Network Working Group S. Santesson
Request for Comments: 3739 Microsoft
Obsoletes: 3039 M. Nystrom
Category: Standards Track RSA Security
T. Polk
NIST
March 2004
Network Working Group S. Santesson
Request for Comments: 3739 Microsoft
Obsoletes: 3039 M. Nystrom
Category: Standards Track RSA Security
T. Polk
NIST
March 2004
Internet X.509 Public Key Infrastructure: Qualified Certificates Profile
Internet X.509公钥基础设施:合格证书配置文件
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004). All Rights Reserved.
版权所有(C)互联网协会(2004年)。版权所有。
Abstract
摘要
This document forms a certificate profile, based on RFC 3280, for identity certificates issued to natural persons.
本文件基于RFC 3280,为颁发给自然人的身份证书形成了一个证书配置文件。
The profile defines specific conventions for certificates that are qualified within a defined legal framework, named Qualified Certificates. However, the profile does not define any legal requirements for such Qualified Certificates.
配置文件定义了在定义的法律框架(称为合格证书)内合格的证书的特定约定。但是,该概要文件并未规定此类合格证书的任何法律要求。
The goal of this document is to define a certificate profile that supports the issuance of Qualified Certificates independent of local legal requirements. The profile is however not limited to Qualified Certificates and further profiling may facilitate specific local needs.
本文档的目标是定义一个支持独立于本地法律要求颁发合格证书的证书配置文件。但是,配置文件并不限于合格证书,进一步的配置文件可能有助于满足特定的本地需求。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Changes since RFC 3039 . . . . . . . . . . . . . . . . . 3
1.2. Definitions. . . . . . . . . . . . . . . . . . . . . . . 4
2. Requirements and Assumptions . . . . . . . . . . . . . . . . . 4
2.1. Properties . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Statement of Purpose . . . . . . . . . . . . . . . . . . 5
2.3. Policy Issues. . . . . . . . . . . . . . . . . . . . . . 5
2.4. Uniqueness of Names. . . . . . . . . . . . . . . . . . . 6
3. Certificate and Certificate Extensions Profile . . . . . . . . 6
3.1. Basic Certificate Fields . . . . . . . . . . . . . . . . 6
3.1.1. Issuer . . . . . . . . . . . . . . . . . . . . . 6
3.1.2. Subject. . . . . . . . . . . . . . . . . . . . . 7
3.2. Certificate Extensions . . . . . . . . . . . . . . . . . 9
3.2.1. Subject Alternative Name . . . . . . . . . . . . 9
3.2.2. Subject Directory Attributes . . . . . . . . . . 9
3.2.3. Certificate Policies . . . . . . . . . . . . . . 11
3.2.4. Key Usage. . . . . . . . . . . . . . . . . . . . 11
3.2.5. Biometric Information. . . . . . . . . . . . . . 11
3.2.6. Qualified Certificate Statements . . . . . . . . 13
4. Security Considerations. . . . . . . . . . . . . . . . . . . . 15
A. ASN.1 Definitions. . . . . . . . . . . . . . . . . . . . . . . 17
A.1. 1988 ASN.1 Module (Normative). . . . . . . . . . . . . . 17
A.2. 1997 ASN.1 Module (Informative). . . . . . . . . . . . . 19
B. A Note on Attributes . . . . . . . . . . . . . . . . . . . . . 23
C. Example Certificate. . . . . . . . . . . . . . . . . . . . . . 23
C.1. ASN.1 Structure. . . . . . . . . . . . . . . . . . . . . 24
C.1.1. Extensions . . . . . . . . . . . . . . . . . . . 24
C.1.2. The Certificate. . . . . . . . . . . . . . . . . 25
C.2. ASN.1 Dump . . . . . . . . . . . . . . . . . . . . . . . 27
C.3. DER-encoding . . . . . . . . . . . . . . . . . . . . . . 30
C.4. CA's Public Key. . . . . . . . . . . . . . . . . . . . . 31
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Changes since RFC 3039 . . . . . . . . . . . . . . . . . 3
1.2. Definitions. . . . . . . . . . . . . . . . . . . . . . . 4
2. Requirements and Assumptions . . . . . . . . . . . . . . . . . 4
2.1. Properties . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Statement of Purpose . . . . . . . . . . . . . . . . . . 5
2.3. Policy Issues. . . . . . . . . . . . . . . . . . . . . . 5
2.4. Uniqueness of Names. . . . . . . . . . . . . . . . . . . 6
3. Certificate and Certificate Extensions Profile . . . . . . . . 6
3.1. Basic Certificate Fields . . . . . . . . . . . . . . . . 6
3.1.1. Issuer . . . . . . . . . . . . . . . . . . . . . 6
3.1.2. Subject. . . . . . . . . . . . . . . . . . . . . 7
3.2. Certificate Extensions . . . . . . . . . . . . . . . . . 9
3.2.1. Subject Alternative Name . . . . . . . . . . . . 9
3.2.2. Subject Directory Attributes . . . . . . . . . . 9
3.2.3. Certificate Policies . . . . . . . . . . . . . . 11
3.2.4. Key Usage. . . . . . . . . . . . . . . . . . . . 11
3.2.5. Biometric Information. . . . . . . . . . . . . . 11
3.2.6. Qualified Certificate Statements . . . . . . . . 13
4. Security Considerations. . . . . . . . . . . . . . . . . . . . 15
A. ASN.1 Definitions. . . . . . . . . . . . . . . . . . . . . . . 17
A.1. 1988 ASN.1 Module (Normative). . . . . . . . . . . . . . 17
A.2. 1997 ASN.1 Module (Informative). . . . . . . . . . . . . 19
B. A Note on Attributes . . . . . . . . . . . . . . . . . . . . . 23
C. Example Certificate. . . . . . . . . . . . . . . . . . . . . . 23
C.1. ASN.1 Structure. . . . . . . . . . . . . . . . . . . . . 24
C.1.1. Extensions . . . . . . . . . . . . . . . . . . . 24
C.1.2. The Certificate. . . . . . . . . . . . . . . . . 25
C.2. ASN.1 Dump . . . . . . . . . . . . . . . . . . . . . . . 27
C.3. DER-encoding . . . . . . . . . . . . . . . . . . . . . . 30
C.4. CA's Public Key. . . . . . . . . . . . . . . . . . . . . 31
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 34
This specification is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet. It is based on [X.509] and [RFC 3280], which defines underlying certificate formats and semantics needed for a full implementation of this standard.
本规范是互联网X.509公钥基础设施(PKI)标准系列的一部分。它基于[X.509]和[RFC 3280],定义了全面实施本标准所需的底层证书格式和语义。
This profile includes specific mechanisms intended for use with Qualified Certificates. The term Qualified Certificates and the assumptions that affect the scope of this document are discussed in Section 2.
此配置文件包括用于合格证书的特定机制。第2节讨论了影响本文件范围的术语合格证书和假设。
Section 3 defines requirements on certificate information content. This specification provides profiles for two certificate fields: issuer and subject. It also provides profiles for four certificate extensions defined in RFC 3280: subject alternate name, subject directory attributes, certificate policies, and key usage, and it defines two additional extensions: biometric information and qualified certificate statements. The certificate extensions are presented in the 1997 Abstract Syntax Notation One (ASN.1) [X.680], but in conformance with RFC 3280 the 1988 ASN.1 module in Appendix A contains all normative definitions (the 1997 module in Appendix A is informative).
第3节定义了对证书信息内容的要求。本规范提供了两个证书字段的配置文件:颁发者和主题。它还为RFC 3280中定义的四个证书扩展提供了配置文件:使用者备用名称、使用者目录属性、证书策略和密钥使用,并定义了两个附加扩展:生物特征信息和合格证书声明。证书扩展在1997年抽象语法符号1(ASN.1)[X.680]中给出,但根据RFC 3280,附录A中的1988年ASN.1模块包含所有规范性定义(附录A中的1997模块为信息性模块)。
In Section 4, some security considerations are discussed in order to clarify the security context in which the standard may be utilized.
在第4节中,讨论了一些安全注意事项,以澄清可能使用标准的安全上下文。
Appendix A contains all relevant ASN.1 structures that are not already defined in RFC 3280. Appendix B contains a note on attributes. Appendix C contains an example certificate.
附录A包含RFC 3280中尚未定义的所有相关ASN.1结构。附录B包含关于属性的说明。附录C包含一个示例证书。
The appendices sections are followed by the References, Authors Addresses, and the Full Copyright Statement.
附录部分之后是参考文献、作者地址和完整的版权声明。
This specification obsoletes RFC 3039. This specification differs from RFC 3039 in the following basic areas:
本规范淘汰了RFC 3039。本规范在以下基本方面与RFC 3039不同:
* Some editorial clarifications have been made to introductory sections to clarify that this profile is generally applicable to a broad type of certificates, even if its prime purpose is to facilitate issuance of Qualified Certificates.
