK/WikRDG3pSI8E1UyU1MU5R1JQnQRgzjazR 5lWhsMLrYoC+wi+XKNkFjeKVbgoiVoAD3ZKGnkJvIEueilGEWTYoTiobKBHzDjI3 b9x0GuBU0Z/MiRsycsDJUrl8hK8kpgBAS7ENTaowGdE9KhiqzY4xX83vgjy0bDL4 X9+2CXuQtFR5QotYapjA1HJUM5UuB5ix7i32dbZfnrJOZqcgocWuFRkShsAAu/wH wFeeiJodlAlFVh3onDgh76316MewB/VLpM3G4EctzI9i5xqJzKXjlKWXP9ZjW/Sd 50R42fe6AaUqN4DaNbwOQaBs48auupU+EK6NytQl9rCeCJ4gicnM1no4QQbcwecZ VvrrCs8egd3hawzMuCRhKeNzaYVeqnWhsRWdLxJANa07ANQqgXLhSx7vDBLiIQLA UNqNYndYjEG3jirFxITUtHcz4ekZC7hpGkbl5qabQvrlk6lJ7yfuNuoO5jcCKY/C BbOluVgjOeYeBfqJ9u9MwMcTUs26DkpW9h5YXIXATBj9dI3Tzp6fb9qtg9zBTHap JKwmbUbgbPJSabtFMwh5XUpIpsJ+Mujek4uQ2GNaA6YfitHeDP91DM9ZUVFM7/5/ 0BysQZLfD3SDO2Q/TnCug4XlCy0Z8ChnCBRGldqU1cMKPszXviLauBoM6aiLx7Lf feuMxZVWJ1xC3crrP4OXpEO7IkIsDeKoVBBdkhV9RuD394h7jSCljMEVCYKCRUWV mvffcmJNxfIfTgeLboHiAu0vDjE6s9vrcUASTDTgXuooy3rQ4q4fkWvV+cLPCZH9 sRZQvGcziMWrubTPa3WuVG9FHmejYcTsRTIxl1IlU8IjgW5hzwdmiZKI9cnCPqxy a+uSk7K/by9rG4msxklsijdQ8CRg3V4mgNW5FTa6hXpfabmYWEZetYzJ7CISueCH RtevtYz5HTARC5KB2CcYMV3Cz1AaIxd29lZpWJFd8sWLN50P/1KBanqeFfqXgIuW RVE26I1IyMrrxzPUN6F+C7AWEEFGI5rue3M2EdIAAP3Sv6paLut9cESLS8zQBz8J nL+RXsvL3ctYW5XbcuDIFJaIAENJArveEI4u4Oyvxyz0bp5JmS8tpRTWUoRWBt9B hAp4axTi2eUWn6XHCBTG5DIyi4i+Tz8yt+zkBLdCh/b/UgxVtH6O5jcrOc9j0kb7 IJGacW71sE/sM0xCLFvqo2pEaKrt2dF+3/sK9TsT8TCisrEC4iCeSWt/I6Jb1RIc TjBIt+yP/0u+B/pZVs9sUQpNkgkUmxAgJsuhH9PkIV+26vijDppKSgod4CrlCrkE gvUe55DhUTx7bi2TNNUwQNRY8KeGsJMEOap6TIV0MdEnvRqpnVpWlYWSIpC4lJFH uEPkkfumLKphH+ZrComFg/8Ys0ApNiGpAIIDngUkOvUggT51vyk5EnzJs7n6XQoI cnJ+nax/+bLC9UHo6llqmggUXOUnRupclyJUo99uafwyoCw/8y43OI4s7CffQZ9U JJLOT5WvoFXLqZlLl99CmQRZ/+0CEObOxsf5zmt2YbKKLVh1xZCyOyglODG5fU1O a+droWi/K/Y8EN2TFYC9278AC9TVFhY7QoMhn1eG3Lc5cNfL5G5aPcbIybJUJ1XT 17wHKrExmRG8/itNHB7Yh4uetwumgls+vWL/QpCepU3kTMc4yXMnuYkmqmA4vW/B vy4CCSarPjUCoF7hyfPSEv2fI1iTleJl5lDNsII8uz2zW2kNGK9RVKNPkMAW5EqR nVGdt6TzpNlRtBo8ZZbV6g00+ZRKrW0iXfYRv6jT0+02/BjCA4sr+KwwTS70oU0s MIsgfLFRWUP2swV3oUsGrxL+r8OckzqTmRzMMk0MCiIm6Tg2DSBhiMF9Sn8cajIW PVpBZoPlmPz3S0LqMH4KFRHqx8HIcRUKdRSItOn7h7kZEl4dkrY6HehbZd/s0h4Z EIUotKN/Ls8NbS+NqxvKkiu/udt+tGjWzlauHR1I8b4uyJMoE1A+pJS5A5AdXPsr q0Nj3cHhvZCSdbsFH4pWd7m90EWc4e54EX6NHnFUlvypjmQ5rXAIdNn3uMQ9hD9F BQjDa9p5KI8bTvQBojS1fuOKR2wTqjCFVAjnnTgQ1xvDtIdBDPpfFwB/fIvh2wRi tnu/9bs4suGX7yXWIAg+KopJUL5AjF8QUyOPzDVAVHQk+rRjg2rcb4b72dR56o8F Y8GvdTAJGKApxFFKXk+YRYXUBczoaV6XG3J4+pieHv10P/wNrua2nKotTNgQ3X3e Lg8BYMejeUAFyaLSn/taMsCwDAQfEIExx8wCB3ySp7oa0l70V2IjXReTijM8M2Yf osYQ6KX01GyP01BGPiLj4Z2CeAr7y7QH5qkWBIQNOPEOMpC/3lKfWgF0GUrW1qzD lxRSRcqYrmvWpT3tZYftGt1WqpFHi6N4R09KaLrEEgF57CYfKrQJisBKehm63v5A 2Pbc9mRsbCz1KSP0dtKSaXhaMBSbs/AflAOEniA45ZozFQHIp2VIgvYVxe0kV+i4 0UOGBb4eckx8jfXr9zG1MyLCmc3tBEDZIIicJSaqGA4lRpKQoGbHOxGEEgvWi46e pRUpsCh7xP9k4bwrAGiFUOsq+NneS0DL5/iosSwjVlrF1CKjpG6zvTNgtSgQ0WL0 5/1f/gH9KJDyzVukKsl8xfK/EQw7q9zNxlw3DdqX0Gh74+AwLpUCMIen4+XgKxTD 9qLphL/gsWtncpaK2buRmQii2++Px8+8XbrReAENjLfuEH4m1Pnqo/tVtGpt2JOv KrtM7Abj9ZRcxVthhy+K6cZwC9qcFSeuswcU81bqpJ4pmEcgCbd+DnqMBBMJsJHs wKrhY4VaOpKt15lWQzqaHV2+S9uVmhS48aIUw4GWhfuwWLVwTACEtUvqPR8eK1n/ MLP0tmLlc2igdIQ0+Rj+27GJOm4sWx58kEnOlO1E5AlaMmoclJuVtwn7LSjdLY6/ HVBYST10of4OwXTk6reKpZnfzwI4Jb1Ml6MKyujGrBHfFpF0ezY8gGnhUif+GeCa A5qySvwYq7dHpbhBsWFZXf5coK5xCUX7MblWY1kzDXqKr0dTiSHL0AxKD5DORpal poSnF1auJcqwyoPDvtJxG/k2pWZD6206v6o/Ed2VItKgzeRQBznFCLhAbKSZKSjQ VDT8HpX1xoakWvXrmE5g0/2UVQu39MuHkoXV3MwG45N/03fyUsR+MAAvyjfOqlmb 8UFQYGdAeA/P5+60DRCtC/v/9jlWj+uDDbyUD5rYlO9kLKlxmKgdH2LHerJ63Y4a 0P4PvBNYiPevrvN9WO5f0Z5N/fMwz88gm8Q2TVt3kJqHPj9SFI1e/KVOCZQlNTLh ewnrNZZAjP9yQGbxnIgeiftnSmBM/30VxCgDv1+hE1FeG2jm4URgsiIu53rX6Ac7 HUl48/QWIXHMUQxSWXeXxGKI+SaVFRrM+5DCjWxW4bM190Joj21R7dBRfCbmdLrI y6uhLJqKtZ+imkZnGpd33lWBJp9wuOVSEJWiS2Jwj4sgdrywD1mSPkyG2oXZOLUL A3e8SFVGQaI7aFwG7wiRibgnuLz1omU/n46f02Gjj/0kSkqlhWIT7rqKkRYimMhE 6PTVRRLDmFK6OhK2WSCDIXGkQxv/pD5TOL0bjchj/FF9sQhDhG7W8IPOLMrtRsmK PHfQ4l6+SUMo+tVNfo87m6uQismTwSu6nt4X+CNFvb5bY9Apltg5HAkTInJ41ed+ Shu2siOaLEbfQ3rjeeyTwuCnn8NPOe3VBLfhEvznBR+wCQA7W6/UiUoJCZgZwQkP pGbnhaBP+YJF9ypE/mS0RGhti6UGKS9QWXaH9h4hVlt3krr4IiVYgpGetb/vCA5d fYAjMD9K/AAAAAAAAAAAAAAAAAAAAAUNFR4jKA== -----END CERTIFICATE-----¶
0 6408: SEQUENCE { 4 3077: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 15 67 7A 84 2C 46 84 33 4B F9 2D 4E 2F 75 18 EF 0F A9 B1 B4 35 11: SEQUENCE { 37 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 48 140: SEQUENCE { 51 11: SET { 53 9: SEQUENCE { 55 3: OBJECT IDENTIFIER countryName (2 5 4 6) 60 2: PrintableString 'XX' : } : } 64 53: SET { 66 51: SEQUENCE { 68 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 73 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 119 43: SET { 121 41: SEQUENCE { 123 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 128 34: UTF8String 'Post-Heffalump Research Department' : } : } 164 25: SET { 166 23: SEQUENCE { 168 3: OBJECT IDENTIFIER commonName (2 5 4 3) 173 16: UTF8String 'ML-DSA Root - G1' : } : } : } 191 30: SEQUENCE { 193 13: UTCTime 17/10/2024 23:37:23 GMT 208 13: UTCTime 15/10/2034 23:37:23 GMT : } 223 47: SEQUENCE { 225 11: SET { 227 9: SEQUENCE { 229 3: OBJECT IDENTIFIER countryName (2 5 4 6) 234 2: PrintableString 'XX' : } : } 238 15: SET { 240 13: SEQUENCE { 242 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 247 6: UTF8String 'Hanako' : } : } 255 15: SET { 257 13: SEQUENCE { 259 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 264 6: UTF8String 'Yamada' : } : } : } 272 1970: SEQUENCE { 276 11: SEQUENCE { 278 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 289 1953: BIT STRING : FD AE A2 1D 3C C2 7D A9 EF 68 78 BC 19 4F 94 FA : 85 F9 9C 39 2F 91 28 FF 73 F7 86 9C 6B 74 7F BD : 18 0E 3B D7 A0 D9 B0 5D 2C 48 A4 51 F3 EE 62 E7 : 98 9D 3D 94 42 36 3B 53 86 2E 05 05 8C 06 1D B9 : B4 11 32 5B E3 8F 43 B3 66 30 F8 80 98 6C FD CE : 86 F0 1D A5 A0 AB 5D E9 A3 96 B7 82 8F 3D 5A 66 : 9A F5 DA 38 5C 05 79 4D CD 56 AF 89 61 98 7C 52 : 4E DD 09 0E 8F 34 2E 85 A8 88 AB 13 EE 57 F0 4A : [ Another 1824 bytes skipped ] : } 2246 835: [3] { 2250 831: SEQUENCE { 2254 15: SEQUENCE { 2256 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2261 