PKI PKI
1... 1-1 1.1.... 1-1 1.2.... 1-2 1.3. PKI... 1-3 1.4. PKI... 1-3 1.5.... 1-3 1.6. PKI... 1-5 1.7.... 1-5 1.8.... 1-6 1.9.... 1-6 2 PKI... 2-1 2.1. PKI FORUM... 2-1 2.1.1.... 2-1 2.1.2.... 2-2 2.1.3.... 2-3 2.2. PKI CHALLENGE... 2-5 2.2.1. PKI... 2-5 2.2.2. []... 2-6 2.2.3. [ II ]PKI... 2-6 2.2.4. [ III ] &... 2-7 3... 3-1 3.1. PKI... 3-1 3.2. CESGPKI ( )... 3-1 3.3. EMA CHALLENGE 2000... 3-3 3.4. GPKI... 3-3 3.4.1. GPKI... 3-4 3.4.2. GPKI... 3-5 3.4.3. GPKI... 3-5 3.5. DOD BCA TECHNOLOGY DEMONSTRATIONPHASE... 3-5 3.6. EEMA PKI CHALLENGE... 3-7 3.7. 3... 3-8 3.8. CHALLENGE PKI 2001... 3-9 4... 4-1 4.1. S/MIME... 4-1 4.1.1. S/MIME... 4-1 4.1.2.... 4-3 4.1.3. S/MIME... 4-4 4.1.4. S/MIME... 4-4 4.1.5. PKI... 4-5 4.2. TLSTRANSPORT LAYER SECURITY... 4-5 4.2.1. TLS... 4-5 4.2.2. TLS... 4-7 4.2.3. TLS... 4-7 4.2.4. TLS... 4-8 4.2.5. TLS PKI... 4-8 4.3. IKE (INTERNET KEY EXCHANGE)... 4-9 4.3.1.... 4-9 4.3.2. IKE... 4-10
4.3.3. IKE... 4-13 4.3.4. IKE PKI... 4-14 5 PKI... 5-1 5.1. PKI... 5-1 5.1.1. Single CA... 5-1 5.1.2. Strict Hierarchy... 5-2 5.1.3. Web... 5-3 5.1.4. Cross-Certification... 5-4 5.1.5. Bridge CA...5-5 5.2.... 5-5 5.2.1.... 5-5 5.2.2.... 5-8 5.2.3.... 5-14 6 PKI... 6-1 6.1.... 6-1 6.1.1.... 6-1 6.1.2.... 6-9 6.1.3.... 6-14 6.2.... 6-21 6.3. PKI... 6-22 6.4. VS... 6-23 7... 7-1 7.1.... 7-1 7.2.... 7-1 7.2.1.... 7-2 7.2.2.... 7-3 7.2.3.... 7-4 7.3.... 7-5 7.3.1.... 7-5 7.3.2. CA... 7-5 7.3.3. S/MIME... 7-6 7.3.4. IPsec... 7-7 7.3.5. 7.3.6. Web... 7-8 Web... 7-9 7.4.... 7-10 7.4.1.... 7-10 7.4.2. CA... 7-10 7.4.3. S/MIME...7-11 7.5.... 7-13 7.5.1.... 7-13 7.5.2. CA... 7-13 7.5.3. S/MIME... 7-14 8... 8-1 8.1.... 8-1 8.1.1. DER... 8-1 8.1.2. DN... 8-2 8.1.3. DirectoryString... 8-6 8.1.4. serialnumber... 8-8
8.1.5. basicconstraints.ca... 8-9 8.1.6. basicconstraints.pathlenconstraint... 8-10 8.1.7. keyusage...8-11 8.1.8.... 8-12 8.2.... 8-13 8.2.1. {subject authority}keyidentifier... 8-13 8.3.... 8-14 8.3.1. critical... 8-14 8.4.... 8-16 8.4.1.... 8-16 8.4.2.... 8-18 8.4.3.... 8-19 9... 9-1 9.1.... 9-1 9.1.1.... 9-1 9.1.2.... 9-1 9.1.3.... 9-2 9.2.... 9-2 9.2.1.... 9-2 9.2.2.... 9-3 9.3.... 9-4 9.3.1. PKI... 9-4 9.3.2. C... 9-4 9.3.3.... 9-5 9.3.4.... 9-5 9.3.5.... 9-5 9.4.... 9-6
PKI PKI IPA PKI NPO JNSA PKI CA Challenge PKI 2001 Challenge PKI 2001 CA PKI PKI ITU IETF ITU X.509 IETF/PKIX RFC2459 PKI PKI X.509 RFC2459 X.509 RFC2459 PKI PKI PKI Forum PKI Forum PKI PKI X.509 RFC2459 Identrus GPKI PKI PKI PKI PKI PKI PKI
PKI Challenge PKI 2001 CA PKI PKI Challenge PKI 2001 (1) CA (2) PKI (3) PKI (1) (2)(3) PKI PKI PKI Challenge PKI 2001 PKI PKI CA PKI (1) PKI CA PKI PKI PKI PKI CA
(2) PKI PKI PKI PKI PKI PKI PKI PKI PKI PKI CA CP/CPS PKI PKI PKI PKI Forum White Paper PKI Interoperability Framework EEMA (European Forum for Electronic Business) PKI PKI Challenge 2 PKI Challenge PKI 2001 PKI PKI PKI PKI EEMA PKI PKI Challenge WP2-N013 Interoperability Test Criteria http://www.eema.org/pki-challenge/files/wp2-n013.pdf PKI Challenge 9 PKI PKI
PKI PKI ITU X.509 PKIX RFC2459 PKI X.509RFC2459 Challenge PKI 2001 X.509 RFC2459 CA Challenge PKI 2001 GPKI GPKI GPKI PKI http://www.gpki.go.jp/session/010514_2.pdf
Challenge PKI 2001 CA CA CA CA CA PKI Forum White PaperCA-CA Interoperability CA-CA Interoperability White Paper http://www.pkiforum.org/resources.html 5 PKI PKI PKI CA PKI SSL IPsec S/MIME (1) CA 2 CA
(2) (3) GPKI GPKI (4) SSL / IPsec/IKE S/MIME 4 7 PKI Challenge PKI 2001 PKI 8 8 PKI 4 5 PKI 6 PKI PKI PKI JNSA 9 CA PKI 9 CA CA
PKI S/MIME S/MIME
Challenge PKI 2001 CA PKI PKI Forum PKI Challenge PKI Forum PKI Interoperability Framework http://www.pkiforum.org/pdfs/pkiinteroperabilityframework.pdf Challenge PKI Interoperability Test Criteria http://www.eema.org/pki-challenge/files/wp2-n013.pdf Challenge PKI 2001 PKI Forum PKI PKI White Paper White Paper PKI Forum PKI Interoperability Framework PKI Interoperability Framework PKI PKI PKI Interoperability Framework PKI PKI Interoperability Framework
(1) PKI CA-CA CA-RA -CA -RA (2) PKI (3) PKI (4) (5) Challenge PKI 2001 CA CA-CA (1) (2) (3) (4) (1) -RA CA-RA 2 S/MIME PKI Challenge PKI 2001 IPsec PKI Interoperability Framework (1) (2)
(3) (4) (5) CA PKI Challenge PKI 2001 S/MIME, IPsec, SSL Challenge PKI 2001 CA 2 PKI PKI 2-2 1 2 PKI
PKI 2 PKI (1) PKI (2) 1 PKI PKI PKI Challenge PKI 2001 PKI Challenge PKI 2001 PKI
PKI Challenge EEMA (European Forum for Electronic Business) EU PKI PKI Challenge PKI PKI PKI PKI Challenge 3 [] [ II ]PKI [ III ] & 3 END ENTITY A I END ENTITY B Applications COMMUNICATIONS Applications Crypto Directory & Validation Services III Crypto II PKI A PKI B RA CA RA RA CA CA RA X.509 V3 X.509 V3 X.509 V3 X.509 V3
S/MIME XML HTML Web VPN EDI PKI Forum Challenge PKI 2001 IPsec VPNSSLS/MIME PKI CA CA/RA CA RA END ENTITY A END ENTITY B Crypto Crypto Sub Sub CA RA Sub CA RA Smart Card II Sub Sub CA RA Sub CA RA Root CA Root CA PKI A PKI B
CA PKIX-CMP CRMF CA/RA CA RA CA RA RA CA RA Challenge PKI 2001 CA Challenge PKI 2001 PKI & LDAP CRLDP & deltacrl OCSP X.500 DAP Challenge PKI 2001 LDAP
CA PKI Challenge PKI 2001 Challenge PKI 2001 PKI CESG PKI EMA Challenge 2000 GPKI BCA Technology DemonstrationPhase 2 EEMA PKI Challenge ( EU ) PKI (1) CMPv2 (2) (3) CA-CA (4) (5) OCSP (6) CMC White Paper Challenge PKI 2001 (3) CA-CA - Communications-Electronics Security Group CESG 10 PKI PKI 2001 2 5 CLOUD COVER PKI CESG PKI PKI PKI HMG Root Authority CESG PKI PKI
PKI CLOUD COVER PKI http://www.cesg.gov.uk/technology/pki/interop/media/pkidemonstratorfinalreport.pdf CLOUD COVER PKI IMPLEMENTOR'S GUIDE http://www.cesg.gov.uk/technology/pki/cloud-cover/media/impgd0a.pdf Baltimore Technologies Root CA Compaq Entegrity Solutions Entrust Reflex Magnetics Spyrus XCert RSA Security SSE S/MIME Shym Novell Baltimore Technologies Root CA Baltimore Technologies CA 7 CA CA CA S/MIME S/MIME CESG RSA DSA SHA-1 S/MIMEv3 CLOUD COVER Challenge PKI 2001 S/MIME RSA
EMA (Electronic Messaging Association) The EMA Secure Messaging Challenge http://www.ema.org/challenge/index.htm
Challenge 1 (1996) - X.400
Challenge 2 (1997) - Directory
Challenge 3 (1999) - PKI Bridged Certificate Authority
Challenge 4 (2001) - Secure Messaging
EMA PKI 2000 Challenge 3 (1999) - PKI Bridged Certificate Authority PKI Electronic Messaging Association Challenge 2000 http://csrc.ncsl.nist.gov/pki/documents/emareport_20001015.pdf Electronic Messaging Association Challenge 2000 2000 4 FBCA PKI 5 CA Entrust, Cybertrust, Spyrus, CygnaCom 4 PKI 7 PKI S/MIME CA PKI Challenge PKI 2001 PKI EMA Challenge 2000 GPKI GPKI GPKI CP/CPS
GPKI GPKI 2000 GPKI CA CA 1 4 4 PKI (1) (2) (3) PKI OCSP OCSP CRL/ARL GPKI http://www.gpki.go.jp/ GPKI http://www.gpki.go.jp/documents/arch.html GPKI http://www.gpki.go.jp/session/index.html Challenge PKI 2001 GPKI GPKI CRL/ARL
GPKI CRL/ARL CA 3 EE ( ) EE CA GPKI CA OCSP & 4 EE EE CA
DoD BCA Technology Demonstration Phase PKI PKI PKI PKI COTS (Commercial Off-The-Shelf) PKI PKI COTS NSA CA EE CRL/ARL EMA Challenge 2000 Web S/MIMEv3 (Phase 1) RSA/MD5 DSA/SHA-1 (NSA) CA Cygnacom (BCA), Entrust, Baltimore, SETECS, Spyrus, Motorola, Entegrity, Getronics, A&N Associates http://www.anassoc.com/bca.html http://www.anassoc.com/bcarpt.pdf http://bcatest.atl.getronicsgov.com/index.htm BCA Technology Demonstration Phase DoD Getronics BITS (Bridge Certification Authority Interoperability Test Suite) BITS Web Site Web Site http://bcatest.atl.getronicsgov.com/
(1) Phase II BCA Interoperability Demonstration Final Report
(2) Technical Interoperability Profile (TIP)
(3) BCA Demonstration Cert-CRL Profiles
(4) BCA Interoperability Test Description
(5) BCA Phase II Directory Profile
BITS CRL/ARL, PKCS#12, LDAP Phase II Bridge CA Demonstration Data http://bcatest.atl.getronicsgov.com/downloads.htm BITS LDAP ldap://bcatest.atl.getronicsgov.com/ Challenge PKI 2001 Phase II Bridge CA Demonstration Phase II Bridge CA Demonstration PKI PKI Challenge PKI EEMA EEMA European Forum for Electronic Business 32 273 PKI Challenge 2001 Q1 2 PKI Challenge Entrust Baltimore PKI Globalsign UK Post KPMG PKI Challenge
PKI Challenge PKI PKI PKI Challenge Challenge PKI 2001 3 B2B NEC NTT
3 Challenge PKI 2001 3 PKI 3 PKI http://www.apki-j.gr.jp/ http://www.apki-j.gr.jp/suishin/suishin_index.htm
GPKI CESG PKI EEMA PKI Challenge Challenge PKI 2001 Challenge PKI 2001 PKI 9 CA PKI
S/MIME, SSL, IPsec, IKE 3 PKI S/MIME MIME MIME S/MIME MIME RSA Security PKCS#7 PKCS#7 RFC2315 S/MIME 2 RFC2311 RFC2312 S/MIME 3 RFC2632 RFC2633 S/MIME S/MIME 2 S/MIME 2 S/MIME PKCS#7 PKCS#7 data, signed data, enveloped data, signed-and-enveloped data, digested data, encrypted data
PKCS#7 S/MIME PKCS#7 content type content type MIME content type MIME signed-data content type PKCS#7 signed data 4-1 signed data signed data signed-data content type CRL 1. 2. 1 3. PKCS#7 SignerInfo CRL 4. PKCS#7 SignedData
signed data Distinguished Name subjectkeyidentifier signeddata certificate S/MIME S/MIME 80 PKCS#7 MIME 80 S/MIME 4-2 S/MIME PKCS#7 enveloped data enveloped data 4-2 enveloped data
enveloped-data enveloped-data 1. content-encryption content-encryption 2. content-encryption content-encryption content-encryption content-encryption 3. content-encryption RecipientInfo 4. content-encryption 5. RecipientInfo envelopeddata enveloped data content-encryption content-encryption S/MIME PKCS#7 ExtendedCertificateAndCertificates CA PKCS#7 CertificateRevocationLists CRL CRL S/MIME 2 RFC2312
basicconstraints basicconstraints email address From RFC822 DN Email Address subjectaltname From email address keyusage S/MIME digitalsignature keyencipherment 4.1.3 PKCS#7 CA PKI CA PKCS#7 ExtendedCertificateAndCertificates S/MIME TLS TLS TLS TLSv1.0 Netscape SSLv3.0 TLSv1.0 SSLv3.0 TLSv1.0 RFC2246 TLS TLS TLS 2 TLS TLS TLS TLS MAC TLS TLS
TLS X.509 48 TLS
TLS 4-3 ClientHello Certificate* ClientKeyExchange CertificateRequest* CertificateVerify* [ChangeCipherSpec] Finished Application Data ServerHello Certificate* ServerKeyExchange* CertificateRequest* ServerHelloDone [ChangeCipherSpec] Finished Application Data ClientHello ServerHello ServerCertificate CertificateRequest ClientCertificate Certificate Certificate CA TLS Web URI IP
subjectaltname dnsname ipaddress IP IP TLS KeyUsage digitalsignature KeyUsage keyencipherment Diffie-Hellman keyagreement subjectaltname dnsname ipaddress IP RFC2459 extendedkeyusage id-kp-serverauth id-kp-clientauth TLS bad_certificate unsupported_certificate certificate_revoked certificate_expired certificate_unknown unknown_ca CA access_denied TLS TLS
TLS Certificate CA PKI PKI CA CA IKE Security AssociationSA IKE Oakley/ISAKMP SKEME RFC2409 IKE SA Diffie-Hellman IKE SA IPsec RIPv2OSPF SA Domain of InterpretationDOI IPsec DOIRIP DOIOSPF DOI IKE SA IKE SA SA ISAKMP SA ISAKMP SA ISAKMP SA SA 4-4 IKE ISAKMP SA IKE IPsec SA
ISAKMP SA Main Aggressive Aggressive Main SA Main Diffie-Hellman IKE IKE ISAKMP SA 4 IP IKE 4-5 (i) (r) SA SA KEi KEr IDi i IDr r ISAKMP 4-5 SA 4-5 SA SA SA Diffie-Hellman KE i KE r ID ID
IP ID IKE 4-6 (i) (r) SA SA KE i IDi [] i KE r IDr [] r SA Diffie-Hellman KE DSS RSA ID IKE 4-7
(i) (r) SA SA KE [ 1] {IDi}PKr { i}pkr KE {IDr}PKi { r}pki i r SA Diffie-Hellman KE 4-7 {IDi}PKr ID { i}pkr 2 1 ID 2 ID 4-8
(i) (r) SA { i}pkr {KE}Ki {IDi}Ki [{}Ki] i SA { r}pki {KE}Kr {IDr}Kr [{}Kr] r Ki Kr ID Ki Kr SA Diffie-Hellman KE IKE 1 Diffie-Hellman KE KE IKE ISAKMP CRL ISAKMP
4-1
   1   PKCS #7 wrapped X.509 certificate
   2   PGP Certificate
   3   DNS Signed Key
   4   X.509 Certificate - Signature
   5   X.509 Certificate - Key Exchange
   6   Kerberos Tokens
   7   Certificate Revocation List (CRL)
   8   Authority Revocation List (ARL)
   9   SPKI Certificate
  10   X.509 Certificate - Attribute
IKE Internet-Draft A PKIX Profile for IKE <draft-ietf-ipsec-pki-req-05.txt> Internet-Draft extendedkeyusage ikeIntermediate (iso.org.dod.internet.security.mechanisms.ipsec.certificate.2 = 1.3.6.1.5.5.8.2.2) subjectaltname IP Fully Qualified Domain Name (FQDN) Internet-Draft IKE RFC2408 ISAKMP Internet-Draft A PKIX Profile for IKE CA Internet-Draft IKE PKI IKE ISAKMP Internet-Draft Protocol Requirements for Son-of-IKE <draft-ietf-ipsec-son-of-ike-protocol-reqts-00.txt> SKEYID IKE IPsec IPsec SA IKE
CA PKI PKI PKI PKI PKI PKI CA CA CA CA CA CRL RA CA CA CA CA
CA CA CA CA CA CA CA PKI CA CA CA CA CA CA CA CA CA X.509 (2000) CA CA cacertificate CA CA cacertificate
CA CA CA CA CA CA CA CA CA CA CA CA PKI CA PKI Web Web CA CA CA CA
CA 1 4 4 CA CA CA CA PKI PKI CA CA CA CA X.509 CA CA CA CA CA PKI PKI A B B C A C nameconstraints policyconstraints pathlenconstraint X.509 PKI PKI PKI CA CA PKI PKI
Bridge CA Bridge CA Bridge CA Bridge CA Bridge CA Bridge CA Bridge CA Bridge CA PKI Bridge CA PKI Bridge CA PKI Bridge CA Bridge CA Bridge CA Bridge CA Bridge CA CA PKI Bridge CA Bridge CA PKI PKI Bridge CA CA CA CA CA Issuer Subject CA CA
SSL/TLSS/MIMEIPsec CA CA CA CA CA CA CA-1 CA-2 CA CA Issuer CA Subject: CA-2 Issuer CA-2 Subject: CA CA CA2 CA CA CA X.509 CA cacertificate Web CRL X.509 CA certificaterevocationlist certificatedistributionpoints certificaterevocationlist CRL ARL ARL authorityrevocationlist Web CRL CA
X.509 CA Issuer cacertificate cacertificate AIA caissuers PKIX Authority Information Access (AIA) caissuers URL SSL/TLS IPsec Web IPsec Certificate Payload S/MIME PKCS#7 CRL X.509 PKIX Authority Information Access (AIA) ocsp AIA ocsp URL OCSP (RFC2560, Online Certificate Status Protocol) OCSP certificatedistributionpoints (crldp) CRLDP directoryname URL CRL/ARL directoryname IP CA basicconstraints ca TRUE CRLDP authorityrevocationlist certificaterevocationlist CRLDP certificaterevocationlist CRLDP AIA
IP basicconstraints ca TRUE CA Issuer authorityrevocationlist certificaterevocationlist basicconstraints ca FALSE basicconstraints Issuer certificaterevocationlist 2 CA 2 CA 2 CA CA CA CA CA CA CA CA CA CA PKI CA CA-1 CA-2
CA CA X.509 (2000) Issuer Subject CA subject CA subject CA CA CA CA CA CA CA CA CA CA-1 CA-2 CA-1 Subject CA-2 Issuer CA-1 Subject CA-1 Issuer CA-2 CA-2 CA-2 CA-1 Subject ALICE Issuer CA-1 Subject BOB Issuer CA-2 CA X.509 (2000)
crossCertificatePair ATTRIBUTE ::= {
    WITH SYNTAX             CertificatePair
    EQUALITY MATCHING RULE  certificatePairExactMatch
    ID                      id-at-crossCertificatePair }

CertificatePair ::= SEQUENCE {
    issuedToThisCA  [0]  Certificate OPTIONAL,
    issuedByThisCA  [1]  Certificate OPTIONAL
    -- at least one of the pair shall be present -- }
    ( WITH COMPONENTS { ..., issuedToThisCA PRESENT } |
      WITH COMPONENTS { ..., issuedByThisCA PRESENT } )

issuedtothisca forward issuedbythisca Reverse issuedtothisca subject issuedbythisca issuer issuedbythisca subject issuedtothisca issuer CA CA c=jp LDAP o=a Company o=b Company ou=a-ca cacertificate A-CA B-CA ou=b-ca cacertificate certificaterevocationlist authorityrevocationlist crosscertificatepair with B issuedtothisca B-CA issuedbythisca A-CA certificaterevocationlist authorityrevocationlist crosscertificatepair with A issuedtothisca A-CA issuedbythisca B-CA CA CA
A CA EE-A EE-R CA B CA EE-B C CA EE-C CA c=jp LDAP o=reference ou=reference CA cacertificate crosscertpair With A crosscertpair With B crosscertpair With C cacertificate crosscertipair With R) o=a o=b o=c ou=b-ca ou=c-ca ou=d-ca cacertificate crosscertipair WithR) cacertificate crosscertipair With R) CA CA CA CA -1 x-1 subjectkeyidentifier x authoritykeyidentifier keyidentifier
CA-A CA-B Subject CA-A Issuer:CA-A SubjectKeyIdentifier AAA Subject CA-B Issuer:CA-A authoritykeyidentifier AAA subjectkeyidentifier BBB Subject BOB Issuer:CA-B authoritykeyidentifier BBB subjectkeyidentifier CCC AB subjectkeyidentifier authoritykeyidentifier CA CA CA CA crosscertificatepair with B issuedtothisca B-CA issuedbythisca A-CA crosscertificatepair with A issuedtothisca A-CA issuedbythisca B-CA CA-A CA-B Subject CA-A Issuer:CA-A Subject CA-B Issuer:CA-A Subject BOB Issuer:CA-B issuedbythisca issuedtothisca AB
Issuer: A-CA Subject: ALICE CA A-CA Issuer: B-CA Subject: A-CA Issuer: A-CA Subject: B-CA B-CA Issuer: B-CA Subject: BOB CA ARL (B-CA) OK! CA EE CRL certificaterevocationlistcrl authorityrevocationlist ARL crldistributionpoints CRLDP CRL/ARL CRL/ARL issuingdistributionpointsidp CRL/ARL CRLDPAIA CA CRL/ARL CA CRL/ARL CRL/ARL authoritykeyidentifier authoritykeyidentifier CRL CRL IDP CRL CA CRL ARL CRL ARL IDP CRL
onlycontainsusercerts ARL onlycontainsauthoritycerts TRUE pathlenconstraint nameconstraints policyconstraints CA critical TRUE CA CA basicconstraints ca TRUE CA CA ARL ARL ARL CRL basicconstraints ca FALSE basicconstraints CRL CRL PKI CA CA
CA 10 CA CA CA CA CA CA CA CA CA CA CA CA BCA CA CA CA CA
CA CA CA PKI CA CA CA Root CA CA CA CA CA CA CA PKI PKI CA PKI PKI CP PKI PKI PKI PCA CA PKI Class-1 Class-2 Class-3 Class-4 PCA Principal CA CA PCA PKI CA CA CA PKI High Middle Low CA CA Mesh Red Blue Yellow Black White
GPKI critical TRUE CA requireexplicitpolicy CA PKI PKI CA PKI policymappings CA PKI CA PKI policymappings Any-Policy Any-Policy any-policy (OID 2.5.29.32.0) CA certificatepolicies any-policy CA CA policyconstraints CA policyconstraints requireexplicitpolicy PKI PKI policyconstraints inhibitpolicymapping PKI AB C CA A B B C A B inhibitpolicymapping=0 A C
Any-Policy inhibitanypolicy Any-Policy CA CA inhibitanypolicy CA CA CA CA CA CA-A BCA CA-B crosscertificatepair with A issuedtothisca CA-A crosscertificatepair with BCA issuedbythisca BCAcrossCertificatePair with BCA issuedtothisca BCA issuedtothisca BCA issuedbythisca CA-A crosscertificatepair with B issuedbythisca CA-B issuedtothisca CA-B issuedbythisca BCA CA-A issuedbythisca BCA crosscertificatepair With B issuedbythisca BCA crosscertificatepair(with A)issuedByToCA CA-A issuedbytoca CA-ABCA BCACA-B Subject CA-A Issuer:CA-A Subject BCA Issuer:CA-A Subject CA-B Issuer:BCA Subject Bob Issuer:CA-B 5.2.2.7 CA CA CA PKI pathlenconstraint nameconstraints
policyconstraints CA critical TRUE CRL/ARL CA CA basicconstraints ca TRUE CA CA ARL ARL ARL CRL basicconstraints ca FALSE basicconstraints CRL CRL pathlenconstraintnameconstraints pathlenconstraint CA CA CA pathlenconstraint pathlenconstraint pathlenconstraint
CA-A BCA CA-B CA-X CA-ABCA BCACA-B EE-B Subject CA-A Issuer:CA-A Subject BCA Issuer:CA-A pathlenconstraint=1 Subject CA-B Issuer:BCA Subject BOB Issuer:CA-B CA CA-ABCA BCACA-B CA-BCA-X Subject CA-A Issuer:CA-A Subject BCA Issuer:CA-A pathlenconstraint=1 Subject CA-B Issuer:BCA Subject CA-X Issuer:CA-B EE-X Subject CAROL Issuer:CA-X nameconstraints CA CA nameconstraints permittedsubtrees permittedsubtrees Subject subjectaltname excludedsubtrees excludedsubtrees Subject subjectaltname initial-policy-set PKI Any-Policy initial-explicit-policy ON initial-explicit-policy 1 OFF policyconstraints requireexplicitpolicy initial-policy-mapping
ON PKI PKI Any-Policy initial-inhibit-policy ON Any-Policy CA policyqualifier CA CA PKIX-CMPRFC2510 CA CRL OldWithNew NewWithOld
CA CA NewWithOld OldWithNew CA OldWithNew NewWithOld CA cacertificate CRL NewWithOld CRL OldWithNew pathlenconstraintpolicyconstraints inhibitanypolicy
6-1 EE Issuer Issuer=Subject Issuer=Subject Issuer CA Issuer CA ( ) Subject
5 5.2.2 / Subject JNSA IPA JNSA CA C=JP,O=JNSA,CN=Root CA IPA CA C=JP,O=IPA,CN=Root CA 6-2 IPA JNSA JNSA IPA JNSAPKI IPAPKI JNSA JNSA Alice C=JP,O=JNSA,CN=JNSA Alice IPA IPA Bob C=JP,O=IPA,CN=IPA Bob IPA Bob 1 JNSA Alice JNSA CA 2
Alice Bob Issuer C=JP,O=IPA,CN=Root CA Alice Subject C=JP,O=IPA,CN=Root CA IPA IPA Bob Alice IPA Bob (6-3) IPA IPA IPA IPA IPA IPA IPA IPA Bob IPA Bob IPA JNSA Alice ( JNSA Alice JNSA JNSA JNSA JNSA JNSA JNSA JNSA Alice JNSA Alice ) IPA Subject C=JP,O=IPA,CN=Root CA JNSA IPA JNSA IPA Bob
Issuer C=JP,O=JNSA,CN=Root CA Alice Subject C=JP,O=JNSA,CN=Root CA JNSA JNSA JNSA IPA JNSA Alice Bob JNSA IPA Alice Bob Bob 6-4 IPA IPA IPA IPA IPA IPA IPA IPA Bob IPA Bob JNSA IPA JNSA Alice ( JNSA Alice JNSA JNSA JNSA JNSA JNSA JNSA JNSA Alice JNSA Alice ) JNSA IPA JNSA JNSA/IPA JNSA Subject C=JP,O=JNSA,CN=Root CA
Issuer C=JP,O=JNSA,CN=Root CA IPA JNSA IPA JNSA Issuer C=JP,O=IPA,CN=Root CA Subject C=JP,O=IPA,CN=Root CA IPA IPA JNSA JNSA/IPA 6-5 IPA IPA IPA IPA IPA IPA IPA IPA Bob IPA Bob JNSA/IPA JNSA/IPA JNSA Alice JNSA JNSA JNSA JNSA JNSA JNSA JNSA Alice JNSA Alice
5 5.2.3 2 6.1.1.1 JNSAC=JP,O=JNSA CA C=JP,O=JNSA,CN=Root CA /IPAC=JP,O=IPA CA C=JP,O=IPA,CN=Root CA C=JP,O=Bridge CA C=JP,O=Bridge, CN= Root CA 6-6 JNSAPKI PKI IPAPKI 6-7 IPA 6.1.1.1 Bridge IPA Bridge IPA Bob JNSA Bridge Bridge IPA JNSA JNSA Bridge JNSA Alice Bob Alice
JNSA Alice JNSA Bridge Bridge IPA JNSA Bridge IPA Bridge JNSA IPA Bridge JNSA Alice IPA Bob JNSA BridgeIPA Bridge 2 JNSA Subject C=JP,O=JNSA,CN=Root CA Issuer C=JP,O=JNSA,CN=Root CA JNSA Bridge JNSA Bridge Bridge Bridge Bridge JNSA JNSA Bridge
IPA Bob IPA Bob Bridge Bridge IPA Bridge IPA IPA Bridge IPA Bridge Bridge Bridge Bridge IPA JNSA Alice JNSA Alice Bridge JNSA Alice JNSA Alice JNSA JNSA JNSA JNSA JNSA JNSA JNSA Bridge Bridge IPA 6-9 Bridge Bridge IPA IPA IPA IPA Bridge IPA Bridge IPA Bridge Bridge Bridge IPA
IPA Bob IPA Bob Bridge Bridge IPA Bridge IPA IPA Bridge IPA Bridge IPA IPA Bridge IPA JNSA Alice JNSA Alice Bridge IPABridge JNSA Alice JNSA Alice JNSA JNSA JNSA JNSA JNSA JNSA X.509v3 Critical Flag Critical Flag Critical Flag True/False 2 / CriticalFlag True / OID Critical TRUE / False /
Subject/Issuer Subject/Issuer DistinguishedName DistinguishedName DirectoryString DirectoryString RFC2459 4.1.2.4 2003 12 31 DirectoryString 1. PrintableString PrintableString 2. BMPString BMPString 3. 12 UTF8String 4. 12 UTF8String 2004 1 UTF8String Subject/Issuer DirectoryString 1 PrintableString 4 UTF8String PrintableString PrintableString C=JP,O=JNSA,OU=PKI,CN=JNSA Alice PrintableString Subject C=JP,O=JNSA,CN=Root CA PrintableString Issuer PrintableString / JNSA jnsa Subject C=JP,O=JNSA,OU=PKI,CN=JNSA Alice C=JP,O=jnsa,OU=Pki,CN=Jnsa Alice Issuer C=JP,O=JNSA,CN=Root CA C=JP,O=jnsa,CN=ROOT CA
RFC2459 4.1.2.4 PrintableString / (c) PrintableString BMPString/UTF8String / (b) X.500 / (a) Issuer/Subject Name rollover certificate Name rollover Issuer/Subject RFC2459 2004 CA /PKI 5
6.1.2.2 Subject/Issuer Subject C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 Subject CA C=JP,O=JNSA,CN=JNSA Alice C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 CA SubjectKeyIdentifier/AuthorityKeyIdentifier SubjectKeyIdentifier KeyIdentifier KeyIdentifier 2 RFC 2459 1. SHA1 160bit 160bit 2. bit 0100 SHA1 160bit 60bit 64bit SubjectKeyIdentifier
C=JP,O=JNSA,OU=PKI,CN=JNSA Alice C=JP,O=JNSA,CN=Root CA 6-11 SubjectKeyIdentifier SubjectKeyIdentifier SubjectKeyIdentifier SubjectKeyIdentifier EE PKI SubjectKeyIdentifier KeyIdentifier AuthorityKeyIdentifier AuthorityKeyIdentifier SubjectKeyIdentifier KeyIdentifier authoritycertissuer authoritycertserialnumber
authoritycertissuer/authoritycertserialnumber OPTIONAL AuthorityKeyIdentifier keyidentifier 2. authoritycertissuer/authoritycertserialnumber 6-12 AuthorityKeyIdentifier C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 C=JP,O=JNSA,CN=Root CA C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 C=JP,O=JNSA,CN=JNSA Alice C=JP,O=JNSA,CN=Root CA 2000/01/01-2000/12/31 AuthorityKeyIdentifier CA AuthorityKeyIdentifier AuthorityKeyIdentifier authoritycertissuer/authoritycertserialnumber keyidentifier KeyIdentifier ID 1 AuthorityKeyIdentifier Validity DistinguishedName
RFC2459 Validity 2049 UTCTime GeneralizedTime UTCTime ASCII 020228000000Z (YYMMDDHHMMSSZ) 2002 2 28 0 0 0 UTC 991231000000 2 50 1999 12 31 GeneralizedTime ASCII 20500228000000 2050 2 28 0 0 0 UTC UTCTime/GeneralizedTime UTCTime GeneralizedTime Subject/Issuer DirectoryString 6.1.2.2 PrintableString/BMPString/UTF8String RFC2459 2049 1 1 2050 12 31 notbefore UTCTime notafter GeneralizedTime GeneralizedTime 30 notafter 2000 Repository Directory PA (Publication Authority) PA 1. CRL 2. OCSP 2 CRL CRL CRL CRL CRLDistributionPoint
CRLDistributionPoint GeneralNames GeneralName CRLDistributionPoint 1. Directory DN 2. URI LDAP 3. URI HTTP CRLDistributionPoint Repository CRL 5.2.1.4(2) 5.2.1.4(2) Directory CRL Directory IP Repository Directory 1. CRLDistributionPoint Directory CRL 2. X.500 CRLDistributionPoint Directory Referal/Chainig
3. / 4. Directory LDAP / LDAP Directory LDAP LDAP HTTP LDAP HTTP CRLDistributionPoint HTTP CRL HTTP HTTP CRL EE CRLDistributionPoint Complete CRL EE CRL CA CA CRLDistributionPoint Complete CRL CA ARL OCSP OCSP RFC2560 / OCSP 1. OCSP 2. PKIX AuthorityInfoAccessAIA OCSP / / OCSP OCSP OCSP AuthorityInfoAccess
OCSP CRL OCSP CRL / OCSP CRL / 6-14 A B N ACRL BCRL CCRL CRL CRL CRL OCSP OCSP OCSP OCSP PKI CRL OCSP OCSP OCSP 1. OCSP CRL 2. OCSP AuthorityInfoAccessAIA IETF PKIX OCSP
OCSP OCSP CRL/OCSP CRL CRL 1. 2. 3. 4. CRL 5 EE CRLDistributionPoint CRL 1. EE 2. CA 3. CRL EE EE CRL CA CRL CRL X.509 IssuingDistributionPoint (IDP) CRL CRL ARL (Authority Revocation List)
ARL onlycontainscacerts TRUE IDP CRL ARL EE CRL onlycontainsusercerts TRUE IDP CRL EE/CA CRL Complete CRL IDP RFC2459 5.2.5 Critical CRL IDP CRL IDP RFC2459 5.2.5 Critical IDP IDP CRL CRL CRL PKI IDP 6.1.2.1 Critical IDP CRL PKI Although CRL ( ) RFC2459
CRL CRL Complete CRL CRL 6.1.2.3 KeyIdentifier OCSP OCSPv1 / / CRL P.6-171 OCSP CRL OCSP OCSPv1 OCSP CA CA PKIX-CMPRFC2510 CA CRL
2001/01/01-2010/12/31 2001/01/01-2010/12/31 JNSA 2010/01/01-2020/12/31 JNSA 2010/01/01-2020/12/31 NewWith 2005/01/01-2015/12/31 NewWith 2005/01/01-2015/12/31 ithnew 2001/01/01-2010/12/31 ithnew 2001/01/01-2010/12/31 JNSA JNSA JNSA Old JNSA Old JNSAOldW JNSAOldW PKI SSL/TLS S/MIME IPsec 6-1 Subject SubjectAltName PKI Subject CN FQDN SubjectAltName DNSName SSL/TLS SubjectAltName IPAddress Subject Email S/MIME SubjectAltName RFC822Name SubjectAltName RFC822Name SubjectAltName DNSName IPsec(IKE) SubjectAltName IPAddress SSL/TLS SSL/TLS CN/SubjectAltName DNSName/SubjectAltName IPAddress IP VeriSign SSL/TLS Subject CN FQDN SSL/TLS Web SubjectAltName DNSName/IPAddress FQDN IP
S/MIME 3 SubjectAltName RFC822Name RFC S/MIME Subject Email S/MIME Web SSL/TLS S/MIME SubjectAltName IPsec (IKE) Pre-Shared Key PKI PKI IPsec (IKE) PKI PKI IPsec (IKE)/PKI IPsec PKI IPsec (IKE) SSL/TLS, S/MIME IPsec IPsec (IKE) VPN / PKI Internet-Draft A PKIX Profile for IKE PKIX draft-ietf-ipsec-pki-req-05.txt PKI PDA GPKI IETF PKIX-WG DPD (Delegated Path Discovery) DPV (Delegated Path Verification) 2 Internet-Draft
ID
PKI SSL/TLSS/MIMEIPsec S/MIME CA S/MIME IPsec Web Web CA S/MIME CA S/MIME CA CRL
AliceCA CA CA CA RA BobCA CA CA CA BobEE BobCA RA Carol AliceCA CA BobCA CA CA BobCA AliceCA CA CA
AliceCA CA CA
CA CA CA CA EE PKI 1. CA CA 2. CA CA authoritykeyidentifier subjectkeyidentifier keyusage subjectaltname basicconstraints CA CA CA CA CA CA CA PKCS#10 CA X.509 1) CA CA 2) CA CA 3) CA CA CA 4) CA CA CA 5) CA S/MIME S/MIME SSL
SSL SSL IPsec IPsec 6) CRL/ARL CA CRL 7) CRL/ARL CA CA CA S/MIME CA SSL CA S/MIME CA CRL S/MIME CA / 1) CA / S/MIME 2) 3) CA CRL 4) CA CRL 5) 6) CA CA CA ARL 7)
IPsec IPsecWG CA IPsecWG IPsecCA CA IPsecCA IPsec IPsec IKE 1) CA IPsecCA CA 2) IPsecCA IPsec 3) CA / IPsec IPsec 4) CA CRL 5) IPsec IPsecPC ping 6) IPsec IKE
Web Web SSL Web CA SSL 7-6 Web 1) CA Web 2) Web Web SSL 3) CA CRL 4) Web Web SSL
Web Web SSL Web CA SSL 1) CA / Web 2) Web Web SSL 3) CA CA CA ARL 4) Web Web SSL
CA CA 1. CA 2. PKI CA CA authoritykeyidentifier subjectkeyidentifier critical keyusage certificatepolicies subjectaltname basicconstraints CA critical issuingdistributionpoint CA CA 2 CA 1) CA CA 2) CA CA 3) CA CA 4) CA 5) CA CA 6) CA
7) CA S/MIME S/MIME 8) CRL/ARL CA CA S/MIME CA CRL CA ARL 9) CRL/ARL CA CA CA CA S/MIME CA CRL CA ARL S/MIME CA CA 1) CA / S/MIME 2) 3) CA CRL 4) / 5) / 6) CA CA ARL
7) 8)
GPKI 1. GPKI CA CA 2. GPKI GPKI non-critical authoritykeyidentifier subjectkeyidentifier critical keyusage certificatepolicies policymappings subjectaltname basicconstraints CA critical issuingdistributionpoint CA CA CA GPKI 1) CA CA CA 2) CA CA 3) CA CA 4) CA CA 5) CA
6) CA CA 7) CA CA 8) CA 9) CA CA S/MIME S/MIME 10) CRL/ARL CA CA CRL CA ARL 11) CRL/ARL CA CA CA CA S/MIME CA CRL CA ARL 12) CRL/ARL CA CA CA CA S/MIME CA CRL CA ARL S/MIME CA CA CA
1) CA / S/MIME 2) 3) CA CRL 4) / 5) CA CA CA ARL 6)
ITU/X.509 PKIX/RFC2459 X.509 DER

6.1 Digital signatures
( ) In the case where a signature is appended to a data type, the following ASN.1 may be used to define the data type resulting from applying a signature to the given data type.

    SIGNED { ToBeSigned } ::= SEQUENCE {
        toBeSigned  ToBeSigned,
        COMPONENTS OF SIGNATURE { ToBeSigned }}

In order to enable the validation of SIGNED and SIGNATURE types in a distributed environment, a distinguished encoding is required. A distinguished encoding of a SIGNED or SIGNATURE data value shall be obtained by applying the Basic Encoding Rules defined in ITU-T Rec. X.690 (1997) ISO/IEC 8825:1998, with the following restrictions:
a) the definite form of length encoding shall be used, encoded in the minimum number of octets;
b) for string types, the constructed form of encoding shall not be used;
c) if the value of a type is its default value, it shall be absent;
d) the components of a Set type shall be encoded in ascending order of their tag value;
e) the components of a Set-of type shall be encoded in ascending order of their octet value;
f) if the value of a Boolean type is true, the encoding shall have its contents octet set to "FF"₁₆;
g) each unused bit in the final octet of the encoding of a Bit String value, if there are any, shall be set to zero;
h) the encoding of a Real type shall be such that bases 8, 10, and 16 shall not be used, and the binary scaling factor shall be zero;
i) the encoding of a UTC time shall be as specified in ITU-T Rec. X.690 (1997) ISO/IEC 8825-1:1998;
j) the encoding of a Generalized time shall be as specified in ITU-T Rec. X.690 (1997) ISO/IEC 8825-1:1998.
( )

7 Public-keys and public-key certificates
( )

    Certificate ::= SIGNED { SEQUENCE {
        version                  [0]  Version DEFAULT v1,
        serialNumber                  CertificateSerialNumber,
        signature                     AlgorithmIdentifier,
        issuer                        Name,
        validity                      Validity,
        subject                       Name,
        subjectPublicKeyInfo          SubjectPublicKeyInfo,
        issuerUniqueIdentifier   [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                                      -- if present, version shall be v2 or v3
        subjectUniqueIdentifier  [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                                      -- if present, version shall be v2 or v3
        extensions               [3]  Extensions OPTIONAL
                                      -- If present, version shall be v3 -- } }

RFC2459 X.509 DER CA BER keyusage DER a)c)g) ASN.1 bitbit STRING 0 BER DER BER keyusage bit BOOLEAN keyidentifier DN BER DNissuersubject DirectoryString X.520
5 Definition of selected attribute types
This Directory Specification defines a number of attribute types which may be found useful across a range of applications of the Directory. Many of the attributes defined in this Specification are based on a common ASN.1 syntax:
DirectoryString { INTEGER : maxSize } ::= CHOICE {
  teletexString TeletexString (SIZE (1..maxSize)),
  printableString PrintableString (SIZE (1..maxSize)),
  universalString UniversalString (SIZE (1..maxSize)) }
Some implementations of the Directory do not support the last of these choices, and will not be able to generate, match, or display attributes having such a syntax.
RFC2459 4.1.2.4 Issuer
DirectoryString ::= CHOICE {
  teletexString TeletexString (SIZE (1..MAX)),
  printableString PrintableString (SIZE (1..MAX)),
  universalString UniversalString (SIZE (1..MAX)),
  utf8String UTF8String (SIZE (1..MAX)),
  bmpString BMPString (SIZE (1..MAX)) }
The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a DirectoryString.
Name
X.520 5.2.1 Name
The Name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed.
name ATTRIBUTE ::= {
  WITH SYNTAX DirectoryString { ub-name }
  EQUALITY MATCHING RULE caseIgnoreMatch
  SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
  ID id-at-name }
X.520 6.1 String matching rules
In the matching rules specified in 7.1.1 through 7.1.11, the following spaces are regarded as not significant: leading spaces (i.e., those preceding the first printing character); trailing spaces (i.e., those following the last printing character); multiple consecutive internal spaces (these are taken as equivalent to a single space character). In the matching rules to which these apply, the strings to be matched shall be matched as if the insignificant spaces were not present in either string.
6.1.1 Case Ignore Match
The Case Ignore Match rule compares for equality a presented string with an attribute value of type DirectoryString, without regard to the case (upper or lower) of the strings (e.g., Dundee and DUNDEE match).
caseIgnoreMatch MATCHING-RULE ::= {
  SYNTAX DirectoryString {ub-match}
  ID id-mr-caseIgnoreMatch }
The rule returns TRUE if the strings are the same length and corresponding characters are identical except possibly with regard to case. Where the strings being matched are of different ASN.1 syntax, the comparison proceeds as normal so long as the corresponding characters are in both character sets. Otherwise matching fails.
RFC2253 2.4. Converting an AttributeValue from ASN.1 to a String
If the AttributeValue is of a type which does not have a string representation defined for it, then it is simply encoded as an octothorpe character ('#' ASCII 35) followed by the hexadecimal representation of each of the bytes of the BER encoding of the X.500 AttributeValue. This form SHOULD be used if the AttributeType is of the dotted-decimal form.
Otherwise, if the AttributeValue is of a type which has a string representation, the value is converted first to a UTF-8 string according to its syntax specification (see for example section 6 of [4]). If the UTF-8 string does not have any of the following characters which need escaping, then that string can be used as the string representation of the value.
  o a space or "#" character occurring at the beginning of the string
  o a space character occurring at the end of the string
  o one of the characters ",", "+", """, "\", "<", ">" or ";"
Implementations MAY escape other characters.
If a character to be escaped is one of the list shown above, then it is prefixed by a backslash ('\' ASCII 92). Otherwise the character to be escaped is replaced by a backslash and two hex digits, which form a single byte in the code of the character.
Examples of the escaping mechanism are shown in section 5.
UTF8String PrintableString UTF8String subject UTF8String UTF8String <-> PrintableString UTF8String LDAPbisWG draft-ietf-ldapbis-dn-06.txt / CA subject EE issuer CA EE case-sensitive CA case-insensitive CA issuer subject subject CA DN UTF8String PrintableString subject CSR CA UTF8String PrintableString subject CA CSR CA issuer CA issuer UTF8String issuer PrintableString CA DN DN CA
X.501 DirectoryString
9.2 Names in General
( ) Each initial subsequence of the name of an object is also the name of an object. The sequence of objects so identified, starting with the root and ending with the object being named, is such that each is the immediate superior of that which follows it in the sequence.
RFC2253 DirectoryString
2.1. Converting the RDNSequence
If the RDNSequence is an empty sequence, the result is the empty or zero length string.
Otherwise, the output consists of the string encodings of each RelativeDistinguishedName in the RDNSequence (according to 2.2), starting with the last element of the sequence and moving backwards toward the first.
The encodings of adjoining RelativeDistinguishedNames are separated by a comma character (',' ASCII 44).
SEQUENCE
RFC1779 2.3 Formal definition
The name is presented/input in a little-endian order (most significant component last). When an address is written in a context where there is a need to delimit the entire address (e.g., in free text), it is recommended that the delimiters <> are used. The terminator > is a special in the notation to facilitate this delimitation.
DirectoryString ASN.1 SEQUENCE CA CA PKCS#10 PKCS#10 subject SEQUENCE CA
DN DirectoryString issuer subject
X.501 RFC1779RFC2253 ou=alice, ou=challengepki2001, o=jnsa, c=jp 1 DirectoryString PKI X.500 LDAP X.509 X.500 X.500 subject DirectoryString subject PKCS#10 subject subject subject CA CA DirectoryString subject X.500 X.509 X.509 RFC2459 serialnumber INTEGER INTEGER ASN.1 X.680 ASN.1
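The RFC 2253 string conversion and the X.520 string matching rules quoted above, implemented together as an added example; this is not code from the report or from any product it tested. The DN "ou=alice, ou=challengepki2001, o=jnsa, c=jp" from the text is reused as sample data; the names SAMPLE_DN, escape_attribute_value, rdn_sequence_to_string, case_ignore_match and dn_equal are this example's own. dn_equal goes slightly beyond the quoted text by comparing whole RDNSequences with caseIgnoreMatch applied to each value, which is the comparison a relying party needs when it links an end-entity issuer name to a CA subject name.

```python
import re

# Constructed sample: the DN quoted in the report, held in ASN.1 order
# (root first), so its RFC 2253 string form is
# "ou=alice,ou=challengepki2001,o=jnsa,c=jp".
SAMPLE_DN = [
    [("c", "jp")],
    [("o", "jnsa")],
    [("ou", "challengepki2001")],
    [("ou", "alice")],
]

# characters RFC 2253 section 2.4 requires escaping wherever they occur
_SPECIAL = set(',+"\\<>;')


def escape_attribute_value(value: str) -> str:
    """RFC 2253 2.4: backslash-escape the characters that need escaping in a string-typed value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)          # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\" + ch)          # trailing space
        elif ord(ch) < 0x20:
            # RFC 2253 lets implementations escape other characters as backslash + two hex digits
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def encode_binary_value(ber: bytes) -> str:
    """RFC 2253 2.4: a value with no string form is '#' followed by the hex of its BER encoding."""
    return "#" + ber.hex()


def rdn_sequence_to_string(rdn_sequence) -> str:
    """RFC 2253 2.1/2.2: emit the RDNs last-first, joined by ',', with the AVAs of a
    multi-valued RDN joined by '+'."""
    if not rdn_sequence:
        return ""
    rdn_strings = []
    for rdn in reversed(rdn_sequence):
        avas = []
        for attr_type, value in rdn:
            encoded = encode_binary_value(value) if isinstance(value, bytes) else escape_attribute_value(value)
            avas.append(attr_type + "=" + encoded)
        rdn_strings.append("+".join(avas))
    return ",".join(rdn_strings)


def _fold(s: str) -> str:
    """X.520 6.1: leading, trailing and repeated internal spaces are not significant;
    6.1.1 caseIgnoreMatch additionally ignores letter case."""
    return re.sub(r" +", " ", s.strip(" ")).lower()


def case_ignore_match(presented: str, stored: str) -> bool:
    """X.520 6.1.1 caseIgnoreMatch on two DirectoryString values."""
    return _fold(presented) == _fold(stored)


def dn_equal(dn_a, dn_b) -> bool:
    """Compare two RDNSequences RDN by RDN: attribute types case-insensitively, string
    values with caseIgnoreMatch, binary values byte-for-byte. A byte-for-byte comparison
    of the two DER encodings would instead reject a name re-encoded by another tool
    (PrintableString vs UTF8String, or a different letter case)."""
    if len(dn_a) != len(dn_b):
        return False
    for rdn_a, rdn_b in zip(dn_a, dn_b):
        if len(rdn_a) != len(rdn_b):
            return False
        remaining = list(rdn_b)            # an RDN is a SET: AVA order does not matter
        for type_a, value_a in rdn_a:
            for idx, (type_b, value_b) in enumerate(remaining):
                if type_a.lower() != type_b.lower():
                    continue
                if isinstance(value_a, bytes) or isinstance(value_b, bytes):
                    same = value_a == value_b
                else:
                    same = case_ignore_match(value_a, value_b)
                if same:
                    del remaining[idx]
                    break
            else:
                return False
    return True
```

rdn_sequence_to_string(SAMPLE_DN) yields the comma-separated little-endian form the RFC 2253 and RFC 1779 quotes describe; dn_equal(SAMPLE_DN, ...) still succeeds when the other copy uses upper-case values, which is what the X.520 rule requires of a name comparison.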
3.8.40 integer type: A simple type with distinguished values which are the positive and negative whole numbers, including zero (as a single value).
NOTE Particular encoding rules limit the range of an integer, but such limitations are chosen so as not to affect any user of ASN.1.
CA 32bit serialnumber serialnumber crlscope serialnumberrange serialnumber BufferOverflow X.509 basicconstraints CA
8.4.2.1 Basic constraints extension
This field indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. If so, a certification path length constraint may also be specified. ( )
RFC2459 CA EE basicconstraints
4.2.1.10 Basic Constraints
The basic constraints extension identifies whether the subject of the certificate is a CA and how deep a certification path may exist through that CA. ( ) This extension MUST appear as a critical extension in all CA certificates. This extension SHOULD NOT appear in end entity certificates. ( )
CA EE basicconstraints CA EE basicconstraints.ca=false X.509 RFC2459 CA basicconstraints CA EE CA RFC2459 EE false-positive X.509 ca TRUE 0 EE
8.4.2.1 Basic constraints extension
The pathLenConstraint component shall be present only if ca is set to true. It gives the maximum number of CA-certificates that may follow this certificate in a certification path. Value 0 indicates that the subject of this certificate may issue certificates only to end-entities and not to further CAs. If no pathLenConstraint field appears in any certificate of a certification path, there is no limit to the allowed length of the certification path. ( )
pathlenconstraint 0 EE MAY pathlenconstraint pathlenconstraint CA=TRUE X.509 RFC2459 CA pathlenconstraint basicconstraints pathlenconstraint pathlenconstraint
CA CA X.509 keyusage digitalsignature digitalsignature SSL/TLS keyusage keyencipherment
8.2.2.3 Key usage extension
( ) Bits in the KeyUsage type are as follows:
a) digitalSignature: for verifying digital signatures that have purposes other than those identified in b), f), or g) below;
b) nonRepudiation: for verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action (excluding certificate or CRL signing, as in f) or g) below);
c) keyEncipherment: for enciphering keys or other security information, e.g. for key transport;
d) dataEncipherment: for enciphering user data, but not keys or other security information as in c) above;
e) keyAgreement: for use as a public key agreement key;
f) keyCertSign: for verifying a CA's signature on certificates;
g) cRLSign: for verifying an authority's signature on CRLs.
h) encipherOnly: public key agreement key for use only in enciphering data when used with keyAgreement bit also set (meaning with other key usage bit set is undefined);
i) decipherOnly: public key agreement key for use only in deciphering data when used with keyAgreement bit also set (meaning with other key usage bit set is undefined);
( )
RFC2459 critical critical-flag RFC2459 critical CA keyusage non-critical
critical-flag critical-flag critical CA CA CA certificatepolicies policymappings policyconstraints CA critical-flag non-critical CA CA CRL/ARL authoritykeyidentifier issuingdistributionpoint CRL/ARL CRL/ARL CA CA crlnumber AuthorityKeyIdentifier issuingdistributionpoints
X.509 keyidentifier a) CRL issuer issuer b) keyidentifier
8.2.2.1 Authority key identifier extension
( ) The key may be identified by an explicit key identifier in the keyIdentifier component, by identification of a certificate for the key (giving certificate issuer in the authorityCertIssuer component and certificate serial number in the authorityCertSerialNumber component), or by both explicit key identifier and identification of a certificate for the key. If both forms of identification are used then the certificate or CRL issuer shall ensure they are consistent. A key identifier shall be unique with respect to all key identifiers for the issuing authority for the certificate or CRL containing the extension. An implementation which supports this extension is not required to be able to process all name forms in the authorityCertIssuer component. (See 8.3.2.1 for details of the GeneralNames type.) Certification authorities shall assign certificate serial numbers such that every (issuer, certificate serial number) pair uniquely identifies a single certificate. The keyIdentifier form can be used to select CA certificates during path construction. The authorityCertIssuer, authoritySerialNumber pair can only be used to provide preference to one certificate over others during path construction. ( )
RFC2459 Recommendations keyidentifier 160bitSHA-1 60bit SHA-1
4.2.1.2 Subject Key Identifier
( ) For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are:
(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
(2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey. ( )
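Two of the field-level points above concern how a DER value is read: the X.680 quote that an ASN.1 INTEGER (and so a serialNumber) has no fixed size, and the RFC 2459 4.2.1.2 quote that the key identifier is a hash over the subjectPublicKey BIT STRING with its tag, length and unused-bits octet removed. The added example below, not code from the report or from any product it tested, implements both with a small DER reader; der_read_tlv, der_integer, der_bit_string_content, key_identifier_sha1 and key_identifier_truncated are this example's names, and the sample serial number and BIT STRING are constructed placeholders.

```python
import hashlib
from typing import Tuple


def der_read_tlv(buf: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at offset; return (tag, value, offset_after).
    Handles short- and long-form definite lengths and rejects the indefinite form
    (BER only, never valid DER)."""
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def der_integer(buf: bytes) -> int:
    """Decode a DER INTEGER (tag 0x02) of any length into a Python int.
    ASN.1 INTEGER is unbounded (X.680 3.8.40), so a serialNumber must not be read
    into a fixed 32-bit variable: a 16- or 20-byte serial is perfectly legal."""
    tag, value, _ = der_read_tlv(buf)
    if tag != 0x02 or not value:
        raise ValueError("not a DER INTEGER")
    return int.from_bytes(value, "big", signed=True)


def der_bit_string_content(buf: bytes) -> bytes:
    """Return the content of a DER BIT STRING (tag 0x03) without tag, length and the
    leading unused-bits octet: exactly the bytes RFC 2459 4.2.1.2 hashes."""
    tag, value, _ = der_read_tlv(buf)
    if tag != 0x03 or not value:
        raise ValueError("not a DER BIT STRING")
    if value[0] > 7:
        raise ValueError("unused-bits count out of range")
    return value[1:]


def key_identifier_sha1(subject_public_key: bytes) -> bytes:
    """RFC 2459 4.2.1.2 method (1): the 160-bit SHA-1 hash of the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key).digest()


def key_identifier_truncated(subject_public_key: bytes) -> bytes:
    """RFC 2459 4.2.1.2 method (2): a four-bit type field 0100 followed by the least
    significant 60 bits of the SHA-1 hash, giving an 8-byte identifier."""
    digest = int.from_bytes(hashlib.sha1(subject_public_key).digest(), "big")
    low60 = digest & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


# Constructed sample values (not taken from the page): a 20-byte positive serial
# number, and a short placeholder BIT STRING standing in for a real subjectPublicKey.
SAMPLE_SERIAL_DER = bytes([0x02, 0x14]) + bytes(range(0x11, 0x25))
SAMPLE_SPK_DER = bytes([0x03, 0x09, 0x00]) + b"\x30\x06\x02\x01\x03\x02\x01\x05"

if __name__ == "__main__":
    print("serialNumber =", der_integer(SAMPLE_SERIAL_DER))
    spk = der_bit_string_content(SAMPLE_SPK_DER)
    print("keyIdentifier (1) =", key_identifier_sha1(spk).hex())
    print("keyIdentifier (2) =", key_identifier_truncated(spk).hex())
```

Because der_integer returns a Python int, the 20-byte sample decodes without truncation; a decoder that copies the value into a 32-bit field would either overflow or silently keep only part of the serial, and two different certificates could then look identical when a CRL entry is matched against them.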
keyidentifier RFC2459 (1) 160bit SHA-1 keyidentifier CA keyidentifier keyidentifier X.509 critical
7 Public-keys and public-key certificates
( ) Some extensions can only be marked critical. In these cases a validation engine that understands the extension, processes it and acceptance/rejection of the certificate is dependent (at least in part) on the content of the extension. A validation engine that does not understand the extension rejects the certificate.
Some extensions can only be marked non-critical. In these cases a validation engine that understands the extension processes it and acceptance/rejection of the certificate is dependent (at least in part) on the content of the extension. A validation engine that does not understand the extension accepts the certificate (unless factors other than this extension cause it to be rejected).
Some extensions can be marked critical or non-critical. In these cases a validation engine that understands the extension processes it and acceptance/rejection of the certificate is dependent (at least in part) on the content of the extension, regardless of the criticality flag. A validation engine that does not understand the extension accepts the certificate if the extension is marked non-critical (unless factors other than this extension cause it to be rejected) and rejects the certificate if the extension is marked critical. ( )
RFC2459
4.2 Standard Certificate Extensions
The extensions defined for X.509 v3 certificates provide methods for associating additional attributes with users or public keys and for managing the certification hierarchy. The X.509 v3 certificate format also allows communities to define private extensions to carry information unique to those communities. Each extension in a certificate may be designated as critical or non-critical. A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize; however, a non-critical extension may be ignored if it is not recognized. The following sections present recommended extensions used within Internet certificates and standard locations for information. Communities may elect to use additional extensions; however, caution should be exercised in adopting any critical extensions in certificates which might prevent use in a general context. ( )
Conforming CAs MUST support key identifiers (see sec. 4.2.1.1 and 4.2.1.2), basic constraints (see sec. 4.2.1.10), key usage (see sec. 4.2.1.3), and certificate policies (see sec. 4.2.1.5) extensions. If the CA issues certificates with an empty sequence for the subject field, the CA MUST support the subject alternative name extension (see sec. 4.2.1.7). Support for the remaining extensions is OPTIONAL. Conforming CAs may support extensions that are not identified within this specification; certificate issuers are cautioned that marking such extensions as critical may inhibit interoperability.
At a minimum, applications conforming to this profile MUST recognize the extensions which must or may be critical in this specification. These extensions are: key usage (see sec. 4.2.1.3), certificate policies (see sec. 4.2.1.5), the subject alternative name (see sec. 4.2.1.7), basic constraints (see sec. 4.2.1.10), name constraints (see sec. 4.2.1.11), policy constraints (see sec. 4.2.1.12), and extended key usage (see sec. 4.2.1.13). In addition, this profile RECOMMENDS application support for the authority and subject key identifier (see sec. 4.2.1.1 and 4.2.1.2) extensions.
keyusage basicconstraints non-critical RFC2459 keyusage RFC2459 keyusage keyusage critical
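The basicConstraints and pathLenConstraint rules (X.509 8.4.2.1), the keyUsage bits (8.2.2.3) and the criticality rule just quoted from RFC 2459 4.2 are the checks a path validator applies to each certificate. The added example below puts them together for a path given trust anchor first and end entity last; it is not code from the report or from any product it tested. The Extension and Cert classes, validate_path and check_extensions are this example's own names, the KU_* constants follow the a) to i) order of the keyUsage quote, and the sample chain is constructed from the DN components quoted in the report.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Extension OIDs named in RFC 2459 4.2: the seven an application MUST recognise and
# the two key identifiers it RECOMMENDS.
OID_SUBJECT_KEY_ID = "2.5.29.14"
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NAME_CONSTRAINTS = "2.5.29.30"
OID_CERT_POLICIES = "2.5.29.32"
OID_AUTHORITY_KEY_ID = "2.5.29.35"
OID_POLICY_CONSTRAINTS = "2.5.29.36"
OID_EXT_KEY_USAGE = "2.5.29.37"
RECOGNISED: Set[str] = {
    OID_SUBJECT_KEY_ID, OID_KEY_USAGE, OID_SUBJECT_ALT_NAME, OID_BASIC_CONSTRAINTS,
    OID_NAME_CONSTRAINTS, OID_CERT_POLICIES, OID_AUTHORITY_KEY_ID,
    OID_POLICY_CONSTRAINTS, OID_EXT_KEY_USAGE,
}

# KeyUsage bit numbers in the order X.509 8.2.2.3 lists them, a) to i)
(KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT, KU_DATA_ENCIPHERMENT,
 KU_KEY_AGREEMENT, KU_KEY_CERT_SIGN, KU_CRL_SIGN, KU_ENCIPHER_ONLY, KU_DECIPHER_ONLY) = range(9)


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object   # decoded content: a dict for basicConstraints, a set of bits for keyUsage


@dataclass
class Cert:
    subject: str
    issuer: str
    extensions: List[Extension] = field(default_factory=list)

    def ext(self, oid: str) -> Optional[Extension]:
        return next((e for e in self.extensions if e.oid == oid), None)


def check_extensions(cert: Cert, recognised: Set[str] = RECOGNISED) -> List[str]:
    """RFC 2459 4.2: an unrecognised critical extension forces rejection; an unrecognised
    non-critical one is simply ignored."""
    return [f"{cert.subject}: unrecognised critical extension {e.oid}"
            for e in cert.extensions if e.critical and e.oid not in recognised]


def validate_path(path: List[Cert]) -> List[str]:
    """Apply the basicConstraints (X.509 8.4.2.1) and keyUsage keyCertSign checks to a path
    ordered trust anchor first and end entity last. Returns the problems found; an empty
    list means the path passes. Names are compared as plain strings here; a real
    implementation applies the X.520 matching rules to the DNs."""
    problems: List[str] = []
    remaining: Optional[int] = None   # CA certificates still permitted below; None = no limit
    for idx, cert in enumerate(path):
        problems.extend(check_extensions(cert))
        if idx > 0 and cert.issuer != path[idx - 1].subject:
            problems.append(f"{cert.subject}: issuer does not match the previous subject")
        if idx == len(path) - 1:
            continue                    # end-entity certificate: no CA checks apply
        bc = cert.ext(OID_BASIC_CONSTRAINTS)
        is_ca = bool(bc and bc.value.get("ca"))
        if not is_ca:
            problems.append(f"{cert.subject}: used as a CA but basicConstraints.ca is not TRUE")
        elif not bc.critical:
            problems.append(f"{cert.subject}: basicConstraints must be critical in a CA certificate")
        ku = cert.ext(OID_KEY_USAGE)
        if ku is not None and KU_KEY_CERT_SIGN not in ku.value:
            problems.append(f"{cert.subject}: keyUsage present without keyCertSign")
        if idx > 0 and remaining is not None:   # this CA certificate follows a superior CA
            if remaining == 0:
                problems.append(f"{cert.subject}: exceeds the pathLenConstraint of a superior CA")
            else:
                remaining -= 1
        if is_ca and bc.value.get("pathLenConstraint") is not None:
            limit = bc.value["pathLenConstraint"]
            remaining = limit if remaining is None else min(remaining, limit)
    return problems


# Constructed sample chain built from the DN components quoted in the report.
def _ca(subject, issuer, path_len=None, critical=True):
    return Cert(subject, issuer, [
        Extension(OID_BASIC_CONSTRAINTS, critical, {"ca": True, "pathLenConstraint": path_len}),
        Extension(OID_KEY_USAGE, True, {KU_KEY_CERT_SIGN, KU_CRL_SIGN}),
    ])


def _ee(subject, issuer, extra=()):
    return Cert(subject, issuer, [
        Extension(OID_KEY_USAGE, True, {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT}), *extra])


ROOT = _ca("o=jnsa,c=jp", "o=jnsa,c=jp", path_len=1)
SUB = _ca("ou=challengepki2001,o=jnsa,c=jp", "o=jnsa,c=jp", path_len=0)
ALICE = _ee("ou=alice,ou=challengepki2001,o=jnsa,c=jp", "ou=challengepki2001,o=jnsa,c=jp")
```

validate_path([ROOT, SUB, ALICE]) returns no problems: SUB carries pathLenConstraint 0, so it may issue only to end entities, and ALICE is one. Inserting a further CA below SUB, or presenting ALICE as an issuer, produces the corresponding messages rather than a silent pass.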
RFC2459 non-critical keyusage keyusage digitalsignature SSL keyusage critical keyusage SSL critical OCSP CRL CRL/ARL X.509 CRL X.509
8.6.2.1 CRL distribution points extension
( ) This field identifies the CRL distribution point or points to which a certificate user should refer to ascertain if the certificate has been revoked. A certificate user can obtain a CRL from an applicable distribution point or it may be able to obtain a current complete CRL from the authority directory entry. The distributionPoint component identifies the location from which the CRL can be obtained. If this component is absent, the distribution point name defaults to the CRL issuer name.
8.6.2.2 Issuing distribution point extension
This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for authority certificates only, or for a limited set of reasons only. The CRL is signed by the CRL issuer's key - CRL distribution points do not have their own key pairs. However, for a CRL distributed via the Directory, the CRL is stored in the entry of the CRL distribution point, which may not be the directory entry of the CRL issuer. If this field is absent, the CRL shall contain entries for all revoked unexpired certificates issued by the CRL issuer.
Annex B CRL Generation and Processing Rules
( ) B.3.2 End-entity with no critical CRL DP
If the certificate is an end-entity certificate and the cRLDistributionPoints extension is absent from the certificate or present and not flagged critical, revocation status for the reason codes of interest may be satisfied by any combination of the following CRLs:
  Distribution point CRLs (if present);
  Complete CRLs;
  Complete EPRLs. ( )
B.3.4 CA with no critical CRL DP
If the certificate is a CA certificate and the cRLDistributionPoints extension is absent from the certificate or present and not flagged critical, revocation status for the reason codes of interest may be satisfied by any combination of the following CRLs:
  Distribution point CRLs/CARLs (if present);
  Complete CRLs;
  Complete CARLs.
If the freshest CRL extension is also present in the certificate and if flagged critical, one or more CRLs/CARLs shall also be obtained from one or more of the nominated distribution points in that extension, ensuring that freshest revocation information for all reason codes of interest is checked.
a) crldistributionpoint
a-1) distributionpoint.fullname directoryname IP directoryname certificaterevocationlist authorityrevocationlist
a-2) distributionpoint.fullname URI URI URI HTTP LDAP
b) crldistributionpoint issuer a-1) issuer certificaterevocationlist authorityrevocationlist
a) b) certificaterevocationlist authorityrevocationlist ca issuingdistributionpoint
CRL URI CRLDP URI LDAPHTTP CRL CRLDP CRLDP CRL CRLDP CRL out-of-bounds CRL crldistributionpoints nextupdate X.509 RFC2459
B.1.2 CRL processing
( ) If a relying party is using CRLs as the mechanism to determine if a certificate is revoked, they shall be sure to use the appropriate CRL(s) for that certificate. This annex describes a procedure for obtaining and processing appropriate CRLs by walking through a number of specific steps. An implementation shall be functionally equivalent to the external behaviour resulting from this procedure. The algorithm used by a particular implementation to derive the correct output (i.e. revocation status for a certificate) from the given inputs (the certificate itself and input from local policy) is not standardized. For example, although this procedure is described as a sequence of steps to be processed in order, an implementation may use CRLs which are in its local cache rather than retrieving CRLs each time it processes a certificate, providing those CRLs are complete for the scope of the certificate and do not violate any of the parameters of the certificate or policy. ( )
3.1 X.509 Version 3 Certificate
( ) A certificate has a limited valid lifetime which is indicated in its signed contents. Because a certificate's signature and timeliness can be independently checked by a certificate-using client, certificates can be distributed via untrusted communications and server systems, and can be cached in unsecured storage in certificate-using systems. ( )
crldistributionpoints issuingdistributionpoint distributionpoint CRL nextupdate CRL CRL CRL static ARL CA CA CA CA CA nextupdate ARL CA X.509
B.5.3 Validity and currency checks on the base CRL
In order to verify that a base CRL is accurate and has not been modified since its issuance, all of the following conditions shall be satisfied:
  The relying party shall be able to obtain the public key of the issuer identified in the CRL using authenticated means; and
  The signature on the base CRL shall be verified using this authenticated public key; and
  If the nextUpdate field is present, the current time should be prior to the nextUpdate field; and
  The issuer name in the CRL shall match the issuer name in the certificate that is being checked for revocation, unless the CRL is retrieved from the CRL DP in the certificate and the CRL DP extension contains the CRL issuer component. In that case, one of the names in CRL issuer component in the CRL DP extension shall match issuer name in the CRL. ( )
RFC2459 critical issuingdistributionpoint RFC2459 draft-ietf-pkix-new-part1-12.txt
5.2.5 Issuing Distribution Point
The issuing distribution point is a critical CRL extension that identifies the CRL distribution point for a particular CRL, and it indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension. ( )
thisupdatenextupdate issuer critical issuingdistributionpoint X.509 RFC2459
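The four B.5.3 conditions on a base CRL, implemented as an added example that is not code from the report or from any product it tested. The DistributionPoint, Certificate and CRL classes, check_base_crl and verify_stand_in are this example's own names; the CA's public-key signature is replaced by an HMAC keyed with a constructed secret so that the example runs offline (only the verify callable would change for a real RSA-signed CRL), and the issuer names, key, times and URL are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class DistributionPoint:
    """One element of cRLDistributionPoints: the fullName URIs and, if present, the cRLIssuer names."""
    uris: List[str] = field(default_factory=list)
    crl_issuer: List[str] = field(default_factory=list)


@dataclass
class Certificate:
    subject: str
    issuer: str
    crl_dps: List[DistributionPoint] = field(default_factory=list)


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: Optional[datetime]
    tbs: bytes          # the signed portion (tbsCertList in DER for a real CRL)
    signature: bytes


def check_base_crl(crl: CRL, cert: Certificate, trusted_keys: Dict[str, bytes],
                   verify: Callable[[CRL, bytes], bool], now: datetime,
                   retrieved_from: Optional[DistributionPoint] = None) -> List[str]:
    """X.509 Annex B.5.3: the four conditions a base CRL must satisfy before it may be
    used to decide the revocation status of cert. Returns the unmet conditions; an empty
    list means the CRL is acceptable. Names are compared as plain strings here; a real
    implementation applies the X.520 matching rules."""
    problems: List[str] = []
    key = trusted_keys.get(crl.issuer)            # condition 1: issuer key obtained by authenticated means
    if key is None:
        problems.append(f"no authenticated public key for CRL issuer {crl.issuer}")
    elif not verify(crl, key):                    # condition 2: signature over the CRL verifies
        problems.append("CRL signature does not verify")
    if crl.next_update is not None and not now < crl.next_update:   # condition 3: still current
        problems.append("nextUpdate has passed; a fresher CRL is required")
    # condition 4: issuer name agreement; the DP's cRLIssuer component is the only way an
    # indirect CRL from another issuer may be accepted
    if retrieved_from is not None and retrieved_from.crl_issuer:
        if crl.issuer not in retrieved_from.crl_issuer:
            problems.append("CRL issuer matches none of the cRLIssuer names in the CRL DP")
    elif crl.issuer != cert.issuer:
        problems.append("CRL issuer differs from the certificate issuer")
    return problems


# Stand-in for the issuer's public-key signature (constructed for this example): an HMAC
# keyed with a sample secret plays the role of the CA key pair.
def _sign(tbs: bytes, key: bytes) -> bytes:
    return hmac.new(key, tbs, hashlib.sha256).digest()


def verify_stand_in(crl: CRL, key: bytes) -> bool:
    return hmac.compare_digest(crl.signature, _sign(crl.tbs, key))


def make_crl(issuer: str, this_update: datetime, next_update: Optional[datetime], key: bytes) -> CRL:
    tbs = "|".join([issuer, this_update.isoformat(), next_update.isoformat() if next_update else ""]).encode()
    return CRL(issuer, this_update, next_update, tbs, _sign(tbs, key))


# Constructed sample data: names built from the DN components quoted in the report,
# a sample key, a fixed "now" and a placeholder URL.
ISSUER = "ou=challengepki2001,o=jnsa,c=jp"
SAMPLE_KEY = b"constructed-sample-key"
TRUSTED_KEYS = {ISSUER: SAMPLE_KEY}
NOW = datetime(2001, 12, 1, tzinfo=timezone.utc)
ALICE = Certificate("ou=alice,ou=challengepki2001,o=jnsa,c=jp", ISSUER,
                    [DistributionPoint(uris=["http://crl.example.com/placeholder.crl"])])
FRESH_CRL = make_crl(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), SAMPLE_KEY)
STALE_CRL = make_crl(ISSUER, NOW - timedelta(days=30), NOW - timedelta(days=23), SAMPLE_KEY)
```

check_base_crl(FRESH_CRL, ALICE, TRUSTED_KEYS, verify_stand_in, NOW) returns an empty list; the same call with STALE_CRL reports the nextUpdate condition, and a CRL whose tbs bytes were altered after signing fails the signature condition. The function reports every unmet condition rather than stopping at the first, which is what an interoperability tester wants to see in a log.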
8 PKI X.509v3 v3 CRLv2 X.509v3 CRLv2 1997 X.509 1997 X.509 14 PKI PKI PKI PKI PKI PKI PKI PKI Challenge PKI 2001 PKI v3 v3 PKI Challenge PKI 2001 PKI Challenge PKI 2001 EEMA PKI Challenge 9 PKI
Challenge PKI 2001 PKI X.509 RFC2459 CA PKI Challenge PKI 2001 CA CA Challenge PKI 2001 GPKI Windows 2000 IE OutlookExpress GPKI Windows-XP GPKI CA PKI Entrust GPKI CRL ARL Entrust CRL/ARL CA CRL/ARL Entrust CRL/ARL Challenge PKI 2001 Challenge PKI 2001 NPO JNSA
SI Challenge PKI 2001 PKI Challenge Challenge PKI 2001 Challenge PKI 2001 Challenge PKI 2001 PKI Challenge PKI 2001 3 CA CA CA PKI EEMA PKI Challenge NIST
Challenge PKI 2001 PKI Challenge PKI 2001 PKI EEMA PKI Challenge PKI 3 Challenge PKI 2001 CA PKI EEMA PKI Challenge EEMA PKI Challenge EU Challenge PKI 2001 PKI EEMA PKI Challenge Challenge PKI 2001 EEMA PKI Challenge PKI Challenge PKI 2001 3 CA CA OCSP GPKI OCSP Challenge PKI 2001 CRL OCSP/CRL OCSP Challenge PKI 2001 PKI
GPKI Challenge PKI 2001 3 3 PKI Challenge PKI 2001 PKI PKI NIST X.509 Path Validation Test Suite, Version 1.0 http://csrc.nist.gov/pki/testing/x509paths.html X.509 76 PKI Challenge PKI 2001 3 1 3 Getronics PKI
PKI PKI PKI PKI PKI PKI PKI PKI PKI PKI
FAX FAX 03-5978-7518 IPA