Network Working Group                                        T. Freeman
Request for Comments: 5055                               Microsoft Corp
Category: Standards Track                                    R. Housley
                                                         Vigil Security
                                                             A. Malpani
                                            Malpani Consulting Services
                                                              D. Cooper
                                                                W. Polk
                                                                   NIST
                                                          December 2007
        
Network Working Group                                        T. Freeman
Request for Comments: 5055                               Microsoft Corp
Category: Standards Track                                    R. Housley
                                                         Vigil Security
                                                             A. Malpani
                                            Malpani Consulting Services
                                                              D. Cooper
                                                                W. Polk
                                                                   NIST
                                                          December 2007
        

Server-Based Certificate Validation Protocol (SCVP)

基于服务器的证书验证协议(SCVP)

Status of This Memo

关于下段备忘

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Abstract

摘要

The Server-Based Certificate Validation Protocol (SCVP) allows a client to delegate certification path construction and certification path validation to a server. The path construction or validation (e.g., making sure that none of the certificates in the path are revoked) is performed according to a validation policy, which contains one or more trust anchors. It allows simplification of client implementations and use of a set of predefined validation policies.

基于服务器的证书验证协议(SCVP)允许客户端将证书路径构造和证书路径验证委托给服务器。根据包含一个或多个信任锚的验证策略执行路径构造或验证(例如,确保路径中的任何证书均未被吊销)。它允许简化客户端实现和使用一组预定义的验证策略。

Table of Contents

目录

   1. Introduction ....................................................4
      1.1. Terminology ................................................4
      1.2. SCVP Overview ..............................................5
      1.3. SCVP Requirements ..........................................5
      1.4. Validation Policies ........................................6
      1.5. Validation Algorithm .......................................7
      1.6. Validation Requirements ....................................8
   2. Protocol Overview ...............................................9
   3. Validation Request ..............................................9
      3.1. cvRequestVersion ..........................................12
      3.2. query .....................................................12
           3.2.1. queriedCerts .......................................13
           3.2.2. checks .............................................15
        
   1. Introduction ....................................................4
      1.1. Terminology ................................................4
      1.2. SCVP Overview ..............................................5
      1.3. SCVP Requirements ..........................................5
      1.4. Validation Policies ........................................6
      1.5. Validation Algorithm .......................................7
      1.6. Validation Requirements ....................................8
   2. Protocol Overview ...............................................9
   3. Validation Request ..............................................9
      3.1. cvRequestVersion ..........................................12
      3.2. query .....................................................12
           3.2.1. queriedCerts .......................................13
           3.2.2. checks .............................................15
        
           3.2.3. wantBack ...........................................16
           3.2.4. validationPolicy ...................................19
                  3.2.4.1. validationPolRef ..........................20
                           3.2.4.1.1. Default Validation Policy ......21
                  3.2.4.2. validationAlg .............................22
                           3.2.4.2.1. Basic Validation Algorithm .....22
                           3.2.4.2.2. Basic Validation
                                      Algorithm Errors ...............23
                           3.2.4.2.3. Name Validation Algorithm ......24
                           3.2.4.2.4. Name Validation
                                      Algorithm Errors ...............25
                  3.2.4.3. userPolicySet .............................26
                  3.2.4.4. inhibitPolicyMapping ......................26
                  3.2.4.5. requireExplicitPolicy .....................27
                  3.2.4.6. inhibitAnyPolicy ..........................27
                  3.2.4.7. trustAnchors ..............................27
                  3.2.4.8. keyUsages .................................28
                  3.2.4.9. extendedKeyUsages .........................28
                  3.2.4.10. specifiedKeyUsages .......................29
           3.2.5. responseFlags ......................................30
                  3.2.5.1. fullRequestInResponse .....................30
                  3.2.5.2. responseValidationPolByRef ................30
                  3.2.5.3. protectResponse ...........................31
                  3.2.5.4. cachedResponse ............................31
           3.2.6. serverContextInfo ..................................32
           3.2.7. validationTime .....................................32
           3.2.8. intermediateCerts ..................................33
           3.2.9. revInfos ...........................................34
           3.2.10. producedAt ........................................35
           3.2.11. queryExtensions ...................................35
                  3.2.11.1. extnID ...................................35
                  3.2.11.2. critical .................................35
                  3.2.11.3. extnValue ................................36
      3.3. requestorRef ..............................................36
      3.4. requestNonce ..............................................36
      3.5. requestorName .............................................37
      3.6. responderName .............................................37
      3.7. requestExtensions .........................................38
           3.7.1. extnID .............................................38
           3.7.2. critical ...........................................38
           3.7.3. extnValue ..........................................38
      3.8. signatureAlg ..............................................38
      3.9. hashAlg ...................................................39
      3.10. requestorText ............................................39
      3.11. SCVP Request Authentication ..............................40
   4. Validation Response.............................................40
     4.1. cvResponseVersion...........................................43
     4.2. serverConfigurationID.......................................43
        
           3.2.3. wantBack ...........................................16
           3.2.4. validationPolicy ...................................19
                  3.2.4.1. validationPolRef ..........................20
                           3.2.4.1.1. Default Validation Policy ......21
                  3.2.4.2. validationAlg .............................22
                           3.2.4.2.1. Basic Validation Algorithm .....22
                           3.2.4.2.2. Basic Validation
                                      Algorithm Errors ...............23
                           3.2.4.2.3. Name Validation Algorithm ......24
                           3.2.4.2.4. Name Validation
                                      Algorithm Errors ...............25
                  3.2.4.3. userPolicySet .............................26
                  3.2.4.4. inhibitPolicyMapping ......................26
                  3.2.4.5. requireExplicitPolicy .....................27
                  3.2.4.6. inhibitAnyPolicy ..........................27
                  3.2.4.7. trustAnchors ..............................27
                  3.2.4.8. keyUsages .................................28
                  3.2.4.9. extendedKeyUsages .........................28
                  3.2.4.10. specifiedKeyUsages .......................29
           3.2.5. responseFlags ......................................30
                  3.2.5.1. fullRequestInResponse .....................30
                  3.2.5.2. responseValidationPolByRef ................30
                  3.2.5.3. protectResponse ...........................31
                  3.2.5.4. cachedResponse ............................31
           3.2.6. serverContextInfo ..................................32
           3.2.7. validationTime .....................................32
           3.2.8. intermediateCerts ..................................33
           3.2.9. revInfos ...........................................34
           3.2.10. producedAt ........................................35
           3.2.11. queryExtensions ...................................35
                  3.2.11.1. extnID ...................................35
                  3.2.11.2. critical .................................35
                  3.2.11.3. extnValue ................................36
      3.3. requestorRef ..............................................36
      3.4. requestNonce ..............................................36
      3.5. requestorName .............................................37
      3.6. responderName .............................................37
      3.7. requestExtensions .........................................38
           3.7.1. extnID .............................................38
           3.7.2. critical ...........................................38
           3.7.3. extnValue ..........................................38
      3.8. signatureAlg ..............................................38
      3.9. hashAlg ...................................................39
      3.10. requestorText ............................................39
      3.11. SCVP Request Authentication ..............................40
   4. Validation Response.............................................40
     4.1. cvResponseVersion...........................................43
     4.2. serverConfigurationID.......................................43
        
     4.3. producedAt..................................................44
     4.4. responseStatus..............................................44
     4.5. respValidationPolicy........................................46
     4.6. requestRef..................................................47
           4.6.1. requestHash ........................................47
           4.6.2. fullRequest ........................................48
     4.7. requestorRef................................................48
     4.8. requestorName...............................................48
     4.9. replyObjects................................................49
           4.9.1. cert................................................50
           4.9.2. replyStatus.........................................50
           4.9.3. replyValTime .......................................51
           4.9.4. replyChecks ........................................51
           4.9.5. replyWantBacks .....................................53
           4.9.6. validationErrors ...................................56
           4.9.7. nextUpdate .........................................56
           4.9.8. certReplyExtensions ................................56
     4.10. respNonce..................................................57
     4.11. serverContextInfo..........................................57
     4.12. cvResponseExtensions ......................................58
     4.13. requestorText .............................................58
     4.14. SCVP Response Validation ..................................59
           4.14.1. Simple Key Validation .............................59
           4.14.2. SCVP Server Certificate Validation ................59
   5. Server Policy Request...........................................60
      5.1. vpRequestVersion...........................................60
      5.2. requestNonce...............................................60
   6. Validation Policy Response......................................61
      6.1. vpResponseVersion..........................................62
      6.2. maxCVRequestVersion........................................62
      6.3. maxVPRequestVersion........................................62
      6.4. serverConfigurationID......................................62
      6.5. thisUpdate.................................................63
      6.6. nextUpdate and requestNonce................................63
      6.7. supportedChecks............................................63
      6.8. supportedWantBacks.........................................64
      6.9. validationPolicies.........................................64
      6.10. validationAlgs............................................64
      6.11. authPolicies..............................................64
      6.12. responseTypes.............................................64
      6.13. revocationInfoTypes.......................................64
      6.14. defaultPolicyValues.......................................65
      6.15. signatureGeneration ......................................65
      6.16. signatureVerification ....................................65
      6.17. hashAlgorithms ...........................................66
      6.18. serverPublicKeys .........................................66
      6.19. clockSkew ................................................66
   7. SCVP Server Relay...............................................67
        
     4.3. producedAt..................................................44
     4.4. responseStatus..............................................44
     4.5. respValidationPolicy........................................46
     4.6. requestRef..................................................47
           4.6.1. requestHash ........................................47
           4.6.2. fullRequest ........................................48
     4.7. requestorRef................................................48
     4.8. requestorName...............................................48
     4.9. replyObjects................................................49
           4.9.1. cert................................................50
           4.9.2. replyStatus.........................................50
           4.9.3. replyValTime .......................................51
           4.9.4. replyChecks ........................................51
           4.9.5. replyWantBacks .....................................53
           4.9.6. validationErrors ...................................56
           4.9.7. nextUpdate .........................................56
           4.9.8. certReplyExtensions ................................56
     4.10. respNonce..................................................57
     4.11. serverContextInfo..........................................57
     4.12. cvResponseExtensions ......................................58
     4.13. requestorText .............................................58
     4.14. SCVP Response Validation ..................................59
           4.14.1. Simple Key Validation .............................59
           4.14.2. SCVP Server Certificate Validation ................59
   5. Server Policy Request...........................................60
      5.1. vpRequestVersion...........................................60
      5.2. requestNonce...............................................60
   6. Validation Policy Response......................................61
      6.1. vpResponseVersion..........................................62
      6.2. maxCVRequestVersion........................................62
      6.3. maxVPRequestVersion........................................62
      6.4. serverConfigurationID......................................62
      6.5. thisUpdate.................................................63
      6.6. nextUpdate and requestNonce................................63
      6.7. supportedChecks............................................63
      6.8. supportedWantBacks.........................................64
      6.9. validationPolicies.........................................64
      6.10. validationAlgs............................................64
      6.11. authPolicies..............................................64
      6.12. responseTypes.............................................64
      6.13. revocationInfoTypes.......................................64
      6.14. defaultPolicyValues.......................................65
      6.15. signatureGeneration ......................................65
      6.16. signatureVerification ....................................65
      6.17. hashAlgorithms ...........................................66
      6.18. serverPublicKeys .........................................66
      6.19. clockSkew ................................................66
   7. SCVP Server Relay...............................................67
        
   8. SCVP ASN.1 Module...............................................68
   9. Security Considerations.........................................76
   10.IANA Considerations.............................................78
   11. References.....................................................78
       11.1. Normative References.....................................78
       11.2. Informative References...................................79
   12. Acknowledgments................................................80
   Appendix A. MIME Media Type Registrations..........................81
        A.1. application/scvp-cv-request..............................81
        A.2. application/scvp-cv-response.............................82
        A.3. application/scvp-vp-request..............................83
        A.4. application/scvp-vp-response.............................84
   Appendix B. SCVP over HTTP.........................................85
        B.1. SCVP Request.............................................85
        B.2. SCVP Response............................................85
        B.3. SCVP Policy Request......................................86
        B.4. SCVP Policy Response.....................................86
        
   8. SCVP ASN.1 Module...............................................68
   9. Security Considerations.........................................76
   10.IANA Considerations.............................................78
   11. References.....................................................78
       11.1. Normative References.....................................78
       11.2. Informative References...................................79
   12. Acknowledgments................................................80
   Appendix A. MIME Media Type Registrations..........................81
        A.1. application/scvp-cv-request..............................81
        A.2. application/scvp-cv-response.............................82
        A.3. application/scvp-vp-request..............................83
        A.4. application/scvp-vp-response.............................84
   Appendix B. SCVP over HTTP.........................................85
        B.1. SCVP Request.............................................85
        B.2. SCVP Response............................................85
        B.3. SCVP Policy Request......................................86
        B.4. SCVP Policy Response.....................................86
        
1. Introduction
1. 介绍

Certificate validation is complex. If certificate handling is to be widely deployed in a variety of applications and environments, the amount of processing an application needs to perform before it can accept a certificate needs to be reduced. There are a variety of applications that can make use of public key certificates, but these applications are burdened with the overhead of constructing and validating the certification paths. SCVP reduces this overhead for two classes of certificate-using applications.

证书验证非常复杂。如果要在各种应用程序和环境中广泛部署证书处理,则需要减少应用程序在接受证书之前需要执行的处理量。有各种各样的应用程序可以使用公钥证书,但是这些应用程序承担着构建和验证证书路径的开销。SCVP减少了使用两类证书的应用程序的这种开销。

The first class of applications wants just two things: confirmation that the public key belongs to the identity named in the certificate and confirmation that the public key can be used for the intended purpose. Such clients can completely delegate certification path construction and validation to the SCVP server. This is often referred to as delegated path validation (DPV).

第一类应用程序只需要两件事:确认公钥属于证书中指定的标识,以及确认公钥可用于预期目的。这样的客户端可以完全将证书路径构造和验证委托给SCVP服务器。这通常称为委托路径验证(DPV)。

The second class of applications can perform certification path validation, but they lack a reliable or efficient method of constructing a valid certification path. Such clients delegate certification path construction to the SCVP server, but not validation of the returned certification path. This is often referred to as delegated path discovery (DPD).

第二类应用程序可以执行认证路径验证,但它们缺乏可靠或有效的方法来构造有效的认证路径。此类客户端将证书路径构造委托给SCVP服务器,但不委托验证返回的证书路径。这通常称为委托路径发现(DPD)。

1.1. Terminology
1.1. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [STDWORDS].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[STDWORDS]中的说明进行解释。

1.2. SCVP Overview
1.2. SCVP概述

The primary goals of SCVP are to make it easier to deploy Public Key Infrastructure (PKI)-enabled applications by delegating path discovery and/or validation processing to a server, and to allow central administration of validation policies within an organization. SCVP can be used by clients that do much of the certificate processing themselves but simply want an untrusted server to collect information for them. However, when the client has complete trust in the SCVP server, SCVP can be used to delegate the work of certification path construction and validation, and SCVP can be used to ensure that policies are consistently enforced throughout an organization.

SCVP的主要目标是通过将路径发现和/或验证处理委托给服务器,使部署支持公钥基础设施(PKI)的应用程序更加容易,并允许在组织内集中管理验证策略。SCVP可由客户机使用,这些客户机自己执行大部分证书处理,但只是希望不受信任的服务器为其收集信息。但是,当客户机完全信任SCVP服务器时,SCVP可用于委托证书路径构建和验证工作,SCVP可用于确保在整个组织内一致地实施策略。

Untrusted SCVP servers can provide clients the certification paths. They can also provide clients the revocation information, such as Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses, that the clients need to validate the certification paths constructed by the SCVP server. These services can be valuable to clients that do not implement the protocols needed to find and download intermediate certificates, CRLs, and OCSP responses.

不受信任的SCVP服务器可以为客户端提供认证路径。它们还可以向客户端提供吊销信息,如证书吊销列表(CRL)和联机证书状态协议(OCSP)响应,客户端需要这些信息来验证SCVP服务器构建的证书路径。这些服务对于未实现查找和下载中间证书、CRL和OCSP响应所需的协议的客户机非常有用。

Trusted SCVP servers can perform certification path construction and validation for the client. For a client that uses these services, the client inherently trusts the SCVP server as much as it would its own certification path validation software (if it contained such software). There are two main reasons that a client may want to trust such an SCVP server:

受信任的SCVP服务器可以为客户端执行证书路径构造和验证。对于使用这些服务的客户机,客户机天生信任SCVP服务器,就像信任自己的认证路径验证软件一样(如果它包含此类软件)。客户机希望信任此类SCVP服务器的主要原因有两个:

1. The client does not want to incur the overhead of including certification path validation software and running it for each certificate it receives.

1. 客户机不希望产生包括认证路径验证软件并为其收到的每个证书运行该软件的开销。

2. The client is in an organization or community that wants to centralize management of validation policies. These policies might dictate that particular trust anchors are to be used and the types of policy checking that are to be performed during certification path validation.

2. 客户机所在的组织或社区希望集中管理验证策略。这些策略可能规定要使用特定的信任锚,以及在验证路径验证期间要执行的策略检查的类型。

1.3. SCVP Requirements
1.3. SCVP要求

SCVP meets the mandatory requirements documented in [RQMTS] for DPV and DPD.

SCVP符合[RQMTS]中记录的DPV和DPD的强制性要求。

Note that RFC 3379 states the following requirement:

请注意,RFC 3379规定了以下要求:

The DPD response MUST indicate one of the following status alternatives:

DPD响应必须指示以下状态备选方案之一:

1) one or more certification paths was found according to the path discovery policy, with all of the requested revocation information present.

1) 根据路径发现策略找到了一个或多个证书路径,并且存在所有请求的吊销信息。

2) one or more certification paths was found according to the path discovery policy, with a subset of the requested revocation information present.

2) 根据路径发现策略找到了一个或多个证书路径,并且存在请求的吊销信息的子集。

3) one or more certification paths was found according to the path discovery policy, with none of the requested revocation information present.

3) 根据路径发现策略找到了一个或多个证书路径,但不存在任何请求的吊销信息。

4) no certification path was found according to the path discovery policy.

4) 根据路径发现策略,未找到任何证书路径。

5) path construction could not be performed due to an error.

5) 由于错误,无法执行路径构造。

DPD responses constructed by SCVP servers do not differentiate between states 2) and 3). This property was discussed on the PKIX working group list and determined to be conformant with the intent of [RQMTS].

SCVP服务器构造的DPD响应不区分状态2)和状态3)。PKIX工作组列表中讨论了该属性,并确定该属性符合[RQMTS]的意图。

1.4. Validation Policies
1.4. 验证策略

A validation policy (as defined in RFC 3379 [RQMTS]) specifies the rules and parameters to be used by the SCVP server when validating a certificate. In SCVP, the validation policy to be used by the server either can be fully referenced in the request by the client (and thus no additional parameters are necessary) or can be referenced in the request by the client with additional parameters.

验证策略(如RFC 3379[RQMTS]中所定义)指定SCVP服务器在验证证书时要使用的规则和参数。在SCVP中,服务器使用的验证策略可以由客户端在请求中完全引用(因此不需要附加参数),也可以由客户端在请求中使用附加参数引用。

Policy definitions can be quite long and complex, and some policies may allow for the setting of a few parameters. The request can therefore be very simple if an object identifier (OID) is used to specify both the algorithm to be used and all the associated parameters of the validation policy. The request can be more complex if the validation policy fixes many of the parameters but allows the client to specify some of them. When the validation policy defines every parameter necessary, an SCVP request needs only to contain the certificate to be validated, the referenced validation policy, and any run-time parameters for the request.

策略定义可能非常长且复杂,有些策略可能允许设置一些参数。因此,如果使用对象标识符(OID)指定要使用的算法和验证策略的所有相关参数,则请求可能非常简单。如果验证策略修复了许多参数,但允许客户端指定其中一些参数,则请求可能会更复杂。当验证策略定义了每个必需的参数时,SCVP请求只需要包含要验证的证书、引用的验证策略以及请求的任何运行时参数。

A server publishes the references of the validation policies it supports. When these policies have parameters that may be overridden, the server communicates the default values for these parameters as well. The client can simplify the request by omitting a parameter from a request if the default value published by the server for a given validation policy reference is acceptable. However, if there is a desire to demonstrate to someone else that a specific validation policy with all its parameters has been used, the client will need to ask the server for the inclusion of the full validation policy with all the parameters in the response.

服务器发布其支持的验证策略的引用。当这些策略具有可能被覆盖的参数时,服务器也会传递这些参数的默认值。如果服务器为给定的验证策略引用发布的默认值是可接受的,则客户端可以通过从请求中省略参数来简化请求。但是,如果希望向其他人证明使用了特定的验证策略及其所有参数,则客户端需要请求服务器在响应中包含完整的验证策略及其所有参数。

The inputs to the basic certification path processing algorithm used by SCVP are defined by [PKIX-1] in Section 6.1.1 and comprise:

SCVP使用的基本认证路径处理算法的输入由第6.1.1节中的[PKIX-1]定义,包括:

Certificate to be validated (by value or by reference);

待验证的证书(通过价值或参考);

Validation time;

验证时间;

The initial policy set;

初始策略集;

Initial inhibit policy mapping setting;

初始禁止策略映射设置;

Initial inhibit anyPolicy setting; and

初始策略设置;和

Initial require explicit policy setting.

初始策略需要明确的策略设置。

The basic certification path processing algorithm also supports specification of one or more trust anchors (by value or reference) as an input. Where the client demands a certification path originating with a specific Certification Authority (CA), a single trust anchor is specified. Where the client is willing to accept paths beginning with any of several CAs, a set of trust anchors is specified.

基本认证路径处理算法还支持指定一个或多个信任锚(通过值或引用)作为输入。当客户端要求使用特定证书颁发机构(CA)发起的证书路径时,将指定单个信任锚点。如果客户机愿意接受以多个CA中的任何CA开头的路径,则指定一组信任锚。

The basic certification path processing algorithm also supports the following parameters, which are defined in [PKIX-1], Section 4:

基本认证路径处理算法还支持[PKIX-1]第4节中定义的以下参数:

The usage of the key contained in the certificate (e.g., key encipherment, key agreement, signature); and

证书中包含的密钥的使用(例如,密钥加密、密钥协议、签名);和

Other application-specific purposes for which the certified public key may be used.

可使用认证公钥的其他特定应用目的。

1.5. Validation Algorithm
1.5. 验证算法

The validation algorithm is determined by agreement between the client and the server and is represented as an OID. The algorithm defines the checking that will be performed by the server to determine whether the certificate is valid. A validation algorithm

验证算法由客户端和服务器之间的协议确定,并表示为OID。该算法定义了服务器将执行的检查,以确定证书是否有效。一种验证算法

is one of the parameters to a validation policy. SCVP defines a basic validation algorithm that implements the basic path validation algorithm as defined in [PKIX-1], and it permits the client to request additional information about the certificate to be validated. New validation algorithms can be specified that define additional checks if needed. These new validation algorithms may specify additional parameters. The values for these parameters may be defined by any validation policy that uses the algorithm or may be included by the client in the request.

是验证策略的参数之一。SCVP定义了一个基本验证算法,该算法实现[PKIX-1]中定义的基本路径验证算法,并允许客户端请求有关待验证证书的附加信息。如果需要,可以指定定义附加检查的新验证算法。这些新的验证算法可能会指定额外的参数。这些参数的值可以由使用该算法的任何验证策略定义,也可以由客户端包含在请求中。

Application-specific validation algorithms, in addition to those defined in this document, can be defined to meet specific requirements not covered by the basic validation algorithm. The validation algorithms documented here should serve as a guide for the development of further application-specific validation algorithms. For example, a new application-specific validation algorithm might require the presence of a particular name form in the subject alternative name extension of the certificate.

除本文档中定义的验证算法外,还可以定义特定于应用程序的验证算法,以满足基本验证算法未涵盖的特定要求。此处记录的验证算法应作为进一步开发特定于应用程序的验证算法的指南。例如,一个新的特定于应用程序的验证算法可能需要在证书的subject alternative name extension中存在一个特定的名称表单。

1.6. Validation Requirements
1.6. 验证要求

For a certification path to be considered valid under a particular validation policy, it MUST be a valid certification path as defined in [PKIX-1], and all validation policy constraints that apply to the certification path MUST be verified.

若要在特定验证策略下视为有效的验证路径,它必须是[PKIX-1]中定义的有效验证路径,并且必须验证应用于该验证路径的所有验证策略约束。

Revocation checking is one aspect of certification path validation defined in [PKIX-1]. However, revocation checking is an optional feature in [PKIX-1], and revocation information is distributed in multiple formats. Clients specify in requests whether revocation checking should be performed and whether revocation information should be returned in the response.

撤销检查是[PKIX-1]中定义的证书路径验证的一个方面。但是,吊销检查是[PKIX-1]中的可选功能,吊销信息以多种格式分发。客户端在请求中指定是否应执行吊销检查以及是否应在响应中返回吊销信息。

Servers MUST be capable of indicating the sources of revocation information that they are capable of processing:

服务器必须能够指示其能够处理的撤销信息的来源:

1. full CRLs (or full Authority Revocation Lists);

1. 完整的CRL(或完整的权限撤销列表);

2. OCSP responses, using [OCSP];

2. OCSP响应,使用[OCSP];

3. delta CRLs; and

3. delta-CRLs;和

4. indirect CRLs.

4. 间接CRL。

2. Protocol Overview
2. 协议概述

SCVP uses a simple request-response model. That is, the SCVP client creates a request and sends it to the SCVP server, and then the SCVP server creates a single response and sends it to the client. The typical use of SCVP is expected to be over HTTP [HTTP], but it can also be used with email or any other protocol that can transport digitally signed objects. Appendices A and B provide the details necessary to use SCVP with HTTP.

SCVP使用一个简单的请求-响应模型。也就是说,SCVP客户端创建一个请求并将其发送到SCVP服务器,然后SCVP服务器创建一个响应并将其发送到客户端。SCVP的典型用途是通过HTTP[HTTP],但也可以与电子邮件或任何其他可以传输数字签名对象的协议一起使用。附录A和B提供了将SCVP与HTTP一起使用所需的详细信息。

SCVP includes two request-response pairs. The primary request-response pair handles certificate validation. The secondary request-response pair is used to determine the list of validation policies and default parameters supported by a specific SCVP server.

SCVP包括两个请求-响应对。主请求-响应对处理证书验证。辅助请求-响应对用于确定特定SCVP服务器支持的验证策略和默认参数的列表。

Section 3 defines the certificate validation request.

第3节定义了证书验证请求。

Section 4 defines the corresponding certificate validation response.

第4节定义了相应的证书验证响应。

Section 5 defines the validation policies request.

第5节定义了验证策略请求。

Section 6 defines the corresponding validation policies response.

第6节定义了相应的验证策略响应。

Appendix A registers MIME types for SCVP requests and responses, and Appendix B describes the use of these MIME types with HTTP.

附录A为SCVP请求和响应注册MIME类型,附录B描述了这些MIME类型与HTTP的使用。

3. Validation Request
3. 验证请求

An SCVP client request to the server MUST be a single CVRequest item. When a CVRequest is encapsulated in a MIME body part, application/scvp-cv-request MUST be used. There are two forms of SCVP request: unprotected and protected. A protected request is used to authenticate the client to the server or to provide anonymous client integrity over the request-response pair. The protection is provided by a digital signature or message authentication code (MAC). In the later case, the MAC key is derived using a key agreement algorithm, such as Diffie-Hellman. If the client's public key is contained in a certificate, then it may be used to authenticate the client. More commonly, the client's key agreement public key will be ephemeral, supporting anonymous client integrity.

对服务器的SCVP客户端请求必须是单个CVVP请求项。当CVRequest封装在MIME主体部分中时,必须使用application/scvp cv request。SCVP请求有两种形式:未受保护和受保护。受保护的请求用于向服务器验证客户端,或通过请求-响应对提供匿名客户端完整性。保护由数字签名或消息认证码(MAC)提供。在后一种情况下,使用密钥协商算法(如Diffie-Hellman)导出MAC密钥。如果客户机的公钥包含在证书中,则可以使用它对客户机进行身份验证。更常见的是,客户机的密钥协议公钥将是短暂的,支持匿名客户机完整性。

A server MAY require all requests to be protected, and a server MAY discard all unprotected requests. Alternatively, a server MAY choose to process unprotected requests.

服务器可能要求保护所有请求,而服务器可能放弃所有未保护的请求。或者,服务器可以选择处理未受保护的请求。

The unprotected request consists of a CVRequest encapsulated in a Cryptographic Message Syntax (CMS) ContentInfo [CMS]. An overview of this structure is provided below and is only intended as

未受保护的请求由封装在加密消息语法(CMS)ContentInfo[CMS]中的CVRequest组成。下文提供了该结构的概述,仅用于

illustrative. The definitive ASN.1 is found in [CMS]. Many details are not shown, but the way that SCVP makes use of CMS is clearly illustrated.

说明性的。最终ASN.1见[CMS]。许多细节未显示,但SCVP使用CMS的方式已清楚说明。

      ContentInfo {
        contentType        id-ct-scvp-certValRequest,
                                     -- (1.2.840.113549.1.9.16.1.10)
        content            CVRequest }
        
      ContentInfo {
        contentType        id-ct-scvp-certValRequest,
                                     -- (1.2.840.113549.1.9.16.1.10)
        content            CVRequest }
        

The protected request consists of a CVRequest encapsulated in either a SignedData or AuthenticatedData, which is in turn encapsulated in a ContentInfo. That is, the EncapsulatedContentInfo field of either SignedData or AuthenticatedData consists of an eContentType field with a value of id-ct-scvp-certValRequest and an eContent field that contains a Distinguished Encoding Rules (DER)-encoded CVRequest. SignedData is used when the request is digitally signed. AuthenticatedData is used with a message authentication code (MAC).

受保护的请求由封装在SignedData或AuthenticatedData中的CVRequest组成,后者又封装在ContentInfo中。也就是说,SignedData或AuthenticatedData的封装ContentInfo字段由一个值为ct scvp certValRequest的eContentType字段和一个包含可分辨编码规则(DER)编码的CVRequest的eContent字段组成。对请求进行数字签名时使用SignedData。AuthenticatedData与消息身份验证码(MAC)一起使用。

All SCVP clients and servers MUST support SignedData for signed requests and responses. SCVP clients and servers SHOULD support AuthenticatedData for MAC-protected requests and responses.

所有SCVP客户端和服务器必须支持签名请求和响应的签名数据。SCVP客户端和服务器应支持MAC保护请求和响应的AuthenticatedData。

If the client uses SignedData, it MUST have a public key that has been bound to a subject identity by a certificate that conforms to the PKIX profile [PKIX-1], and that certificate MUST be suitable for signing the SCVP request. That is:

如果客户端使用SignedData,则它必须具有一个公钥,该公钥已通过符合PKIX配置文件[PKIX-1]的证书绑定到使用者身份,并且该证书必须适合对SCVP请求进行签名。即:

1. If the key usage extension is present, either the digital signature or the non-repudiation bit MUST be asserted.

1. 如果存在密钥使用扩展,则必须断言数字签名或不可否认位。

2. If the extended key usage extension is present, it MUST contain either the SCVP client OID (see Section 3.11), the anyExtendedKeyUsage OID, or another OID acceptable to the SCVP server.

2. 如果存在扩展密钥使用扩展,则它必须包含SCVP客户端OID(参见第3.11节)、anyExtendedKeyUsage OID或SCVP服务器可接受的其他OID。

The client MUST put an unambiguous reference to its certificate in the SignedData that encapsulates the request. The client SHOULD include its certificate in the request, but MAY omit the certificate to reduce the size of the request. The client MAY include other certificates in the request to aid the validation of its certificates by the SCVP server. The signerInfos field of SignedData MUST include exactly one SignerInfo. The SignedData MUST NOT include the unsignedAttrs field.

客户端必须在封装请求的SignedData中明确引用其证书。客户端应在请求中包含其证书,但可以省略证书以减小请求的大小。客户端可以在请求中包括其他证书,以帮助SCVP服务器验证其证书。SignedData的signerInfos字段必须仅包含一个SignerInfo。SignedData不能包含unsignedAttrs字段。

The client MUST put its key agreement public key, or an unambiguous reference to a certificate that contains its key agreement public key, in the AuthenticatedData that encapsulates the request. If an ephemeral key agreement key pair is used, then the ephemeral key agreement public key is carried in the originatorKey field of KeyAgreeRecipientInfo, which requires the client to obtain the server's key agreement public key before computing the message authentication code (MAC). An SCVP server's key agreement key is included in its validation policy response message (see Section 6). The recipientInfos field of AuthenticatedData MUST include exactly one RecipientInfo, which contains information for the SCVP server. The AuthenticatedData MUST NOT include the unauthAttrs field.

客户端必须将其密钥协议公钥或对包含其密钥协议公钥的证书的明确引用放入封装请求的AuthenticatedData中。如果使用临时密钥协议密钥对,则临时密钥协议公钥将携带在KeyAgreentRecipientInfo的Originatorey字段中,这要求客户端在计算消息身份验证码(MAC)之前获取服务器的密钥协议公钥。SCVP服务器的密钥协议密钥包含在其验证策略响应消息中(请参阅第6节)。AuthenticatedData的recipientInfos字段必须只包含一个RecipientInfo,其中包含SCVP服务器的信息。经验证的数据不得包含unauthAttrs字段。

The syntax and semantics for SignedData, AuthenticatedData, and ContentInfo are defined in [CMS]. The syntax and semantics for CVRequest are defined below. The CVRequest item contains the client request. The CVRequest contains the cvRequestVersion and query items; the CVRequest MAY also contain the requestorRef, requestNonce, requestorName, responderName, requestExtensions, signatureAlg, and hashAlg items.

