An Internet Attribute Certificate Profile for Authorization




RFC 3281           An Internet Attribute Certificate          April 2002


           4.2.3  Issuer........................................... 12
           4.2.4  Signature........................................ 12
           4.2.5  Serial Number.................................... 12
           4.2.6  Validity Period.................................. 13
           4.2.7  Attributes....................................... 13
           4.2.8  Issuer Unique Identifier......................... 14
           4.2.9  Extensions....................................... 14
       4.3  Extensions............................................. 14
           4.3.1  Audit Identity................................... 14
           4.3.2  AC Targeting..................................... 15
           4.3.3  Authority Key Identifier......................... 17
           4.3.4  Authority Information Access..................... 17
           4.3.5  CRL Distribution Points.......................... 17
           4.3.6  No Revocation Available.......................... 18
       4.4  Attribute Types........................................ 18
           4.4.1  Service Authentication Information............... 19
           4.4.2  Access Identity.................................. 19
           4.4.3  Charging Identity................................ 20
           4.4.4  Group............................................ 20
           4.4.5  Role............................................. 20
           4.4.6  Clearance........................................ 21
       4.5  Profile of AC issuer's PKC............................. 22
   5. Attribute Certificate Validation............................. 23
   6. Revocation................................................... 24
   7. Optional Features............................................ 25
       7.1  Attribute Encryption................................... 25
       7.2  Proxying............................................... 27
       7.3  Use of ObjectDigestInfo................................ 28
       7.4  AA Controls............................................ 29
   8. Security Considerations...................................... 30
   9. IANA Considerations.......................................... 32
   10. References.................................................. 32
   Appendix A: Object Identifiers.................................. 34
   Appendix B: ASN.1 Module........................................ 35
   Author's Addresses.............................................. 39
   Acknowledgements................................................ 39
   Full Copyright Statement........................................ 40

1. Introduction

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119.

   X.509 public key certificates (PKCs) [X.509-1997, X.509-2000,
   PKIXPROF] bind an identity and a public key.  An attribute
   certificate (AC) is a structure similar to a PKC; the main difference
   being that the AC contains no public key.  An AC may contain



Farrell & Housley           Standards Track