Network Working Group                                          D. Pinkas
Request for Comments: 4043                                          Bull
Category: Standards Track                                      T. Gindin
                                                                     IBM
                                                                May 2005
Internet X.509 Public Key Infrastructure Permanent Identifier
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document defines a new form of name, called permanent identifier, that may be included in the subjectAltName extension of a public key certificate issued to an entity.
The permanent identifier is an optional feature that may be used by a CA to indicate that two or more certificates relate to the same entity, even if they contain different subject names (DNs) or different names in the subjectAltName extension, or if the name or the affiliation of that entity, stored in the subject field or in another name form in the subjectAltName extension, has changed.
The subject name, carried in the subject field, is only unique for each subject entity certified by the one CA as defined by the issuer name field. However, the new name form can carry a name that is unique for each subject entity certified by a CA.
Table of Contents
   1. Introduction
   2. Definition of a Permanent Identifier
   3. IANA Considerations
   4. Security Considerations
   5. References
      5.1. Normative References
      5.2. Informative References
   Appendix A. ASN.1 Syntax
      A.1. 1988 ASN.1 Module
      A.2. 1993 ASN.1 Module
   Appendix B. OID's for organizations
      B.1. Using IANA (Internet Assigned Numbers Authority)
      B.2. Using an ISO Member Body
      B.3. Using an ICD (International Code Designator) From British
           Standards Institution to Specify a New or an Existing
           Identification Scheme
   Authors' Addresses
   Full Copyright Statement
1. Introduction

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This specification is based on [RFC3280], which defines underlying certificate formats and semantics needed for a full implementation of this standard.
The subject field of a public key certificate identifies the entity associated with the public key stored in the subject public key field. Names and identities of a subject may be carried in the subject field and/or the subjectAltName extension. Where the subject field is non-empty, it MUST contain an X.500 distinguished name (DN). The DN MUST be unique for each subject entity certified by a single CA as defined by the issuer name field.
The subject name changes whenever any of the components of that name gets changed. There are several reasons for such a change to happen.
For employees of a company or organization, the person may get a different position within the same company and thus will move from one organization unit to another one. Including the organization unit in the name may however be very useful to allow the relying parties (RP's) using that certificate to identify the right individual.
For citizens, an individual may change their name by legal processes, especially as a result of marriage.
Any certificate subject identified by geographical location may relocate and change at least some of the location attributes (e.g., country name, state or province, locality, or street).
A permanent identifier consists of an identifier value assigned within a given naming space by the organization which is authoritative for that naming space. The organization assigning the identifier value may be the CA that has issued the certificate or a different organization called an Assigner Authority.
An Assigner Authority may be a government, a government agency, a corporation, or any other sort of organization. It MUST have a unique identifier to distinguish it from any other such authority. In this standard, that identifier MUST be an object identifier.
A permanent identifier may be useful in three contexts: access control, non-repudiation and audit records.
For access control, the permanent identifier may be used in an ACL (Access Control List) instead of the DN or any other form of name and would not need to be changed, even if the subject name of the entity changes. For non-repudiation, the permanent identifier may be used to link different transactions to the same entity, even when the subject name of the entity changes.
For audit records, the permanent identifier may be used to link different audit records to the same entity, even when the subject name of the entity changes.
For two certificates which have been both verified to be valid according to a given validation policy and which contain a permanent identifier, those certificates relate to the same entity if their permanent identifiers match, whatever the content of the DN or other subjectAltName components may be.
Since the use of permanent identifiers may conflict with privacy, CAs SHOULD advertise to purchasers of certificates the use of permanent identifiers in certificates.
2. Definition of a Permanent Identifier

This Permanent Identifier is a name defined as a form of otherName from the GeneralName structure in SubjectAltName, as defined in [X.509] and [RFC3280].
A CA which includes a permanent identifier in a certificate is certifying that any public key certificate containing the same values for that identifier refers to the same entity.
The use of a permanent identifier is OPTIONAL. The permanent identifier is defined as follows:
   id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 }

   PermanentIdentifier ::= SEQUENCE {
       identifierValue    UTF8String           OPTIONAL,
                          -- if absent, use a serialNumber attribute,
                          -- if there is such an attribute present
                          -- in the subject DN
       assigner           OBJECT IDENTIFIER    OPTIONAL
                          -- if absent, the assigner is
                          -- the certificate issuer
   }
The identifierValue field is optional.
When the identifierValue field is present, then the identifierValue supports one syntax: UTF8String.
When the identifierValue field is absent, then the value of the serialNumber attribute (as defined in section 5.2.9 of [X.520]) from the deepest RDN of the subject DN is the value to be taken for the identifierValue. In such a case, there MUST be at least one serialNumber attribute in the subject DN, otherwise the PermanentIdentifier SHALL NOT be used.
The assigner field is optional.
When the assigner field is present, then it is an OID which identifies a naming space, i.e., both an Assigner Authority and the type of that field. Characteristically, the prefix of the OID identifies the Assigner Authority, and a suffix is used to identify the type of permanent identifier.
When the assigner field is absent, then the permanent identifier is locally unique to the CA.
The various combinations are detailed below:
1. Both the assigner and the identifierValue fields are present:
The identifierValue is the value for that type of identifier. The assigner field identifies the Assigner Authority and the type of permanent identifier being identified.
The permanent identifier is globally unique among all CAs. In such a case, two permanent identifiers of this type match if and only if their assigner fields match and the contents of the identifierValue field in the two permanent identifiers consist of the same Unicode code points presented in the same order.
2. The assigner field is absent and the identifierValue field is present:
The Assigner Authority is the CA that has issued the certificate. The identifierValue is given by the CA and the permanent identifier is only local to the CA that has issued the certificate.
In such a case, two permanent identifiers of this type match if and only if the issuer DN's in the certificates which contain them match using the distinguishedNameMatch rule, as defined in X.501, and the two values of the identifierValue field consist of the same Unicode code points presented in the same order.
3. Both the assigner and the identifierValue fields are absent:
If there are one or more RDNs containing a serialNumber attribute (alone or accompanied by other attributes), then the value contained in the serialNumber of the deepest such RDN SHALL be used as the identifierValue; otherwise, the Permanent Identifier definition is invalid and the Permanent Identifier SHALL NOT be used.
The permanent identifier is only local to the CA that has issued the certificate. In such a case, two permanent identifiers of this type match if and only if the issuer DN's in the certificates which contain them match and the serialNumber attributes within the subject DN's of those same certificates also match using the caseIgnoreMatch rule.
4. The assigner field is present and the identifierValue field is absent:
If there are one or more RDNs containing a serialNumber attribute (alone or accompanied by other attributes), then the value contained in the serialNumber of the deepest such RDN SHALL be used as the identifierValue; otherwise, the Permanent Identifier definition is invalid and the Permanent Identifier SHALL NOT be used.
The assigner field identifies the Assigner Authority and the type of permanent identifier being identified.
The permanent identifier is globally unique among all CAs. In such a case, two permanent identifiers of this type match if and only if their assigner fields match and the contents of the serialNumber attributes within the subject DN's of those same certificates match using the caseIgnoreMatch rule.
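As an added example that is not part of the RFC, the following Python applies the four matching combinations above to constructed certificate views (issuer DN, subject DN, PermanentIdentifier). The distinguishedNameMatch and caseIgnoreMatch comparisons are simplified approximations of the X.501/X.520 rules (case-insensitive, insignificant spaces ignored), and the extra CA-identity checks from the Security Considerations are deliberately out of scope.

```python
"""Matching rules for RFC 4043 permanent identifiers (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A DN is an ordered list of RDNs (root first); each RDN is a list of
# (attributeType, value) pairs, e.g. [("serialNumber", "EMP-001")].
RDN = List[Tuple[str, str]]
DN = List[RDN]


@dataclass(frozen=True)
class PermanentIdentifier:
    identifier_value: Optional[str]   # UTF8String, OPTIONAL
    assigner: Optional[str]           # OID in dotted form, OPTIONAL


@dataclass
class CertView:
    """The parts of a certificate the matching rules look at (constructed, not parsed from DER)."""
    issuer: DN
    subject: DN
    perm_id: PermanentIdentifier


def combination(pid: PermanentIdentifier) -> int:
    """Return the RFC's combination number (1..4) for a PermanentIdentifier."""
    has_assigner = pid.assigner is not None
    has_value = pid.identifier_value is not None
    if has_assigner and has_value:
        return 1
    if not has_assigner and has_value:
        return 2
    if not has_assigner and not has_value:
        return 3
    return 4


def case_ignore_normalize(value: str) -> str:
    # Simplified X.520 caseIgnoreMatch: ignore case and insignificant spaces.
    return " ".join(value.split()).casefold()


def dn_match(a: DN, b: DN) -> bool:
    # Simplified distinguishedNameMatch: same RDN sequence, attribute types
    # compared case-insensitively, attribute values with caseIgnoreMatch.
    if len(a) != len(b):
        return False
    for rdn_a, rdn_b in zip(a, b):
        norm_a = {(t.lower(), case_ignore_normalize(v)) for t, v in rdn_a}
        norm_b = {(t.lower(), case_ignore_normalize(v)) for t, v in rdn_b}
        if norm_a != norm_b:
            return False
    return True


def deepest_serial_number(subject: DN) -> Optional[str]:
    """serialNumber from the deepest RDN of the subject DN that carries one, or None."""
    for rdn in reversed(subject):
        for attr_type, value in rdn:
            if attr_type.lower() == "serialnumber":
                return value
    return None


def permanent_identifiers_match(a: CertView, b: CertView) -> Optional[bool]:
    """True/False per the section 2 rules; None when a PermanentIdentifier is
    invalid (identifierValue absent and no serialNumber in the subject DN)."""
    pa, pb = a.perm_id, b.perm_id
    # The RFC defines matching only between identifiers of the same
    # combination; anything else is treated as no match here.
    if combination(pa) != combination(pb):
        return False
    if pa.assigner is None:
        # Combinations 2 and 3: local to the issuing CA, so the issuer DNs
        # must match (distinguishedNameMatch).
        if not dn_match(a.issuer, b.issuer):
            return False
    elif pa.assigner != pb.assigner:
        # Combinations 1 and 4: the naming spaces must be the same.
        return False
    if pa.identifier_value is not None:
        # Combinations 1 and 2: identical Unicode code points, same order.
        return pa.identifier_value == pb.identifier_value
    sa = deepest_serial_number(a.subject)
    sb = deepest_serial_number(b.subject)
    if sa is None or sb is None:
        return None  # definition invalid: SHALL NOT be used
    # Combinations 3 and 4: serialNumber attributes compared with caseIgnoreMatch.
    return case_ignore_normalize(sa) == case_ignore_normalize(sb)
```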
Note: The full arc of the object identifier used to identify the permanent identifier name form is derived using:
   id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
       dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

   id-on OBJECT IDENTIFIER ::= { id-pkix 8 }   -- other name forms
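As an added example (not the RFC's own code), this Python encodes and decodes the PermanentIdentifier SEQUENCE defined in this section and wraps it in the GeneralName otherName form of [RFC3280], using id-on-permanentIdentifier = 1.3.6.1.5.5.7.8.3 from the arc just given. The minimal DER routines are written for this example and assume definite-length encoding; the assigner OID used in the test is a constructed placeholder.

```python
"""DER encoding/decoding of the RFC 4043 PermanentIdentifier otherName (added example)."""
from typing import Optional, Tuple

# id-pkix (1.3.6.1.5.5.7), id-on (8), permanentIdentifier (3)
ID_ON_PERMANENT_IDENTIFIER = "1.3.6.1.5.5.7.8.3"

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30
TAG_CONTEXT0_CONSTRUCTED = 0xA0   # [0], used by GeneralName.otherName and OtherName.value


def der_length(n: int) -> bytes:
    """Definite-length DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV from dotted notation, e.g. "1.3.6.1.4.1.99999.1"."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("malformed OID: %s" % dotted)
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        # base-128 subidentifier, high bit set on every octet but the last
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(octets))
    return tlv(TAG_OID, bytes(body))


def parse_oid(body: bytes) -> str:
    """Dotted OID from the content octets of an OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def encode_permanent_identifier(identifier_value: Optional[str], assigner: Optional[str]) -> bytes:
    """PermanentIdentifier ::= SEQUENCE { identifierValue UTF8String OPTIONAL,
                                          assigner OBJECT IDENTIFIER OPTIONAL }"""
    content = b""
    if identifier_value is not None:
        content += tlv(TAG_UTF8STRING, identifier_value.encode("utf-8"))
    if assigner is not None:
        content += der_oid(assigner)
    return tlv(TAG_SEQUENCE, content)


def encode_other_name(identifier_value: Optional[str], assigner: Optional[str]) -> bytes:
    """GeneralName.otherName: [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT ANY }."""
    perm_id = encode_permanent_identifier(identifier_value, assigner)
    other_name = der_oid(ID_ON_PERMANENT_IDENTIFIER) + tlv(TAG_CONTEXT0_CONSTRUCTED, perm_id)
    return tlv(TAG_CONTEXT0_CONSTRUCTED, other_name)


def decode_permanent_identifier(der: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Parse a PermanentIdentifier SEQUENCE back into (identifierValue, assigner)."""
    tag, content, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single PermanentIdentifier SEQUENCE")
    identifier_value = assigner = None
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        if tag == TAG_UTF8STRING and identifier_value is None and assigner is None:
            identifier_value = body.decode("utf-8")   # content conforms to [UTF-8]
        elif tag == TAG_OID and assigner is None:
            assigner = parse_oid(body)
        else:
            raise ValueError("unexpected or out-of-order element with tag 0x%02x" % tag)
    return identifier_value, assigner
```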
3. IANA Considerations

No IANA actions are necessary. However, a Private Enterprise Number may be used to construct an OID for the assigner field (see Appendix B.1).
4. Security Considerations

A given entity may have at an instant of time or at different instants of time multiple forms of identities. If the permanent identifier is locally unique to the CA (i.e., the assigner field is not present), then two certificates from the same CA can be compared.
When two certificates contain identical permanent identifiers, then a relying party may determine that they refer to the same entity.
If the permanent identifier is globally unique among all CAs (i.e., the assigner field is present), then two certificates from different CAs can be compared. When they contain two identical permanent identifiers, then a relying party may determine that they refer to the same entity. It is the responsibility of the CA to verify that the permanent identifier being included in the certificate refers to the subject being certified.
The permanent identifier identifies the entity, irrespective of any attribute extension. When a public key certificate contains attribute extensions, the permanent identifier, if present, should not be used for access control purposes but only for audit purposes. The reason is that since these attributes may change, access could be granted on attributes that were originally present in a certificate issued to that entity but are no longer present in the current certificate.
Subject names in certificates are chosen by the issuing CA and are mandated to be unique for each CA; so there can be no name collision between subject names from the same CA. Such a name may be an end-entity name when the certificate is a leaf certificate, or a CA name, when it is a CA certificate.
Since a name is only unique towards its superior CA, unless some naming constraints are being used, a name would only be guaranteed to be globally unique when considered to include a sequence of all the names of the superior CAs. Thus, two certificates that are issued under the same issuer DN and which contain the same permanent identifier extension without an assigner field do not necessarily refer to the same entity.
Additional checks need to be done, e.g., to check if the public key values of the two CAs which have issued the certificates to be compared are identical or if the sequence of CA names in the certification path from the trust anchor to the CA are identical.
When the above checks fail, the permanent identifiers may still match if there has been a CA key rollover. In such a case the checking is more complicated.
The certification of different CAs with the same DN by different CAs has other negative consequences in various parts of the PKI, notably rendering the IssuerAndSerialNumber structure in [RFC3852] section 10.2.4 ambiguous.
The permanent identifier allows organizations to create links between different certificates associated with an entity issued with or without overlapping validity periods. This ability to link different certificates may conflict with privacy. It is therefore important that a CA clearly disclose any plans to issue certificates which include a permanent identifier to potential subjects of those certificates.
5. References

5.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

   [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

   [X.501] ITU-T Rec. X.501 | ISO 9594-2: 2001: Information technology - Open Systems Interconnection - The Directory: Models, February 2001.

5.2. Informative References

   [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.

   [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997.

   [X.520] ITU-T Recommendation X.520: Information Technology - Open Systems Interconnection - The Directory: Selected Attribute Types, June 1997.

   [X.660] ITU-T Recommendation X.660: Information Technology - Open Systems Interconnection - Procedures for the Operation of OSI Registration Authorities: General Procedures, 1992.

   [X.680] ITU-T Recommendation X.680: Information Technology - Abstract Syntax Notation One, 1997.
Appendix A. ASN.1 Syntax

As in RFC 2459, ASN.1 modules are supplied in two different variants of the ASN.1 syntax.
This section describes data objects used by conforming PKI components in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with the 1993 UNIVERSAL Type UTF8String.
The ASN.1 syntax does not permit the inclusion of type statements in the ASN.1 module, and the 1993 ASN.1 standard does not permit use of the new UNIVERSAL types in modules using the 1988 syntax. As a result, this module does not conform to either version of the ASN.1 standard.
Appendix A.1 may be parsed by a 1988 ASN.1 parser by replacing the definitions for the UNIVERSAL Types with the 1988 catch-all "ANY".

Appendix A.2 may be parsed "as is" by a 1997-compliant ASN.1 parser.
In case of discrepancies between these modules, the 1988 module is the normative one.
Appendix A.1. 1988 ASN.1 Module

   PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-perm-id-88(28) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   -- UTF8String, / move hyphens before slash if UTF8String does not
                  -- resolve with your compiler
   -- The content of this type conforms to [UTF-8].

   id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3)
       dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-pkix1-explicit(18) } ;   -- from [RFC3280]

   -- Permanent identifier Object Identifier and Syntax

   id-on OBJECT IDENTIFIER ::= { id-pkix 8 }

   id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 }

   PermanentIdentifier ::= SEQUENCE {
       identifierValue    UTF8String           OPTIONAL,
                          -- if absent, use the serialNumber attribute
                          -- if there is a single such attribute present
                          -- in the subject DN
       assigner           OBJECT IDENTIFIER    OPTIONAL
                          -- if absent, the assigner is
                          -- the certificate issuer
   }

   END
Appendix A.2. 1993 ASN.1 Module

   PKIXpermanentidentifier93 {iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-perm-id-93(29) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   id-pkix FROM PKIX1Explicit88 { iso(1) identified-organization(3)
       dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-pkix1-explicit(18) }   -- from [RFC3280]

   ATTRIBUTE FROM InformationFramework {joint-iso-itu-t ds(5) module(1)
       informationFramework(1) 4};   -- from [X.501]

   -- Permanent identifier Object Identifiers

   id-on OBJECT IDENTIFIER ::= { id-pkix 8 }

   id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 }

   -- Permanent Identifier

   permanentIdentifier ATTRIBUTE ::= {
       WITH SYNTAX   PermanentIdentifier
       ID            id-on-permanentIdentifier }

   PermanentIdentifier ::= SEQUENCE {
       identifierValue    UTF8String           OPTIONAL,
                          -- if absent, use the serialNumber attribute
                          -- if there is a single such attribute present
                          -- in the subject DN
       assigner           OBJECT IDENTIFIER    OPTIONAL
                          -- if absent, the assigner is
                          -- the certificate issuer
   }

   END
Appendix B. OID's for organizations

In order to construct an OID for the assigner field, organizations need first to have a registered OID for themselves. Such an OID must be obtained from a registration authority following [X.660]. In some cases, OID's are provided for free. In other cases a one-time fee is required. The main difference lies in the nature of the information that is collected at the time of registration and how this information is verified for its accuracy.
Appendix B.1. Using IANA (Internet Assigned Numbers Authority)
The application form for a Private Enterprise Number in the IANA's OID list is: http://www.iana.org/cgi-bin/enterprise.pl.
Currently, IANA assigns numbers for free. The IANA-registered Private Enterprises prefix is: iso.org.dod.internet.private.enterprise (1.3.6.1.4.1)
These numbers are used, among other things, for defining private SNMP MIBs.
The official assignments under this OID are stored in the IANA file "enterprise-numbers" available at: http://www.iana.org/assignments/enterprise-numbers
Appendix B.2. Using an ISO Member Body
ISO has defined the OID structure in such a way that every ISO member-body has its own unique OID. Every ISO member-body is then free to allocate its own arc space below it.
Organizations and enterprises may contact the ISO member-body where their organization or enterprise is established to obtain an organization/enterprise OID.
Currently, ISO members do not assign organization/enterprise OID's for free.
Most of them do not publish registries of such OID's which they have assigned, sometimes restricting the access to registered organizations or preferring to charge inquirers for the assignee of an OID on a per-inquiry basis. The use of OID's from an ISO member organization which does not publish such a registry may impose extra costs on the CA that needs to make sure that the OID corresponds to the registered organization.
As an example, AFNOR (Association Francaise de Normalisation - the French organization that is a member of ISO) has defined an arc to allocate OID's for companies:
{iso (1) member-body (2) fr (250) type-org (1) organisation (n)}
Appendix B.3. Using an ICD (International Code Designator) From British Standards Institution to Specify a New or an Existing Identification Scheme
The International Code Designator (ICD) is used to uniquely identify an ISO 6523 compliant organization identification scheme. ISO 6523 is a standard that defines the proper structure of an identifier and the registration procedure for an ICD. The conjunction of the ICD with an identifier issued by the registration authority is worldwide unique.
The basic structure of the code contains the following components:
- the ICD value: The International Code Designator issued to the identification scheme makes the identifier worldwide unique (up to 4 digits),
- the Organization, usually a company or governmental body (up to 35 characters),
- an Organization Part (OPI - Organization Part Identifier). An identifier allocated to a particular Organization Part (optional, up to 35 characters)
The ICD is also equivalent to an object identifier (OID) under the arc {1(iso). 3(identified organization)}.
On behalf of ISO, British Standards Institution (BSI) is the Registration Authority for organizations under the arc {iso (1) org(3)}. This means BSI registers code issuing authorities (organizations) by ICD values which are equivalent to OIDs of the form {iso (1) org(3) icd(xxxx)}. The corresponding IdentifierValue is the code value of the scheme identified by icd(xxxx).
As an example, the ICD 0012 was allocated to European Computer Manufacturers Association: ECMA. Thus the OID for ECMA is {iso(1) org(3) ecma(12)}.
For registration with BSI, a "Sponsoring Authority" has to vouch for the Applying organization. Registration is not free. Recognized "Sponsoring Authorities" are: ISO Technical Committees or (Sub)Committees, Member Bodies of ISO or International Organizations having a liaison status with ISO or with any of its Technical (Sub)Committees.
An example of a Sponsoring Authority is the EDIRA Association (EDI/EC Registration Authority, web: http://www.edira.org, email:info@edira.org).
The numerical list of all ICDs that have been issued is posted on its webpage: http://www.edira.org/documents.htm#icd-List
Note: IANA owns ICD code 0090, but (presumably) it isn't intending to use it for the present purpose.
Authors' Addresses

   Denis Pinkas
   Bull
   Rue Jean-Jaures
   BP 68
   78340 Les Clayes-sous-Bois
   FRANCE

   EMail: Denis.Pinkas@bull.net

   Thomas Gindin
   IBM Corporation
   6710 Rockledge Drive
   Bethesda, MD 20817
   USA

   EMail: tgindin@us.ibm.com
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.