[CMS]中定义了SignedData、AuthenticatedData和ContentInfo的语法和语义。CVRequest的语法和语义定义如下。CVRequest项包含客户端请求。CVRequest包含cvRequestVersion和查询项;CVRequest还可能包含requestorRef、requestNonce、requestorName、responderName、requestExtensions、SignatureLog和hashAlg项。

The CVRequest MUST have the following syntax:

CVRequest必须具有以下语法:

      CVRequest ::= SEQUENCE {
        cvRequestVersion        INTEGER DEFAULT 1,
        query                   Query,
        requestorRef        [0] GeneralNames OPTIONAL,
        requestNonce        [1] OCTET STRING OPTIONAL,
        requestorName       [2] GeneralName OPTIONAL,
        responderName       [3] GeneralName OPTIONAL,
        requestExtensions   [4] Extensions OPTIONAL,
        signatureAlg        [5] AlgorithmIdentifier OPTIONAL,
        hashAlg             [6] OBJECT IDENTIFIER OPTIONAL,
        requestorText       [7] UTF8String (SIZE (1..256)) OPTIONAL }
        
      CVRequest ::= SEQUENCE {
        cvRequestVersion        INTEGER DEFAULT 1,
        query                   Query,
        requestorRef        [0] GeneralNames OPTIONAL,
        requestNonce        [1] OCTET STRING OPTIONAL,
        requestorName       [2] GeneralName OPTIONAL,
        responderName       [3] GeneralName OPTIONAL,
        requestExtensions   [4] Extensions OPTIONAL,
        signatureAlg        [5] AlgorithmIdentifier OPTIONAL,
        hashAlg             [6] OBJECT IDENTIFIER OPTIONAL,
        requestorText       [7] UTF8String (SIZE (1..256)) OPTIONAL }
        

Conforming clients MUST be able to construct requests with cvRequestVersion and query. Conforming clients MUST DER encode the CVRequest in both protected and unprotected messages to facilitate unambiguous hash-based referencing in the corresponding response message. SCVP clients that insist on creation of a fresh response (e.g., to protect against a replay attack or ensure information is up to date) MUST support requestNonce. Support for the remaining items is optional in client implementations.

一致性客户端必须能够使用cvRequestVersion和query构造请求。一致性客户端必须在受保护和未受保护的消息中对CVRequest进行DER编码,以便于在相应的响应消息中进行明确的基于哈希的引用。坚持创建新响应(例如,防止重播攻击或确保信息最新)的SCVP客户端必须支持requestNonce。在客户端实现中,对其余项的支持是可选的。

Conforming servers MUST be able to parse CVRequests that contain any or all of the optional items.

一致性服务器必须能够解析包含任何或所有可选项的请求。

Each of the items within the CVRequest is described in the following sections.

CVRequest中的每个项目将在以下部分中描述。

3.1. cvRequestVersion
3.1. cvRequestVersion

The cvRequestVersion item defines the version of the SCVP CVRequest used in a request. The subsequent response MUST use the same version number. The value of the cvRequestVersion item MUST be one (1) for a client implementing this specification. Future updates to this specification must specify other values if there are any changes to syntax or semantics. However, new extensions may be defined without changing the version number.

cvRequestVersion项定义请求中使用的SCVP CVRequest的版本。后续响应必须使用相同的版本号。对于实现本规范的客户端,cvRequestVersion项的值必须为一(1)。如果对语法或语义有任何更改,则此规范的未来更新必须指定其他值。但是,可以在不更改版本号的情况下定义新的扩展。

SCVP clients MUST support asserting this value and SCVP servers MUST be capable of processing this value.

SCVP客户端必须支持断言此值,并且SCVP服务器必须能够处理此值。

3.2. query
3.2. 查询

The query item specifies one or more certificates that are the subject of the request; the certificates can be either public key certificates [PKIX-1] or attribute certificates [PKIX-AC]. A query MUST contain a queriedCerts item as well as one checks item, and one validationPolicy item; a query MAY also contain wantBack, responseFlags, serverContextInfo, validationTime, intermediateCerts, revInfos, producedAt, and queryExtensions items.

查询项指定作为请求主题的一个或多个证书;证书可以是公钥证书[PKIX-1]或属性证书[PKIX-AC]。查询必须包含一个queriedCerts项、一个checks项和一个validationPolicy项;查询还可能包含wantBack、responseFlags、serverContextInfo、validationTime、intermediateCerts、RevInfo、producedAt和queryExtensions项。

A Query MUST have the following syntax:

查询必须具有以下语法:

      Query ::= SEQUENCE {
        queriedCerts            CertReferences,
        checks                  CertChecks,
         -- Note: tag [0] not used --
        wantBack            [1] WantBack OPTIONAL,
        validationPolicy        ValidationPolicy,
        responseFlags           ResponseFlags OPTIONAL,
        serverContextInfo   [2] OCTET STRING OPTIONAL,
        validationTime      [3] GeneralizedTime OPTIONAL,
        intermediateCerts   [4] CertBundle OPTIONAL,
        revInfos            [5] RevocationInfos OPTIONAL,
        producedAt          [6] GeneralizedTime OPTIONAL,
        queryExtensions     [7] Extensions OPTIONAL }
        
      Query ::= SEQUENCE {
        queriedCerts            CertReferences,
        checks                  CertChecks,
         -- Note: tag [0] not used --
        wantBack            [1] WantBack OPTIONAL,
        validationPolicy        ValidationPolicy,
        responseFlags           ResponseFlags OPTIONAL,
        serverContextInfo   [2] OCTET STRING OPTIONAL,
        validationTime      [3] GeneralizedTime OPTIONAL,
        intermediateCerts   [4] CertBundle OPTIONAL,
        revInfos            [5] RevocationInfos OPTIONAL,
        producedAt          [6] GeneralizedTime OPTIONAL,
        queryExtensions     [7] Extensions OPTIONAL }
        

The list of certificate references in the queriedCerts item tells the server the certificate(s) for which the client wants information. The checks item specifies the checking that the client wants performed. The wantBack item specifies the objects that the client wants the server to return in the response. The validationPolicy item specifies the validation policy that the client wants the server

queriedCerts项中的证书引用列表告诉服务器客户端需要其信息的证书。检查项指定客户端希望执行的检查。wantBack项指定客户端希望服务器在响应中返回的对象。validationPolicy项指定客户端希望服务器使用的验证策略

to employ. The responseFlags item allows the client to request optional features for the response. The serverContextInfo item tells the server that additional information from a previous request-response is desired. The validationTime item tells the date and time relative to which the client wants the server to perform the checks. The intermediateCerts and revInfos items provide context for the client request. The queryExtensions item provides for future expansion of the query syntax. The syntax and semantics of each of these items are discussed in the following sections.

雇用。responseFlags项允许客户端请求响应的可选功能。serverContextInfo项告诉服务器需要来自上一个请求响应的附加信息。validationTime项告诉客户机希望服务器执行检查的日期和时间。intermediateCerts和RevInfo项为客户端请求提供上下文。queryExtensions项提供查询语法的未来扩展。以下各节将讨论这些项的语法和语义。

Conforming clients MUST be able to construct a Query with a queriedCerts item that specifies at least one certificate, checks, and validationPolicy. Conforming SCVP clients MAY support specification of multiple certificates and MAY support the optional items in the Query structure.

一致性客户机必须能够使用指定至少一个证书、检查和验证策略的queriedCerts项构造查询。符合条件的SCVP客户端可以支持多个证书的规范,并且可以支持查询结构中的可选项。

SCVP clients that support delegated path discovery (DPD) as defined in [RQMTS] MUST support wantBack and responseFlags. SCVP clients that insist on creation of a fresh response (e.g., to protect against a replay attack or ensure information is up to date) MUST support responseFlags.

支持[RQMTS]中定义的委托路径发现(DPD)的SCVP客户端必须支持wantBack和responseFlags。坚持创建新响应(例如,防止重播攻击或确保信息最新)的SCVP客户端必须支持responseFlags。

Conforming servers MUST be able to process a Query that contains any of the optional items, and MUST be able to process a Query that specifies multiple certificates.

一致性服务器必须能够处理包含任意可选项的查询,并且必须能够处理指定多个证书的查询。

3.2.1. queriedCerts
3.2.1. queriedCerts

The queriedCerts item is a SEQUENCE of one or more certificates, each of which is a subject of the request. The specified certificates are either public key certificates or attribute certificates; if more than one certificate is specified, all must be of the same type. Each certificate is either directly included, or it is referenced. When referenced, a hash value of the referenced item is included to ensure that the SCVP client and the SCVP server both obtain the same certificate when the referenced certificate is fetched. Certificate references use the SCVPCertID type, which is described below. A single request MAY contain both directly included and referenced certificates.

queriedCerts项是一个或多个证书的序列,每个证书都是请求的主题。指定的证书是公钥证书或属性证书;如果指定了多个证书,则所有证书必须为同一类型。每个证书要么直接包含,要么被引用。引用时,将包含引用项的哈希值,以确保获取引用的证书时SCVP客户端和SCVP服务器都获得相同的证书。证书引用使用SCVPCertID类型,如下所述。单个请求可以包含直接包含的证书和引用的证书。

CertReferences has the following syntax:

CertReferences具有以下语法:

   CertReferences ::= CHOICE {
     pkcRefs     [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
     acRefs      [1] SEQUENCE SIZE (1..MAX) OF ACReference }
        
   CertReferences ::= CHOICE {
     pkcRefs     [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
     acRefs      [1] SEQUENCE SIZE (1..MAX) OF ACReference }
        
   PKCReference ::= CHOICE {
     cert        [0] Certificate,
     pkcRef      [1] SCVPCertID }
        
   PKCReference ::= CHOICE {
     cert        [0] Certificate,
     pkcRef      [1] SCVPCertID }
        
   ACReference ::= CHOICE {
     attrCert    [2] AttributeCertificate,
     acRef       [3] SCVPCertID }
        
   ACReference ::= CHOICE {
     attrCert    [2] AttributeCertificate,
     acRef       [3] SCVPCertID }
        
   SCVPCertID ::= SEQUENCE {
     certHash        OCTET STRING,
     issuerSerial    SCVPIssuerSerial,
     hashAlgorithm   AlgorithmIdentifier DEFAULT { algorithm sha-1 } }
        
   SCVPCertID ::= SEQUENCE {
     certHash        OCTET STRING,
     issuerSerial    SCVPIssuerSerial,
     hashAlgorithm   AlgorithmIdentifier DEFAULT { algorithm sha-1 } }
        

The ASN.1 definition of Certificate is imported from [PKIX-1] and the definition of AttributeCertificate is imported from [PKIX-AC].

ASN.1证书定义从[PKIX-1]导入,AttributeCertificate定义从[PKIX-AC]导入。

When creating a SCVPCertID, the certHash is computed over the entire DER-encoded certificate including the signature. The hash algorithm used to compute certHash is specified in hashAlgorithm. The hash algorithm used to compute certHash SHOULD be one of the hash algorithms specified in the hashAlgorithms item of the server's validation policy response message.

在创建SCVPCertID时,certHash将在整个DER编码证书(包括签名)上计算。用于计算certHash的哈希算法在hashAlgorithm中指定。用于计算certHash的哈希算法应该是在服务器的验证策略响应消息的hashAlgorithms项中指定的哈希算法之一。

When encoding SCVPIssuerSerial, serialNumber is the serial number that uniquely identifies the certificate. For public key certificates, the issuer MUST contain only the issuer name from the certificate encoded in the directoryName choice of GeneralNames. For attribute certificates, the issuer MUST contain the issuer name field from the attribute certificate.

对SCVPISSUPERSERIAL进行编码时,serialNumber是唯一标识证书的序列号。对于公钥证书,颁发者必须仅包含在GeneralName的directoryName选项中编码的证书中的颁发者名称。对于属性证书,颁发者必须包含属性证书中的颁发者名称字段。

Conforming clients MUST be able to reference a certificate by direct inclusion. Clients SHOULD be able to specify a certificate using the SCVPCertID. Conforming clients MAY be able to reference multiple certificates and MAY be able to reference both public key and attribute certificates.

合规客户必须能够通过直接包含的方式引用证书。客户端应该能够使用SCVPCertID指定证书。一致性客户端可以引用多个证书,并且可以同时引用公钥和属性证书。

Conforming SCVP Server implementations MUST be able to process CertReferences with multiple certificates. Conforming SCVP server implementations MUST be able to parse CertReferences that contain either public key or attribute certificates. Conforming SCVP server implementations MUST be able to parse both the cert and pkcRef choices in PKCReference. Conforming SCVP server implementations that process attribute certificates MUST be able to parse both the attrCert and acRef choices in ACReference.

符合要求的SCVP服务器实现必须能够处理具有多个证书的证书引用。符合要求的SCVP服务器实现必须能够解析包含公钥或属性证书的CertReference。符合要求的SCVP服务器实现必须能够解析PKCReference中的cert和pkcRef选项。符合流程属性证书的SCVP服务器实现必须能够解析ACReference中的attrCert和acRef选项。

3.2.2. checks
3.2.2. 检查

The checks item describes the checking that the SCVP client wants the SCVP server to perform on the certificate(s) in the queriedCerts item. The checks item contains a sequence of object identifiers (OIDs). Each OID tells the SCVP server what checking the client expects the server to perform. For each check specified in the request, the SCVP server MUST perform the requested check, or return an error. A server may choose to perform additional checks (e.g., a server that is only asked to build a validated certification path may choose to also perform revocation status checks), although the server cannot indicate in the response that the additional checks have been performed, except in the case of an error response.

checks项描述了SCVP客户端希望SCVP服务器对queriedCerts项中的证书执行的检查。检查项包含一系列对象标识符(OID)。每个OID都告诉SCVP服务器客户端希望服务器执行的检查。对于请求中指定的每个检查,SCVP服务器必须执行请求的检查,或返回错误。服务器可以选择执行附加检查(例如,仅被要求构建经验证的认证路径的服务器也可以选择执行吊销状态检查),尽管服务器无法在响应中指示已执行附加检查,但错误响应的情况除外。

The checks item uses the CertChecks type, which has the following syntax:

checks项使用CertChecks类型,该类型具有以下语法:

      CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
      CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        

For public key certificates, the following checks are defined in this document:

对于公钥证书,本文档中定义了以下检查:

- id-stc-build-pkc-path: Build a prospective certification path to a trust anchor (as defined in Section 6.1 of [PKIX-1]);

- id stc build pkc path:构建到信任锚的预期认证路径(定义见[PKIX-1]第6.1节);

- id-stc-build-valid-pkc-path: Build a validated certification path to a trust anchor (revocation checking not required);

- id stc build valid pkc path:构建到信任锚的已验证证书路径(不需要撤销检查);

- id-stc-build-status-checked-pkc-path: Build a validated certification path to a trust anchor and perform revocation status checks on the certification path.

- id stc build status checked pkc path:构建到信任锚点的已验证证书路径,并在证书路径上执行吊销状态检查。

Conforming SCVP server implementations that support delegated path discovery (DPD) as defined in [RQMTS] MUST support the id-stc-build-pkc-path check. Conforming SCVP server implementations that support delegated path validation (DPV) as defined in [RQMTS] MUST support the id-stc-build-valid-pkc-path and id-stc-build-status-checked-pkc-path checks.

支持[RQMTS]中定义的委托路径发现(DPD)的一致性SCVP服务器实现必须支持id stc build pkc路径检查。支持[RQMTS]中定义的委托路径验证(DPV)的一致性SCVP服务器实现必须支持id stc生成有效pkc路径和id stc生成状态检查pkc路径检查。

For attribute certificates, the following checks are defined in this document:

对于属性证书,本文档中定义了以下检查:

- id-stc-build-aa-path: Build a prospective certification path to a trust anchor for the Attribute Certificate (AC) issuer;

- id stc build aa path:为属性证书(AC)颁发者构建指向信任锚的预期证书路径;

- id-stc-build-valid-aa-path: Build a validated certification path to a trust anchor for the AC issuer;

- id stc build valid aa path:为AC颁发者构建到信任锚的已验证认证路径;

- id-stc-build-status-checked-aa-path: Build a validated certification path to a trust anchor for the AC issuer and perform revocation status checks on the certification path for the AC issuer;

- id stc build status checked aa path:为AC颁发者构建到信任锚的已验证认证路径,并对AC颁发者的认证路径执行吊销状态检查;

- id-stc-status-check-ac-and-build-status-checked-aa-path: Build a validated certification path to a trust anchor for the AC issuer and perform revocation status checks on the AC as well as the certification path for the AC issuer.

- id stc status check ac和build status checked aa path:为ac颁发者构建到信任锚的已验证认证路径,并对ac以及ac颁发者的认证路径执行吊销状态检查。

Conforming SCVP server implementations MAY support the attribute certificates checks.

符合要求的SCVP服务器实现可能支持属性证书检查。

For these purposes, the following OIDs are defined:

为此,定义了以下OID:

      id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 }
        
      id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 }
        
      id-stc-build-pkc-path         OBJECT IDENTIFIER ::= { id-stc 1 }
      id-stc-build-valid-pkc-path   OBJECT IDENTIFIER ::= { id-stc 2 }
      id-stc-build-status-checked-pkc-path
                                    OBJECT IDENTIFIER ::= { id-stc 3 }
      id-stc-build-aa-path          OBJECT IDENTIFIER ::= { id-stc 4 }
      id-stc-build-valid-aa-path    OBJECT IDENTIFIER ::= { id-stc 5 }
      id-stc-build-status-checked-aa-path
                                    OBJECT IDENTIFIER ::= { id-stc 6 }
      id-stc-status-check-ac-and-build-status-checked-aa-path
                                    OBJECT IDENTIFIER ::= { id-stc 7 }
        
      id-stc-build-pkc-path         OBJECT IDENTIFIER ::= { id-stc 1 }
      id-stc-build-valid-pkc-path   OBJECT IDENTIFIER ::= { id-stc 2 }
      id-stc-build-status-checked-pkc-path
                                    OBJECT IDENTIFIER ::= { id-stc 3 }
      id-stc-build-aa-path          OBJECT IDENTIFIER ::= { id-stc 4 }
      id-stc-build-valid-aa-path    OBJECT IDENTIFIER ::= { id-stc 5 }
      id-stc-build-status-checked-aa-path
                                    OBJECT IDENTIFIER ::= { id-stc 6 }
      id-stc-status-check-ac-and-build-status-checked-aa-path
                                    OBJECT IDENTIFIER ::= { id-stc 7 }
        

Other specifications may define additional checks.

其他规范可能会定义其他检查。

Conforming client implementations MUST support assertion of at least one of the standard checks. Conforming clients MAY support assertion of multiple checks. Conforming clients need not support all of the checks defined in this section.

一致性客户端实现必须支持至少一个标准检查的断言。一致性客户可能支持多个检查的断言。合格客户无需支持本节中定义的所有检查。

3.2.3. wantBack
3.2.3. wantBack

The optional wantBack item describes any information the SCVP client wants from the SCVP server for the certificate(s) in the queriedCerts item in addition to the results of the checks specified in the checks item. If present, the wantBack item MUST contain a sequence of object identifiers (OIDs). Each OID tells the SCVP server what the client wants to know about the queriedCerts item. For each type of information specified in the request, the server MUST return information regarding its finding (in a successful response).

可选的wantBack项描述了SCVP客户端希望从SCVP服务器获得的、与queriedCerts项中的证书相关的任何信息,以及检查项中指定的检查结果。如果存在,wantBack项必须包含一系列对象标识符(OID)。每个OID都会告诉SCVP服务器客户端希望了解的有关queriedCerts项的信息。对于请求中指定的每种类型的信息,服务器必须返回有关其查找的信息(在成功响应中)。

For example, a request might include a checks item that only specifies certification path building and include a wantBack item that requests the return of the certification path built by the server. In this case, the response would not include a status for the validation of the certification path, but it would include a prospective certification path. A client that wants to perform its own certification path validation might use a request of this form.

例如,请求可能包括仅指定证书路径生成的检查项,以及请求返回服务器生成的证书路径的wantBack项。在这种情况下,响应将不包括验证路径的状态,但将包括预期的验证路径。想要执行自己的认证路径验证的客户端可能会使用此表单的请求。

Alternatively, a request might include a checks item that requests the server to build a certification path and validate it, including revocation checking, and not include a wantBack item. In this case, the response would include only a status for the validation of the certification path. A client that completely delegates certification path validation might use a request of this form.

或者,请求可能包括一个检查项目,该项目请求服务器构建一个认证路径并对其进行验证,包括撤销检查,而不包括wantBack项目。在这种情况下,响应将只包括验证路径的状态。完全委托认证路径验证的客户端可能会使用此表单的请求。

The wantBack item uses the WantBack type, which has the following syntax:

wantBack项使用wantBack类型,该类型具有以下语法:

      WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
      WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        

For public key certificates, the following wantBacks are defined in this document:

对于公钥证书,本文档中定义了以下WANTBACK:

- id-swb-pkc-cert: The certificate that was the subject of the request;

- id swb pkc证书:作为请求主题的证书;

- id-swb-pkc-best-cert-path: The certification path built for the certificate including the certificate that was validated;

- id swb pkc best cert path:为证书构建的证书路径,包括已验证的证书;

- id-swb-pkc-revocation-info: Proof of revocation status for each certificate in the certification path;

- id swb pkc吊销信息:证书路径中每个证书的吊销状态证明;

- id-swb-pkc-public-key-info: The public key from the certificate that was the subject of the request;

- id swb pkc公钥信息:作为请求主题的证书中的公钥;

- id-swb-pkc-all-cert-paths: A set of certification paths for the certificate that was the subject of the request;

- id swb pkc all cert path:作为请求主题的证书的一组证书路径;

- id-swb-pkc-ee-revocation-info: Proof of revocation status for the end entity certificate in the certification path; and

- id swb pkc ee吊销信息:证书路径中终端实体证书的吊销状态证明;和

- id-swb-pkc-CAs-revocation-info: Proof of revocation status for each CA certificate in the certification path.

- id swb pkc CAs吊销信息:证书路径中每个CA证书的吊销状态证明。

All conforming SCVP server implementations MUST support the id-swb-pkc-cert and id-swb-pkc-public-key-info wantBacks. Conforming SCVP server implementations that support delegated path discovery (DPD) as defined in [RQMTS] MUST support the id-swb-pkc-best-cert-path and id-swb-pkc-revocation-info wantBacks.

所有符合要求的SCVP服务器实现必须支持id swb pkc证书和id swb pkc公钥信息WANTBACK。支持[RQMTS]中定义的委托路径发现(DPD)的一致性SCVP服务器实现必须支持id swb pkc最佳证书路径和id swb pkc撤销信息WANTBACK。

SCVP provides two methods for a client to obtain multiple certification paths for a certificate. The client could use serverContextInfo to request one path at a time (see Section 3.2.6). After obtaining each path, the client could submit the serverContextInfo from the previous request to obtain another path until either the client found a suitable path or the server indicated (by not returning a serverContextInfo) that no more paths were available. Alternatively, the client could send a single request with an id-swb-pkc-all-cert-paths wantBack, in which case the server would return all of the available paths in a single response.

SCVP为客户端提供了两种方法来获取证书的多个证书路径。客户端可以使用serverContextInfo一次请求一个路径(请参阅第3.2.6节)。在获得每个路径后,客户机可以提交来自上一个请求的serverContextInfo以获得另一个路径,直到客户机找到合适的路径或服务器指示(不返回serverContextInfo)没有更多的路径可用为止。或者,客户端可以发送一个id为swb pkc all cert PATH wantBack的请求,在这种情况下,服务器将在一个响应中返回所有可用路径。

The server may, at its discretion, limit the number of paths that it returns in response to the id-swb-pkc-all-cert-paths. When the request includes an id-swb-pkc-all-cert-paths wantBack, the response SHOULD NOT include a serverContextInfo.

服务器可自行决定限制其响应id swb pkc all cert PATH返回的路径数。当请求包含id swb pkc all cert PATH wantBack时,响应不应包含serverContextInfo。

For attribute certificates, the following wantBacks are defined in this document:

对于属性证书,本文档中定义了以下WANTBACK:

- id-swb-ac-cert: The attribute certificate that was the subject of the request;

- id swb ac cert:作为请求主题的属性证书;

- id-swb-aa-cert-path: The certification path built for the AC issuer certificate;

- id swb aa cert path:为AC颁发者证书构建的证书路径;

- id-swb-ac-revocation-info: Proof of revocation status for each certificate in the AC issuer certification path; and

- id swb ac吊销信息:ac颁发者证书路径中每个证书的吊销状态证明;和

- id-swb-aa-revocation-info: Proof of revocation status for the attribute certificate.

- id swb aa吊销信息:属性证书的吊销状态证明。

Conforming SCVP server implementations MAY support the attribute certificate wantBacks.

符合要求的SCVP服务器实现可能支持属性证书WANTBACK。

The following wantBack can be used for either public key or attribute certificates:

以下wantBack可用于公钥或属性证书:

- id-swb-relayed-responses: Any SCVP responses received by the server that were used to generate the response to this query.

- id swb中继响应:服务器接收的用于生成对此查询的响应的任何SCVP响应。

Conforming SCVP servers MAY support the id-swb-relayed-responses wantBack.

符合要求的SCVP服务器可支持id swb中继响应wantBack。

For these purposes, the following OIDs are defined:

为此,定义了以下OID:

      id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 }
        
      id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
              dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 }
        
      id-swb-pkc-best-cert-path      OBJECT IDENTIFIER ::= { id-swb 1 }
      id-swb-pkc-revocation-info     OBJECT IDENTIFIER ::= { id-swb 2 }
      id-swb-pkc-public-key-info     OBJECT IDENTIFIER ::= { id-swb 4 }
      id-swb-aa-cert-path            OBJECT IDENTIFIER ::= { id-swb 5 }
      id-swb-aa-revocation-info      OBJECT IDENTIFIER ::= { id-swb 6 }
      id-swb-ac-revocation-info      OBJECT IDENTIFIER ::= { id-swb 7 }
      id-swb-relayed-responses       OBJECT IDENTIFIER ::= { id-swb 9 }
      id-swb-pkc-cert                OBJECT IDENTIFIER ::= { id-swb 10}
      id-swb-ac-cert                 OBJECT IDENTIFIER ::= { id-swb 11}
      id-swb-pkc-all-cert-paths      OBJECT IDENTIFIER ::= { id-swb 12}
      id-swb-pkc-ee-revocation-info  OBJECT IDENTIFIER ::= { id-swb 13}
      id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14}
        
      id-swb-pkc-best-cert-path      OBJECT IDENTIFIER ::= { id-swb 1 }
      id-swb-pkc-revocation-info     OBJECT IDENTIFIER ::= { id-swb 2 }
      id-swb-pkc-public-key-info     OBJECT IDENTIFIER ::= { id-swb 4 }
      id-swb-aa-cert-path            OBJECT IDENTIFIER ::= { id-swb 5 }
      id-swb-aa-revocation-info      OBJECT IDENTIFIER ::= { id-swb 6 }
      id-swb-ac-revocation-info      OBJECT IDENTIFIER ::= { id-swb 7 }
      id-swb-relayed-responses       OBJECT IDENTIFIER ::= { id-swb 9 }
      id-swb-pkc-cert                OBJECT IDENTIFIER ::= { id-swb 10}
      id-swb-ac-cert                 OBJECT IDENTIFIER ::= { id-swb 11}
      id-swb-pkc-all-cert-paths      OBJECT IDENTIFIER ::= { id-swb 12}
      id-swb-pkc-ee-revocation-info  OBJECT IDENTIFIER ::= { id-swb 13}
      id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14}
        

Other specifications may define additional wantBacks.

其他规范可能会定义其他WANTBACK。

Conforming client implementations that support delegated path validation (DPV) as defined in [RQMTS] SHOULD support assertion of at least one wantBack. Conforming client implementations that support delegated path discovery (DPD) as defined in [RQMTS] MUST support assertion of at least one wantBack. Conforming clients MAY support assertion of multiple wantBacks. Conforming clients need not support all of the wantBacks defined in this section.

支持[RQMTS]中定义的委托路径验证(DPV)的一致性客户端实现应支持至少一个wantBack的断言。支持[RQMTS]中定义的委托路径发现(DPD)的一致性客户端实现必须支持至少一个wantBack的断言。一致性客户端可能支持多个WANTBACK的断言。一致性客户端不需要支持本节中定义的所有WANTBACK。

3.2.4. validationPolicy
3.2.4. 验证策略

The validationPolicy item defines the validation policy that the client wants the SCVP server to use during certificate validation. If this policy cannot be used for any reason, then the server MUST return an error response.

validationPolicy项定义客户端希望SCVP服务器在证书验证期间使用的验证策略。如果由于任何原因无法使用此策略,则服务器必须返回错误响应。

A validation policy MUST define default values for all parameters necessary for processing an SCVP request. For each parameter, a validation policy may either allow the client to specify a non-default value or forbid the use of a non-default value. If the client wishes to use the default values for all of the parameters, then the client need only supply a reference to the policy in this item. If the client wishes to use non-default values for one or more parameters, then the client supplies a reference to the policy plus whatever parameters are necessary to complete the request in this item. If there are any conflicts between the policy referenced in the request and any supplied parameter values in the request, then the server MUST return an error response.

验证策略必须为处理SCVP请求所需的所有参数定义默认值。对于每个参数,验证策略可以允许客户端指定非默认值,也可以禁止使用非默认值。如果客户端希望为所有参数使用默认值,则客户端只需提供对该项中策略的引用。如果客户端希望对一个或多个参数使用非默认值,则客户端将提供对策略的引用以及完成此项中的请求所需的任何参数。如果请求中引用的策略与请求中提供的任何参数值之间存在任何冲突,则服务器必须返回错误响应。

The syntax of the validationPolicy item is:

validationPolicy项的语法为:

      ValidationPolicy ::= SEQUENCE {
        validationPolRef          ValidationPolRef,
        validationAlg         [0] ValidationAlg OPTIONAL,
        userPolicySet         [1] SEQUENCE SIZE (1..MAX) OF OBJECT
                                    IDENTIFIER OPTIONAL,
        inhibitPolicyMapping  [2] BOOLEAN OPTIONAL,
        requireExplicitPolicy [3] BOOLEAN OPTIONAL,
        inhibitAnyPolicy      [4] BOOLEAN OPTIONAL,
        trustAnchors          [5] TrustAnchors OPTIONAL,
        keyUsages             [6] SEQUENCE OF KeyUsage OPTIONAL,
        extendedKeyUsages     [7] SEQUENCE OF KeyPurposeId OPTIONAL,
        specifiedKeyUsages    [8] SEQUENCE OF KeyPurposeId OPTIONAL }
        
      ValidationPolicy ::= SEQUENCE {
        validationPolRef          ValidationPolRef,
        validationAlg         [0] ValidationAlg OPTIONAL,
        userPolicySet         [1] SEQUENCE SIZE (1..MAX) OF OBJECT
                                    IDENTIFIER OPTIONAL,
        inhibitPolicyMapping  [2] BOOLEAN OPTIONAL,
        requireExplicitPolicy [3] BOOLEAN OPTIONAL,
        inhibitAnyPolicy      [4] BOOLEAN OPTIONAL,
        trustAnchors          [5] TrustAnchors OPTIONAL,
        keyUsages             [6] SEQUENCE OF KeyUsage OPTIONAL,
        extendedKeyUsages     [7] SEQUENCE OF KeyPurposeId OPTIONAL,
        specifiedKeyUsages    [8] SEQUENCE OF KeyPurposeId OPTIONAL }
        

The validationPolRef item is required, but the remaining items are optional. The optional items are used to provide validation policy parameters. When the client uses the validation policy's default values for all parameters, all of the optional items are absent.

validationPolRef项是必需的,但其余项是可选的。可选项用于提供验证策略参数。当客户端对所有参数使用验证策略的默认值时,将缺少所有可选项。

At a minimum, conforming SCVP client implementations MUST support the validationPolRef item. Conforming client implementations MAY support any or all of the optional items in ValidationPolicy.

至少,符合要求的SCVP客户端实现必须支持validationPolRef项。一致性客户端实现可能支持ValidationPolicy中的任何或所有可选项。

Conforming SCVP servers MUST support processing of a ValidationPolicy that contains any or all of the optional items.

符合要求的SCVP服务器必须支持包含任何或所有可选项的ValidationPolicy的处理。

The validationAlg item specifies the validation algorithm. The userPolicySet item provides an acceptable set of certificate policies. The inhibitPolicyMapping item inhibits certificate policy mapping during certification path validation. The requireExplicitPolicy item requires at least one valid certificate policy in the certificate policies extension. The inhibitAnyPolicy item indicates whether the anyPolicy certificate policy OID is processed or ignored when evaluating certificate policy. The trustAnchors item indicates the trust anchors that are acceptable to the client. The keyUsages item indicates the technical usage of the public key that is to be confirmed by the server as acceptable. The extendedKeyUsages item indicates the application-specific usage of the public key that is to be confirmed by the server as acceptable. The syntax and semantics of each of these items are discussed in the following sections.

ValidationAG项指定验证算法。userPolicySet项提供一组可接受的证书策略。inhibitPolicyMapping项在证书路径验证期间禁止证书策略映射。requireExplicitPolicy项要求证书策略扩展中至少有一个有效的证书策略。inhibitAnyPolicy项指示在评估证书策略时是处理还是忽略anyPolicy证书策略OID。trustAnchors项表示客户端可以接受的信任锚。keyUsages项表示公钥的技术用法,该公钥将由服务器确认为可接受。extendedKeyUsages项指示特定于应用程序的公钥用法,该公钥将由服务器确认为可接受。以下各节将讨论这些项的语法和语义。

3.2.4.1. validationPolRef
3.2.4.1. 验证polref

The reference to the validation policy is an OID that the client and server have agreed represents a particular validation policy.

