PKCS #10: Certification Request Syntax Specification Version 1
RFC 2986 Certification Request Syntax Specification November 2000
1. Introduction

This document describes syntax for certification requests. A
certification request consists of a distinguished name, a public key,
and optionally a set of attributes, collectively signed by the entity
requesting certification. Certification requests are sent to a
certification authority, which transforms the request into an X.509
[9] public-key certificate. (In what form the certification
authority returns the newly signed certificate is outside the scope
of this document. A PKCS #7 [2] message is one possibility.)

The intention of including a set of attributes is twofold: to provide
other information about a given entity, or a "challenge password" by
which the entity may later request certificate revocation; and to
provide attributes for inclusion in X.509 certificates. A
non-exhaustive list of attributes is given in PKCS #9 [3].

Certification authorities may also require non-electronic forms of
request and may return non-electronic replies. It is expected that
descriptions of such forms, which are outside the scope of this
document, will be available from certification authorities.

The preliminary intended application of this document is to support
PKCS #7 cryptographic messages, but it is expected that other
applications will be developed (see e.g. [4]).
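
The request described in this introduction, exercised with the openssl command-line tool as an added example (not part of RFC 2986): it builds a request carrying a distinguished name, a public key and a challengePassword attribute, then shows that editing the name without re-signing makes signature verification fail. The subject, password, file names and function names are constructed for illustration, and an openssl binary on the PATH is assumed.

```sh
#!/bin/sh

# make_csr DIR: generate a key pair and a PKCS #10 request (DIR/req.pem).
# The subject and the challenge password below are constructed sample values.
make_csr() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs
[ dn ]
CN = host.example.test
O  = Example Org
[ attrs ]
challengePassword = sample-secret-123
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
}

# csr_signature_ok FILE [PEM|DER]: succeed only if the signature verifies under
# the public key carried in the request itself. Matches the tool's "verify OK"
# message rather than relying on the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 |
        grep -q 'verify OK'
}

# csr_has_challenge FILE: succeed if a challengePassword attribute is present.
# The value is readable by anyone who sees the request; it is not encrypted.
csr_has_challenge() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q 'challengePassword'
}

# rewrite_subject FILE OUT: change the CN inside the DER encoding without
# re-signing. Same length, so the ASN.1 structure stays well-formed.
rewrite_subject() {
    openssl req -in "$1" -outform DER |
        LC_ALL=C sed 's/host\.example\.test/peer.example.test/' > "$2"
}

# demo: run the whole sequence in a temporary directory.
demo() {
    d=$(mktemp -d) && make_csr "$d" || return 1
    csr_signature_ok "$d/req.pem" && echo "original request: signature OK"
    csr_has_challenge "$d/req.pem" && echo "challengePassword attribute present"
    rewrite_subject "$d/req.pem" "$d/bad.der"
    csr_signature_ok "$d/bad.der" DER || echo "edited request: signature rejected"
    rm -rf "$d"
}
```

Calling `demo` prints one line per check. Because the signature covers the name, key and attributes together, a certification authority that verifies it will reject a request whose contents were changed after signing.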

2. Definitions and notation

2.1 Definitions

For the purposes of this document, the following definitions apply.

ALGORITHM
    An information object class defined in X.509 to
    describe objects composed of an algorithm (a unique
    object identifier) and its parameters (any ASN.1
    type). The values of objects in this class can be
    represented by the ASN.1 type AlgorithmIdentifier{}.
    ALGORITHM is defined as the "useful" information
    object class TYPE-IDENTIFIER, specified in [11],
    Annex A.

AlgorithmIdentifier{}
    A useful parameterized version of X.509 type
    AlgorithmIdentifier is defined in this document.
    This type tightly binds pairs of algorithm object
    identifiers to their associated parameter types.
    When referenced, the single parameter of
    AlgorithmIdentifier{} specifies a constraint on the

Nystrom & Kaliski Informational