* 对导言部分进行了一些编辑性澄清,以澄清此概要通常适用于广泛类型的证书,即使其主要目的是促进合格证书的颁发。
* To align with RFC 3280, support for domainComponent and title attributes in subject names are included, and postalAddress is no longer supported.
* 为了与RFC 3280保持一致,包括对主题名称中的domainComponent和title属性的支持,并且不再支持postalAddress。
* To align with actual usage, support for the title attribute in the subject directory attributes extension is no longer supported.
* 为了与实际使用保持一致,不再支持“主题目录属性”扩展中的“标题”属性。
* To better facilitate broad applicability of this profile, some constraints on key usage settings in the key usage extension have been removed.
* 为了更好地促进此配置文件的广泛适用性,已删除密钥使用扩展中对密钥使用设置的一些限制。
* A new qc-Statement reflecting this second version of the profile has been defined in Section 3.2.6.1. This profile obsoletes RFC 3039, but the qc-statement reflecting compliance with RFC 3039 is also defined for backwards compatibility.
* 第3.2.6.1节中定义了反映该第二版配置文件的新qc声明。此配置文件淘汰了RFC 3039,但反映符合RFC 3039的qc声明也定义为向后兼容性。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC 2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照BCP 14、[RFC 2119]中的说明进行解释。
The term "Qualified Certificate" is used by the European Directive on Electronic Signature [EU-ESDIR] to refer to a specific type of certificates, with appliance in European electronic signature legislation. This specification is intended to support this class of certificates, but its scope is not limited to this application.
欧洲电子签名指令[EU-ESDIR]使用术语“合格证书”来指代一种特定类型的证书,适用于欧洲电子签名立法。本规范旨在支持此类证书,但其范围不限于此应用。
Within this standard, the term "Qualified Certificate" is used generally, describing a certificate whose primary purpose is to identify a person with a high level of assurance, where the certificate meets some qualification requirements defined by an applicable legal framework, such as the European Directive on Electronic Signature [EU-ESDIR]. The actual mechanisms that decide whether a certificate should or should not be considered a "Qualified Certificate" in regard to any legislation are outside the scope of this standard.
在本标准中,通常使用术语“合格证书”,描述其主要目的是识别具有高水平保证的人员的证书,该证书满足适用法律框架定义的某些资格要求,如欧洲电子签名指令[EU-ESDIR]。就任何立法而言,决定证书是否应被视为“合格证书”的实际机制不在本标准的范围之内。
Harmonization in the field of identity certificates issued to natural persons, in particular Qualified Certificates, is essential within several aspects that fall outside the scope of RFC 3280. The most important aspects that affect the scope of this specification are:
在不属于RFC 3280范围的几个方面,向自然人颁发的身份证书,特别是合格证书领域的统一至关重要。影响本规范范围的最重要方面包括:
- Definition of names and identity information in order to identify the associated subject in a uniform way.
- 定义姓名和身份信息,以便以统一的方式识别相关主题。
- Definition of information which identifies the CA and the jurisdiction under which the CA operates when issuing a particular certificate.
- 在颁发特定证书时,标识CA和CA运行所在司法管辖区的信息的定义。
- Definition of key usage extension usage for Qualified Certificates.
- 限定证书的密钥用法扩展用法的定义。
- Definition of information structure for storage of biometric information.
- 生物特征信息存储的信息结构定义。
- Definition of a standardized way to store predefined statements with relevance for Qualified Certificates.
- 定义一种标准化方法,用于存储与合格证书相关的预定义语句。
- Requirements for critical extensions.
- 关键扩展的需求。
This profile accommodates profiling needs for Qualified Certificates based on the assumptions that:
此配置文件满足基于以下假设的合格证书的配置需求:
- Qualified Certificates are issued by a CA that makes a statement that the certificate serves the purpose of a Qualified Certificate, as discussed in Section 2.2.
- 合格证书由CA颁发,CA声明该证书用于合格证书的目的,如第2.2节所述。
- The Qualified Certificate indicates a certificate policy consistent with liabilities, practices, and procedures undertaken by the CA, as discussed in Section 2.3.
- 合格证书表示与CA承担的责任、实践和程序一致的证书政策,如第2.3节所述。
- The Qualified Certificate is issued to a natural person (living human being).
- 合格证书颁发给自然人(活人)。
- The Qualified Certificate contains a name which may be either based on the real name of the subject or a pseudonym.
- 合格证书包含一个名称,该名称可以基于受试者的真实姓名,也可以基于笔名。
This profile defines conventions to declare within a certificate that it serves the purpose of being a Qualified Certificate. This enables the CA to explicitly define this intent.
此配置文件定义了在证书中声明其用作合格证书的约定。这使CA能够显式定义此意图。
The function of this declaration is thus to assist any concerned entity in evaluating the risk associated with creating or accepting signatures that are based on a Qualified Certificate.
因此,本声明的功能是帮助任何相关实体评估与创建或接受基于合格证书的签名相关的风险。
This profile defines two ways to include this information:
此配置文件定义了两种包含此信息的方式:
- As information defined by a certificate policy included in the certificate policies extension, and
- 由证书策略扩展中包含的证书策略定义的信息,以及
- As a statement included in the Qualified Certificates Statements extension.
- 作为合格证书语句扩展中包含的语句。
Certain policy aspects define the context in which this profile is to be understood and used. It is however outside the scope of this profile to specify any policies or legal aspects that will govern services that issue or utilize certificates according to this profile.
某些政策方面定义了理解和使用此概要文件的上下文。但是,指定将管理根据此配置文件颁发或使用证书的服务的任何策略或法律方面超出了此配置文件的范围。
It is however an underlying assumption in this profile that a responsible issuing CA will undertake to follow a certificate policy that is consistent with its liabilities, practices, and procedures.
然而,本简介中的一个基本假设是,负责签发证书的CA将承诺遵守与其责任、惯例和程序一致的证书政策。
Distinguished name is originally defined in X.501 [X.501] as a representation of a directory name, defined as a construct that identifies a particular object from among a set of all objects. The distinguished name MUST be unique for each subject entity certified by the one CA as defined by the issuer name field, for the whole life time of the CA.
可分辨名称最初在X.501[X.501]中定义为目录名的表示形式,定义为从一组对象中标识特定对象的构造。在CA的整个生命周期内,由“发卡机构名称”字段定义的一个CA认证的每个主体实体的可分辨名称必须是唯一的。
This section defines certificate profiling conventions. The profile is based on the Internet certificate profile RFC 3280, which in turn is based on the X.509 version 3 format. For full implementation of this section, implementers are REQUIRED to consult the underlying formats and semantics defined in RFC 3280.
本节定义证书配置约定。该配置文件基于Internet证书配置文件RFC 3280,后者又基于X.509版本3格式。对于本节的完整实现,实现者需要参考RFC3280中定义的底层格式和语义。
ASN.1 definitions, relevant for this section that are not supplied by RFC 3280, are supplied in Appendix A.
附录A中提供了RFC 3280未提供的与本节相关的ASN.1定义。
This section provides additional details regarding the contents of two fields in the basic certificate. These fields are the issuer and subject fields.
本节提供有关基本证书中两个字段内容的其他详细信息。这些字段是颁发者和主题字段。
The issuer field SHALL identify the organization responsible for issuing the certificate. The name SHOULD be an officially registered name of the organization.
颁发者字段应确定负责颁发证书的组织。该名称应为组织的正式注册名称。
The distinguished name of the issuer SHALL be specified using an appropriate subset of the following attributes:
应使用以下属性的适当子集指定发行人的可分辨名称:
domainComponent;
countryName;
stateOrProvinceName;
organizationName;
localityName; and
serialNumber.
domainComponent;
countryName;
stateOrProvinceName;
organizationName;
localityName; and
serialNumber.
The domainComponent attribute is defined in [RFC 2247], all other attributes are defined in [RFC 3280] and [X.520].
domainComponent属性在[RFC 2247]中定义,所有其他属性在[RFC 3280]和[X.520]中定义。
Additional attributes MAY be present, but they SHOULD NOT be necessary to identify the issuing organization.
可能存在其他属性,但它们不应是标识发布组织所必需的。
A relying party MAY have to consult associated certificate policies and/or the issuer's CPS, in order to determine the semantics of name fields.
依赖方可能必须参考相关的证书策略和/或发卡机构的CP,以确定名称字段的语义。
The subject field of a certificate compliant with this profile SHALL contain a distinguished name of the subject (see 2.4 for definition of distinguished name).