1: BOOLEAN TRUE 2264 5: OCTET STRING, encapsulates { 2266 3: SEQUENCE { 2268 1: BOOLEAN TRUE : } : } : } 2271 14: SEQUENCE { 2273 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2278 1: BOOLEAN TRUE 2281 4: OCTET STRING, encapsulates { 2283 2: BIT STRING 1 unused bit : '1100001'B : } : } 2287 29: SEQUENCE { 2289 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 2294 22: OCTET STRING, encapsulates { 2296 20: OCTET STRING : 9B 07 B4 A4 75 C4 BC 91 5D 35 E0 C9 A1 C1 62 E2 : 77 55 D6 3F : } : } 2318 31: SEQUENCE { 2320 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 2325 24: OCTET STRING, encapsulates { 2327 22: SEQUENCE { 2329 20: [0] : 9B 07 B4 A4 75 C4 BC 91 5D 35 E0 C9 A1 C1 62 E2 : 77 55 D6 3F : } : } : } 2351 730: SEQUENCE { 2355 10: OBJECT IDENTIFIER : deltaCertificateDescriptor (2 16 840 1 114027 80 6 1) 2367 714: OCTET STRING, encapsulates { 2371 710: SEQUENCE { 2375 20: INTEGER : 0C 24 0E E2 3E BC 25 E4 BA B6 08 12 BA 36 76 5B : FF B9 44 C0 2397 12: [0] { 2399 10: SEQUENCE { 2401 8: OBJECT IDENTIFIER : ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } : } 2411 142: [1] { 2414 139: SEQUENCE { 2417 11: SET { 2419 9: SEQUENCE { 2421 3: OBJECT IDENTIFIER countryName (2 5 4 6) 2426 2: PrintableString 'XX' : } : } 2430 53: SET { 2432 51: SEQUENCE { 2434 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 2439 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 2485 43: SET { 2487 41: SEQUENCE { 2489 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 2494 34: UTF8String 'Post-Heffalump Research Department' : } : } 2530 24: SET { 2532 22: SEQUENCE { 2534 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2539 15: UTF8String 'ECDSA Root - G1' : } : } : } : } 2556 142: [3] { 2559 139: SEQUENCE { 2562 11: SET { 2564 9: SEQUENCE { 2566 3: OBJECT IDENTIFIER countryName (2 5 4 6) 2571 2: PrintableString 'XX' : } : } 2575 53: SET { 2577 51: SEQUENCE { 2579 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 2584 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 2630 43: SET { 2632 41: SEQUENCE { 2634 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 2639 34: UTF8String 'Post-Heffalump Research Department' : } : } 2675 24: SET { 2677 22: SEQUENCE { 2679 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2684 15: UTF8String 'ECDSA Root - G1' : } : } : } : } 2701 155: SEQUENCE { 2704 16: SEQUENCE { 2706 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 2715 5: OBJECT IDENTIFIER secp521r1 (1 3 132 0 35) : } 2722 134: BIT STRING : 04 01 00 56 06 A7 BF 43 84 35 27 27 E7 AE 85 B5 : 88 A9 13 0F 0B F6 09 C8 C7 17 A7 9C 44 17 DE 9C : 42 38 B6 AC E7 24 BD CA 90 92 1A 84 2B 6B A9 5D : C4 8B 69 C9 48 91 2D 7A 44 41 59 81 3D 2A DE F3 : B6 9B 5C 00 85 7C 5E 29 E3 EC 30 BD 84 88 23 10 : 20 40 2B 5E C1 30 08 31 AE FA A7 71 98 DD A5 1D : 44 0D BA 28 AC AE 48 A0 45 D5 C8 2C 76 80 5D D7 : D3 B4 0B E9 A2 9B 00 72 19 E6 FA F5 1B 1C D6 AF : 73 15 51 8C AD : } 2859 82: [4] { 2861 80: SEQUENCE { 2863 14: SEQUENCE { 2865 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2870 1: BOOLEAN TRUE 2873 4: OCTET STRING, encapsulates { 2875 2: BIT STRING 1 unused bit : '1100000'B : } : } 2879 29: SEQUENCE { 2881 3: OBJECT IDENTIFIER : subjectKeyIdentifier (2 5 29 14) 2886 22: OCTET STRING, encapsulates { 2888 20: OCTET STRING : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } 2910 31: SEQUENCE { 2912 3: OBJECT IDENTIFIER : authorityKeyIdentifier (2 5 29 35) 2917 24: OCTET STRING, encapsulates { 2919 22: SEQUENCE { 2921 20: [0] : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } : } : } : } 2943 139: BIT STRING, encapsulates { 2947 135: SEQUENCE { 2950 65: INTEGER : 49 E7 4B 12 3A 5F 93 4F 18 67 AD A4 15 24 12 1D : C7 20 34 EB 5B 6E 1D 3E DC 7B E3 09 96 00 DC 2B : 7A 3B 1B 4B 44 AF 6E 2A 67 40 93 D0 5E 34 EF F1 : A5 C3 94 30 0C 88 F2 87 69 DA 39 A8 22 57 32 F5 : 37 3017 66: INTEGER : 00 98 36 D1 99 EB ED 68 D5 10 D2 4E 9E F7 B0 96 : 73 CB 53 3C 4E E0 5E 8E 62 A8 50 F4 35 4F 6F DB : 41 D5 DF 3E EF A0 45 3C 7D 80 FA E4 0D 40 CB 75 : 50 EF A9 C2 F1 6F 13 E1 3D 5A 7E F4 42 2E 2B 7A : C2 8D : } : } : } : } : } : } : } : } 3085 11: SEQUENCE { 3087 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 3098 3310: BIT STRING : A2 96 26 A6 51 F8 27 BE CC 99 46 8C 2C CB 25 69 : B1 FD CD E6 C4 CB A0 D2 FA 35 36 D8 5E 55 0E 08 : 77 72 E7 86 FE 72 8A 6C 67 19 70 9D B6 40 9C 47 : 24 06 79 FE A4 BB 68 29 7F A0 1E 49 30 5A 03 DB : 1A 0B 77 7C B0 1D 47 2D 39 4F 9F 00 57 4D 62 74 : C6 0A 74 90 65 6A 09 FC 2B 6D E4 5D 0A CA 05 AD : 1A 33 D5 5D 84 4C 17 9C 15 E8 60 40 51 D8 2D 6B : 4E 43 F5 59 AD 73 E9 C1 4C 63 20 94 69 49 DC 48 : [ Another 3181 bytes skipped ] : }¶
B.2. Algorithm migration example
B.2.1. ML-DSA-65 signing end-entity certificate
This is an end-entity signing certificate which certifies a ML-DSA-65 key.¶
-----BEGIN CERTIFICATE----- MIIWJjCCCSOgAwIBAgIUQZG8jQpzWDji9fN14AOMsoG89SIwCwYJYIZIAWUDBAMS MIGMMQswCQYDVQQGEwJYWDE1MDMGA1UECgwsUm95YWwgSW5zdGl0dXRlIG9mIFB1 YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1cmUxKzApBgNVBAsMIlBvc3QtSGVmZmFsdW1w IFJlc2VhcmNoIERlcGFydG1lbnQxGTAXBgNVBAMMEE1MLURTQSBSb290IC0gRzEw HhcNMjQxMDE3MjMzNzIzWhcNMzQxMDE1MjMzNzIzWjAvMQswCQYDVQQGEwJYWDEP MA0GA1UECgwGSGFuYWtvMQ8wDQYDVQQLDAZZYW1hZGEwggeyMAsGCWCGSAFlAwQD EgOCB6EAh3C60Iowi3gHMtKvoDgZ1gHulpK4i8rX/+KOI9lKjMr4BUqYKeM80jQ9 odCo1B3pTpG+79xQVpZakl2VCdhDEw4cdp+JZ21lwVhO8EBwMVFPExk4F3Tz94+J 2y0XqVx4TSGbeJzaaqPVEsJV/+KjBGr1BUUMFGl4ZAKwe5+47EAK9TZWNgsgW0MI x9G0q42s8WHh0LTymbi7zTcUEh8HcHDJPfxcH53AjXTlOdjlnzUcyzxobot+cah/ 62AEiPUaAuPQsko9l1Lk5B6frofqTE7tpNBn3eMjXV2R4cPJo/Kj1wFrchdD5BMg +MD19mDu9aT7BIMC3MZemWaynMRnbwfMkqDFpPKE1mISbDv2Ia0bqzHUNMUSc26X aer2rcXdD7TM4kZfS1SL4QhnbD6chyfw9Z9ggPiSU2J4glEL1detpi2MwWwKtSiQ 5Sc0ksaX35U6ULTl+5zOwQd8WeXaS+7AUlTS25mDzQRXd+goSX2QZC/e2a2yh2Hs CIDP8PAG/J6ClnuMasGwo+4v93/GKfGjJ85HqSeK/ybbQna/bi4dwabtSRPmflmk 1YDFov4IP9J9oI3NQx/JEMSgHWpSxGsdGOgNGHLTACbqLCqLhWCjiJyMU5bQo7Um