Internet Engineering Task Force (IETF)                      S. Santesson
Request for Comments: 6170                                  3xA Security
Updates: 3709                                                 R. Housley
Category: Standards Track                                 Vigil Security
ISSN: 2070-1721                                                 S. Bajaj
                                                          Symantec Corp.
                                                            L. Rosenthol
                                                                   Adobe
                                                                May 2011
        
Internet Engineering Task Force (IETF)                      S. Santesson
Request for Comments: 6170                                  3xA Security
Updates: 3709                                                 R. Housley
Category: Standards Track                                 Vigil Security
ISSN: 2070-1721                                                 S. Bajaj
                                                          Symantec Corp.
                                                            L. Rosenthol
                                                                   Adobe
                                                                May 2011
        

Internet X.509 Public Key Infrastructure -- Certificate Image

Internet X.509公钥基础设施--证书映像

Abstract

摘要

This document specifies a method to bind a visual representation of a certificate in the form of a certificate image to a public key certificate as defined in RFC 5280, by defining a new "otherLogos" image type according to RFC 3709.

本文档指定了一种方法,通过根据RFC 3709定义新的“otherLogos”图像类型,将证书图像形式的可视表示绑定到RFC 5280中定义的公钥证书。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6170.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6170.

Copyright Notice

版权公告

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Certificate Image ...............................................3
   3. LogotypeImageInfo ...............................................4
   4. Embedded Images .................................................5
   5. Certificate Image Formats .......................................6
      5.1. PDF ........................................................6
      5.2. SVG ........................................................6
      5.3. PNG ........................................................7
   6. Security Considerations .........................................7
   7. Acknowledgements ................................................8
   8. References ......................................................9
      8.1. Normative References .......................................9
      8.2. Informative References .....................................9
   Appendix A.  ASN.1 Module .........................................10
   Appendix B.  Example ..............................................11
        
   1. Introduction ....................................................2
      1.1. Terminology ................................................3
   2. Certificate Image ...............................................3
   3. LogotypeImageInfo ...............................................4
   4. Embedded Images .................................................5
   5. Certificate Image Formats .......................................6
      5.1. PDF ........................................................6
      5.2. SVG ........................................................6
      5.3. PNG ........................................................7
   6. Security Considerations .........................................7
   7. Acknowledgements ................................................8
   8. References ......................................................9
      8.1. Normative References .......................................9
      8.2. Informative References .....................................9
   Appendix A.  ASN.1 Module .........................................10
   Appendix B.  Example ..............................................11
        
1. Introduction
1. 介绍

This standard specifies how to bind a certificate image to a certificate (defined in [RFC5280]), providing a visual representation of that certificate using the Logotype extension defined in [RFC3709] and specifying the certificate image as a new "otherLogos" type.

本标准规定了如何将证书映像绑定到证书(定义见[RFC5280]),使用[RFC3709]中定义的标识扩展提供该证书的可视表示,并将证书映像指定为新的“其他标识”类型。

The purpose of the certificate image is to aid human interpretation of a certificate by providing meaningful visual information to the user interface (UI).

证书图像的目的是通过向用户界面(UI)提供有意义的视觉信息来帮助人类解释证书。

Typical situations when a human needs to examine the visual representation of a certificate are:

当人员需要检查证书的视觉表示时,典型情况如下:

- A person establishes a secured channel with an authenticated service. The person needs to determine the identity of the service based on the authenticated credentials.

- 一个人用经过身份验证的服务建立一个安全通道。此人需要根据经过身份验证的凭据确定服务的标识。

- A person validates the signature on critical information, such as signed executable code, and needs to determine the identity of the signer based on the signer's certificate.

- 一个人根据关键信息(如已签名的可执行代码)验证签名,并需要根据签名者的证书确定签名者的身份。

- A person is required to select an appropriate certificate to be used when authenticating to a service or Identity Management infrastructure. The person needs to see the available certificates in order to distinguish between them in the selection process.

- 在对服务或身份管理基础架构进行身份验证时,要求人员选择要使用的适当证书。该人员需要查看可用的证书,以便在选择过程中区分它们。

The display of certificate information to humans is challenging due to lack of well-defined semantics for critical identity attributes. Unless the application has out-of-band knowledge about a particular certificate, the application will not know the exact nature of the data stored in common identification attributes such as serialNumber, organizationName, country, etc. Consequently, the application can display the actual data, but faces the problem of labeling that data in the UI and informing the human about the exact nature (semantics) of that data. It is also challenging for the application to determine which identification attributes are important to display and how to organize them in a logical order.

由于缺乏对关键身份属性的定义良好的语义,证书信息向人类的显示具有挑战性。除非应用程序具有特定证书的带外知识,否则应用程序将不知道存储在常见标识属性(如序列号、组织名称、国家/地区等)中的数据的确切性质。因此,应用程序可以显示实际数据,但面临的问题是在UI中标记该数据,并告知人类该数据的确切性质(语义)。对于应用程序来说,确定哪些标识属性需要显示以及如何按逻辑顺序组织它们也是一项挑战。

RFC 3709 [RFC3709] defines a certificate extension for binding images to a certificate, such as a community logo and issuer logo, enhancing the display of certificate information. The syntax is extensible and allows inclusion of new image types using the otherLogos structure. This standard defines how to include a complete certificate image using the extensibility mechanism of RFC 3709.

