一、证书相关规范
二、RFC5280翻译
Status of This Memo
此备忘录状态
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
本文档详细说明了互联网社区的 Internet 标准跟踪协议,并请求讨论和改进建议。
有关此协议的标准化状态和状态,请参阅当前版本的"互联网官方协议标准"(STD 1)。
Abstract(摘要)
This memo profiles the X.509 v3 certificate and X.509 v2 certificate
revocation list (CRL) for use in the Internet. An overview of this
approach and model is provided as an introduction. The X.509 v3
certificate format is described in detail, with additional
information regarding the format and semantics of Internet name
forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required
certificate extensions is specified. The X.509 v2 CRL format is
described in detail along with standard and Internet-specific
extensions. An algorithm for X.509 certification path validation is
described. An ASN.1 module and examples are provided in the
appendices.
此备忘录扼要描述了用于 Internet的X509 V3证书 和X509 V2 证书吊销列表。
本介绍概述了X509的方法和模型。
详细介绍了 X.509 v3 证书格式,并提供了有关 Internet 命名形式的格式和语义的其他信息。
描述了标准证书扩展,并定义了两个明确的Internet 的扩展。详细定义一组必需的证书扩展。
详细描述X.509 v2 CRL 格式以及标准、明确的Internet 扩展。
描述了X.509认证路径验证算法。
附录中提供了 ASN.1 模块和示例。
目录
。。。
1. Introduction
This specification is one part of a family of standards for the X.509
Public Key Infrastructure (PKI) for the Internet.
This specification profiles the format and semantics of certificates
and certificate revocation lists (CRLs) for the Internet PKI.
Procedures are described for processing of certification paths in the
Internet environment. Finally, ASN.1 modules are provided in the
appendices for all data structures defined or referenced.
Section 2 describes(说明) Internet PKI requirements(需求) and the assumptions(设想)
that affect the scope of this document. Section 3 presents an
architectural model and describes its relationship to previous IETF
and ISO/IEC/ITU-T standards. In particular, this document's
relationship with the IETF PEM specifications and the ISO/IEC/ITU-T
X.509 documents is described.
Section 4 profiles the X.509 version 3 certificate, and Section 5
profiles the X.509 version 2 CRL. The profiles include the
identification of ISO/IEC/ITU-T and ANSI extensions that may be
useful in the Internet PKI. The profiles are presented in the 1988
Abstract Syntax Notation One (ASN.1) rather than the 1997 ASN.1
syntax used in the most recent ISO/IEC/ITU-T standards.
Section 6 includes certification path validation procedures. These
procedures are based upon the ISO/IEC/ITU-T definition.
Implementations are REQUIRED(要求) to derive the same results but are not
required to use the specified procedures.
1.介绍
此规范是 Internet X.509 公钥基础结构 (PKI) 标准系列的一部分。此规范扼要描述 Internet PKI 的证书和证书吊销列表 (CRLs) 的格式和语义。介绍了在 Internet 环境中处理认证路径的程序(过程)。最后,在附录中提供了定义或引用的所有数据结构的ASN.1模型。第 2 节说明 Internet PKI 需求和影响本文档范围的假设。第 3 节介绍了一个架构模型,并描述了其与以前的 IETF 和 ISO/IEC/ITU-T 标准的关系。第 4 节描述 X.509 V3版本证书,第 5 节描述 X.509 V2版本的CRL。内容还包括在互联网 PKI 中可能有用的 ISO/IEC/ITU-T 标识和 ANSI 扩展。描述使用 1988 年抽象语法符号 (ASN.1) 而不是 1997 年 ASN.1 语法(用于最新的 ISO/IEC/ITU-T 标准)。第 6 节包括认证路径验证过程。 这些程序(过程)基于 ISO/IEC/ITU-T 定义。实现要求派生相同的结果,但不需要使用指定的过程。
Procedures for identification and encoding of public key materials and digital signatures are defined in [RFC3279], [RFC4055], and [RFC4491]. Implementations of this specification are not required to use any particular cryptographic algorithms. However, conforming implementations that use the algorithms identified in [RFC3279], [RFC4055], and [RFC4491] MUST identify and encode the public key materials and digital signatures as described in those specifications.
