Appendix A: The ITU-T X.509 Standard for Certificate and CRL Formats


These tables list and explain the different fields that make up an X.509 certificate and CRL. More detailed information can be found in the ITU-TX.509 Recommendation (version 03/2000), which can be downloaded from the ITU Web site at www.itu.int.

Table A.1: X.509 Certificate Format

X.509 Field Name

Field Meaning

X.509 Version/Optional-Required/Criticality for Extensions

Version

X.509 version of the encoded certificate

V1 Required

SerialNumber

Unique serial number of the certificate. The serial number together with the issuer name identify a unique certificate.

V1 Required

Signature

Contains the algorithm identifier for the algorithm and hash function used by the CA when signing the certificate.

V1 Required

Issuer

Identifies the entity that has signed and issued the certificate.

V1 Required

Validity

Start and end date of the certificate or the time interval during which the CA warrants that it will maintain status information of the

V1 Required

Subject

Identifies the entity associated with the public key found in the subject public key field.

V1 Required

SubjectPublicKeyInfo

Carries public key being certified and identifies the algorithm of which the public key is an instance.

V1 Required

IssuerUniqueIdentifer

Used to uniquely identify an issuer in case of a name reuse.

V2 Optional

SubjectUniqueIdentifier

Used to uniquely identify a subject in case of a name reuse.

V2 Optional

Extensions

Allows addition of new fields to the certificate structure.

V3 Optional

AuthorityKeyIdentifier

Identifies public key to be used for certificate signature verification.

V3 Optional—always Noncritical

SubjectKeyIdentifier

Identifies public key being certified .

V3 Optional—always Noncritical

KeyUsage

Identifies purpose for which the certified public key is used.

V3 Optional—Critical or Non-critical

PrivateKeyUsagePeriod

Indicates period of use of private key corresponding to certified public key.

V3 Optional—always Noncritical

Certificate Policies

Identifies certificate policies, recognized by issuing CA, that apply to this certificate.

V3 Optional—Critical or Non-critical

PolicyMappings

For CA certificates only: Maps certificate policy defined in one domain to policy in another domain.

V3 Optional—always Noncritical

SubjectAltName

Alternative names for the certificate subject.

V3 Optional—Critical or Non-critical

IssuerAltName

Alternative names for the certificate issuer.

V3 Optional—Critical or Non-critical

SubjectDirectoryAttributes

Lists directory attributes for the certificate

V3 Optional—always Noncritical

BasicConstraints

“CA” field: Can public key listed in this certificate be used to verify other certificates?

“PathLengthConstraint” field: Maximum number of certificates that can follow this certificate in certification path.

V3 Optional—Critical or Non-critical

NameConstraints

Indicates name space within which all subject names in subsequent certificates in a certification path shall be located.

V3 Optional—Critical or Non-critical

PolicyConstraints

Specifies constraints that may require explicit certificate policy identification or inhibit policy mapping for the remainder of the certification path.

V3 Optional—Critical or Non-critical

InhibitAnyPolicy

Specifies that any-policy is not considered an explicit match for other certificate policies.

V3 Optional—Critical or Non-critical

CRLDistributionPoints

Identifies CRL Distribution Point to which a certificate user should refer to ascertain if the certificate has been revoked.

V3 Optional—Critical or Non-critical

Signature

Digital signature on certificate content.

V1 Required

Table A.2: x.509 CRL Format

X.509 Field Name

Field Meaning

X.509 version/Optional-Required/Criticality for Extensions

Version

X.509 version of the encoded CRL.

Optional

Signature

Contains the algorithm identifier for the algorithm and hash function used by the CA when signing the CRL.

Required

Issuer

Identifies the entity that has signed and issued the CRL.

Required

ThisUpdate

Indicates the issue date of the CRL.

Required

NextUpdate

Indicates the date by which the next CRL will be issued.

Optional

RevokedCertificates

Lists the revoked certificates.

Optional

UserCertificate

Serial number of the revoked certificate.

Required

Revocationdate

Specifies date on which revocation occurred.

Required

CRLentryExtensions

Used to provide additional information on single CRL entries.

Optional—V2 only

ReasonCode

Identifies reason for certificate revocation

Optional—always Noncritical

HoldInstructionCode

Provides a registered instruction identifier indicating the action to be taken after encountering a certificate that has been placed on hold.

Optional—always Noncritical

Invaliditydate

Provides date on which it is suspected that the private key was compromised.

Optional—always Noncritical

CertificateIssuer

Allows a CRL to include entries from more than one certificate issuer.

Optional—always Critical

CrlExtensions

Used to provide additional information on the whole CRL.

Optional—V2 only

AuthorityKeyIdentifier

Provides a means to identify the public key that is needed to validate the CRL signature.

Optional—always Noncritical

IssuerAltName

Allows additional name forms to be associated with the CRL issuer.

Optional—Critical or Noncritical

CRLNumber

Increasing sequence number for each CRL issued by the CRL issuer.

Optional—always Noncritical

deltaCRLIndicator

Identifies a CRL as a delta CRL,

Optional—always Critical

IssuingDistributionPoint

Identifies the CRL distribution point for a CRL and indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes.

Optional—always Critical

FreshestCRL

Identifies how to obtain delta CRL information for the base CRL containing the extension.

Optional—always Noncritical

SignatureValue

Digital signature on CRL content.

Required




Windows Server 2003 Security Infrastructures. Core Security Features of Windows. NET
Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
EAN: 2147483647
Year: 2003
Pages: 137
Authors: Jan De Clercq

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net