Major progress was made at the July meeting of ISO/IEC JTC1/SC21 on the
project to extend the X.509 certificate.
The meeting issued a defect report on the 1993 standard with a
proposed resolution (reproduced below) to add an extension field
similar to that proposed for ANSI X9.30-3.
Unless major objections are received in the defect ballot, or
from the implementor workshops (to which liaisons have been sent) then
this extension can become formally adopted at the December ISO
Directories group meeting in Phoenix.
In addition, a Working Draft for specific ISO standard extensions,
which will follow the usual ISO progression path, was produced (I can
supply this on request). The proposed extensions include:
- key identifier
- key usage
- secondary public key
- policies
- authority constraints
Other extensions can be developed by non-ISO groups (e.g., PEM) if
desired.
Extensions to CRLs are also proposed.
----------------------------------
PROPOSED RESOLUTION
Add an extensions field to the certificate as follows:
Certificate ::= SIGNED { SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name, -- CA's name
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] Extensions OPTIONAL } }
Extensions ::= SET OF Extension
Extension ::= SEQUENCE {
extnId EXTENSION.&id ({ExtensionSet}),
critical EXTENSION.&critical ({ExtensionSet} {(_at_)extnId}) }
extnValue EMBEDDED PDV -- Contains a
-- canonical encoding of a value of type &ExtnType for the
-- extension object identified by extnId --
-- Definition of the following information object set is deferred,
perhaps to
-- standardized profiles or to protocol implementation conformance
statements.
-- The set is required to specify a table constraint on the
critical component of
-- Extension.
-- ExtensionSet EXTENSION ::= { ... | ... }
The extensions field allows addition of new fields to the
structure without modification to the ASN.1 definition. An
extension consists of a unique identifier (an object ID), the
data type of the extension (some ASN.1 type), and a criticality
flag. If the criticality flag is FALSE, an implementation should
ignore unrecognized extensions. if the criticality flag is TRUE,
unrecognized extensions shall cause the structure to be
considered invalid, i.e., in a certificate, an unrecognized
critical extension would cause validation of a signature using
that certificate to fail.
The following object class is used to define specific extensions:
EXTENSION ::= CLASS
{
&id OBJECT IDENTIFIER UNIQUE,
&critical BOOLEAN DEFAULT FALSE,
&ExtnType
}
WITH SYNTAX
{
SYNTAX &ExtnType
[CRITICAL &critical]
IDENTIFIED BY &id
}
In Certificate Revocation Lists, the same extension field can be
added, in two places, as follows:
CertificateList ::= SIGNED { SEQUENCE {
signature AlgorithmIdentifier,
issuer Name,
thisUpdate UTCTime,
nextUpdate UTCTime OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate UTCTime,
crlEntryExtensions Extensions OPTIONAL } OPTIONAL,
crlExtensions [0] Extensions OPTIONAL }}