符合此配置文件的证书的主题字段应包含主题的可分辨名称(可分辨名称的定义见2.4)。
The subject field SHALL contain an appropriate subset of the following attributes:
主题字段应包含以下属性的适当子集:
domainComponent;
countryName;
commonName;
surname;
givenName;
pseudonym;
serialNumber;
title;
organizationName;
organizationalUnitName;
stateOrProvinceName; and
localityName.
domainComponent;
countryName;
commonName;
surname;
givenName;
pseudonym;
serialNumber;
title;
organizationName;
organizationalUnitName;
stateOrProvinceName; and
localityName.
The domainComponent attribute is defined in [RFC 2247], all other attributes are defined in [RFC 3280] and [X.520].
domainComponent属性在[RFC 2247]中定义,所有其他属性在[RFC 3280]和[X.520]中定义。
Other attributes MAY also be present; however, the use of other attributes MUST NOT be necessary to distinguish one subject name from another subject name. That is, the attributes listed above are sufficient to ensure unique subject names.
其他属性也可能存在;但是,不必使用其他属性来区分一个主题名称和另一个主题名称。也就是说,上面列出的属性足以确保唯一的主题名称。
Of these attributes, the subject field SHALL include at least one of the following:
在这些属性中,主题字段应至少包括以下一项:
Choice I: commonName Choice II: givenName Choice III: pseudonym
选择一:通用名称选择二:givenName选择三:笔名
The countryName attribute value specifies a general context in which other attributes are to be understood. The country attribute does not necessarily indicate the subject's country of citizenship or country of residence, nor does it have to indicate the country of issuance.
countryName属性值指定理解其他属性的一般上下文。国家属性不一定表示受试者的国籍国或居住国,也不一定表示发行国。
Note: Many X.500 implementations require the presence of countryName in the DIT. In cases where the subject name, as specified in the subject field, specifies a public X.500 directory entry, the countryName attribute SHOULD always be present.
注意:许多X.500实现需要在DIT中显示countryName。如果主题字段中指定的主题名称指定了公共X.500目录条目,则countryName属性应始终存在。
The commonName attribute value SHALL, when present, contain a name of the subject. This MAY be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames, and names with spelling other than defined by the registered name MAY be used. To understand the nature of the name presented in commonName, complying applications MAY have to examine present values of the givenName and surname attributes, or the pseudonym attribute.
当存在commonName属性值时,该属性值应包含主题名称。这可能是受试者首选的演示格式,或CA首选的格式,或其他格式。可以使用笔名、昵称和拼写与注册名称不同的名称。为了理解commonName中显示的名称的性质,符合要求的应用程序可能必须检查givenName和姓氏属性或假名属性的当前值。
Note: Many client implementations presuppose the presence of the commonName attribute value in the subject field and use this value to display the subject's name regardless of present givenName, surname, or pseudonym attribute values.
注意:许多客户端实现预先假定主题字段中存在commonName属性值,并使用此值显示主题的名称,而不管当前的给定名称、姓氏或假名属性值如何。
The surname and givenName attribute types SHALL be used in the subject field if neither the commonName attribute nor the pseudonym attribute is present. In cases where the subject only has a givenName, the surname attribute SHALL be omitted.
如果commonName属性和假名属性均不存在,则应在主题字段中使用姓氏和givenName属性类型。如果主体只有一个给定名称,则应省略姓氏属性。
The pseudonym attribute type SHALL, if present, contain a pseudonym of the subject. Use of the pseudonym attribute MUST NOT be combined with use of any of the attributes surname and/or givenName.
笔名属性类型(如果存在)应包含主题的笔名。笔名属性的使用不得与任何姓氏和/或givenName属性的使用相结合。
The serialNumber attribute type SHALL, when present, be used to differentiate between names where the subject field would otherwise be identical. This attribute has no defined semantics beyond ensuring uniqueness of subject names. It MAY contain a number or code assigned by the CA or an identifier assigned by a government or civil authority. It is the CA's responsibility to ensure that the serialNumber is sufficient to resolve any subject name collisions.
如果存在serialNumber属性类型,则应使用该属性类型区分主题字段相同的名称。除了确保主题名称的唯一性外,该属性没有定义的语义。它可能包含由CA分配的编号或代码,或由政府或民事机构分配的标识符。CA有责任确保序列号足以解决任何主题名称冲突。
The title attribute type SHALL, when present, be used to store a designated position or function of the subject within the organization specified by present organizational attributes in the subject field. The association between the title, the subject, and the organization is beyond the scope of this document.
标题属性类型(如果存在)应用于存储主题字段中当前组织属性指定的组织内主题的指定位置或功能。标题、主题和组织之间的关联超出了本文档的范围。
The organizationName and the organizationalUnitName attribute types SHALL, when present, be used to store the name and relevant information of an organization with which the subject is
organizationName和organizationalUnitName属性类型(如果存在)应用于存储主题所在组织的名称和相关信息
associated. The type of association between the organization and the subject is beyond the scope of this document.
相关。组织与主题之间的关联类型超出了本文档的范围。
The stateOrProvinceName and the localityName attribute types SHALL, when present, be used to store geographical information with which the subject is associated. If an organizationName value is also present, then the stateOrProvinceName and localityName attribute values SHALL be associated with the specified organization. The type of association between the stateOrProvinceName and the localityName and either the subject or the organizationName is beyond the scope of this document.
stateOrProvinceName和LocationName属性类型(如果存在)应用于存储与主题相关联的地理信息。如果还存在organizationName值,则stateOrProvinceName和LocationName属性值应与指定的组织相关联。stateOrProvinceName和LocationName以及subject或organizationName之间的关联类型超出了本文档的范围。
Compliant implementations SHALL be able to interpret the attributes named in this section.
合规实施应能够解释本节中指定的属性。
This section provides additional details regarding the contents of four certificate extensions defined in RFC 3280: Subject Alternative Name, Subject directory attributes, Certificate policies, and Key usage. This section also defines two additional extensions: biometric information and qualified certificate statements.
本节提供有关RFC 3280中定义的四个证书扩展的内容的其他详细信息:使用者替代名称、使用者目录属性、证书策略和密钥使用。本节还定义了两个附加扩展:生物特征信息和合格证书声明。
If the subjectAltName extension is present, and it contains a directoryName name, then the directoryName MUST follow the conventions specified in section 3.1.2 of this profile.
如果存在subjectAltName扩展名,并且它包含directoryName名称,则directoryName必须遵循本配置文件第3.1.2节中指定的约定。
The subjectDirectoryAttributes extension MAY be present and MAY contain additional attributes associated with the subject, as a complement to present information in the subject field and the subject alternative name extension.
subjectDirectoryAttributes扩展可以存在,并且可以包含与主题相关联的附加属性,作为在主题字段和主题备选名称扩展中呈现信息的补充。
Attributes suitable for storage in this extension are attributes which are not part of the subject's distinguished name, but which MAY still be useful for other purposes (e.g., authorization).
适合在此扩展中存储的属性是不属于受试者可分辨名称的属性,但这些属性可能仍对其他用途有用(例如,授权)。
This extension MUST NOT be marked critical.
此扩展不能标记为关键。
Compliant implementations SHALL be able to interpret the following attributes:
合规实施应能够解释以下属性:
dateOfBirth;
placeOfBirth;
gender;
dateOfBirth;
placeOfBirth;
gender;
countryOfCitizenship; and countryOfResidence.
公民国家;和居住国。
Other attributes MAY be included according to local definitions.
根据本地定义,可以包括其他属性。
The dateOfBirth attribute SHALL, when present, contain the value of the date of birth of the subject. The manner in which the date of birth is associated with the subject is outside the scope of this document. The date of birth is defined in the GeneralizedTime format and SHOULD specify GMT 12.00.00 (noon) down to the granularity of seconds, in order to prevent accidental change of date due to time zone adjustments. For example, a birth date of September 27, 1959 is encoded as "19590927120000Z". Compliant certificate parsing applications SHOULD ignore any time data and just present the contained date without any time zone adjustments.
dateOfBirth属性存在时,应包含受试者出生日期的值。出生日期与受试者的关联方式不在本文件范围内。出生日期以GeneralizedTime格式定义,应将GMT 12.00.00(中午)指定为秒级,以防止因时区调整而意外更改日期。例如,1959年9月27日的出生日期编码为“19590927120000Z”。兼容的证书解析应用程序应忽略任何时间数据,只显示包含的日期,而不进行任何时区调整。
The placeOfBirth attribute SHALL, when present, contain the value of the place of birth of the subject. The manner in which the place of birth is associated with the subject is outside the scope of this document.
出生地点属性存在时,应包含受试者出生地点的值。出生地与受试者的关联方式不在本文件范围内。
The gender attribute SHALL, when present, contain the value of the gender of the subject. For females the value "F" (or "f"), and for males the value "M" (or "m"), have to be used. The manner in which the gender is associated with the subject is outside the scope of this document.
