Network Working Group S. Santesson
Request for Comments: 3039 AddTrust
Category: Standards Track W. Polk
NIST
P. Barzin
SECUDE
M. Nystrom
RSA Security
January 2001
Network Working Group S. Santesson
Request for Comments: 3039 AddTrust
Category: Standards Track W. Polk
NIST
P. Barzin
SECUDE
M. Nystrom
RSA Security
January 2001
Internet X.509 Public Key Infrastructure Qualified Certificates Profile
Internet X.509公钥基础结构合格证书配置文件
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
Abstract
摘要
This document forms a certificate profile for Qualified Certificates, based on RFC 2459, for use in the Internet. The term Qualified Certificate is used to describe a certificate with a certain qualified status within applicable governing law. Further, Qualified Certificates are issued exclusively to physical persons.
本文档基于RFC 2459形成合格证书的证书配置文件,供Internet使用。合格证书一词用于描述在适用管辖法律中具有某种合格状态的证书。此外,合格证书仅颁发给自然人。
The goal of this document is to define a general syntax independent of local legal requirements. The profile is however designed to allow further profiling in order to meet specific local needs.
本文件的目标是定义独立于当地法律要求的通用语法。然而,该概要文件的设计允许进一步分析,以满足特定的本地需求。
It is important to note that the profile does not define any legal requirements for Qualified Certificates.
需要注意的是,概要文件没有定义合格证书的任何法律要求。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不得”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119中的说明进行解释。
Table of Contents
目录
1 Introduction ................................................ 2
2 Requirements and Assumptions ................................ 3
2.1 Properties ................................................ 4
2.2 Statement of Purpose ...................................... 5
2.3 Policy Issues ............................................. 5
2.4 Uniqueness of names ....................................... 5
3 Certificate and Certificate Extensions Profile .............. 6
3.1 Basic Certificate Fields .................................. 6
3.1.1 Issuer .................................................. 6
3.1.2 Subject ................................................. 6
3.2 Certificate Extensions .................................... 9
3.2.1 Subject Directory Attributes ............................ 9
3.2.2 Certificate Policies .................................... 10
3.2.3 Key Usage ............................................... 10
3.2.4 Biometric Information ................................... 11
3.2.5 Qualified Certificate Statements ........................ 12
4 Security Considerations ..................................... 14
5 References .................................................. 15
6 Intellectual Property Rights ................................ 16
A ASN.1 definitions ........................................... 17
A.1 1988 ASN.1 Module ......................................... 17
A.2 1993 ASN.1 Module ......................................... 19
B A Note on Attributes ........................................ 24
C. Example Certificate ........................................ 24
C.1 ASN.1 Structure ........................................... 25
C.1.1 Extensions ............................................... 25
C.1.2 The certificate .......................................... 27
C.2 ASN.1 Dump ................................................ 29
C.3 DER-encoding .............................................. 32
C.4 CA's public key ........................................... 33
Authors' Addresses ............................................. 34
Full Copyright Statement ....................................... 35
1 Introduction ................................................ 2
2 Requirements and Assumptions ................................ 3
2.1 Properties ................................................ 4
2.2 Statement of Purpose ...................................... 5
2.3 Policy Issues ............................................. 5
2.4 Uniqueness of names ....................................... 5
3 Certificate and Certificate Extensions Profile .............. 6
3.1 Basic Certificate Fields .................................. 6
3.1.1 Issuer .................................................. 6
3.1.2 Subject ................................................. 6
3.2 Certificate Extensions .................................... 9
3.2.1 Subject Directory Attributes ............................ 9
3.2.2 Certificate Policies .................................... 10
3.2.3 Key Usage ............................................... 10
3.2.4 Biometric Information ................................... 11
3.2.5 Qualified Certificate Statements ........................ 12
4 Security Considerations ..................................... 14
5 References .................................................. 15
6 Intellectual Property Rights ................................ 16
A ASN.1 definitions ........................................... 17
A.1 1988 ASN.1 Module ......................................... 17
A.2 1993 ASN.1 Module ......................................... 19
B A Note on Attributes ........................................ 24
C. Example Certificate ........................................ 24
C.1 ASN.1 Structure ........................................... 25
C.1.1 Extensions ............................................... 25
C.1.2 The certificate .......................................... 27
C.2 ASN.1 Dump ................................................ 29
C.3 DER-encoding .............................................. 32
C.4 CA's public key ........................................... 33
Authors' Addresses ............................................. 34
Full Copyright Statement ....................................... 35
1 Introduction
1导言
This specification is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet. It is based on RFC 2459, which defines underlying certificate formats and semantics needed for a full implementation of this standard.
本规范是互联网X.509公钥基础设施(PKI)标准系列的一部分。它基于RFC2459,RFC2459定义了全面实现该标准所需的底层证书格式和语义。
The standard profiles the format for a specific type of certificates named Qualified Certificates. The term Qualified Certificates and the assumptions that affects the scope of this document are discussed in Section 2.
标准配置了名为合格证书的特定类型证书的格式。第2节讨论了影响本文件范围的术语合格证书和假设。
Section 3 defines requirements on information content in Qualified Certificates. This profile addresses two fields in the basic certificate as well as five certificate extensions. The certificate fields are the subject and issuer fields. The certificate extensions are subject directory attributes, certificate policies, key usage, a private extension for storage of biometric data and a private extension for storage of statements related to Qualified Certificates. The private extensions are presented in the 1993 Abstract Syntax Notation One (ASN.1), but in conformance with RFC 2459 the 1988 ASN.1 module in Appendix A contains all normative definitions (the 1993 module in Appendix A is informative).
第3节定义了合格证书中信息内容的要求。此配置文件处理基本证书中的两个字段以及五个证书扩展。证书字段是主题字段和颁发者字段。证书扩展是主题目录属性、证书策略、密钥使用、用于存储生物特征数据的专用扩展和用于存储与合格证书相关的声明的专用扩展。专用扩展在1993年抽象语法符号1(ASN.1)中给出,但根据RFC 2459,附录A中的1988 ASN.1模块包含所有规范性定义(附录A中的1993模块为信息性模块)。
In Section 4, some security considerations are discussed in order to clarify the security context in which Qualified Certificates are assumed to be utilized. Section 5 contains the references.
在第4节中,讨论了一些安全注意事项,以澄清假定使用合格证书的安全上下文。第5节包含参考文献。
Appendix A contains all relevant ASN.1 [X.680] structures that are not already defined in RFC 2459. Appendix B contains a note on attributes. Appendix C contains an example certificate. Appendix D contains authors' addresses and Appendix E contains the IETF Copyright Statement.
附录A包含RFC 2459中尚未定义的所有相关ASN.1[X.680]结构。附录B包含关于属性的说明。附录C包含一个示例证书。附录D包含作者地址,附录E包含IETF版权声明。
It should be noted that this specification does not define the specific semantics of Qualified Certificates, and does not define the policies that should be used with them. That is, this document defines what information should go into Qualified Certificates, but not what that information means. A system that uses Qualified Certificates must define its own semantics for the information in Qualified Certificates. It is expected that laws and corporate policies will make these definitions.
应该注意的是,本规范没有定义合格证书的特定语义,也没有定义应该与合格证书一起使用的策略。也就是说,本文档定义了合格证书中应该包含哪些信息,而不是这些信息的含义。使用合格证书的系统必须为合格证书中的信息定义自己的语义。预计法律和公司政策将做出这些定义。
2 Requirements and Assumptions
2要求和假设
The term "Qualified Certificate" has been used by the European Commission to describe a certain type of certificates with specific relevance for European legislation. This specification is intended to support this class of certificates, but its scope is not limited to this application.
“合格证书”一词已被欧盟委员会用于描述与欧洲立法具有特定相关性的某种类型的证书。本规范旨在支持此类证书,但其范围不限于此应用。
Within this standard the term "Qualified Certificate" is used more generally, describing the format for a certificate whose primary purpose is identifying a person with high level of assurance in public non-repudiation services. The actual mechanisms that will decide whether a certificate should or should not be considered to be a "Qualified Certificate" in regard to any legislation are outside the scope of this standard.
在本标准中,术语“合格证书”的使用更为普遍,描述了证书的格式,其主要目的是识别在公共不可否认服务中具有高水平保证的人员。就任何立法而言,决定证书是否应被视为“合格证书”的实际机制不在本标准的范围之内。
Harmonization in the field of Qualified Certificates is essential within several aspects that fall outside the scope of RFC 2459. The most important aspects that affect the scope of this specification are:
在RFC 2459范围之外的几个方面,合格证书领域的协调至关重要。影响本规范范围的最重要方面包括:
- Definition of names and identity information in order to identify the associated subject in a uniform way.
- 定义姓名和身份信息,以便以统一的方式识别相关主题。
- Definition of information which identifies the CA and the jurisdiction under which the CA operates when issuing a particular certificate.
- 在颁发特定证书时,标识CA和CA运行所在司法管辖区的信息的定义。
- Definition of key usage extension usage for Qualified Certificates.
- 限定证书的密钥用法扩展用法的定义。
- Definition of information structure for storage of biometric information.
- 生物特征信息存储的信息结构定义。
- Definition of a standardized way to store predefined statements with relevance for Qualified Certificates.
- 定义一种标准化方法,用于存储与合格证书相关的预定义语句。
- Requirements for critical extensions.