对验证策略的引用是一个OID,客户机和服务器已同意该OID表示特定的验证策略。

The syntax of the validationPolRef item is:

validationPolRef项的语法为:

      ValidationPolRef::= SEQUENCE {
        valPolId              OBJECT IDENTIFIER,
        valPolParams          ANY DEFINED BY valPolId OPTIONAL }
        
      ValidationPolRef::= SEQUENCE {
        valPolId              OBJECT IDENTIFIER,
        valPolParams          ANY DEFINED BY valPolId OPTIONAL }
        

Where a validation policy supports additional policy-specific parameter settings, these values are specified using the valPolParams item. The syntax and semantics of the parameters structure are defined by the object identifier encoded as the valPolId. Where a validation policy has no parameters, such as the default validation policy (see Section 3.2.4.1.1), this item MUST be omitted.

如果验证策略支持其他特定于策略的参数设置,则使用valPolParams项指定这些值。参数结构的语法和语义由编码为valPolId的对象标识符定义。如果验证策略没有参数,如默认验证策略(见第3.2.4.1.1节),则必须省略该项。

Parameters specified in this item are independent of the validation algorithm and the validation algorithm's parameters (see Section 3.2.4.2). For example, a server may support a validation policy where it validates a certificate using the name validation algorithm and also makes a determination regarding the creditworthiness of the subject. In this case, the validation policy parameters could be used to specify the value of the transaction. The validation algorithm parameters are used to specify the application identifier and name for the name validation algorithm.

本项中规定的参数独立于验证算法和验证算法的参数(见第3.2.4.2节)。例如,服务器可能支持验证策略,其中它使用名称验证算法验证证书,并且还确定主体的信誉度。在这种情况下,验证策略参数可用于指定事务的值。验证算法参数用于指定名称验证算法的应用程序标识符和名称。

Conforming SCVP client implementations MUST support specification of a validation policy. Conforming SCVP client implementations MAY be able to specify parameters for a validation policy. Conforming SCVP server implementations MUST be able to process valPolId and MAY be able to process valPolParams.

符合要求的SCVP客户端实现必须支持验证策略的规范。符合要求的SCVP客户端实现可能能够指定验证策略的参数。符合要求的SCVP服务器实现必须能够处理valPolId,并且可能能够处理valPolParams。

3.2.4.1.1. Default Validation Policy
3.2.4.1.1. 默认验证策略

The client can request the SCVP server's default validation policy or another validation policy. The default validation policy corresponds to standard certification path processing as defined in [PKIX-1] with server-chosen default values (e.g., with a server-determined policy set and trust anchors). The default values can be distributed out of band or using the policy request mechanism (see Section 5). This mechanism permits the deployment of an SCVP server without obtaining a new object identifier.

客户端可以请求SCVP服务器的默认验证策略或其他验证策略。默认验证策略对应于[PKIX-1]中定义的标准认证路径处理,具有服务器选择的默认值(例如,具有服务器确定的策略集和信任锚)。默认值可以在带外分发,也可以使用策略请求机制(参见第5节)。此机制允许部署SCVP服务器,而无需获取新的对象标识符。

The object identifier that identifies the default validation policy is:

标识默认验证策略的对象标识符为:

      id-svp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 19 }
        
      id-svp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 19 }
        
      id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 }
        
      id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 }
        

The default validation policy MUST use the basic validation algorithm as its default validation algorithm (see Section 3.2.4.2.1), and has no validation policy parameters (see Section 3.2.4.1).

默认验证策略必须使用基本验证算法作为其默认验证算法(见第3.2.4.2.1节),并且没有验证策略参数(见第3.2.4.1节)。

When using the default validation policy, the client can override any of the default parameter values by supplying a specific value in the request. The SCVP server MUST make use of the provided parameter values or return an error response.

使用默认验证策略时,客户端可以通过在请求中提供特定值来覆盖任何默认参数值。SCVP服务器必须使用提供的参数值或返回错误响应。

Conforming implementations of SCVP servers MUST support the default policy. However, an SCVP server may be configured to send an error response to all requests using the default policy to meet local security requirements.

SCVP服务器的一致性实现必须支持默认策略。但是,可以将SCVP服务器配置为使用默认策略向所有请求发送错误响应,以满足本地安全要求。

3.2.4.2. validationAlg
3.2.4.2. 验证

The optional validationAlg item defines the validation algorithm to be used by the SCVP server during certificate validation. The value of this item can be determined by agreement between the client and the server. The validation algorithm is represented by an object identifier.

可选的ValidationAG项定义了SCVP服务器在证书验证期间使用的验证算法。此项的值可由客户端和服务器之间的协议确定。验证算法由对象标识符表示。

The syntax of the validationAlg item is:

ValidationAG项的语法为:

      ValidationAlg ::= SEQUENCE {
        valAlgId              OBJECT IDENTIFIER,
        parameters            ANY DEFINED BY valAlgId OPTIONAL }
        
      ValidationAlg ::= SEQUENCE {
        valAlgId              OBJECT IDENTIFIER,
        parameters            ANY DEFINED BY valAlgId OPTIONAL }
        

The following section specifies the basic validation algorithm and the name validation algorithm.

以下部分指定基本验证算法和名称验证算法。

SCVP servers MUST recognize and support both validation algorithms defined in this section. SCVP clients that support explicit assertion of the validation algorithm MUST support the basic validation algorithm and SHOULD support the name validation algorithm. Other validation algorithms can be specified in other documents for use with specific applications. SCVP clients and servers MAY support any such validation algorithms.

SCVP服务器必须识别并支持本节中定义的两种验证算法。支持显式断言验证算法的SCVP客户端必须支持基本验证算法,并且应该支持名称验证算法。其他验证算法可在其他文档中指定,以用于特定应用。SCVP客户端和服务器可能支持任何此类验证算法。

3.2.4.2.1. Basic Validation Algorithm
3.2.4.2.1. 基本验证算法

The client can request use of the SCVP basic validation algorithm or another algorithm. For identity certificates, the basic validation algorithm MUST implement the certification path validation algorithm as defined in Section 6 of [PKIX-1]. For attribute certificates, the basic validation algorithm MUST implement certification path validation as defined in Section 5 of [PKIX-AC]. Other validation algorithms MAY implement functions over and above those in the basic

客户端可以请求使用SCVP基本验证算法或其他算法。对于身份证书,基本验证算法必须实现[PKIX-1]第6节中定义的认证路径验证算法。对于属性证书,基本验证算法必须实现[PKIX-AC]第5节中定义的证书路径验证。其他验证算法可以实现基本算法之外的功能

algorithm, but validation algorithms MUST generate results compliant with the basic validation algorithm. That is, none of the validation requirements in the basic algorithm may be omitted from any newly defined validation algorithms. However, other validation algorithms MAY reject paths that are valid using the basic validation algorithm. The object identifier to identify the basic validation algorithm is:

算法,但验证算法必须生成符合基本验证算法的结果。也就是说,任何新定义的验证算法都不能省略基本算法中的任何验证要求。但是,其他验证算法可能会拒绝使用基本验证算法的有效路径。用于标识基本验证算法的对象标识符为:

      id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 }
        
      id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 }
        

When id-svp-basicValAlg appears in valAlgId, the parameters item MUST be absent.

当id svp basicValAlg出现在valAlgId中时,参数项必须不存在。

3.2.4.2.2. Basic Validation Algorithm Errors
3.2.4.2.2. 基本验证算法错误

The following errors are defined for the basic validation algorithm for inclusion in the validationErrors item in the response (see Section 4.9.6). These errors can be used by any other validation algorithm since all validation algorithms MUST implement the functionality of the basic validation algorithm.

为响应中validationErrors项中包含的基本验证算法定义了以下错误(见第4.9.6节)。任何其他验证算法都可以使用这些错误,因为所有验证算法都必须实现基本验证算法的功能。

      id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg
        
      id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg
        
      id-bvae-expired              OBJECT IDENTIFIER ::= { id-bvae 1 }
      id-bvae-not-yet-valid        OBJECT IDENTIFIER ::= { id-bvae 2 }
      id-bvae-wrongTrustAnchor     OBJECT IDENTIFIER ::= { id-bvae 3 }
      id-bvae-noValidCertPath      OBJECT IDENTIFIER ::= { id-bvae 4 }
      id-bvae-revoked              OBJECT IDENTIFIER ::= { id-bvae 5 }
      id-bvae-invalidKeyPurpose    OBJECT IDENTIFIER ::= { id-bvae 9 }
      id-bvae-invalidKeyUsage      OBJECT IDENTIFIER ::= { id-bvae 10 }
      id-bvae-invalidCertPolicy    OBJECT IDENTIFIER ::= { id-bvae 11 }
        
      id-bvae-expired              OBJECT IDENTIFIER ::= { id-bvae 1 }
      id-bvae-not-yet-valid        OBJECT IDENTIFIER ::= { id-bvae 2 }
      id-bvae-wrongTrustAnchor     OBJECT IDENTIFIER ::= { id-bvae 3 }
      id-bvae-noValidCertPath      OBJECT IDENTIFIER ::= { id-bvae 4 }
      id-bvae-revoked              OBJECT IDENTIFIER ::= { id-bvae 5 }
      id-bvae-invalidKeyPurpose    OBJECT IDENTIFIER ::= { id-bvae 9 }
      id-bvae-invalidKeyUsage      OBJECT IDENTIFIER ::= { id-bvae 10 }
      id-bvae-invalidCertPolicy    OBJECT IDENTIFIER ::= { id-bvae 11 }
        

The id-bvae-expired value means that the validation time used for the request was later than the notAfter time in the end certificate (the certificate specified in the queriedCerts item).

id bvae expired值表示用于请求的验证时间晚于结束证书(queryedcerts项中指定的证书)中的notAfter时间。

The id-bvae-not-yet-valid value means that the validation time used for the request was before the notBefore time in the end certificate.

id bvae not valid值表示用于请求的验证时间早于结束证书中的notBefore时间。

The id-bvae-wrongTrustAnchor value means that a certification path could not be constructed for the client-specified trust anchor(s), but a path exists for one of the trust anchors specified in the server's default validation policy.

id bvae ErrorTrustAnchor值表示无法为客户端指定的信任锚点构造证书路径,但存在服务器默认验证策略中指定的某个信任锚点的路径。

The id-bvae-noValidCertPath value means that the server could not construct a sequence of intermediate certificates between the trust anchor and the target certificate that satisfied the request.

id bvae noValidCertPath值表示服务器无法在信任锚点和满足请求的目标证书之间构造中间证书序列。

The id-bvae-revoked value means that the end certificate has been revoked.

id bvae RECASTED值表示结束证书已被吊销。

The id-bvae-invalidKeyPurpose value means that the extended key usage extension ([PKIX-1], Section 4.2.1.13) in the end certificate does not satisfy the validation policy.

id bvae invalidKeyPurpose值表示结束证书中的扩展密钥使用扩展([PKIX-1],第4.2.1.13节)不满足验证策略。

The id-bvae-invalidKeyUsage value means that the keyUsage extension ([PKIX-1], Section 4.2.1.3) in the end certificate does not satisfy the validation policy. For example, the keyUsage extension in the certificate may assert only the keyEncipherment bit, but the validation policy specifies in the keyUsages item that digitalSignature is required.

id bvae invalidKeyUsage值表示结束证书中的keyUsage扩展([PKIX-1],第4.2.1.3节)不满足验证策略。例如,证书中的keyUsage扩展可能只声明KeyEncryption位,但验证策略在keyUsages项中指定需要数字签名。

The id-bvae-invalidCertPolicy value means that the path is not valid under any of the policies specified in the user policy set and explicit policies are required. That is, the valid_policy_tree is NULL and the explicit_policy variable is zero ([PKIX-1], Section 6.1.5).

id bvae invalidCertPolicy值表示路径在用户策略集中指定的任何策略下无效,需要显式策略。也就是说,有效的_policy_树为NULL,显式的_policy变量为零([PKIX-1],第6.1.5节)。

3.2.4.2.3. Name Validation Algorithm
3.2.4.2.3. 名称验证算法

The name validation algorithm allows the client to specify one or more subject names that MUST appear in the end certificate in addition to the requirements specified for the basic validation algorithm. The name validation algorithm allows the client to supply an application identifier and a name to the server. The application identifier defines the name matching rules to use in comparing the name supplied in the request with the names in the certificate.

除了为基本验证算法指定的要求外,名称验证算法允许客户端指定一个或多个必须出现在最终证书中的主题名称。名称验证算法允许客户端向服务器提供应用程序标识符和名称。应用程序标识符定义用于将请求中提供的名称与证书中的名称进行比较的名称匹配规则。

      id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }
        
      id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }
        

When the id-svp-nameValAlg appears as a valAlgId, the parameters MUST use the NameValidationAlgParms syntax:

当id svp nameValAlg显示为ValalId时,参数必须使用NameValidationAgArms语法:

      NameValidationAlgParms ::= SEQUENCE {
        nameCompAlgId     OBJECT IDENTIFIER,
        validationNames   GeneralNames }
        
      NameValidationAlgParms ::= SEQUENCE {
        nameCompAlgId     OBJECT IDENTIFIER,
        validationNames   GeneralNames }
        

GeneralNames is defined in [PKIX-1].

[PKIX-1]中定义了通用名称。

If more than one name is supplied in the validationNames value, all names MUST be of the same type. The certificate must contain a matching name for each of the names supplied in validationNames according to the name matching rules associated with the nameCompAlgId. This specification defines three sets of name matching rules.

如果validationNames值中提供了多个名称,则所有名称必须为同一类型。根据与nameCompAlgId关联的名称匹配规则,证书必须包含validationNames中提供的每个名称的匹配名称。此规范定义了三组名称匹配规则。

If the nameCompAlgId supplied in the request is id-nva-dnCompAlg, then GeneralNames supplied in the request MUST be a directoryName, and the matching rules to be used are defined in [PKIX-1]. The certificate must contain a matching name in either the subject field or a directoryName in the subjectAltName extension. This specification defines the OID for id-nva-dnCompAlg as follows:

如果请求中提供的nameCompAlgId是id nva dnCompAlg,则请求中提供的GeneralNames必须是directoryName,并且要使用的匹配规则在[PKIX-1]中定义。证书必须在subject字段中包含匹配的名称,或者在subjectAltName扩展名中包含directoryName。本规范对id nva dnCompAlg的OID定义如下:

      id-nva-dnCompAlg   OBJECT IDENTIFIER ::= { id-svp 4 }
        
      id-nva-dnCompAlg   OBJECT IDENTIFIER ::= { id-svp 4 }
        

If the nameCompAlgId supplied in the request is id-kp-serverAuth [PKIX-1], then GeneralNames supplied in the request MUST be a dNSName, and the matching rules to be used are defined in [PKIX-1].

如果请求中提供的nameCompAlgId是id kp serverAuth[PKIX-1],则请求中提供的通用名称必须是dNSName,并且要使用的匹配规则在[PKIX-1]中定义。

If a subjectAltName extension is present and includes one or more names of type dNSName, a match in any one of the set is considered acceptable. If the subjectAltName extension is omitted, or does not include any names of type dNSName, the (most specific) Common Name field in the subject field of the certificate MUST be used.

如果存在subjectAltName扩展名,并且包含一个或多个dNSName类型的名称,则认为集合中的任何一个匹配项都是可接受的。如果省略subjectAltName扩展名,或不包括任何dNSName类型的名称,则必须使用证书的subject字段中的(最具体的)Common Name字段。

Names may contain the wildcard character *, which is considered to match any single domain name component. That is, *.a.com matches foo.a.com but not bar.foo.a.com.

名称可能包含通配符*,通配符被视为与任何单个域名组件匹配。也就是说,*.a.com与foo.a.com匹配,但与bar.foo.a.com不匹配。

If the nameCompAlgId supplied in the request is id-kp-mailProtection [PKIX-1], then GeneralNames supplied in the request MUST be an rfc822Name, and the matching rules are defined in [SMIME-CERT].

如果请求中提供的nameCompAlgId是id kp mailProtection[PKIX-1],则请求中提供的GeneralNames必须是RFC822名称,并且匹配规则在[SMIME-CERT]中定义。

Conforming SCVP servers MUST support the name validation algorithm and the matching rules associated with id-nva-dnCompAlg, id-kp-serverAuth, and id-kp-mailProtection. SCVP servers MAY support other name matching rules.

符合要求的SCVP服务器必须支持名称验证算法以及与id nva dnCompAlg、id kp serverAuth和id kp mailProtection关联的匹配规则。SCVP服务器可能支持其他名称匹配规则。

3.2.4.2.4. Name Validation Algorithm Errors
3.2.4.2.4. 名称验证算法错误

The following errors are defined for the name validation algorithm:

名称验证算法定义了以下错误:

      id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg
        
      id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg
        
      id-nvae-name-mismatch    OBJECT IDENTIFIER ::= { id-nvae 1 }
      id-nvae-no-name          OBJECT IDENTIFIER ::= { id-nvae 2 }
      id-nvae-unknown-alg      OBJECT IDENTIFIER ::= { id-nvae 3 }
      id-nvae-bad-name         OBJECT IDENTIFIER ::= { id-nvae 4 }
      id-nvae-bad-name-type    OBJECT IDENTIFIER ::= { id-nvae 5 }
      id-nvae-mixed-names      OBJECT IDENTIFIER ::= { id-nvae 6 }
        
      id-nvae-name-mismatch    OBJECT IDENTIFIER ::= { id-nvae 1 }
      id-nvae-no-name          OBJECT IDENTIFIER ::= { id-nvae 2 }
      id-nvae-unknown-alg      OBJECT IDENTIFIER ::= { id-nvae 3 }
      id-nvae-bad-name         OBJECT IDENTIFIER ::= { id-nvae 4 }
      id-nvae-bad-name-type    OBJECT IDENTIFIER ::= { id-nvae 5 }
      id-nvae-mixed-names      OBJECT IDENTIFIER ::= { id-nvae 6 }
        

The id-nvae-name-mismatch value means the client supplied a name with the request, which the server recognized and the server found a corresponding name type in the certificate, but was unable to find a

id nvae名称不匹配值表示客户端为请求提供了一个名称,服务器可以识别该名称,并且服务器在证书中找到了相应的名称类型,但找不到相应的名称

match to the name supplied. For example, the client supplied a DNS name of example1.com, and the certificate contained a DNS name of example.com.

与提供的名称匹配。例如,客户端提供了一个DNS名称example1.com,证书包含一个DNS名称example.com。

The id-nvae-no-name value means the client supplied a name with the request, which the server recognized, but the server could not find the corresponding name type in the certificate. For example, the client supplied a DNS name of example1.com, and the certificate only contained a rfc822Name of user@example.com.

id nvae no name值表示客户端为请求提供了一个名称,服务器可以识别该名称,但服务器在证书中找不到相应的名称类型。例如,客户端提供了一个DNS名称example1.com,而证书仅包含一个RFC822名称example1.comuser@example.com.

The id-nvae-unknown-alg value means the client supplied a nameCompAlgId that the server does not recognize.

id nvae unknown alg值表示客户端提供了服务器无法识别的NameCompalId。

The id-nvae-bad-name value means the client supplied either an empty or malformed name in the request.

id nvae bad name值表示客户端在请求中提供的名称为空或格式错误。

The id-nvae-bad-name-type value means the client supplied an inappropriate name type for the application identifier. For example, the client specified a nameCompAlgId of id-kp-serverAuth, and an rfc822Name of user@example.com.

id nvae bad name type值表示客户端为应用程序标识符提供了不适当的名称类型。例如,客户端指定了id为kp serverAuth的nameCompAlgId和id为kp serverAuth的RFC822名称user@example.com.

The id-nvae-mixed-names value means the client supplied multiple names in the request of different types.

id nvae mixed names值表示客户端在不同类型的请求中提供了多个名称。

3.2.4.3. userPolicySet
3.2.4.3. 用户策略集

The userPolicySet item specifies a list of certificate policy identifiers that the SCVP server MUST use when constructing and validating a certification path. The userPolicySet item specifies the user-initial-policy-set as defined in Section 6 of [PKIX-1]. A userPolicySet containing the anyPolicy OID indicates a user-initial-policy-set of any-policy.

userPolicySet项指定SCVP服务器在构造和验证证书路径时必须使用的证书策略标识符列表。userPolicySet项指定[PKIX-1]第6节中定义的用户初始策略集。包含anyPolicy OID的userPolicySet表示任何策略的用户初始策略集。

SCVP clients SHOULD support the userPolicySet item in requests, and SCVP servers MUST support the userPolicySet item in requests.

SCVP客户端应支持请求中的userPolicySet项,SCVP服务器必须支持请求中的userPolicySet项。

3.2.4.4. inhibitPolicyMapping
3.2.4.4. 禁止策略映射

The inhibitPolicyMapping item specifies an input to the certification path validation algorithm, and it controls whether policy mapping is allowed during certification path validation (see [PKIX-1], Section 6.1.1). If the client wants the server to inhibit policy mapping, inhibitPolicyMapping is set to TRUE in the request. SCVP clients MAY support inhibiting policy mapping. SCVP servers SHOULD support inhibiting policy mapping.

inhibitPolicyMapping项指定对认证路径验证算法的输入,并控制在认证路径验证期间是否允许策略映射(请参见[PKIX-1],第6.1.1节)。如果客户端希望服务器禁止策略映射,则inhibitPolicyMapping在请求中设置为TRUE。SCVP客户端可能支持禁止策略映射。SCVP服务器应支持禁止策略映射。

3.2.4.5. requireExplicitPolicy
3.2.4.5. 要求解释政策

The requireExplicitPolicy item specifies an input to the certification path validation algorithm, and it controls whether there must be at least one valid policy in the certificate policies extension (see [PKIX-1], Section 6.1.1). If the client wants the server to require at least one policy, requireExplicitPolicy is set to TRUE in the request.

requireExplicitPolicy项指定证书路径验证算法的输入,并控制证书策略扩展中是否必须至少有一个有效策略(请参见[PKIX-1],第6.1.1节)。如果客户端希望服务器至少需要一个策略,则在请求中将requireExplicitPolicy设置为TRUE。

SCVP clients MAY support requiring explicit policies. SCVP servers SHOULD support requiring explicit policies.

SCVP客户端可能支持需要明确策略的操作。SCVP服务器应支持需要明确策略的操作。

3.2.4.6. inhibitAnyPolicy
3.2.4.6. 禁止性政策

The inhibitAnyPolicy item specifies an input to the certification path validation algorithm (see [PKIX-1], Section 6.1.1), and it controls whether the anyPolicy OID is processed or ignored when evaluating certificate policy. If the client wants the server to ignore the anyPolicy OID, inhibitAnyPolicy MUST be set to TRUE in the request.

inhibitAnyPolicy项指定证书路径验证算法的输入(请参见[PKIX-1],第6.1.1节),并控制在评估证书策略时是处理还是忽略anyPolicy OID。如果客户端希望服务器忽略anyPolicy OID,则必须在请求中将InhibitionAnyPolicy设置为TRUE。

SCVP clients MAY support ignoring the anyPolicy OID. SCVP servers SHOULD support ignoring the anyPolicy OID.

SCVP客户端可能支持忽略anyPolicy OID。SCVP服务器应支持忽略anyPolicy OID。

3.2.4.7. trustAnchors
3.2.4.7. 信任人

The trustAnchors item specifies the trust anchors at which the certification path must terminate if the path is to be considered valid by the SCVP server for the request. If a trustAnchors item is present, the server MUST NOT consider any certification paths ending in other trust anchors as valid.

trustAnchors项指定如果SCVP服务器认为路径对请求有效,则证书路径必须终止的信任锚。如果存在TraceCudior项,则服务器不能认为终止在其他信任锚中的任何证书路径有效。

The TrustAnchors type contains one or more trust anchor specifications. A certificate reference can be used to identify the trust anchor by certificate hash and distinguished name with serial number. Alternatively, trust anchors can be provided directly. The order of trust anchor specifications within the sequence is not important. Any CA certificate that meets the requirements of [PKIX-1] for signing certificates can be provided as a trust anchor. If a trust anchor is supplied that does not meet these requirements, the server MUST return an error response.

信任锚类型包含一个或多个信任锚规范。证书引用可用于通过证书哈希和带序列号的可分辨名称来识别信任锚。或者,可以直接提供信任锚。序列中信任锚规范的顺序并不重要。任何满足[PKIX-1]签名证书要求的CA证书都可以作为信任锚提供。如果提供的信任锚不满足这些要求,服务器必须返回错误响应。

The trust anchor itself, regardless of its form, MUST NOT be included in any certification path returned by the SCVP server.

信任锚点本身,无论其形式如何,都不能包含在SCVP服务器返回的任何证书路径中。

TrustAnchors has the following syntax:

信任锚具有以下语法:

      TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
        
      TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
        

SCVP servers MUST support trustAnchors. SCVP clients SHOULD support trustAnchors.

SCVP服务器必须支持信任锚。SCVP客户端应支持信任锚。

3.2.4.8. keyUsages
3.2.4.8. 关键用法

The key usage extension ([PKIX-1], Section 4.2.1.3) in the certificate defines the technical purpose (such as encipherment, signature, and CRL signing) of the key contained in the certificate. If the client wishes to confirm the technical usage, then it can communicate the usage it wants to validate by the same structure using the same semantics as defined in [PKIX-1]. For example, if the client obtained the certificate in the context of a digital signature, it can confirm this use by including a keyUsage structure with the digital signature bit set.

证书中的密钥使用扩展([PKIX-1],第4.2.1.3节)定义了证书中包含的密钥的技术用途(如加密、签名和CRL签名)。如果客户希望确认技术用途,则可以使用[PKIX-1]中定义的相同语义,通过相同的结构传达其想要验证的用途。例如,如果客户机在数字签名的上下文中获得了证书,则它可以通过将keyUsage结构与数字签名位集包括在一起来确认此使用。

If the keyUsages item is present and contains an empty sequence, it indicates that the client does not require any particular key usage.

如果keyUsages项存在并且包含空序列,则表示客户端不需要任何特定的密钥用法。

If the keyUsages item contains one or more keyUsage definitions, then the certificate MUST satisfy at least one of the specified keyUsage definitions. If the client is willing to accept multiple possibilities, then the client passes in a sequence of possible patterns. Each keyUsage can contain a set of one or more bits set in the request, all bits MUST be set in the certificate to match against an instance of the keyUsage in the SCVP request. The certificate key usage extension may contain more usages than requested. For example, if a client wishes to check for either digital signature or non-repudiation, then the client provides two keyUsage values, one with digital signature set and the other with non-repudiation set. If the key usage extension is absent from the certificate, the certificate MUST be considered good for all usages and therefore any pattern in the SCVP request will match.

如果keyUsages项包含一个或多个keyUsage定义,则证书必须满足至少一个指定的keyUsage定义。如果客户愿意接受多种可能性,那么客户将按照一系列可能的模式传递。每个keyUsage都可以包含一组请求中设置的一个或多个位,证书中的所有位都必须设置为与SCVP请求中的keyUsage实例相匹配。证书密钥用法扩展可能包含比请求的用法更多的用法。例如,如果客户端希望检查数字签名或不可否认性,则客户端提供两个keyUsage值,一个设置了数字签名,另一个设置了不可否认性。如果证书中没有密钥使用扩展,则必须认为该证书适用于所有用途,因此SCVP请求中的任何模式都将匹配。

SCVP clients SHOULD support keyUsages, and SCVP servers MUST support keyUsages.

SCVP客户端应该支持keyUsages,而SCVP服务器必须支持keyUsages。

3.2.4.9. extendedKeyUsages
3.2.4.9. 扩展键用法

The extended key usage extension ([PKIX-1], Section 4.2.1.13) defines more specific technical purposes, in addition to, or in place of, the purposes indicated in the key usage extension, for which the certified public key may be used. If the client will accept certificates that are consistent with a particular value (or values) in the extended key usage extension, then it can communicate the appropriate usages using the same semantics as defined in [PKIX-1].

扩展密钥使用扩展([PKIX-1],第4.2.1.13节)定义了更具体的技术目的,除了或代替密钥使用扩展中指示的目的,认证公钥可用于这些目的。如果客户端将接受与扩展密钥使用扩展中的特定值(一个或多个值)一致的证书,则它可以使用[PKIX-1]中定义的相同语义传达适当的使用。

For example, if the client obtained the certificate in the context of a Transport Layer Security (TLS) server, it can confirm the certificate is consistent with this usage by including the extended key usage structure with the id-kp-serverAuth object identifier.

例如,如果客户端在传输层安全(TLS)服务器的上下文中获得了证书,则它可以通过将扩展密钥使用结构包含在id为kp serverAuth对象标识符中来确认证书与此用法一致。

If the extension is absent, or is present and asserts the anyExtendedKeyUsage OID, then all usages specified in the request are a match. If the extension is present and does not assert the anyExtendedKeyUsage OID, all usages in the request MUST be present in the certificate. The certificate extension may contain more usages than requested.

如果扩展不存在或存在并断言anyExtendedKeyUsage OID,则请求中指定的所有用法都是匹配的。如果扩展存在且未断言anyExtendedKeyUsage OID,则请求中的所有用法都必须存在于证书中。证书扩展可能包含比请求更多的用法。

Where the client does not require any particular extended key usage, the client can specify an empty SEQUENCE. This may be used to override extended key usage requirements imposed in the validation policy specified by valPolId.

当客户端不需要任何特定的扩展密钥使用时,客户端可以指定一个空序列。这可用于覆盖valPolId指定的验证策略中规定的扩展密钥使用要求。

SCVP clients SHOULD support extendedKeyUsages, and SCVP servers MUST support extendedKeyUsages.

SCVP客户端应该支持ExtendedKeyUsage,而SCVP服务器必须支持ExtendedKeyUsage。

3.2.4.10. specifiedKeyUsages
3.2.4.10. 指定用途

The extended key usage extension ([PKIX-1], Section 4.2.1.13) defines more specific technical purposes, in addition to or in place of the purposes indicated in the key usage extension, for which the certified public key may be used. If the client requires that a particular value (or values) appear in the extended key usage extension, then it can specify the required usage(s) using the same semantics as defined in [PKIX-1]. For example, if the client obtained the certificate in the context of a TLS server, it might require that the server certificate include the extended key usage structure with the id-kp-serverAuth object identifier. In this case, the client would include a specifiedKeyUsages item in the request and assert the id-kp-serverAuth object identifier.

扩展密钥使用扩展([PKIX-1],第4.2.1.13节)定义了更具体的技术用途,除了或代替密钥使用扩展中指明的用途,可使用认证公钥。如果客户端要求在扩展密钥使用扩展中显示特定值,则可以使用[PKIX-1]中定义的相同语义指定所需的使用。例如,如果客户端在TLS服务器的上下文中获得证书,则可能需要服务器证书包含id为kp serverAuth对象标识符的扩展密钥使用结构。在这种情况下,客户端将在请求中包含一个指定的KeyUsages项,并断言id kp serverAuth对象标识符。

If one or more specified usages are included in the request, the certificate MUST contain the extended key usage extension, and all usages specified in the request MUST be present in the certificate extension. The certificate extension may contain more usages than specified in the request. Specified key usages are not satisfied by the presence of the anyExtendedKeyUsage OID.

如果请求中包含一个或多个指定用法,则证书必须包含扩展密钥用法扩展,并且请求中指定的所有用法都必须存在于证书扩展中。证书扩展可能包含比请求中指定的更多的用法。anyExtendedKeyUsage OID的存在不满足指定的密钥用法。

Where the client does not require any particular extended key usage, the client can specify an empty SEQUENCE. This may be used to override specified key usage requirements imposed in the validation policy specified by valPolId.

当客户端不需要任何特定的扩展密钥使用时,客户端可以指定一个空序列。这可用于覆盖valPolId指定的验证策略中规定的密钥使用要求。

SCVP clients SHOULD support specifiedKeyUsages, and SCVP servers MUST support specifiedKeyUsages.

SCVP客户端应支持指定的KeyUsage,SCVP服务器必须支持指定的KeyUsage。

3.2.5. responseFlags
3.2.5. 反应滞后

The optional responseFlags item allows the client to indicate which optional features in the CVResponse it wants the server to include. If the default values for all of the flags are used, then the responseFlags item MUST NOT be included in the request.

可选的responseFlags项允许客户端指示它希望服务器在CVResponse中包括哪些可选功能。如果使用了所有标志的默认值,则请求中不得包含responseFlags项。

The syntax of the responseFlags item is:

responseFlags项的语法为:

      ResponseFlags ::= SEQUENCE {
        fullRequestInResponse      [0] BOOLEAN DEFAULT FALSE,
        responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE,
        protectResponse            [2] BOOLEAN DEFAULT TRUE,
        cachedResponse             [3] BOOLEAN DEFAULT TRUE }
        
      ResponseFlags ::= SEQUENCE {
        fullRequestInResponse      [0] BOOLEAN DEFAULT FALSE,
        responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE,
        protectResponse            [2] BOOLEAN DEFAULT TRUE,
        cachedResponse             [3] BOOLEAN DEFAULT TRUE }
        

Each of the response flags is described in the following sections.

以下各节将介绍每个响应标志。

3.2.5.1. fullRequestInResponse
3.2.5.1. 完整请求响应

By default, the server includes a hash of the request in non-cached responses to allow the client to identify the response. If the client wants the server to include the full request in the non-cached response, fullRequestInResponse is set to TRUE. The main reason a client would request the server to include the full request in the response is to archive the request-response exchange in a single object. That is, the client wants to archive a single object that includes both request and response.

默认情况下,服务器在非缓存响应中包含请求的哈希,以允许客户端识别响应。如果客户端希望服务器在非缓存响应中包含完整请求,则将fullRequestInResponse设置为TRUE。客户端请求服务器在响应中包含完整请求的主要原因是将请求-响应交换归档到单个对象中。也就是说,客户机希望归档一个包含请求和响应的对象。

SCVP clients and servers MUST support the default behavior. SCVP clients MAY support requesting and processing the full request. SCVP servers SHOULD support returning the full request.