RFC 3709[RFC3709]定义了一个证书扩展,用于将图像绑定到证书,例如社区徽标和颁发者徽标,从而增强证书信息的显示。该语法是可扩展的,允许使用otherLogos结构包含新的图像类型。本标准定义了如何使用RFC3709的扩展机制包含完整的证书映像。

1.1. Terminology
1.1. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

2. Certificate Image
2. 证书映像

This section defines the certificate image as a new otherLogos type according to Section 4.1 of [RFC3709].

根据[RFC3709]第4.1节,本节将证书图像定义为新的otherLogos类型。

The certificate image otherLogos type is identified by the Object Identifier (OID) id-logo-certimage.

证书图像otherLogos类型由对象标识符(OID)id logo certimage标识。

      id-pkix  OBJECT IDENTIFIER  ::=
           { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) }
        
      id-pkix  OBJECT IDENTIFIER  ::=
           { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) }
        
      id-logo OBJECT IDENTIFIER ::= { id-pkix 20 }
        
      id-logo OBJECT IDENTIFIER ::= { id-pkix 20 }
        
      id-logo-certimage OBJECT IDENTIFIER ::= { id-logo 3 }
        
      id-logo-certimage OBJECT IDENTIFIER ::= { id-logo 3 }
        

When present, the certificate image MUST be a complete visual representation of the certificate. This means that the display of this certificate image represents all information about the certificate that the issuer subjectively defines as relevant to show to a typical human user within the typical intended use of the certificate, giving adequate information about at least the following three aspects of the certificate:

当存在时,证书图像必须是证书的完整视觉表示。这意味着,该证书图像的显示表示关于证书的所有信息,发卡机构主观上定义为在证书的典型预期用途内向典型人类用户显示相关信息,提供关于证书的至少以下三个方面的充分信息:

- Certificate Context

- 证书上下文

- Certificate Issuer

- 证书签发者

- Certificate Subject

- 证书科目

Certificate Context information is visual marks and/or textual information that helps the typical user to understand the typical usage and/or purpose of the certificate.

证书上下文信息是帮助典型用户理解证书的典型用法和/或目的的视觉标记和/或文本信息。

It is up to the issuer to decide what information -- in the form of text, graphical symbols, and elements -- represents a complete visual representation of the certificate. However, the visual representation of Certificate Subject and Certificate Issuer information from the certificate MUST have the same meaning as the textual representation of that information in the certificate itself.

由发行人决定哪些信息(以文本、图形符号和元素的形式)代表证书的完整视觉表示。但是,来自证书的证书主题和证书颁发者信息的视觉表示必须与证书本身中该信息的文本表示具有相同的含义。

Applications providing a Graphical User Interface (GUI) to the certificate user MAY present a certificate image according to this standard in any given application interface, as the only visual representation of a certificate.

向证书用户提供图形用户界面(GUI)的应用程序可以根据本标准在任何给定的应用程序界面中呈现证书图像,作为证书的唯一可视表示。

3. LogotypeImageInfo
3. LogotypeImageInfo

The optional LogotypeImageInfo structure is defined in [RFC3709] and is included here for convenience:

[RFC3709]中定义了可选LogotypeMageInfo结构,为方便起见,此处包括该结构:

     LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize         INTEGER,  -- Horizontal size in pixels
        ySize         INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag
        
     LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize         INTEGER,  -- Horizontal size in pixels
        ySize         INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag
        

NOTE: The referenced RFC 3066 in the structure above (from RFC 3709) is obsolete and is currently replaced by RFC 5646 [RFC5646]. The language tag may carry information about the language used to express any textual elements within the image as well as any audio information associated with the image.

注:上述结构中引用的RFC 3066(来自RFC 3709)已过时,目前由RFC 5646[RFC5646]取代。语言标签可以携带关于用于表示图像内任何文本元素的语言的信息以及与图像相关联的任何音频信息。

When the optional LogotypeImageInfo is included with a certificate image, the parameters shall be used with the following semantics and restrictions.

当可选LogotypeMageInfo包含在证书图像中时,参数的使用应具有以下语义和限制。

xSize and ySize represent the recommended display size for the image. When a value of 0 (zero) is present, no recommended display size is specified. When non-zero values are present and these values differ

xSize和ySize表示图像的建议显示大小。当值为0(零)时,不指定建议的显示大小。当存在非零值且这些值不同时

from corresponding size values in the referenced image file, then the referenced image SHOULD be scaled to fit within the size parameters of LogotypeImageInfo, while keeping the x and y ratio intact.

根据参考图像文件中的相应大小值,则应缩放参考图像,使其符合LogotypeMageInfo的大小参数,同时保持x和y比率不变。

The resolution parameter is redundant for all image formats that are relevant for certificate images and MUST NOT be specified.