性别属性存在时,应包含主体性别的价值。对于女性,必须使用值“F”(或“F”),对于男性,必须使用值“M”(或“M”)。性别与主题的关联方式不在本文件范围内。
The countryOfCitizenship attribute SHALL, when present, contain the identifier of at least one of the subject's claimed countries of citizenship at the time the certificate was issued. If more than one country of citizenship is specified, each country of citizenship SHOULD be specified through a separate, single-valued countryOfCitizenship attribute. Determination of citizenship is a matter of law and is outside the scope of this document.
“公民身份国家”属性在出现时应包含至少一个主体在颁发证书时声称的公民身份国家的标识符。如果指定了一个以上的公民身份国家,则每个公民身份国家应通过单独的、单一价值的公民身份国家属性指定。公民身份的确定是一个法律问题,不在本文件的范围之内。
The countryOfResidence attribute SHALL, when present, contain the value of at least one country in which the subject is resident. If more than one country of residence is specified, each country of residence SHOULD be specified through a separate, single-valued countryOfResidence attribute. Determination of residence is a matter of law and is outside the scope of this document.
当存在countryOfResidence属性时,该属性应包含受试者居住的至少一个国家的值。如果指定了多个居住国,则应通过单独的、单值的countryOfResidence属性指定每个居住国。确定居住地是一个法律问题,不在本文件的范围之内。
The certificate policies extension SHALL be present and SHALL contain the identifier of at least one certificate policy which reflects the practices and procedures undertaken by the CA. The certificate policy extension MAY be marked critical.
证书政策扩展应存在,并应包含至少一个证书政策的标识符,该标识符反映CA采取的实践和程序。证书政策扩展可标记为关键。
Information provided by the issuer stating the purpose of the certificate, as discussed in Section 2.2, SHOULD be evident through indicated policies.
如第2.2节所述,发行人提供的说明证书目的的信息应通过指定的政策予以证明。
The certificate policies extension MUST include all policy information needed for certification path validation. If policy related statements are included in the QCStatements extension (see 3.2.6), then these statements SHOULD also be contained in the identified policies.
证书策略扩展必须包括证书路径验证所需的所有策略信息。如果政策相关声明包含在QCStatements扩展中(见3.2.6),则这些声明也应包含在已识别的政策中。
Certificate policies MAY be combined with any qualifier defined in RFC 3280.
证书策略可以与RFC 3280中定义的任何限定符组合。
The key usage extension SHALL be present. Key usage settings SHALL be set in accordance with RFC 3280 definitions. Further requirements on key usage settings MAY be defined by local policy and/or local legal requirements.
应提供密钥使用扩展。密钥使用设置应根据RFC 3280定义进行设置。有关密钥使用设置的进一步要求可由当地政策和/或当地法律要求确定。
The key usage extension SHOULD be marked critical.
密钥使用扩展应标记为关键。
This section defines an OPTIONAL extension for storage of biometric information. Biometric information is stored in the form of a hash of a biometric template.
本节定义了生物特征信息存储的可选扩展。生物测定信息以生物测定模板的散列形式存储。
The purpose of this extension is to provide a means for the authentication of biometric information. The biometric information that corresponds to the stored hash is not stored in this extension, but the extension MAY include a URI (sourceDataUri) that references a file containing this information.
此扩展的目的是为生物特征信息的认证提供一种方法。与存储的散列相对应的生物识别信息不存储在此扩展中,但该扩展可以包括引用包含此信息的文件的URI(sourceDataUri)。
If included, the URI MUST use the HTTP scheme (http://) [HTTP/1.1] or the HTTPS scheme (https://) [RFC 2818]. Since the fact that identifying data is being checked may itself be sensitive information, those deploying this mechanism may also wish to consider using URIs which cannot be easily tied by outsiders to the identities of those whose information is being retrieved.
如果包含,URI必须使用HTTP方案(HTTP://)[HTTP/1.1]或HTTPS方案(HTTPS://)[RFC 2818]。由于识别数据正在被检查的事实本身可能是敏感的信息,部署这种机制的人也希望考虑使用URI,这些URI不能容易地被局外人绑定到那些正在检索信息的人的身份上。
Use of the URI option presumes that the data encoding format of the file content is determined through means outside the scope of this specification, such as file naming conventions and metadata inside the file. Use of this URI option does not imply that it is the only way to access this information.
URI选项的使用假定文件内容的数据编码格式是通过本规范范围之外的方式确定的,例如文件命名约定和文件内的元数据。使用此URI选项并不意味着它是访问此信息的唯一方法。
It is RECOMMENDED that biometric information in this extension be limited to information types suitable for human verification, i.e., where the decision of whether the information is an accurate representation of the subject is naturally performed by a person. This implies a usage where the biometric information is represented by, for example, a graphical image displayed to the relying party, which MAY be used by the relying party to enhance identification of the subject.
建议将此扩展中的生物特征信息限制为适合人类验证的信息类型,即信息是否是受试者的准确表示的决定自然由人执行。这意味着使用生物测定信息由例如显示给依赖方的图形图像表示,依赖方可以使用该图形图像来增强对象的识别。
This extension MUST NOT be marked critical.
此扩展不能标记为关键。
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataID OBJECT IDENTIFIER }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataID OBJECT IDENTIFIER }
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
The predefined biometric type picture, when present, SHALL identify that the source picture is in the form of a displayable graphical image of the subject. The hash of the graphical image SHALL be calculated over the whole referenced image file.
预定义的生物特征类型图片(当存在时)应确定源图片为可显示的对象图形图像形式。应在整个参考图像文件上计算图形图像的散列。
The predefined biometric type handwritten-signature, when present, SHALL identify that the source data is in the form of a displayable graphical image of the subject's handwritten signature. The hash of the graphical image SHALL be calculated over the whole referenced image file.
预定义的生物特征类型手写签名(如有)应确定源数据为受试者手写签名的可显示图形图像形式。应在整个参考图像文件上计算图形图像的散列。
This section defines an OPTIONAL extension for the inclusion of statements defining explicit properties of the certificate.
本节定义了一个可选扩展,用于包含定义证书显式属性的语句。
Each statement SHALL include an object identifier for the statement and MAY also include optional qualifying data contained in the statementInfo parameter.
每个语句应包括语句的对象标识符,还可以包括statementInfo参数中包含的可选限定数据。
If the statementInfo parameter is included, then the object identifier of the statement SHALL define the syntax and SHOULD define the semantics of this parameter. If the object identifier does not define the semantics, a relying party may have to consult a relevant certificate policy or CPS to determine the exact semantics.
如果包含statementInfo参数,则语句的对象标识符应定义语法,并应定义此参数的语义。如果对象标识符没有定义语义,依赖方可能必须咨询相关的证书策略或CPS以确定确切的语义。
This extension may be critical or non-critical. If the extension is critical, this means that all statements included in the extension are regarded as critical.
此扩展可能是关键的,也可能是非关键的。如果扩展是关键的,这意味着扩展中包含的所有语句都被视为关键的。
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&Id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&Id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
SupportedStatements QC-STATEMENT ::= { qcStatement-1,...}
SupportedStatements QC-STATEMENT ::= { qcStatement-1,...}
A statement suitable for inclusion in this extension MAY be a statement by the issuer that the certificate is issued as a Qualified Certificate in accordance with a particular legal system (as discussed in Section 2.2).
适用于本扩展的声明可以是发行人的声明,即该证书是根据特定法律制度(如第2.2节所述)作为合格证书发行的。
Other statements suitable for inclusion in this extension MAY be statements related to the applicable legal jurisdiction within which the certificate is issued. As an example, this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability.
适用于本扩展的其他声明可能是与颁发证书的适用法律管辖区相关的声明。例如,这可能包括证书的最大信赖限制,表明对CA责任的限制。
The certificate statement (id-qcs-pkixQCSyntax-v1), identifies conformance with requirements defined in the obsoleted RFC 3039 (Version 1). This statement is thus provided for identification of old certificates issued in conformance with RFC 3039. This statement MUST NOT be included in certificates issued in accordance with this profile.
证书声明(id-qcs-pkixQCSyntax-v1)确定了与废弃RFC 3039(版本1)中定义的要求的一致性。因此,本声明用于识别根据RFC 3039颁发的旧证书。本声明不得包含在根据本概要文件颁发的证书中。
This profile includes a new qualified certificate statement (identified by the OID id-qcs-pkixQCSyntax-v2), identifying conformance with requirements defined in this profile. This Qualified Certificate profile is referred to as version 2, while RFC 3039 is referred to as version 1.
此概要文件包括一个新的合格证书声明(由OID id-qcs-pkixQCSyntax-v2标识),用于标识与此概要文件中定义的要求的一致性。此合格证书配置文件称为版本2,而RFC 3039称为版本1。
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1 }
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement may
-- optionally contain additional semantics information as
-- specified below.
