Internet X.509 Public Key Infrastructure Warranty Certificate Extension
RFC 4059
Network Working Group                                    D. Linsenbardt
Request for Comments: 4059                                   S. Pontius
Category: Informational                                     A. Sturgeon
                                                                 SPYRUS
                                                               May 2005
Internet X.509 Public Key Infrastructure
Warranty Certificate Extension
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes a certificate extension to explicitly state
the warranty offered by a Certificate Authority (CA) for the
certificate containing the extension.
1. Introduction
The warranty certificate extension identifies the warranty policy
associated with an X.509 public key certificate [X.509-97, PROFILE].
Often the Certificate Authority (CA) will obtain an insurance policy
to ensure coverage of the warranty.
The certificate warranty provides an extended monetary coverage for
the end entities. The certificate warranty primarily concerns the
use, storage, and reliance on a certificate by a subscriber, a
relying party, and the CA. It is common for a CA to establish
reliance limits on the use of a certificate. It is not uncommon for
a CA to attempt through contractual means to exclude its liability
entirely. However, this undermines the confidence that commerce
requires to gainfully use certificates.
Alternatively, a CA may provide extended coverage for the use of the
certificate. Usually, the subscriber pays for the extended warranty
coverage. In turn, subscribers are covered by an appropriately
drafted insurance policy. The certificate warranty is backed by an
insurance policy issued by a licensed insurance company, which
results in a financial backing that is far greater than that of the
CA. This extra financial backing provides a further element of
confidence necessary to encourage the use of certificates in
commerce.
A relying party that has a warranty from a CA may obtain compensation
from a CA depending on the conditions for such compensation expressed
in either the CA's Certificate Policy, the CA's insurance policy, or
both. Evidence of an extended warranty, provided through the
certificate extension, will give the relying party additional
confidence that compensation is possible, and therefore will enhance
trust in the process. Risk for a non-subscriber relying party may be
reduced by the presence of a warranty extension with an explicit
warranty stated. The warranty extension allows this aspect of risk
management to be automated.
When a certificate contains a warranty certificate extension, the
extension MUST be non-critical, and MUST contain either a NULL to
indicate that no warranty is provided or base warranty data to
indicate that a warranty is provided. The extension MAY contain
optional qualifiers.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Warranty Extension Format
Like all X.509 certificate extensions, the warranty certificate
extension is defined using ASN.1 [X.208-88, X.209-88].
The non-critical warranty extension is identified by id-pe-warranty.
   PKIX Object Identifier Registry

   id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
          dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

   PKIX Arcs

   id-mod OBJECT IDENTIFIER ::= { id-pkix 0 } -- modules
   id-pe  OBJECT IDENTIFIER ::= { id-pkix 1 } -- private
                                              -- certificate extensions

   PKIX modules

   id-mod-warranty-extn OBJECT IDENTIFIER ::= { id-mod 27 }

   id-pe-warranty OBJECT IDENTIFIER ::= { id-pe 16 }
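The following is an added example, not code from RFC 4059 or from SPYRUS. It shows how a relying party's policy check could apply the rules in section 1 and the OID registry above to the DER encoding of an Extension: the OID must be id-pe-warranty (1.3.6.1.5.5.7.1.16), the extension must be non-critical, and extnValue carries either a NULL (no warranty) or base warranty data. Because the full WarrantyInfo ASN.1 is not reproduced on this page, the sample "warranty present" value below is an empty SEQUENCE used only as a constructed placeholder; the helper names are this example's own.

```python
# Added example (not part of RFC 4059): minimal DER walking for the
# warranty extension. Only single-byte tags are handled, which is all
# the Extension structure needs.

ID_PE_WARRANTY_OID = "1.3.6.1.5.5.7.1.16"           # { id-pe 16 }
ID_PE_WARRANTY_DER = bytes.fromhex("06082b06010505070110")  # OID TLV

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OID content octets to dotted form (first octet packs arcs 1 and 2)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_warranty_extension(extn_value, critical=None):
    """Constructed sample Extension ::= SEQUENCE { OID, BOOLEAN OPTIONAL,
    OCTET STRING }. critical=None omits the BOOLEAN as DER requires."""
    crit = b"" if critical is None else b"\x01\x01" + (b"\xff" if critical else b"\x00")
    body = ID_PE_WARRANTY_DER + crit + bytes([0x04, len(extn_value)]) + extn_value
    return bytes([0x30, len(body)]) + body

def classify_warranty_extension(ext_der):
    """Return 'no-warranty' or 'warranty'; raise ValueError when the
    extension breaks a MUST from section 1 of the RFC."""
    tag, body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_PE_WARRANTY_OID:
        raise ValueError("not the id-pe-warranty extension")
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                        # BOOLEAN critical is present
        if val != b"\x00":
            raise ValueError("warranty extension MUST be non-critical")
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    inner_tag, _, _ = _read_tlv(val, 0)    # NULL (0x05) means no warranty
    return "no-warranty" if inner_tag == 0x05 else "warranty"
```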
A non-null warranty always includes a base warranty. The warranty
information includes the period during which the warranty applies, a
warranty value, and a warranty type. The warranty type tells the
warranty limit against claims. The extension definition supports two
alternatives: aggregated and per-transaction. With aggregation,
claims are fulfilled until a ceiling value is reached. After that,
no further claims are fulfilled. With per-transaction, a ceiling
value is imposed on each claim, but each transaction is considered