对于与证书图像相关的所有图像格式,resolution参数都是多余的,因此不能指定。

4. Embedded Images
4. 嵌入图像

The certificate image otherLogos type defined in this specification and all logotype types defined in RFC 3709 [RFC3709] MAY be stored within the logotype extension using the "data" URL scheme defined in RFC 2397 [RFC2397] if the logotype image is provided through direct addressing, i.e., the image is referenced using the LogotypeDetails structure.

如果标识图像是通过直接寻址提供的,则本规范中定义的证书图像和RFC 3709[RFC3709]中定义的所有标识类型可以使用RFC 2397[RFC2397]中定义的“数据”URL方案存储在标识扩展中,即。,使用LogotypeDetails结构引用图像。

The syntax of Logotype details defined in RFC 3709 is included here for convenience:

为方便起见,此处包含RFC 3709中定义的标识详细信息的语法:

      LogotypeDetails ::= SEQUENCE {
         mediaType       IA5String, -- MIME media type name and optional
                                    -- parameters (see Section 5)
         logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
         logotypeURI     SEQUENCE SIZE (1..MAX) OF IA5String }
        
      LogotypeDetails ::= SEQUENCE {
         mediaType       IA5String, -- MIME media type name and optional
                                    -- parameters (see Section 5)
         logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
         logotypeURI     SEQUENCE SIZE (1..MAX) OF IA5String }
        

The syntax of the "data" URL scheme defined in RFC 2397 is included here for convenience:

为方便起见,此处包含RFC 2397中定义的“数据”URL方案的语法:

      dataurl    := "data:" [ mediatype ] [ ";base64" ] "," data
      mediatype  := [ type "/" subtype ] *( ";" parameter )
      data       := *urlchar
      parameter  := attribute "=" value
        
      dataurl    := "data:" [ mediatype ] [ ";base64" ] "," data
      mediatype  := [ type "/" subtype ] *( ";" parameter )
      data       := *urlchar
      parameter  := attribute "=" value
        

When including the image data in the logotype extension using the "data" URL scheme, the following conventions apply.

当使用“数据”URL方案在标识扩展中包含图像数据时,以下约定适用。

- The value of mediaType in LogotypeDetails MUST be identical to the media type value in the "data" URL.

- LogotypeDetails中的媒体类型值必须与“数据”URL中的媒体类型值相同。

- The hash of the image MUST be included in logotypeHash and MUST be calculated over the same data as it would have been, had the image been referenced through a link to an external resource.

- 图像的哈希必须包含在logotypeHash中,并且必须使用与通过链接到外部资源引用图像相同的数据进行计算。

NOTE: As the "data" URL scheme is processed as a data source rather than as a URL, the image data is typically not limited by any URL length limit settings that otherwise apply to URLs in general.

注意:由于“数据”URL方案是作为数据源而不是URL处理的,因此图像数据通常不受任何URL长度限制设置的限制,这些设置通常适用于URL。

NOTE: Implementations need to be cautious about the size of images included in a certificate in order to ensure that the size of the certificate does not prevent the certificate from being used as intended.

注意:实现需要注意证书中包含的图像的大小,以确保证书的大小不会阻止证书按预期使用。

5. Certificate Image Formats
5. 证书图像格式

Implementations of this specification MUST support JPEG and GIF as defined in RFC 3709 [RFC3709]. In addition to these mandatory-to-implement formats, this specification specifies the use of the Portable Document Format (PDF), Scalable Vector Graphics (SVG), and Portable Network Graphics (PNG) as image formats.

本规范的实现必须支持RFC 3709[RFC3709]中定义的JPEG和GIF。除了这些强制实现的格式外,本规范还规定使用可移植文档格式(PDF)、可缩放矢量图形(SVG)和可移植网络图形(PNG)作为图像格式。

5.1. PDF
5.1. PDF

A certificate image MAY be provided in the form of a Portable Document Format (PDF) document according to [ISO32000] and following the conventions defined in this section. When a certificate image is formatted as a PDF document, it MUST also be formatted according to the profile PDF/A [ISO19005].

根据[ISO32000]并遵循本节中定义的约定,可以以可移植文档格式(PDF)文档的形式提供证书图像。将证书图像格式化为PDF文档时,还必须根据PDF/a[ISO19005]配置文件对其进行格式化。

When including a PDF document as a certificate image, the following MIME media type as specified in [RFC3778] MUST be used as mediaType in LogotypeDetails:

当包含PDF文档作为证书图像时,必须使用[RFC3778]中指定的以下MIME媒体类型作为LogotypeDetails中的媒体类型:

application/pdf

申请表格/pdf

5.2. SVG
5.2. SVG

A certificate image MAY be provided in the form of a Scalable Vector Graphics (SVG) image, which MUST follow the SVG Tiny profile [SVGT] with the following amendments:

可以以可缩放矢量图形(SVG)图像的形式提供证书图像,该图像必须遵循SVG微型配置文件[SVGT],并进行以下修改:

- The SVG image MUST NOT contain any Internationalized Resource Identifier (IRI) references to information stored outside of the SVG image of type B, C, or D, according to Section 14.1.4 of SVG Tiny 1.2 [SVGT].