- 关键扩展的需求。
A Qualified Certificate as defined in this standard is assumed to have the following properties:
本标准中定义的合格证书应具有以下特性:
- The certificate is issued by a CA that makes a public statement that the certificate serves the purpose of a Qualified Certificate, as discussed in Section 2.2
- 该证书由CA颁发,CA公开声明该证书用于合格证书的目的,如第2.2节所述
- The certificate indicates a certificate policy consistent with liabilities, practices and procedures undertaken by the CA, as discussed in 2.3
- 证书表明证书政策与CA承担的责任、惯例和程序一致,如2.3所述
- The certificate is issued to a natural person (living human being).
- 证书颁发给自然人(活人)。
- The certificate contains an identity based on a pseudonym or a real name of the subject.
- 该证书包含基于主题的笔名或实名的身份。
For a certificate to serve the purpose of being a Qualified Certificate, this profile assumes that the CA will have to include in the certificate information that explicitly defines this intent.
为了使证书成为合格证书,此配置文件假定CA必须在证书中包含明确定义此意图的信息。
The function of this information is thus to assist any concerned entity in evaluating the risk associated with creating or accepting signatures that are based on a Qualified Certificate.
因此,该信息的功能是帮助任何相关实体评估与创建或接受基于合格证书的签名相关的风险。
This profile defines two complementary ways to include this information:
此配置文件定义了两种补充方式来包含此信息:
- As information defined by a certificate policy included in the certificate policies extension, and
- 由证书策略扩展中包含的证书策略定义的信息,以及
- As a statement included in the Qualified Certificates Statements extension.
- 作为合格证书语句扩展中包含的语句。
Certain policy aspects define the context in which this profile is to be understood and used. It is however outside the scope of this profile to specify any policies or legal aspects that will govern services that issue or utilize certificates according to this profile.
某些政策方面定义了理解和使用此概要文件的上下文。但是,指定将管理根据此配置文件颁发或使用证书的服务的任何策略或法律方面超出了此配置文件的范围。
It is however assumed that the issuing CA will undertake to follow a publicly available certificate policy that is consistent with its liabilities, practices and procedures.
但是,假设发证机构将承诺遵守与其责任、惯例和程序一致的公开证书政策。
Distinguished name is originally defined in X.501 [X.501] as a representation of a directory name, defined as a construct that identifies a particular object from among the set of all objects. An object can be assigned a distinguished name without being represented by an entry in the Directory, but this name is then the name its object entry could have had if it were represented in the Directory. In the context of qualified certificates, a distinguished name denotes a set of attribute values [X.501] which forms a name that is unambiguous within a certain domain that forms either a real or a virtual DIT (Directory Information Tree)[X.501]. In the case of subject names the domain is assumed to be at least the issuing domain of the CA. The distinguished name MUST be unique for each subject entity certified by the one CA as defined by the issuer name field, during the whole life time of the CA.
可分辨名称最初在X.501[X.501]中定义为目录名的表示形式,定义为从所有对象集中标识特定对象的构造。可以为对象分配一个可分辨名称,而不必用目录中的条目表示,但如果该名称在目录中表示,则该名称就是其对象条目可能拥有的名称。在限定证书的上下文中,可分辨名称表示一组属性值[X.501],该属性值在形成真实或虚拟DIT(目录信息树)[X.501]的特定域中形成明确的名称。在主体名称的情况下,假设域至少是CA的发行域。在CA的整个生命周期内,由一个CA认证的每个主体实体的可分辨名称必须是唯一的,如发卡机构名称字段所定义。
3 Certificate and Certificate Extensions Profile
3证书和证书扩展配置文件
This section defines a profile for Qualified Certificates. The profile is based on the Internet certificate profile RFC 2459 which in turn is based on the X.509 version 3 format. For full implementation of this section implementers are REQUIRED to consult the underlying formats and semantics defined in RFC 2459.
本节定义了合格证书的配置文件。该配置文件基于Internet证书配置文件RFC 2459,后者又基于X.509版本3格式。对于本节的全面实施,实施者需要参考RFC2459中定义的底层格式和语义。
ASN.1 definitions relevant for this section that are not supplied by RFC 2459 are supplied in Appendix A.
附录A中提供了RFC 2459未提供的与本节相关的ASN.1定义。
This specification provides additional details regarding the contents of two fields in the basic certificate. These fields are the issuer and subject fields.
本规范提供了有关基本证书中两个字段内容的其他详细信息。这些字段是颁发者和主题字段。
The issuer field SHALL identify the organization responsible for issuing the certificate. The name SHOULD be an officially registered name of the organization.
颁发者字段应确定负责颁发证书的组织。该名称应为组织的正式注册名称。
The identity of the issuer SHALL be specified using an appropriate subset of the following attributes:
应使用以下属性的适当子集指定发行人的身份:
domainComponent;
countryName;
stateOrProvinceName;
organizationName;
localityName; and
serialNumber.
domainComponent;
countryName;
stateOrProvinceName;
organizationName;
localityName; and
serialNumber.
Additional attributes MAY be present but they SHOULD NOT be necessary to identify the issuing organization.
可能存在其他属性,但不需要它们来标识发布组织。
Attributes present in the issuer field SHOULD be consistent with the laws under which the issuer operates.
“发行人”字段中的属性应符合发行人运营所依据的法律。
A relying party MAY have to consult associated certificate policies and/or the issuer's CPS, in order to determine the semantics of name fields and the laws under which the issuer operates.
依赖方可能必须咨询相关的证书政策和/或发行人的CP,以确定名称字段的语义和发行人运营所依据的法律。
The subject field of a certificate compliant with this profile SHALL contain a distinguished name of the subject (see 2.4 for definition of distinguished name).
符合此配置文件的证书的主题字段应包含主题的可分辨名称(可分辨名称的定义见2.4)。
The subject field SHALL contain an appropriate subset of the following attributes:
主题字段应包含以下属性的适当子集:
countryName;
commonName;
surname;
givenName;
pseudonym;
serialNumber;
organizationName;
organizationalUnitName;
stateOrProvinceName
localityName and
postalAddress.
countryName;
commonName;
surname;
givenName;
pseudonym;
serialNumber;
organizationName;
organizationalUnitName;
stateOrProvinceName
localityName and
postalAddress.
Other attributes may be present but MUST NOT be necessary to distinguish the subject name from other subject names within the issuer domain.
可能存在其他属性,但不必将主题名称与发卡机构域内的其他主题名称区分开来。
Of these attributes, the subject field SHALL include at least one of the following:
在这些属性中,主题字段应至少包括以下一项:
Choice I: commonName Choice II: givenName Choice III: pseudonym
选择一:通用名称选择二:givenName选择三:笔名
The countryName attribute value specifies a general context in which other attributes are to be understood. The country attribute does not necessarily indicate the subject's country of citizenship or country of residence, nor does it have to indicate the country of issuance.
countryName属性值指定理解其他属性的一般上下文。国家属性不一定表示受试者的国籍国或居住国,也不一定表示发行国。
Note: Many X.500 implementations require the presence of countryName in the DIT. In cases where the subject name, as specified in the subject field, specifies a public X.500 directory entry, the countryName attribute SHOULD always be present.
注意:许多X.500实现需要在DIT中显示countryName。如果主题字段中指定的主题名称指定了公共X.500目录条目,则countryName属性应始终存在。
The commonName attribute value SHALL, when present, contain a name of the subject. This MAY be in the subject's preferred presentation format, or a format preferred by the CA, or some other format. Pseudonyms, nicknames and names with spelling other than defined by the registered name MAY be used. To understand the nature of the name presented in commonName, complying applications MAY have to examine present values of the givenName and surname attributes, or the pseudonym attribute.
当存在commonName属性值时,该属性值应包含主题名称。这可能是受试者首选的演示格式,或CA首选的格式,或其他格式。可以使用笔名、昵称和拼写与注册名称不同的名称。为了理解commonName中显示的名称的性质,符合要求的应用程序可能必须检查givenName和姓氏属性或假名属性的当前值。
Note: Many client implementations presuppose the presence of the commonName attribute value in the subject field and use this value to display the subject's name regardless of present givenName, surname or pseudonym attribute values.
注意:许多客户端实现预先假定主题字段中存在commonName属性值,并使用此值显示主题的名称,而不管当前的给定名称、姓氏或假名属性值如何。
The surname and givenName attribute types SHALL, if present, contain the registered name of the subject, in accordance with the laws under which the CA prepares the certificate. These attributes SHALL be used in the subject field if the commonName attribute is not present. In cases where the subject only has a single name registered, the givenName attribute SHALL be used and the surname attribute SHALL be omitted.
根据CA编制证书所依据的法律,姓氏和givenName属性类型(如果存在)应包含受试者的注册名称。如果commonName属性不存在,则应在主题字段中使用这些属性。如果受试者只注册了一个姓名,则应使用givenName属性,并省略姓氏属性。
The pseudonym attribute type SHALL, if present, contain a pseudonym of the subject. Use of the pseudonym attribute MUST NOT be combined with use of any of the attributes surname and/or givenName.