p9U1nzaZoIQkKbsTAE2FrTKA+PJtDxl3OkDzNnCKW2IijN68+msyuDTMdv4fLIBC KCsFPHpLRZInBKwZJ8a2qm0G0a6R64/A/65KoVoByDkKsJbP0QtpZmaLW+r9G6yr vOSBgorDYBcA1l6y6gh8SS/RhSgmBFtXog4l4pm2DwkiqGEqz9GOUgMMA08UocHW TvfUlGJYM/INFqLc5xM3xJ+6ef37+dlNd86+HXVx1uzEOCDJHhlVwYKNhoKiGGeb 3IrOkzVxQ44tVmjfIn6RmlvFyAIKuJvRxPN53wFFI2j4AhyCaut8dcgFdKdoAfnQ AuoE0i1vMcJXBn2XAlFmifCVYw6AtghqVkEVlOK0VwEcNeiCC3TzwqPLLNkgedGZ fiVTcJSVsAN6Q1KjPhAWAaUSCMPYgHKVzSOu9eKRiesiqEjr44D7ATWi3VP3kzHH lRmPakUAV9U7woOpNHbsIyEhrua9n/D5LoYbL2a0QLtcs2BW6pGfXLlIafW95QZL rz1uUvSzb8MuLdFuk3Moh/ugHWvmcyoLloIGhf789/qdEldmSMe/PwM3ruHsoKMj /yTW28wvnkJU6y8FoOaDhLP83MICvLc0jockJXvgG6Y5eEfQ+69Or20Gvneb+fmn YDxYhIqLhcZ9EjDAFsgKO83Xk8lWa20AXUX6vbkpbimRCRQK8NLc+NHxVYLnKwmN Y9av2LPuXxyCm15YEWOlZs+rXa3zj8fa2ptidCGHICHR3rKEiyPfCIMAFhs5VGva 3SZWFOjFVXzOl8q/CODaoJwPXVPe8hiEIfnswNKBsg6+mZcv0wD252QmrCAmGhIh z5uBj23TL/wHoucrVfvDhjQWPiiXNRSVYf9abgxU/C2VfQFJSWH9SDTQIShzY2vq 7T/Nnb76+3w+oo+f7a40Z+B2vSJJ37wqQQmVnQxQHrDMgRGzeS2OHoQMcZrrwOwz c9IeP+pa4qQcdrzIuAbKHcZfGWS49OMSdOLAizOwKxkOKmixmNndQBbXqOjH7ofl IzsX+muGqhp+pX0ZjH5A+SgPc3IogUV7giY5ABzn4q2Z7yyMewTrQB2VRANdM3EZ BLGK3fQ/OrSrPqSfulwCLc97vLuByBfTrpJOhnLzM9AL8U6NascJ0W9fcyLKtBj9 +iGKhq0MgRgK/IsA1J7SEczyfk2sf39jIbPzSvD8RrbVcqO2p5wkzpL2H/BuD2Wq dw301hefg/eSdcO/cSHumLUU9ZyRfQuWAFsZQ5+OXkSaIMStJZOScluoQuY0NHib 5bwni5TX3G8TZ0tcmMFgrhmNmv+xUYNhhKYOEL/SAIbonl33KR6URa1R0eQMnhTs Gff7wHfMX7ggynZ20886NWHLA30whGHPiLcn8QHJFdPvRaJvrF03rEGUPMKXkoV3 /vX0QoA10Y4VD6EwdDiIOrIiBDSYBB1ZteGn5kG16c4YZTbenYJ6QBjB7D6FrkG5 SjNzDlSL1GBe/rxbyuEYrfM6ImIrl+GPP4p/aFx/tAmPrgIj6gxeXrUMaRXOipht HWHdWdhnHpq6I61t0KmcbFnMZ2AQICJxbVSCd0uVwvtdJA8xftakRiC5Miy5c3jb OmcPsTiCk3cj3U+cuXFiuiNMkkIxpUineagyZVYhYnn2QlerFdJC2Lfw5DHekIA0 nt8byScNsZujwPvIuKeevA/0byH6QpizT0lUBW/ZioI3780b5VZn0BRBNG7cY94s 9EpjfbuaTDv2xW7AGVGgOUy8VOnX0Xf9GlDiXOUnXAUJZjIFNmd4D7fyGQccbXl4 V9xf1xlIL8JYlHSgpMuVaSMlgwQEbHQrPNzpdmXaNfmFo/63FLgs8CL5XvaY2Qyj oWnGdF6BUL2BFVFw+7nNTEqIT30XfEDJsqcDQPNLFK9vph1M6Bc2mqMpw0d3lMvK 1BIKKD6cDVqb20HQdDl7UejWY7ZdzoH7n8FLvQGiMw3JFbwcNW+jYzBhMA8GA1Ud EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBRJdGxRQiHln7uR 5KM1S+MBTZCQjjAfBgNVHSMEGDAWgBSbB7SkdcS8kV014MmhwWLid1XWPzALBglg hkgBZQMEAxIDggzuAGCvh2/Uhmxi1UZdlJIESseE0B5d5l0j10+pP5DAzzK29T+C dHCNTxH7u2QSzKVI7PlhuufvItGyi0P2v4dFgd1fvWWJ4Q8SSGEV6/Rz4KX8PV4x Rs5e6/aa3993WnIiEffCjTmibP7EkiHkhGmyx2xm4p1119bjVym7U94Wk9iEpL87 RHRD93XTg/zYYU2IVFMVsOaSkAXRGAyZkjGtM/BrHfcvS5ahQ1Y8HvDCaIGsv8vw haUJprsJInyZ1/yTjM6ExoWGDFylEiOXKKEM/l5Q67z+stvjO9LeVnJUw4rFCbLu xS7RdQYFZ2Pusz0dqbmjYdu64Iv9bjbY7DqoABumgRnjru36dbsAXmrOj94QrIm2 c0MiZihVRCKIoHj0wUUllfbnNCtXB2Ax4vjJXDLIoMk9R+hFjlocpF0cdUkxCEmZ 1nTeDP6+4uNALuuesT2HViqJLEmFFrgl1Mh+SvrQ00Arcsifs31ScixcvLjRtunI cE4sq9knko7TTgZKuYaju9h/+6xlLbn8SgCWGD1pAN1VjIMps9a4PEmgU8OxrjSA 0zbizFqOAtX08ovsqYuSCSCB0jocG30lmM5Tzl5zKUWkNhSuQiBv5KI9U1W1F8Hb 9uBr2pu1Q50FFnYVRWwka0w61l+ryOIV4jhvrGV74YxEz5K7V63HHBDI5MYwA2oF PMi0syrftCTG+2HGi2ohX4N4xVQ3NqZqlEH8pEw//J8sEqchdG6fZvBFVEeH+hId skDYeKH7kkSVQfZp7/dUFRFCve2ZJu1lOOfAfLAIkbkInJk6EwPzbm9cwBplL33L BcDaqBnINZct7ptfpl9g6OuuL0qyjTqaO6jPBcFIBNGBy0eggm2D1h+3J89vu+TI +n6PVhcHnBBT5pzt2M8cfPzr41+Yw6WNxltH/wu+66ooqGm7nozY07BTFuGEGbRL bEmdkOK0IVMSTNb0RIf7E8TfkT38YsuMHuYEmbHHy9KgfMJ+6WmP3G1hMySrb5RL pL51iI7dejSyx3ASDE351Hbm3rpZgdaeZNTSiiELDj0tAMVi//gTbNsBUGuCQTbg 5YfJ0Ee3CFCBjoahcCthVgrh+NeENb3NNneBUx4j8OYiJvJP3GQ5TnijtDmp8K78 lTQ3W9Z2gvZa8UVpJnMqJD6AbbHxVBeW2JrK4QmRUh4KNo61TbF6OjrSc/d+GRGT hg2I4Ua4xwpdx1IBYVH4eGlQ642hvGrUEqWwYTPmQG1SPK+5XXHIGggARPNt3UpY s67gfaYYX+KzCipI1oN9bvZeR4PFkrxyKdsZ4PzMzmlFdTSMibDKaYt9JA6YDinO Rp9MMYbwGRbxtMeNSpjCdPFLRudfnn7WRK2WSo8g8SfsUiEN6TX2RQQBOyT0w6gG ABGjiRV+ToRN50sYqz1YetXPUZooVgNxieT9XbF9d1WLFp1vUBq57YIestxYlYxZ gah5dGDl2ki6+LFJFz/iYiuHV56v3gmnGozotxWrh1NK5RgWOB0iM5xSPciLcq2Y xfm+fA/mXWtUaHl4Y1jk44qPDWUJCJIN6XLXE4WxXWdtjkswoYsGTGWfC0c5Lz0s YIe5EDjUZMhDibULHofwcU3/rUks0X35HIDVzVZFtyvgkFAec1Tby+VyyD6ssrnj gloKmFFN/RssM50//yaenfvkuIWSo3ZQBX/5BwdqOcPJvYWA/vxAIJyNg8IMNsyL yL3sbIrpzQFcTg2Q4cBEEFnHmju6qFq4xG4PzJafeAt94Hp5LI1sdALTho0ijVbT zIoK3KEkYvQw+7+q5YRp3rUD+4C7RxSUxamxyqwoq5ZqakAtXAgghUXBJiDnL8z6 eDQ8e0OIaCbz5W12M92Sp0sjyORgW++LnAdfTXVHpyvQyAOez1pcErhJUo78oXio GlaWXaxjkvXf8YzER33+v97X3zSP9BpMd3l11X4xTrMhjTY1fMVxZMhYiJ+zcZuA EMVc2ikWj2oFfcpC3v/neF0mdNPiPPa+Bmi67IypjA47M/VyLii/xV9MWgEmvI/2 KGtFjN1AmiXkxTCUxY+eagSZl09x8l8QQwHre1psUA4fXImFi6dLFWEL07GPnQk/ FupDUBngvwtyUVXqFQxWihviYC722JpaqemAdw91lxqxsFYkU2Dqj81jwaRrJbju HI1uTboqZ+o9cshZSJUIyRhxC1Pm/LwxaPfgkK+i9SB2sYtglFzFAAITNGLslQ5l N1ZDhcZhwaa4mKnOi0sNfWeBJBGhHU7ok2Vw4LjpiyvJSrQTIfdyAJByB8lD1nvG cgudSs3W9p7cEFlKOyV8I+j7Z3khtG8mSim4ZkzQfSOiEq3NtCNxk6iGB1ii0Kmv Me+OmBY/hT0f68eI3hHNCv+9epB2dQ10yy84limjaZQjpC6Qb/m3UGn4h7d6lfzY qI0mdiuT3JYdxf5uZWMdXbImd+R6vm3wv++TH56XaYmrZGT8u3AUu2iRWTKlv9/f HouVvtAGRQkj6edX2VQ882P5bXUQTNoBfMWzlSDLkXomuHniOVnT+mhmSNR1K8cj V2vT5IUL859ShRQFxHD9+wd5WP8+jW65fcUyjtOAsfG/nqv/tzpwLUx06tGqx70S EtClL2Uib2QNEZs4vcEQ5oltj6bwSNHr9BROIHRL47zgBbMZK48EYVn4N0Iuj8TI YhmsulTxoxEliXx8jMyC3ASeaKUobhFUjGM4mZSb4TWqxKrXR1xCB074fOf0azcK 0btbqj4XN4kCHT4smC5Qa82tv9+YNIiNx5E5Dk4uI1fRGrPL/iHRKg4JbFa03KUB 7wldKL/OXObo2q5POHcs/Rc8FKplGiILYFRBg2zFCFHmZnWwTklvsSoUJg9/skAG pHvs3gw8G19WepBFiU29iwuN9931RErk+o46o7gS6EcxGXM7uqeoeGhk/TZVSKCg wLsMZCTjoMgHFjxUOcBFsDMbGxO//rYCEA9qwhDcTeoz2MgXIdoVcp3vxBLohqAN 6MQPAdIC6oFhKKKDQhBGJs7UTxkkSEE1GHWeHv5anTgGzCg/G+rKAvKrcZCSx+YW KjnsJbDS1ONnmSu958RrYNAsqUWnBCn2uLY9aj/0VYkoN1Q77MDBff32y9eaQaKm +pWXwigaiRE+GOEwGvU0Wtcjwt7tYmuZIRNqemVdlkMqA4D9wIh/HWfbg8hlkq0m m1PIFgbawXHNlLz5o+D+Sxe67a+kVrlk39m5HGWml/r7QxqKuUWsaryQWkTucvcG fmonqfVUfw5iCtuQNOv5VAdGDCpO3SikIq08nhKSMcs13RxQIzVCrsKpY6F4Zlnv EVwG4SqWcVSicElcn3oIOgnMCp0C4tdHxV3To/1jrwz3p318rSa0J2bqa28quvuy k7Bda75WW1bOeURbshnMv3k1lcsp1H0xYdLsvr+h3EnHqhd1ekyAq70taXCUJbzz gAqMCiIgo7OB/aGI30PvEIcz1u5jX+6lOGhpy/6Ol54DnTHE/o/zQHpSPdQiSutn pZZeZRbz13ZSxGSh/PS6/Xzic7hGtI3yxi6XyEC+gJoUv2a6sMEoptMPs5LUhA1I S13HQYaibxu98DDsKVCUf1zLn1j5xaOfuNgois4RysxTfs3/hPEkVVGwymWq7zaU Gov8U1E/XjaNWq31dOLUS+2Qq0/NoEB94ryhWPYUl/6JrvW3FhtwUIAiNR1iDFw6 lgAdhQBGDzRBC8kzKSorNWNDdXoXXCe7gIYBfHppvqq12kQ11zk/13x0EhpzJZTg 8K2pENPwj00pnXvimQC6vwXecydCkvyYXk0PI2c8LjDpnDqypQJVkR3xY3r21XF0 gFnh4yUC0C+zjrs5PWa/C/7TBfwQyuJruZcPEiijT8tdcP7lakap5dD1tmGz2p1F 67ppqbTCip46CyHDCbv6Qbtnj7DCOMYGkRIeb0MYC5f/g/7GsMiv1hToxRLLq2K4 7/+xUoPj0LVwMM9/jP0Dry2y1+9A6qXM59oAWxb4HyPKQSlp5k/j6iWscRX1Rpuh 71LlCySCSvjJrufw4YHtLG6dCS/t1gNT0NzfMAeTV5DU0BcwBlp2tk7cAH1Ti5ya UXfFvn2oY88PYr26GDJkzKF2jaAlUxwsgDh+X31JFgHu/OFQvdRO/HwFOMiPkEn5 qPpca4A70JxL2U1z4T1Mhed5mW2OFil/LiB7WUjjCnkZJ2cRBGoBfP8jwwOUYgz+ yikFRBRLfBjEBkFqHa1kPgBsXt1YHF3Y5mviKsyewLPidq1CrToM4xuRNN1hMf3y 9aaYDoZ9cFO3Bklrjzu9AzUTHb5FEs7fzBoz+8y/3I4cmfCNw0rWkV+D4xuxACNG VnehzuIFGDI1PlVcdJvNYWqgw/y1v/D3CzxJmqMAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAIEhcbIA== -----END CERTIFICATE-----¶
