Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services
RFC 1424 Key Certification and Related Services February 1993
change in the requestor's distinguished name.
A certification authority signs a certificate only if both signatures
in the certification request are valid.
The new certificate contains the subject name and public key from the
self-signed certificate, and an issuer name, serial number, validity
period, and signature algorithm of the certification authority's
choice. (The validity period may be derived from the self-signed
certificate.) Following RFC 1422, the issuer may be any whose
distinguished name is superior to the subject's distinguished name,
typically the one closest to the subject. The certification authority
signs the certificate with the issuer's private key, then transforms
the request into a reply containing the new certificate (see Section
3.2 for details).
The certification reply includes a certification path from the new
certificate to the RFC 1422 Internet certification authority. It may
also include other certificates such as cross-certificates that the
certification authority considers helpful to the requestor.
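The certification decision described above, as an added example written for this page (it is not code from RFC 1424 or from any PEM implementation): the CA verifies the self-signed certificate's own signature and the requestor's signature over the request, then issues a certificate that copies the subject name and public key, takes the validity period from the self-signed certificate, and uses a serial number and issuer of the CA's choosing. Assumptions: Go's crypto/x509 with Ed25519 stands in for the RSA-signed PEM messages of 1993, the request body is simply the self-signed certificate's DER, and the names "Sample CA" and "alice@example.org" are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSigned makes a self-signed certificate for name (a CA root when isCA), standing in for the one in a request.
func selfSigned(name string, isCA bool) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand: key generation does not fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// signRequest is the requestor's second signature: over the request body (here the
// self-signed certificate's DER) with the private key that certificate vouches for.
func signRequest(self *x509.Certificate, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, self.Raw)
}

// certify applies the rule of section 2.1: sign only if both signatures verify. Subject and
// public key are copied; the serial is the CA's choice and the validity period is derived.
func certify(self *x509.Certificate, reqSig []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := self.CheckSignature(self.SignatureAlgorithm, self.RawTBSCertificate, self.Signature); err != nil {
		return nil, err // first signature: the self-signed certificate itself
	}
	pub, ok := self.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, self.Raw, reqSig) {
		return nil, errors.New("requestor signature over the request is invalid")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: self.Subject,
		NotBefore: self.NotBefore, NotAfter: self.NotAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The recipient of the reply checks the one-hop certification path with `cert.CheckSignatureFrom(ca)`; a request whose second signature was made with a key other than the certified one is refused, which is what ties the name in the certificate to possession of the private key.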
2.2 CRL Storage
The CRL storage service stores CRLs. The service takes a CRL-storage
request (see Section 3.3) specifying the CRLs to be stored, stores
the CRLs, and returns a CRL-storage reply (see Section 3.4)
acknowledging the request.
The certification authority stores a CRL only if its signature and
certification path are valid, following concepts in RFC 1422.
(Although a certification path is not required in a CRL-storage
request, it may help the certification authority validate the CRL.)
2.3 CRL Retrieval
The CRL retrieval service retrieves the latest CRLs of specified
certificate issuers. The service takes a CRL-retrieval request (see
Section 3.5), retrieves the latest CRLs the request specifies, and
returns a CRL-retrieval reply (see Section 3.6) containing the CRLs.
There may be more than one "latest" CRL for a given issuer, if that
issuer has more than one public key (see RFC 1422 for details).
The CRL-retrieval reply includes a certification path from each
retrieved CRL to the RFC 1422 Internet certification authority. It
may also include other certificates such as cross-certificates that
the certification authority considers helpful to the requestor.
Kaliski