- 根据SVG Tiny 1.2[SVGT]第14.1.4节,SVG图像不得包含对存储在B、C或D类SVG图像之外的信息的任何国际化资源标识符(IRI)引用。

- The SVG image MUST NOT contain any 'script' element, according to Section 15.2 of SVG Tiny 1.2 [SVGT].

- 根据SVG Tiny 1.2[SVGT]第15.2节,SVG图像不得包含任何“脚本”元素。

- The XML structure in the SVG file MUST use <LF> (linefeed 0x0A) as the end-of-line (EOL) character when calculating a hash over the SVG image.

- 在计算SVG图像上的哈希值时,SVG文件中的XML结构必须使用<LF>(linefeed 0x0A)作为行尾(EOL)字符。

The referenced SVG file MAY be provided in GZIP-compressed [RFC1952] form as an SVGZ file. In this case, the extension 'svgz' is used as an alias for 'svg.gz' [RFC1952], i.e., octet streams of type

引用的SVG文件可以以GZIP压缩[RFC1952]格式作为SVGZ文件提供。在本例中,扩展名“svgz”用作“svg.gz”[RFC1952]的别名,即类型为

image/svg+xml, subsequently compressed with gzip as specified in [SVGR]. The hash over the SVGZ file is calculated over the decompressed SVG content with canonicalized EOL characters (<LF>) as specified above.

image/svg+xml,随后按照[SVGR]中的规定使用gzip进行压缩。SVGZ文件上的散列是在解压的SVG内容上计算的,该内容具有上面指定的规范化EOL字符(<LF>)。

The following MIME media type, defined in Appendix M of [SVGT], MUST be included as mediaType in LogotypeDetails for all SVG and SVGZ images:

[SVGT]附录M中定义的以下MIME媒体类型必须作为媒体类型包含在所有SVG和SVGZ图像的LogotypeDetails中:

image/svg+xml

image/svg+xml

When the SVG image is embedded using the "data" URL scheme as defined in Section 4, SVG image data MUST be provided in SVGZ (GZIP compressed) form (i.e., it MUST NOT be provided in uncompressed SVG form).

当使用第4节中定义的“数据”URL方案嵌入SVG图像时,必须以SVGZ(GZIP压缩)形式提供SVG图像数据(即,不得以未压缩的SVG形式提供)。

Compliant implementations of this specification SHOULD be able to process SVG images that are formatted according to this section.

本规范的兼容实现应该能够处理根据本节格式化的SVG图像。

5.3. PNG
5.3. 巴布亚新几内亚

If a certificate image is provided as a bitmapped image, the PNG [ISO15948] format SHOULD be used.

如果证书图像作为位图图像提供,则应使用PNG[ISO15948]格式。

PNG images are identified by the following mediaType in LogotypeDetails:

PNG图像由LogotypeDetails中的以下媒体类型标识:

image/png

图像/png

6. Security Considerations
6. 安全考虑

This document is based on and inherits all security considerations from RFC 3709 [RFC3709]. In particular, RFC 3709 discusses several issues a Certificate Authority (CA) should take into consideration when evaluating a request to issue a certificate with a certificate image.

本文档基于并继承了RFC 3709[RFC3709]的所有安全注意事项。具体而言,RFC 3709讨论了证书颁发机构(CA)在评估使用证书映像颁发证书的请求时应考虑的几个问题。

Images incorporated according to RFC 3709 provide an additional possibility for a CA with bad intentions or bad security procedures to include false, conflicting, or malicious information to relying parties. Such a CA may, for example:

根据RFC 3709合并的图像为具有不良意图或不良安全程序的CA提供了向依赖方提供虚假、冲突或恶意信息的额外可能性。例如,此类CA可以:

- include information in graphical form that is in conflict with information in provided text-based attributes or other name forms, and

- 包括与提供的基于文本的属性或其他名称形式中的信息冲突的图形形式的信息,以及

- include malicious data that could exploit known security bugs in common software libraries used to render graphical images.

- 在用于渲染图形图像的常用软件库中包含可能利用已知安全漏洞进行攻击的恶意数据。

This underlines the necessity for CAs to provide reliable services, and the relying party's responsibility and need to carefully select which CAs are trusted to provide public key certificates.

这强调了CA提供可靠服务的必要性,以及依赖方的责任和需要仔细选择哪些CA受信任提供公钥证书。

This also underlines the general necessity for relying parties to use up-to-date software libraries to render or dereference data from external sources (such as certificates), to minimize risks related to processing potentially malicious data before the data has been adequately verified and validated.

这也强调了依赖方普遍需要使用最新的软件库来提供或取消引用来自外部来源(如证书)的数据,以便在数据得到充分验证和验证之前将处理潜在恶意数据的风险降至最低。

Referenced image files are hashed in order to bind the image to the signature of the certificate. Some image types, such as SVG, allow part of the image to be collected from an external source by incorporating a reference to an external image file. If this feature were used within a certificate image file, the hash of the image file would only cover the URI reference to the external image file, but not the referenced image data. Clients SHOULD verify that SVGT images meet all requirements listed in Section 5.2 and reject images that contain references to external data.