笔名属性类型(如果存在)应包含主题的笔名。笔名属性的使用不得与任何姓氏和/或givenName属性的使用相结合。
The serialNumber attribute type SHALL, when present, be used to differentiate between names where the subject field would otherwise be identical. This attribute has no defined semantics beyond ensuring uniqueness of subject names. It MAY contain a number or code assigned by the CA or an identifier assigned by a government or civil authority. It is the CA's responsibility to ensure that the serialNumber is sufficient to resolve any subject name collisions.
如果存在serialNumber属性类型,则应使用该属性类型区分主题字段相同的名称。除了确保主题名称的唯一性外,该属性没有定义的语义。它可能包含由CA分配的编号或代码,或由政府或民事机构分配的标识符。CA有责任确保序列号足以解决任何主题名称冲突。
The organizationName and the organizationalUnitName attribute types SHALL, when present, be used to store the name and relevant information of an organization with which the subject is associated. The type of association between the organization and the subject is beyond the scope of this document.
organizationName和organizationalUnitName属性类型(如果存在)应用于存储与主题相关的组织的名称和相关信息。组织与主题之间的关联类型超出了本文档的范围。
The postalAddress, the stateOrProvinceName and the localityName attribute types SHALL, when present, be used to store address and geographical information with which the subject is associated. If an organizationName value also is present then the postalAddress, stateOrProvinceName and localityName attribute values SHALL be associated with the specified organization. The type of association between the postalAddress, stateOrProvinceName and the localityName and either the subject or the organizationName is beyond the scope of this document.
邮寄地址、州或省名称和LocationName属性类型(当存在时)应用于存储与主题相关的地址和地理信息。如果还存在organizationName值,则PostLaddress、stateOrProvinceName和LocationName属性值应与指定的组织相关联。PostLaddress、stateOrProvinceName和LocationName以及subject或organizationName之间的关联类型超出了本文档的范围。
Compliant implementations SHALL be able to interpret the attributes named in this section.
合规实施应能够解释本节中指定的属性。
This specification provides additional details regarding the contents of five certificate extensions. These extensions are the subject directory attributes, certificate policies, key usage, private extension for biometric information and private extension for Qualified Certificate statements.
本规范提供了有关五个证书扩展内容的其他详细信息。这些扩展是主题目录属性、证书策略、密钥使用、生物特征信息的专用扩展和合格证书声明的专用扩展。
The subjectDirectoryAttributes extension MAY contain additional attributes, associated with the subject, as complement to present information in the subject field and the subject alternative name extension.
subjectDirectoryAttributes扩展可以包含与主题相关的附加属性,作为对主题字段和主题备选名称扩展中显示信息的补充。
Attributes suitable for storage in this extension are attributes, which are not part of the subject's distinguished name, but which MAY still be useful for other purposes (e.g., authorization).
适合在此扩展中存储的属性是属性,这些属性不是受试者可分辨名称的一部分,但仍可能用于其他目的(例如授权)。
This extension MUST NOT be marked critical.
此扩展不能标记为关键。
Compliant implementations SHALL be able to interpret the following attributes:
合规实施应能够解释以下属性:
title;
dateOfBirth;
placeOfBirth;
gender;
countryOfCitizenship; and
countryOfResidence.
title;
dateOfBirth;
placeOfBirth;
gender;
countryOfCitizenship; and
countryOfResidence.
Other attributes MAY be included according to local definitions.
根据本地定义,可以包括其他属性。
The title attribute type SHALL, when present, be used to store a designated position or function of the subject within the organization specified by present organizational attributes in the subject field. The association between the title, the subject and the organization is beyond the scope of this document.
标题属性类型(如果存在)应用于存储主题字段中当前组织属性指定的组织内主题的指定位置或功能。标题、主题和组织之间的关联超出了本文件的范围。
The dateOfBirth attribute SHALL, when present, contain the value of the date of birth of the subject. The manner in which the date of birth is associated with the subject is outside the scope of this document.
dateOfBirth属性存在时,应包含受试者出生日期的值。出生日期与受试者的关联方式不在本文件范围内。
The placeOfBirth attribute SHALL, when present, contain the value of the place of birth of the subject. The manner in which the place of birth is associated with the subject is outside the scope of this document.
出生地点属性存在时,应包含受试者出生地点的值。出生地与受试者的关联方式不在本文件范围内。
The gender attribute SHALL, when present, contain the value of the gender of the subject. For females the value "F" (or "f") and for males the value "M" (or "m") have to be used. The manner in which the gender is associated with the subject is outside the scope of this document.
性别属性存在时,应包含主体性别的价值。对于女性,必须使用值“F”(或“F”),对于男性,必须使用值“M”(或“M”)。性别与主题的关联方式不在本文件范围内。
The countryOfCitizenship attribute SHALL, when present, contain the identifier of at least one of the subject's claimed countries of citizenship at the time that the certificate was issued. If the subject is a citizen of more than one country, more than one country MAY be present. Determination of citizenship is a matter of law and is outside the scope of this document.
“公民身份国家”属性在出现时应包含至少一个主体在颁发证书时声称的公民身份国家的标识符。如果受试者是一个以上国家的公民,则可能有一个以上的国家在场。公民身份的确定是一个法律问题,不在本文件的范围之内。
The countryOfResidence attribute SHALL, when present, contain the value of at least one country in which the subject is resident. If the subject is a resident of more than one country, more than one country MAY be present. Determination of residence is a matter of law and is outside the scope of this document.
当存在countryOfResidence属性时,该属性应包含受试者居住的至少一个国家的值。如果受试者是一个以上国家的居民,则可能有一个以上的国家在场。确定居住地是一个法律问题,不在本文件的范围之内。
The certificate policies extension SHALL contain the identifier of at least one certificate policy which reflects the practices and procedures undertaken by the CA. The certificate policy extension MAY be marked critical.
证书策略扩展应包含至少一个证书策略的标识符,该标识符反映CA采取的实践和程序。证书策略扩展可标记为关键。
Information provided by the issuer stating the purpose of the certificate as discussed in Section 2.2 SHOULD be evident through indicated policies.
发行人提供的说明第2.2节中讨论的证书目的的信息应通过指定的政策予以证明。
The certificate policies extension SHOULD include all policy information needed for validation of the certificate. If policy information is included in the QCStatements extension (see 3.2.5), then this information SHOULD also be defined by indicated policies.
证书策略扩展应包括验证证书所需的所有策略信息。如果政策信息包含在QCStatements扩展中(见3.2.5),则该信息也应通过指定的政策进行定义。
Certificate policies MAY be combined with any qualifier defined in RFC 2459.
证书策略可以与RFC 2459中定义的任何限定符组合。
The key usage extension SHALL be present. If the key usage nonRepudiation bit is asserted then it SHOULD NOT be combined with any other key usage , i.e., if set, the key usage non-repudiation SHOULD be set exclusively.
应提供密钥使用扩展。如果断言密钥使用不可否认位,则不应将其与任何其他密钥使用组合,即,如果设置,则应以独占方式设置密钥使用不可否认。
The key usage extension MAY be marked critical.
密钥使用扩展可能被标记为关键。
This section defines an extension for storage of biometric information. Biometric information is stored in the form of a hash of a biometric template.
本节定义了生物特征信息存储的扩展。生物测定信息以生物测定模板的散列形式存储。
The purpose of this extension is to provide means for authentication of biometric information. The biometric information that corresponds to the stored hash is not stored in this extension, but the extension MAY include an URI pointing to a location where this information can be obtained. If included, this URI does not imply that this is the only way to access this information.
此扩展的目的是提供生物特征信息的身份验证方法。与存储的散列相对应的生物测定信息不存储在该扩展中,但是该扩展可以包括指向可以获得该信息的位置的URI。如果包含此URI,则此URI并不意味着这是访问此信息的唯一方法。
It is RECOMMENDED that biometric information in this extension is limited to information types suitable for human verification, i.e., where the decision of whether the information is an accurate representation of the subject is naturally performed by a person. This implies a usage where the biometric information is represented by, for example, a graphical image displayed to the relying party, which MAY be used by the relying party to enhance identification of the subject.
建议此扩展中的生物特征信息仅限于适合人类验证的信息类型,即,信息是否是受试者的准确表示的决定自然由人执行。这意味着使用生物测定信息由例如显示给依赖方的图形图像表示,依赖方可以使用该图形图像来增强对象的识别。
This extension MUST NOT be marked critical.
此扩展不能标记为关键。
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataID OBJECT IDENTIFIER }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataID OBJECT IDENTIFIER }
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
The predefined biometric type picture, when present, SHALL identify that the source picture is in the form of a displayable graphical image of the subject. The hash of the graphical image SHALL only be calculated over the image data excluding any labels defining the image type.
预定义的生物特征类型图片(当存在时)应确定源图片为可显示的对象图形图像形式。图形图像的散列仅应在图像数据上计算,不包括定义图像类型的任何标签。
The predefined biometric type handwritten-signature, when present, SHALL identify that the source data is in the form of a displayable graphical image of the subject's handwritten signature. The hash of the graphical image SHALL only be calculated over the image data excluding any labels defining the image type.
预定义的生物特征类型手写签名(如有)应确定源数据为受试者手写签名的可显示图形图像形式。图形图像的散列仅应在图像数据上计算,不包括定义图像类型的任何标签。
This section defines an extension for inclusion of defined statements related to Qualified Certificates.