SCVP客户端和服务器必须支持默认行为。SCVP客户端可能支持请求和处理完整请求。SCVP服务器应支持返回完整请求。

3.2.5.2. responseValidationPolByRef
3.2.5.2. responseValidationPolByRef

The responseValidationPolByRef item controls whether the response includes just a reference to the policy or a reference to the policy plus all the parameters by value of the policy used to process the request. The response MUST contain a reference to the validation policy. If the client wants the validation policy parameters to be included by value also, then responseValidationPolByRef is set to FALSE. The main reason a client would request the server to include validation policy to be included by value is to archive the request-response exchange in a single object. That is, the client wants to archive the CVResponse and have it include every aspect of the validation policy.

responseValidationPolByRef项控制响应是仅包含对策略的引用,还是包含对策略的引用加上所有参数(按用于处理请求的策略的值)。响应必须包含对验证策略的引用。如果客户端希望验证策略参数也包含在值中,则responseValidationPolByRef设置为FALSE。客户机请求服务器包含要按值包含的验证策略的主要原因是将请求-响应交换归档到单个对象中。也就是说,客户机希望归档CVResponse并使其包含验证策略的各个方面。

SCVP clients MUST support requesting and processing the validation policy by reference, and SCVP servers MUST support returning the validation policy by reference. SCVP clients MAY support requesting and processing the validation policy by values. SVCP servers SHOULD support returning the validation policy by values.

SCVP客户端必须支持通过引用请求和处理验证策略,SCVP服务器必须支持通过引用返回验证策略。SCVP客户端可能支持按值请求和处理验证策略。SVCP服务器应支持按值返回验证策略。

3.2.5.3. protectResponse
3.2.5.3. 保护响应

The protectResponse item indicates whether the client requires the server to protect the response. If the client is performing full certification path validation on the response and it is not concerned about the source of the response, then the client does not benefit from a digital signature or MAC on the response. In this case, the client can indicate to the server that protecting the message is unnecessary. However, the server is always permitted to return a protected response.

protectResponse项指示客户端是否要求服务器保护响应。如果客户机正在响应上执行完整的认证路径验证,并且它不关心响应的来源,则客户机不会从响应上的数字签名或MAC中受益。在这种情况下,客户端可以向服务器指示不需要保护消息。但是,始终允许服务器返回受保护的响应。

SCVP clients that support delegated path discovery (DPD) as defined in [RQMTS] MUST support setting this value to FALSE.

支持[RQMTS]中定义的委托路径发现(DPD)的SCVP客户端必须支持将此值设置为FALSE。

SCVP clients that support delegated path validation (DPV) as defined in [RQMTS] require an authenticated response. Unless a protected transport mechanism (such as TLS) is used, such clients MUST always set this value to TRUE or omit the responseFlags item entirely, which requires the server to return a protected response.

支持[RQMTS]中定义的委托路径验证(DPV)的SCVP客户端需要经过身份验证的响应。除非使用受保护的传输机制(如TLS),否则此类客户端必须始终将此值设置为TRUE或完全忽略responseFlags项,这要求服务器返回受保护的响应。

SCVP servers MUST support returning protected responses, and SCVP servers SHOULD support returning unprotected responses. Based on local policy, the server can be configured to return protected or unprotected responses if this value is set to FALSE. If, based on local policy, the server is unable to return protected responses, then the server MUST return an error if this value is set to TRUE.

SCVP服务器必须支持返回受保护的响应,而SCVP服务器应支持返回未受保护的响应。根据本地策略,如果此值设置为FALSE,则可以将服务器配置为返回受保护或未受保护的响应。如果基于本地策略,服务器无法返回受保护的响应,则如果此值设置为TRUE,则服务器必须返回错误。

3.2.5.4. cachedResponse
3.2.5.4. 缓存响应

The cachedResponse item indicates whether the client will accept a cached response. To enhance performance and limit the exposure of signing keys, an SCVP service may be designed to cache responses until new revocation information is expected. Where cachedResponse is set to TRUE, the client will accept a previously cached response.

cachedResponse项指示客户端是否接受缓存响应。为了提高性能并限制签名密钥的公开,可以设计SCVP服务来缓存响应,直到预期新的撤销信息。当cachedResponse设置为TRUE时,客户端将接受以前缓存的响应。

Clients may insist on creation of a fresh response to protect against a replay attack and ensure that information is up to date. Where cachedResponse is FALSE, the client will not accept a cached response. To ensure that a response is fresh, the client MUST also include the requestNonce as defined in Section 3.4.

客户端可能会坚持创建新的响应,以防止重播攻击,并确保信息是最新的。如果cachedResponse为FALSE,则客户端将不接受缓存响应。为了确保响应是新的,客户端还必须包括第3.4节中定义的requestNonce。

Servers MUST process the cachedResponse flag. Where cachedResponse is FALSE, servers that cannot produce fresh responses MUST reply with an error message. Servers MAY choose to provide fresh responses even where cachedResponse is set to TRUE.

服务器必须处理cachedResponse标志。如果cachedResponse为FALSE,则无法生成新响应的服务器必须使用错误消息进行响应。即使cachedResponse设置为TRUE,服务器也可以选择提供新的响应。

3.2.6. serverContextInfo
3.2.6. 服务器上下文信息

The optional serverContextInfo item, if present, contains context from a previous request-response exchange with the same SCVP server. It allows the server to return more than one certification path for the same certificate to the client. For example, if a server constructs a particular certification path for a certificate, but the client finds it unacceptable, the client can then send the same query back to the server with the serverContextInfo from the first response, and the server will be able to provide a different certification path (if another one can be found).

可选的serverContextInfo项(如果存在)包含以前与同一SCVP服务器的请求-响应交换的上下文。它允许服务器向客户端返回同一证书的多个证书路径。例如,如果服务器为证书构造了一个特定的认证路径,但客户端发现它不可接受,那么客户端可以使用第一个响应中的serverContextInfo将相同的查询发送回服务器,并且服务器将能够提供不同的认证路径(如果可以找到另一个)。

Contents of the serverContextInfo are opaque to the SCVP client. That is, the client only knows that it needs to return the value provided by the server with the subsequent request to get a different certification path. Note that the subsequent query needs to be identical to the previous query with the exception of the following:

serverContextInfo的内容对于SCVP客户端是不透明的。也就是说,客户机只知道它需要在后续请求中返回服务器提供的值,以获得不同的认证路径。请注意,后续查询需要与前一查询相同,但以下情况除外:

- requestNonce,

- 请求暂停,

- serverContextInfo, and

- serverContextInfo,以及

- the client's digital signature or MAC on the request.

- 请求时客户端的数字签名或MAC。

SCVP clients MAY support serverContextInfo, and SCVP servers SHOULD support serverContextInfo.

SCVP客户端可能支持serverContextInfo,SCVP服务器应该支持serverContextInfo。

3.2.7. validationTime
3.2.7. 验证时间

The optional validationTime item, if present, tells the date and time relative to which the SCVP client wants the server to perform the checks. If the validationTime is not present, the server MUST perform the validation using the date and time at which the server processes the request. If the validationTime is present, it MUST be encoded as GeneralizedTime. The validationTime provided MUST be a retrospective time since the server can only perform a validity check using the current time (default) or previous time. A server can ignore the validationTime provided in the request if the time is within the clock skew of the server's current time.

可选的validationTime项(如果存在)告诉SCVP客户端希望服务器执行检查的日期和时间。如果validationTime不存在,服务器必须使用服务器处理请求的日期和时间执行验证。如果存在validationTime,则必须将其编码为GeneralizedTime。提供的validationTime必须是追溯时间,因为服务器只能使用当前时间(默认)或以前的时间执行有效性检查。如果时间在服务器当前时间的时钟偏差范围内,则服务器可以忽略请求中提供的validationTime。

The revocation status information is obtained with respect to the validation time. When specifying a validation time other than the current time, the validation time should not necessarily be identical to the time when the private key was used. The validation time specified by the client may be adjusted to compensate for:

获取与验证时间相关的撤销状态信息。指定当前时间以外的验证时间时,验证时间不一定与使用私钥的时间相同。客户规定的验证时间可以调整,以补偿:

1) time for the end-entity to realize that its private key has been, or could possibly be, compromised, and/or

1) 终端实体意识到其私钥已经或可能被泄露和/或

2) time for the end-entity to report the key compromise, and/or

2) 最终实体报告关键妥协的时间,和/或

3) time for the revocation authority to process the revocation request from the end-entity, and/or

3) 撤销机构处理来自最终实体的撤销请求的时间,和/或

4) time for the revocation authority to update and distribute the revocation status information.

4) 吊销机构更新和分发吊销状态信息的时间。

GeneralizedTime values MUST be expressed in Universal Coordinated Time (UTC) (which is also known as Greenwich Mean Time and Zulu time) and MUST include seconds (i.e., times are YYYYMMDDHHMMSSZ), even when the number of seconds is zero. GeneralizedTime values MUST NOT include fractional seconds.

广义时间值必须以世界协调时间(UTC)(也称为格林威治标准时间和祖鲁时间)表示,并且必须包括秒(即时间为YYYYMMDDHHMMSSZ),即使秒数为零。GeneralizedTime值不能包含小数秒。

The information in the corresponding CertReply item in the response MUST be formatted as if the server created the response at the time indicated in the validationTime. However, if the server does not have appropriate historical information, the server MUST return an error response.

响应中相应CertReply项中的信息的格式必须与服务器在validationTime中指定的时间创建响应的格式相同。但是,如果服务器没有适当的历史信息,则服务器必须返回错误响应。

SCVP servers MUST apply a clock skew to the validation time to allow for minor time synchronization errors. The default value is 10 minutes. If the server uses a value other than the default, it MUST include the clock skew value in the validation policy response.

SCVP服务器必须对验证时间应用时钟偏差,以允许出现较小的时间同步错误。默认值为10分钟。如果服务器使用的值不是默认值,则必须在验证策略响应中包含时钟偏移值。

SCVP clients MAY support validationTime other than the current time. SCVP servers MUST support using its current time, and SHOULD support the client setting the validationTime in the request.

SCVP客户端可能支持当前时间以外的验证时间。SCVP服务器必须支持使用其当前时间,并且应支持客户端在请求中设置validationTime。

3.2.8. intermediateCerts
3.2.8. 中期

The optional intermediateCerts item may help the SCVP server create valid certification paths. The intermediateCerts item, when present, provides certificates that the server MAY use when forming a certification path. When building certification paths, the server MAY use the certificates in the intermediateCerts item in addition to any other certificates that the server can access. When present, the intermediateCerts item MUST contain at least one certificate, and

可选的intermediateCerts项可以帮助SCVP服务器创建有效的认证路径。intermediateCerts项(如果存在)提供服务器在形成证书路径时可以使用的证书。在构建证书路径时,服务器可以使用intermediateCerts项中的证书以及服务器可以访问的任何其他证书。存在时,intermediateCerts项必须至少包含一个证书,并且

the intermediateCerts item MUST be structured as a CertBundle. The certificates in the intermediateCerts item MUST NOT be considered as valid by the server just because they are present in this item.

intermediateCerts项必须结构化为CertBundle。intermediateCerts项中的证书不能仅因为存在于该项中而被服务器视为有效。

The CertBundle type contains one or more certificates. The order of the entries in the bundle is not important. CertBundle has the following syntax:

CertBundle类型包含一个或多个证书。捆绑中条目的顺序并不重要。CertBundle具有以下语法:

      CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate
        
      CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate
        

SCVP clients SHOULD support intermediateCerts, and SCVP servers MUST support intermediateCerts.

SCVP客户端应支持intermediateCerts,而SCVP服务器必须支持intermediateCerts。

3.2.9. revInfos
3.2.9. 复习资料

The optional revInfos item specifies revocation information such as CRLs, delta CRLs [PKIX-1], and OCSP responses [OCSP] that the SCVP server MAY use when validating certification paths. The purpose of the revInfos item is to provide revocation information to which the server might not otherwise have access, such as an OCSP response that the client received along with the certificate. Note that the information in the revInfos item might not be used by the server. For example, the revocation information might be associated with certificates that the server does not use in the certification path that it constructs.

可选的revInfos项指定SCVP服务器在验证证书路径时可能使用的撤销信息,如CRL、增量CRL[PKIX-1]和OCSP响应[OCSP]。RevInfo项的目的是提供服务器可能无法访问的吊销信息,例如客户端随证书一起收到的OCSP响应。请注意,服务器可能不使用revinfo项中的信息。例如,吊销信息可能与服务器在其构造的证书路径中不使用的证书相关联。

Clients SHOULD be courteous to the SCVP server by separating CRLs and delta CRLs. However, since the two share a common syntax, SCVP servers SHOULD accept delta CRLs even if they are identified as regular CRLs by the SCVP client.

客户机应该通过分离CRL和增量CRL对SCVP服务器保持礼貌。但是,由于两者共享一个公共语法,因此SCVP服务器应该接受增量CRL,即使SCVP客户端将它们标识为常规CRL。

CRLs, delta CRLs, and OCSP responses can be provided as revocation information. If needed, additional object identifiers can be assigned for additional revocation information types in the future.

CRL、增量CRL和OCSP响应可以作为撤销信息提供。如果需要,将来可以为其他吊销信息类型分配其他对象标识符。

The revInfos item uses the RevocationInfos type, which has the following syntax:

Revinfo项使用RevocationFos类型,该类型具有以下语法:

      RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo
        
      RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo
        
      RevocationInfo ::= CHOICE {
        crl                    [0] CertificateList,
        delta-crl              [1] CertificateList,
        ocsp                   [2] OCSPResponse,
        other                  [3] OtherRevInfo }
        
      RevocationInfo ::= CHOICE {
        crl                    [0] CertificateList,
        delta-crl              [1] CertificateList,
        ocsp                   [2] OCSPResponse,
        other                  [3] OtherRevInfo }
        
      OtherRevInfo ::= SEQUENCE {
        riType                     OBJECT IDENTIFIER,
        riValue                    ANY DEFINED BY riType }
        
      OtherRevInfo ::= SEQUENCE {
        riType                     OBJECT IDENTIFIER,
        riValue                    ANY DEFINED BY riType }
        
3.2.10. producedAt
3.2.10. 生产

The client MAY allow the server to use a cached SCVP response. When doing so, the client MAY use the producedAt item to express requirements on the freshness of the cached response. The producedAt item tells the earliest date and time at which an acceptable cached response could have been produced. The producedAt item represents the date and time in UTC, using the GeneralizedTime type. The value in the producedAt item is independent of the validation time.

客户端可能允许服务器使用缓存的SCVP响应。这样做时,客户机可以使用producedAt项来表示对缓存响应新鲜度的要求。producedAt项告诉可以产生可接受的缓存响应的最早日期和时间。producedAt项使用GeneralizedTime类型表示UTC中的日期和时间。producedAt项中的值与验证时间无关。

GeneralizedTime value MUST be expressed in UTC, as defined in Section 3.2.7.

如第3.2.7节所定义,GeneralizedTime值必须以UTC表示。

SCVP clients MAY support using producedAt values in the request. SCVP servers MAY support the producedAt values in the request. SCVP servers that support cached responses SHOULD support the producedAt value in requests.

SCVP客户端可能支持在请求中使用producedAt值。SCVP服务器可能支持请求中的producedAt值。支持缓存响应的SCVP服务器应支持请求中的producedAt值。

3.2.11. queryExtensions
3.2.11. 查询扩展

The optional queryExtensions item contains extensions. If present, each extension in the sequence extends the query. This specification does not define any extensions; the facility is provided to allow future specifications to extend SCVP. The syntax for Extensions is imported from [PKIX-1]. The queryExtensions item, when present, MUST contain a sequence of Extension items, and each of the extensions MUST contain extnID, critical, and extnValue items. Each of these is described in the following sections.

可选的queryExtensions项包含扩展名。如果存在,序列中的每个扩展都会扩展查询。本规范未定义任何扩展;提供该设施是为了允许将来的规范扩展SCVP。扩展的语法是从[PKIX-1]导入的。queryExtensions项(如果存在)必须包含一系列扩展项,并且每个扩展项必须包含extnID、critical和extnValue项。以下各节将对其中的每一项进行描述。

3.2.11.1. extnID
3.2.11.1. extnID

The extnID item is an identifier for the extension. It contains the object identifier that names the extension.

extnID项是扩展的标识符。它包含命名扩展的对象标识符。

3.2.11.2. critical
3.2.11.2. 批评的

The critical item is a BOOLEAN. Each extension is designated as either critical (with a value of TRUE) or non-critical (with a value of FALSE). By default, the extension is non-critical. An SCVP server MUST reject the query if it encounters a critical extension that it does not recognize; however, a non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.

关键项是布尔值。每个扩展都被指定为关键(值为TRUE)或非关键(值为FALSE)。默认情况下,扩展是非关键的。如果遇到无法识别的关键扩展,则SCVP服务器必须拒绝查询;但是,如果未识别非关键扩展,则可能会忽略它,但如果已识别,则必须对其进行处理。

3.2.11.3. extnValue
3.2.11.3. 外部值

The extnValue item contains an OCTET STRING. Within the OCTET STRING is the extension value. An ASN.1 type is specified for each extension, identified by the associated extnID object identifier.

extnValue项包含一个八位字节字符串。在八进制字符串中是扩展值。为每个扩展指定ASN.1类型,由关联的extnID对象标识符标识。

3.3. requestorRef
3.3. 请求者引用

The optional requestorRef item contains a list of names identifying SCVP servers, and it is intended for use in environments where SCVP relay is employed. Although requestorRef is encoded as a SEQUENCE, no order is implied. The requestorRef item is used to detect looping in some configurations. The value and use of requestorRef are described in Section 7.

可选的requestorRef项包含标识SCVP服务器的名称列表,用于使用SCVP中继的环境。尽管requestorRef被编码为一个序列,但没有隐含顺序。requestorRef项用于检测某些配置中的循环。requestorRef的值和用法在第7节中描述。

Conforming SCVP clients MAY support specification of the requestorRef value. Conforming SCVP server implementations MUST process the requestorRef value if present. If the SCVP client includes a requestorRef value in the request, then the SCVP server MUST return the same value in a non-cached response. The SCVP server MAY omit the requestorRef value from cached SCVP responses.

符合要求的SCVP客户端可能支持requestorRef值的规范。符合要求的SCVP服务器实现必须处理requestorRef值(如果存在)。如果SCVP客户端在请求中包含requestorRef值,则SCVP服务器必须在非缓存响应中返回相同的值。SCVP服务器可以从缓存的SCVP响应中忽略requestorRef值。

The requestorRef item MUST be a sequence of GeneralName. No provisions are made to ensure uniqueness of the requestorRef GeneralName values.

requestorRef项必须是GeneralName的序列。没有规定确保requestorRef GeneralName值的唯一性。

3.4. requestNonce
3.4. 请求时间

The optional requestNonce item contains a request identifier generated by the SCVP client. If the client includes a requestNonce value in the request, it is expressing a preference that the SCVP server SHOULD return a non-cached response. If the server returns a non-cached response, it MUST include the value of requestNonce from the request in the response as the respNonce item; however, the server MAY return a cached response which MUST NOT have a respNonce.

可选的requestNonce项包含由SCVP客户端生成的请求标识符。如果客户端在请求中包含requestNonce值,则表示SCVP服务器应返回非缓存响应的首选项。如果服务器返回一个非缓存响应,它必须在响应中包含来自请求的requestNonce值作为Responce项;但是,服务器可能返回一个缓存响应,该响应不能有respnce。

SCVP clients that insist on creation of a fresh response (e.g., to protect against a replay attack or ensure information is up to date) MUST support requestNonce. Conforming SCVP server implementations MUST process the requestNonce value if present.

坚持创建新响应(例如,防止重播攻击或确保信息最新)的SCVP客户端必须支持requestNonce。符合要求的SCVP服务器实现必须处理requestNonce值(如果存在)。

If the client includes a requestNonce and also sets the cachedResponse flag to FALSE as described in Section 3.2.5.4, the client is indicating that the SCVP server MUST return either a non-cached response including the respNonce or an error response. The client SHOULD include a requestNonce item in every request to prevent

如第3.2.5.4节所述,如果客户端包括requestNonce,并且还将cachedResponse标志设置为FALSE,则客户端指示SCVP服务器必须返回包括Responce的非缓存响应或错误响应。客户端应在每个请求中包含requestNonce项,以防止

an attacker from acting as a man-in-the-middle by replaying old responses from the server. The requestNonce value SHOULD change with every request sent by the client.

攻击者可以通过重播服务器的旧响应来避免充当中间人。requestNonce值应随客户端发送的每个请求而更改。

The client MUST NOT set the cachedResponse flag to FALSE without also including a requestNonce. A server receiving such a request SHOULD return an invalidRequest error response.

如果不包括requestNonce,客户端不得将cachedResponse标志设置为FALSE。接收此类请求的服务器应返回invalidRequest错误响应。

The requestNonce item, if present, MUST be an OCTET STRING that was generated exclusively for this request.

requestNonce项(如果存在)必须是专门为此请求生成的八位字节字符串。

3.5. requestorName
3.5. 请求者名称

The optional requestorName item is used by the client to include an identifier in the request. The client MAY include this information for the DPV server to copy into the response.

客户端使用可选的requestorName项在请求中包含标识符。客户端可以包括该信息,以便DPV服务器复制到响应中。

Conforming SCVP clients MAY support specification of this item in requests. SCVP servers MUST be able to process requests that include this item.

符合要求的SCVP客户可在请求中支持该项目的规范。SCVP服务器必须能够处理包含此项的请求。

3.6. responderName
3.6. 应答器名称

The optional responderName item is used by the client to indicate the identity of the SCVP server that the client expects to sign the SCVP response if the response is digitally signed. The responderName item SHOULD only be included if:

客户端使用可选的responderName项来指示SCVP服务器的标识,如果响应是数字签名的,则客户端希望对SCVP响应进行签名。只有在以下情况下,才应包括responderName项:

1. the request is either unprotected or digitally signed (i.e., is not protected using a MAC), and

1. 请求未受保护或经过数字签名(即,未使用MAC进行保护),并且

2. the responseFlags item is either absent or present with the protectResponse set to TRUE.

2. responseFlags项不存在或存在,protectResponse设置为TRUE。

Conforming SCVP clients MAY support specification of this item in requests. SCVP servers MUST be able to process requests that include this item. SCVP servers that maintain a single private key for signing SCVP responses or that are unable to return digitally signed responses MAY ignore the value in this item. SCVP servers that maintain more than one private key for signing SCVP responses SHOULD either (a) digitally sign the response using a private key that corresponds to a certificate that includes the name specified in responderName in either subject field or subjectAltName extension or (b) return a error indicating that the server does not possess a certificate that asserts the specified name.

符合要求的SCVP客户可在请求中支持该项目的规范。SCVP服务器必须能够处理包含此项的请求。维护用于签名SCVP响应的单个私钥或无法返回数字签名响应的SCVP服务器可能会忽略此项中的值。维护多个用于签名SCVP响应的私钥的SCVP服务器应(a)使用私钥对响应进行数字签名,该私钥对应于包含responderName中在subject字段或subjectAltName扩展中指定的名称的证书,或(b)返回一个错误,指示服务器不具有断言指定名称的证书。

3.7. requestExtensions
3.7. 请求扩展

The OPTIONAL requestExtensions item contains extensions. If present, each extension in the sequence extends the request. This specification does not define any extensions; the facility is provided to allow future specifications to extend SCVP. The syntax for Extensions is imported from [PKIX-1]. The requestExtensions item, when present, MUST contain a sequence of Extension items, and each of the extensions MUST contain extnID, critical, and extnValue items. Each of these is described in the following sections.

可选的requestExtensions项包含扩展。如果存在,序列中的每个扩展都会扩展请求。本规范未定义任何扩展;提供该设施是为了允许将来的规范扩展SCVP。扩展的语法是从[PKIX-1]导入的。requestExtensions项(如果存在)必须包含一系列扩展项,并且每个扩展项必须包含extnID、critical和extnValue项。以下各节将对其中的每一项进行描述。

3.7.1. extnID
3.7.1. extnID

The extnID item is an identifier for the extension. It contains the object identifier that names the extension.

extnID项是扩展的标识符。它包含命名扩展的对象标识符。

3.7.2. critical
3.7.2. 批评的

The critical item is a BOOLEAN. Each extension is designated as either critical (with a value of TRUE) or non-critical (with a value of FALSE). By default, the extension is non-critical. An SCVP server MUST reject the query if it encounters a critical extension it does not recognize. A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.

关键项是布尔值。每个扩展都被指定为关键(值为TRUE)或非关键(值为FALSE)。默认情况下,扩展是非关键的。如果遇到无法识别的关键扩展,则SCVP服务器必须拒绝该查询。如果无法识别非关键扩展,则可以忽略它,但如果能够识别,则必须对其进行处理。

3.7.3. extnValue
3.7.3. 外部值

The extnValue item contains an OCTET STRING. Within the OCTET STRING is the extension value. An ASN.1 type is specified for each extension, identified by the associated extnID object identifier.

extnValue项包含一个八位字节字符串。在八进制字符串中是扩展值。为每个扩展指定ASN.1类型,由关联的extnID对象标识符标识。

3.8. signatureAlg
3.8. 签名

The signatureAlg item contains an AlgorithmIdentifier indicating which algorithm the server should use to sign the response message. The signatureAlg item SHOULD only be included if:

SignatureLog项包含一个AlgorithmIdentifier,指示服务器应该使用哪个算法对响应消息进行签名。只有在以下情况下,才应包括签名项:

1. the request is either unprotected or digitally signed (i.e., is not protected using a MAC), and

1. 请求未受保护或经过数字签名(即,未使用MAC进行保护),并且

2. the responseFlags item is either absent or present with the protectResponse set to TRUE.

2. responseFlags项不存在或存在,protectResponse设置为TRUE。

If included, the signatureAlg item SHOULD specify one of the signature algorithms specified in the signatureGeneration item of the server's validation policy response message.

如果包含,SignatureLog项应指定服务器验证策略响应消息的signatureGeneration项中指定的签名算法之一。

SCVP servers MUST be able to process requests that include this item. If the server is returning a digitally signed response to this message, then:

SCVP服务器必须能够处理包含此项的请求。如果服务器返回对此消息的数字签名响应,则:

1. If the signatureAlg item is present and specifies an algorithm that is included in the signatureGeneration item of the server's validation policy response message, the server MUST sign the response using the signature algorithm specified in signatureAlg.

1. 如果存在SignatureLog项并指定了包含在服务器验证策略响应消息的signatureGeneration项中的算法,则服务器必须使用SignatureLog中指定的签名算法对响应进行签名。

2. Otherwise, if the signatureAlg item is absent or is present but specifies an algorithm that is not supported by the server, the server MUST sign the response using the server's default signature algorithm as specified in the signatureGeneration item of the server's validation policy response message.

2. 否则,如果SignatureLog项不存在或存在,但指定了服务器不支持的算法,则服务器必须使用服务器的验证策略响应消息的signatureGeneration项中指定的服务器默认签名算法对响应进行签名。

3.9. hashAlg
3.9. 哈沙尔格

The hashAlg item contains an object identifier indicating which hash algorithm the server should use to compute the hash value for the requestHash item in the response. SCVP clients SHOULD NOT include this item if fullRequestInResponse is set to TRUE. If included, the hashAlg item SHOULD specify one of the hash algorithms specified in the hashAlgorithms item of the server's validation policy response message.

hashAlg项包含一个对象标识符,指示服务器应该使用哪个哈希算法来计算响应中requestHash项的哈希值。如果fullRequestInResponse设置为TRUE,则SCVP客户端不应包含此项。如果包含,hashAlg项应指定在服务器的验证策略响应消息的hashAlgorithms项中指定的哈希算法之一。

SCVP servers MUST be able to process requests that include this item. If the server is returning a response to this message that includes a requestHash, then:

SCVP服务器必须能够处理包含此项的请求。如果服务器返回包含requestHash的对此消息的响应,则:

1. If the hashAlg item is present and specifies an algorithm that is included in the hashAlgorithms item of the server's validation policy response message, the server MUST use the algorithm specified in hashAlg to compute the requestHash.

1. 如果hashAlg项存在,并且指定了包含在服务器的验证策略响应消息的hashalgoriths项中的算法,则服务器必须使用hashAlg中指定的算法来计算requestHash。

2. Otherwise, if the hashAlg item is absent or is present but specifies an algorithm that is not supported by the server, the server MUST compute the requestHash using the server's default hash algorithm as specified in the hashAlgorithms item of the server's validation policy response message.

2. 否则,如果hashAlg项不存在或存在,但指定了服务器不支持的算法,则服务器必须使用服务器的验证策略响应消息的hashAlgorithms项中指定的服务器默认哈希算法计算requestHash。

3.10. requestorText
3.10. 请求文本

SCVP clients MAY use the requestorText item to provide text for inclusion in the corresponding response. For example, this field may describe the nature or reason for the request.

SCVP客户端可以使用requestorText项提供文本以包含在相应的响应中。例如,此字段可以描述请求的性质或原因。

Conforming SCVP client implementations MAY support inclusion of this item in requests. Conforming SCVP server implementations MUST accept requests that include this item. When generating non-cached responses, conforming SCVP server implementations MUST copy the contents of this item into the requestorText item in the corresponding response (see Section 4.13).

符合标准的SCVP客户端实现可能支持在请求中包含此项。符合要求的SCVP服务器实施必须接受包含此项的请求。生成非缓存响应时,符合要求的SCVP服务器实现必须将此项的内容复制到相应响应中的requestorText项中(请参见第4.13节)。

3.11. SCVP Request Authentication
3.11. SCVP请求身份验证

It is a matter of local policy what validation policy the server uses when authenticating requests. When authenticating protected SCVP requests, the SCVP servers SHOULD use the validation algorithm defined in Section 6 of [PKIX-1].

服务器在验证请求时使用什么验证策略是本地策略的问题。在验证受保护的SCVP请求时,SCVP服务器应使用[PKIX-1]第6节中定义的验证算法。

If the certificate used to validate a SignedData validation request includes the key usage extension ([PKIX-1], Section 4.2.1.3), it MUST have either the digital signature bit set, the non-repudiation bit set, or both bits set.

如果用于验证签名数据验证请求的证书包含密钥使用扩展([PKIX-1],第4.2.1.3节),则必须设置数字签名位、不可否认位或同时设置这两个位。

If the certificate used to validate an AuthenticatedData validation request includes the key usage extension, it MUST have the key agreement bit set.

如果用于验证AuthenticatedData验证请求的证书包含密钥使用扩展,则必须设置密钥协议位。

If the certificate used on a validation request contains the extended key usage extension ([PKIX-1], Section 4.2.1.13), the server SHALL verify that it contains the SCVP client OID, the anyExtendedKeyUsage OID, or another OID acceptable to the server. The SCVP client OID is defined as follows:

如果验证请求中使用的证书包含扩展密钥使用扩展([PKIX-1],第4.2.1.13节),则服务器应验证其是否包含SCVP客户端OID、anyExtendedKeyUsage OID或服务器可接受的其他OID。SCVP客户端OID的定义如下:

      id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
        
      id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
        
      id-kp-scvpClient             OBJECT IDENTIFIER ::= { id-kp 16 }
        
      id-kp-scvpClient             OBJECT IDENTIFIER ::= { id-kp 16 }
        

If a protected request fails to meet the validation policy of the server, it MUST be treated as an unauthenticated request.

如果受保护的请求未能满足服务器的验证策略,则必须将其视为未经验证的请求。

4. Validation Response
4. 验证响应

An SCVP server response to the client MUST be a single CVResponse item. When a CVResponse is encapsulated in a MIME body part, application/scvp-cv-response MUST be used.

SCVP服务器对客户端的响应必须是单个CVResponse项。当CVResponse封装在MIME主体部分中时,必须使用application/scvp cv response。

There are a number of forms of an SCVP response:

SCVP响应有多种形式:

1. A success response to a request that has protectResponse set to FALSE. These responses SHOULD NOT be protected by the server.

1. 对protectResponse设置为FALSE的请求的成功响应。服务器不应保护这些响应。

2. The server MUST protect all other success responses. If the server is unable to return a protected success response due to local policy, then it MUST return an error response.

2. 服务器必须保护所有其他成功响应。如果由于本地策略,服务器无法返回受保护的成功响应,则必须返回错误响应。

3. An error response to a request made over a protected transport such as TLS. These responses SHOULD NOT be protected by the server.

3. 对通过受保护的传输(如TLS)发出的请求的错误响应。服务器不应保护这些响应。

4. An error response to a request that has protectResponse set to FALSE. These responses SHOULD NOT be protected by the server.

4. 对protectResponse设置为FALSE的请求的错误响应。服务器不应保护这些响应。

5. An error response to an authenticated request. The server SHOULD protect these responses.

5. 对经过身份验证的请求的错误响应。服务器应该保护这些响应。

6. An error response to an AuthenticatedData request where MAC is valid. The server MUST protect these responses.

6. 对MAC有效的AuthenticatedData请求的错误响应。服务器必须保护这些响应。

7. All other error responses MUST NOT be protected by the server.

7. 服务器不得保护所有其他错误响应。

Successful responses are made when the server has fully complied with the request. That is, the server was able to attempt to build a certification path using the referenced or supplied validation policy, and it was able to comply with all the requested parameters. If the server is unable to perform validations using the required validation policy or the request contains an unsupported option, then the server MUST return an error response.

当服务器完全符合请求时,会做出成功响应。也就是说,服务器能够尝试使用引用的或提供的验证策略构建证书路径,并且能够符合所有请求的参数。如果服务器无法使用所需的验证策略执行验证,或者请求包含不受支持的选项,则服务器必须返回错误响应。

For protected requests and responses, SCVP servers MUST support SignedData and SHOULD support AuthenticatedData. It is a matter of local policy which types are used. Where a protected response is required, SCVP servers MUST use SignedData or AuthenticatedData, even if the transaction is performed using a protected transport (e.g., TLS).

