PKCS #6: Extended-Certificate Syntax Standard

An RSA Laboratories Technical Note
Version 1.5
Revised November 1, 1993*

* Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-21. PKCS documents are available by electronic mail to .

1. Scope

This standard describes a syntax for extended certificates. An extended certificate consists of an X.509 public-key certificate and a set of attributes, collectively signed by the issuer of the X.509 public-key certificate. Thus the attributes and the enclosed X.509 public-key certificate can be verified with a single public-key operation, and an ordinary X.509 certificate can be extracted if needed, e.g., for Privacy-Enhanced Mail (PEM).

The intention of including a set of attributes is to extend the certification process beyond just the public key to certify other information about a given entity, such as electronic-mail address. A non-exhaustive list of attributes is given in PKCS #9.

The preliminary intended application of this standard is in PKCS #7 cryptographic messages, but it is expected that other applications will be developed.

2. References

PKCS #1    RSA Laboratories. PKCS #1: RSA Encryption Standard. Version 1.5, November 1993.

PKCS #7    RSA Laboratories. PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November 1993.

PKCS #9    RSA Laboratories. PKCS #9: Selected Attribute Types. Version 1.1, November 1993.

RFC 1422   S. Kent. RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. February 1993.

X.208      CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.

X.209      CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). 1988.

X.500      CCITT. Recommendation X.500: The Directory - Overview of Concepts, Models and Services. 1988.

X.501      CCITT. Recommendation X.501: The Directory - Models. 1988.

X.509      CCITT. Recommendation X.509: The Directory - Authentication Framework. 1988.

3. Definitions

For the purposes of this standard, the following definitions apply.

AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and any associated parameters. This type is defined in X.509.

Attribute: A type that contains an attribute type (specified by object identifier) and one or more attribute values. This type is defined in X.501.

ASN.1: Abstract Syntax Notation One, as defined in X.208.

BER: Basic Encoding Rules, as defined in X.209.

Certificate: A type that binds an entity's distinguished name to a public key with a digital signature. This type is defined in X.509. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, and a validity period. Appendix A gives more information.

DER: Distinguished Encoding Rules for ASN.1, as defined in X.509, Section 8.7.

Name: A type that uniquely identifies or distinguishes objects in an X.500 directory. This type is defined in X.501. In an X.509 certificate, the type identifies the certificate issuer and the entity whose public key is certified.

PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1422 and related documents.

4. Symbols and abbreviations

No symbols or abbreviations are defined in this standard.

5. General overview

The next section specifies extended-certificate syntax. An appendix reviews the meaning of X.509 certificates.

This standard exports one type, ExtendedCertificate.

6. Extended-certificate syntax

This section gives the syntax for extended certificates.

An extended certificate consists of three parts: extended-certificate information, a signature algorithm identifier, and a digital signature on the extended-certificate information. The extended-certificate information consists of an X.509 certificate (already signed by an issuer) and a set of attributes providing other information about the entity whose public key is certified in the X.509 certificate. The issuer that signs the extended certificate is the same as the one that signs the X.509 certificate.

The process by which an extended certificate is constructed involves the following steps:

1. An ExtendedCertificateInfo value containing an X.509 certificate and a set of attributes is constructed by a certificate issuer.

2. The ExtendedCertificateInfo value is signed with the certificate issuer's private key.

3. The ExtendedCertificateInfo value, a signature algorithm identifier, and the certificate issuer's signature are collected together into an ExtendedCertificate value, defined below.

This section is divided into two parts. The first part describes the extended-certificate-information type ExtendedCertificateInfo, and the second part describes the top-level type ExtendedCertificate.

Notes.

1. In applications where an extended certificate or an X.509 certificate can be processed, the