本节定义了一个扩展,用于包含与合格证书相关的已定义语句。
A typical statement suitable for inclusion in this extension MAY be a statement by the issuer that the certificate is issued as a Qualified Certificate in accordance with a particular legal system (as discussed in Section 2.2).
适用于本扩展的典型声明可能是发行人声明,根据特定法律制度(如第2.2节所述),证书作为合格证书发行。
Other statements suitable for inclusion in this extension MAY be statements related to the applicable legal jurisdiction within which the certificate is issued. As an example this MAY include a maximum reliance limit for the certificate indicating restrictions on CA's liability.
适用于本扩展的其他声明可能是与颁发证书的适用法律管辖区相关的声明。例如,这可能包括证书的最大信赖限额,表明对CA责任的限制。
Each statement SHALL include an object identifier for the statement and MAY also include optional qualifying data contained in the statementInfo parameter.
每个语句应包括语句的对象标识符,还可以包括statementInfo参数中包含的可选限定数据。
If the statementInfo parameter is included then the object identifier of the statement SHALL define the syntax and SHOULD define the semantics of this parameter. If the object identifier does not define the semantics, a relying party may have to consult a relevant certificate policy or CPS to determine the exact semantics.
如果包含statementInfo参数,则语句的对象标识符应定义语法,并应定义此参数的语义。如果对象标识符没有定义语义,依赖方可能必须咨询相关的证书策略或CPS以确定确切的语义。
This extension may be critical or non-critical. If the extension is critical, this means that all statements included in the extension are regarded as critical.
此扩展可能是关键的,也可能是非关键的。如果扩展是关键的,这意味着扩展中包含的所有语句都被视为关键的。
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
QCStatements ::= SEQUENCE OF QCStatement
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&Id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&Id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
SupportedStatements QC-STATEMENT ::= { qcStatement-1,...}
SupportedStatements QC-STATEMENT ::= { qcStatement-1,...}
This profile includes one predefined object identifier (id-qcs-pkixQCSyntax-v1), identifying conformance with syntax and semantics defined in this profile. This Qualified Certificate profile is referred to as version 1.
此配置文件包括一个预定义的对象标识符(id-qcs-pkixQCSyntax-v1),用于标识与此配置文件中定义的语法和语义的一致性。此合格证书配置文件称为版本1。
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1 }
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). The SemanticsInformation may optionally contain
-- additional semantics information as specified.
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1 }
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). The SemanticsInformation may optionally contain
-- additional semantics information as specified.
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities
OPTIONAL }
(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities
OPTIONAL }
(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF
GeneralName
The SementicsInformation component identified by id-qcs-pkixQCSyntax-v1 MAY contain a semantics identifier and MAY identify one or more name registration authorities.
id-qcs-pkixQCSyntax-v1标识的SementicsInformation组件可以包含语义标识符,并且可以标识一个或多个名称注册机构。
The semanticsIdentifier component, if present, SHALL contain an OID, defining semantics for attributes and names in basic certificate fields and certificate extensions. The OID may define semantics for all, or for a subgroup of all present attributes and/or names.
SemanticIdentifier组件(如果存在)应包含OID,定义基本证书字段和证书扩展中属性和名称的语义。OID可以定义所有属性和/或名称的语义,或定义所有现有属性和/或名称的子组的语义。
The NameRegistrationAuthorities component, if present, SHALL contain a name of one or more name registration authorities, responsible for registration of attributes or names associated with the subject. The association between an identified name registration authority and present attributes MAY be defined by a semantics identifier OID, by a certificate policy (or CPS) or some other implicit factors.
NameRegistrationAuthorities组件(如果存在)应包含一个或多个名称注册机构的名称,负责注册与主题相关的属性或名称。可通过语义标识符OID、证书策略(或CPS)或某些其他隐式因素来定义已识别名称注册机构与当前属性之间的关联。
If a value of type SemanticsInformation is present in a QCStatement then at least one of the fields semanticsIdentifier and nameRegistrationAuthorities must be present, as indicated.
如果QCStatement中存在SemanticInformation类型的值,则必须至少存在SemanticIdentifier和nameRegistrationAuthorities字段中的一个,如图所示。
4 Security Considerations
4安全考虑
The legal value of a digital signature that is validated with a Qualified Certificate will be highly dependent upon the policy governing the use of the associated private key. Both the private key holder as well as the relying party should make sure that the private key is used only with the consent of the legitimate key holder.
使用合格证书验证的数字签名的法律价值在很大程度上取决于管理相关私钥使用的策略。私钥持有人和依赖方均应确保私钥仅在合法密钥持有人同意的情况下使用。
Since the public keys are for public use with legal implications for involved parties, certain conditions should exist before CAs issue certificates as Qualified Certificates. The associated private keys must be unique for the subject, and must be maintained under the subject's sole control. That is, a CA should not issue a qualified certificate if the means to use the private key is not protected against unintended usage. This implies that the CA have some knowledge about the subject's cryptographic module.
由于公钥是供公众使用的,对相关方有法律影响,因此在CAs将证书作为合格证书颁发之前,应具备某些条件。相关的私钥对于主体而言必须是唯一的,并且必须由主体单独控制。也就是说,如果使用私钥的方法未受到保护以防止意外使用,则CA不应颁发合格证书。这意味着CA对主体的加密模块有一些了解。
The CA must further verify that the public key contained in the certificate is legitimately representing the subject.
CA必须进一步验证证书中包含的公钥是否合法地代表主题。
CAs should not issue CA certificates with policy mapping extensions indicating acceptance of another CA's policy unless these conditions are met.
CA不应颁发带有策略映射扩展的CA证书,以表明接受另一CA的策略,除非满足这些条件。
Combining the nonRepudiation bit in the keyUsage certificate extension with other keyUsage bits may have security implications and this specification therefore recommends against such practices.
将keyUsage证书扩展中的非否认位与其他keyUsage位组合可能会带来安全隐患,因此本规范建议不要使用此类做法。
The ability to compare two qualified certificates to determine if they represent the same physical entity is dependent on the semantics of the subjects' names. The semantics of a particular attribute may be different for different issuers. Comparing names without knowledge of the semantics of names in these particular certificates may provide misleading results.
比较两个合格证书以确定它们是否代表同一物理实体的能力取决于受试者姓名的语义。对于不同的发行人,特定属性的语义可能不同。在不了解这些特定证书中名称的语义的情况下比较名称可能会产生误导性结果。
This specification is a profile of RFC 2459. The security considerations section of that document applies to this specification as well.
本规范是RFC 2459的概要。该文件的安全注意事项部分也适用于本规范。
5 References
5参考文献
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. Sataluri, "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.
[RFC 2247]Kille,S.,Wahl,M.,Grimstad,A.,Huber,R.和S.Sataluri,“使用LDAP/X.500可分辨名称中的域”,RFC 2247,1998年1月。
[RFC 2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509 Public Key Infrastructure: Certificate and CRL Profile", RFC 2459, January 1999.
[RFC 2459]Housley,R.,Ford,W.,Polk,W.和D.Solo,“互联网X.509公钥基础设施:证书和CRL配置文件”,RFC 2459,1999年1月。
[RFC 2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object Classes and Attribute Types Version 2.0", RFC 2985, November 2000.
[RFC 2985]Nystrom,M.和B.Kaliski,“PKCS#9:选定对象类和属性类型版本2.0”,RFC 2985,2000年11月。
[X.501] ITU-T Recommendation X.501: Information Technology - Open Systems Interconnection - The Directory: Models, June 1993.
[X.501]ITU-T建议X.501:信息技术-开放系统互连-目录:模型,1993年6月。
[X.509] ITU-T Recommendation X.509: Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997.
[X.509]ITU-T建议X.509:信息技术-开放系统互连-目录:认证框架,1997年6月。
[X.520] ITU-T Recommendation X.520: Information Technology - Open Systems Interconnection - The Directory: Selected Attribute Types, June 1993.
[X.520]ITU-T建议X.520:信息技术-开放系统互连-目录:选定属性类型,1993年6月。
[X.680] ITU-T Recommendation X.680: Information Technology - Abstract Syntax Notation One, 1997.
[X.680]ITU-T建议X.680:信息技术——抽象语法符号1,1997年。
[ISO 3166] ISO Standard 3166: Codes for the representation of names of countries, 1993.
[ISO 3166]ISO标准3166:国家名称表示代码,1993年。
6 Intellectual Property Rights
6知识产权
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。
A. ASN.1 definitions
A.ASN.1定义
As in RFC 2459, ASN.1 modules are supplied in two different variants of the ASN.1 syntax.
与RFC2459一样,ASN.1模块以ASN.1语法的两种不同变体提供。
Appendix A.1 is in the 1988 syntax, and does not use macros. However, since the module imports type definitions from modules in RFC 2459 which are not completely in the 1988 syntax, the same comments as in RFC 2459 regarding its use applies here as well; i.e., Appendix A.1 may be parsed by an 1988 ASN.1-parser by removing the definitions for the UNIVERSAL types and all references to them in RFC 2459's 1988 modules.
