datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3280

Document type: RFC - Proposed Standard (May 2002; Errata)
Obsoleted by RFC 5280
Updated by RFC 4325, RFC 4630
Obsoletes RFC 2459
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 3280 (Proposed Standard)
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                         R. Housley
Request for Comments: 3280                              RSA Laboratories
Obsoletes: 2459                                                  W. Polk
Category: Standards Track                                           NIST
                                                                 W. Ford
                                                                VeriSign
                                                                 D. Solo
                                                               Citigroup
                                                              April 2002

                Internet X.509 Public Key Infrastructure
       Certificate and Certificate Revocation List (CRL) Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This memo profiles the X.509 v3 certificate and X.509 v2 Certificate
   Revocation List (CRL) for use in the Internet.  An overview of this
   approach and model are provided as an introduction.  The X.509 v3
   certificate format is described in detail, with additional
   information regarding the format and semantics of Internet name
   forms.  Standard certificate extensions are described and two
   Internet-specific extensions are defined.  A set of required
   certificate extensions is specified.  The X.509 v2 CRL format is
   described in detail, and required extensions are defined.  An
   algorithm for X.509 certification path validation is described.  An
   ASN.1 module and examples are provided in the appendices.

Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . .   4
   2  Requirements and Assumptions  . . . . . . . . . . . . . .   5
   2.1  Communication and Topology  . . . . . . . . . . . . . .   6
   2.2  Acceptability Criteria  . . . . . . . . . . . . . . . .   6
   2.3  User Expectations . . . . . . . . . . . . . . . . . . .   7
   2.4  Administrator Expectations  . . . . . . . . . . . . . .   7
   3  Overview of Approach  . . . . . . . . . . . . . . . . . .   7

Housley, et. al.            Standards Track                     [Page 1]
RFC 3280        Internet X.509 Public Key Infrastructure      April 2002

   3.1  X.509 Version 3 Certificate . . . . . . . . . . . . . .   8
   3.2  Certification Paths and Trust . . . . . . . . . . . . .   9
   3.3  Revocation  . . . . . . . . . . . . . . . . . . . . . .  11
   3.4  Operational Protocols . . . . . . . . . . . . . . . . .  13
   3.5  Management Protocols  . . . . . . . . . . . . . . . . .  13
   4  Certificate and Certificate Extensions Profile  . . . . .  14
   4.1  Basic Certificate Fields  . . . . . . . . . . . . . . .  15
   4.1.1  Certificate Fields  . . . . . . . . . . . . . . . . .  16
   4.1.1.1  tbsCertificate  . . . . . . . . . . . . . . . . . .  16
   4.1.1.2  signatureAlgorithm  . . . . . . . . . . . . . . . .  16
   4.1.1.3  signatureValue  . . . . . . . . . . . . . . . . . .  16
   4.1.2  TBSCertificate  . . . . . . . . . . . . . . . . . . .  17
   4.1.2.1  Version . . . . . . . . . . . . . . . . . . . . . .  17
   4.1.2.2  Serial number . . . . . . . . . . . . . . . . . . .  17
   4.1.2.3  Signature . . . . . . . . . . . . . . . . . . . . .  18
   4.1.2.4  Issuer  . . . . . . . . . . . . . . . . . . . . . .  18
   4.1.2.5  Validity  . . . . . . . . . . . . . . . . . . . . .  22
   4.1.2.5.1  UTCTime . . . . . . . . . . . . . . . . . . . . .  22
   4.1.2.5.2  GeneralizedTime . . . . . . . . . . . . . . . . .  22
   4.1.2.6  Subject . . . . . . . . . . . . . . . . . . . . . .  23
   4.1.2.7  Subject Public Key Info . . . . . . . . . . . . . .  24
   4.1.2.8  Unique Identifiers  . . . . . . . . . . . . . . . .  24
   4.1.2.9 Extensions . . . . . . . . . . . . . . . . . . . . .  24
   4.2  Certificate Extensions  . . . . . . . . . . . . . . . .  24
   4.2.1  Standard Extensions . . . . . . . . . . . . . . . . .  25
   4.2.1.1  Authority Key Identifier  . . . . . . . . . . . . .  26
   4.2.1.2  Subject Key Identifier  . . . . . . . . . . . . . .  27
   4.2.1.3  Key Usage . . . . . . . . . . . . . . . . . . . . .  28
   4.2.1.4  Private Key Usage Period  . . . . . . . . . . . . .  29
   4.2.1.5  Certificate Policies  . . . . . . . . . . . . . . .  30
   4.2.1.6  Policy Mappings . . . . . . . . . . . . . . . . . .  33
   4.2.1.7  Subject Alternative Name  . . . . . . . . . . . . .  33
   4.2.1.8  Issuer Alternative Name . . . . . . . . . . . . . .  36

[include full document text]