The ISO/IEC/ITU group responsible for X.509 last week issued Draft Technical
Corrigenda adding extensibility mechanisms to the X.509 certificate and CRL
formats. These result in the definition of the v3 certificate format and v2
CRL
format. These formats are as follows.
-----------------------------------
Certificate Format:
Certificate ::= SIGNED { SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version must be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version must be v3 --} }
Version ::= INTEGER { v1(0), v2(1), v3(2) }
Extensions ::= SEQUENCE OF Extension
Extension ::= SEQUENCE {
extnId EXTENSION.&id ({ExtensionSet}),
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
-- contains a DER encoding of a value of type
&ExtnType
-- for the extension object identified by
extnId -- }
The extensions field allows addition of new fields to the structure without
modification to the ASN.1 definition. An extension field consists of an
extension identifier, a criticality flag, and a canonical encoding of a data
value of an ASN.1 type associated with the identified extension. When an
implementation processing a certificate does not recognize an extension, if the
criticality flag is FALSE, it may ignore that extension. If the criticality
flag is TRUE, unrecognized extensions shall cause the structure to be
considered
invalid, i.e., in a certificate, an unrecognized critical extension would cause
validation of a signature using that certificate to fail.
The following object class is used to define specific extensions. Specific
extensions may be defined in ITU-T Recommendations | International Standards or
by any organization which has a need.
EXTENSION ::= CLASS
{
&id OBJECT IDENTIFIER UNIQUE,
&ExtnType
}
WITH SYNTAX
{
SYNTAX &ExtnType
IDENTIFIED BY &id
}
--------------------------------------
CRL Format:
CertificateList ::= SIGNED { SEQUENCE {
version Version OPTIONAL,
-- if present, version must be
v2--
signature AlgorithmIdentifier,
issuer Name,
thisUpdate UTCTime,
nextUpdate UTCTime OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate UTCTime,
crlEntryExtensions Extensions OPTIONAL }
OPTIONAL,
crlExtensions [0] Extensions OPTIONAL }}
If any extensions included in a CertificateList are defined as critical, the
version element of the CertificateList shall be present. If no extensions
defined as critical are included, the version element shall be absent.
----------------------------------
In addition, the group approved issue of a Proposed Draft Amendment to X.509
defining a set of standard extensions. Draft descriptions of some samples of
extensions of likely interest to this list are given below. The full text
will be available mid-January and will be posted to this list. This text will
constitute a complete specification suitable for experimental implementation.
12.2.2.1 Authority Key Identifier Field
This field enables distinct keys used by the same certification
authority to be differentiated (e.g., as key updating occurs). The
key may be identified by an explicit key identifier, by
identification of a certificate for the key (giving certificate
issuer and certificate serial number), or both. The following
ASN.1 type defines this field:
AuthorityKeyIdentifier EXTENSION ::= {
SYNTAX AuthorityKeyId
IDENTIFIED BY { ce 1 } }
AuthorityKeyId ::= SEQUENCE {
keyIdentifier KeyIdentifier OPTIONAL,
certIssuer Name OPTIONAL,
certSerialNumber CertificateSerialNumber OPTIONAL
-- certIssuer and certSerialNumber constitute a logical pair,
-- and if either is present both must be present. Either this
-- pair or the keyIdentifier field shall be present. If all
-- three fields are present, then the certificate issuer
-- shall ensure they are consistent -- }
KeyIdentifier ::= OCTET STRING
This extension is always non-critical. A key identifier
must be unique with respect to all key identifiers for the
subject with which it is used.
12.4.2.1 Subject Alternative Name Field
This field provides a name, of a name form other than that of
Directory names, which is bound by the CA to the certified public
key. The following ASN.1 type defines this field:
SubjectAltName EXTENSION ::= {
SYNTAX AltName
IDENTIFIED BY { ce 8 } }
AltName ::= CHOICE {
rfc822Name [0] IA5String,
dNSName [1] IA5String,
x400Address [2] ORAddress -- Imported from X.400 --,
privateName [3] INSTANCE OF PRIVATE-NAME }
PRIVATE-NAME ::= TYPE-IDENTIFIER
This extension is always non-critical. An implementation
which recognizes this extension is not required to be able
to process all alternatives of the CHOICE. If the
alternative used is not supported by the implementation, the
extension field is ignored.
Use of the TYPE-IDENTIFIER class is described in Annexes A
and C of ITU-T Rec. X.681 | ISO/IEC 8824-2.
12.4.2.2 Issuer Alternative Name Field
This field provides a name, of a name form other than that of
Directory names, for the certificate issuer. The following ASN.1
type defines this field:
IssuerAltName EXTENSION ::= {
SYNTAX AltName
IDENTIFIED BY { ce 9 } }
This extension is always non-critical. An implementation
which recognizes this extension is not required to be able
to process all alternatives of the CHOICE. If the
alternative used is not supported by the implementation, the
extension field is ignored.
12.4.2.3 Directory Attributes Field
This field conveys any desired Directory attribute values for the
subject of the certificate. The following ASN.1 type defines this
field:
DirectoryAttributes EXTENSION ::= {
SYNTAX AttributesSyntax
IDENTIFIED BY { ce 10 } }
AttributesSyntax ::= SEQUENCE OF Attribute
-- Imported from X.501 InformationFramework
This extension is always non-critical.
12.2.2.4 Certificate Policies Field
This extension field lists certificate policies that the
certificate is expressly recognized as supporting, together with
optional qualifier information pertaining to these policies.
The following ASN.1 type defines this field:
CertificatePolicies EXTENSION ::= {
SYNTAX PolicyInformation
IDENTIFIED BY { ce 4 } }
PolicyInformation ::= SEQUENCE OF SEQUENCE {
certPolicyId CERTIFICATEPOLICY.&id,
qualifier CERTIFICATEPOLICY.&Qualifier {(_at_)certPolicyId}
OPTIONAL }
This extension is always non-critical.
A certificate policy may be defined by any organization with a
need. Object identifiers used to identify certificate policies
shall be assigned in accordance with CCITT Rec. X.660 | ISO/IEC
9834-1. The following ASN.1 object class is used in defining
specific certificate policies:
CERTIFICATEPOLICY ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Qualifier OPTIONAL }
WITH SYNTAX {
POLICY-IDENTIFIER &id
[QUALIFIER-TYPE &Qualifier]}
----------------------------------
Warwick Ford