附录A.1采用1988年的语法,不使用宏。但是,由于模块从RFC 2459中的模块导入类型定义,这些模块不完全符合1988年的语法,因此与RFC 2459中关于其使用的相同注释也适用于此处;i、 例如,附录A.1可由1988 ASN.1解析器通过删除通用类型的定义和RFC 2459 1988模块中对通用类型的所有引用来解析。
Appendix A.2 is in the 1993 syntax. However, since the module imports type definitions from modules in RFC 2459 which are not completely in the 1993 syntax, the same comments as in RFC 2459 regarding its use applies here as well; i.e., Appendix A.2 may be parsed by an 1993 ASN.1-parser by removing the UTF8String choice from the definition of DirectoryString in the module PKIX1Explicit93 in RFC 2459. Appendix A.2 may be parsed "as is" by an 1997 ASN.1 parser, however.
附录A.2采用1993年的语法。然而,由于模块从RFC 2459中的模块导入类型定义,这些模块不完全符合1993年的语法,因此与RFC 2459中关于其使用的相同注释也适用于此处;i、 例如,附录A.2可由1993 ASN.1解析器通过从RFC 2459中模块PKIX1Explicit93中的DirectoryString定义中删除UTF8String选项来解析。然而,附录A.2可以由1997年ASN.1解析器“按原样”进行解析。
In case of discrepancies between these modules, the 1988 module is the normative one.
如果这些模块之间存在差异,则1988模块为规范模块。
PKIXqualified88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-88(10) }
PKIXqualified88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-88(10) }
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
IMPORTS
进口
GeneralName
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit-88(2)}
GeneralName
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit-88(2)}
AlgorithmIdentifier, DirectoryString, Attribute, AttributeType,
id-pkix, id-pe, id-at
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
AlgorithmIdentifier, DirectoryString, Attribute, AttributeType,
id-pkix, id-pe, id-at
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit-88(1)};
id-pkix1-explicit-88(1)};
-- Locally defined OIDs
--局部定义的OID
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Arc for QC personal data attributes
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Attributes
--属性
id-at-serialNumber AttributeType ::= { id-at 5 }
SerialNumber ::= PrintableString (SIZE(1..64))
id-at-serialNumber AttributeType ::= { id-at 5 }
SerialNumber ::= PrintableString (SIZE(1..64))
id-at-postalAddress AttributeType ::= { id-at 16 }
PostalAddress ::= SEQUENCE SIZE (1..6) OF DirectoryString
id-at-postalAddress AttributeType ::= { id-at 16 }
PostalAddress ::= SEQUENCE SIZE (1..6) OF DirectoryString
id-at-pseudonym AttributeType ::= { id-at 65 }
Pseudonym ::= DirectoryString
id-at-pseudonym AttributeType ::= { id-at 65 }
Pseudonym ::= DirectoryString
domainComponent AttributeType ::=
{ 0 9 2342 19200300 100 1 25 }
DomainComponent ::= IA5String
domainComponent AttributeType ::=
{ 0 9 2342 19200300 100 1 25 }
DomainComponent ::= IA5String
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
DateOfBirth ::= GeneralizedTime
id-pda-dateOfBirth AttributeType ::= { id-pda 1 }
DateOfBirth ::= GeneralizedTime
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
PlaceOfBirth ::= DirectoryString
id-pda-placeOfBirth AttributeType ::= { id-pda 2 }
PlaceOfBirth ::= DirectoryString
id-pda-gender AttributeType ::= { id-pda 3 }
Gender ::= PrintableString (SIZE(1))
-- "M", "F", "m" or "f"
id-pda-gender AttributeType ::= { id-pda 3 }
Gender ::= PrintableString (SIZE(1))
-- "M", "F", "m" or "f"
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
CountryOfCitizenship ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
CountryOfResidence ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
id-pda-countryOfResidence AttributeType ::= { id-pda 5 }
CountryOfResidence ::= PrintableString (SIZE (2))
-- ISO 3166 Country Code
-- Private extensions
--专用扩展
-- Biometric info extension
--生物特征信息扩展
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
id-pe-biometricInfo OBJECT IDENTIFIER ::= {id-pe 2}
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
PredefinedBiometricType ::= INTEGER {
picture(0),handwritten-signature(1)}
(picture|handwritten-signature)
PredefinedBiometricType ::= INTEGER {
picture(0),handwritten-signature(1)}
(picture|handwritten-signature)
-- QC Statements Extension
--质量控制声明扩展
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3}
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3}
QCStatements ::= SEQUENCE OF QCStatement
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId OBJECT IDENTIFIER,
statementInfo ANY DEFINED BY statementId OPTIONAL}
QCStatement ::= SEQUENCE {
statementId OBJECT IDENTIFIER,
statementInfo ANY DEFINED BY statementId OPTIONAL}
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). This statement may optionally contain
-- additional semantics information as specified below.
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). This statement may optionally contain
-- additional semantics information as specified below.
SemanticsInformation ::= SEQUENCE {
semanticsIndentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
} -- At least one field shall be present
SemanticsInformation ::= SEQUENCE {
semanticsIndentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
} -- At least one field shall be present
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
END
终止
PKIXqualified93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-93(11) }
PKIXqualified93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-qualified-cert-93(11) }
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
IMPORTS
进口
authorityKeyIdentifier, subjectKeyIdentifier, keyUsage,
extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies,
policyMappings, subjectAltName, issuerAltName, basicConstraints,
nameConstraints, policyConstraints, cRLDistributionPoints,
subjectDirectoryAttributes, authorityInfoAccess, GeneralName,
OTHER-NAME
FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit-93(4)}
authorityKeyIdentifier, subjectKeyIdentifier, keyUsage,
extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies,
policyMappings, subjectAltName, issuerAltName, basicConstraints,
nameConstraints, policyConstraints, cRLDistributionPoints,
subjectDirectoryAttributes, authorityInfoAccess, GeneralName,
OTHER-NAME
FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit-93(4)}
id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION,
DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName,
id-at-surname, id-at-countryName, id-at-localityName,
id-at-stateOrProvinceName, id-at-organizationName,
id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier,
pkcs9email, title, organizationName, organizationalUnitName,
stateOrProvinceName, localityName, countryName,
generationQualifier, dnQualifier, initials, givenName, surname,
commonName, name
FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit-93(3)};
id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION,
DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName,
id-at-surname, id-at-countryName, id-at-localityName,
id-at-stateOrProvinceName, id-at-organizationName,
id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier,
pkcs9email, title, organizationName, organizationalUnitName,
stateOrProvinceName, localityName, countryName,
generationQualifier, dnQualifier, initials, givenName, surname,
commonName, name
FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit-93(3)};
-- Object Identifiers
--对象标识符
-- Externally defined OIDs
id-at-serialNumber OBJECT IDENTIFIER ::= { id-at 5}
id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 }
id-at-pseudonym OBJECT IDENTIFIER ::= { id-at 65 }
id-domainComponent OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 }
-- Externally defined OIDs
id-at-serialNumber OBJECT IDENTIFIER ::= { id-at 5}
id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 }
id-at-pseudonym OBJECT IDENTIFIER ::= { id-at 65 }
id-domainComponent OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 }
-- Locally defined OIDs
--局部定义的OID
-- Arc for QC personal data attributes
--QC个人数据属性的Arc
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
id-pda OBJECT IDENTIFIER ::= { id-pkix 9 }
-- Arc for QC statements
id-qcs OBJECT IDENTIFIER ::= { id-pkix 11 }
-- Private extensions
--专用扩展
id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
id-pe-biometricInfo OBJECT IDENTIFIER ::= { id-pe 2 }
id-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3 }
-- Personal data attributes
id-pda-dateOfBirth OBJECT IDENTIFIER ::= { id-pda 1 }
id-pda-placeOfBirth OBJECT IDENTIFIER ::= { id-pda 2 }
id-pda-gender OBJECT IDENTIFIER ::= { id-pda 3 }
id-pda-countryOfCitizenship OBJECT IDENTIFIER ::= { id-pda 4 }
id-pda-countryOfResidence OBJECT IDENTIFIER ::= { id-pda 5 }
-- Personal data attributes
id-pda-dateOfBirth OBJECT IDENTIFIER ::= { id-pda 1 }
id-pda-placeOfBirth OBJECT IDENTIFIER ::= { id-pda 2 }
id-pda-gender OBJECT IDENTIFIER ::= { id-pda 3 }
id-pda-countryOfCitizenship OBJECT IDENTIFIER ::= { id-pda 4 }
id-pda-countryOfResidence OBJECT IDENTIFIER ::= { id-pda 5 }
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- QC statements
id-qcs-pkixQCSyntax-v1 OBJECT IDENTIFIER ::= { id-qcs 1 }
-- Object Sets
--对象集
-- The following information object set is defined to constrain the
-- set of legal certificate extensions. Note that this set is an
-- extension of the ExtensionSet defined in RFC 2459.
ExtensionSet EXTENSION ::= {
authorityKeyIdentifier |
subjectKeyIdentifier |
keyUsage |
extendedKeyUsage |
privateKeyUsagePeriod |
certificatePolicies |
policyMappings |
subjectAltName |
issuerAltName |
basicConstraints |
nameConstraints |
policyConstraints |
cRLDistributionPoints |
subjectDirectoryAttributes |
authorityInfoAccess |
biometricInfo |
qcStatements, ... }
-- The following information object set is defined to constrain the
-- set of legal certificate extensions. Note that this set is an
-- extension of the ExtensionSet defined in RFC 2459.