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1 }
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement may
-- optionally contain additional semantics information as
-- specified below.
qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v2 }
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v2 }
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities
OPTIONAL }
(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities
OPTIONAL }
(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
GeneralName
The SementicsInformation component identified by id-qcs-pkixQCSyntax-v1 MAY contain a semantics identifier and MAY identify one or more name registration authorities.
id-qcs-pkixQCSyntax-v1标识的SementicsInformation组件可以包含语义标识符,并且可以标识一个或多个名称注册机构。
The semanticsIdentifier component, if present, SHALL contain an OID, defining semantics for attributes and names in basic certificate fields and certificate extensions. The OID may define semantics for all, or for a subgroup of all present attributes and/or names.
SemanticIdentifier组件(如果存在)应包含OID,定义基本证书字段和证书扩展中属性和名称的语义。OID可以定义所有属性和/或名称的语义,或定义所有现有属性和/或名称的子组的语义。
The NameRegistrationAuthorities component, if present, SHALL contain a name of one or more name registration authorities, responsible for registration of attributes or names associated with the subject. The association between an identified name registration authority and present attributes MAY be defined by a semantics identifier OID, by a certificate policy (or CPS), or some other implicit factors.
NameRegistrationAuthorities组件(如果存在)应包含一个或多个名称注册机构的名称,负责注册与主题相关的属性或名称。可通过语义标识符OID、证书策略(或CPS)或某些其他隐式因素来定义已识别名称注册机构与当前属性之间的关联。
If a value of type SemanticsInformation is present in a QCStatement where the statementID component is set to id-qcs-pkix-QCSyntax-v1 or id-qcs-pkix-QCSyntax-v2, then at least one of the semanticsIdentifier or nameRegistrationAuthorities fields must be present, as indicated. Note that the statementInfo component need not be present in a QCStatement value even if the statementID component is set to id-qcs-pkix-QCSyntax-v1 or id-qcs-pkix-QCSyntax-v2.
如果在statementID组件设置为id-qcs-pkix-QCSyntax-v1或id-qcs-pkix-QCSyntax-v2的QCStatement中存在SemanticInformation类型的值,则必须至少存在一个SemanticIdentifier或nameRegistrationAuthorities字段,如图所示。请注意,即使statementID组件设置为id-qcs-pkix-QCSyntax-v1或id-qcs-pkix-QCSyntax-v2,statementInfo组件也不必出现在QCStatement值中。
The legal value of a digital signature that is validated with a Qualified Certificate will be highly dependent upon the policy governing the use of the associated private key. Both the private key holder, as well as the relying party, should make sure that the private key is used only with the consent of the legitimate key holder.
使用合格证书验证的数字签名的法律价值在很大程度上取决于管理相关私钥使用的策略。私钥持有人和依赖方都应确保私钥仅在合法密钥持有人同意的情况下使用。
Since the public keys are for public use with legal implications for involved parties, certain conditions should exist before CAs issue certificates as Qualified Certificates. The associated private keys must be unique for the subject, and must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the means to use the private key is not protected against unintended usage. This implies that the CA has some knowledge about the subject's cryptographic module.
由于公钥是供公众使用的,对相关方有法律影响,因此在CAs将证书作为合格证书颁发之前,应具备某些条件。相关的私钥对于主体而言必须是唯一的,并且必须由主体单独控制。也就是说,如果使用私钥的方法未受到保护以防止意外使用,则CA不应颁发合格证书。这意味着CA对主体的加密模块有一些了解。
The CA must further verify that the public key contained in the certificate is legitimately representing the subject.
CA必须进一步验证证书中包含的公钥是否合法地代表主题。
CAs should not issue CA certificates with policy mapping extensions indicating acceptance of another CA's policy unless these conditions are met.
CA不应颁发带有策略映射扩展的CA证书,以表明接受另一CA的策略,除非满足这些条件。
Combining the nonRepudiation bit in the keyUsage certificate extension with other keyUsage bits may have security implications depending on the context in which the certificate is to be used. Applications validating electronic signatures based on such certificates should determine whether the present key usage combination is appropriate for their use.
根据要使用证书的上下文,将keyUsage证书扩展中的非否认位与其他keyUsage位组合可能具有安全含义。基于此类证书验证电子签名的应用程序应确定当前密钥使用组合是否适合其使用。
The ability to compare two qualified certificates to determine if they represent the same physical entity is dependent on the semantics of the subjects' names. The semantics of a particular attribute may be different for different issuers. Comparing names without knowledge of the semantics of names in these particular certificates may provide misleading results.
比较两个合格证书以确定它们是否代表同一物理实体的能力取决于受试者姓名的语义。对于不同的发行人,特定属性的语义可能不同。在不了解这些特定证书中名称的语义的情况下比较名称可能会产生误导性结果。
This specification is a profile of RFC 3280. The security considerations section of that document applies to this specification as well.
本规范是RFC 3280的概要。该文件的安全注意事项部分也适用于本规范。
A. ASN.1 Definitions
A.ASN.1定义
As in RFC 3280, ASN.1 modules are supplied in two different variants of the ASN.1 syntax.
与RFC3280一样,ASN.1模块以ASN.1语法的两种不同变体提供。
Appendix A.1 is in the 1988 syntax, and does not use macros. However, since the module imports type definitions from modules in RFC 3280 which are not completely in the 1988 syntax, the same comments as in RFC 3280 regarding its use applies here as well; i.e., Appendix A.1 may be parsed by an 1988 ASN.1-parser by removing the definitions for the UNIVERSAL types and all references to them in RFC 3280's 1988 modules.
附录A.1采用1988年的语法,不使用宏。但是,由于模块从RFC 3280中的模块导入类型定义,这些模块不完全符合1988年的语法,因此与RFC 3280中关于其使用的相同注释也适用于此处;i、 例如,附录A.1可由1988 ASN.1解析器通过删除通用类型的定义以及RFC 3280 1988模块中对通用类型的所有引用来解析。
Appendix A.2 is in the 1997 syntax.
附录A.2采用1997年的语法。
In case of discrepancies between these modules, the 1988 module is the normative one.
如果这些模块之间存在差异,则1988模块为规范模块。
PKIXqualified88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert(31) }
PKIXqualified88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert(31) }
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
IMPORTS
进口
GeneralName
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19)}
GeneralName
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19)}
AlgorithmIdentifier, DirectoryString, AttributeType, id-pkix, id-pe
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18)};
AlgorithmIdentifier, DirectoryString, AttributeType, id-pkix, id-pe
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18)};
-- Locally defined OIDs
--局部定义的OID
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Personal data attributes
--个人资料属性
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
DateOfBirth ::= GeneralizedTime
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
DateOfBirth ::= GeneralizedTime
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
PlaceOfBirth ::= DirectoryString
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
PlaceOfBirth ::= DirectoryString
id-pda-gender AttributeType ::= { id-pda 3 }
Gender ::= PrintableString (SIZE(1))
-- "M", "F", "m" or "f"
id-pda-gender AttributeType ::= { id-pda 3 }
Gender ::= PrintableString (SIZE(1))
-- "M", "F", "m" or "f"
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
CountryOfResidence ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
CountryOfResidence ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
-- Certificate extensions
--证书扩展
-- Biometric info extension
--生物特征信息扩展
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
PredefinedBiometricType ::= INTEGER {
picture(0), handwritten-signature(1)}
(picture|handwritten-signature)
PredefinedBiometricType ::= INTEGER {
picture(0), handwritten-signature(1)}
(picture|handwritten-signature)
-- QC Statements Extension
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
-- QC Statements Extension
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3}
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3}
QCStatements ::= SEQUENCE OF QCStatement
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId OBJECT IDENTIFIER,
statementInfo ANY DEFINED BY statementId OPTIONAL}
QCStatement ::= SEQUENCE {
statementId OBJECT IDENTIFIER,
statementInfo ANY DEFINED BY statementId OPTIONAL}
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement may
-- optionally contain additional semantics information as specified
-- below.