对于受保护的请求和响应,SCVP服务器必须支持SignedData并应支持AuthenticatedData。使用哪种类型是当地政策的问题。如果需要受保护的响应,SCVP服务器必须使用SignedData或AuthenticatedData,即使事务是使用受保护的传输(例如TLS)执行的。

If the server is making a protected response to a protected request, then the server MUST use the same protection mechanism (SignedData or AuthenticatedData) as in the request.

如果服务器对受保护的请求做出受保护的响应,则服务器必须使用与请求中相同的保护机制(SignedData或AuthenticatedData)。

An overview of the structure used for an unprotected response is provided below. Many details are not shown, but the way that SCVP makes use of CMS is clearly illustrated.

下文概述了用于无保护响应的结构。许多细节未显示,但SCVP使用CMS的方式已清楚说明。

      ContentInfo {
        contentType        id-ct-scvp-certValResponse,
                                    -- (1.2.840.113549.1.9.16.1.11)
        content            CVResponse }
        
      ContentInfo {
        contentType        id-ct-scvp-certValResponse,
                                    -- (1.2.840.113549.1.9.16.1.11)
        content            CVResponse }
        

The protected response consists of a CVResponse encapsulated in either a SignedData or an AuthenticatedData, which is in turn encapsulated in a ContentInfo. That is, the EncapsulatedContentInfo field of either SignedData or AuthenticatedData consists of an eContentType field with a value of id-ct-scvp-certValResponse and an eContent field that contains a DER-encoded CVResponse.

受保护的响应由封装在SignedData或AuthenticatedData中的CVResponse组成,后者又封装在ContentInfo中。也就是说,SignedData或AuthenticatedData的封装ContentInfo字段由一个值为id ct scvp certValResponse的eContentType字段和一个包含DER编码CVResponse的eContent字段组成。

The SCVP server MUST include its own certificate in the certificates field within SignedData. Other certificates MAY also be included.

SCVP服务器必须在SignedData中的证书字段中包含自己的证书。也可包括其他证书。

The SCVP server MAY also provide one or more CRLs in the crls field within SignedData. The signerInfos field of SignedData MUST include exactly one SignerInfo. The SignedData MUST NOT include the unsignedAttrs field.

SCVP服务器还可以在SignedData中的CRLs字段中提供一个或多个CRL。SignedData的signerInfos字段必须仅包含一个SignerInfo。SignedData不能包含unsignedAttrs字段。

The signedAttrs field within SignerInfo MUST include the content-type and message-digest attributes defined in [CMS], and it SHOULD include the signing-certificate attribute as defined in [ESS]. Within the signing-certificate attribute, the first certificate identified in the sequence of certificate identifiers MUST be the certificate of the SCVP server. The inclusion of other certificate identifiers in the signing-certificate attribute is OPTIONAL. The inclusion of policies in the signing-certificate is OPTIONAL.

SignerInfo中的signedAttrs字段必须包括[CMS]中定义的内容类型和消息摘要属性,并应包括[ESS]中定义的签名证书属性。在signing certificate属性中,证书标识符序列中标识的第一个证书必须是SCVP服务器的证书。在签名证书属性中包含其他证书标识符是可选的。在签名证书中包含策略是可选的。

The recipientInfos field of AuthenticatedData MUST include exactly one RecipientInfo, which contains information for the client that sent the request. The AuthenticatedData MUST NOT include the unauthAttrs field.

AuthenticatedData的recipientInfos字段必须只包含一个RecipientInfo,其中包含发送请求的客户端的信息。经验证的数据不得包含unauthAttrs字段。

The CVResponse item contains the server's response. The CVResponse MUST contain the cvResponseVersion, serverConfigurationID, producedAt, and responseStatus items. The CVResponse MAY also contain the respValidationPolicy, requestRef, requestorRef, requestorName, replyObjects, respNonce, serverContextInfo, and cvResponseExtensions items. The replyObjects item MUST contain exactly one CertReply item for each certificate requested. The requestorRef item MUST be included if the request included a requestorRef item and a non-cached response is provided. The respNonce item MUST be included if the request included a requestNonce item and a non-cached response is provided.

CVResponse项包含服务器的响应。CVResponse必须包含cvResponseVersion、serverConfigurationID、producedAt和responseStatus项。CVResponse还可能包含respValidationPolicy、requestRef、requestorRef、requestorName、ReplyObject、Responce、serverContextInfo和cvResponseExtensions项。对于每个请求的证书,ReplyObject项必须仅包含一个CertReply项。如果请求包含requestorRef项并且提供了非缓存响应,则必须包含requestorRef项。如果请求包含requestNonce项并且提供了非缓存响应,则必须包含Responce项。

The CVResponse MUST have the following syntax:

CVResponse必须具有以下语法:

      CVResponse ::= SEQUENCE {
        cvResponseVersion         INTEGER,
        serverConfigurationID     INTEGER,
        producedAt                GeneralizedTime,
        responseStatus            ResponseStatus,
        respValidationPolicy  [0] RespValidationPolicy OPTIONAL,
        requestRef            [1] RequestReference OPTIONAL,
        requestorRef          [2] GeneralNames OPTIONAL,
        requestorName         [3] GeneralNames OPTIONAL,
        replyObjects          [4] ReplyObjects OPTIONAL,
        respNonce             [5] OCTET STRING OPTIONAL,
        serverContextInfo     [6] OCTET STRING OPTIONAL,
        cvResponseExtensions  [7] Extensions OPTIONAL,
        requestorText         [8] UTF8String (SIZE (1..256)) OPTIONAL }
        
      CVResponse ::= SEQUENCE {
        cvResponseVersion         INTEGER,
        serverConfigurationID     INTEGER,
        producedAt                GeneralizedTime,
        responseStatus            ResponseStatus,
        respValidationPolicy  [0] RespValidationPolicy OPTIONAL,
        requestRef            [1] RequestReference OPTIONAL,
        requestorRef          [2] GeneralNames OPTIONAL,
        requestorName         [3] GeneralNames OPTIONAL,
        replyObjects          [4] ReplyObjects OPTIONAL,
        respNonce             [5] OCTET STRING OPTIONAL,
        serverContextInfo     [6] OCTET STRING OPTIONAL,
        cvResponseExtensions  [7] Extensions OPTIONAL,
        requestorText         [8] UTF8String (SIZE (1..256)) OPTIONAL }
        

Conforming SCVP servers MAY be capable of constructing a CVResponse that includes the serverContextInfo or cvResponseExtensions items. Conforming SCVP servers MUST be capable of constructing a CVResponse with any of the remaining optional items. Conforming SCVP clients MUST be capable of processing a CVResponse with the following optional items: respValidationPolicy, requestRef, requestorName, replyObjects, and respNonce.

符合要求的SCVP服务器可能能够构造包含serverContextInfo或cvResponseExtensions项的CVResponse。符合要求的SCVP服务器必须能够使用任何剩余可选项构建CVVP响应。符合条件的SCVP客户端必须能够处理具有以下可选项的CVResponse:respValidationPolicy、requestRef、requestorName、ReplyObject和Respnce。

Conforming SCVP clients that are capable of including requestorRef in a request MUST be capable of processing a CVResponse that includes the requestorRef item. Conforming SCVP clients MUST be capable of processing a CVResponse that includes the serverContextInfo or cvResponseExtensions items. Conforming clients MUST be able to determine if critical extensions are present in the cvResponseExtensions item.

能够在请求中包含requestorRef的一致性SCVP客户端必须能够处理包含requestorRef项的CVResponse。符合要求的SCVP客户端必须能够处理包含serverContextInfo或cvResponseExtensions项的CVResponse。合规客户必须能够确定cvResponseExtensions项中是否存在关键扩展。

4.1. cvResponseVersion
4.1. CVD响应外翻

The syntax and semantics of cvResponseVersion are the same as cvRequestVersion as described in Section 3.1. The cvResponseVersion MUST match the cvRequestVersion in the request. If the server cannot generate a response with a matching version number, then the server MUST return an error response that indicates the highest version number that the server supports as the version number.

cvResponseVersion的语法和语义与第3.1节中描述的cvRequestVersion相同。cvResponseVersion必须与请求中的cvRequestVersion匹配。如果服务器无法生成具有匹配版本号的响应,则服务器必须返回一个错误响应,指出服务器支持的最高版本号作为版本号。

4.2. serverConfigurationID
4.2. 服务器配置ID

The server configuration ID item represents the version of the SCVP server configuration when it processed the request. See Section 6.4 for details.

服务器配置ID项表示处理请求时SCVP服务器配置的版本。详见第6.4节。

4.3. producedAt
4.3. 生产

The producedAt item tells the date and time at which the SCVP server generated the response. The producedAt item MUST be expressed in UTC, and it MUST be interpreted as defined in Section 3.2.7. This value is independent of the validation time.

producedAt项告诉SCVP服务器生成响应的日期和时间。产品数据项必须以UTC表示,并且必须按照第3.2.7节中的定义进行解释。此值与验证时间无关。

4.4. responseStatus
4.4. 反应状态

The responseStatus item gives status information to the SCVP client about its request. The responseStatus item has a numeric status code and an optional string that is a sequence of characters from the ISO/IEC 10646-1 character set encoded with the UTF-8 transformation format defined in [UTF8].

responseStatus项向SCVP客户端提供有关其请求的状态信息。responseStatus项具有一个数字状态代码和一个可选字符串,该字符串是ISO/IEC 10646-1字符集中的一个字符序列,该字符集使用[UTF8]中定义的UTF-8转换格式进行编码。

The string MAY be used to transmit status information. The client MAY choose to display the string to a human user. However, because there is often no way to know the languages understood by a human user, the string may be of little or no assistance.

该字符串可用于传输状态信息。客户端可以选择向用户显示字符串。但是,由于通常无法了解人类用户所理解的语言,因此字符串可能没有什么帮助。

The responseStatus item uses the ResponseStatus type, which has the following syntax:

responseStatus项使用responseStatus类型,该类型具有以下语法:

      ResponseStatus ::= SEQUENCE {
        statusCode            CVStatusCode DEFAULT  okay,
        errorMessage          UTF8String OPTIONAL }
        
      ResponseStatus ::= SEQUENCE {
        statusCode            CVStatusCode DEFAULT  okay,
        errorMessage          UTF8String OPTIONAL }
        
      CVStatusCode ::= ENUMERATED {
        okay                               (0),
        skipUnrecognizedItems              (1),
        tooBusy                           (10),
        invalidRequest                    (11),
        internalError                     (12),
        badStructure                      (20),
        unsupportedVersion                (21),
        abortUnrecognizedItems            (22),
        unrecognizedSigKey                (23),
        badSignatureOrMAC                 (24),
        unableToDecode                    (25),
        notAuthorized                     (26),
        unsupportedChecks                 (27),
        unsupportedWantBacks              (28),
        unsupportedSignatureOrMAC         (29),
        invalidSignatureOrMAC             (30),
        protectedResponseUnsupported      (31),
        unrecognizedResponderName         (32),
        relayingLoop                      (40),
        unrecognizedValPol                (50),
        
      CVStatusCode ::= ENUMERATED {
        okay                               (0),
        skipUnrecognizedItems              (1),
        tooBusy                           (10),
        invalidRequest                    (11),
        internalError                     (12),
        badStructure                      (20),
        unsupportedVersion                (21),
        abortUnrecognizedItems            (22),
        unrecognizedSigKey                (23),
        badSignatureOrMAC                 (24),
        unableToDecode                    (25),
        notAuthorized                     (26),
        unsupportedChecks                 (27),
        unsupportedWantBacks              (28),
        unsupportedSignatureOrMAC         (29),
        invalidSignatureOrMAC             (30),
        protectedResponseUnsupported      (31),
        unrecognizedResponderName         (32),
        relayingLoop                      (40),
        unrecognizedValPol                (50),
        

unrecognizedValAlg (51), fullRequestInResponseUnsupported (52), fullPolResponseUnsupported (53), inhibitPolicyMappingUnsupported (54), requireExplicitPolicyUnsupported (55), inhibitAnyPolicyUnsupported (56), validationTimeUnsupported (57), unrecognizedCritQueryExt (63), unrecognizedCritRequestExt (64) }

unrecognizedValAlg(51)、fullRequestInResponseUnsupported(52)、fullPolResponseUnsupported(53)、inhibitPolicyMappingUnsupported(54)、RequiredExplicitPolicyUnsupported(55)、inhibitAnyPolicyUnsupported(56)、validationTimeUnsupported(57)、UnrecognizedCritQueryText(63)、UnrecognizedCritRequestText(64)}

The CVStatusCode values have the following meaning:

CVStatusCode值具有以下含义:

0 The request was fully processed. 1 The request included some unrecognized non-critical extensions; however, processing was able to continue ignoring them. 10 Too busy; try again later. 11 The server was able to decode the request, but there was some other problem with the request. 12 An internal server error occurred. 20 The structure of the request was wrong. 21 The version of request is not supported by this server. 22 The request included unrecognized items, and the server was not able to continue processing. 23 The server could not validate the key used to protect the request. 24 The signature or message authentication code did not match the body of the request. 25 The encoding was not understood. 26 The request was not authorized. 27 The request included unsupported checks items, and the server was not able to continue processing. 28 The request included unsupported wantBack items, and the server was not able to continue processing. 29 The server does not support the signature or message authentication code algorithm used by the client to protect the request. 30 The server could not validate the client's signature or message authentication code on the request. 31 The server could not generate a protected response as requested by the client. 32 The server does not have a certificate matching the requested responder name. 40 The request was previously relayed by the same server. 50 The request contained an unrecognized validation policy reference. 51 The request contained an unrecognized validation algorithm OID. 52 The server does not support returning the full request in the response.

0请求已完全处理。1该请求包括一些未识别的非关键扩展;但是,处理过程能够继续忽略它们。10太忙;请稍后再试。11服务器能够解码该请求,但该请求存在其他一些问题。12发生内部服务器错误。20请求的结构是错误的。21此服务器不支持请求的版本。22请求包含无法识别的项目,服务器无法继续处理。23服务器无法验证用于保护请求的密钥。24签名或消息身份验证代码与请求正文不匹配。25编码不清楚。26该请求未获批准。27请求包含不受支持的检查项目,服务器无法继续处理。28请求包含不受支持的wantBack项目,服务器无法继续处理。29服务器不支持客户端用于保护请求的签名或消息身份验证代码算法。30服务器无法在请求上验证客户端的签名或消息身份验证代码。31服务器无法生成客户端请求的受保护响应。32服务器没有与请求的响应程序名称匹配的证书。40该请求先前由同一服务器转发。50该请求包含无法识别的验证策略引用。51该请求包含无法识别的验证算法OID。52服务器不支持在响应中返回完整请求。

53 The server does not support returning the full validation policy by value in the response. 54 The server does not support the requested value for inhibit policy mapping. 55 The server does not support the requested value for require explicit policy. 56 The server does not support the requested value for inhibit anyPolicy. 57 The server only validates requests using current time. 63 The query item in the request contains a critical extension whose OID is not recognized. 64 The request contains a critical request extension whose OID is not recognized.

53服务器不支持在响应中按值返回完整验证策略。54服务器不支持禁止策略映射的请求值。55服务器不支持要求显式策略的请求值。56服务器不支持策略的请求值。57服务器仅使用当前时间验证请求。63请求中的查询项包含无法识别其OID的关键扩展名。64该请求包含一个关键请求扩展,其OID无法识别。

Status codes 0-9 are reserved for codes that indicate the request was processed by the server and therefore MUST be sent in a success response. Status codes 10 and above indicate an error and MUST therefore be sent in an error response.

状态代码0-9保留用于指示请求已由服务器处理,因此必须在成功响应中发送的代码。状态代码10及以上表示错误,因此必须在错误响应中发送。

4.5. respValidationPolicy
4.5. 响应验证策略

The respValidationPolicy item contains either a reference to the full validation policy or the full policy by value used by the server to validate the request. It MUST be present in success responses and MUST NOT be present in error responses. The choice between returning the policy by reference or by value is controlled by the responseValidationPolByRef item in the request. The resultant validation policy is the union of the following:

respValidationPolicy项包含对服务器用于验证请求的完整验证策略或完整策略by值的引用。它必须出现在成功响应中,而不能出现在错误响应中。通过引用或通过值返回策略之间的选择由请求中的responseValidationPolByRef项控制。结果验证策略是以下各项的联合:

1. Values from the request.

1. 请求中的值。

2. For values that are not explicitly included in the request, values from the validation policy specified by reference in the request.

2. 对于未明确包含在请求中的值,请使用请求中引用指定的验证策略中的值。

The RespValidationPolicy syntax is:

RespValidationPolicy语法为:

      RespValidationPolicy ::= ValidationPolicy
        
      RespValidationPolicy ::= ValidationPolicy
        

The validationPolicy item is defined in Section 3.2.4. When responseValidationPolByRef is set to FALSE in the request, all items in the validationPolicy item MUST be populated. When responseValidationPolByRef is set to TRUE, OPTIONAL items in the validationPolicy item only need to be populated for items for which the value in the request differs from the value from the referenced validation policy.

validationPolicy项在第3.2.4节中定义。在请求中将responseValidationPolByRef设置为FALSE时,必须填充validationPolicy项中的所有项。当responseValidationPolByRef设置为TRUE时,validationPolicy项中的可选项只需要为请求中的值与引用的验证策略中的值不同的项填充。

Conforming SCVP clients MUST be capable of processing the validation policy by reference. SCVP clients MAY be capable of processing the optional items in the validation policy.

合格的SCVP客户必须能够通过引用处理验证策略。SCVP客户端可能能够处理验证策略中的可选项。

Conforming SCVP server implementations MUST be capable of asserting the policy by reference, and MUST be capable of including the optional items.

符合要求的SCVP服务器实现必须能够通过引用断言策略,并且必须能够包括可选项。

4.6. requestRef
4.6. 请求参考

The requestRef item allows the SCVP client to identify the request that corresponds to this response from the server. It associates the response to a particular request using either a hash of the request or a copy of CVRequest from the request.

requestRef项允许SCVP客户端识别与来自服务器的此响应相对应的请求。它使用请求的散列或来自请求的CVRequest的副本将响应与特定请求相关联。

The requestRef item does not provide authentication, but does allow the client to determine that the request was not maliciously modified.

requestRef项不提供身份验证,但允许客户端确定请求未被恶意修改。

The requestRef item allows the client to associate a response with a request. The requestNonce provides an alternative mechanism for matching requests and responses. When the fullRequest alternative is used, the response provides a single data structure that is suitable for archive of the transaction.

requestRef项允许客户端将响应与请求相关联。requestNonce为匹配请求和响应提供了另一种机制。当使用fullRequest替代方案时,响应将提供一个适合事务存档的单一数据结构。

The requestRef item uses the RequestReference type, which has the following syntax:

requestRef项使用RequestReference类型,该类型具有以下语法:

      RequestReference ::= CHOICE {
        requestHash       [0] HashValue, -- hash of CVRequest
        fullRequest       [1] CVRequest }
        
      RequestReference ::= CHOICE {
        requestHash       [0] HashValue, -- hash of CVRequest
        fullRequest       [1] CVRequest }
        

SCVP clients MUST support requestHash, and they MAY support fullRequest. SCVP servers MUST support using requestHash, and they SHOULD support using fullRequest.

SCVP客户端必须支持requestHash,并且可以支持fullRequest。SCVP服务器必须支持使用requestHash,并且应该支持使用fullRequest。

4.6.1. requestHash
4.6.1. 请求哈希

The requestHash item is the hash of the CVRequest. The one-way hash function used to compute the hash of the CVRequest is as specified in Section 3.9. The requestHash item serves two purposes. First, it allows a client to determine that the request was not maliciously modified. Second, it allows the client to associate a response with a request when using connectionless protocols. The requestNonce provides an alternative mechanism for matching requests and responses.

requestHash项是CVRequest的哈希。用于计算CVRequest哈希的单向哈希函数如第3.9节所述。requestHash项有两个用途。首先,它允许客户端确定请求没有被恶意修改。其次,它允许客户端在使用无连接协议时将响应与请求关联起来。requestNonce为匹配请求和响应提供了另一种机制。

The requestHash item uses the HashValue type, which has the following syntax:

requestHash项使用HashValue类型,该类型具有以下语法:

      HashValue ::= SEQUENCE {
        algorithm       AlgorithmIdentifier DEFAULT { algorithm sha-1 },
        value           OCTET STRING }
        
      HashValue ::= SEQUENCE {
        algorithm       AlgorithmIdentifier DEFAULT { algorithm sha-1 },
        value           OCTET STRING }
        
      sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
          oiw(14) secsig(3) algorithm(2) 26 }
        
      sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
          oiw(14) secsig(3) algorithm(2) 26 }
        

The algorithm identifier for SHA-1 is imported from [PKIX-ALG]. It is repeated here for convenience.

SHA-1的算法标识符从[PKIX-ALG]导入。为了方便起见,这里重复这一点。

4.6.2. fullRequest
4.6.2. 完整请求

Like requestHash, the fullRequest alternative allows a client to determine that the request was not maliciously modified. It also provides a single data structure that is suitable for archive of the transaction.

与requestHash一样,fullRequest替代方案允许客户端确定请求未被恶意修改。它还提供了一个适合于事务归档的单一数据结构。

The fullRequest item uses the CVRequest type. The syntax and semantics of the CVRequest type are described in Section 3.

fullRequest项使用CVRequest类型。CVRequest类型的语法和语义在第3节中描述。

4.7. requestorRef
4.7. 请求者引用

The optional requestorRef item is used by the client to identify the original requestor in cases where SCVP relay is used. The value is only of local significance to the client. If the SCVP client includes a requestorRef value in the request, then the SCVP server MUST return the same value if the server is generating a non-cached response.

在使用SCVP中继的情况下,客户端使用可选的requestorRef项来标识原始请求者。该值仅对客户具有本地意义。如果SCVP客户端在请求中包含requestorRef值,则如果服务器正在生成非缓存响应,则SCVP服务器必须返回相同的值。

4.8. requestorName
4.8. 请求者名称

The optional requestorName item is used by the server to return one or more identities associated with the client in the response.

服务器使用可选的requestorName项返回响应中与客户端关联的一个或多个标识。

The SCVP server MAY choose to include any or all of the following:

SCVP服务器可以选择包括以下任何或所有内容:

(1) the identity asserted by the client in the requestorName item of the request,

(1) 客户端在请求的requestorName项中声明的标识,

(2) an authenticated identity for the client from a certificate or other credential used to authenticate the request, or

(2) 来自用于验证请求的证书或其他凭据的客户端身份验证,或

(3) a client identifier from an out-of-band mechanism.

(3) 来自带外机制的客户端标识符。

Alternatively, the SCVP server MAY omit this item.

或者,SCVP服务器可以省略此项。

In the case of non-cached responses to authenticated requests, the SCVP server SHOULD return a requestor name.

对于未缓存的对经过身份验证的请求的响应,SCVP服务器应返回请求者名称。

SCVP servers that support authenticated requests SHOULD support this item.

支持已验证请求的SCVP服务器应支持此项。

SCVP clients MUST be able to process responses that include this item, although the item value might not impact the processing in any manner.

SCVP客户端必须能够处理包含此项的响应,尽管项值可能不会以任何方式影响处理。

4.9. replyObjects
4.9. 答复对象

The replyObjects item returns requested objects to the SCVP client, each of which tells the client about a single certificate from the request. The replyObjects item MUST be present in the response, unless the response is reporting an error. The CertReply item MUST contain cert, replyStatus, replyValTime, replyChecks, and replyWantBacks items, and the CertReply item MAY contain the validationErrors, nextUpdate, and certReplyExtensions items.

replyObjects项将请求的对象返回给SCVP客户端,每个对象都告诉客户端来自请求的单个证书。除非响应报告错误,否则响应中必须存在replyObjects项。CertReply项必须包含cert、replyStatus、replyValTime、replyChecks和ReplyHandbacks项,CertReply项可能包含validationErrors、nextUpdate和certReplyExtensions项。

A success response MUST contain one CertReply for each certificate specified in the queriedCerts item in the request. The order is important. The first CertReply in the sequence MUST correspond to the first certificate in the request, the second CertReply in the sequence MUST correspond to the second certificate in the request, and so on.

对于请求中queriedCerts项中指定的每个证书,成功响应必须包含一个CertReply。订单很重要。序列中的第一个CertReply必须对应于请求中的第一个证书,序列中的第二个CertReply必须对应于请求中的第二个证书,依此类推。

The checks item in the request determines the content of the replyChecks item in the response. The wantBack item in the request determines the content of the replyWantBacks item in the response. The queryExtensions items in the request controls the absence or the presence and content of the certReplyExtensions item in the response.

请求中的checks项确定响应中replyChecks项的内容。请求中的wantBack项确定响应中replyWantBacks项的内容。请求中的queryExtensions项控制响应中certReplyExtensions项的不存在或存在以及内容。

The replyObjects item uses the ReplyObjects type, which has the following syntax:

replyObjects项使用replyObjects类型,该类型具有以下语法:

      ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply
        
      ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply
        
      CertReply ::= SEQUENCE {
        cert                       CertReference,
        replyStatus                ReplyStatus DEFAULT success,
        replyValTime               GeneralizedTime,
        replyChecks                ReplyChecks,
        replyWantBacks             ReplyWantBacks,
        validationErrors       [0] SEQUENCE SIZE (1..MAX) OF
                                     OBJECT IDENTIFIER OPTIONAL,
        nextUpdate             [1] GeneralizedTime OPTIONAL,
        certReplyExtensions    [2] Extensions OPTIONAL }
        
      CertReply ::= SEQUENCE {
        cert                       CertReference,
        replyStatus                ReplyStatus DEFAULT success,
        replyValTime               GeneralizedTime,
        replyChecks                ReplyChecks,
        replyWantBacks             ReplyWantBacks,
        validationErrors       [0] SEQUENCE SIZE (1..MAX) OF
                                     OBJECT IDENTIFIER OPTIONAL,
        nextUpdate             [1] GeneralizedTime OPTIONAL,
        certReplyExtensions    [2] Extensions OPTIONAL }
        
4.9.1. cert
4.9.1. 证书

The cert item contains either the certificate or a reference to the certificate about which the client is requesting information. If the certificate was specified by reference in the request, the request included either the id-swb-pkc-cert or id-swb-aa-cert wantBack, and the server was able to obtain the referenced certificate, then this item MUST include the certificate. Otherwise, this item MUST include the same value as was used in the queriedCerts item in the request.

证书项包含证书或对客户端请求信息的证书的引用。如果在请求中通过引用指定了证书,则请求包含id swb pkc cert或id swb aa cert wantBack,并且服务器能够获得引用的证书,则此项必须包含证书。否则,此项必须包含与请求中queriedCerts项中使用的值相同的值。

CertReference has the following syntax:

CertReference具有以下语法:

      CertReference ::= CHOICE {
        pkc                   PKCReference,
        ac                    ACReference }
        
      CertReference ::= CHOICE {
        pkc                   PKCReference,
        ac                    ACReference }
        
4.9.2. replyStatus
4.9.2. 回复状态

The replyStatus item gives status information to the client about the request for the specific certificate. Note that the responseStatus item is different from the replyStatus item. The responseStatus item is the status of the whole request, while the replyStatus item is the status for the individual query item.

replyStatus项向客户端提供有关特定证书请求的状态信息。请注意,responseStatus项与replyStatus项不同。responseStatus项是整个请求的状态,而replyStatus项是单个查询项的状态。

The replyStatus item uses the ReplyStatus type, which has the following syntax:

replyStatus项使用replyStatus类型,该类型具有以下语法:

      ReplyStatus ::= ENUMERATED {
          success                    (0),
          malformedPKC               (1),
          malformedAC                (2),
          unavailableValidationTime  (3),
          referenceCertHashFail      (4),
          certPathConstructFail      (5),
          certPathNotValid           (6),
          certPathNotValidNow        (7),
          wantBackUnsatisfied        (8) }
        
      ReplyStatus ::= ENUMERATED {
          success                    (0),
          malformedPKC               (1),
          malformedAC                (2),
          unavailableValidationTime  (3),
          referenceCertHashFail      (4),
          certPathConstructFail      (5),
          certPathNotValid           (6),
          certPathNotValidNow        (7),
          wantBackUnsatisfied        (8) }
        

The meanings of the various ReplyStatus values are:

各种ReplyStatus值的含义如下:

0 Success: all checks were performed successfully. 1 Failure: the public key certificate was malformed. 2 Failure: the attribute certificate was malformed. 3 Failure: historical data for the requested validation time is not available. 4 Failure: the server could not locate the reference certificate or the referenced certificate did not match the hash value provided. 5 Failure: no certification path could be constructed.

0成功:已成功执行所有检查。1失败:公钥证书格式不正确。2失败:属性证书的格式不正确。3失败:请求的验证时间的历史数据不可用。4失败:服务器找不到引用证书或引用的证书与提供的哈希值不匹配。5失败:无法构造任何证书路径。

6 Failure: the constructed certification path is not valid with respect to the validation policy. 7 Failure: the constructed certification path is not valid with respect to the validation policy, but a query at a later time may be successful. 8 Failure: all checks were performed successfully; however, one or more of the wantBacks could not be satisfied.

6失败:构造的证书路径对于验证策略无效。7失败:构造的证书路径对于验证策略无效,但稍后的查询可能会成功。8失败:所有检查均成功执行;但是,无法满足一个或多个WantBack。

Codes 1 and 2 are used to tell the client that the request was properly formed, but the certificate in question was not. This is especially useful to clients that do not parse certificates.

代码1和2用于告知客户机请求的格式正确,但相关证书的格式不正确。这对于不解析证书的客户端特别有用。

Code 7 is used to tell the client that a valid certification path was found with the exception that a certificate in the path is on hold, current revocation information is unavailable, or the validation time precedes the notBefore time in one or more certificates in the path.

代码7用于告诉客户端找到了有效的证书路径,但路径中的证书处于保留状态、当前吊销信息不可用或路径中的一个或多个证书的验证时间早于notBefore时间除外。

For codes 1, 2, 3, and 4, the replyChecks and replyWantBacks items are not populated (i.e., they MUST be an empty sequence). For codes 5, 6, 7, and 8, replyChecks MUST include an entry corresponding to each check in the request; the replyWantBacks item is not populated.

对于代码1、2、3和4,不填充replyChecks和replyWantBacks项(即,它们必须是空序列)。对于代码5、6、7和8,replyChecks必须包含与请求中的每个检查对应的条目;未填充replyWantBacks项。

4.9.3. replyValTime
4.9.3. 答复时间

The replyValTime item tells the time at which the information in the CertReply was correct. The replyValTime item represents the date and time in UTC, using GeneralizedTime type. The encoding rules for GeneralizedTime in Section 3.2.7 MUST be used.

replyValTime项表示CertReply中信息正确的时间。replyValTime项使用GeneralizedTime类型表示UTC中的日期和时间。必须使用第3.2.7节中的GeneratedTime编码规则。

Within the request, the optional validationTime item tells the date and time relative to which the SCVP client wants the server to perform the checks. If the validationTime is not present, the server MUST respond as if the client provided the date and time at which the server processes the request.

在请求中,可选的validationTime项告诉SCVP客户端希望服务器执行检查的日期和时间。如果validationTime不存在,服务器必须做出响应,就像客户端提供了服务器处理请求的日期和时间一样。

The information in the CertReply item MUST be formatted as if the server created this portion of the response at the time indicated in the validationTime item of the query. However, if the server does not have appropriate historical information, the server MAY either return an error or return information for a later time.

CertReply项中的信息的格式必须与服务器在查询的validationTime项中指示的时间创建响应的这一部分一样。但是,如果服务器没有适当的历史信息,服务器可能会返回错误或稍后返回信息。

4.9.4. replyChecks
4.9.4. 答复检查

The replyChecks item contains the responses to the checks item in the query. The replyChecks item includes the object identifier (OID) from the query and an integer. The value of the integer indicates whether the requested check was successful. The OIDs in the checks item of the query are used to identify the corresponding replyChecks

replyChecks项包含对查询中的checks项的响应。replyChecks项包括查询中的对象标识符(OID)和一个整数。整数的值指示请求的检查是否成功。查询检查项中的OID用于标识相应的replyChecks

values. Each OID specified in the checks item in the request MUST be matched by an OID in the replyChecks item of the response. In the case of an error response, the server MAY include additional checks in the response to further explain the error. Clients MUST ignore any unrecognized ReplyCheck included in the response.

价值观请求中检查项中指定的每个OID必须与响应的replyChecks项中的OID匹配。在错误响应的情况下,服务器可以在响应中包括额外的检查以进一步解释错误。客户端必须忽略响应中包含的任何无法识别的ReplyCheck。

The replyChecks item uses the ReplyChecks type, which has the following syntax:

replyChecks项使用replyChecks类型,该类型具有以下语法:

      ReplyChecks ::= SEQUENCE OF ReplyCheck
        
      ReplyChecks ::= SEQUENCE OF ReplyCheck
        
      ReplyCheck ::= SEQUENCE {
        check                      OBJECT IDENTIFIER,
        status                     INTEGER DEFAULT 0 }
        
      ReplyCheck ::= SEQUENCE {
        check                      OBJECT IDENTIFIER,
        status                     INTEGER DEFAULT 0 }
        

The status value for public key certification path building to a trusted root, { id-stc 1 }, can be one of the following:

生成到受信任根{id stc 1}的公钥证书路径的状态值可以是以下值之一:

0: Built a path 1: Could not build a path

0:生成了路径1:无法生成路径

The status value for public key certification path building to a trusted root along with simple validation processing, { id-stc 2 }, can be one of the following:

生成到受信任根目录的公钥证书路径以及简单验证处理的状态值{id stc 2}可以是以下值之一:

0: Valid 1: Not valid

0:有效1:无效

The status value for public key certification path building to a trusted root along with complete status checking, { id-stc 3 }, can be one of the following:

生成到受信任根目录的公钥证书路径以及完整状态检查的状态值{id stc 3}可以是以下值之一:

0: Valid 1: Not valid 2: Revocation off-line 3: Revocation unavailable 4: No known source for revocation information

0:有效1:无效2:吊销脱机3:吊销不可用4:吊销信息的来源未知

Revocation off-line means that the server or distribution point for the revocation information was connected to successfully without a network error but either no data was returned or if data was returned it was stale. Revocation unavailable means that a network error was returned when an attempt was made to reach the server or distribution point. No known source for revocation information means that the server was able to build a valid certification path but was unable to locate a source for revocation information for one or more certificates in the path.