0 5670: SEQUENCE { 4 2339: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 41 91 BC 8D 0A 73 58 38 E2 F5 F3 75 E0 03 8C B2 81 BC F5 22 35 11: SEQUENCE { 37 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 48 140: SEQUENCE { 51 11: SET { 53 9: SEQUENCE { 55 3: OBJECT IDENTIFIER countryName (2 5 4 6) 60 2: PrintableString 'XX' : } : } 64 53: SET { 66 51: SEQUENCE { 68 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 73 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 119 43: SET { 121 41: SEQUENCE { 123 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 128 34: UTF8String 'Post-Heffalump Research Department' : } : } 164 25: SET { 166 23: SEQUENCE { 168 3: OBJECT IDENTIFIER commonName (2 5 4 3) 173 16: UTF8String 'ML-DSA Root - G1' : } : } : } 191 30: SEQUENCE { 193 13: UTCTime 17/10/2024 23:37:23 GMT 208 13: UTCTime 15/10/2034 23:37:23 GMT : } 223 47: SEQUENCE { 225 11: SET { 227 9: SEQUENCE { 229 3: OBJECT IDENTIFIER countryName (2 5 4 6) 234 2: PrintableString 'XX' : } : } 238 15: SET { 240 13: SEQUENCE { 242 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 247 6: UTF8String 'Hanako' : } : } 255 15: SET { 257 13: SEQUENCE { 259 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 264 6: UTF8String 'Yamada' : } : } : } 272 1970: SEQUENCE { 276 11: SEQUENCE { 278 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 289 1953: BIT STRING : 87 70 BA D0 8A 30 8B 78 07 32 D2 AF A0 38 19 D6 : 01 EE 96 92 B8 8B CA D7 FF E2 8E 23 D9 4A 8C CA : F8 05 4A 98 29 E3 3C D2 34 3D A1 D0 A8 D4 1D E9 : 4E 91 BE EF DC 50 56 96 5A 92 5D 95 09 D8 43 13 : 0E 1C 76 9F 89 67 6D 65 C1 58 4E F0 40 70 31 51 : 4F 13 19 38 17 74 F3 F7 8F 89 DB 2D 17 A9 5C 78 : 4D 21 9B 78 9C DA 6A A3 D5 12 C2 55 FF E2 A3 04 : 6A F5 05 45 0C 14 69 78 64 02 B0 7B 9F B8 EC 40 : [ Another 1824 bytes skipped ] : } 2246 99: [3] { 2248 97: SEQUENCE { 2250 15: SEQUENCE { 2252 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2257 1: BOOLEAN TRUE 2260 5: OCTET STRING, encapsulates { 2262 3: SEQUENCE { 2264 1: BOOLEAN TRUE : } : } : } 2267 14: SEQUENCE { 2269 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2274 1: BOOLEAN TRUE 2277 4: OCTET STRING, encapsulates { 2279 2: BIT STRING 1 unused bit : '1100001'B : } : } 2283 29: SEQUENCE { 2285 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 2290 22: OCTET STRING, encapsulates { 2292 20: OCTET STRING : 49 74 6C 51 42 21 E5 9F BB 91 E4 A3 35 4B E3 01 : 4D 90 90 8E : } : } 2314 31: SEQUENCE { 2316 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 2321 24: OCTET STRING, encapsulates { 2323 22: SEQUENCE { 2325 20: [0] : 9B 07 B4 A4 75 C4 BC 91 5D 35 E0 C9 A1 C1 62 E2 : 77 55 D6 3F : } : } : } : } : } : } 2347 11: SEQUENCE { 2349 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 2360 3310: BIT STRING : 60 AF 87 6F D4 86 6C 62 D5 46 5D 94 92 04 4A C7 : 84 D0 1E 5D E6 5D 23 D7 4F A9 3F 90 C0 CF 32 B6 : F5 3F 82 74 70 8D 4F 11 FB BB 64 12 CC A5 48 EC : F9 61 BA E7 EF 22 D1 B2 8B 43 F6 BF 87 45 81 DD : 5F BD 65 89 E1 0F 12 48 61 15 EB F4 73 E0 A5 FC : 3D 5E 31 46 CE 5E EB F6 9A DF DF 77 5A 72 22 11 : F7 C2 8D 39 A2 6C FE C4 92 21 E4 84 69 B2 C7 6C : 66 E2 9D 75 D7 D6 E3 57 29 BB 53 DE 16 93 D8 84 : [ Another 3181 bytes skipped ] : }¶
B.2.2. EC signing end-entity certificate with encoded Delta Certificate
This is an end-entity signing certificate which certifies an EC key. It contains a Delta Certificate Descriptor extension which includes sufficient information to recreate the ML-DSA-65 signing end-entity certificate.¶
-----BEGIN CERTIFICATE----- MIIYhDCCF+agAwIBAgIUQFy9NSVq9ZXG6QZyo14DJ/bew58wCgYIKoZIzj0EAwQw gYsxCzAJBgNVBAYTAlhYMTUwMwYDVQQKDCxSb3lhbCBJbnN0aXR1dGUgb2YgUHVi bGljIEtleSBJbmZyYXN0cnVjdHVyZTErMCkGA1UECwwiUG9zdC1IZWZmYWx1bXAg UmVzZWFyY2ggRGVwYXJ0bWVudDEYMBYGA1UEAwwPRUNEU0EgUm9vdCAtIEcxMB4X DTI0MTAxNzIzMzcyM1oXDTM0MTAxNTIzMzcyM1owLzELMAkGA1UEBhMCWFgxDzAN BgNVBAoMBkhhbmFrbzEPMA0GA1UECwwGWWFtYWRhMIGbMBAGByqGSM49AgEGBSuB BAAjA4GGAAQAFfoXF6AZPOkYTpb8vA2q+ZAtkE399B9BBz+q0A91vSeBvZbfat5V hqVLtT+nEguQhlYhXf6CmCvFUERmQc8zfW4BaH1ZSd+kpuR5fJj6ibDbstHU3le4 Vq2qHR+aXvmccEtYVZ5BX3KE+gY/ezpY/BBXrd8vJuV72SPdsrNzjCz5z8OjghY+ MIIWOjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUB4Ts 5OVjMVy4x3jV/GEY8FPDjK0wHwYDVR0jBBgwFoAU66PQi1H+EtzMIWaHhQ+Yx2dz iDQwghXYBgpghkgBhvprUAYBBIIVyDCCFcQCFEGRvI0Kc1g44vXzdeADjLKBvPUi oA0wCwYJYIZIAWUDBAMSoYGPMIGMMQswCQYDVQQGEwJYWDE1MDMGA1UECgwsUm95 YWwgSW5zdGl0dXRlIG9mIFB1YmxpYyBLZXkgSW5mcmFzdHJ1Y3R1cmUxKzApBgNV BAsMIlBvc3QtSGVmZmFsdW1wIFJlc2VhcmNoIERlcGFydG1lbnQxGTAXBgNVBAMM EE1MLURTQSBSb290IC0gRzEwggeyMAsGCWCGSAFlAwQDEgOCB6EAh3C60Iowi3gH MtKvoDgZ1gHulpK4i8rX/+KOI9lKjMr4BUqYKeM80jQ9odCo1B3pTpG+79xQVpZa kl2VCdhDEw4cdp+JZ21lwVhO8EBwMVFPExk4F3Tz94+J2y0XqVx4TSGbeJzaaqPV EsJV/+KjBGr1BUUMFGl4ZAKwe5+47EAK9TZWNgsgW0MIx9G0q42s8WHh0LTymbi7 zTcUEh8HcHDJPfxcH53AjXTlOdjlnzUcyzxobot+cah/62AEiPUaAuPQsko9l1Lk 5B6frofqTE7tpNBn3eMjXV2R4cPJo/Kj1wFrchdD5BMg+MD19mDu9aT7BIMC3MZe mWaynMRnbwfMkqDFpPKE1mISbDv2Ia0bqzHUNMUSc26Xaer2rcXdD7TM4kZfS1SL 4QhnbD6chyfw9Z9ggPiSU2J4glEL1detpi2MwWwKtSiQ5Sc0ksaX35U6ULTl+5zO wQd8WeXaS+7AUlTS25mDzQRXd+goSX2QZC/e2a2yh2HsCIDP8PAG/J6ClnuMasGw o+4v93/GKfGjJ85HqSeK/ybbQna/bi4dwabtSRPmflmk1YDFov4IP9J9oI3NQx/J