ExtensionSet EXTENSION ::= {
authorityKeyIdentifier |
subjectKeyIdentifier |
keyUsage |
extendedKeyUsage |
privateKeyUsagePeriod |
certificatePolicies |
policyMappings |
subjectAltName |
issuerAltName |
basicConstraints |
nameConstraints |
policyConstraints |
cRLDistributionPoints |
subjectDirectoryAttributes |
authorityInfoAccess |
biometricInfo |
qcStatements, ... }
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- distinguished names. The set may of course be augmented to meet
-- local requirements. Note that deleting members of the set may
-- prevent interoperability with conforming implementations, and that
-- this set is an extension of the SupportedAttributes set in RFC 2459.
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- distinguished names. The set may of course be augmented to meet
-- local requirements. Note that deleting members of the set may
-- prevent interoperability with conforming implementations, and that
-- this set is an extension of the SupportedAttributes set in RFC 2459.
SupportedAttributes ATTRIBUTE ::= {
countryName | commonName | surname | givenName | pseudonym |
serialNumber | organizationName | organizationalUnitName |
stateOrProvinceName | localityName | postalAddress |
SupportedAttributes ATTRIBUTE ::= {
countryName | commonName | surname | givenName | pseudonym |
serialNumber | organizationName | organizationalUnitName |
stateOrProvinceName | localityName | postalAddress |
pkcs9email | domainComponent | dnQualifier, ... -- For future extensions -- }
pkcs9email |域组件| dnQualifier,…--对于将来的扩展--}
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- subjectDirectoryAttribute extensions. The set may be augmented to
-- meet local requirements. Note that deleting members of the set
-- may prevent interoperability with conforming implementations.
PersonalDataAttributeSet ATTRIBUTE ::= {
title | dateOfBirth | placeOfBirth | gender | countryOfCitizenship |
countryOfResidence, ... }
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize in
-- subjectDirectoryAttribute extensions. The set may be augmented to
-- meet local requirements. Note that deleting members of the set
-- may prevent interoperability with conforming implementations.
PersonalDataAttributeSet ATTRIBUTE ::= {
title | dateOfBirth | placeOfBirth | gender | countryOfCitizenship |
countryOfResidence, ... }
-- Attributes
--属性
-- serialNumber from X.520
serialNumber ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1..64))
ID id-at-serialNumber }
-- serialNumber from X.520
serialNumber ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1..64))
ID id-at-serialNumber }
-- postalAddress from X.520
postalAddress ATTRIBUTE ::= {
WITH SYNTAX SEQUENCE SIZE (1..6) OF DirectoryString { 30 }
ID id-at-postalAddress }
-- postalAddress from X.520
postalAddress ATTRIBUTE ::= {
WITH SYNTAX SEQUENCE SIZE (1..6) OF DirectoryString { 30 }
ID id-at-postalAddress }
-- pseudonym from (forthcoming) X.520)
pseudonym ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-at-pseudonym }
-- pseudonym from (forthcoming) X.520)
pseudonym ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-at-pseudonym }
-- domainComponent from RFC 2247
domainComponent ATTRIBUTE ::= {
WITH SYNTAX IA5String
ID id-domainComponent }
-- domainComponent from RFC 2247
domainComponent ATTRIBUTE ::= {
WITH SYNTAX IA5String
ID id-domainComponent }
dateOfBirth ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
ID id-pda-dateOfBirth }
dateOfBirth ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
ID id-pda-dateOfBirth }
placeOfBirth ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-pda-placeOfBirth }
placeOfBirth ATTRIBUTE ::= {
WITH SYNTAX DirectoryString { ub-name }
ID id-pda-placeOfBirth }
gender ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
ID id-pda-gender }
gender ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
ID id-pda-gender }
countryOfCitizenship ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
countryOfCitizenship ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfCitizenship }
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfCitizenship }
countryOfResidence ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfResidence }
countryOfResidence ATTRIBUTE ::= {
WITH SYNTAX PrintableString (SIZE (2))
(CONSTRAINED BY { -- ISO 3166 codes only -- })
ID id-pda-countryOfResidence }
-- Private extensions
--专用扩展
-- Biometric info extension
--生物特征信息扩展
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
biometricInfo EXTENSION ::= {
SYNTAX BiometricSyntax
IDENTIFIED BY id-pe-biometricInfo }
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricSyntax ::= SEQUENCE OF BiometricData
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL,
... -- For future extensions -- }
BiometricData ::= SEQUENCE {
typeOfBiometricData TypeOfBiometricData,
hashAlgorithm AlgorithmIdentifier,
biometricDataHash OCTET STRING,
sourceDataUri IA5String OPTIONAL,
... -- For future extensions -- }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
TypeOfBiometricData ::= CHOICE {
predefinedBiometricType PredefinedBiometricType,
biometricDataOid OBJECT IDENTIFIER }
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
PredefinedBiometricType ::= INTEGER { picture(0),
handwritten-signature(1)} (picture|handwritten-signature,...)
-- QC Statements Extension
--质量控制声明扩展
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
qcStatements EXTENSION ::= {
SYNTAX QCStatements
IDENTIFIED BY id-pe-qcStatements }
QCStatements ::= SEQUENCE OF QCStatement
QCStatements ::= SEQUENCE OF QCStatement
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QCStatement ::= SEQUENCE {
statementId QC-STATEMENT.&id({SupportedStatements}),
statementInfo QC-STATEMENT.&Type
({SupportedStatements}{@statementId}) OPTIONAL }
QC-STATEMENT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL }
QC-STATEMENT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL }
WITH SYNTAX {
[SYNTAX &Type] IDENTIFIED BY &id }
WITH SYNTAX {
[SYNTAX &Type] IDENTIFIED BY &id }
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). The SemanticsInformation may optionally contain
-- additional semantics information as specified.
qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
-- This statement identifies conformance with syntax and
-- semantics defined in this Qualified Certificate profile
-- (Version 1). The SemanticsInformation may optionally contain
-- additional semantics information as specified.
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
}(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
SemanticsInformation ::= SEQUENCE {
semanticsIdentifier OBJECT IDENTIFIER OPTIONAL,
nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
}(WITH COMPONENTS {..., semanticsIdentifier PRESENT}|
WITH COMPONENTS {..., nameRegistrationAuthorities PRESENT})
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
NameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralName
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize as QCSs.
SupportedStatements QC-STATEMENT ::= {
qcStatement-1, ... -- For future extensions -- }
-- The following information object set is defined to constrain the
-- set of attributes applications are required to recognize as QCSs.
SupportedStatements QC-STATEMENT ::= {
qcStatement-1, ... -- For future extensions -- }
END
终止
B. A Note on Attributes
B.关于属性的说明
This document defines several new attributes, both for use in the subject field of issued certificates and in the subjectDirectoryAttributes extension. In the interest of conformity, they have been defined here using the ASN.1 ATTRIBUTE definition from RFC 2459, which is sufficient for the purposes of this document, but greatly simplified in comparison with ISO/ITU's definition. A complete definition of these new attributes (including matching rules), along with object classes to support them in LDAP-accessible directories, can be found in [PKCS 9].
本文档定义了几个新属性,用于已颁发证书的主题字段和subjectDirectoryAttributes扩展。为了一致性,此处使用RFC 2459中的ASN.1属性定义对其进行了定义,这对于本文件而言已经足够,但与ISO/ITU的定义相比,大大简化了定义。这些新属性(包括匹配规则)的完整定义,以及在LDAP可访问目录中支持它们的对象类,可以在[PKCS 9]中找到。
C. Example Certificate
C.证书范例
This section contains the ASN.1 structure, an ASN.1 dump, and the DER-encoding of a certificate issued in conformance with this profile. The example has been developed with the help of the OSS ASN.1 compiler. The certificate has the following characteristics:
本节包含ASN.1结构、ASN.1转储和根据此配置文件颁发的证书的DER编码。该示例是在OSS ASN.1编译器的帮助下开发的。该证书具有以下特点:
1. The certificate is signed with RSA and the SHA-1 hash algorithm 2. The issuer's distinguished name is O=GMD - Forschungszentrum Informationstechnik GmbH; C=DE
1. 证书使用RSA和SHA-1哈希算法2进行签名。发行人的专有名称为O=GMD-Forschungszentrum Information Stechnik GmbH;C=DE
3. The subject's distinguished name is CN=Petra M. Barzin, O=GMD - Forschungszentrum Informationstechnik GmbH, C=DE 4. The certificate was issued on May 1, 2000 and will expire on November 1, 2000 5. The certificate contains a 1024 bit RSA key 6. The certificate includes a critical key usage extension exclusively indicating non-repudiation 7. The certificate includes a certificate policy identifier extension indicating the practices and procedures undertaken by the issuing CA (object identifier 1.3.36.8.1.1). The certificate policy object identifier is defined by TeleTrust, Germany. It is required to be set in a certificate conformant to the German digital signature law. 8. The certificate includes a subject directory attributes extension containing the following attributes:
3. 受试者的专有名称为CN=Petra M.Barzin,O=GMD-Forschungszentrum Information Stechnik GmbH,C=DE 4。该证明书于二○○○年五月一日发出,将于二○○○年十一月一日届满。证书包含1024位RSA密钥6。该证书包括一个关键密钥使用扩展,专门指示不可否认性7。该证书包括一个证书策略标识符扩展,指示颁发CA采取的实践和程序(对象标识符1.3.36.8.1.1)。证书策略对象标识符由德国TeleTrust公司定义。它需要在符合德国数字签名法的证书中设置。8.该证书包括一个主题目录属性扩展,其中包含以下属性:
surname: Barzin given name: Petra date of birth: October, 14th 1971 place of birth: Darmstadt country of citizenship:Germany gender: Female
姓氏:巴津姓名:佩特拉出生日期:1971年10月14日出生地点:达姆施塔特国籍国:德国性别:女性
9. The certificate includes a qualified statement private extension indicating that the naming registration authority's name as "municipality@darmstadt.de". 10. The certificate includes, in conformance with RFC 2459, an authority key identifier extension.