撤销离线意味着撤销信息的服务器或分发点已成功连接,没有网络错误,但未返回任何数据,或者如果返回数据,则数据已过时。吊销不可用意味着在尝试访问服务器或分发点时返回网络错误。没有已知的吊销信息源表示服务器能够构建有效的证书路径,但无法找到路径中一个或多个证书的吊销信息源。

The status value for AC issuer certification path building to a trusted root, { id-stc 4 }, can be one of the following:

生成到受信任根{id stc 4}的AC颁发者证书路径的状态值可以是以下值之一:

0: Built a path 1: Could not build a path

0:生成了路径1:无法生成路径

The status value for AC issuer certification path building to a trusted root along with simple validation processing, { id-stc 5 }, can be one of the following:

生成到受信任根的AC颁发者证书路径以及简单验证处理的状态值{id stc 5}可以是以下值之一:

0: Valid 1: Not valid

0:有效1:无效

The status value for AC issuer certification path building to a trusted root along with complete status checking, { id-stc 6 }, can be one of the following:

生成到受信任根的AC颁发者证书路径以及完整状态检查的状态值{id stc 6}可以是以下值之一:

0: Valid 1: Not valid 2: Revocation off-line 3: Revocation unavailable 4: No known source for revocation information

0:有效1:无效2:吊销脱机3:吊销不可用4:吊销信息的来源未知

The status value for revocation status checking of an AC as well as AC issuer certification path building to a trusted root along with complete status checking, { id-stc 7 }, can be one of the following:

AC的吊销状态检查以及AC颁发者证书路径生成到受信任根目录以及完整状态检查的状态值{id stc 7}可以是以下值之一:

0: Valid 1: Not valid 2: Revocation off-line 3: Revocation unavailable 4: No known source for revocation information

0:有效1:无效2:吊销脱机3:吊销不可用4:吊销信息的来源未知

4.9.5. replyWantBacks
4.9.5. 回信

The replyWantBacks item contains the responses to the wantBack item in the request. The replyWantBacks item includes the object identifier (OID) from the wantBack item in the request and an OCTET STRING. Within the OCTET STRING is the requested value. The OIDs in the wantBack item in the request are used to identify the corresponding reply value. The OIDs in the replyWantBacks item MUST match the OIDs in the wantBack item in the request. For a non-error response, replyWantBacks MUST include exactly one ReplyWantBack for each wantBack specified in the request (excluding id-swb-pkc-cert and id-swb-ac-cert, where the requested information is included in the cert item).

replyWantBacks项包含对请求中wantBack项的响应。replyWantBacks项包括请求中wantBack项的对象标识符(OID)和八位字节字符串。在八位字节字符串中是请求的值。请求中wantBack项中的OID用于标识相应的应答值。replyWantBacks项中的OID必须与请求中wantBack项中的OID匹配。对于非错误响应,对于请求中指定的每个wantBack,ReplyWantBack必须只包含一个ReplyWantBack(不包括id swb pkc证书和id swb ac证书,其中请求的信息包含在证书项中)。

The replyWantBacks item uses the ReplyWantBacks type, which has the following syntax:

replyWantBacks项使用replyWantBacks类型,该类型具有以下语法:

      ReplyWantBacks ::= SEQUENCE OF ReplyWantBack
        
      ReplyWantBacks ::= SEQUENCE OF ReplyWantBack
        
      ReplyWantBack::= SEQUENCE {
        wb                         OBJECT IDENTIFIER,
        value                      OCTET STRING }
        
      ReplyWantBack::= SEQUENCE {
        wb                         OBJECT IDENTIFIER,
        value                      OCTET STRING }
        

The OCTET STRING value for the certification path used to verify the certificate in the request, { id-swb 1 }, contains the CertBundle type. The syntax and semantics of the CertBundle type are described in Section 3.2.8. This CertBundle includes all the certificates in the path, starting with the end certificate and ending with the certificate issued by the trust anchor.

用于验证请求{id swb 1}中的证书的证书路径的八位字节字符串值包含CertBundle类型。CertBundle类型的语法和语义如第3.2.8节所述。此CertBundle包括路径中的所有证书,从end证书开始,到trust anchor颁发的证书结束。

The OCTET STRING value for the proof of revocation status, { id-swb 2 }, contains the RevInfoWantBack type. The RevInfoWantBack type is a SEQUENCE of the RevocationInfos type and an optional CertBundle. The syntax and semantics of the RevocationInfos type are described in Section 3.2.9. The CertBundle MUST be included if any certificates required to validate the revocation information were not returned in the id-swb-pkc-best-cert-path or id-swb-pkc-all-cert-paths wantBack. The CertBundle MUST include all such certificates, but there are no ordering requirements.

吊销状态证明的八位字节字符串值{id swb 2}包含RevInfoWantBack类型。RevInfo WantBack类型是RevocationFos类型和可选CertBundle的序列。第3.2.9节描述了RevocationFos类型的语法和语义。如果id swb pkc best cert path或id swb pkc all cert path wantBack中未返回验证吊销信息所需的任何证书,则必须包含CertBundle。CertBundle必须包括所有此类证书,但没有订购要求。

      RevInfoWantBack ::= SEQUENCE {
        revocationInfo             RevocationInfos,
        extraCerts                 CertBundle OPTIONAL }
        
      RevInfoWantBack ::= SEQUENCE {
        revocationInfo             RevocationInfos,
        extraCerts                 CertBundle OPTIONAL }
        

The OCTET STRING value for the public key information, { id-swb 4 }, contains the SubjectPublicKeyInfo type. The syntax and semantics of the SubjectPublicKeyInfo type are described in [PKIX-1].

公钥信息的八位字节字符串值{id swb 4}包含SubjectPublicKeyInfo类型。主题PublicKeyInfo类型的语法和语义在[PKIX-1]中有描述。

The OCTET STRING value for the AC issuer certification path used to verify the certificate in the request, { id-swb 5 }, contains the CertBundle type. The syntax and semantics of the CertBundle type are described in Section 3.2.8. This CertBundle includes all the certificates in the path, beginning with the AC issuer certificate and ending with the certificate issued by the trust anchor.

用于验证请求{id swb 5}中的证书的AC颁发者证书路径的八位字节字符串值包含CertBundle类型。CertBundle类型的语法和语义如第3.2.8节所述。此CertBundle包括路径中的所有证书,从AC颁发者证书开始,到信任锚颁发的证书结束。

The OCTET STRING value for the proof of revocation status of the AC issuer certification path, { id-swb 6 }, contains the RevInfoWantBack type. The RevInfoWantBack type is a SEQUENCE of the RevocationInfos type and an optional CertBundle. The syntax and semantics of the RevocationInfos type are described in Section 3.2.9. The CertBundle

AC颁发者证书路径{id swb 6}的吊销状态证明的八位字节字符串值包含RevInfoWantBack类型。RevInfo WantBack类型是RevocationFos类型和可选CertBundle的序列。第3.2.9节描述了RevocationFos类型的语法和语义。证书包

MUST be included if any certificates required to validate the revocation information were not returned in the id-aa-cert-path wantBack. The CertBundle MUST include all such certificates, but there are no ordering requirements.

如果id aa证书路径wantBack中未返回验证吊销信息所需的任何证书,则必须包含。CertBundle必须包括所有此类证书,但没有订购要求。

The OCTET STRING value for the proof of revocation status of the attribute certificate, { id-swb 7 }, contains the RevInfoWantBack type. The RevInfoWantBack type is a SEQUENCE of the RevocationInfos type and an optional CertBundle. The syntax and semantics of the RevocationInfos type are described in Section 3.2.9. The CertBundle MUST be included if any certificates required to validate the revocation information were not returned in the id-swb-aa-cert-path wantBack. The CertBundle MUST include all such certificates, but there are no ordering requirements.

属性证书的吊销状态证明的八位字节字符串值{id swb 7}包含RevInfoWantBack类型。RevInfo WantBack类型是RevocationFos类型和可选CertBundle的序列。第3.2.9节描述了RevocationFos类型的语法和语义。如果id swb aa cert path wantBack中未返回验证吊销信息所需的任何证书,则必须包含CertBundle。CertBundle必须包括所有此类证书,但没有订购要求。

The OCTET STRING value for returning all paths, { id-swb 12 }, contains an ASN.1 type CertBundles, as defined below. The syntax and semantics of the CertBundle type are described in Section 3.2.8. Each CertBundle includes all the certificates in one path, starting with the end certificate and ending with the certificate issued by the trust anchor.

用于返回所有路径的八位字节字符串值{IDSWB12}包含ASN.1类型的CertBundles,定义如下。CertBundle类型的语法和语义如第3.2.8节所述。每个CertBundle包括一个路径中的所有证书,从end证书开始,到trust anchor颁发的证书结束。

      CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle
        
      CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle
        

The OCTET STRING value for relayed responses, { id-swb 9 }, contains an ASN.1 type SCVPResponses, as defined below. If the SCVP server used information obtained from other SCVP servers when generating this response, then SCVPResponses MUST include each of the SCVP responses received from those servers. If the SCVP server did not use information obtained from other SCVP servers when generating the response, then SCVPResponses MUST be an empty sequence.

中继响应的八位字节字符串值{IDSWB9}包含ASN.1类型的SCVPResponses,定义如下。如果SCVP服务器在生成此响应时使用了从其他SCVP服务器获得的信息,则SCVP响应必须包括从这些服务器接收到的每个SCVP响应。如果SCVP服务器在生成响应时未使用从其他SCVP服务器获得的信息,则SCVPResponses必须为空序列。

      SCVPResponses ::= SEQUENCE OF ContentInfo
        
      SCVPResponses ::= SEQUENCE OF ContentInfo
        

The OCTET STRING value for the proof of revocation status of the path's target certificate, { id-swb-13 }, contains the RevInfoWantBack type. The RevInfoWantBack type is a SEQUENCE of the RevocationInfos type and an optional CertBundle. The syntax and semantics of the RevocationInfos type are described in Section 3.2.9. The CertBundle MUST be included if any certificates required to validate the revocation information were not returned in the id-swb-pkc-best-cert-path or id-swb-pkc-all-cert-paths wantBack. The CertBundle MUST include all such certificates, but there are no ordering requirements.

路径的目标证书{id-swb-13}的吊销状态证明的八位字节字符串值包含revinfo-wantback类型。RevInfo WantBack类型是RevocationFos类型和可选CertBundle的序列。第3.2.9节描述了RevocationFos类型的语法和语义。如果id swb pkc best cert path或id swb pkc all cert path wantBack中未返回验证吊销信息所需的任何证书,则必须包含CertBundle。CertBundle必须包括所有此类证书,但没有订购要求。

The OCTET STRING value for the proof of revocation status of the intermediate certificates in the path, { id-swb 14 }, contains the RevInfoWantBack type. The RevInfoWantBack type is a SEQUENCE of the

路径{id swb 14}中中间证书吊销状态证明的八位字节字符串值包含RevInfoWantBack类型。REVINFOWNTBACK类型是

RevocationInfos type and an optional CertBundle. The syntax and semantics of the RevocationInfos type are described in Section 3.2.9. The CertBundle MUST be included if any certificates required to validate the revocation information were not returned in the id-swb-pkc-best-cert-path or id-swb-pkc-all-cert-paths wantBack. The CertBundle MUST include all such certificates, but there are no ordering requirements.

撤销FOS类型和可选CertBundle。第3.2.9节描述了RevocationFos类型的语法和语义。如果id swb pkc best cert path或id swb pkc all cert path wantBack中未返回验证吊销信息所需的任何证书,则必须包含CertBundle。CertBundle必须包括所有此类证书,但没有订购要求。

4.9.6. validationErrors
4.9.6. 验证错误

The validationErrors item MUST only be present in failure responses. If present, it MUST contain one or more OIDs representing the reason the validation failed (validation errors for the basic validation algorithm and name validation algorithm are defined in Sections 3.2.4.2.2 and 3.2.4.2.4). The validationErrors item SHOULD only be included when the replyStatus is 3, 5, 6, 7, or 8. SCVP servers are not required to specify all of the reasons that validation failed. SCVP clients MUST NOT assume that the OIDs included in validationErrors represent all of the validation errors for the certification path.

validationErrors项只能出现在故障响应中。如果存在,则必须包含一个或多个OID,表示验证失败的原因(第3.2.4.2.2节和第3.2.4.2.4节中定义了基本验证算法和名称验证算法的验证错误)。只有当replyStatus为3、5、6、7或8时,才应包括validationErrors项。SCVP服务器不需要指定验证失败的所有原因。SCVP客户端不得假设validationErrors中包含的OID代表认证路径的所有验证错误。

4.9.7. nextUpdate
4.9.7. 下一个日期

The nextUpdate item tells the time at which the server expects a refresh of information regarding the validity of the certificate to become available. The nextUpdate item is especially interesting if the certificate revocation status information is not available or the certificate is suspended. The nextUpdate item represents the date and time in UTC, using the GeneralizedTime type. The encoding rules for GeneralizedTime in Section 3.2.7 MUST be used.

nextUpdate项表示服务器希望刷新有关证书有效性的信息的时间。如果证书吊销状态信息不可用或证书已挂起,则nextUpdate项尤其有趣。nextUpdate项使用GeneralizedTime类型表示UTC中的日期和时间。必须使用第3.2.7节中的GeneratedTime编码规则。

4.9.8. certReplyExtensions
4.9.8. certReplyExtensions

The certReplyExtensions item contains the responses to the queryExtensions item in the request. The certReplyExtensions item uses the Extensions type defined in [PKIX-1]. The object identifiers (OIDs) in the queryExtensions item in the request are used to identify the corresponding reply values. The certReplyExtensions item, when present, contains a sequence of Extension items, each of which contains an extnID item, a critical item, and an extnValue item.

certReplyExtensions项包含对请求中queryExtensions项的响应。certReplyExtensions项使用[PKIX-1]中定义的扩展类型。请求中queryExtensions项中的对象标识符(OID)用于标识相应的应答值。certReplyExtensions项(如果存在)包含一系列扩展项,每个扩展项都包含一个extnID项、一个critical项和一个extnValue项。

The extnID item is an identifier for the extension. It contains the OID that names the extension, and it MUST match one of the OIDs in the queryExtensions item in the request.

extnID项是扩展的标识符。它包含命名扩展的OID,并且必须与请求中queryExtensions项中的一个OID匹配。

The critical item is a BOOLEAN, and it MUST be set to FALSE.

关键项是布尔值,必须设置为FALSE。

The extnValue item contains an OCTET STRING. Within the OCTET STRING is the extension value. An ASN.1 type is specified for each extension, identified by the associated extnID object identifier.

extnValue项包含一个八位字节字符串。在八进制字符串中是扩展值。为每个扩展指定ASN.1类型,由关联的extnID对象标识符标识。

4.10. respNonce
4.10. 响应

The respNonce item contains an identifier to bind the request to the response.

Responce项包含一个标识符,用于将请求绑定到响应。

If the client includes a requestNonce value in the request and the server is generating a specific non-cached response to the request then the server MUST return the same value in the response.

如果客户端在请求中包含requestNonce值,并且服务器正在生成对请求的特定非缓存响应,则服务器必须在响应中返回相同的值。

If the server is using a cached response to the request then it MUST omit the respNonce item.

如果服务器正在使用对请求的缓存响应,则必须省略respnce项。

If the server is returning a specific non-cached response to a request without a nonce, then the server MAY include a message-specific nonce. For digitally signed messages, the server MAY use the value of the message-digest attribute in the signedAttrs within SignerInfo of the request as the value in the respNonce item.

如果服务器对请求返回特定的非缓存响应而没有nonce,则服务器可能包括消息特定的nonce。对于数字签名的消息,服务器可以使用请求的SignerInfo中SignedAttr中的message digest属性的值作为Responce项中的值。

The requestNonce item uses the OCTET STRING type.

requestNonce项使用八位字节字符串类型。

Conforming client implementations MUST be able to process a response that includes this item. Conforming servers MUST support respNonce.

符合要求的客户端实现必须能够处理包含此项的响应。一致性服务器必须支持Responce。

4.11. serverContextInfo
4.11. 服务器上下文信息

The serverContextInfo item in a response is a mechanism for the server to pass some opaque context information to the client. If the client does not like the certification path returned, it can make a new query and pass along this context information.

响应中的serverContextInfo项是服务器向客户端传递一些不透明上下文信息的机制。如果客户端不喜欢返回的证书路径,它可以进行新的查询并传递此上下文信息。

Section 3.2.6 contains information about the client's usage of this item.

第3.2.6节包含有关客户使用该物品的信息。

The context information is opaque to the client, but it provides information to the server that ensures that a different certification path will be returned (if another one can be found). The context information could indicate the state of the server, or it could contain a sequence of hashes of certification paths that have already been returned to the client. The protocol does not dictate any structure or requirements for this item. However, implementers should review the Security Considerations section of this document before selecting a structure.

上下文信息对客户端来说是不透明的,但它向服务器提供信息,以确保返回不同的认证路径(如果可以找到另一个认证路径)。上下文信息可以指示服务器的状态,也可以包含已返回到客户端的证书路径的哈希序列。本协议未规定本项目的任何结构或要求。但是,在选择结构之前,实现者应该查看本文档的安全注意事项部分。

Servers that are incapable of returning additional paths MUST NOT include the serverContextInfo item in the response.

无法返回其他路径的服务器不得在响应中包含serverContextInfo项。

4.12. cvResponseExtensions
4.12. cvResponseExtensions

If present, the cvResponseExtensions item contains a sequence of extensions that extend the response. This specification does not define any extensions. The facility is provided to allow future specifications to extend SCVP. The syntax for Extensions is imported from [PKIX-1]. The cvResponseExtensions item, when present, contains a sequence of Extension items, each of which contains an extnID item, a critical item, and an extnValue item.

如果存在,cvResponseExtensions项包含扩展响应的扩展序列。本规范未定义任何扩展。提供该设施是为了允许将来的规范扩展SCVP。扩展的语法是从[PKIX-1]导入的。cvResponseExtensions项(如果存在)包含一系列扩展项,每个扩展项都包含一个extnID项、一个critical项和一个extnValue项。

The extnID item is an identifier for the extension. It contains the object identifier (OID) that names the extension.

extnID项是扩展的标识符。它包含命名扩展的对象标识符(OID)。

The critical item is a BOOLEAN. Each extension is designated as either critical (with a value of TRUE) or non-critical (with a value of FALSE). An SCVP client MUST reject the response if it encounters a critical extension it does not recognize; however, a non-critical extension MAY be ignored if it is not recognized.

关键项是布尔值。每个扩展都被指定为关键(值为TRUE)或非关键(值为FALSE)。如果遇到无法识别的关键扩展,SCVP客户端必须拒绝响应;但是,如果未识别非关键扩展,则可能会忽略它。

The extnValue item contains an OCTET STRING. Within the OCTET STRING is the extension value. An ASN.1 type is specified for each extension, identified by the associated extnID object identifier.

extnValue项包含一个八位字节字符串。在八进制字符串中是扩展值。为每个扩展指定ASN.1类型,由关联的extnID对象标识符标识。

4.13. requestorText
4.13. 请求文本

The requestorText item contains a text field supplied by the client.

requestorText项包含客户端提供的文本字段。

If the client includes a requestorText value in the request and the server is generating a specific non-cached response to the request, then the server MUST return the same value in the response.

如果客户端在请求中包含requestorText值,并且服务器正在生成对请求的特定非缓存响应,则服务器必须在响应中返回相同的值。

If the server is using a cached response to the request, then it MUST omit the requestorText item.

如果服务器正在使用对请求的缓存响应,则必须忽略requestorText项。

The requestNonce item uses the UTF8 string type.

requestNonce项使用UTF8字符串类型。

Conforming client implementations that support the requestorText item in requests (see Section 3.10) MUST be able to process a response that includes this item. Conforming servers MUST support requestorText in responses.

支持请求中requestorText项的一致性客户端实现(见第3.10节)必须能够处理包含该项的响应。一致性服务器必须在响应中支持requestorText。

4.14. SCVP Response Validation
4.14. SCVP响应验证

There are two mechanisms for validation of SCVP responses, one based on the client's knowledge of a specific SCVP server key and the other based on validation of the certificate corresponding to the private key used to protect the SCVP response.

有两种验证SCVP响应的机制,一种基于客户端对特定SCVP服务器密钥的了解,另一种基于验证与用于保护SCVP响应的私钥相对应的证书。

4.14.1. Simple Key Validation
4.14.1. 简单密钥验证

The simple key validation method is where the SCVP client has a local policy of one or more SCVP server keys that directly identify the set of valid SCVP servers. Mechanisms for storage of server keys or identifiers are a local matter. For example, a client could store cryptographic hashes of public keys used to verify SignedData responses. Alternatively, a client could store shared symmetric keys used to verify MACs in AuthenticatedData responses.

简单密钥验证方法是,SCVP客户端具有一个或多个SCVP服务器密钥的本地策略,这些密钥直接标识一组有效的SCVP服务器。服务器密钥或标识符的存储机制是本地事务。例如,客户端可以存储用于验证SignedData响应的公钥加密散列。或者,客户端可以在AuthenticatedData响应中存储用于验证MAC的共享对称密钥。

Simple key validation MUST be used by SCVP clients that cannot validate PKIX-1 certificates and are therefore making delegated path validation requests to the SCVP server [RQMTS]. It is a matter of local policy with these clients whether to use SignedData or AuthenticatedData. Simple key validation MAY be used by other SCVP clients for other reasons.

无法验证PKIX-1证书并因此向SCVP服务器[RQMTS]发出委托路径验证请求的SCVP客户端必须使用简单密钥验证。是否使用SignedData或AuthenticatedData是这些客户端的本地策略问题。由于其他原因,其他SCVP客户端可能会使用简单密钥验证。

4.14.2. SCVP Server Certificate Validation
4.14.2. SCVP服务器证书验证

It is a matter of local policy what validation policy the client uses when validating responses. When validating protected SCVP responses, SCVP clients SHOULD use the validation algorithm defined in Section 6 of [PKIX-1]. SCVP clients may impose additional limitations on the algorithm, such as limiting the number of certificates in the path or establishing initial name constraints, as specified in Section 6.2 of [PKIX-1].

客户端在验证响应时使用什么验证策略是本地策略的问题。验证受保护的SCVP响应时,SCVP客户端应使用[PKIX-1]第6节中定义的验证算法。SCVP客户端可能会对算法施加额外的限制,如限制路径中的证书数量或建立初始名称约束,如[PKIX-1]第6.2节所述。

If the certificate used to sign the validation policy responses and SignedData validation responses contains the key usage extension ([PKIX-1], Section 4.2.1.3), it MUST have either the digital signature bit set, the non-repudiation bit set, or both bits set.

如果用于对验证策略响应和SignedData验证响应进行签名的证书包含密钥使用扩展([PKIX-1],第4.2.1.3节),则必须设置数字签名位、不可否认位或同时设置这两个位。

If the certificate for AuthenticatedData validation responses contains the key usage extension, it MUST have the key agreement bit set.

如果AuthenticatedData验证响应的证书包含密钥使用扩展,则必须设置密钥协议位。

If the certificate used on a validation policy response or a validation response contains the extended key usage extension ([PKIX-1], Section 4.2.1.13), it MUST contain either the anyExtendedKeyUsage OID or the following OID:

如果验证策略响应或验证响应上使用的证书包含扩展密钥使用扩展([PKIX-1],第4.2.1.13节),则它必须包含anyExtendedKeyUsage OID或以下OID:

      id-kp-scvpServer             OBJECT IDENTIFIER ::= { id-kp 15 }
        
      id-kp-scvpServer             OBJECT IDENTIFIER ::= { id-kp 15 }
        
5. Server Policy Request
5. 服务器策略请求

An SCVP client uses the ValPolRequest item to request information about an SCVP server's policies and configuration information, including the list of validation policies supported by the SCVP server. When a ValPolRequest is encapsulated in a MIME body part, it MUST be carried in an application/scvp-vp-request MIME body part.

SCVP客户端使用ValPolRequest项请求有关SCVP服务器策略和配置信息的信息,包括SCVP服务器支持的验证策略列表。当ValPolRequest封装在MIME主体部分中时,它必须包含在应用程序/scvp请求MIME主体部分中。

The request consists of a ValPolRequest encapsulated in a ContentInfo. The client does not sign the request.

该请求由封装在ContentInfo中的ValPolRequest组成。客户端未对请求进行签名。

      ContentInfo {
        contentType        id-ct-scvp-valPolRequest,
                                      -- (1.2.840.113549.1.9.16.1.12)
        content            ValPolRequest }
        
      ContentInfo {
        contentType        id-ct-scvp-valPolRequest,
                                      -- (1.2.840.113549.1.9.16.1.12)
        content            ValPolRequest }
        

The ValPolRequest type has the following syntax:

ValPolRequest类型具有以下语法:

      ValPolRequest ::= SEQUENCE {
        vpRequestVersion           INTEGER DEFAULT 1,
        requestNonce               OCTET STRING }
        
      ValPolRequest ::= SEQUENCE {
        vpRequestVersion           INTEGER DEFAULT 1,
        requestNonce               OCTET STRING }
        

Conforming SCVP server implementations MUST recognize and process the server policy request. Conforming clients SHOULD support the server policy request.

符合要求的SCVP服务器实现必须识别并处理服务器策略请求。一致性客户端应支持服务器策略请求。

5.1. vpRequestVersion
5.1. vpRequestVersion

The syntax and semantics of vpRequestVersion are the same as cvRequestVersion as described in Section 3.1.

vpRequestVersion的语法和语义与第3.1节中描述的cvRequestVersion相同。

5.2. requestNonce
5.2. 请求时间

The requestNonce item contains a request identifier generated by the SCVP client. If the server returns a specific response, it MUST include the requestNonce from the request in the response, but the server MAY return a cached response, which MUST NOT include a requestNonce.

requestNonce项包含由SCVP客户端生成的请求标识符。如果服务器返回特定响应,则必须在响应中包含来自请求的requestNonce,但服务器可能会返回缓存响应,其中不得包含requestNonce。

6. Validation Policy Response
6. 验证策略响应

In response to a ValPolRequest, the SCVP server provides a ValPolResponse. The ValPolResponse may not be unique to any ValPolRequest, so may be reused by the server in response to multiple ValPolRequests. The ValPolResponse also has an indication of how frequently the ValPolResponse may be reissued. The server MUST sign the response using its digital signature certificate. When a ValPolResponse is encapsulated in a MIME body part, it MUST be carried in an application/scvp-vp-response MIME body part.

为了响应VALPOL请求,SCVP服务器提供VALPOL响应。ValPolResponse对于任何ValPolRequest都可能不是唯一的,因此服务器可能会在响应多个ValPolRequest时重用它。ValPolResponse还指示了ValPolResponse重新发布的频率。服务器必须使用其数字签名证书对响应进行签名。当ValPolResponse封装在MIME主体部分中时,它必须携带在应用程序/scvp响应MIME主体部分中。

The response consists of a ValPolResponse encapsulated in a SignedData, which is in turn encapsulated in a ContentInfo. That is, the EncapsulatedContentInfo field of SignedData consists of an eContentType field with a value of id-ct-scvp-valPolResponse (1.2.840.113549.1.9.16.1.13) and an eContent field that contains a DER-encoded ValPolResponse. The SCVP server MUST include its own certificate in the certificates field within SignedData, and the signerInfos field of SignedData MUST include exactly one SignerInfo. The SignedData MUST NOT include the unsignedAttrs field.

响应由封装在SignedData中的ValPolResponse组成,而SignedData又封装在ContentInfo中。也就是说,SignedData的封装ContentInfo字段由一个值为id ct scvp valPolResponse(1.2.840.113549.1.9.16.1.13)的eContentType字段和一个包含DER编码valPolResponse的eContent字段组成。SCVP服务器必须在SignedData的certificates字段中包含自己的证书,SignedData的signerInfos字段必须仅包含一个SignerInfo。SignedData不能包含unsignedAttrs字段。

The ValPolResponse type has the following syntax:

ValPolResponse类型具有以下语法:

      ValPolResponse ::= SEQUENCE {
        vpResponseVersion               INTEGER,
        maxCVRequestVersion             INTEGER,
        maxVPRequestVersion             INTEGER,
        serverConfigurationID           INTEGER,
        thisUpdate                      GeneralizedTime,
        nextUpdate                      GeneralizedTime OPTIONAL,
        supportedChecks                 CertChecks,
        supportedWantBacks              WantBack,
        validationPolicies              SEQUENCE OF OBJECT IDENTIFIER,
        validationAlgs                  SEQUENCE OF OBJECT IDENTIFIER,
        authPolicies                    SEQUENCE OF AuthPolicy,
        responseTypes                   ResponseTypes,
        defaultPolicyValues             RespValidationPolicy,
        revocationInfoTypes             RevocationInfoTypes,
        signatureGeneration             SEQUENCE OF AlgorithmIdentifier,
        signatureVerification           SEQUENCE OF AlgorithmIdentifier,
        hashAlgorithms                  SEQUENCE SIZE (1..MAX) OF
                                           OBJECT IDENTIFIER,
        serverPublicKeys                SEQUENCE OF KeyAgreePublicKey
                                           OPTIONAL,
        clockSkew                       INTEGER DEFAULT 10,
        requestNonce                    OCTET STRING OPTIONAL }
        
      ValPolResponse ::= SEQUENCE {
        vpResponseVersion               INTEGER,
        maxCVRequestVersion             INTEGER,
        maxVPRequestVersion             INTEGER,
        serverConfigurationID           INTEGER,
        thisUpdate                      GeneralizedTime,
        nextUpdate                      GeneralizedTime OPTIONAL,
        supportedChecks                 CertChecks,
        supportedWantBacks              WantBack,
        validationPolicies              SEQUENCE OF OBJECT IDENTIFIER,
        validationAlgs                  SEQUENCE OF OBJECT IDENTIFIER,
        authPolicies                    SEQUENCE OF AuthPolicy,
        responseTypes                   ResponseTypes,
        defaultPolicyValues             RespValidationPolicy,
        revocationInfoTypes             RevocationInfoTypes,
        signatureGeneration             SEQUENCE OF AlgorithmIdentifier,
        signatureVerification           SEQUENCE OF AlgorithmIdentifier,
        hashAlgorithms                  SEQUENCE SIZE (1..MAX) OF
                                           OBJECT IDENTIFIER,
        serverPublicKeys                SEQUENCE OF KeyAgreePublicKey
                                           OPTIONAL,
        clockSkew                       INTEGER DEFAULT 10,
        requestNonce                    OCTET STRING OPTIONAL }
        
      ResponseTypes  ::= ENUMERATED {
        cached-only                (0),
        non-cached-only            (1),
        cached-and-non-cached      (2) }
        
      ResponseTypes  ::= ENUMERATED {
        cached-only                (0),
        non-cached-only            (1),
        cached-and-non-cached      (2) }
        
      RevocationInfoTypes ::= BIT STRING {
        fullCRLs                   (0),
        deltaCRLs                  (1),
        indirectCRLs               (2),
        oCSPResponses              (3) }
        
      RevocationInfoTypes ::= BIT STRING {
        fullCRLs                   (0),
        deltaCRLs                  (1),
        indirectCRLs               (2),
        oCSPResponses              (3) }
        

SCVP clients that support validation policy requests MUST support validation policy responses. SCVP servers MUST support validation policy responses.

支持验证策略请求的SCVP客户端必须支持验证策略响应。SCVP服务器必须支持验证策略响应。

SCVP servers MUST support cached policy responses and MAY support specific responses to policy requests.

SCVP服务器必须支持缓存的策略响应,并且可能支持对策略请求的特定响应。

6.1. vpResponseVersion
6.1. VP响应外翻

The syntax and semantics of the vpResponseVersion item are the same as cvRequestVersion as described in Section 3.1. The vpResponseVersion used MUST be the same as the vpRequestVersion unless the client has used a value greater than the values the server supports. If the client submits a vpRequestVersion greater than the version supported by the server, the server MUST return a vpResponseVersion using the highest version number the server supports as the version number.

vpResponseVersion项的语法和语义与第3.1节中描述的cvRequestVersion相同。使用的vpResponseVersion必须与vpRequestVersion相同,除非客户端使用的值大于服务器支持的值。如果客户端提交的vpRequestVersion大于服务器支持的版本,则服务器必须使用服务器支持的最高版本号作为版本号返回vpResponseVersion。

6.2. maxCVRequestVersion
6.2. maxCVRequestVersion

The maxCVRequestVersion item defines the maximum version number for CV requests that the server supports.

maxCVRequestVersion项定义服务器支持的CV请求的最大版本号。

6.3. maxVPRequestVersion
6.3. maxVPRequestVersion

The maxVPRequestVersion item defines the maximum version number for VP requests that the server supports.

maxVPRequestVersion项定义服务器支持的VP请求的最大版本号。

6.4. serverConfigurationID
6.4. 服务器配置ID

The serverConfigurationID item is an integer that uniquely represents the version of the server configuration as represented by the validationPolicies, validationAlgs, authPolicies, defaultPolicyValues, and clockSkew. If any of these values change, the server MUST create a new ValPolResponse with a new serverConfigurationID. If the configuration has not changed, then the server may reuse serverConfigurationID across multiple

serverConfigurationID项是一个整数,它唯一地表示由ValidationPolicys、ValidationAgs、AuthPolicys、DefaultPolicyValue和clockSkew表示的服务器配置版本。如果这些值中的任何一个发生更改,服务器必须使用新的serverConfigurationID创建新的ValPolResponse。如果配置没有更改,则服务器可以跨多个服务器重用serverConfigurationID

ValPolResponse messages. However, if the server reverts to an earlier configuration, the server MUST NOT revert the configuration ID as well, but MUST select another unique value.