EMSgHWpSxGsdGOgNGHLTACbqLCqLhWCjiJyMU5bQo7Ump9U1nzaZoIQkKbsTAE2F rTKA+PJtDxl3OkDzNnCKW2IijN68+msyuDTMdv4fLIBCKCsFPHpLRZInBKwZJ8a2 qm0G0a6R64/A/65KoVoByDkKsJbP0QtpZmaLW+r9G6yrvOSBgorDYBcA1l6y6gh8 SS/RhSgmBFtXog4l4pm2DwkiqGEqz9GOUgMMA08UocHWTvfUlGJYM/INFqLc5xM3 xJ+6ef37+dlNd86+HXVx1uzEOCDJHhlVwYKNhoKiGGeb3IrOkzVxQ44tVmjfIn6R mlvFyAIKuJvRxPN53wFFI2j4AhyCaut8dcgFdKdoAfnQAuoE0i1vMcJXBn2XAlFm ifCVYw6AtghqVkEVlOK0VwEcNeiCC3TzwqPLLNkgedGZfiVTcJSVsAN6Q1KjPhAW AaUSCMPYgHKVzSOu9eKRiesiqEjr44D7ATWi3VP3kzHHlRmPakUAV9U7woOpNHbs IyEhrua9n/D5LoYbL2a0QLtcs2BW6pGfXLlIafW95QZLrz1uUvSzb8MuLdFuk3Mo h/ugHWvmcyoLloIGhf789/qdEldmSMe/PwM3ruHsoKMj/yTW28wvnkJU6y8FoOaD hLP83MICvLc0jockJXvgG6Y5eEfQ+69Or20Gvneb+fmnYDxYhIqLhcZ9EjDAFsgK O83Xk8lWa20AXUX6vbkpbimRCRQK8NLc+NHxVYLnKwmNY9av2LPuXxyCm15YEWOl Zs+rXa3zj8fa2ptidCGHICHR3rKEiyPfCIMAFhs5VGva3SZWFOjFVXzOl8q/CODa oJwPXVPe8hiEIfnswNKBsg6+mZcv0wD252QmrCAmGhIhz5uBj23TL/wHoucrVfvD hjQWPiiXNRSVYf9abgxU/C2VfQFJSWH9SDTQIShzY2vq7T/Nnb76+3w+oo+f7a40 Z+B2vSJJ37wqQQmVnQxQHrDMgRGzeS2OHoQMcZrrwOwzc9IeP+pa4qQcdrzIuAbK HcZfGWS49OMSdOLAizOwKxkOKmixmNndQBbXqOjH7oflIzsX+muGqhp+pX0ZjH5A +SgPc3IogUV7giY5ABzn4q2Z7yyMewTrQB2VRANdM3EZBLGK3fQ/OrSrPqSfulwC Lc97vLuByBfTrpJOhnLzM9AL8U6NascJ0W9fcyLKtBj9+iGKhq0MgRgK/IsA1J7S Eczyfk2sf39jIbPzSvD8RrbVcqO2p5wkzpL2H/BuD2Wqdw301hefg/eSdcO/cSHu mLUU9ZyRfQuWAFsZQ5+OXkSaIMStJZOScluoQuY0NHib5bwni5TX3G8TZ0tcmMFg rhmNmv+xUYNhhKYOEL/SAIbonl33KR6URa1R0eQMnhTsGff7wHfMX7ggynZ20886 NWHLA30whGHPiLcn8QHJFdPvRaJvrF03rEGUPMKXkoV3/vX0QoA10Y4VD6EwdDiI OrIiBDSYBB1ZteGn5kG16c4YZTbenYJ6QBjB7D6FrkG5SjNzDlSL1GBe/rxbyuEY rfM6ImIrl+GPP4p/aFx/tAmPrgIj6gxeXrUMaRXOiphtHWHdWdhnHpq6I61t0Kmc bFnMZ2AQICJxbVSCd0uVwvtdJA8xftakRiC5Miy5c3jbOmcPsTiCk3cj3U+cuXFi uiNMkkIxpUineagyZVYhYnn2QlerFdJC2Lfw5DHekIA0nt8byScNsZujwPvIuKee vA/0byH6QpizT0lUBW/ZioI3780b5VZn0BRBNG7cY94s9EpjfbuaTDv2xW7AGVGg OUy8VOnX0Xf9GlDiXOUnXAUJZjIFNmd4D7fyGQccbXl4V9xf1xlIL8JYlHSgpMuV aSMlgwQEbHQrPNzpdmXaNfmFo/63FLgs8CL5XvaY2QyjoWnGdF6BUL2BFVFw+7nN TEqIT30XfEDJsqcDQPNLFK9vph1M6Bc2mqMpw0d3lMvK1BIKKD6cDVqb20HQdDl7 UejWY7ZdzoH7n8FLvQGiMw3JFbwcNW+kYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD VR0PAQH/BAQDAgGGMB0GA1UdDgQWBBRJdGxRQiHln7uR5KM1S+MBTZCQjjAfBgNV HSMEGDAWgBSbB7SkdcS8kV014MmhwWLid1XWPwOCDO4AYK+Hb9SGbGLVRl2UkgRK x4TQHl3mXSPXT6k/kMDPMrb1P4J0cI1PEfu7ZBLMpUjs+WG65+8i0bKLQ/a/h0WB 3V+9ZYnhDxJIYRXr9HPgpfw9XjFGzl7r9prf33daciIR98KNOaJs/sSSIeSEabLH bGbinXXX1uNXKbtT3haT2ISkvztEdEP3ddOD/NhhTYhUUxWw5pKQBdEYDJmSMa0z 8Gsd9y9LlqFDVjwe8MJogay/y/CFpQmmuwkifJnX/JOMzoTGhYYMXKUSI5cooQz+ XlDrvP6y2+M70t5WclTDisUJsu7FLtF1BgVnY+6zPR2puaNh27rgi/1uNtjsOqgA G6aBGeOu7fp1uwBeas6P3hCsibZzQyJmKFVEIoigePTBRSWV9uc0K1cHYDHi+Mlc MsigyT1H6EWOWhykXRx1STEISZnWdN4M/r7i40Au656xPYdWKoksSYUWuCXUyH5K +tDTQCtyyJ+zfVJyLFy8uNG26chwTiyr2SeSjtNOBkq5hqO72H/7rGUtufxKAJYY PWkA3VWMgymz1rg8SaBTw7GuNIDTNuLMWo4C1fTyi+ypi5IJIIHSOhwbfSWYzlPO XnMpRaQ2FK5CIG/koj1TVbUXwdv24Gvam7VDnQUWdhVFbCRrTDrWX6vI4hXiOG+s ZXvhjETPkrtXrcccEMjkxjADagU8yLSzKt+0JMb7YcaLaiFfg3jFVDc2pmqUQfyk TD/8nywSpyF0bp9m8EVUR4f6Eh2yQNh4ofuSRJVB9mnv91QVEUK97Zkm7WU458B8 sAiRuQicmToTA/Nub1zAGmUvfcsFwNqoGcg1ly3um1+mX2Do664vSrKNOpo7qM8F wUgE0YHLR6CCbYPWH7cnz2+75Mj6fo9WFwecEFPmnO3Yzxx8/OvjX5jDpY3GW0f/ C77rqiioabuejNjTsFMW4YQZtEtsSZ2Q4rQhUxJM1vREh/sTxN+RPfxiy4we5gSZ scfL0qB8wn7paY/cbWEzJKtvlEukvnWIjt16NLLHcBIMTfnUdubeulmB1p5k1NKK IQsOPS0AxWL/+BNs2wFQa4JBNuDlh8nQR7cIUIGOhqFwK2FWCuH414Q1vc02d4FT HiPw5iIm8k/cZDlOeKO0OanwrvyVNDdb1naC9lrxRWkmcyokPoBtsfFUF5bYmsrh CZFSHgo2jrVNsXo6OtJz934ZEZOGDYjhRrjHCl3HUgFhUfh4aVDrjaG8atQSpbBh M+ZAbVI8r7ldccgaCABE823dSlizruB9phhf4rMKKkjWg31u9l5Hg8WSvHIp2xng /MzOaUV1NIyJsMppi30kDpgOKc5Gn0wxhvAZFvG0x41KmMJ08UtG51+eftZErZZK jyDxJ+xSIQ3pNfZFBAE7JPTDqAYAEaOJFX5OhE3nSxirPVh61c9RmihWA3GJ5P1d sX13VYsWnW9QGrntgh6y3FiVjFmBqHl0YOXaSLr4sUkXP+JiK4dXnq/eCacajOi3 FauHU0rlGBY4HSIznFI9yItyrZjF+b58D+Zda1RoeXhjWOTjio8NZQkIkg3pctcT hbFdZ22OSzChiwZMZZ8LRzkvPSxgh7kQONRkyEOJtQseh/BxTf+tSSzRffkcgNXN VkW3K+CQUB5zVNvL5XLIPqyyueOCWgqYUU39GywznT//Jp6d++S4hZKjdlAFf/kH B2o5w8m9hYD+/EAgnI2Dwgw2zIvIvexsiunNAVxODZDhwEQQWceaO7qoWrjEbg/M lp94C33genksjWx0AtOGjSKNVtPMigrcoSRi9DD7v6rlhGnetQP7gLtHFJTFqbHK rCirlmpqQC1cCCCFRcEmIOcvzPp4NDx7Q4hoJvPlbXYz3ZKnSyPI5GBb74ucB19N dUenK9DIA57PWlwSuElSjvyheKgaVpZdrGOS9d/xjMRHff6/3tffNI/0Gkx3eXXV fjFOsyGNNjV8xXFkyFiIn7Nxm4AQxVzaKRaPagV9ykLe/+d4XSZ00+I89r4GaLrs jKmMDjsz9XIuKL/FX0xaASa8j/Yoa0WM3UCaJeTFMJTFj55qBJmXT3HyXxBDAet7 WmxQDh9ciYWLp0sVYQvTsY+dCT8W6kNQGeC/C3JRVeoVDFaKG+JgLvbYmlqp6YB3 D3WXGrGwViRTYOqPzWPBpGsluO4cjW5Nuipn6j1yyFlIlQjJGHELU+b8vDFo9+CQ r6L1IHaxi2CUXMUAAhM0YuyVDmU3VkOFxmHBpriYqc6LSw19Z4EkEaEdTuiTZXDg uOmLK8lKtBMh93IAkHIHyUPWe8ZyC51Kzdb2ntwQWUo7JXwj6PtneSG0byZKKbhm TNB9I6ISrc20I3GTqIYHWKLQqa8x746YFj+FPR/rx4jeEc0K/716kHZ1DXTLLziW KaNplCOkLpBv+bdQafiHt3qV/NiojSZ2K5Pclh3F/m5lYx1dsiZ35Hq+bfC/75Mf npdpiatkZPy7cBS7aJFZMqW/398ei5W+0AZFCSPp51fZVDzzY/ltdRBM2gF8xbOV IMuReia4eeI5WdP6aGZI1HUrxyNXa9PkhQvzn1KFFAXEcP37B3lY/z6Nbrl9xTKO 04Cx8b+eq/+3OnAtTHTq0arHvRIS0KUvZSJvZA0Rmzi9wRDmiW2PpvBI0ev0FE4g dEvjvOAFsxkrjwRhWfg3Qi6PxMhiGay6VPGjESWJfHyMzILcBJ5opShuEVSMYziZ lJvhNarEqtdHXEIHTvh85/RrNwrRu1uqPhc3iQIdPiyYLlBrza2/35g0iI3HkTkO Ti4jV9Eas8v+IdEqDglsVrTcpQHvCV0ov85c5ujark84dyz9FzwUqmUaIgtgVEGD bMUIUeZmdbBOSW+xKhQmD3+yQAake+zeDDwbX1Z6kEWJTb2LC4333fVESuT6jjqj uBLoRzEZczu6p6h4aGT9NlVIoKDAuwxkJOOgyAcWPFQ5wEWwMxsbE7/+tgIQD2rC ENxN6jPYyBch2hVyne/EEuiGoA3oxA8B0gLqgWEoooNCEEYmztRPGSRIQTUYdZ4e /lqdOAbMKD8b6soC8qtxkJLH5hYqOewlsNLU42eZK73nxGtg0CypRacEKfa4tj1q P/RViSg3VDvswMF9/fbL15pBoqb6lZfCKBqJET4Y4TAa9TRa1yPC3u1ia5khE2p6 ZV2WQyoDgP3AiH8dZ9uDyGWSrSabU8gWBtrBcc2UvPmj4P5LF7rtr6RWuWTf2bkc ZaaX+vtDGoq5RaxqvJBaRO5y9wZ+aiep9VR/DmIK25A06/lUB0YMKk7dKKQirTye EpIxyzXdHFAjNUKuwqljoXhmWe8RXAbhKpZxVKJwSVyfegg6CcwKnQLi10fFXdOj /WOvDPenfXytJrQnZuprbyq6+7KTsF1rvlZbVs55RFuyGcy/eTWVyynUfTFh0uy+ v6HcSceqF3V6TICrvS1pcJQlvPOACowKIiCjs4H9oYjfQ+8QhzPW7mNf7qU4aGnL /o6XngOdMcT+j/NAelI91CJK62elll5lFvPXdlLEZKH89Lr9fOJzuEa0jfLGLpfI QL6AmhS/ZrqwwSim0w+zktSEDUhLXcdBhqJvG73wMOwpUJR/XMufWPnFo5+42CiK