引用的图像文件被散列,以便将图像绑定到证书的签名。某些图像类型(如SVG)允许通过合并对外部图像文件的引用从外部源收集部分图像。如果在证书映像文件中使用此功能,则映像文件的哈希将只覆盖外部映像文件的URI引用,而不覆盖引用的映像数据。客户应验证SVGT图像符合第5.2节中列出的所有要求,并拒绝包含外部数据参考的图像。

CAs issuing certificates with embedded certificate images should be cautious when accepting graphics from the certificate requestor for inclusion in the certificate if the hash algorithm used to sign the certificate is vulnerable to collision attacks. In such a case, the accepted image may contain data that could help an attacker to obtain colliding certificates with identical certificate signatures.

如果用于签署证书的哈希算法容易受到冲突攻击,则在接受来自证书请求者的图形以包含在证书中时,颁发带有嵌入式证书映像的证书的CA应谨慎。在这种情况下,接受的图像可能包含数据,这些数据可以帮助攻击者获得具有相同证书签名的冲突证书。

Certificates, and hence their certificate images, are commonly public objects and as such usually will not contain privacy-sensitive information. However, when a certificate image that is referenced from a certificate contains privacy-sensitive information, appropriate security controls should be in place to protect the privacy of that information. Details of such controls are outside the scope of this document.

证书及其证书图像通常是公共对象,因此通常不包含隐私敏感信息。但是,当从证书引用的证书映像包含隐私敏感信息时,应实施适当的安全控制以保护该信息的隐私。此类控制的详细信息不在本文件范围内。

7. Acknowledgements
7. 致谢

The authors recognize valuable contributions from members of the PKIX working group, the CA Browser Forum, and James Manger, for their review and sample data.

作者们感谢PKIX工作组、CA浏览器论坛和James Manger成员的宝贵贡献,感谢他们的审查和样本数据。

8. References
8. 工具书类
8.1. Normative References
8.1. 规范性引用文件

[RFC1952] Deutsch, P., "GZIP file format specification version 4.3", RFC 1952, May 1996.

[RFC1952]Deutsch,P.,“GZIP文件格式规范版本4.3”,RFC1952,1996年5月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2397] Masinter, L., "The "data" URL scheme", RFC 2397, August 1998.

[RFC2397]Masinter,L.“数据”URL方案”,RFC 2397,1998年8月。

[RFC3709] Santesson, S., Housley, R., and T. Freeman, "Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates", RFC 3709, February 2004.

[RFC3709]Santesson,S.,Housley,R.,和T.Freeman,“互联网X.509公钥基础设施:X.509证书中的标识类型”,RFC 37092004年2月。

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 52802008年5月。

[RFC5646] Phillips, A., Ed., and M. Davis, Ed., "Tags for Identifying Languages", BCP 47, RFC 5646, September 2009.

[RFC5646]Phillips,A.,Ed.,和M.Davis,Ed.,“识别语言的标签”,BCP 47,RFC 5646,2009年9月。

[ISO15948] ISO/IEC 15948:2004, "Information technology -- Computer graphics and image processing -- Portable Network Graphics (PNG): Functional specification", 2004.

[ISO15948]ISO/IEC 15948:2004,“信息技术——计算机图形和图像处理——便携式网络图形(PNG):功能规范”,2004年。

[ISO19005] ISO 19005-1:2005, "Document management -- Electronic document file format for long-term preservation -- Part 1: Use of PDF 1.4 (PDF/A-1)", 2005.

[ISO19005]ISO 19005-1:2005,“文件管理——长期保存的电子文件格式——第1部分:PDF 1.4(PDF/A-1)的使用”,2005年。

[ISO32000] ISO 32000-1:2008, "Document management -- Portable document format -- Part 1: PDF 1.7", April 2008.

[ISO32000]ISO 32000-1:2008,“文件管理——可移植文件格式——第1部分:PDF 1.7”,2008年4月。

[SVGT] W3C Recommendation, "Scalable Vector Graphics (SVG) Tiny 1.2 Specification", December 2008.

[SVGT]W3C建议,“可缩放矢量图形(SVG)Tiny 1.2规范”,2008年12月。

8.2. Informative References
8.2. 资料性引用

[RFC3778] Taft, E., Pravetz, J., Zilles, S., and L. Masinter, "The application/pdf Media Type", RFC 3778, May 2004.

[RFC3778]Taft,E.,Pravetz,J.,Zilles,S.,和L.Masinter,“应用程序/pdf媒体类型”,RFC 3778,2004年5月。

[SVGR] "Media Type Registration for image/svg+xml", http://dev.w3.org/SVG/profiles/1.1F2/master/mimereg.html.

[SVGR]“图像/svg+xml的媒体类型注册”,http://dev.w3.org/SVG/profiles/1.1F2/master/mimereg.html.