Valpol响应消息。但是,如果服务器恢复到以前的配置,则服务器也不能恢复配置ID,而必须选择另一个唯一值。

6.5. thisUpdate
6.5. 此更新

This item indicates the signing date and time of this policy response.

此项表示此策略响应的签名日期和时间。

GeneralizedTime values MUST be expressed in Greenwich Mean Time (Zulu) and interpreted as defined in Section 3.2.7.

广义时间值必须以格林威治平均时间(Zulu)表示,并按照第3.2.7节的定义进行解释。

6.6. nextUpdate and requestNonce
6.6. nextUpdate和requestNonce

These items are used to indicate whether policy responses are specific to policy requests. Where policy responses are cached, these items indicate when the information will be updated. The optional nextUpdate item indicates the time by which the next policy response will be published. The optional requestNonce item links the response to a specific request by returning the nonce provided in the request.

这些项目用于指示策略响应是否特定于策略请求。在缓存策略响应的位置,这些项指示信息将在何时更新。可选的nextUpdate项表示下一个策略响应将发布的时间。可选的requestNonce项通过返回请求中提供的nonce将响应链接到特定请求。

If the nextUpdate item is omitted, it indicates a non-cached response generated in response to a specific request (i.e., the ValPolResponse is bound to a specific request). If this item is omitted, the requestNonce item MUST be present and MUST include the requestNonce value from the request.

如果省略nextUpdate项,则表示响应特定请求而生成的非缓存响应(即,ValPolResponse绑定到特定请求)。如果省略此项,则requestNonce项必须存在,并且必须包含请求中的requestNonce值。

If the nextUpdate item is present, it indicates a cached response that is not bound to a specific request. An SCVP server MUST periodically generate a new response as defined by the next update time, but MAY use the same ValPolResponse to respond to multiple requests. The requestNonce is omitted if the nextUpdate item is present.

如果存在nextUpdate项,则表示未绑定到特定请求的缓存响应。SCVP服务器必须定期生成下一次更新时定义的新响应,但可以使用相同的ValPolResponse来响应多个请求。如果存在nextUpdate项,则会忽略requestNonce。

It is a matter of local server policy to return a cached or non-cached specific response.

返回缓存或非缓存的特定响应是本地服务器策略的问题。

GeneralizedTime values in nextUpdate MUST be expressed in Greenwich Mean Time (Zulu) as specified in Section 3.2.7.

nextUpdate中的广义时间值必须按照第3.2.7节的规定以格林威治标准时间(Zulu)表示。

6.7. supportedChecks
6.7. 支持支票

The supportedChecks item contains a sequence of object identifiers representing the checks supported by the server.

supportedChecks项包含一系列表示服务器支持的检查的对象标识符。

6.8. supportedWantBacks
6.8. 支持的WantBacks

The supportedWantBacks item contains a sequence of object identifiers representing the wantBacks supported by the server.

supportedWantBacks项包含一系列表示服务器支持的wantBacks的对象标识符。

6.9. validationPolicies
6.9. 验证策略

The validationPolicies item contains a sequence of object identifiers representing the validation policies supported by the server. It is a matter of local policy if the server wishes to process requests using the default validation policy, and if it does not, then it MUST NOT include the id-svp-defaultValPolicy in this list.

ValidationPolicys项包含一系列表示服务器支持的验证策略的对象标识符。如果服务器希望使用默认验证策略处理请求,则这是本地策略的问题,如果服务器不希望使用默认验证策略,则不能在此列表中包含id svp defaultValPolicy。

6.10. validationAlgs
6.10. 验证

The validationAlgs item contains a sequence of OIDs. Each OID identifies a validation algorithm supported by the server.

ValidationAgs项包含一系列OID。每个OID标识服务器支持的验证算法。

6.11. authPolicies
6.11. 授权政策

The authPolicies item contains a sequence of policy references for authenticating to the SCVP server.

AuthPolicys项包含一系列用于向SCVP服务器进行身份验证的策略引用。

The reference to the authentication policy is an OID that the client and server have agreed represents an authentication policy. The list of policies is intended to document to the client if authentication is required for some requests and if so how.

对身份验证策略的引用是一个OID,客户端和服务器已同意该OID表示身份验证策略。策略列表旨在向客户端记录某些请求是否需要身份验证以及如何进行身份验证。

      AuthPolicy ::=  OBJECT IDENTIFIER
        
      AuthPolicy ::=  OBJECT IDENTIFIER
        
6.12. responseTypes
6.12. 响应类型

The responseTypes item allows the server to publish the range of response types it supports. Cached only means the server will only return cached responses to requests. Non-cached only means the server will return a specific response to the request, i.e., containing the requestor's nonce. Both means that the server supports both cached and non-cached response types and will return either a cached or non- cached response, depending on the request.

ResponseType项允许服务器发布其支持的响应类型范围。Cached only表示服务器将只返回对请求的缓存响应。非缓存仅表示服务器将返回对请求的特定响应,即包含请求者的nonce。这两者都意味着服务器支持缓存和非缓存响应类型,并将根据请求返回缓存或非缓存响应。

6.13. revocationInfoTypes
6.13. 撤销类型

The revocationInfoTypes item allows the server to indicate the sources of revocation information that it is capable of processing. For each bit in the RevocationInfoTypes BIT STRING, the server MUST set the bit to one if it is capable of processing the corresponding revocation information type and to zero if it cannot.

revocationInfoTypes项允许服务器指示其能够处理的吊销信息的来源。对于RevocationFotypes位字符串中的每个位,如果服务器能够处理相应的吊销信息类型,则必须将该位设置为1;如果不能,则必须将其设置为0。

6.14. defaultPolicyValues
6.14. DefaultPolicyValue

This is the default validation policy used by the server. It contains a RespValidationPolicy, which is defined in Section 4.5. All OPTIONAL items in the validationPolicy item MUST be populated. A server will use these default values when the request references the default validation policy and the client does not override the default values by supplying other values in the request.

这是服务器使用的默认验证策略。它包含第4.5节中定义的RespValidationPolicy。必须填充validationPolicy项中的所有可选项。当请求引用默认验证策略时,服务器将使用这些默认值,并且客户端不会通过在请求中提供其他值来覆盖默认值。

This allows the client to optimize the request by omitting parameters that match the server default values.

这允许客户端通过省略与服务器默认值匹配的参数来优化请求。

6.15. signatureGeneration
6.15. 签名生成

This sequence specifies the set of digital signature algorithms supported by an SCVP server for signing CVResponse messages. Each digital signature algorithm is specified as an AlgorithmIdentifier, using the encoding rules associated with the signatureAlgorithm field in a public key certificate [PKIX-1]. Supported algorithms are defined in [PKIX-ALG] and [PKIX-ALG2], but other signature algorithms may also be supported.

此序列指定SCVP服务器支持的一组数字签名算法,用于签名CVResponse消息。使用与公钥证书[PKIX-1]中的signatureAlgorithm字段相关联的编码规则,将每个数字签名算法指定为算法标识符。[PKIX-ALG]和[PKIX-ALG2]中定义了支持的算法,但也可能支持其他签名算法。

By including an algorithm (e.g., RSA with SHA-1) in this list, the server states that it has a private key and corresponding certified public key for that asymmetric algorithm, and supports the specified hash algorithm. The list is ordered; the first digital signature algorithm is the server's default algorithm. The default algorithm will be used by the server to protect signed messages unless the client specifies another algorithm.

通过在此列表中包括一个算法(例如,带有SHA-1的RSA),服务器声明它拥有该非对称算法的私钥和相应的认证公钥,并支持指定的哈希算法。列表是有序的;第一个数字签名算法是服务器的默认算法。除非客户端指定其他算法,否则服务器将使用默认算法来保护签名消息。

For servers that do not have an on-line private key, and cannot sign CVResponse messages, the signatureGeneration item is encoded as an empty sequence.

对于没有联机私钥且无法对CVResponse消息签名的服务器,signatureGeneration项被编码为空序列。

6.16. signatureVerification
6.16. 签名化

This sequence specifies the set of digital signature algorithms that can be verified by this SCVP server. Each digital signature algorithm is specified as an AlgorithmIdentifier, using the encoding rules associated with the signatureAlgorithm field in a public key certificate [PKIX-1]. Supported algorithms are defined in [PKIX-ALG] and [PKIX-ALG2], but other signature algorithms may also be supported.

此序列指定可由此SCVP服务器验证的数字签名算法集。使用与公钥证书[PKIX-1]中的signatureAlgorithm字段相关联的编码规则,将每个数字签名算法指定为算法标识符。[PKIX-ALG]和[PKIX-ALG2]中定义了支持的算法,但也可能支持其他签名算法。

For servers that do not verify signatures on CVRequest messages, the signatureVerification item is encoded as an empty sequence.

对于不验证CVRequest消息上的签名的服务器,signatureVerification项被编码为空序列。

6.17. hashAlgorithms
6.17. 哈希算法

This sequence specifies the set of hash algorithms that the server can use to hash certificates and requests. The list is ordered; the first hash algorithm is the server's default algorithm. The default algorithm will be used by the server to compute hashes included in responses unless the client specifies another algorithm. Each hash algorithm is specified as an object identifier. [PKIX-ALG2] specifies object identifiers for SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Other hash algorithms may also be supported.

此序列指定服务器可用于哈希证书和请求的哈希算法集。列表是有序的;第一个哈希算法是服务器的默认算法。服务器将使用默认算法计算响应中包含的哈希值,除非客户端指定其他算法。每个哈希算法都指定为对象标识符。[PKIX-ALG2]指定SHA-1、SHA-224、SHA-256、SHA-384和SHA-512的对象标识符。也可以支持其他散列算法。

6.18. serverPublicKeys
6.18. 服务器公钥

The serverPublicKeys item is a sequence of one or more key agreement public keys and associated parameters. It is used by clients making AuthenticatedData requests to the server. Each item in the serverPublicKeys sequence is of the KeyAgreePublicKey type:

serverPublicKeys项是一个或多个密钥协议公钥和相关参数的序列。它由向服务器发出AuthenticatedData请求的客户端使用。serverPublicKeys序列中的每个项都属于KeyAgreePublicKey类型:

      KeyAgreePublicKey ::= SEQUENCE {
        algorithm            AlgorithmIdentifier,
        publicKey            BIT STRING,
        macAlgorithm         AlgorithmIdentifier,
        kDF                  AlgorithmIdentifier OPTIONAL }
        
      KeyAgreePublicKey ::= SEQUENCE {
        algorithm            AlgorithmIdentifier,
        publicKey            BIT STRING,
        macAlgorithm         AlgorithmIdentifier,
        kDF                  AlgorithmIdentifier OPTIONAL }
        

The KeyAgreePublicKey includes the algorithm identifier and the server's public key. SCVP servers that support the key agreement mode of AuthenticatedData for SCVP requests MUST support serverPublicKeys and the Diffie-Hellman key agreement algorithm as specified in [PKIX-ALG]. SCVP servers that support serverPublicKeys MUST support the 1024-bit Modular Exponential (MODP) group key (group 2) as defined in [IKE]. SCVP servers that support serverPublicKeys MAY support other Diffie-Hellman groups [IKE-GROUPS], as well as other key agreement algorithms.

KeyAgreePublicKey包括算法标识符和服务器的公钥。支持SCVP请求的AuthenticatedData密钥协议模式的SCVP服务器必须支持[PKIX-ALG]中规定的serverPublicKeys和Diffie-Hellman密钥协议算法。支持serverPublicKeys的SCVP服务器必须支持[IKE]中定义的1024位模块化指数(MODP)组密钥(组2)。支持服务器公钥的SCVP服务器可能支持其他Diffie-Hellman组[IKE-groups],以及其他密钥协商算法。

The macAlgorithm item specifies the symmetric algorithm the server expects the client to use with the result of the key agreement algorithm. A key derivation function (KDF), which derives symmetric key material from the key agreement result, may be implied by the macAlgorithm. Alternatively, the KDF may be explicitly specified using the optional kDF item.

macAlgorithm项指定服务器希望客户端使用的对称算法与密钥协商算法的结果。macAlgorithm可能隐含一个密钥派生函数(KDF),该函数从密钥协商结果派生对称密钥材料。或者,可以使用可选的KDF项显式指定KDF。

6.19. clockSkew
6.19. 时钟偏移

The clockSkew item is the number of minutes the server will allow for clock skew. The default value is 10 minutes.

clockSkew项是服务器允许时钟偏移的分钟数。默认值为10分钟。

7. SCVP Server Relay
7. 服务器中继

In some network environments, especially ones that include firewalls, an SCVP server might not be able to obtain all of the information that it needs to process a request. However, the server might be configured to use the services of one or more other SCVP servers to fulfill all requests. In such cases, the SCVP client is unaware that the initial SCVP server is using the services of other SCVP servers. The initial SCVP server acts as a client to another SCVP server. Unlike the original client, the SCVP server is expected to have moderate computing and memory resources. This section describes SCVP server-to-SCVP server exchanges. This section does not impose any requirements on SCVP clients that are not also SCVP servers. Further, this section does not impose any requirements on SCVP servers that do not relay requests to other SCVP servers.

在某些网络环境中,尤其是包含防火墙的网络环境中,SCVP服务器可能无法获取处理请求所需的所有信息。但是,服务器可能被配置为使用一个或多个其他SCVP服务器的服务来满足所有请求。在这种情况下,SCVP客户端不知道初始SCVP服务器正在使用其他SCVP服务器的服务。初始SCVP服务器充当另一个SCVP服务器的客户端。与原始客户端不同,SCVP服务器应具有适度的计算和内存资源。本节介绍SCVP服务器到SCVP服务器的交换。本节不会对不同时也是SCVP服务器的SCVP客户端施加任何要求。此外,本节不会对不将请求中继到其他SCVP服务器的SCVP服务器施加任何要求。

When one SCVP server relays a request to another server, in an incorrectly configured system of servers, it is possible that the same request will be relayed back again. Any SCVP server that relays requests MUST implement the conventions described in this section to detect and break loops.

当一台SCVP服务器将请求中继到另一台服务器时,在配置不正确的服务器系统中,可能会再次中继相同的请求。任何中继请求的SCVP服务器都必须实现本节所述的约定,以检测和中断环路。

When an SCVP server relays a request, the request MUST include the requestorRef item. If the request to be relayed already contains a requestorRef item, then the server-generated request MUST contain a requestorRef item constructed from this value and an additional GeneralName that contains an identifier of the SCVP server. If the request to be relayed does not contain a requestorRef item, then the server-generated request MUST contain a requestorRef item that includes a GeneralName that contains an identifier of the SCVP server.

当SCVP服务器中继请求时,该请求必须包括requestorRef项。如果要中继的请求已包含requestorRef项,则服务器生成的请求必须包含由该值构造的requestorRef项和包含SCVP服务器标识符的附加通用名称。如果要中继的请求不包含requestorRef项,则服务器生成的请求必须包含requestorRef项,该项包括包含SCVP服务器标识符的通用名称。

To prevent false loop detection, servers should use identifiers that are unique within their network of cooperating SCVP servers. SCVP servers that support relay SHOULD populate this item with the DNS name of the server or the distinguished name in the server's certificate. SCVP servers MAY choose other procedures for generating identifiers that are unique within their community.

为防止错误循环检测,服务器应使用在其协作SCVP服务器网络中唯一的标识符。支持中继的SCVP服务器应使用服务器的DNS名称或服务器证书中的可分辨名称填充此项。SCVP服务器可以选择其他过程来生成其社区内唯一的标识符。

When an SCVP server receives a request that contains a requestorRef item, the server MUST check the sequence of names in the requestorRef item for its own identifier. If the server discovers its own identifier in the requestorRef item, it MUST respond with an error, setting the statusCode in the responseStatus item to 40.

当SCVP服务器接收到包含requestorRef项的请求时,服务器必须检查requestorRef项中的名称序列以查找其自己的标识符。如果服务器在requestorRef项中发现自己的标识符,它必须响应一个错误,将responseStatus项中的statusCode设置为40。

When an SCVP server generates a non-cached response to a relayed request, the server MUST include the requestorRef item from the request in the response.

当SCVP服务器对中继请求生成非缓存响应时,服务器必须在响应中包含请求中的requestorRef项。

8. SCVP ASN.1 Module
8. SCVP ASN.1模块

This section defines the syntax for SCVP request-response pairs. The semantics for the messages are defined in Sections 3, 4, 5, and 6. The SCVP ASN.1 module follows.

本节定义了SCVP请求-响应对的语法。第3、4、5和6节定义了消息的语义。下面是SCVP ASN.1模块。

SCVP

SCVP

     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 21 }
        
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 21 }
        
   DEFINITIONS IMPLICIT TAGS ::= BEGIN
        
   DEFINITIONS IMPLICIT TAGS ::= BEGIN
        

IMPORTS

进口

   AlgorithmIdentifier, Attribute, Certificate, Extensions,
   -- Import UTF8String if required by compiler
   -- UTF8String, -- CertificateList, CertificateSerialNumber
     FROM PKIX1Explicit88 -- RFC 3280
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 18 }
        
   AlgorithmIdentifier, Attribute, Certificate, Extensions,
   -- Import UTF8String if required by compiler
   -- UTF8String, -- CertificateList, CertificateSerialNumber
     FROM PKIX1Explicit88 -- RFC 3280
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 18 }
        
   GeneralNames, GeneralName, KeyUsage, KeyPurposeId
     FROM PKIX1Implicit88 -- RFC 3280
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 19 }
        
   GeneralNames, GeneralName, KeyUsage, KeyPurposeId
     FROM PKIX1Implicit88 -- RFC 3280
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 19 }
        
   AttributeCertificate
     FROM PKIXAttributeCertificate -- RFC 3281
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 12 }
        
   AttributeCertificate
     FROM PKIXAttributeCertificate -- RFC 3281
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 12 }
        
   OCSPResponse
     FROM OCSP -- RFC 2560
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 14 }
        
   OCSPResponse
     FROM OCSP -- RFC 2560
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0) 14 }
        
   ContentInfo
     FROM CryptographicMessageSyntax2004 -- RFC 3852
     { iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;
        
   ContentInfo
     FROM CryptographicMessageSyntax2004 -- RFC 3852
     { iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;
        

-- SCVP Certificate Validation Request

--SCVP证书验证请求

   id-ct OBJECT IDENTIFIER ::= { iso(1) member-body(2)
             us(840) rsadsi(113549) pkcs(1) pkcs9(9)
             id-smime(16) 1 }
        
   id-ct OBJECT IDENTIFIER ::= { iso(1) member-body(2)
             us(840) rsadsi(113549) pkcs(1) pkcs9(9)
             id-smime(16) 1 }
        
   id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 }
        
   id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 }
        
   CVRequest ::= SEQUENCE {
     cvRequestVersion           INTEGER DEFAULT 1,
     query                      Query,
     requestorRef           [0] GeneralNames OPTIONAL,
     requestNonce           [1] OCTET STRING OPTIONAL,
     requestorName          [2] GeneralName OPTIONAL,
     responderName          [3] GeneralName OPTIONAL,
     requestExtensions      [4] Extensions OPTIONAL,
     signatureAlg           [5] AlgorithmIdentifier OPTIONAL,
     hashAlg                [6] OBJECT IDENTIFIER OPTIONAL,
     requestorText          [7] UTF8String (SIZE (1..256)) OPTIONAL }
        
   CVRequest ::= SEQUENCE {
     cvRequestVersion           INTEGER DEFAULT 1,
     query                      Query,
     requestorRef           [0] GeneralNames OPTIONAL,
     requestNonce           [1] OCTET STRING OPTIONAL,
     requestorName          [2] GeneralName OPTIONAL,
     responderName          [3] GeneralName OPTIONAL,
     requestExtensions      [4] Extensions OPTIONAL,
     signatureAlg           [5] AlgorithmIdentifier OPTIONAL,
     hashAlg                [6] OBJECT IDENTIFIER OPTIONAL,
     requestorText          [7] UTF8String (SIZE (1..256)) OPTIONAL }
        
   Query ::= SEQUENCE {
     queriedCerts             CertReferences,
     checks                   CertChecks,
     wantBack             [1] WantBack OPTIONAL,
     validationPolicy         ValidationPolicy,
     responseFlags            ResponseFlags OPTIONAL,
     serverContextInfo    [2] OCTET STRING OPTIONAL,
     validationTime       [3] GeneralizedTime OPTIONAL,
     intermediateCerts    [4] CertBundle OPTIONAL,
     revInfos             [5] RevocationInfos OPTIONAL,
     producedAt           [6] GeneralizedTime OPTIONAL,
     queryExtensions      [7] Extensions OPTIONAL }
        
   Query ::= SEQUENCE {
     queriedCerts             CertReferences,
     checks                   CertChecks,
     wantBack             [1] WantBack OPTIONAL,
     validationPolicy         ValidationPolicy,
     responseFlags            ResponseFlags OPTIONAL,
     serverContextInfo    [2] OCTET STRING OPTIONAL,
     validationTime       [3] GeneralizedTime OPTIONAL,
     intermediateCerts    [4] CertBundle OPTIONAL,
     revInfos             [5] RevocationInfos OPTIONAL,
     producedAt           [6] GeneralizedTime OPTIONAL,
     queryExtensions      [7] Extensions OPTIONAL }
        
   CertReferences ::= CHOICE {
     pkcRefs       [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
     acRefs        [1] SEQUENCE SIZE (1..MAX) OF ACReference }
        
   CertReferences ::= CHOICE {
     pkcRefs       [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
     acRefs        [1] SEQUENCE SIZE (1..MAX) OF ACReference }
        
   CertReference::= CHOICE {
     pkc               PKCReference,
     ac                ACReference }
        
   CertReference::= CHOICE {
     pkc               PKCReference,
     ac                ACReference }
        
   PKCReference ::= CHOICE {
     cert          [0] Certificate,
     pkcRef        [1] SCVPCertID }
        
   PKCReference ::= CHOICE {
     cert          [0] Certificate,
     pkcRef        [1] SCVPCertID }
        
   ACReference ::= CHOICE {
     attrCert      [2] AttributeCertificate,
     acRef         [3] SCVPCertID }
        
   ACReference ::= CHOICE {
     attrCert      [2] AttributeCertificate,
     acRef         [3] SCVPCertID }
        
   SCVPCertID ::= SEQUENCE {
       certHash        OCTET STRING,
       issuerSerial    SCVPIssuerSerial,
       hashAlgorithm   AlgorithmIdentifier DEFAULT { algorithm sha-1 } }
        
   SCVPCertID ::= SEQUENCE {
       certHash        OCTET STRING,
       issuerSerial    SCVPIssuerSerial,
       hashAlgorithm   AlgorithmIdentifier DEFAULT { algorithm sha-1 } }
        
   SCVPIssuerSerial ::= SEQUENCE {
        issuer         GeneralNames,
        serialNumber   CertificateSerialNumber
   }
        
   SCVPIssuerSerial ::= SEQUENCE {
        issuer         GeneralNames,
        serialNumber   CertificateSerialNumber
   }
        
   ValidationPolicy ::= SEQUENCE {
     validationPolRef           ValidationPolRef,
     validationAlg          [0] ValidationAlg OPTIONAL,
     userPolicySet          [1] SEQUENCE SIZE (1..MAX) OF OBJECT
                                  IDENTIFIER OPTIONAL,
     inhibitPolicyMapping   [2] BOOLEAN OPTIONAL,
     requireExplicitPolicy  [3] BOOLEAN OPTIONAL,
     inhibitAnyPolicy       [4] BOOLEAN OPTIONAL,
     trustAnchors           [5] TrustAnchors OPTIONAL,
     keyUsages              [6] SEQUENCE OF KeyUsage OPTIONAL,
     extendedKeyUsages      [7] SEQUENCE OF KeyPurposeId OPTIONAL,
     specifiedKeyUsages     [8] SEQUENCE OF KeyPurposeId OPTIONAL }
        
   ValidationPolicy ::= SEQUENCE {
     validationPolRef           ValidationPolRef,
     validationAlg          [0] ValidationAlg OPTIONAL,
     userPolicySet          [1] SEQUENCE SIZE (1..MAX) OF OBJECT
                                  IDENTIFIER OPTIONAL,
     inhibitPolicyMapping   [2] BOOLEAN OPTIONAL,
     requireExplicitPolicy  [3] BOOLEAN OPTIONAL,
     inhibitAnyPolicy       [4] BOOLEAN OPTIONAL,
     trustAnchors           [5] TrustAnchors OPTIONAL,
     keyUsages              [6] SEQUENCE OF KeyUsage OPTIONAL,
     extendedKeyUsages      [7] SEQUENCE OF KeyPurposeId OPTIONAL,
     specifiedKeyUsages     [8] SEQUENCE OF KeyPurposeId OPTIONAL }
        
   CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
   CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
   WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
   WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
        
   ValidationPolRef ::= SEQUENCE {
       valPolId             OBJECT IDENTIFIER,
       valPolParams         ANY DEFINED BY valPolId OPTIONAL }
        
   ValidationPolRef ::= SEQUENCE {
       valPolId             OBJECT IDENTIFIER,
       valPolParams         ANY DEFINED BY valPolId OPTIONAL }
        
   ValidationAlg ::= SEQUENCE {
     valAlgId               OBJECT IDENTIFIER,
     parameters             ANY DEFINED BY valAlgId OPTIONAL }
        
   ValidationAlg ::= SEQUENCE {
     valAlgId               OBJECT IDENTIFIER,
     parameters             ANY DEFINED BY valAlgId OPTIONAL }
        
   NameValidationAlgParms ::= SEQUENCE {
     nameCompAlgId          OBJECT IDENTIFIER,
     validationNames        GeneralNames }
        
   NameValidationAlgParms ::= SEQUENCE {
     nameCompAlgId          OBJECT IDENTIFIER,
     validationNames        GeneralNames }
        
   TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
        
   TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
        
   KeyAgreePublicKey ::= SEQUENCE {
     algorithm           AlgorithmIdentifier,
     publicKey           BIT STRING,
     macAlgorithm        AlgorithmIdentifier,
     kDF                 AlgorithmIdentifier OPTIONAL }
        
   KeyAgreePublicKey ::= SEQUENCE {
     algorithm           AlgorithmIdentifier,
     publicKey           BIT STRING,
     macAlgorithm        AlgorithmIdentifier,
     kDF                 AlgorithmIdentifier OPTIONAL }
        
   ResponseFlags ::= SEQUENCE {
     fullRequestInResponse      [0] BOOLEAN DEFAULT FALSE,
     responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE,
     protectResponse            [2] BOOLEAN DEFAULT TRUE,
     cachedResponse             [3] BOOLEAN DEFAULT TRUE }
        
   ResponseFlags ::= SEQUENCE {
     fullRequestInResponse      [0] BOOLEAN DEFAULT FALSE,
     responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE,
     protectResponse            [2] BOOLEAN DEFAULT TRUE,
     cachedResponse             [3] BOOLEAN DEFAULT TRUE }
        
   CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate
        
   CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate
        
   RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo
        
   RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo
        
   RevocationInfo ::= CHOICE {
     crl                    [0] CertificateList,
     delta-crl              [1] CertificateList,
     ocsp                   [2] OCSPResponse,
     other                  [3] OtherRevInfo }
        
   RevocationInfo ::= CHOICE {
     crl                    [0] CertificateList,
     delta-crl              [1] CertificateList,
     ocsp                   [2] OCSPResponse,
     other                  [3] OtherRevInfo }
        
   OtherRevInfo ::= SEQUENCE {
     riType                     OBJECT IDENTIFIER,
     riValue                    ANY DEFINED BY riType }
        
   OtherRevInfo ::= SEQUENCE {
     riType                     OBJECT IDENTIFIER,
     riValue                    ANY DEFINED BY riType }
        

-- SCVP Certificate Validation Response

--SCVP证书验证响应

   id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 }
        
   id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 }
        
   CVResponse ::= SEQUENCE {
     cvResponseVersion          INTEGER,
     serverConfigurationID      INTEGER,
     producedAt                 GeneralizedTime,
     responseStatus             ResponseStatus,
     respValidationPolicy   [0] RespValidationPolicy OPTIONAL,
     requestRef             [1] RequestReference OPTIONAL,
     requestorRef           [2] GeneralNames OPTIONAL,
     requestorName          [3] GeneralNames OPTIONAL,
     replyObjects           [4] ReplyObjects OPTIONAL,
     respNonce              [5] OCTET STRING OPTIONAL,
     serverContextInfo      [6] OCTET STRING OPTIONAL,
     cvResponseExtensions   [7] Extensions OPTIONAL,
     requestorText          [8] UTF8String (SIZE (1..256)) OPTIONAL }
        
   CVResponse ::= SEQUENCE {
     cvResponseVersion          INTEGER,
     serverConfigurationID      INTEGER,
     producedAt                 GeneralizedTime,
     responseStatus             ResponseStatus,
     respValidationPolicy   [0] RespValidationPolicy OPTIONAL,
     requestRef             [1] RequestReference OPTIONAL,
     requestorRef           [2] GeneralNames OPTIONAL,
     requestorName          [3] GeneralNames OPTIONAL,
     replyObjects           [4] ReplyObjects OPTIONAL,
     respNonce              [5] OCTET STRING OPTIONAL,
     serverContextInfo      [6] OCTET STRING OPTIONAL,
     cvResponseExtensions   [7] Extensions OPTIONAL,
     requestorText          [8] UTF8String (SIZE (1..256)) OPTIONAL }
        
   ResponseStatus ::= SEQUENCE {
       statusCode               CVStatusCode DEFAULT  okay,
       errorMessage             UTF8String OPTIONAL }
        
   ResponseStatus ::= SEQUENCE {
       statusCode               CVStatusCode DEFAULT  okay,
       errorMessage             UTF8String OPTIONAL }
        
   CVStatusCode ::= ENUMERATED {
       okay                               (0),
       skipUnrecognizedItems              (1),
       tooBusy                           (10),
       invalidRequest                    (11),
       internalError                     (12),
       badStructure                      (20),
       unsupportedVersion                (21),
       abortUnrecognizedItems            (22),
       unrecognizedSigKey                (23),
       badSignatureOrMAC                 (24),
        
   CVStatusCode ::= ENUMERATED {
       okay                               (0),
       skipUnrecognizedItems              (1),
       tooBusy                           (10),
       invalidRequest                    (11),
       internalError                     (12),
       badStructure                      (20),
       unsupportedVersion                (21),
       abortUnrecognizedItems            (22),
       unrecognizedSigKey                (23),
       badSignatureOrMAC                 (24),
        

unableToDecode (25), notAuthorized (26), unsupportedChecks (27), unsupportedWantBacks (28), unsupportedSignatureOrMAC (29), invalidSignatureOrMAC (30), protectedResponseUnsupported (31), unrecognizedResponderName (32), relayingLoop (40), unrecognizedValPol (50), unrecognizedValAlg (51), fullRequestInResponseUnsupported (52), fullPolResponseUnsupported (53), inhibitPolicyMappingUnsupported (54), requireExplicitPolicyUnsupported (55), inhibitAnyPolicyUnsupported (56), validationTimeUnsupported (57), unrecognizedCritQueryExt (63), unrecognizedCritRequestExt (64) }

无法删除(25)、未经授权(26)、未经支持的检查(27)、未经支持的Antbacks(28)、未经支持的签名RMAC(29)、无效签名RMAC(30)、受保护的响应受支持(31)、未经认可的响应名(32)、中继环路(40)、未经认可的Alpol(50)、未经认可的Alalg(51)、响应中的完整请求受支持(52),fullPolResponseUnsupported(53)、inhibitPolicyMappingUnsupported(54)、requireExplicitPolicyUnsupported(55)、inhibitAnyPolicyUnsupported(56)、validationTimeUnsupported(57)、UnrecognizedCritQueryText(63)、UnrecognizedCritRequestText(64)}

   RespValidationPolicy ::= ValidationPolicy
        
   RespValidationPolicy ::= ValidationPolicy
        
   RequestReference ::= CHOICE {
     requestHash   [0] HashValue, -- hash of CVRequest
     fullRequest   [1] CVRequest }
        
   RequestReference ::= CHOICE {
     requestHash   [0] HashValue, -- hash of CVRequest
     fullRequest   [1] CVRequest }
        
   HashValue ::= SEQUENCE {
     algorithm         AlgorithmIdentifier DEFAULT { algorithm sha-1 },
     value             OCTET STRING }
        
   HashValue ::= SEQUENCE {
     algorithm         AlgorithmIdentifier DEFAULT { algorithm sha-1 },
     value             OCTET STRING }
        
   sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             oiw(14) secsig(3) algorithm(2) 26 }
        
   sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             oiw(14) secsig(3) algorithm(2) 26 }
        
   ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply
        
   ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply
        
   CertReply ::= SEQUENCE {
     cert                       CertReference,
     replyStatus                ReplyStatus DEFAULT success,
     replyValTime               GeneralizedTime,
     replyChecks                ReplyChecks,
     replyWantBacks             ReplyWantBacks,
     validationErrors       [0] SEQUENCE SIZE (1..MAX) OF
                                  OBJECT IDENTIFIER OPTIONAL,
     nextUpdate             [1] GeneralizedTime OPTIONAL,
     certReplyExtensions    [2] Extensions OPTIONAL }
        
   CertReply ::= SEQUENCE {
     cert                       CertReference,
     replyStatus                ReplyStatus DEFAULT success,
     replyValTime               GeneralizedTime,
     replyChecks                ReplyChecks,
     replyWantBacks             ReplyWantBacks,
     validationErrors       [0] SEQUENCE SIZE (1..MAX) OF
                                  OBJECT IDENTIFIER OPTIONAL,
     nextUpdate             [1] GeneralizedTime OPTIONAL,
     certReplyExtensions    [2] Extensions OPTIONAL }
        