zhHKzFN+zf+E8SRVUbDKZarvNpQai/xTUT9eNo1arfV04tRL7ZCrT82gQH3ivKFY 9hSX/omu9bcWG3BQgCI1HWIMXDqWAB2FAEYPNEELyTMpKis1Y0N1ehdcJ7uAhgF8 emm+qrXaRDXXOT/XfHQSGnMllODwrakQ0/CPTSmde+KZALq/Bd5zJ0KS/JheTQ8j ZzwuMOmcOrKlAlWRHfFjevbVcXSAWeHjJQLQL7OOuzk9Zr8L/tMF/BDK4mu5lw8S KKNPy11w/uVqRqnl0PW2YbPanUXrummptMKKnjoLIcMJu/pBu2ePsMI4xgaREh5v QxgLl/+D/sawyK/WFOjFEsurYrjv/7FSg+PQtXAwz3+M/QOvLbLX70Dqpczn2gBb FvgfI8pBKWnmT+PqJaxxFfVGm6HvUuULJIJK+Mmu5/Dhge0sbp0JL+3WA1PQ3N8w B5NXkNTQFzAGWna2TtwAfVOLnJpRd8W+fahjzw9ivboYMmTMoXaNoCVTHCyAOH5f fUkWAe784VC91E78fAU4yI+QSfmo+lxrgDvQnEvZTXPhPUyF53mZbY4WKX8uIHtZ SOMKeRknZxEEagF8/yPDA5RiDP7KKQVEFEt8GMQGQWodrWQ+AGxe3VgcXdjma+Iq zJ7As+J2rUKtOgzjG5E03WEx/fL1ppgOhn1wU7cGSWuPO70DNRMdvkUSzt/MGjP7 zL/cjhyZ8I3DStaRX4PjG7EAI0ZWd6HO4gUYMjU+VVx0m81haqDD/LW/8PcLPEma owAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgSFxsgMAoGCCqGSM49BAMEA4GLADCB hwJCAP1Y2r26fxhSYmL7pjEF7aP9V4ZzoVfpDf75VxKTW6vCvz/CozYhzn6mZka5 18GBRgmXC4Ye88toLOhdxjT319/lAkEVyxpodYAljpbkwVjT4a7b4yioPJvR6S44 6dU955tbns3PFbzhOU8usFhyXsKRDH7MBzt+ew9EnPEel7ud4+F23A== -----END CERTIFICATE-----¶
0 6276: SEQUENCE { 4 6118: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 40 5C BD 35 25 6A F5 95 C6 E9 06 72 A3 5E 03 27 F6 DE C3 9F 35 10: SEQUENCE { 37 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 47 139: SEQUENCE { 50 11: SET { 52 9: SEQUENCE { 54 3: OBJECT IDENTIFIER countryName (2 5 4 6) 59 2: PrintableString 'XX' : } : } 63 53: SET { 65 51: SEQUENCE { 67 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 72 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 118 43: SET { 120 41: SEQUENCE { 122 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 127 34: UTF8String 'Post-Heffalump Research Department' : } : } 163 24: SET { 165 22: SEQUENCE { 167 3: OBJECT IDENTIFIER commonName (2 5 4 3) 172 15: UTF8String 'ECDSA Root - G1' : } : } : } 189 30: SEQUENCE { 191 13: UTCTime 17/10/2024 23:37:23 GMT 206 13: UTCTime 15/10/2034 23:37:23 GMT : } 221 47: SEQUENCE { 223 11: SET { 225 9: SEQUENCE { 227 3: OBJECT IDENTIFIER countryName (2 5 4 6) 232 2: PrintableString 'XX' : } : } 236 15: SET { 238 13: SEQUENCE { 240 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 245 6: UTF8String 'Hanako' : } : } 253 15: SET { 255 13: SEQUENCE { 257 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 262 6: UTF8String 'Yamada' : } : } : } 270 155: SEQUENCE { 273 16: SEQUENCE { 275 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 284 5: OBJECT IDENTIFIER secp521r1 (1 3 132 0 35) : } 291 134: BIT STRING : 04 00 15 FA 17 17 A0 19 3C E9 18 4E 96 FC BC 0D : AA F9 90 2D 90 4D FD F4 1F 41 07 3F AA D0 0F 75 : BD 27 81 BD 96 DF 6A DE 55 86 A5 4B B5 3F A7 12 : 0B 90 86 56 21 5D FE 82 98 2B C5 50 44 66 41 CF : 33 7D 6E 01 68 7D 59 49 DF A4 A6 E4 79 7C 98 FA : 89 B0 DB B2 D1 D4 DE 57 B8 56 AD AA 1D 1F 9A 5E : F9 9C 70 4B 58 55 9E 41 5F 72 84 FA 06 3F 7B 3A : 58 FC 10 57 AD DF 2F 26 E5 7B D9 23 DD B2 B3 73 : 8C 2C F9 CF C3 : } 428 5694: [3] { 432 5690: SEQUENCE { 436 12: SEQUENCE { 438 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 443 1: BOOLEAN TRUE 446 2: OCTET STRING, encapsulates { 448 0: SEQUENCE {} : } : } 450 14: SEQUENCE { 452 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 457 1: BOOLEAN TRUE 460 4: OCTET STRING, encapsulates { 462 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 466 29: SEQUENCE { 468 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 473 22: OCTET STRING, encapsulates { 475 20: OCTET STRING : 07 84 EC E4 E5 63 31 5C B8 C7 78 D5 FC 61 18 F0 : 53 C3 8C AD : } : } 497 31: SEQUENCE { 499 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 504 24: OCTET STRING, encapsulates { 506 22: SEQUENCE { 508 20: [0] : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } : } 530 5592: SEQUENCE { 534 10: OBJECT IDENTIFIER : deltaCertificateDescriptor (2 16 840 1 114027 80 6 1) 546 5576: OCTET STRING, encapsulates { 550 5572: SEQUENCE { 554 20: INTEGER : 41 91 BC 8D 0A 73 58 38 E2 F5 F3 75 E0 03 8C B2 : 81 BC F5 22 576 13: [0] { 578 11: SEQUENCE { 580 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } : } 591 143: [1] { 594 140: SEQUENCE { 597 11: SET { 599 9: SEQUENCE { 601 3: OBJECT IDENTIFIER countryName (2 5 4 6) 606 2: PrintableString 'XX' : } : } 610 53: SET { 612 51: SEQUENCE { 614 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 619 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 665 43: SET { 667 41: SEQUENCE { 669 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 674 34: UTF8String 'Post-Heffalump Research Department' : } : } 710 25: SET { 712 23: SEQUENCE { 714 3: OBJECT IDENTIFIER commonName (2 5 4 3) 719 16: UTF8String 'ML-DSA Root - G1' : } : } : } : } 737 1970: SEQUENCE { 741 11: SEQUENCE { 743 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 18' : } 754 1953: BIT STRING : 87 70 BA D0 8A 30 8B 78 07 32 D2 AF A0 38 19 D6 : 01 EE 96 92 B8 8B CA D7 FF E2 8E 23 D9 4A 8C CA : F8 05 4A 98 29 E3 3C D2 34 3D A1 D0 A8 D4 1D E9 : 4E 91 BE EF DC 50 56 96 5A 92 5D 95 09 D8 43 13 : 0E 1C 76 9F 89 67 6D 65 C1 58 4E F0 40 70 31 51 : 4F 13 19 38 17 74 F3 F7 8F 89 DB 2D 17 A9 5C 78 : 4D 21 9B 78 9C DA 6A A3 D5 12 C2 55 FF E2 A3 04 : 6A F5 05 45 0C 14 69 78 64 02 B0 7B 9F B8 EC 40 : [ Another 1824 bytes skipped ] : } 2711 99: [4] { 2713 97: SEQUENCE { 2715 15: SEQUENCE { 2717 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2722 1: BOOLEAN TRUE 2725 5: OCTET STRING, encapsulates { 2727 3: SEQUENCE { 2729 1: BOOLEAN TRUE : } : } : } 2732 14: SEQUENCE { 2734 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2739 1: BOOLEAN TRUE 2742 4: OCTET STRING, encapsulates { 2744 2: BIT STRING 1 unused bit : '1100001'B : } : } 2748 29: SEQUENCE { 2750 3: OBJECT IDENTIFIER : subjectKeyIdentifier (2 5 29 14) 2755 22: OCTET STRING, encapsulates { 2757 20: OCTET STRING : 49 74 6C 51 42 21 E5 9F BB 91 E4 A3 35 4B E3 01 : 4D 90 90 8E : } : } 2779 31: SEQUENCE { 2781 3: OBJECT IDENTIFIER : authorityKeyIdentifier (2 5 29 35) 2786 