Appendix A. ASN.1 Module
附录A.ASN.1模块
   CERT-IMAGE-MODULE { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-logotype-certimage(68) }
        
   CERT-IMAGE-MODULE { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-logotype-certimage(68) }
        
   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN
        
   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN
        

EXPORTS ALL; -- export all items from this module

全部出口;——从该模块导出所有项目

       id-logo-certImage  OBJECT IDENTIFIER  ::=
             { iso(1) identified-organization(3) dod(6) internet(1)
             security(5) mechanisms(5) pkix(7) id-logo(20) 3 }
        
       id-logo-certImage  OBJECT IDENTIFIER  ::=
             { iso(1) identified-organization(3) dod(6) internet(1)
             security(5) mechanisms(5) pkix(7) id-logo(20) 3 }
        

END

终止

Appendix B. Example
附录B.示例

The following example stores an embedded svgz-encoded SVG image using the "data" URL scheme.

以下示例使用“数据”URL方案存储嵌入式svgz编码的SVG图像。

      data:image/svg+xml;base64,H4sICLXutU0AA0NlcnRJbWFnZURlbW8uc3ZnANVa
      W2/bOBZ+n19BqBigwdoS7xK9jmeapB0EWHQHzez2WZZoR1tZMiQ5jvvr95CSL7Gl1E
      m8C9d9iERSPOd85+O5EB3+9jhL0YMuyiTPLh3iYgfpLMrjJJteOv/661M/cFBZhVkc
      pnmmL50sd34b/TIsH6YoiS+da11UySSJwkqj21k41Q6CDbNyUMSTS+e+quYDz1sul+
      6SuXkx9YhSysPUo7QPK/rlKqvCx35Wvmu+a/uGYow9EOigh0Qvr/LHSwcjjDjGiGHQ
      914n0/sKlMf4Vwctk7i6X7/sGEYdNA5L/WeRT5IUDKmSbLVWNoo2cqNCh1XyoKN8Ns
      uz0iqwVW8Qb1fOF0Vqp+PI06me6awqPeISzxn9goYzXYVxWIUWpfWLCMwcGoLpgy83
      n8wzGkbR4GtefENmMBznC7DEroKpOBpM8mIWVqPEYGtA+BvoMfS2E5uF1Wqu7R6FLv
      NFEelWReNolpiV3l2VpGntMW9nk6RKdf0+9BrFrMbeVuWhtzbHvMR6UlobPyVpBWjX
      Bk7six2vH5nCwY6nXCo5xb7YusvFVPqCOGh16fSxSxglmPkScLfvmDDmC4FlDc1wov
      8IF2WZhNlVumgEPRliimDD3PhGPyTgUUMC6lKqKAjxaptq1boUJvQFsvi+LOJyxZkP
      E/vCwHuAmXmoj1AarnRBatzqkbv7cK5Ls2ORfwM/vsOG5lURZqXxOnDXPKZw5t5jVz
      IhFKO0B6D6hARSXDR6Fzqq7H7mQeJAOQiUSPvFIrUHOfuui3zrFI5dYVeAmpcOcOb9
      u63vLjae4kYX4yRifYPrTa2SlMigYdO+cEWeGADMLZLH96SH4R9xRYApl6q3Y02f+N
      zlRAl+cZSKhB6qSIVa80fsqMnWOqZJpmsXwAPoyNaQ95uNIGasKPwhxGzQzOXzMIIz
      BKabmLIil470zfSjWWn+kvpvLQ9g1l3yRIc8gukz0uysEcakcDfy3KMk+l0SOXlOop
      ltJL7EPtUlzZfP4tnM70k8xkKCySt92MwfIXPoTe0pnu4dYbp7hJ/kxWySN0ey0o/1
      qbiCsxDXJMWWo37QekBcAUFPSGkPCnUJF5wwBacDK5cGlEp4BC2lYoJcrNNGVc7DzI
      qxT4CKsPlrAG8mL8whRejiQe9EmImIAoz3sds9NxP4RZEzugqzb7c3Q89u3WQKY9ae
      gbsA/AUJB/bJs6pfJt9BHFEuk5DWITzOH5uZSThLUsDjQ5GE6RMsyihMTaQLfA6BIi
      AQMAhnHHN1sd61WtUhDVJiuhkrdBXd740+hLB9Vm1HjQe4ywLOBLWOMMiyQAXNB8sm
      9Gx2qdGgGkMG6wY8aLfqgH4dfnmrVc+pPrE/Z/QnZOs8C1Okb2/ggwLdxlDC1D6DFP
      ZDD98txv8xQf5TEc7Ax6ZyaDf6BC4SylWKCMqtizp80+UMchATal63qHq0M3ZTs83O
      b/XO6LYsFzpGVY5+iLxdWvwY+NaKoR/0iJIXL3dBjT2hG+wO+NXm53XStSh1eogfeo
      jV35BTOaqh/cmPUe2Mdp91pQp2CjWOO2k7OamhjU1HB3DLGm66n6iajz4bqn2oICmN
      FxDR/x2mC5s+rKhlkUA3Ne3P8lgP0qJfjf9uvu+HWXSfFwNoH4uqGUmTadYMtOc7yj
      EEd9EUhkwEEOcDSHKQ+yhnSvUYRH8miQo2FK5TCjWZZGWKB8iHPud16wApnCvTOzjI
      FAj9TQdCxa+ddOTizaa1xJvD0qMrKx+Ydaj6iwJQG0vaSdYWpTv4HwVRAP3Z6ONjOJ
      unEIeKRVmhujpA2+wPmQR9WFQAFhh9bGQzFEXX+WwOnXq8pV35P2Acdn0pGebcMg7O
      gQKaEdOKEAkFlk/9HuEKGBVwucc4AjnJ/LBYU09hVwWY1F0HlBUC2lbyIuYF58O8p+
      adMwUt9YAoX/IwRtAC9NAdBAyGuEB3VR59u8/TGYx9/Xjz8bPB/Z/F9B0SghBK+4xx
      fiwtr0GXECqedQQ9PRVpEAQ+26MidbGSmPm8RwRzcQsT17EPSmoorH3+av4Jcj78O/
      vIp/uzMEkHKAE6/F7VHHSj8HddR0Q3ymcGZfRVjwfmOnNn3GuWR+FzhcPmPqiptHca
      yacT28T8j3Cs0/LQCwo6J2iYxP4R58AsobjFegusoJhuq7VNS2evRPcqASvQki+gbk
      BYwETNPt/1A2pT6UErR1zMzUITZRvF5Lp5basO1fk2U4aBSjkji8quL3cDyW7TpI3u
      nxezMcSTNhQJhfpGctKgKN2Amo7/7ShSev4oXicPSYS+6GkCm9a1Qw3VEchCUA+z5H
      tTcbQhK6F14YFUp+Yn7WgmzwpZCDf5DDiXT9B7U6RdHAHpdb7IqmLVjqZSLnTW61zj
      Q7/G7D3hm9E846uTDZoNMADmLlm7IG2ieXfUtu1US9TeNGUHibE9Nv//2jRJGZfQmK
      3v7ykJJOv1IXjBsDCPpmgWppe6sHxR3KVSQKqp+WIqammuJbtqkxZmMHry4oS/9pLh
      dCXKq8uR0R+LDEqCKRxqc5VXdvPvIP+ggwR0RkyBfO9iKZvrWGAKVdz31cuocvoO/q
      emClFMYEFEH7oI+vpkek4s4bCMBqK+5mHQUlDpE/oylpy+2/6pWXK31PEYagP04epV
      1cE50UMy6IQZeQM7+Ol74Z+eHfpHNc7OjffQ/HeV0X8BopoDkGEkAAA=
        