   ReplyStatus ::= ENUMERATED {
     success                    (0),
     malformedPKC               (1),
     malformedAC                (2),
     unavailableValidationTime  (3),
     referenceCertHashFail      (4),
     certPathConstructFail      (5),
     certPathNotValid           (6),
     certPathNotValidNow        (7),
     wantBackUnsatisfied        (8) }
        
   ReplyStatus ::= ENUMERATED {
     success                    (0),
     malformedPKC               (1),
     malformedAC                (2),
     unavailableValidationTime  (3),
     referenceCertHashFail      (4),
     certPathConstructFail      (5),
     certPathNotValid           (6),
     certPathNotValidNow        (7),
     wantBackUnsatisfied        (8) }
        
   ReplyChecks ::= SEQUENCE OF ReplyCheck
        
   ReplyChecks ::= SEQUENCE OF ReplyCheck
        
   ReplyCheck ::= SEQUENCE {
     check                      OBJECT IDENTIFIER,
     status                     INTEGER DEFAULT 0 }
        
   ReplyCheck ::= SEQUENCE {
     check                      OBJECT IDENTIFIER,
     status                     INTEGER DEFAULT 0 }
        
   ReplyWantBacks ::= SEQUENCE OF ReplyWantBack
        
   ReplyWantBacks ::= SEQUENCE OF ReplyWantBack
        
   ReplyWantBack::= SEQUENCE {
     wb                         OBJECT IDENTIFIER,
     value                      OCTET STRING }
        
   ReplyWantBack::= SEQUENCE {
     wb                         OBJECT IDENTIFIER,
     value                      OCTET STRING }
        
   CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle
        
   CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle
        
   RevInfoWantBack ::= SEQUENCE {
     revocationInfo             RevocationInfos,
     extraCerts                 CertBundle OPTIONAL }
        
   RevInfoWantBack ::= SEQUENCE {
     revocationInfo             RevocationInfos,
     extraCerts                 CertBundle OPTIONAL }
        
   SCVPResponses ::= SEQUENCE OF ContentInfo
        
   SCVPResponses ::= SEQUENCE OF ContentInfo
        

-- SCVP Validation Policies Request

--SCVP验证策略请求

   id-ct-scvp-valPolRequest     OBJECT IDENTIFIER ::= { id-ct 12 }
        
   id-ct-scvp-valPolRequest     OBJECT IDENTIFIER ::= { id-ct 12 }
        
   ValPolRequest ::= SEQUENCE {
     vpRequestVersion           INTEGER DEFAULT 1,
     requestNonce               OCTET STRING }
        
   ValPolRequest ::= SEQUENCE {
     vpRequestVersion           INTEGER DEFAULT 1,
     requestNonce               OCTET STRING }
        

-- SCVP Validation Policies Response

--SCVP验证策略响应

   id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 }
        
   id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 }
        
   ValPolResponse ::= SEQUENCE {
     vpResponseVersion                INTEGER,
     maxCVRequestVersion              INTEGER,
     maxVPRequestVersion              INTEGER,
     serverConfigurationID            INTEGER,
        
   ValPolResponse ::= SEQUENCE {
     vpResponseVersion                INTEGER,
     maxCVRequestVersion              INTEGER,
     maxVPRequestVersion              INTEGER,
     serverConfigurationID            INTEGER,
        

thisUpdate GeneralizedTime, nextUpdate GeneralizedTime OPTIONAL, supportedChecks CertChecks, supportedWantBacks WantBack, validationPolicies SEQUENCE OF OBJECT IDENTIFIER, validationAlgs SEQUENCE OF OBJECT IDENTIFIER, authPolicies SEQUENCE OF AuthPolicy, responseTypes ResponseTypes, defaultPolicyValues RespValidationPolicy, revocationInfoTypes RevocationInfoTypes, signatureGeneration SEQUENCE OF AlgorithmIdentifier, signatureVerification SEQUENCE OF AlgorithmIdentifier, hashAlgorithms SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER, serverPublicKeys SEQUENCE OF KeyAgreePublicKey OPTIONAL, clockSkew INTEGER DEFAULT 10, requestNonce OCTET STRING OPTIONAL }

此更新GeneralizedTime、下一个更新日期GeneralizedTime可选、supportedChecks CertChecks、supportedWantBacks WantBack、对象标识符的ValidationPolicys序列、对象标识符的ValidationAgs序列、AuthPolicy的AuthPolicys序列、ResponseType ResponseType、defaultPolicyValues ResponidationPolicy、,revocationInfoTypes revocationInfoTypes,算法标识符的signatureGeneration序列,算法标识符的signatureVerification序列,对象标识符的hashAlgorithms序列大小(1..MAX),KeyAgreePublicKey的serverPublicKeys序列可选,clockSkew整数默认值10,requestNonce八位字符串可选}

   ResponseTypes  ::= ENUMERATED {
     cached-only                (0),
     non-cached-only            (1),
     cached-and-non-cached      (2) }
        
   ResponseTypes  ::= ENUMERATED {
     cached-only                (0),
     non-cached-only            (1),
     cached-and-non-cached      (2) }
        
   RevocationInfoTypes ::= BIT STRING {
     fullCRLs                   (0),
     deltaCRLs                  (1),
     indirectCRLs               (2),
     oCSPResponses              (3) }
        
   RevocationInfoTypes ::= BIT STRING {
     fullCRLs                   (0),
     deltaCRLs                  (1),
     indirectCRLs               (2),
     oCSPResponses              (3) }
        
   AuthPolicy ::= OBJECT IDENTIFIER
        
   AuthPolicy ::= OBJECT IDENTIFIER
        

-- SCVP Check Identifiers

--检查标识符

   id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 }
        
   id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 }
        
   id-stc-build-pkc-path        OBJECT IDENTIFIER ::= { id-stc 1 }
   id-stc-build-valid-pkc-path  OBJECT IDENTIFIER ::= { id-stc 2 }
   id-stc-build-status-checked-pkc-path
                                OBJECT IDENTIFIER ::= { id-stc 3 }
   id-stc-build-aa-path         OBJECT IDENTIFIER ::= { id-stc 4 }
   id-stc-build-valid-aa-path   OBJECT IDENTIFIER ::= { id-stc 5 }
   id-stc-build-status-checked-aa-path
                                OBJECT IDENTIFIER ::= { id-stc 6 }
   id-stc-status-check-ac-and-build-status-checked-aa-path
                                OBJECT IDENTIFIER ::= { id-stc 7 }
        
   id-stc-build-pkc-path        OBJECT IDENTIFIER ::= { id-stc 1 }
   id-stc-build-valid-pkc-path  OBJECT IDENTIFIER ::= { id-stc 2 }
   id-stc-build-status-checked-pkc-path
                                OBJECT IDENTIFIER ::= { id-stc 3 }
   id-stc-build-aa-path         OBJECT IDENTIFIER ::= { id-stc 4 }
   id-stc-build-valid-aa-path   OBJECT IDENTIFIER ::= { id-stc 5 }
   id-stc-build-status-checked-aa-path
                                OBJECT IDENTIFIER ::= { id-stc 6 }
   id-stc-status-check-ac-and-build-status-checked-aa-path
                                OBJECT IDENTIFIER ::= { id-stc 7 }
        

-- SCVP WantBack Identifiers

--SCVP WantBack标识符

   id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 }
        
   id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 }
        
   id-swb-pkc-best-cert-path       OBJECT IDENTIFIER ::= { id-swb 1 }
   id-swb-pkc-revocation-info      OBJECT IDENTIFIER ::= { id-swb 2 }
   id-swb-pkc-public-key-info      OBJECT IDENTIFIER ::= { id-swb 4 }
   id-swb-aa-cert-path             OBJECT IDENTIFIER ::= { id-swb 5 }
   id-swb-aa-revocation-info       OBJECT IDENTIFIER ::= { id-swb 6 }
   id-swb-ac-revocation-info       OBJECT IDENTIFIER ::= { id-swb 7 }
   id-swb-relayed-responses        OBJECT IDENTIFIER ::= { id-swb 9 }
   id-swb-pkc-cert                 OBJECT IDENTIFIER ::= { id-swb 10}
   id-swb-ac-cert                  OBJECT IDENTIFIER ::= { id-swb 11}
   id-swb-pkc-all-cert-paths       OBJECT IDENTIFIER ::= { id-swb 12}
   id-swb-pkc-ee-revocation-info   OBJECT IDENTIFIER ::= { id-swb 13}
   id-swb-pkc-CAs-revocation-info  OBJECT IDENTIFIER ::= { id-swb 14}
        
   id-swb-pkc-best-cert-path       OBJECT IDENTIFIER ::= { id-swb 1 }
   id-swb-pkc-revocation-info      OBJECT IDENTIFIER ::= { id-swb 2 }
   id-swb-pkc-public-key-info      OBJECT IDENTIFIER ::= { id-swb 4 }
   id-swb-aa-cert-path             OBJECT IDENTIFIER ::= { id-swb 5 }
   id-swb-aa-revocation-info       OBJECT IDENTIFIER ::= { id-swb 6 }
   id-swb-ac-revocation-info       OBJECT IDENTIFIER ::= { id-swb 7 }
   id-swb-relayed-responses        OBJECT IDENTIFIER ::= { id-swb 9 }
   id-swb-pkc-cert                 OBJECT IDENTIFIER ::= { id-swb 10}
   id-swb-ac-cert                  OBJECT IDENTIFIER ::= { id-swb 11}
   id-swb-pkc-all-cert-paths       OBJECT IDENTIFIER ::= { id-swb 12}
   id-swb-pkc-ee-revocation-info   OBJECT IDENTIFIER ::= { id-swb 13}
   id-swb-pkc-CAs-revocation-info  OBJECT IDENTIFIER ::= { id-swb 14}
        

-- SCVP Validation Policy and Algorithm Identifiers

--SCVP验证策略和算法标识符

   id-svp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 19 }
        
   id-svp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 19 }
        
   id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 }
        
   id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 }
        

-- SCVP Basic Validation Algorithm Identifier

--基本验证算法标识符

   id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 }
        
   id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 }
        

-- SCVP Basic Validation Algorithm Errors

--SCVP基本验证算法错误

   id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg
        
   id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg
        
   id-bvae-expired              OBJECT IDENTIFIER ::= { id-bvae 1 }
   id-bvae-not-yet-valid        OBJECT IDENTIFIER ::= { id-bvae 2 }
   id-bvae-wrongTrustAnchor     OBJECT IDENTIFIER ::= { id-bvae 3 }
   id-bvae-noValidCertPath      OBJECT IDENTIFIER ::= { id-bvae 4 }
   id-bvae-revoked              OBJECT IDENTIFIER ::= { id-bvae 5 }
   id-bvae-invalidKeyPurpose    OBJECT IDENTIFIER ::= { id-bvae 9 }
   id-bvae-invalidKeyUsage      OBJECT IDENTIFIER ::= { id-bvae 10 }
   id-bvae-invalidCertPolicy    OBJECT IDENTIFIER ::= { id-bvae 11 }
        
   id-bvae-expired              OBJECT IDENTIFIER ::= { id-bvae 1 }
   id-bvae-not-yet-valid        OBJECT IDENTIFIER ::= { id-bvae 2 }
   id-bvae-wrongTrustAnchor     OBJECT IDENTIFIER ::= { id-bvae 3 }
   id-bvae-noValidCertPath      OBJECT IDENTIFIER ::= { id-bvae 4 }
   id-bvae-revoked              OBJECT IDENTIFIER ::= { id-bvae 5 }
   id-bvae-invalidKeyPurpose    OBJECT IDENTIFIER ::= { id-bvae 9 }
   id-bvae-invalidKeyUsage      OBJECT IDENTIFIER ::= { id-bvae 10 }
   id-bvae-invalidCertPolicy    OBJECT IDENTIFIER ::= { id-bvae 11 }
        

-- SCVP Name Validation Algorithm Identifier

--SCVP名称验证算法标识符

   id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }
        
   id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }
        

-- SCVP Name Validation Algorithm DN comparison algorithm

--SCVP名称验证算法DN比较算法

   id-nva-dnCompAlg   OBJECT IDENTIFIER ::= { id-svp 4 }
        
   id-nva-dnCompAlg   OBJECT IDENTIFIER ::= { id-svp 4 }
        

-- SCVP Name Validation Algorithm Errors

--SCVP名称验证算法错误

   id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg
        
   id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg
        
   id-nvae-name-mismatch          OBJECT IDENTIFIER ::= { id-nvae 1 }
   id-nvae-no-name                OBJECT IDENTIFIER ::= { id-nvae 2 }
   id-nvae-unknown-alg            OBJECT IDENTIFIER ::= { id-nvae 3 }
   id-nvae-bad-name               OBJECT IDENTIFIER ::= { id-nvae 4 }
   id-nvae-bad-name-type          OBJECT IDENTIFIER ::= { id-nvae 5 }
   id-nvae-mixed-names            OBJECT IDENTIFIER ::= { id-nvae 6 }
        
   id-nvae-name-mismatch          OBJECT IDENTIFIER ::= { id-nvae 1 }
   id-nvae-no-name                OBJECT IDENTIFIER ::= { id-nvae 2 }
   id-nvae-unknown-alg            OBJECT IDENTIFIER ::= { id-nvae 3 }
   id-nvae-bad-name               OBJECT IDENTIFIER ::= { id-nvae 4 }
   id-nvae-bad-name-type          OBJECT IDENTIFIER ::= { id-nvae 5 }
   id-nvae-mixed-names            OBJECT IDENTIFIER ::= { id-nvae 6 }
        

-- SCVP Extended Key Usage Key Purpose Identifiers

--SCVP扩展密钥使用密钥用途标识符

   id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
        
   id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
             dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 }
        
   id-kp-scvpServer               OBJECT IDENTIFIER ::= { id-kp 15 }
        
   id-kp-scvpServer               OBJECT IDENTIFIER ::= { id-kp 15 }
        
   id-kp-scvpClient               OBJECT IDENTIFIER ::= { id-kp 16 }
        
   id-kp-scvpClient               OBJECT IDENTIFIER ::= { id-kp 16 }
        

END

终止

9. Security Considerations
9. 安全考虑

For security considerations specific to the Cryptographic Message Syntax message formats, see [CMS]. For security considerations specific to the process of PKI certification path validation, see [PKIX-1].

有关特定于加密消息语法消息格式的安全注意事项,请参阅[CMS]。有关特定于PKI认证路径验证过程的安全注意事项,请参阅[PKIX-1]。

A client that trusts a server's response for validation of a certificate inherently trusts that server as much as it would trust its own validation software. This means that if an attacker compromises a trusted SCVP server, the attacker can change the validation processing for every client that relies on that server. Thus, an SCVP server must be protected at least as well as the trust anchors that the SCVP server trusts.

信任服务器对证书验证的响应的客户端本质上信任该服务器,就像信任自己的验证软件一样。这意味着,如果攻击者破坏受信任的SCVP服务器,则攻击者可以更改依赖该服务器的每个客户端的验证处理。因此,SCVP服务器必须至少与SCVP服务器信任的信任锚一样受到保护。

Clients MUST verify that the response matches their original request. Clients need to ensure that the server has performed the appropriate checks for the correct certificates under the requested validation policy for the specified validation time, and that the response includes the requested wantBacks and meets the client's freshness requirements.

客户端必须验证响应是否与其原始请求匹配。客户端需要确保服务器在指定的验证时间内已根据请求的验证策略对正确的证书执行了适当的检查,并且响应包括请求的wantBacks并满足客户端的新鲜度要求。

When the SCVP response is used to determine the validity of a certificate, the client MUST validate the digital signature or MAC on the response to ensure that the expected SCVP server generated it. If the client does not check the digital signature or MAC on the response, a man-in-the-middle attack could fool the client into believing modified responses from the server or responses to questions the client did not ask.

当使用SCVP响应来确定证书的有效性时,客户端必须验证响应上的数字签名或MAC,以确保预期的SCVP服务器生成了它。如果客户端没有检查响应上的数字签名或MAC,中间人攻击可能会欺骗客户端相信来自服务器的修改响应或对客户端未询问的问题的响应。

If the client does not include a requestNonce item, or if the client does not check that the requestNonce in the response matches the value in the request, an attacker can replay previous responses from the SCVP server.

如果客户端不包含requestNonce项,或者客户端未检查响应中的requestNonce是否与请求中的值匹配,则攻击者可以重播来自SCVP服务器的先前响应。

If the server does not require some sort of authorization (such as signed requests), an attacker can get the server to respond to arbitrary requests. Such responses may give the attacker information about weaknesses in the server or about the timeliness of the server's checking. This information may be valuable for a future attack.

如果服务器不需要某种授权(如签名请求),攻击者可以让服务器响应任意请求。此类响应可能会向攻击者提供有关服务器弱点或服务器检查及时性的信息。这些信息可能对未来的攻击很有价值。

If the server uses the serverContextInfo item to indicate some server state associated with a requestor, implementers must take appropriate measures against denial-of-service attacks where an attacker sends in a lot of requests at one time to force the server to keep a lot of state information.

如果服务器使用serverContextInfo项来指示与请求者相关联的某些服务器状态,则实现者必须采取适当的措施防止拒绝服务攻击,即攻击者一次发送大量请求以迫使服务器保留大量状态信息。

SCVP does not include any confidentiality mechanisms. If confidentiality is needed, it can be achieved with a lower-layer security protocol such as TLS [TLS].

SCVP不包括任何保密机制。如果需要保密,可以使用较低层的安全协议(如TLS[TLS])来实现。

If an SCVP client is not operating on a network with good physical protection, it must ensure that there is integrity over the SCVP request-response pair. The client can ensure integrity by using a protected transport such as TLS. It can ensure integrity by using MACs or digital signatures to individually protect the request and response messages.

如果SCVP客户端未在物理保护良好的网络上运行,则必须确保SCVP请求-响应对的完整性。客户端可以通过使用受保护的传输(如TLS)来确保完整性。它可以通过使用MAC或数字签名来单独保护请求和响应消息,从而确保完整性。

If an SCVP client populates the userPolicySet in a request with a value other than anyPolicy, but does not set the requireExplicitPolicy flag, the server may return an affirmative answer for paths that do not satisfy any of the specified policies. In general, when a client populates the userPolicySet in a request with a value other than anyPolicy, the requireExplicitPolicy flag should also be set. This guarantees that all valid paths satisfy at least one of the requested policies.

如果SCVP客户端在请求中使用anyPolicy以外的值填充userPolicySet,但未设置requireExplicitPolicy标志,则服务器可能会对不满足任何指定策略的路径返回肯定回答。通常,当客户机在请求中使用anyPolicy以外的值填充userPolicySet时,还应设置requireExplicitPolicy标志。这保证所有有效路径至少满足一个请求的策略。

In SCVP, historical validation of a certificate returns the known status of the certificate at the time specified in validationTime. This may be used to demonstrate due diligence, but does not necessarily provide the most complete information. A certificate may have been revoked after the time specified in validationTime, but the revocation notice may specify an invalidity date that precedes the validationTime. The SCVP server would provide an affirmative response even though the most current information available indicates the certificate should not be trusted at that time. SCVP clients may wish to specify a validationTime later than the actual time of interest to mitigate this risk.

在SCVP中,证书的历史验证返回证书在validationTime中指定的时间的已知状态。这可用于证明尽职调查,但不一定提供最完整的信息。证书可能在validationTime中指定的时间之后被撤销,但撤销通知可能会指定validationTime之前的无效日期。SCVP服务器将提供肯定的响应,即使可用的最新信息表明此时不应信任该证书。SCVP客户可能希望指定晚于实际关注时间的validationTime,以降低此风险。

10. IANA Considerations
10. IANA考虑

The details of SCVP requests and responses are communicated using object identifiers (OIDs). The objects are defined in an arc delegated by IANA to the PKIX Working Group. This document also includes four MIME type registrations in Appendix A. No further action by IANA is necessary for this document or any anticipated updates.

SCVP请求和响应的详细信息使用对象标识符(OID)进行通信。这些对象在IANA委托给PKIX工作组的arc中定义。本文件还包括附录A中的四个MIME类型注册。本文件或任何预期更新无需IANA采取进一步行动。

11. References
11. 工具书类
11.1. Normative References
11.1. 规范性引用文件

[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.

[CMS]Housley,R.,“加密消息语法(CMS)”,RFC 38522004年7月。

[OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999.

[OCSP]Myers,M.,Ankney,R.,Malpani,A.,Galperin,S.,和C.Adams,“X.509互联网公钥基础设施在线证书状态协议-OCSP”,RFC 25601999年6月。

[PKIX-1] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[PKIX-1]Housley,R.,Polk,W.,Ford,W.,和D.Solo,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)概要”,RFC 32802002年4月。

[PKIX-AC] Farrell, S. and R. Housley, "An Internet Attribute Certificate Profile for Authorization", RFC 3281, April 2002.

[PKIX-AC]Farrell,S.和R.Housley,“用于授权的Internet属性证书配置文件”,RFC 3281,2002年4月。

[PKIX-ALG] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.

[PKIX-ALG]Bassham,L.,Polk,W.,和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件的算法和标识符”,RFC 3279,2002年4月。

[PKIX-ALG2] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005.

[PKIX-ALG2]Schaad,J.,Kaliski,B.,和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件中使用的RSA加密的其他算法和标识符”,RFC 4055,2005年6月。

[UTF8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[UTF8]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。

[ESS] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.

[ESS]Hoffman,P.,Ed.“S/MIME的增强安全服务”,RFC 2634,1999年6月。

[SMIME-CERT] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling", RFC 3850, July 2004.

[SMIME-CERT]Ramsdell,B.,编辑,“安全/多用途Internet邮件扩展(S/MIME)版本3.1证书处理”,RFC 38502004年7月。

[IKE] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.

[IKE]Kaufman,C.,编辑,“互联网密钥交换(IKEv2)协议”,RFC 4306,2005年12月。

[HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

[HTTP]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.,和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC2616,1999年6月。

11.2. Informative References
11.2. 资料性引用

[IKE-GROUPS] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, May 2003.

[IKE-GROUPS]Kivinen,T.和M.Kojo,“互联网密钥交换(IKE)的更模指数(MODP)Diffie-Hellman群”,RFC 3526,2003年5月。

[RQMTS] Pinkas, D. and R. Housley, "Delegated Path Validation and Delegated Path Discovery Protocol Requirements", RFC 3379, September 2002.

[RQMTS]Pinkas,D.和R.Housley,“委托路径验证和委托路径发现协议要求”,RFC 3379,2002年9月。

[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.

[TLS]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.1”,RFC 4346,2006年4月。

12. Acknowledgments
12. 致谢

The lively debate in the PKIX Working Group has made a significant impact on this protocol. Special thanks to the following for their contributions to this document and diligence in greatly improving it.

PKIX工作组的热烈辩论对该协议产生了重大影响。特别感谢以下人员对本文件的贡献以及对本文件的大力改进。

Paul Hoffman Phillip Hallam-Baker Mike Myers Frank Balluffi Ameya Talwalkar John Thielens Peter Sylvester Yuriy Dzambasow Sean P. Turner Wen-Cheng Wang Francis Dupont Dave Engberg Faisal Maqsood

保罗·霍夫曼·菲利普·哈勒姆·贝克·迈克·迈尔斯·弗兰克·巴卢菲·阿梅亚·塔尔沃卡尔·约翰·蒂伦斯·彼得·西尔维斯特·尤里·德桑巴索·肖恩·特纳·文成王弗朗西斯·杜邦·戴夫·恩伯格·费萨尔·马苏德

Thanks also to working group chair Steve Kent for his support and help.

还感谢工作组主席史蒂夫·肯特的支持和帮助。

Appendix A. MIME Media Type Registrations
附录A.MIME媒体类型注册

Four MIME media type registrations are provided in this appendix.

本附录中提供了四种MIME媒体类型注册。

A.1. application/scvp-cv-request
A.1. 申请/scvp简历申请
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-cv-request
        
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-cv-request
        

MIME media type name: application

MIME媒体类型名称:应用程序

MIME subtype name: scvp-cv-request

MIME子类型名称:scvp cv请求

Required parameters: None

所需参数:无

Optional parameters: None

可选参数:无

Encoding considerations: Binary

编码注意事项:二进制

Security considerations: Carries a request for information. This request may optionally be cryptographically protected.

安全注意事项:携带信息请求。此请求可以选择加密保护。

Interoperability considerations: None

互操作性注意事项:无

Published specification: RFC 5055

已发布规范:RFC 5055

Applications that use this media type: SCVP clients sending certificate validation requests

使用此媒体类型的应用程序:发送证书验证请求的SCVP客户端

Additional information:

其他信息:

      Magic number(s): None
      File extension(s): .SCQ
      Macintosh File Type Code(s): None
        
      Magic number(s): None
      File extension(s): .SCQ
      Macintosh File Type Code(s): None
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        

Intended usage: COMMON

预期用途:普通

Restrictions on usage: This media type can be used with any protocol that can transport digitally signed objects.

使用限制:此媒体类型可与任何可传输数字签名对象的协议一起使用。

   Author: Ambarish Malpani <ambarish@yahoo.com>
        
   Author: Ambarish Malpani <ambarish@yahoo.com>
        

Change controller: IESG

更改控制器:IESG

A.2. application/scvp-cv-response
A.2. 应用程序/scvp cv响应
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-cv-response
        
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-cv-response
        

MIME media type name: application

MIME媒体类型名称:应用程序

MIME subtype name: scvp-cv-response

MIME子类型名称:scvp cv响应

Required parameters: None

所需参数:无

Optional parameters: None

可选参数:无

Encoding considerations: Binary

编码注意事项:二进制

Security considerations: The client may require that this response be cryptographically protected, or may choose to use a secure transport mechanism. DPD responses may be unprotected, but the client validates the information provided in the request.

安全注意事项:客户端可能要求对此响应进行加密保护,或者可能选择使用安全传输机制。DPD响应可能不受保护,但客户端验证请求中提供的信息。

Interoperability considerations: None

互操作性注意事项:无

Published specification: RFC 5055

已发布规范:RFC 5055

Applications that use this media type: SCVP servers responding to certificate validation requests

使用此媒体类型的应用程序:响应证书验证请求的SCVP服务器

Additional information:

其他信息:

      Magic number(s): None
      File extension(s): .SCS
      Macintosh File Type Code(s): none
        
      Magic number(s): None
      File extension(s): .SCS
      Macintosh File Type Code(s): none
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        

Intended usage: COMMON Restrictions on usage: This media type can be used with any protocol that can transport digitally signed objects.

预期用途:常见使用限制:此媒体类型可与任何可传输数字签名对象的协议一起使用。

   Author: Ambarish Malpani <ambarish@yahoo.com>
        
   Author: Ambarish Malpani <ambarish@yahoo.com>
        

Change controller: IESG

更改控制器:IESG

A.3. application/scvp-vp-request
A.3. 应用程序/scvp请求
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-vp-request
        
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-vp-request
        

MIME media type name: application

MIME媒体类型名称:应用程序

MIME subtype name: scvp-vp-request

MIME子类型名称:scvp请求

Required parameters: None

所需参数:无

Optional parameters: None

可选参数:无

Encoding considerations: Binary

编码注意事项:二进制

Security considerations: Carries a request for information.

安全注意事项:携带信息请求。

Interoperability considerations: None

互操作性注意事项:无

Published specification: RFC 5055

已发布规范:RFC 5055

Applications that use this media type: SCVP clients sending validation policy requests

使用此媒体类型的应用程序:发送验证策略请求的SCVP客户端

Additional information:

其他信息:

      Magic number(s): None
      File extension(s): .SPQ
      Macintosh File Type Code(s): none
        
      Magic number(s): None
      File extension(s): .SPQ
      Macintosh File Type Code(s): none
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        

Intended usage: COMMON

预期用途:普通

Restrictions on usage: None

使用限制:无

   Author: Ambarish Malpani <ambarish@yahoo.com>
        
   Author: Ambarish Malpani <ambarish@yahoo.com>
        

Change controller: IESG

更改控制器:IESG

A.4. application/scvp-vp-response
A.4. 应用程序/scvp响应
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-vp-response
        
   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/scvp-vp-response
        

MIME media type name: application

MIME媒体类型名称:应用程序

MIME subtype name: scvp-vp-response

MIME子类型名称:scvp响应

Required parameters: None

所需参数:无

Optional parameters: None

可选参数:无

Encoding considerations: Binary

编码注意事项:二进制

Security considerations: None

安全考虑:无

Interoperability considerations: None

互操作性注意事项:无

Published specification: RFC 5055

已发布规范:RFC 5055

Applications that use this media type: SCVP servers responding to validation policy requests

使用此媒体类型的应用程序:响应验证策略请求的SCVP服务器

Additional information:

其他信息:

      Magic number(s): None
      File extension(s): .SPP
      Macintosh File Type Code(s): none
        
      Magic number(s): None
      File extension(s): .SPP
      Macintosh File Type Code(s): none
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        
   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@yahoo.com>
        

Intended usage: COMMON

预期用途:普通

Restrictions on usage: This media type can be used with any protocol that can transport digitally signed objects.

使用限制:此媒体类型可与任何可传输数字签名对象的协议一起使用。

   Author: Ambarish Malpani <ambarish@yahoo.com>
        
   Author: Ambarish Malpani <ambarish@yahoo.com>
        

Change controller: IESG

更改控制器:IESG

Appendix B. SCVP over HTTP
附录B.HTTP上的SCVP

This appendix describes the formatting and transportation conventions for the SCVP request and response when carried by HTTP.

本附录描述了由HTTP承载的SCVP请求和响应的格式和传输约定。

In order for SCVP clients and servers using HTTP to interoperate, the following rules apply.

为了使使用HTTP的SCVP客户端和服务器能够互操作,以下规则适用。

- Clients MUST use the POST method to submit their requests.

- 客户端必须使用POST方法提交其请求。

- Servers MUST use the 200 response code for successful responses.

- 服务器必须使用200响应代码才能成功响应。

- Clients MAY attempt to send HTTPS requests using TLS 1.0 or later, although servers are not required to support TLS.

- 客户机可能会尝试使用TLS 1.0或更高版本发送HTTPS请求,但并不要求服务器支持TLS。

- Servers MUST NOT assume client support for any type of HTTP authentication such as cookies, Basic authentication, or Digest authentication.

- 服务器不得假定客户端支持任何类型的HTTP身份验证,如cookie、基本身份验证或摘要身份验证。

- Clients and servers are expected to follow the other rules and restrictions in [HTTP]. Note that some of those rules are for HTTP methods other than POST; clearly, only the rules that apply to POST are relevant for this specification.

- 客户端和服务器应遵循[HTTP]中的其他规则和限制。注意,其中一些规则是针对HTTP方法而不是POST;显然,只有适用于POST的规则与本规范相关。

B.1. SCVP Request
B.1. SCVP请求

An SCVP request using the POST method is constructed as follows:

使用POST方法的SCVP请求构造如下:

The Content-Type header MUST have the value "application/scvp-cv-request".

内容类型标头必须具有值“application/scvp cv request”。

The body of the message is the binary value of the DER encoding of the CVRequest, wrapped in a CMS body as described in Section 3.

消息体是CVRequest的DER编码的二进制值,如第3节所述封装在CMS体中。

B.2. SCVP Response
B.2. SCVP响应

An HTTP-based SCVP response is composed of the appropriate HTTP headers, followed by the binary value of the BER encoding of the CVResponse, wrapped in a CMS body as described in Section 4.

基于HTTP的SCVP响应由适当的HTTP头组成,后跟CVVP响应的BER编码的二进制值,如第4节所述封装在CMS正文中。

The Content-Type header MUST have the value "application/scvp-cv-response".

内容类型标题必须具有值“应用程序/scvp cv响应”。

B.3. SCVP Policy Request
B.3. SCVP策略请求

An SCVP request using the POST method is constructed as follows:

使用POST方法的SCVP请求构造如下:

The Content-Type header MUST have the value "application/scvp-vp-request".

内容类型标头的值必须为“应用程序/scvp请求”。

The body of the message is the binary value of the BER encoding of the ValPolRequest, wrapped in a CMS body as described in Section 5.

消息体是ValPolRequest的BER编码的二进制值,如第5节所述,封装在CMS体中。

B.4. SCVP Policy Response
B.4. SCVP政策响应

An HTTP-based SCVP policy response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the ValPolResponse, wrapped in a CMS body as described in Section 6. The Content-Type header MUST have the value "application/scvp-vp-response".

基于HTTP的SCVP策略响应由适当的HTTP头组成,后跟ValPolResponse的DER编码的二进制值,如第6节所述封装在CMS正文中。内容类型标题必须具有值“应用程序/scvp响应”。

Authors' Addresses

作者地址

Trevor Freeman Microsoft Corporation, One Microsoft Way Redmond, WA 98052 USA. EMail: trevorf@microsoft.com

特雷弗·弗里曼微软公司,美国华盛顿州雷德蒙微软大道一号,邮编:98052。电子邮件:trevorf@microsoft.com

Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA EMail: housley@vigilsec.com

Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州20170美国电子邮件:housley@vigilsec.com

Ambarish Malpani Malpani Consulting Services EMail: ambarish@yahoo.com

Ambarish Malpani Malpani咨询服务电子邮件:ambarish@yahoo.com

David Cooper National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 EMail: david.cooper@nist.gov

David Cooper国家标准与技术研究所马里兰州盖瑟斯堡市局道100号邮政站8930邮编:20899-8930电子邮件:David。cooper@nist.gov

Tim Polk National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 EMail: wpolk@nist.gov

蒂姆·波尔克国家标准与技术研究所马里兰州盖瑟斯堡市局道100号邮政站8930邮编20899-8930电子邮件:wpolk@nist.gov

Full Copyright Statement

完整版权声明

Copyright (C) The IETF Trust (2007).

版权所有(C)IETF信托基金(2007年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.