24: OCTET STRING, encapsulates { 2788 22: SEQUENCE { 2790 20: [0] : 9B 07 B4 A4 75 C4 BC 91 5D 35 E0 C9 A1 C1 62 E2 : 77 55 D6 3F : } : } : } : } : } 2812 3310: BIT STRING : 60 AF 87 6F D4 86 6C 62 D5 46 5D 94 92 04 4A C7 : 84 D0 1E 5D E6 5D 23 D7 4F A9 3F 90 C0 CF 32 B6 : F5 3F 82 74 70 8D 4F 11 FB BB 64 12 CC A5 48 EC : F9 61 BA E7 EF 22 D1 B2 8B 43 F6 BF 87 45 81 DD : 5F BD 65 89 E1 0F 12 48 61 15 EB F4 73 E0 A5 FC : 3D 5E 31 46 CE 5E EB F6 9A DF DF 77 5A 72 22 11 : F7 C2 8D 39 A2 6C FE C4 92 21 E4 84 69 B2 C7 6C : 66 E2 9D 75 D7 D6 E3 57 29 BB 53 DE 16 93 D8 84 : [ Another 3181 bytes skipped ] : } : } : } : } : } : } 6126 10: SEQUENCE { 6128 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 6138 139: BIT STRING, encapsulates { 6142 135: SEQUENCE { 6145 66: INTEGER : 00 FD 58 DA BD BA 7F 18 52 62 62 FB A6 31 05 ED : A3 FD 57 86 73 A1 57 E9 0D FE F9 57 12 93 5B AB : C2 BF 3F C2 A3 36 21 CE 7E A6 66 46 B9 D7 C1 81 : 46 09 97 0B 86 1E F3 CB 68 2C E8 5D C6 34 F7 D7 : DF E5 6213 65: INTEGER : 15 CB 1A 68 75 80 25 8E 96 E4 C1 58 D3 E1 AE DB : E3 28 A8 3C 9B D1 E9 2E 38 E9 D5 3D E7 9B 5B 9E : CD CF 15 BC E1 39 4F 2E B0 58 72 5E C2 91 0C 7E : CC 07 3B 7E 7B 0F 44 9C F1 1E 97 BB 9D E3 E1 76 : DC : } : } : }¶
B.3. Dual use example
B.3.1. EC signing end-entity certificate
This is an end-entity signing certificate which certifies an EC key.¶
-----BEGIN CERTIFICATE----- MIICYTCCAcOgAwIBAgIUVcVNficoipRs4c6JBiF731VtDLAwCgYIKoZIzj0EAwQw gYsxCzAJBgNVBAYTAlhYMTUwMwYDVQQKDCxSb3lhbCBJbnN0aXR1dGUgb2YgUHVi bGljIEtleSBJbmZyYXN0cnVjdHVyZTErMCkGA1UECwwiUG9zdC1IZWZmYWx1bXAg UmVzZWFyY2ggRGVwYXJ0bWVudDEYMBYGA1UEAwwPRUNEU0EgUm9vdCAtIEcxMB4X DTI0MTAxNzIzMzcyM1oXDTM0MTAxNTIzMzcyM1owLzELMAkGA1UEBhMCWFgxDzAN BgNVBAoMBkhhbmFrbzEPMA0GA1UECwwGWWFtYWRhMFkwEwYHKoZIzj0CAQYIKoZI zj0DAQcDQgAEbg5mK9aDw+9pIASgzCANcYRugXSfaWtTH3Kg6th/m8hybPvXHsFG Enm4Zu3a+S/5RPmIw78UoBMpIqR+Tfno16NgMF4wDAYDVR0TAQH/BAIwADAOBgNV HQ8BAf8EBAMCB4AwHQYDVR0OBBYEFKjGwfjydnErtBzOVMiLz5lP9Jq/MB8GA1Ud IwQYMBaAFOuj0ItR/hLczCFmh4UPmMdnc4g0MAoGCCqGSM49BAMEA4GLADCBhwJB O3d8oj0thpSmSI85xLuvA97w/QKRhdGXwPtzO7VceH3seMiORoCLPKO8Gfd1liRL tznhz7IbmVbS64WbxQe4QawCQgFeT1babH2MEBLT+NGXIKA0azitP11LA/rynYoD bindtP08txIa8w9O2MhG1706nrLc+z+PstQqXgQQ5ha/fn97PA== -----END CERTIFICATE-----¶
0 609: SEQUENCE { 4 451: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 55 C5 4D 7E 27 28 8A 94 6C E1 CE 89 06 21 7B DF 55 6D 0C B0 35 10: SEQUENCE { 37 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 47 139: SEQUENCE { 50 11: SET { 52 9: SEQUENCE { 54 3: OBJECT IDENTIFIER countryName (2 5 4 6) 59 2: PrintableString 'XX' : } : } 63 53: SET { 65 51: SEQUENCE { 67 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 72 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 118 43: SET { 120 41: SEQUENCE { 122 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 127 34: UTF8String 'Post-Heffalump Research Department' : } : } 163 24: SET { 165 22: SEQUENCE { 167 3: OBJECT IDENTIFIER commonName (2 5 4 3) 172 15: UTF8String 'ECDSA Root - G1' : } : } : } 189 30: SEQUENCE { 191 13: UTCTime 17/10/2024 23:37:23 GMT 206 13: UTCTime 15/10/2034 23:37:23 GMT : } 221 47: SEQUENCE { 223 11: SET { 225 9: SEQUENCE { 227 3: OBJECT IDENTIFIER countryName (2 5 4 6) 232 2: PrintableString 'XX' : } : } 236 15: SET { 238 13: SEQUENCE { 240 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 245 6: UTF8String 'Hanako' : } : } 253 15: SET { 255 13: SEQUENCE { 257 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 262 6: UTF8String 'Yamada' : } : } : } 270 89: SEQUENCE { 272 19: SEQUENCE { 274 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 283 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) : } 293 66: BIT STRING : 04 6E 0E 66 2B D6 83 C3 EF 69 20 04 A0 CC 20 0D : 71 84 6E 81 74 9F 69 6B 53 1F 72 A0 EA D8 7F 9B : C8 72 6C FB D7 1E C1 46 12 79 B8 66 ED DA F9 2F : F9 44 F9 88 C3 BF 14 A0 13 29 22 A4 7E 4D F9 E8 : D7 : } 361 96: [3] { 363 94: SEQUENCE { 365 12: SEQUENCE { 367 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 372 1: BOOLEAN TRUE 375 2: OCTET STRING, encapsulates { 377 0: SEQUENCE {} : } : } 379 14: SEQUENCE { 381 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 386 1: BOOLEAN TRUE 389 4: OCTET STRING, encapsulates { 391 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 395 29: SEQUENCE { 397 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 402 22: OCTET STRING, encapsulates { 404 20: OCTET STRING : A8 C6 C1 F8 F2 76 71 2B B4 1C CE 54 C8 8B CF 99 : 4F F4 9A BF : } : } 426 31: SEQUENCE { 428 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 433 24: OCTET STRING, encapsulates { 435 22: SEQUENCE { 437 20: [0] : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } : } : } : } : } 459 10: SEQUENCE { 461 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 471 139: BIT STRING, encapsulates { 475 135: SEQUENCE { 478 65: INTEGER : 3B 77 7C A2 3D 2D 86 94 A6 48 8F 39 C4 BB AF 03 : DE F0 FD 02 91 85 D1 97 C0 FB 73 3B B5 5C 78 7D : EC 78 C8 8E 46 80 8B 3C A3 BC 19 F7 75 96 24 4B : B7 39 E1 CF B2 1B 99 56 D2 EB 85 9B C5 07 B8 41 : AC 545 66: INTEGER : 01 5E 4F 56 DA 6C 7D 8C 10 12 D3 F8 D1 97 20 A0 : 34 6B 38 AD 3F 5D 4B 03 FA F2 9D 8A 03 6E 29 DD : B4 FD 3C B7 12 1A F3 0F 4E D8 C8 46 D7 BD 3A 9E : B2 DC FB 3F 8F B2 D4 2A 5E 04 10 E6 16 BF 7E 7F : 7B 3C : } : } : }¶
B.3.2. EC dual use end-entity certificate with encoded Delta Certificate
This is an end-entity key exchange certificate which certifies an EC key. It contains a Delta Certificate Descriptor extension which includes sufficient information to the recreate the EC signing end-entity certificate.¶
