RFC 3739            Qualified Certificates Profile            March 2004

Table of Contents

   1.  Introduction
       1.1.  Changes since RFC 3039
       1.2.  Definitions
   2.  Requirements and Assumptions
       2.1.  Properties
       2.2.  Statement of Purpose
       2.3.  Policy Issues
       2.4.  Uniqueness of Names
   3.  Certificate and Certificate Extensions Profile
       3.1.  Basic Certificate Fields
             3.1.1.  Issuer
             3.1.2.  Subject
       3.2.  Certificate Extensions
             3.2.1.  Subject Alternative Name
             3.2.2.  Subject Directory Attributes
             3.2.3.  Certificate Policies
             3.2.4.  Key Usage
             3.2.5.  Biometric Information
             3.2.6.  Qualified Certificate Statements
   4.  Security Considerations
   A.  ASN.1 Definitions
       A.1.  1988 ASN.1 Module (Normative)
       A.2.  1997 ASN.1 Module (Informative)
   B.  A Note on Attributes
   C.  Example Certificate
       C.1.  ASN.1 Structure
             C.1.1.  Extensions
             C.1.2.  The Certificate
       C.2.  ASN.1 Dump
       C.3.  DER-encoding
       C.4.  CA's Public Key
   References
   Authors' Addresses
   Full Copyright Statement

1.  Introduction

   This specification is one part of a family of standards for the X.509
   Public Key Infrastructure (PKI) for the Internet.  It is based on
   [X.509] and [RFC 3280], which defines underlying certificate formats
   and semantics needed for a full implementation of this standard.

   This profile includes specific mechanisms intended for use with
   Qualified Certificates.  The term Qualified Certificates and the
   assumptions that affect the scope of this document are discussed in
   Section 2.

Santesson, et al.           Standards Track