Internet X.509 Public Key Infrastructure (PKI) Proxy ... - Clizio.com

More documents

Recommendations

Info

RFC 3820 X.509 Proxy Certificate Profile June 2004o A compromised PC private key does NOT compromise the EECprivate key. This makes a short term, or an otherwiserestricted PC attractive for day-to-day use, since acompromised PC does not require the user to go through theusually cumbersome and time consuming process of having the EECwith a new private key reissued by the CA.See Section 5 below for more discussion on how Proxy Certificatesrelate to Attribute Certificates.3. Certificate and Certificate Extensions ProfileThis section defines the usage of X.509 certificate fields andextensions in Proxy Certificates, and defines one new extension forProxy Certificate Information.All Proxy Certificates MUST include the Proxy Certificate Information(ProxyCertInfo) extension defined in this section and the extensionMUST be critical.3.1. IssuerThe Proxy Issuer of a Proxy Certificate MUST be either an End EntityCertificate, or another Proxy Certificate.The Proxy Issuer MUST NOT have an empty subject field.The issuer field of a Proxy Certificate MUST contain the subjectfield of its Proxy Issuer.If the Proxy Issuer certificate has the KeyUsage extension, theDigital Signature bit MUST be asserted.3.2. Issuer Alternative NameThe issuerAltName extension MUST NOT be present in a ProxyCertificate.3.3. Serial NumberThe serial number of a Proxy Certificate (PC) SHOULD be uniqueamongst all Proxy Certificates issued by a particular Proxy Issuer.However, a Proxy Issuer MAY use an approach to assigning serialnumbers that merely ensures a high probability of uniqueness.Tuecke, et al. Standards Track [Page 12]
RFC 3820 X.509 Proxy Certificate Profile June 2004For example, a Proxy Issuer MAY use a sequentially assigned integeror a UUID to assign a unique serial number to a PC it issues. Or aProxy Issuer MAY use a SHA-1 hash of the PC public key to assign aserial number with a high probability of uniqueness.3.4. SubjectThe subject field of a Proxy Certificate MUST be the issuer field(that is the subject of the Proxy Issuer) appended with a singleCommon Name component.The value of the Common Name SHOULD be unique to each ProxyCertificate bearer amongst all Proxy Certificates with the sameissuer.If a Proxy Issuer issues two proxy certificates to the same bearer,the Proxy Issuer MAY choose to use the same Common Name for both.Examples of this include Proxy Certificates for different uses (e.g.,signing vs encryption) or the re-issuance of an expired ProxyCertificate.The Proxy Issuer MAY use an approach to assigning Common Name valuesthat merely ensures a high probability of uniqueness. This value MAYbe the same value used for the serial number.The result of this approach is that all subject names of ProxyCertificates are derived from the name of the issuing EEC (it will bethe first part of the subject name appended with one or more CNcomponents) and are unique to each bearer.3.5. Subject Alternative NameThe subjectAltName extension MUST NOT be present in a ProxyCertificate.3.6. Key Usage and Extended Key UsageIf the Proxy Issuer certificate has a Key Usage extension, theDigital Signature bit MUST be asserted.This document places no constraints on the presence or contents ofthe key usage and extended key usage extension. However, section 4.2explains what functions should be allowed a proxy certificate by arelying party.Tuecke, et al. Standards Track [Page 13]
Page 1 and 2: Network Working GroupRequest for Co
Page 3 and 4: RFC 3820 X.509 Proxy Certificate Pr
Page 11: RFC 3820 X.509 Proxy Certificate Pr
Page 37: RFC 3820 X.509 Proxy Certificate Pr

Internet X.509 Public Key Infrastructure (PKI) Proxy ... - Clizio.com

Create successful ePaper yourself

Delete template?

Save as template?