
RFC 3820            X.509 Proxy Certificate Profile            June 2004


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Overview of Approach . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.  Background . . . . . . . . . . . . . . . . . . . . . . .  5
       2.3.  Motivation for Proxying. . . . . . . . . . . . . . . . .  5
       2.4.  Motivation for Restricted Proxies. . . . . . . . . . . .  7
       2.5.  Motivation for Unique Proxy Name . . . . . . . . . . . .  8
       2.6.  Description Of Approach. . . . . . . . . . . . . . . . .  9
       2.7.  Features Of This Approach. . . . . . . . . . . . . . . . 10
   3.  Certificate and Certificate Extensions Profile . . . . . . . . 12
       3.1.  Issuer . . . . . . . . . . . . . . . . . . . . . . . . . 12
       3.2.  Issuer Alternative Name. . . . . . . . . . . . . . . . . 12
       3.3.  Serial Number. . . . . . . . . . . . . . . . . . . . . . 12
       3.4.  Subject. . . . . . . . . . . . . . . . . . . . . . . . . 13
       3.5.  Subject Alternative Name . . . . . . . . . . . . . . . . 13
       3.6.  Key Usage and Extended Key Usage . . . . . . . . . . . . 13
       3.7.  Basic Constraints. . . . . . . . . . . . . . . . . . . . 14
       3.8.  The ProxyCertInfo Extension. . . . . . . . . . . . . . . 14
   4.  Proxy Certificate Path Validation. . . . . . . . . . . . . . . 17
       4.1.  Basic Proxy Certificate Path Validation. . . . . . . . . 19
       4.2.  Using the Path Validation Algorithm. . . . . . . . . . . 23
   5.  Commentary . . . . . . . . . . . . . . . . . . . . . . . . . . 24
       5.1.  Relationship to Attribute Certificates . . . . . . . . . 24
       5.2.  Kerberos 5 Tickets . . . . . . . . . . . . . . . . . . . 28
       5.3.  Examples of usage of Proxy Restrictions. . . . . . . . . 28
       5.4.  Delegation Tracing . . . . . . . . . . . . . . . . . . . 29
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 30
       6.1.  Compromise of a Proxy Certificate. . . . . . . . . . . . 30
       6.2.  Restricting Proxy Certificates . . . . . . . . . . . . . 31
       6.3.  Relying Party Trust of Proxy Certificates. . . . . . . . 31
       6.4.  Protecting Against Denial of Service with Key Generation 32
       6.5.  Use of Proxy Certificates in a Central Repository. . . . 32
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 33
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 33
       8.2.  Informative References . . . . . . . . . . . . . . . . . 33
   9.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 34
   Appendix A. 1988 ASN.1 Module. . . . . . . . . . . . . . . . . . . 35
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
   Full Copyright Notice. . . . . . . . . . . . . . . . . . . . . . . 37

Tuecke, et al.              Standards Track