-----BEGIN CERTIFICATE----- MIIDzTCCAy6gAwIBAgIUczxcVsNa7M9uSs598vuGatGLDuIwCgYIKoZIzj0EAwQw gYsxCzAJBgNVBAYTAlhYMTUwMwYDVQQKDCxSb3lhbCBJbnN0aXR1dGUgb2YgUHVi bGljIEtleSBJbmZyYXN0cnVjdHVyZTErMCkGA1UECwwiUG9zdC1IZWZmYWx1bXAg UmVzZWFyY2ggRGVwYXJ0bWVudDEYMBYGA1UEAwwPRUNEU0EgUm9vdCAtIEcxMB4X DTI0MTAxNzIzMzcyM1oXDTM0MTAxNTIzMzcyM1owLzELMAkGA1UEBhMCWFgxDzAN BgNVBAoMBkhhbmFrbzEPMA0GA1UECwwGWWFtYWRhMHYwEAYHKoZIzj0CAQYFK4EE ACIDYgAE+qm8IaZ5hVFufLvTuniWWnQoa9d0YCyNiOmQ2OrrcukSy0FgozyJq7hc g8o2pJ5uRRLVysU1gHNfxL+TvwRRr6eWUJE8v0dCUccuCFPAVbxwf7Hjcp5NSsFn J2lIrvzgo4IBrDCCAagwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAwgwHQYD VR0OBBYEFAHprr1J3zZ7gG1ksEzN8BHM7tCzMB8GA1UdIwQYMBaAFOuj0ItR/hLc zCFmh4UPmMdnc4g0MIIBRgYKYIZIAYb6a1AGAQSCATYwggEyAhRVxU1+JyiKlGzh zokGIXvfVW0MsDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABG4OZivWg8PvaSAE oMwgDXGEboF0n2lrUx9yoOrYf5vIcmz71x7BRhJ5uGbt2vkv+UT5iMO/FKATKSKk fk356NekMTAvMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUqMbB+PJ2cSu0HM5U yIvPmU/0mr8DgYsAMIGHAkE7d3yiPS2GlKZIjznEu68D3vD9ApGF0ZfA+3M7tVx4 fex4yI5GgIs8o7wZ93WWJEu3OeHPshuZVtLrhZvFB7hBrAJCAV5PVtpsfYwQEtP4 0ZcgoDRrOK0/XUsD+vKdigNuKd20/Ty3EhrzD07YyEbXvTqestz7P4+y1CpeBBDm Fr9+f3s8MAoGCCqGSM49BAMEA4GMADCBiAJCAXrIaCetU/F7+TDkYBjEaHRZEujy DL2Ic08Eu+iDBRvzuYjxulQKCJaRFrcbegcW8D8MTkrJW8b0j9PkIXuLB51wAkIB 0/4Tx4hhUQ6SCBNx70mG2kOeHpgZB62K3b3PtypOJtUWTZS5XgBhljUUTmdsaQtA wi1V+cwAnegmu168l43lQz0= -----END CERTIFICATE-----¶
0 973: SEQUENCE { 4 814: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 73 3C 5C 56 C3 5A EC CF 6E 4A CE 7D F2 FB 86 6A D1 8B 0E E2 35 10: SEQUENCE { 37 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 47 139: SEQUENCE { 50 11: SET { 52 9: SEQUENCE { 54 3: OBJECT IDENTIFIER countryName (2 5 4 6) 59 2: PrintableString 'XX' : } : } 63 53: SET { 65 51: SEQUENCE { 67 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 72 44: UTF8String : 'Royal Institute of Public Key Infrastructure' : } : } 118 43: SET { 120 41: SEQUENCE { 122 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 127 34: UTF8String 'Post-Heffalump Research Department' : } : } 163 24: SET { 165 22: SEQUENCE { 167 3: OBJECT IDENTIFIER commonName (2 5 4 3) 172 15: UTF8String 'ECDSA Root - G1' : } : } : } 189 30: SEQUENCE { 191 13: UTCTime 17/10/2024 23:37:23 GMT 206 13: UTCTime 15/10/2034 23:37:23 GMT : } 221 47: SEQUENCE { 223 11: SET { 225 9: SEQUENCE { 227 3: OBJECT IDENTIFIER countryName (2 5 4 6) 232 2: PrintableString 'XX' : } : } 236 15: SET { 238 13: SEQUENCE { 240 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 245 6: UTF8String 'Hanako' : } : } 253 15: SET { 255 13: SEQUENCE { 257 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 262 6: UTF8String 'Yamada' : } : } : } 270 118: SEQUENCE { 272 16: SEQUENCE { 274 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 283 5: OBJECT IDENTIFIER secp384r1 (1 3 132 0 34) : } 290 98: BIT STRING : 04 FA A9 BC 21 A6 79 85 51 6E 7C BB D3 BA 78 96 : 5A 74 28 6B D7 74 60 2C 8D 88 E9 90 D8 EA EB 72 : E9 12 CB 41 60 A3 3C 89 AB B8 5C 83 CA 36 A4 9E : 6E 45 12 D5 CA C5 35 80 73 5F C4 BF 93 BF 04 51 : AF A7 96 50 91 3C BF 47 42 51 C7 2E 08 53 C0 55 : BC 70 7F B1 E3 72 9E 4D 4A C1 67 27 69 48 AE FC : E0 : } 390 428: [3] { 394 424: SEQUENCE { 398 12: SEQUENCE { 400 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 405 1: BOOLEAN TRUE 408 2: OCTET STRING, encapsulates { 410 0: SEQUENCE {} : } : } 412 14: SEQUENCE { 414 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 419 1: BOOLEAN TRUE 422 4: OCTET STRING, encapsulates { 424 2: BIT STRING 3 unused bits : '10000'B (bit 4) : } : } 428 29: SEQUENCE { 430 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 435 22: OCTET STRING, encapsulates { 437 20: OCTET STRING : 01 E9 AE BD 49 DF 36 7B 80 6D 64 B0 4C CD F0 11 : CC EE D0 B3 : } : } 459 31: SEQUENCE { 461 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 466 24: OCTET STRING, encapsulates { 468 22: SEQUENCE { 470 20: [0] : EB A3 D0 8B 51 FE 12 DC CC 21 66 87 85 0F 98 C7 : 67 73 88 34 : } : } : } 492 326: SEQUENCE { 496 10: OBJECT IDENTIFIER : deltaCertificateDescriptor (2 16 840 1 114027 80 6 1) 508 310: OCTET STRING, encapsulates { 512 306: SEQUENCE { 516 20: INTEGER : 55 C5 4D 7E 27 28 8A 94 6C E1 CE 89 06 21 7B DF : 55 6D 0C B0 538 89: SEQUENCE { 540 19: SEQUENCE { 542 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 551 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) : } 561 66: BIT STRING : 04 6E 0E 66 2B D6 83 C3 EF 69 20 04 A0 CC 20 0D : 71 84 6E 81 74 9F 69 6B 53 1F 72 A0 EA D8 7F 9B : C8 72 6C FB D7 1E C1 46 12 79 B8 66 ED DA F9 2F : F9 44 F9 88 C3 BF 14 A0 13 29 22 A4 7E 4D F9 E8 : D7 : } 629 49: [4] { 631 47: SEQUENCE { 633 14: SEQUENCE { 635 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 640 1: BOOLEAN TRUE 643 4: OCTET STRING, encapsulates { 645 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 649 29: SEQUENCE { 651 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 656 22: OCTET STRING, encapsulates { 658 20: OCTET STRING : A8 C6 C1 F8 F2 76 71 2B B4 1C CE 54 C8 8B CF 99 : 4F F4 9A BF : } : } : } : } 680 139: BIT STRING, encapsulates { 684 135: SEQUENCE { 687 65: INTEGER : 3B 77 7C A2 3D 2D 86 94 A6 48 8F 39 C4 BB AF 03 : DE F0 FD 02 91 85 D1 97 C0 FB 73 3B B5 5C 78 7D : EC 78 C8 8E 46 80 8B 3C A3 BC 19 F7 75 96 24 4B : B7 39 E1 CF B2 1B 99 56 D2 EB 85 9B C5 07 B8 41 : AC 754 66: INTEGER : 01 5E 4F 56 DA 6C 7D 8C 10 12 D3 F8 D1 97 20 A0 : 34 6B 38 AD 3F 5D 4B 03 FA F2 9D 8A 03 6E 29 DD : B4 FD 3C B7 12 1A F3 0F 4E D8 C8 46 D7 BD 3A 9E : B2 DC FB 3F 8F B2 D4 2A 5E 04 10 E6 16 BF 7E 7F : 7B 3C : } : } : } : } : } : } : } : } 822 10: SEQUENCE { 824 8: OBJECT IDENTIFIER ecdsaWithSHA512 (1 2 840 10045 4 3 4) : } 834 140: BIT STRING, encapsulates { 838 136: SEQUENCE { 841 66: INTEGER : 01 7A C8 68 27 AD 53 F1 7B F9 30 E4 60 18 C4 68 : 74 59 12 E8 F2 0C BD 88 73 4F 04 BB E8 83 05 1B : F3 B9 88 F1 BA 54 0A 08 96 91 16 B7 1B 7A 07 16 : F0 3F 0C 4E 4A C9 5B C6 F4 8F D3 E4 21 7B 8B 07 : 9D 70 909 66: INTEGER : 01 D3 FE 13 C7 88 61 51 0E 92 08 13 71 EF 49 86 : DA 43 9E 1E 98 19 07 AD 8A DD BD CF B7 2A 4E 26 : D5 16 4D 94 B9 5E 00 61 96 35 14 4E 67 6C 69 0B : 40 C2 2D 55 F9 CC 00 9D E8 26 BB 5E BC 97 8D E5 : 43 3D : } : } : }¶
Acknowledgments
TODO acknowledge.¶