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement may
-- optionally contain additional semantics information as specified
-- below.
id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 }
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 }
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
SemanticsInformation ::= SEQUENCE {
semanticsIndentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
} -- At least one field shall be present
SemanticsInformation ::= SEQUENCE {
semanticsIndentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
} -- At least one field shall be present
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
END
终止
PKIXqualified97 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-97(35) }
PKIXqualified97 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-97(35) }
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
IMPORTS
进口
informationFramework, certificateExtensions, selectedAttributeTypes,
authenticationFramework, upperBounds, id-at
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3 }
informationFramework, certificateExtensions, selectedAttributeTypes,
authenticationFramework, upperBounds, id-at
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3 }
ub-name FROM UpperBounds upperBounds
来自上限的ub名称上限
GeneralName FROM CertificateExtensions certificateExtensions
来自CertificateExtensions CertificateExtensions的常规名称
ATTRIBUTE, AttributeType FROM InformationFramework informationFramework
属性,来自InformationFramework的AttributeType InformationFramework
DirectoryString FROM SelectedAttributeTypes selectedAttributeTypes
SelectedAttributeType中的DirectoryString SelectedAttributeType
AlgorithmIdentifier, Extension, EXTENSION FROM AuthenticationFramework authenticationFramework
算法标识符,扩展,来自AuthenticationFramework AuthenticationFramework的扩展AuthenticationFramework
id-pkix, id-pe
FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) };
id-pkix, id-pe
FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) };
-- Locally defined OIDs
--局部定义的OID
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Personal data attributes
--个人资料属性
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
id-pda-gender AttributeType ::= { id-pda 3 }
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
id-pda-gender AttributeType ::= { id-pda 3 }
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
-- Certificate extensions
--证书扩展
id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
-- QC statements
--质量控制声明
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 }
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
id-qcs-pkixQCSyntax-v2 OBJECT IDENTIFIER ::= { id-qcs 2 }
-- Personal data attributes
--个人资料属性
dateOfBirth ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
ID id-pda-dateOfBirth }
dateOfBirth ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
ID id-pda-dateOfBirth }
placeOfBirth ATTRIBUTE ::= {
WITH SYNTAX DirectoryString {ub-name}
ID id-pda-placeOfBirth }
placeOfBirth ATTRIBUTE ::= {
WITH SYNTAX DirectoryString {ub-name}
ID id-pda-placeOfBirth }
gender ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
ID id-pda-gender }
gender ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
ID id-pda-gender }
countryOfCitizenship ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfCitizenship }
countryOfCitizenship ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfCitizenship }
countryOfResidence ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfResidence }
countryOfResidence ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfResidence }
-- Certificate extensions
--证书扩展
-- Biometric info extension
--生物特征信息扩展
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL,
... -- For future extensions -- }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL,
... -- For future extensions -- }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
生物特征数据对象标识符}
PredefinedBiometricType ::= INTEGER {
picture(0), handwritten-signature(1)}
(picture|handwritten-signature,...)
PredefinedBiometricType ::= INTEGER {
picture(0), handwritten-signature(1)}
(picture|handwritten-signature,...)
-- QC Statements Extension
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
-- QC Statements Extension
-- NOTE: This extension does not allow to mix critical and
-- non-critical Qualified Certificate Statements. Either all
-- statements must be critical or all statements must be
-- non-critical.
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
QCStatements ::= SEQUENCE OF QCStatement
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QC-STATEMENT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL }
WITH SYNTAX {
[SYNTAX &Type] IDENTIFIED BY &id }
QC-STATEMENT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL }
WITH SYNTAX {
[SYNTAX &Type] IDENTIFIED BY &id }
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement
-- may optionally contain additional semantics information
-- as specified below.
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
-- This statement identifies conformance with requirements
-- defined in RFC 3039 (Version 1). This statement
-- may optionally contain additional semantics information
-- as specified below.
qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v2}
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v2}
-- This statement identifies conformance with requirements
-- defined in this Qualified Certificate profile
-- (Version 2). This statement may optionally contain
-- additional semantics information as specified below.
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
}(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
}(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize as QCSs.
SupportedStatements QC-STATEMENT ::= {
qcStatement-1 |
qcStatement-2 , ... -- For future extensions -- }
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize as QCSs.
SupportedStatements QC-STATEMENT ::= {
qcStatement-1 |
qcStatement-2 , ... -- For future extensions -- }
END
终止
B. A Note on Attributes
B.关于属性的说明
This document defines several new attributes, both for use in the subject field of issued certificates and in the subjectDirectoryAttributes extension. A complete definition of these new attributes (including matching rules), along with object classes to support them in LDAP-accessible directories, can be found in PKCS 9 [RFC 2985].
本文档定义了几个新属性,用于已颁发证书的主题字段和subjectDirectoryAttributes扩展。PKCS 9[RFC 2985]中提供了这些新属性(包括匹配规则)的完整定义,以及在LDAP可访问目录中支持它们的对象类。
C. Example Certificate
C.证书范例
This section contains the ASN.1 structure, an ASN.1 dump, and the DER-encoding of a certificate issued in conformance with this profile. The example has been developed with the help of the OSS ASN.1 compiler. The certificate has the following characteristics:
本节包含ASN.1结构、ASN.1转储和根据此配置文件颁发的证书的DER编码。该示例是在OSS ASN.1编译器的帮助下开发的。该证书具有以下特点:
1. The certificate is signed with RSA and the SHA-1 hash algorithm
1. 证书使用RSA和SHA-1哈希算法签名
2. The issuer's distinguished name is (using the syntax specified in [RFC 2253]): O=GMD - Forschungszentrum Informationstechnik GmbH, C=DE
2. 发行人的专有名称为(使用[RFC 2253]中规定的语法):O=GMD-Forschungszentrum Information Stechnik GmbH,C=DE
3. The subject's distinguished name is (using the syntax specified in [RFC 2253]): GN=Petra+SN=Barzin, O=GMD - Forschungszentrum Informationstechnik GmbH, C=DE
3. 受试者的专有名称为(使用[RFC 2253]中规定的语法):GN=Petra+SN=Barzin,O=GMD-Forschungszentrum Information Stechnik GmbH,C=DE
4. The certificate was issued on 1 February, 2004 and will expire on 1 February, 2008
4. 该证书于2004年2月1日颁发,将于2008年2月1日到期
5. The certificate contains a 1024 bit RSA key
5. 证书包含1024位RSA密钥
6. The certificate includes a critical key usage extension exclusively indicating non-repudiation
6. 该证书包含一个关键密钥使用扩展,专门指示不可否认性
7. The certificate includes a certificate policy identifier extension indicating the practices and procedures undertaken by the issuing CA (object identifier 1.3.36.8.1.1). The
7. 该证书包括一个证书策略标识符扩展,指示颁发CA采取的实践和程序(对象标识符1.3.36.8.1.1)。这个
certificate policy object identifier is defined by TeleTrust, Germany.
证书策略对象标识符由德国TeleTrust公司定义。
8. The certificate includes a subject directory attributes extension containing the following attributes:
8. 该证书包括一个主题目录属性扩展,其中包含以下属性:
date of birth: October, 14th 1971 place of birth: Darmstadt country of citizenship:Germany gender: Female
出生日期:1971年10月14日出生地点:达姆施塔特国籍国:德国性别:女性
9. The certificate includes a qualified statement certificate extension indicating that the naming registration authority's name is "municipality@darmstadt.de".
9. 该证书包括一个合格声明证书扩展,表明命名登记机构的名称为“municipality@darmstadt.de".
10. The certificate includes, in conformance with RFC 3280, an authority key identifier extension.
10. 根据RFC 3280,该证书包括一个授权密钥标识符扩展。
Since extensions are DER-encoded already when placed in the structure to be signed, they are, for clarity, shown here in the value notation defined in [X.680].
由于扩展在放置到要签名的结构中时已经进行了DER编码,为了清楚起见,它们在[X.680]中定义的值表示法中显示。
certSubjDirAttrs AttributesSyntax ::= {
{
type id-pda-countryOfCitizenship,
values {
PrintableString : "DE"
}
},
{
type id-pda-gender,
values {
PrintableString : "F"
}
},
{
type id-pda-dateOfBirth,
values {
GeneralizedTime : "197110141200Z"
}
},
{
certSubjDirAttrs AttributesSyntax ::= {
{
type id-pda-countryOfCitizenship,
values {
PrintableString : "DE"
}
},
{
type id-pda-gender,
values {
PrintableString : "F"
}
},
{
type id-pda-dateOfBirth,
values {
GeneralizedTime : "197110141200Z"
}
},
{
type id-pda-placeOfBirth,
values {
DirectoryString : utf8String : "Darmstadt"
}
}
}
type id-pda-placeOfBirth,
values {
DirectoryString : utf8String : "Darmstadt"
}
}
}
certKeyUsage KeyUsage ::= {nonRepudiation}
certKeyUsage KeyUsage ::= {nonRepudiation}
certCertificatePolicies CertificatePoliciesSyntax ::= {
{
policyIdentifier {1 3 36 8 1 1}
}
}
certCertificatePolicies CertificatePoliciesSyntax ::= {
{
policyIdentifier {1 3 36 8 1 1}
}
}
certQCStatement QCStatements ::= {
{
statementId id-qcs-pkixQCSyntax-v2,
statementInfo SemanticsInformation : {
nameRegistrationAuthorities {
rfc822Name : "municipality@darmstadt.de"
}
}
}
}
certQCStatement QCStatements ::= {
{
statementId id-qcs-pkixQCSyntax-v2,
statementInfo SemanticsInformation : {
nameRegistrationAuthorities {
rfc822Name : "municipality@darmstadt.de"
}
}
}
}
certAKI AuthorityKeyIdentifier ::= {
keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H
}
certAKI AuthorityKeyIdentifier ::= {
keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H
}
The signed portion of the certificate is shown here in the value notation defined in [X.680]. Note that extension values are already DER encoded in this structure. Some values have been truncated for readability purposes.
