Security - News

Abstract:

This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.

This specification obsoletes [RFC3280]. Differences from RFC 3280 are summarized below:
* Enhanced support for internationalized names is specified in Section 7, with rules for encoding and comparing Internationalized Domain Names, Internationalized Resource Identifiers (IRIs), and distinguished names. These rules are aligned with comparison rules established in current RFCs, including [RFC3490], [RFC3987], and [RFC4518].
* Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for continued use of legacy text encoding schemes that were specified in [RFC4630]. Where in use by an established PKI, transition to UTF8String could cause denial of service based on name chaining failures or incorrect processing of name constraints.
* Section 4.2.1.4 in RFC 3280, which specified the privateKeyUsagePeriod certificate extension but deprecated its use, was removed. Use of this ISO standard extension is neither deprecated nor recommended for use in the Internet PKI.
* Section 4.2.1.5 recommends marking the policy mappings extension as critical. RFC 3280 required that the policy mappings extension be marked as non-critical.
* Section 4.2.1.11 requires marking the policy constraints extension as critical. RFC 3280 permitted the policy constraints extension to be marked as critical or non-critical.
* The Authority Information Access (AIA) CRL extension, as specified in [RFC4325], was added as Section 5.2.7.
* Sections 5.2 and 5.3 clarify the rules for handling unrecognized
CRL extensions and CRL entry extensions, respectively.
* Section 5.3.2 in RFC 3280, which specified the holdInstructionCode CRL entry extension, was removed.
* The path validation algorithm specified in Section 6 no longer tracks the criticality of the certificate policies extensions in a chain of certificates. In RFC 3280, this information was returned to a relying party.
* The Security Considerations section addresses the risk of circular dependencies arising from the use of https or similar schemes in the CRL distribution points, authority information access, or subject information access extensions.
* The Security Considerations section addresses risks associated with name ambiguity.
* The Security Considerations section references RFC 4210 for procedures to signal changes in CA operations.
The ASN.1 modules in Appendix A are unchanged from RFC 3280, except that ub-emailaddress-length was changed from 128 to 255 in order to align with PKCS #9 [RFC2985].

Autor: JP

Heuristické vyhledání souvisejících článků v archívu NEWS

• Nový draft - Attribute Certificate Policies extension
• Nový draft IETF PKIX - Attribute Certificate Policies extension
• Nová verze draftu IETF PKIX - Attribute Certificate Policies extension
• Nevýhody jednoho typu certifikát? (tzv. wildcard certificate)
• Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile
• Nový draft - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile