Security - News

05 / 2008
Selected for you by: TR - Tomáš Rosa, JP - Jaroslav Pinkava, PV - Pavel Vondruška, VK - Vlastimil Klíma

An important RFC has been published: RFC 5280 - PKIX Certificate and Certificate Revocation List (CRL) Profile


This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices.

This specification obsoletes [RFC3280]. Differences from RFC 3280 are summarized below:
* Enhanced support for internationalized names is specified in Section 7, with rules for encoding and comparing Internationalized Domain Names, Internationalized Resource Identifiers (IRIs), and distinguished names. These rules are aligned with comparison rules established in current RFCs, including [RFC3490], [RFC3987], and [RFC4518].
* Sections and incorporate the conditions for continued use of legacy text encoding schemes that were specified in [RFC4630]. Where in use by an established PKI, transition to UTF8String could cause denial of service based on name chaining failures or incorrect processing of name constraints.
* Section in RFC 3280, which specified the privateKeyUsagePeriod certificate extension but deprecated its use, was removed. Use of this ISO standard extension is neither deprecated nor recommended for use in the Internet PKI.
* Section recommends marking the policy mappings extension as critical. RFC 3280 required that the policy mappings extension be marked as non-critical.
* Section requires marking the policy constraints extension as critical. RFC 3280 permitted the policy constraints extension to be marked as critical or non-critical.
* The Authority Information Access (AIA) CRL extension, as specified in [RFC4325], was added as Section 5.2.7.
* Sections 5.2 and 5.3 clarify the rules for handling unrecognized CRL extensions and CRL entry extensions, respectively.
* Section 5.3.2 in RFC 3280, which specified the holdInstructionCode CRL entry extension, was removed.
* The path validation algorithm specified in Section 6 no longer tracks the criticality of the certificate policies extensions in a chain of certificates. In RFC 3280, this information was returned to a relying party.
* The Security Considerations section addresses the risk of circular dependencies arising from the use of https or similar schemes in the CRL distribution points, authority information access, or subject information access extensions.
* The Security Considerations section addresses risks associated with name ambiguity.
* The Security Considerations section references RFC 4210 for procedures to signal changes in CA operations.
The ASN.1 modules in Appendix A are unchanged from RFC 3280, except that ub-emailaddress-length was changed from 128 to 255 in order to align with PKCS #9 [RFC2985].
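As an added example (not code from the RFC or from this news item), the following Python walks an X.509 v3 Extensions SEQUENCE with a minimal DER parser and applies the rules the list above tightens: policy mappings should now be marked critical, policy constraints must be marked critical, and a certificate carrying an unrecognized critical extension must be rejected. The sample Extensions block is constructed inline with a small DER encoder, so no real certificate is involved; the OID 1.2.3.4.5 is a hypothetical private extension used only to trigger the rejection rule.

```python
"""Added example: RFC 5280 extension-criticality checks over a constructed
X.509 v3 Extensions SEQUENCE (not code from the RFC or the article).
1.2.3.4.5 is a hypothetical private extension OID."""


# ---- minimal DER encoder (just enough to build the sample) ----

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def extension(dotted, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits DEFAULT values, so the BOOLEAN is present only when TRUE."""
    body = oid(dotted)
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value)
    return tlv(0x30, body)


# ---- minimal DER decoder ----

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    v = 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_extensions(der):
    """Return [(oid, critical, extnValue), ...] from an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, raw_oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional BOOLEAN sits between extnID and extnValue
            critical = val != b"\x00"
            _, val, p = read_tlv(ext, p)
        exts.append((decode_oid(raw_oid), critical, val))
    return exts


# ---- RFC 5280 rules: Section 4.2 (unrecognized critical -> reject),
# ---- policy mappings SHOULD be critical, policy constraints MUST be critical

KNOWN = {
    "2.5.29.15": "keyUsage",
    "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints",
    "2.5.29.33": "policyMappings",
    "2.5.29.36": "policyConstraints",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}
MUST_BE_CRITICAL = {"2.5.29.36"}
SHOULD_BE_CRITICAL = {"2.5.29.33"}


def check_extensions(der):
    """Return (errors, warnings); any error means the certificate is rejected."""
    errors, warnings, seen = [], [], set()
    for o, crit, _ in parse_extensions(der):
        if o in seen:
            errors.append(f"duplicate extension {o}")  # at most one instance per OID
        seen.add(o)
        name = KNOWN.get(o)
        if name is None:
            if crit:
                errors.append(f"unrecognized critical extension {o}")
            else:
                warnings.append(f"ignoring unrecognized non-critical extension {o}")
        elif o in MUST_BE_CRITICAL and not crit:
            errors.append(f"{name} MUST be marked critical")
        elif o in SHOULD_BE_CRITICAL and not crit:
            warnings.append(f"{name} SHOULD be marked critical")
    return errors, warnings


# Constructed sample: RFC 3280-style (non-critical) policy extensions plus a
# hypothetical private extension. Policy bodies are placeholders; only the
# criticality flag is inspected here.
SAMPLE = tlv(0x30,
    extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff")), critical=True)  # basicConstraints cA=TRUE
    + extension("2.5.29.33", tlv(0x30, b""))                              # policyMappings, non-critical
    + extension("2.5.29.36", tlv(0x30, b""))                              # policyConstraints, non-critical
    + extension("1.2.3.4.5", tlv(0x04, b""), critical=True)               # hypothetical, critical
)

if __name__ == "__main__":
    errs, warns = check_extensions(SAMPLE)
    print("errors:", errs)
    print("warnings:", warns)
```

Run stand-alone, the checker rejects the sample on two counts (the non-critical policy constraints and the unknown critical extension) and warns about the non-critical policy mappings; re-encoding the policy extensions with critical=True clears both findings, which is exactly the migration a CA following RFC 3280 has to make.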
Source: http://www.rfc-editor.org/rfc/rfc5280.txt
Author: JP