证书的签名部分在此以[X.680]中定义的值表示法显示。请注意,扩展值已经在此结构中进行了DER编码。出于可读性目的,某些值已被截断。
certCertInfo CertificateInfo ::= {
version v3,
serialNumber 1234567890,
certCertInfo CertificateInfo ::= {
version v3,
serialNumber 1234567890,
signature
{
algorithm { 1 2 840 113549 1 1 5 },
parameters RSAParams : NULL
},
issuer rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
}
}
},
validity
{
notBefore utcTime : "040201100000Z",
notAfter utcTime : "080201100000Z"
},
subject rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
"GMD Forschungszentrum Informationstechnik GmbH"
}
},
{
{
type { 2 5 4 4 },
value UTF8String : "Barzin"
},
{
type { 2 5 4 42 },
value UTF8String : "Petra"
signature
{
algorithm { 1 2 840 113549 1 1 5 },
parameters RSAParams : NULL
},
issuer rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
}
}
},
validity
{
notBefore utcTime : "040201100000Z",
notAfter utcTime : "080201100000Z"
},
subject rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
"GMD Forschungszentrum Informationstechnik GmbH"
}
},
{
{
type { 2 5 4 4 },
value UTF8String : "Barzin"
},
{
type { 2 5 4 42 },
value UTF8String : "Petra"
}
}
},
subjectPublicKeyInfo
{
algorithm
{
algorithm { 1 2 840 113549 1 1 1 },
parameters RSAParams : NULL
},
subjectPublicKey '30818902818100DCE74CD5...0203010001'H
},
extensions
{
{
extnId { 2 5 29 9 }, -- subjectDirectoryAttributes
extnValue '305B301006082B0601050507090...7374616474'H
},
{
extnId { 2 5 29 15 }, -- keyUsage
critical TRUE,
extnValue '03020640'H
},
{
extnId { 2 5 29 32 }, -- certificatePolicies
extnValue '3009300706052B24080101'H
},
{
extnId { 2 5 29 35 }, -- authorityKeyIdentifier
extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H
},
{
extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements
extnValue '302B302906082B06010505070B0...4742E6465 'H
}
}
}
}
}
},
subjectPublicKeyInfo
{
algorithm
{
algorithm { 1 2 840 113549 1 1 1 },
parameters RSAParams : NULL
},
subjectPublicKey '30818902818100DCE74CD5...0203010001'H
},
extensions
{
{
extnId { 2 5 29 9 }, -- subjectDirectoryAttributes
extnValue '305B301006082B0601050507090...7374616474'H
},
{
extnId { 2 5 29 15 }, -- keyUsage
critical TRUE,
extnValue '03020640'H
},
{
extnId { 2 5 29 32 }, -- certificatePolicies
extnValue '3009300706052B24080101'H
},
{
extnId { 2 5 29 35 }, -- authorityKeyIdentifier
extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H
},
{
extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements
extnValue '302B302906082B06010505070B0...4742E6465 'H
}
}
}
This section contains an ASN.1 dump of the signed portion of the certificate. Some values have been truncated for readability purposes.
本节包含证书签名部分的ASN.1转储。出于可读性目的,某些值已被截断。
CertificateInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 633
version : tag = [0] constructed; length = 3
Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1
2
CertificateInfo SEQUENCE: tag = [UNIVERSAL 16] constructed; length = 633
version : tag = [0] constructed; length = 3
Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1
2
serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2]
primitive; length = 4
1234567890
signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 9
{ 1 2 840 113549 1 1 5 }
parameters OpenType
NULL
issuer Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 72
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 6 } -- id-at-countryName
value PrintableString
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 57
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 55
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 10 } -- id-at-organizationName
value UTF8String
"GMD Forschungszentrum Informationstechnik GmbH"
validity Validity SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 30
notBefore Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
040201100000Z
notAfter Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
080201100000Z
subject Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 101
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2]
primitive; length = 4
1234567890
signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 9
{ 1 2 840 113549 1 1 5 }
parameters OpenType
NULL
issuer Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 72
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 6 } -- id-at-countryName
value PrintableString
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 57
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 55
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 10 } -- id-at-organizationName
value UTF8String
"GMD Forschungszentrum Informationstechnik GmbH"
validity Validity SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 30
notBefore Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
040201100000Z
notAfter Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
080201100000Z
subject Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 101
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 6 } -- id-at-countryName
value PrintableString
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 55
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 53
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 10 } -- id-at-organizationName
value UTF8String
"GMD Forschungszentrum Informationstechnik GmbH"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 29
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 4 } -- id-at-surname
value UTF8String
"Barzin"
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 12
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 42 } -- id-at-givenName
value UTF8String
"Petra"
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE:
tag = [UNIVERSAL 16] constructed; length = 159
algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 9
{ 1 2 840 113549 1 1 1 } -- rsaEncryption
parameters OpenType
NULL
subjectPublicKey BIT STRING: tag = [UNIVERSAL 3]
primitive; length = 141
0x0030818902818100dce74cd5a1d55aeb01cf5ecc20f3c3fca787...
extensions : tag = [3] constructed; length = 233
Extensions SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 230
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 100
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 9 } -- id-ce-subjectDirectoryAttributes
{ 2 5 4 6 } -- id-at-countryName
value PrintableString
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 55
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 53
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 10 } -- id-at-organizationName
value UTF8String
"GMD Forschungszentrum Informationstechnik GmbH"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 29
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 4 } -- id-at-surname
value UTF8String
"Barzin"
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 12
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 4 42 } -- id-at-givenName
value UTF8String
"Petra"
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE:
tag = [UNIVERSAL 16] constructed; length = 159
algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 9
{ 1 2 840 113549 1 1 1 } -- rsaEncryption
parameters OpenType
NULL
subjectPublicKey BIT STRING: tag = [UNIVERSAL 3]
primitive; length = 141
0x0030818902818100dce74cd5a1d55aeb01cf5ecc20f3c3fca787...
extensions : tag = [3] constructed; length = 233
Extensions SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 230
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 100
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 9 } -- id-ce-subjectDirectoryAttributes
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 93
0x305b301006082b06010505070904310413024445300f06082...
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 14
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 15 } -- id-ce-keyUsage
critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1
TRUE
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 4
0x03020640
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 18
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 32 } -- id-ce-certificatePolicies
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 11
0x3009300706052b24080101
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 31
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 35 } -- id-ce-authorityKeyIdentifier
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 24
0x30168014000102030405060708090a0b0c0d0e0ffedcba98
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 57
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 8
{ 1 3 6 1 5 5 7 1 3 } -- id-pe-qcStatements
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 45
0x302b302906082b06010505070b02301d301b81196d756e696...
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 93
0x305b301006082b06010505070904310413024445300f06082...
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 14
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 15 } -- id-ce-keyUsage
critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1
TRUE
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 4
0x03020640
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 18
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 32 } -- id-ce-certificatePolicies
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 11
0x3009300706052b24080101
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 31
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 3
{ 2 5 29 35 } -- id-ce-authorityKeyIdentifier
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 24
0x30168014000102030405060708090a0b0c0d0e0ffedcba98
Extension SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 57
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6]
primitive; length = 8
{ 1 3 6 1 5 5 7 1 3 } -- id-pe-qcStatements
extnValue OCTET STRING: tag = [UNIVERSAL 4]
primitive; length = 45
0x302b302906082b06010505070b02301d301b81196d756e696...
This section contains the full, DER-encoded certificate, in hex.