公钥材料和数字签名相关的身份认证和编码过程在RFC3297,RFC4055和RFC4491定义。此规范的实现不要求使用任何特定的加密算法。但是,符合要求的实现,其算法在RFC3279、RFC4055和RFC4491定义,必须身份验证和编码的公钥材料和签名算法必须是这些规范定义的范围内。
Finally, three appendices are provided to aid implementers. AppendixA contains all ASN.1 structures defined or referenced within this specification. As above, the material is presented in the 1988 ASN.1. Appendix B contains notes on less familiar features of the ASN.1 notation used within this specification. Appendix C contains examples of conforming certificates and a conforming CRL
最后,提供三个附录帮助实现者。附录A包含本规范定义或引用的所有ASN.1结构。
This specification obsoletes [RFC3280]. Differences from RFC 3280 are summarized below:
此规范废弃RFC3280, 与RFC3280不同之处总结如下:
* Enhanced support for internationalized names is specified in Section 7, with rules for encoding and comparing Internationalized Domain Names, Internationalized Resource Identifiers (IRIs), and distinguished names. These rules are aligned with comparison rules established in current RFCs, including [RFC3490], [RFC3987], and [RFC4518].
第 7 节中指定了对国际化名称的增强支持,并指定了用于编码和比较国际化域名、国际化资源标识符 (IRIs) 和可分辨名称的规则。这些规则与当前 RFCs 中建立的比较规则一致,包括 [RFC3490], [RFC3987], 和 [RFC4518].
* Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for continued use of legacy text encoding schemes that were specified in [RFC4630]. Where in use by an established PKI, transition to UTF8String could cause denial of service based on name chaining failures or incorrect processing of name constraints.
第 4.1.2.4 节和 4.1.2.6 节包含了继续使用 [RFC4630] 中指定的旧文本编码方案的条件。在已建立的 PKI 使用中,过渡到 UTF8String 可能会导致基于名称链接失败或名称约束处理不正确的拒绝服务。
* Section 4.2.1.4 in RFC 3280, which specified the privateKeyUsagePeriod certificate extension but deprecated its use, was removed. Use of this ISO standard extension is neither deprecated nor recommended for use in the Internet PKI.
RFC 3280 中的第 4.2.1.4 节(指定了privateKeyUsagePeriod 证书扩展,但已弃用)已被删除。此 ISO 标准扩展的不弃用,也不建议在 Internet PKI 中使用。
* Section 4.2.1.5 recommends marking the policy mappings extensionas critical. RFC 3280 required that the policy mappings extension be marked as non-critical.
第 4.2.1.5 节建议将策略映射扩展标记为关键。 RFC 3280 要求将策略映射扩展标记为非关键。
* Section 4.2.1.11 requires marking the policy constraints extension as critical. RFC 3280 permitted the policy constraints extension to be marked as critical or non-critical.
第 4.2.1.11 节要求将策略约束扩展标记为关键。 RFC 3280 允许将策略约束扩展标记为关键或非关键。
* The Authority Information Access (AIA) CRL extension, as specified in [RFC4325], was added as Section 5.2.7.
[RFC4325] 中指定的颁发机构信息访问 (AIA) CRL 扩展名已添加为第 5.2.7 节。
* Sections 5.2 and 5.3 clarify the rules for handling unrecognized CRL extensions and CRL entry extensions, respectively.
第 5.2 节和第 5.3 节分别阐明了处理未识别的 CRL 扩展和 CRL 条目扩展的规则。
* Section 5.3.2 in RFC 3280, which specified the holdInstructionCode CRL entry extension, was removed.
RFC 3280 中第 5.3.2 节(定义holdInstructionCode CRL 条目扩展名)已被删除。
* The path validation algorithm specified in Section 6 no longer tracks the criticality of the certificate policies extensions in a chain of certificates. In RFC 3280, this information was returned to a relying party.
第 6 节中定义的路径验证算法不再跟踪证书链中证书策略扩展的关键。 在 RFC 3280 中,此信息返回到依赖方。
* The Security Considerations section addresses the risk of circular dependencies arising from the use of https or similar schemes in the CRL distribution points, authority information access, or subject information access extensions.
"安全注意事项"部分讨论在 CRL 分发点、权限信息访问或主题信息访问扩展中使用 https 或类似方案导致循环依赖的风险。
* The Security Considerations section addresses risks associated with name ambiguity.
"安全注意事项"部分解决了与名称歧义相关的风险。
* The Security Considerations section references RFC 4210 for procedures to signal changes in CA operations.
"安全注意事项"部分引用 RFC 4210,用于处理CA 操作签名变化过程。
The ASN.1 modules in Appendix A are unchanged from RFC 3280, except that ub-emailaddress-length was changed from 128 to 255 in order to align with PKCS #9 [RFC2985].
附录 A 中的 ASN.1 模块与 RFC 3280 不一致,但 ub-emailaddress-length从 128 更改为 255,以便与 PKCS #9 [RFC2985] 对齐。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
RFC2119定义了关键字"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