9. 该证书包括一个限定声明,表明命名登记机构的名称为“municipality@darmstadt.de". 10根据RFC 2459,该证书包括一个授权密钥标识符扩展。
Since extensions are DER-encoded already when placed in the structure to be signed, they are for clarity shown here in the value notation defined in [X.680].
由于扩展在放入要签名的结构中时已经进行了DER编码,因此为了清楚起见,在[X.680]中定义的值表示法中显示了扩展。
petrasSubjDirAttrs AttributesSyntax ::= {
{
type id-pda-countryOfCitizenship,
values {
PrintableString : "DE"
}
},
{
type id-pda-gender,
petrasSubjDirAttrs AttributesSyntax ::= {
{
type id-pda-countryOfCitizenship,
values {
PrintableString : "DE"
}
},
{
type id-pda-gender,
values {
PrintableString : "F"
}
},
{
type id-pda-dateOfBirth,
values {
GeneralizedTime : "197110140000Z"
}
},
{
type id-pda-placeOfBirth,
values {
DirectoryString : utf8String : "Darmstadt"
}
}
}
values {
PrintableString : "F"
}
},
{
type id-pda-dateOfBirth,
values {
GeneralizedTime : "197110140000Z"
}
},
{
type id-pda-placeOfBirth,
values {
DirectoryString : utf8String : "Darmstadt"
}
}
}
petrasKeyUsage KeyUsage ::= {nonRepudiation}
petrasKeyUsage KeyUsage ::= {nonRepudiation}
petrasCertificatePolicies CertificatePoliciesSyntax ::= {
{
policyIdentifier {1 3 36 8 1 1}
}
}
petrasCertificatePolicies CertificatePoliciesSyntax ::= {
{
policyIdentifier {1 3 36 8 1 1}
}
}
petrasQCStatement QCStatements ::= {
{
statementId id-qcs-pkixQCSyntax-v1,
statementInfo SemanticsInformation : {
nameRegistrationAuthorities {
rfc822Name : "municipality@darmstadt.de"
}
}
}
}
petrasQCStatement QCStatements ::= {
{
statementId id-qcs-pkixQCSyntax-v1,
statementInfo SemanticsInformation : {
nameRegistrationAuthorities {
rfc822Name : "municipality@darmstadt.de"
}
}
}
}
petrasAKI AuthorityKeyIdentifier ::= {
keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H
}
petrasAKI AuthorityKeyIdentifier ::= {
keyIdentifier '000102030405060708090A0B0C0D0E0FFEDCBA98'H
}
The signed portion of the certificate is shown here in the value notation defined in [X.680]. Note that extension values are already DER encoded in this structure. Some values has been truncated for readability purposes.
证书的签名部分在此以[X.680]中定义的值表示法显示。请注意,扩展值已经在此结构中进行了DER编码。出于可读性目的,某些值已被截断。
{
version v3,
serialNumber 1234567890,
signature
{
algorithm { 1 2 840 113549 1 1 5 },
parameters RSAParams : NULL
},
issuer rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
"GMD - Forschungszentrum Informationstechnik GmbH"
}
}
},
validity
{
notBefore utcTime : "000501100000Z",
notAfter utcTime : "001101100000Z"
},
subject rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
{
version v3,
serialNumber 1234567890,
signature
{
algorithm { 1 2 840 113549 1 1 5 },
parameters RSAParams : NULL
},
issuer rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
"GMD - Forschungszentrum Informationstechnik GmbH"
}
}
},
validity
{
notBefore utcTime : "000501100000Z",
notAfter utcTime : "001101100000Z"
},
subject rdnSequence :
{
{
{
type { 2 5 4 6 },
value PrintableString : "DE"
}
},
{
{
type { 2 5 4 10 },
value UTF8String :
"GMD Forschungszentrum Informationstechnik GmbH"
}
},
{
{
type { 2 5 4 4 },
value UTF8String : "Barzin"
},
{
type { 2 5 4 42 },
value UTF8String : "Petra"
}
}
},
subjectPublicKeyInfo
{
algorithm
{
algorithm { 1 2 840 113549 1 1 1 },
parameters RSAParams : NULL
},
subjectPublicKey '00110000 10000001 10000111 00000010 1000 ...'B
},
extensions
{
{
extnId { 2 5 29 9 }, -- subjectDirectoryAttributes
extnValue '305B301006082B06010505070904310413024445300F0 ...'H
},
{
extnId { 2 5 29 15 }, -- keyUsage
critical TRUE,
extnValue '03020640'H
},
{
extnId { 2 5 29 32 }, -- certificatePolicies
extnValue '3009300706052B24080101'H
},
{
extnId { 2 5 29 35 }, -- authorityKeyIdentifier
extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H
},
{
extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements
extnValue '302B302906082B06010505070B01301D301B81196D756 ...'H
}
}
}
"GMD Forschungszentrum Informationstechnik GmbH"
}
},
{
{
type { 2 5 4 4 },
value UTF8String : "Barzin"
},
{
type { 2 5 4 42 },
value UTF8String : "Petra"
}
}
},
subjectPublicKeyInfo
{
algorithm
{
algorithm { 1 2 840 113549 1 1 1 },
parameters RSAParams : NULL
},
subjectPublicKey '00110000 10000001 10000111 00000010 1000 ...'B
},
extensions
{
{
extnId { 2 5 29 9 }, -- subjectDirectoryAttributes
extnValue '305B301006082B06010505070904310413024445300F0 ...'H
},
{
extnId { 2 5 29 15 }, -- keyUsage
critical TRUE,
extnValue '03020640'H
},
{
extnId { 2 5 29 32 }, -- certificatePolicies
extnValue '3009300706052B24080101'H
},
{
extnId { 2 5 29 35 }, -- authorityKeyIdentifier
extnValue '30168014000102030405060708090A0B0C0D0E0FFEDCBA98'H
},
{
extnId { 1 3 6 1 5 5 7 1 3 }, -- qcStatements
extnValue '302B302906082B06010505070B01301D301B81196D756 ...'H
}
}
}
This section contains an ASN.1 dump of the signed portion of the certificate. Some values has been truncated for readability purposes.
本节包含证书签名部分的ASN.1转储。出于可读性目的,某些值已被截断。
TBSCertificate SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 631
version : tag = [0] constructed; length = 3
Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1
2
serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2]
primitive; length = 4
1234567890
signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 9
{ 1 2 840 113549 1 1 5 }
parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive;
length = 0
NULL
issuer Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 72
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 6 }
value OpenType: PrintableString: tag = [UNIVERSAL 19]
primitive; length = 2
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 57
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 55
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 10 }
value OpenType : UTF8String: tag = [UNIVERSAL 12]
primitive; length = 48
0x474d44202d20466f72736368756e67737a656e7472756d2049...
validity Validity SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 30
notBefore Time CHOICE
TBSCertificate SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 631
version : tag = [0] constructed; length = 3
Version INTEGER: tag = [UNIVERSAL 2] primitive; length = 1
2
serialNumber CertificateSerialNumber INTEGER: tag = [UNIVERSAL 2]
primitive; length = 4
1234567890
signature AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 9
{ 1 2 840 113549 1 1 5 }
parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive;
length = 0
NULL
issuer Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 72
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 6 }
value OpenType: PrintableString: tag = [UNIVERSAL 19]
primitive; length = 2
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 57
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 55
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 10 }
value OpenType : UTF8String: tag = [UNIVERSAL 12]
primitive; length = 48
0x474d44202d20466f72736368756e67737a656e7472756d2049...
validity Validity SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 30
notBefore Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
000501100000Z
notAfter Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
001101100000Z
subject Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 101
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 6 }
value OpenType: PrintableString: tag = [UNIVERSAL 19]
primitive; length = 2
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 55
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 53
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 10 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 46
0x474d4420466f72736368756e67737a656e7472756d20496e66...
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 29
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 4 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 6
0x4261727a696e
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 12
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 42 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 5
0x5065747261
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: tag =
[UNIVERSAL 16] constructed; length = 157
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
000501100000Z
notAfter Time CHOICE
utcTime UTCTime: tag = [UNIVERSAL 23] primitive; length = 13
001101100000Z
subject Name CHOICE
rdnSequence RDNSequence SEQUENCE OF: tag = [UNIVERSAL 16]
constructed; length = 101
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 11
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 9
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 6 }
value OpenType: PrintableString: tag = [UNIVERSAL 19]
primitive; length = 2
"DE"
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 55
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 53
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 10 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 46
0x474d4420466f72736368756e67737a656e7472756d20496e66...
