Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services


RFC 1424        Key Certification and Related Services     February 1993


   change in the requestor's distinguished name.

   A certification authority signs a certificate only if both signatures
   in the certification request are valid.

   The new certificate contains the subject name and public key from the
   self-signed certificate, and an issuer name, serial number, validity
   period, and signature algorithm of the certification authority's
   choice. (The validity period may be derived from the self-signed
   certificate.) Following RFC 1422, the issuer may be any whose
   distinguished name is superior to the subject's distinguished name,
   typically the one closest to the subject. The certification authority
   signs the certificate with the issuer's private key, then transforms
   the request into a reply containing the new certificate (see Section
   3.2 for details).

   The certification reply includes a certification path from the new
   certificate to the RFC 1422 Internet certification authority. It may
   also include other certificates such as cross-certificates that the
   certification authority considers helpful to the requestor.

2.2 CRL Storage

   The CRL storage service stores CRLs. The service takes a CRL-storage
   request (see Section 3.3) specifying the CRLs to be stored, stores
   the CRLs, and returns a CRL-storage reply (see Section 3.4)
   acknowledging the request.

   The certification authority stores a CRL only if its signature and
   certification path are valid, following concepts in RFC 1422.
   (Although a certification path is not required in a CRL-storage
   request, it may help the certification authority validate the CRL.)

2.3 CRL Retrieval

   The CRL retrieval service retrieves the latest CRLs of specified
   certificate issuers. The service takes a CRL-retrieval request (see
   Section 3.5), retrieves the latest CRLs the request specifies, and
   returns a CRL-retrieval reply (see Section 3.6) containing the CRLs.

   There may be more than one "latest" CRL for a given issuer, if that
   issuer has more than one public key (see RFC 1422 for details).

   The CRL-retrieval reply includes a certification path from each
   retrieved CRL to the RFC 1422 Internet certification authority. It
   may also include other certificates such as cross-certificates that
   the certification authority considers helpful to the requestor.




Kaliski