pem-dev

X.509 Cert Extensions - Base Certificate Formats

1994-11-07 19:48:00
ANSI X9 and ISO/IEC JTC1/SC21 are developing extension capabilities for the
X.509 certificates, with a view to achieving an aligned specification for both
groups.  Following is the detailed specification of the ANSI format as agreed
at the Oct 25-27 X9F1 meeting.  It is the same as the July ISO SC21
specification, except for the following minor changes:

(1) Identify a certificate containing an extensions field as a v3 certificate, 
rather than redefine the v2 certificate.
(2) Encode the canonical representation of the extension value as an OCTET 
STRING rather than EMBEDDED PDV.
(3) Add a versions field to the CRL and make the new format v3.

Comments welcome.

Warwick Ford
-----------------------------------
Certificate ::= SIGNED { SEQUENCE {
     version        [0]  Version DEFAULT v1,
     serialNumber        CertificateSerialNumber,
     signature           AlgorithmIdentifier,
     issuer              Name,
     validity            Validity,
     subject             Name,
     subjectPublicKeyInfo     SubjectPublicKeyInfo,
     issuerUniqueID      [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version must be v2 or v3
     subjectUniqueID     [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version must be v2 or v3
     extensions          [3]  Extensions OPTIONAL
                         -- If present, version must be v3 --}    }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

Extensions ::= SEQUENCE OF Extension

Extension ::= SEQUENCE {
     extnId         EXTENSION.&id ({ExtensionSet}),
     critical       EXTENSION.&critical ({ExtensionSet}{@extnId}),
     extnValue      OCTET STRING
                    -- contains a DER encoding of a value of type &ExtnType
                    -- for the extension object identified by extnId -- }

-- Definition of the following information object set is deferred, perhaps to
-- standardized profiles or to protocol implementation conformance statements.
-- The set is required to specify a table constraint on the critical component 
-- of Extension.
--   ExtensionSet   EXTENSION ::=  { ... | ... }



The following object class is used to define specific extensions:

EXTENSION ::= CLASS
{
     &id       OBJECT IDENTIFIER UNIQUE,
     &critical BOOLEAN DEFAULT FALSE,
     &ExtnType
}
WITH SYNTAX
{
     SYNTAX         &ExtnType
     [CRITICAL      &critical]
     IDENTIFIED BY  &id
}

--------------------------------------
CRL Format:


CertificateList ::= SIGNED { SEQUENCE {
     signature           AlgorithmIdentifier,
     issuer              Name,
     thisUpdate               UTCTime,
     nextUpdate               UTCTime OPTIONAL,
     revokedCertificates      SEQUENCE OF SEQUENCE {
          userCertificate          CertificateSerialNumber,
          revocationDate      UTCTime,
          crlEntryExtensions  Extensions OPTIONAL
                      -- If present, version must be v3 -- } OPTIONAL,
     version             [0] Version DEFAULT v1,
                         -- If present, version must be v3
     crlExtensions       [1] Extensions OPTIONAL
                         -- If present, version must be v3 -- }}
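As an added illustration (not part of Warwick Ford's message or of the X9/SC21 text), the following Python encodes and decodes the Extension SEQUENCE defined above using plain DER rules, and applies the version rules stated in the ASN.1 comments (unique identifiers require v2 or v3, extensions require v3). The object identifier and extnValue bytes used in the usage section are constructed sample values, not registered extensions; the DER helpers are simplified (the OID decoder assumes a second arc below 40) and are assumptions of this example, not the standard's own code.

```python
"""Minimal DER helpers for the X.509 v3 Extension structure plus the
version-consistency rules from the certificate comments above."""

V1, V2, V3 = 0, 1, 2  # Version ::= INTEGER { v1(0), v2(1), v3(2) }


def der_len(n: int) -> bytes:
    # DER length: short form below 128, otherwise minimal long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, continuation bit on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def encode_extension(oid: str, extn_value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnId OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER omits a DEFAULT value, so FALSE is never
    encoded and TRUE is the single octet 0xFF."""
    body = encode_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, extn_value)  # extnValue carries the DER of &ExtnType
    return tlv(0x30, body)


def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    # Simplification (assumption): second arc < 40, so the first octet splits cleanly
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_extension(der: bytes):
    """Return (extnId, critical, extnValue); reject encodings that are not DER."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extension must be a single SEQUENCE")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnId must be an OBJECT IDENTIFIER")
    critical = False
    tag, val, nxt = read_tlv(body, pos)
    if tag == 0x01:
        if val != b"\xff":  # an encoded FALSE, or TRUE as 0x01, is not DER
            raise ValueError("critical must be omitted (FALSE) or 0xFF (TRUE)")
        critical = True
        tag, val, nxt = read_tlv(body, nxt)
    if tag != 0x04 or nxt != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return decode_oid(oid_body), critical, val


def check_version(version: int, has_unique_ids: bool, has_extensions: bool) -> bool:
    """Rules from the ASN.1 comments: issuer/subjectUniqueID need v2 or v3,
    extensions need v3 (a v1 or v2 certificate carrying extensions is malformed)."""
    if version not in (V1, V2, V3):
        return False
    if has_unique_ids and version < V2:
        return False
    if has_extensions and version != V3:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample OID and value; "1.2.3.4" is not a registered extension
    ext = encode_extension("1.2.3.4", b"\x05\x00", critical=True)
    print(ext.hex(), decode_extension(ext))
    print(check_version(V1, False, True))  # extensions on a v1 certificate: False
```

The decoder deliberately refuses a BOOLEAN encoded as FALSE or as a non-0xFF TRUE: the extension value is defined as a canonical (DER) encoding, and accepting alternative encodings would let two byte strings represent one logical extension.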