      data:image/svg+xml;base64,H4sICLXutU0AA0NlcnRJbWFnZURlbW8uc3ZnANVa
      W2/bOBZ+n19BqBigwdoS7xK9jmeapB0EWHQHzez2WZZoR1tZMiQ5jvvr95CSL7Gl1E
      m8C9d9iERSPOd85+O5EB3+9jhL0YMuyiTPLh3iYgfpLMrjJJteOv/661M/cFBZhVkc
      pnmmL50sd34b/TIsH6YoiS+da11UySSJwkqj21k41Q6CDbNyUMSTS+e+quYDz1sul+
      6SuXkx9YhSysPUo7QPK/rlKqvCx35Wvmu+a/uGYow9EOigh0Qvr/LHSwcjjDjGiGHQ
      914n0/sKlMf4Vwctk7i6X7/sGEYdNA5L/WeRT5IUDKmSbLVWNoo2cqNCh1XyoKN8Ns
      uz0iqwVW8Qb1fOF0Vqp+PI06me6awqPeISzxn9goYzXYVxWIUWpfWLCMwcGoLpgy83
      n8wzGkbR4GtefENmMBznC7DEroKpOBpM8mIWVqPEYGtA+BvoMfS2E5uF1Wqu7R6FLv
      NFEelWReNolpiV3l2VpGntMW9nk6RKdf0+9BrFrMbeVuWhtzbHvMR6UlobPyVpBWjX
      Bk7six2vH5nCwY6nXCo5xb7YusvFVPqCOGh16fSxSxglmPkScLfvmDDmC4FlDc1wov
      8IF2WZhNlVumgEPRliimDD3PhGPyTgUUMC6lKqKAjxaptq1boUJvQFsvi+LOJyxZkP
      E/vCwHuAmXmoj1AarnRBatzqkbv7cK5Ls2ORfwM/vsOG5lURZqXxOnDXPKZw5t5jVz
      IhFKO0B6D6hARSXDR6Fzqq7H7mQeJAOQiUSPvFIrUHOfuui3zrFI5dYVeAmpcOcOb9
      u63vLjae4kYX4yRifYPrTa2SlMigYdO+cEWeGADMLZLH96SH4R9xRYApl6q3Y02f+N
      zlRAl+cZSKhB6qSIVa80fsqMnWOqZJpmsXwAPoyNaQ95uNIGasKPwhxGzQzOXzMIIz
      BKabmLIil470zfSjWWn+kvpvLQ9g1l3yRIc8gukz0uysEcakcDfy3KMk+l0SOXlOop
      ltJL7EPtUlzZfP4tnM70k8xkKCySt92MwfIXPoTe0pnu4dYbp7hJ/kxWySN0ey0o/1
      qbiCsxDXJMWWo37QekBcAUFPSGkPCnUJF5wwBacDK5cGlEp4BC2lYoJcrNNGVc7DzI
      qxT4CKsPlrAG8mL8whRejiQe9EmImIAoz3sds9NxP4RZEzugqzb7c3Q89u3WQKY9ae
      gbsA/AUJB/bJs6pfJt9BHFEuk5DWITzOH5uZSThLUsDjQ5GE6RMsyihMTaQLfA6BIi
      AQMAhnHHN1sd61WtUhDVJiuhkrdBXd740+hLB9Vm1HjQe4ywLOBLWOMMiyQAXNB8sm
      9Gx2qdGgGkMG6wY8aLfqgH4dfnmrVc+pPrE/Z/QnZOs8C1Okb2/ggwLdxlDC1D6DFP
      ZDD98txv8xQf5TEc7Ax6ZyaDf6BC4SylWKCMqtizp80+UMchATal63qHq0M3ZTs83O
      b/XO6LYsFzpGVY5+iLxdWvwY+NaKoR/0iJIXL3dBjT2hG+wO+NXm53XStSh1eogfeo
      jV35BTOaqh/cmPUe2Mdp91pQp2CjWOO2k7OamhjU1HB3DLGm66n6iajz4bqn2oICmN
      FxDR/x2mC5s+rKhlkUA3Ne3P8lgP0qJfjf9uvu+HWXSfFwNoH4uqGUmTadYMtOc7yj
