RFC 3820 X.509 Proxy Certificate Profile June 2004 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of Approach . . . . . . . . . . . . . . . . . . . . . 4 2.1. Terminology. . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Motivation for Proxying. . . . . . . . . . . . . . . . . 5 2.4. Motivation for Restricted Proxies. . . . . . . . . . . . 7 2.5. Motivation for Unique Proxy Name . . . . . . . . . . . . 8 2.6. Description Of Approach. . . . . . . . . . . . . . . . . 9 2.7. Features Of This Approach. . . . . . . . . . . . . . . . 10 3. Certificate and Certificate Extensions Profile . . . . . . . . 12 3.1. Issuer . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2. Issuer Alternative Name. . . . . . . . . . . . . . . . . 12 3.3. Serial Number. . . . . . . . . . . . . . . . . . . . . . 12 3.4. Subject. . . . . . . . . . . . . . . . . . . . . . . . . 13 3.5. Subject Alternative Name . . . . . . . . . . . . . . . . 13 3.6. Key Usage and Extended Key Usage . . . . . . . . . . . . 13 3.7. Basic Constraints. . . . . . . . . . . . . . . . . . . . 14 3.8. The ProxyCertInfo Extension. . . . . . . . . . . . . . . 14 4. Proxy Certificate Path Validation. . . . . . . . . . . . . . . 17 4.1. Basic Proxy Certificate Path Validation. . . . . . . . . 19 4.2. Using the Path Validation Algorithm. . . . . . . . . . . 23 5. Commentary . . . . . . . . . . . . . . . . . . . . . . . . . . 24 5.1. Relationship to Attribute Certificates . . . . . . . . . 24 5.2. Kerberos 5 Tickets . . . . . . . . . . . . . . . . . . . 28 5.3. Examples of usage of Proxy Restrictions. . . . . . . . . 28 5.4. Delegation Tracing . . . . . . . . . . . . . . . . . . . 29 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 30 6.1. Compromise of a Proxy Certificate. . . . . . . . . . . . 30 6.2. Restricting Proxy Certificates . . . . . . . . . . . . . 31 6.3. Relying Party Trust of Proxy Certificates. . . . . . . . 31 6.4. Protecting Against Denial of Service with Key Generation 32 6.5. Use of Proxy Certificates in a Central Repository. . . . 32 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 33 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33 8.1. Normative References . . . . . . . . . . . . . . . . . . 33 8.2. Informative References . . . . . . . . . . . . . . . . . 33 9. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 34 Appendix A. 1988 ASN.1 Module. . . . . . . . . . . . . . . . . . . 35 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36 Full Copyright Notice. . . . . . . . . . . . . . . . . . . . . . . 37 Tuecke, et al. Standards Track