本节包含完整的DER编码证书(十六进制)。
30820310 30820279 A0030201 02020449 9602D230 0D06092A 864886F7 0D010105 05003048 310B3009 06035504 06130244 45313930 37060355 040A0C30 474D4420 2D20466F 72736368 756E6773 7A656E74 72756D20 496E666F 726D6174 696F6E73 74656368 6E696B20 476D6248 301E170D 30343032 30313130 30303030 5A170D30 38303230 31313030 3030305A 3065310B 30090603 55040613 02444531 37303506 0355040A 0C2E474D 4420466F 72736368 756E6773 7A656E74 72756D20 496E666F
30820310 30820279 A0030201 02040449 9602D230 0D06092A 864886F7 0D010105 0503048 310B3009 06035504 06130244 45313930 37060355 040A0C30 474D4420 2D20466F 72736368 756E6773 7A656E74 72756D20 496E66F 726D6174 696F6E63636368 476D630248 170D 30343032 30303030 5A170D30 3861230 313030 303305A02444531 37303506 0355040A 0C2E474D 4420466F 72736368 756E6773 7A656E74 72756D20 496E666F
726D6174 696F6E73 74656368 6E696B20 476D6248 311D300C 06035504 2A0C0550 65747261 300D0603 5504040C 06426172 7A696E30 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 DCE74CD5 A1D55AEB 01CF5ECC 20F3C3FC A787CFCB 571A21AA 8A20AD5D FF015130 DE724E5E D3F95392 E7BB16C4 A71D0F31 B3A9926A 8F08EA00 FDC3A8F2 BB016DEC A3B9411B A2599A2A 8CB655C6 DFEA25BF EDDC73B5 94FAA0EF E595C612 A6AE5B8C 7F0CA19C EC4FE7AB 60546768 4BB2387D 5F2F7EBD BC3EF0A6 04F6B404 01176925 02030100 01A381E9 3081E630 64060355 1D09045D 305B3010 06082B06 01050507 09043104 13024445 300F0608 2B060105 05070903 31031301 46301D06 082B0601 05050709 01311118 0F313937 31313031 34313230 3030305A 30170608 2B060105 05070902 310B0C09 4461726D 73746164 74300E06 03551D0F 0101FF04 04030206 40301206 03551D20 040B3009 30070605 2B240801 01301F06 03551D23 04183016 80140001 02030405 06070809 0A0B0C0D 0E0FFEDC BA983039 06082B06 01050507 0103042D 302B3029 06082B06 01050507 0B02301D 301B8119 6D756E69 63697061 6C697479 40646172 6D737461 64742E64 65300D06 092A8648 86F70D01 01050500 03818100 8F8C80BB B2D86B75 F4E21F82 EFE0F20F 6C558890 A6E73118 8359B9C7 8CE71C92 0C66C600 53FBC924 825090F2 95B08826 EAF3FF1F 5917C80B B4836129 CFE5563E 78592B5B B0F9ACB5 2915F0F2 BC36991F 21436520 E9064761 D932D871 F71FFEBD AD648FA7 CF3C1BC0 96F112D4 B882B39F E1A16A90 AE1A80B8 A9676518 B5AA7E97
726D6174 696F6E73 74656368 6E696B20 476D6248311D300C 06035504 2A0C0550 65747261 300D0603 5504040C 06426172 7A696E30 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 DCE74CD5 A1D55AEB 01CF5ECC 20F3C3FC A787CFB 5711AA 8A20AD5D FF015130 DE724E5E D3F952 E7B16C41 B3A998F08CFB18A29A 26CFB19A211B8CB655C6 DFEA25BF EDDC73B5 94FAA0EF E595C612 A6AE5B8C 7F0CA19C EC4FE7AB 60546768 4B2387D 5F2F7EBD BC3EF0A6 04F6B404 01176925 02030100 01A381E9 3081E630 64060355 1D09045D 305B010 062B06 010507 09043104 13024445 300F0608 2B060105 0570903 31031301 46301406D06 082B06 082B06 0505707070903 31031709 013131318 F313937 3030170505070902 310B0C09 4461726D 73746164 74300E06 03551D00101FF04 0403006 40301206 03551D20 040B3009 30070605 2B24080101F06 03551D23 04183016 80140001 02030405 06070809 0A0B0C0D 0E0FFEDC BA983039 06082B006 010505007 0103042D 302B3029 06082B006 01050505050505007 0B02301D 3011B8119 6D7566D6E69 63697061 6C697479 40646172 64642D086686F70D01 01050500 03818100 8F8C80BB B2D86B75 F4E21F82 EFE0F20F 6C558890 A6E73118 8359B9C7 8CE71C92 0C6600 53FBC924 825090F2 95B08826 EAF3FF1F 5917C80B B48366129 CFE5563E 78592B5B B0F9ACB5 2915F0F2 BC36991F 21436520 E9064761 D932D871 F71FFBD AD64FA7 CF3C1B96F112B517B58
This section contains the DER-encoded public RSA key of the CA who signed the example certificate. It is included with the purpose of simplifying verifications of the example certificate.
本节包含签署示例证书的CA的DER编码公钥RSA。其目的在于简化示例证书的验证。
30818902818100c88f4bdb66f713ba3dd7a9069880e888d4321acb53cda7fcdf da89b834e25430b956d46a438baa6798035af30db378424e00a8296b012b1b24 f9cf0b3f83be116cd8a36957dc3f54cbd7c58a10c380b3dfa15bd2922ea8660f 96e1603d81357c0442ad607c5161d083d919fd5307c1c3fa6dfead0e6410999e 8b8a8411d525dd0203010001
30818902818100C88F4BDB66F713BA3DD7A9069880E888D4321ACB53CD7FCDF DA89B834E25430B956D46A438BAA6798035AF30DB378424E00A8296B012B1B24F9CF0B3F83BE116CD8A36957DC3F54CBD7C58A10C380B3DFA15BD292EA8660F 96E1603D81357C0442AD60C5161D083D919FD5307C1FA6DF0E641099E EAD00100001
References
工具书类
Normative References
规范性引用文件
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber R. and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.
[RFC 2247]Kille,S.,Wahl,M.,Grimstad,A.,Huber R.和S.Sataluri,“使用LDAP/X.500可分辨名称中的域”,RFC 2247,1998年1月。
[RFC 2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC 2818]Rescorla,E.,“TLS上的HTTP”,RFC 2818,2000年5月。
[RFC 2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object Classes and Attribute Types Version 2.0", RFC 2985, November 2000.
[RFC 2985]Nystrom,M.和B.Kaliski,“PKCS#9:选定对象类和属性类型版本2.0”,RFC 2985,2000年11月。
[RFC 3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
[RFC 3280]Housley,R.,Polk,W.,Ford,W.和D.Solo,“Internet X.509公钥基础设施:证书和证书撤销列表(CRL)配置文件”,RFC 3280,2002年4月。
[X.509] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8:2001, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
[X.509]ITU-T建议X.509(2000)| ISO/IEC 9594-8:2001,信息技术-开放系统互连-目录:公钥和属性证书框架
[X.520] ITU-T Recommendation X.520 (2001) | ISO/IEC 9594-6:2001, Information Technology - Open Systems Interconnection - The Directory: Selected Attribute Types, 2001.
[X.520]ITU-T建议X.520(2001)| ISO/IEC 9594-6:2001,信息技术-开放系统互连-目录:选定属性类型,2001。
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002), Information Technology - Abstract Syntax Notation One, 2002.
[X.680]ITU-T建议X.680(2002)| ISO/IEC 8824-1:2002),信息技术-抽象语法符号,2002年。
[ISO 3166] ISO 3166-1:1997, Codes for the representation of names of countries, 1997.
[ISO 3166]ISO 3166-1:1997,国家名称表示代码,1997年。
[HTTP/1.1] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[HTTP/1.1]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.和T.伯纳斯·李,“超文本传输协议——HTTP/1.1”,RFC 2616,1999年6月。
Informative References
资料性引用
[X.501] ITU-T recommendation X.501 (2001) | ISO/IEC 9594-2:2001, Information Technology - Open Systems Interconnection - The Directory: Models, 2001.
[X.501]ITU-T建议X.501(2001)| ISO/IEC 9594-2:2001,信息技术-开放系统互连-目录:模型,2001。
[EU-ESDIR] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, 1999.
[EU-ESDIR]欧洲议会和理事会1999年12月13日关于共同体电子签名框架的第1999/93/EC号指令,1999年。
[RFC 2253] Wahl, M., Kille, S. and T. Howes, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997.
[RFC 2253]Wahl,M.,Kille,S.和T.Howes,“轻量级目录访问协议(v3):可分辨名称的UTF-8字符串表示”,RFC 2253,1997年12月。
Authors' Addresses
作者地址
Stefan Santesson Microsoft Denmark Tuborg Boulevard 12 DK-2900 Hellerup Denmark
Stefan Santesson微软丹麦图堡大道12号DK-2900 Hellerup丹麦
EMail: stefans@microsoft.com
EMail: stefans@microsoft.com
Tim Polk NIST Building 820, Room 426 Gaithersburg, MD 20899, USA
美国马里兰州盖瑟斯堡426室820号NIST大楼Tim Polk 20899
EMail: wpolk@nist.gov
EMail: wpolk@nist.gov
Magnus Nystrom RSA Security Box 10704 S-121 29 Stockholm Sweden
Magnus Nystrom RSA安全信箱10704 S-121 29瑞典斯德哥尔摩
EMail: magnus@rsasecurity.com
EMail: magnus@rsasecurity.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.
版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。