      EEd9EUhkwEEOcDSHKQ+yhnSvUYRH8miQo2FK5TCjWZZGWKB8iHPud16wApnCvTOzjI
      FAj9TQdCxa+ddOTizaa1xJvD0qMrKx+Ydaj6iwJQG0vaSdYWpTv4HwVRAP3Z6ONjOJ
      unEIeKRVmhujpA2+wPmQR9WFQAFhh9bGQzFEXX+WwOnXq8pV35P2Acdn0pGebcMg7O
      gQKaEdOKEAkFlk/9HuEKGBVwucc4AjnJ/LBYU09hVwWY1F0HlBUC2lbyIuYF58O8p+
      adMwUt9YAoX/IwRtAC9NAdBAyGuEB3VR59u8/TGYx9/Xjz8bPB/Z/F9B0SghBK+4xx
      fiwtr0GXECqedQQ9PRVpEAQ+26MidbGSmPm8RwRzcQsT17EPSmoorH3+av4Jcj78O/
      vIp/uzMEkHKAE6/F7VHHSj8HddR0Q3ymcGZfRVjwfmOnNn3GuWR+FzhcPmPqiptHca
      yacT28T8j3Cs0/LQCwo6J2iYxP4R58AsobjFegusoJhuq7VNS2evRPcqASvQki+gbk
      BYwETNPt/1A2pT6UErR1zMzUITZRvF5Lp5basO1fk2U4aBSjkji8quL3cDyW7TpI3u
      nxezMcSTNhQJhfpGctKgKN2Amo7/7ShSev4oXicPSYS+6GkCm9a1Qw3VEchCUA+z5H
      tTcbQhK6F14YFUp+Yn7WgmzwpZCDf5DDiXT9B7U6RdHAHpdb7IqmLVjqZSLnTW61zj
      Q7/G7D3hm9E846uTDZoNMADmLlm7IG2ieXfUtu1US9TeNGUHibE9Nv//2jRJGZfQmK
      3v7ykJJOv1IXjBsDCPpmgWppe6sHxR3KVSQKqp+WIqammuJbtqkxZmMHry4oS/9pLh
      dCXKq8uR0R+LDEqCKRxqc5VXdvPvIP+ggwR0RkyBfO9iKZvrWGAKVdz31cuocvoO/q
      emClFMYEFEH7oI+vpkek4s4bCMBqK+5mHQUlDpE/oylpy+2/6pWXK31PEYagP04epV
      1cE50UMy6IQZeQM7+Ol74Z+eHfpHNc7OjffQ/HeV0X8BopoDkGEkAAA=
        

Authors' Addresses

作者地址

Stefan Santesson 3xA Security (AAA-sec.com) Bjornstorp 744 247 98 Genarp Sweden EMail: sts@aaa-sec.com

Stefan Santesson 3xA Security(AAA sec.com)Bjornstorp 744 247 98 Genarp瑞典电子邮件:sts@aaa-证券交易委员会

Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA EMail: housley@vigilsec.com

Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州20170美国电子邮件:housley@vigilsec.com

Siddharth Bajaj Symantec Corp. 350 Ellis Street Mountain View, CA 94043 USA EMail: siddharthietf@gmail.com

Siddharth Bajaj Symantec Corp.美国加利福尼亚州埃利斯街山景城350号邮编94043电子邮件:siddharthietf@gmail.com

Leonard Rosenthol 3533 Sunset Way Huntingdon Valley, PA 19006 USA EMail: leonardr@adobe.com

宾夕法尼亚州亨廷顿谷日落大道3533号伦纳德·罗森索尔19006美国电子邮件:leonardr@adobe.com