RelativeDistinguishedName SET OF: tag = [UNIVERSAL 17]
constructed; length = 29
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 4 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 6
0x4261727a696e
AttributeTypeAndValue SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 12
type OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 4 42 }
value OpenType: UTF8String: tag = [UNIVERSAL 12]
primitive; length = 5
0x5065747261
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE: tag =
[UNIVERSAL 16] constructed; length = 157
algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 9
{ 1 2 840 113549 1 1 1 }
parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive;
length = 0
NULL
subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] primitive;
length = 139
0x0030818702818100b8488400d4b6088be48ead459ca19ec717aaf3d1d...
extensions : tag = [3] constructed; length = 233
Extensions SEQUENCE OF: tag = [UNIVERSAL 16] constructed;
length = 230
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 100
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 9 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 93
0x305b301006082b06010505070904310413024445300f06082b060...
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 14
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 15 }
critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1
TRUE
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 4
0x03020640
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 18
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 32 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 11
0x3009300706052b24080101
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 31
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 35 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 24
0x30168014000102030405060708090a0b0c0d0e0ffedcba98
algorithm AlgorithmIdentifier SEQUENCE: tag = [UNIVERSAL 16]
constructed; length = 13
algorithm OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 9
{ 1 2 840 113549 1 1 1 }
parameters OpenType: NULL: tag = [UNIVERSAL 5] primitive;
length = 0
NULL
subjectPublicKey BIT STRING: tag = [UNIVERSAL 3] primitive;
length = 139
0x0030818702818100b8488400d4b6088be48ead459ca19ec717aaf3d1d...
extensions : tag = [3] constructed; length = 233
Extensions SEQUENCE OF: tag = [UNIVERSAL 16] constructed;
length = 230
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 100
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 9 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 93
0x305b301006082b06010505070904310413024445300f06082b060...
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 14
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 15 }
critical BOOLEAN: tag = [UNIVERSAL 1] primitive; length = 1
TRUE
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 4
0x03020640
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 18
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 32 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 11
0x3009300706052b24080101
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 31
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 3
{ 2 5 29 35 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 24
0x30168014000102030405060708090a0b0c0d0e0ffedcba98
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 57
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 8
{ 1 3 6 1 5 5 7 1 3 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 45
0x302b302906082b06010505070b01301d301b81196d756e6963697...
Extension SEQUENCE: tag = [UNIVERSAL 16] constructed;
length = 57
extnId OBJECT IDENTIFIER: tag = [UNIVERSAL 6] primitive;
length = 8
{ 1 3 6 1 5 5 7 1 3 }
extnValue OCTET STRING: tag = [UNIVERSAL 4] primitive;
length = 45
0x302b302906082b06010505070b01301d301b81196d756e6963697...
This section contains the full, DER-encoded certificate, in hex.
本节包含完整的DER编码证书(十六进制)。
3082030E30820277A0030201020204499602D2300D06092A864886F70D010105
05003048310B300906035504061302444531393037060355040A0C30474D4420
2D20466F72736368756E67737A656E7472756D20496E666F726D6174696F6E73
746563686E696B20476D6248301E170D3030303530313130303030305A170D30
30313130313130303030305A3065310B30090603550406130244453137303506
0355040A0C2E474D4420466F72736368756E67737A656E7472756D20496E666F
726D6174696F6E73746563686E696B20476D6248311D300C060355042A0C0550
65747261300D06035504040C064261727A696E30819D300D06092A864886F70D
010101050003818B0030818702818100B8488400D4B6088BE48EAD459CA19EC7
17AAF3D1D4EE3ECCA496128A13597D16CC8B85EB37EFCE110C63B01E684E5CF6
32291EAC60FD153C266EAAC36AD4CEA92319F9BFDD261AD2BFE41EAB4E17FE67
8341EE52D9A0A8B4DEC07B7ACC76762514045CEE9994E0CF37BAE05F8DE33B35
FF98BCE77742CE4B12273BD122137FE9020105A381E93081E630640603551D09
045D305B301006082B06010505070904310413024445300F06082B0601050507
09033103130146301D06082B060105050709013111180F313937313130313430
30303030305A301706082B06010505070902310B0C094461726D737461647430
0E0603551D0F0101FF04040302064030120603551D20040B3009300706052B24
080101301F0603551D23041830168014000102030405060708090A0B0C0D0E0F
FEDCBA98303906082B06010505070103042D302B302906082B06010505070B01
301D301B81196D756E69636970616C697479406461726D73746164742E646530
0D06092A864886F70D01010505000381810048FD14D9AFE961E4321D9AA40CC0
1C12893550CF76FBECBDE448926B0AE6F904AB89E7B5F808666FB007218AC18D
28CE1E2D40FBF8C16B275CBA0547D7885B74059DEC736223368FC1602A510BC1
EB31E39F3967BE6B413D48BC743A0AB19C57FD20F3B393E8FEBD8B05CAA5007D
AD36F9D789AEF636A0AC0F93BCB3711B5907
3082030E30820277A0030201020204499602D2300D06092A864886F70D010105
05003048310B300906035504061302444531393037060355040A0C30474D4420
2D20466F72736368756E67737A656E7472756D20496E666F726D6174696F6E73
746563686E696B20476D6248301E170D3030303530313130303030305A170D30
30313130313130303030305A3065310B30090603550406130244453137303506
0355040A0C2E474D4420466F72736368756E67737A656E7472756D20496E666F
726D6174696F6E73746563686E696B20476D6248311D300C060355042A0C0550
65747261300D06035504040C064261727A696E30819D300D06092A864886F70D
010101050003818B0030818702818100B8488400D4B6088BE48EAD459CA19EC7
17AAF3D1D4EE3ECCA496128A13597D16CC8B85EB37EFCE110C63B01E684E5CF6
32291EAC60FD153C266EAAC36AD4CEA92319F9BFDD261AD2BFE41EAB4E17FE67
8341EE52D9A0A8B4DEC07B7ACC76762514045CEE9994E0CF37BAE05F8DE33B35
FF98BCE77742CE4B12273BD122137FE9020105A381E93081E630640603551D09
045D305B301006082B06010505070904310413024445300F06082B0601050507
09033103130146301D06082B060105050709013111180F313937313130313430
30303030305A301706082B06010505070902310B0C094461726D737461647430
0E0603551D0F0101FF04040302064030120603551D20040B3009300706052B24
080101301F0603551D23041830168014000102030405060708090A0B0C0D0E0F
FEDCBA98303906082B06010505070103042D302B302906082B06010505070B01
301D301B81196D756E69636970616C697479406461726D73746164742E646530
0D06092A864886F70D01010505000381810048FD14D9AFE961E4321D9AA40CC0
1C12893550CF76FBECBDE448926B0AE6F904AB89E7B5F808666FB007218AC18D
28CE1E2D40FBF8C16B275CBA0547D7885B74059DEC736223368FC1602A510BC1
EB31E39F3967BE6B413D48BC743A0AB19C57FD20F3B393E8FEBD8B05CAA5007D
AD36F9D789AEF636A0AC0F93BCB3711B5907
This section contains the DER-encoded public RSA key of the CA who signed the example certificate. It is included with the purpose of simplifying verifications of the example certificate.
本节包含签署示例证书的CA的DER编码公钥RSA。其目的在于简化示例证书的验证。
30818902818100ad1f35964b3674c807b9f8a645d2c8174e514b69a4b46a7382 915abbc44eccede914dae8fcc023abcea9c53380e641795cb0dda664b872fc10 9f9bbb852bf42d994f634c681608e388dce240b558513e5b60027bd1a07cef9c 9b6db37c7e1f1abd238eed96e4b669056b260f55e83f14e6027127c9deb3ad18 afcd3f8a5f5bf50203010001
30818902818100ad1f35964b3674c807b9f8a645d2c8174e514b69a4b46a7382 915ABC44ECCEADE8FCC023ABCEA9C53380E641795CB0DDA664B664B872FC10 9F9BBB852BF42D994F634C681608E388DCE240B55513E5B60027BD1A07CEF9C 9B6B37C7E1238EED96E469056B260F55E83F4027127BF03010001
Authors' Addresses
作者地址
Stefan Santesson AddTrust AB P.O. Box 465 S-201 24 Malmo Sweden
Stefan Santesson AddTrust AB邮政信箱465 S-201 24瑞典马尔默
EMail: stefan@addtrust.com
EMail: stefan@addtrust.com
Tim Polk NIST Building 820, Room 426 Gaithersburg, MD 20899, USA
美国马里兰州盖瑟斯堡426室820号NIST大楼Tim Polk 20899
EMail: wpolk@nist.gov
EMail: wpolk@nist.gov
Petra Barzin SECUDE - Sicherheitstechnologie Informationssysteme GmbH Landwehrstrasse 50a D-64293 Darmstadt Germany
Petra Barzin SECUDE-Sicherheitstechnologie informations system GmbH德国达姆施塔特市兰德韦尔斯特拉斯50a D-64293
EMail: barzin@secude.com
EMail: barzin@secude.com
Magnus Nystrom RSA Security AB Box 10704 S-121 29 Stockholm Sweden
Magnus Nystrom RSA Security AB信箱10704 S-121 29瑞典斯德哥尔摩
EMail: magnus@rsasecurity.com
EMail: magnus@rsasecurity.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。