Internet X.509 Public Key Infrastructure Warranty Certificate Extension
RFC 4059

Document Type RFC - Informational (May 2005; No errata)
Authors Sue Pontius, Alice Sturgeon, Duane Linsenbardt
Last updated 2015-10-14
Stream IETF
Responsible AD Sam Hartman
Network Working Group                                     D. Linsenbardt
Request for Comments: 4059                                    S. Pontius
Category: Informational                                      A. Sturgeon
                                                                May 2005

                Internet X.509 Public Key Infrastructure
                     Warranty Certificate Extension

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).


Abstract

   This document describes a certificate extension to explicitly state
   the warranty offered by a Certificate Authority (CA) for the
   certificate containing the extension.

1.  Introduction

   The warranty certificate extension identifies the warranty policy
   associated with an X.509 public key certificate [X.509-97, PROFILE].
   Often the Certificate Authority (CA) will obtain an insurance policy
   to ensure coverage of the warranty.

   The certificate warranty provides an extended monetary coverage for
   the end entities.  The certificate warranty primarily concerns the
   use, storage, and reliance on a certificate by a subscriber, a
   relying party, and the CA.  It is common for a CA to establish
   reliance limits on the use of a certificate.  It is not uncommon for
   a CA to attempt through contractual means to exclude its liability
   entirely.  However, this undermines the confidence that commerce
   requires to gainfully use certificates.

   Alternatively a CA may provide extended coverage for the use of the
   certificate.  Usually, the subscriber pays for the extended warranty
   coverage.  In turn, subscribers are covered by an appropriately
   drafted insurance policy.  The certificate warranty is backed by an
   insurance policy issued by a licensed insurance company, which
   results in a financial backing that is far greater than that of the
   CA.  This extra financial backing provides a further element of
   confidence necessary to encourage the use of certificates in

   A relying party that has a warranty from a CA may obtain compensation
   from a CA depending on the conditions for such compensation expressed
   in either the CA's Certificate Policy, the CA's insurance policy, or
   both.  Evidence of an extended warranty, provided through the
   certificate extension, will give the relying party additional
   confidence that compensation is possible, and therefore will enhance
   trust in the process.  Risk for a non-subscriber relying party may be
   reduced by the presence of a warranty extension with an explicit
   warranty stated.  The warranty extension allows this aspect of risk
   management to be automated.

   When a certificate contains a warranty certificate extension, the
   extension MUST be non-critical, and MUST contain either a NULL to
   indicate that no warranty is provided or base warranty data to
   indicate that a warranty is provided.  The extension MAY contain
   optional qualifiers.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Warranty Extension Format

   Like all X.509 certificate extensions, the warranty certificate
   extension is defined using ASN.1 [X.208-88, X.209-88].

   The non-critical warranty extension is identified by id-pe-warranty.

   PKIX Object Identifier Registry
   id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

   PKIX Arcs
   id-mod  OBJECT IDENTIFIER ::= { id-pkix 0 }    -- modules
   id-pe   OBJECT IDENTIFIER ::= { id-pkix 1 }    -- private
                                                  -- certificate extensions

   PKIX modules
   id-mod-warranty-extn         OBJECT IDENTIFIER ::= { id-mod 27 }

   id-pe-warranty OBJECT IDENTIFIER  ::=  { id-pe 16 }
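
   The following check is an added example, not part of the RFC text: it
   takes one DER-encoded X.509 Extension, matches it against
   id-pe-warranty (1.3.6.1.5.5.7.1.16, expanded from the arcs above), and
   enforces the non-critical and NULL-or-warranty-data rules from
   Section 1.  The function names and sample bytes are constructed for
   illustration, and treating warranty data as a SEQUENCE is an
   assumption, since its syntax is not shown in this part of the document.

```python
# Added example: audit one DER-encoded X.509 Extension against the warranty rules.
ID_PKIX = (1, 3, 6, 1, 5, 5, 7)
ID_PE_WARRANTY = ID_PKIX + (1, 16)  # id-pe = { id-pkix 1 }, warranty = { id-pe 16 }
# OID content bytes; every arc here is below 128, so each takes a single byte.
WARRANTY_OID = bytes([40 * ID_PE_WARRANTY[0] + ID_PE_WARRANTY[1], *ID_PE_WARRANTY[2:]])

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def check_warranty_extension(ext_der):
    """Return (status, detail) for one Extension SEQUENCE."""
    tag, ext, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(ext, 0)
    if tag != 0x06 or oid != WARRANTY_OID:
        return ("not-warranty", None)
    tag, value, pos = read_tlv(ext, pos)
    critical = False
    if tag == 0x01:  # optional critical BOOLEAN, DEFAULT FALSE
        critical = value != b"\x00"
        tag, value, pos = read_tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if critical:
        return ("violation", "warranty extension is marked critical")
    inner_tag, inner, _ = read_tlv(value, 0)
    if inner_tag == 0x05 and inner == b"":
        return ("ok", "NULL: no warranty provided")
    if inner_tag == 0x30:  # assumption: warranty data is carried as a SEQUENCE
        return ("ok", "warranty data present")
    return ("violation", "value is neither NULL nor warranty data")

# Constructed sample extensions (not taken from any real certificate).
OID_TLV = b"\x06\x08" + WARRANTY_OID
NULL_EXT = b"\x30\x0e" + OID_TLV + b"\x04\x02\x05\x00"
CRITICAL_EXT = b"\x30\x11" + OID_TLV + b"\x01\x01\xff" + b"\x04\x02\x05\x00"
DATA_EXT = b"\x30\x0e" + OID_TLV + b"\x04\x02\x30\x00"  # placeholder empty SEQUENCE
```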

   A non-null warranty always includes a base warranty.  The warranty
   information includes the period during which the warranty applies, a
   warranty value, and a warranty type.  The warranty type tells the
   warranty limit against claims.  The extension definition supports two
   alternatives: aggregated and per-transaction.  With aggregation,
   claims are fulfilled until a ceiling value is reached.  After that,
   no further claims are fulfilled.  With per-transaction, a ceiling
   value is imposed on each claim, but each transaction is considered