Below is the proposed extended X.509 certificate format that ANSI X9F1
has developed; it is also possible that ISO may adopt a similar
extension via an expedited process. Note the Extensions field. This
field is required for many purposes; it allows new fields to be added
to the certificate either in new standards or in community agreements.
Perhaps its existence will significantly assist the PEM group in
resolving some current issues.
Warwick
--------------------------
CertificateInfo ::= SEQUENCE {
    version               [0] Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
    issuer                Name,    -- CA's name
    validity              Validity,
    entity                Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID        [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID       [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions            [3] Extensions }

Extensions ::= SET OF Extension

Extension { EXTENSION: ExtensionSet } ::= SEQUENCE {
    type      EXTENSION.&id ({ExtensionSet}),
    value     EXTENSION.&Type ({ExtensionSet} {@type}),
    critical  EXTENSION.&critical ({ExtensionSet} {@type}) }

EXTENSION ::= CLASS
{
    &id        OBJECT IDENTIFIER UNIQUE,
    &Type,
    &critical  BOOLEAN DEFAULT FALSE
}
WITH SYNTAX
{
    SYNTAX &Type
    [CRITICAL &critical]
    IDENTIFIED BY &id
}

Certificate ::= SIGNED {CertificateInfo}

The extensions field allows addition of new fields to the structure
without modification to the ASN.1 definition. An extension consists of
a unique identifier (an object ID), the data type of the extension
(some ASN.1 type), and a criticality flag. If the criticality flag is
FALSE, an implementation should ignore unrecognized extensions. If the
criticality flag is TRUE, unrecognized extensions shall cause the
structure to be considered invalid. E.g., in a certificate, an
unrecognized critical extension would cause validation of a signature
using that certificate to fail.
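The following is an added worked example, not part of Warwick's message and not
code from ANSI X9F1 or the PEM group. It encodes a SET OF Extension laid out
exactly as the ASN.1 above (type, value, critical with DEFAULT FALSE), decodes
it again with a minimal DER reader, and then applies the criticality rule from
the last paragraph: a recognized extension is kept, an unrecognized
non-critical one is ignored, and an unrecognized critical one makes the whole
structure invalid. The identifiers under 2.999 (the OID arc reserved for
documentation examples), the set of "known" extensions and the extension values
are all constructed for the illustration; DER's rule that a component equal to
its DEFAULT is omitted is why a FALSE critical flag never appears on the wire.

```python
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form: 0x80|len(body), body
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_oid(dotted):
    # first two arcs merge into 40*a+b; each sub-identifier is base-128 with MSB continuation
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sid & 0x7F]
        while sid > 0x7F:
            sid >>= 7
            chunk.append(0x80 | (sid & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def encode_extension(oid, value_tlv, critical=False):
    # Extension ::= SEQUENCE { type OID, value <open type>, critical BOOLEAN DEFAULT FALSE };
    # DER omits a component equal to its DEFAULT, so critical is encoded only when TRUE
    body = der_oid(oid) + value_tlv
    if critical:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body)

def encode_extensions(ext_tlvs):
    # Extensions ::= SET OF Extension; DER orders SET OF elements by their encoding
    return der_tlv(0x31, b"".join(sorted(ext_tlvs)))

def read_tlv(buf, pos=0):
    # returns (tag, content, offset just past this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    arcs = [2, subids[0] - 80] if subids[0] >= 80 else [subids[0] // 40, subids[0] % 40]
    return ".".join(str(a) for a in arcs + subids[1:])

def decode_extension(ext_tlv):
    tag, body, _ = read_tlv(ext_tlv)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("type must be an OBJECT IDENTIFIER")
    _, _, end = read_tlv(body, pos)           # value is an open type: keep the raw TLV
    value_tlv, critical = body[pos:end], False
    if end < len(body):                       # an explicit critical BOOLEAN follows
        tag, flag, end = read_tlv(body, end)
        if tag != 0x01:
            raise ValueError("critical must be a BOOLEAN")
        critical = flag != b"\x00"
    if end != len(body):
        raise ValueError("trailing bytes in Extension")
    return {"type": decode_oid(oid), "value": value_tlv, "critical": critical}

def decode_extensions(set_tlv):
    tag, body, _ = read_tlv(set_tlv)
    if tag != 0x31:
        raise ValueError("Extensions must be a SET OF")
    exts, pos = [], 0
    while pos < len(body):
        _, _, nxt = read_tlv(body, pos)
        exts.append(decode_extension(body[pos:nxt]))
        pos = nxt
    return exts

KNOWN_EXTENSIONS = {"2.999.1"}   # hypothetical: the only extension this relying party implements

def validate_extensions(set_tlv, known=KNOWN_EXTENSIONS):
    # recognized -> keep; unrecognized non-critical -> ignore; unrecognized critical -> invalid.
    # Returns (usable, accepted_extensions).
    accepted = []
    for ext in decode_extensions(set_tlv):
        if ext["type"] in known:
            accepted.append(ext)
        elif ext["critical"]:
            return False, []          # unrecognized critical: treat the certificate as invalid
    return True, accepted

# constructed sample data (added example, not from the post); 2.999 is the documentation OID arc
KNOWN_EXT = encode_extension("2.999.1", der_tlv(0x04, b"\x01\x02"))
SAMPLE = encode_extensions([KNOWN_EXT,
                            encode_extension("2.999.2", der_tlv(0x0C, b"ignore me"))])
CRITICAL_SAMPLE = encode_extensions([KNOWN_EXT,
                                     encode_extension("2.999.3", der_tlv(0x0C, b"must understand"), critical=True)])
```

Running validate_extensions(SAMPLE) yields (True, [the 2.999.1 extension]): the
unknown 2.999.2 is silently dropped because its critical flag defaulted to
FALSE. validate_extensions(CRITICAL_SAMPLE) yields (False, []) because 2.999.3
is both unrecognized and critical, which is exactly the case in which a
signature made with that certificate must be rejected. Note that the decoder
never interprets the value field; an open type is carried as raw bytes until a
module that understands the type identified by the OID takes over.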