GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc1422

Network Working Group S. Kent Request for Comments: 1422 BBN Obsoletes: 1114 IAB IRTF PSRG, IETF PEM

                                                         February 1993
         Privacy Enhancement for Internet Electronic Mail:
             Part II: Certificate-Based Key Management

Status of this Memo

 This RFC specifies an IAB standards track protocol for the Internet
 community, and requests discussion and suggestions for improvements.
 Please refer to the current edition of the "IAB Official Protocol
 Standards" for the standardization state and status of this protocol.
 Distribution of this memo is unlimited.

Acknowledgements

 This memo is the outgrowth of a series of meetings of the Privacy and
 Security Research Group of the Internet Research Task Force (IRTF)
 and the Privacy-Enhanced Electronic Mail Working Group of the
 Internet Engineering Task Force (IETF).  I would like to thank the
 members of the PSRG and the PEM WG for their comments and
 contributions at the meetings which led to the preparation of this
 document.  I also would like to thank contributors to the PEM-DEV
 mailing list who have provided valuable input which is reflected in
 this memo.

1. Executive Summary

 This is one of a series of documents defining privacy enhancement
 mechanisms for electronic mail transferred using Internet mail
 protocols.  RFC 1421 [6] prescribes protocol extensions and
 processing procedures for RFC-822 mail messages, given that suitable
 cryptographic keys are held by originators and recipients as a
 necessary precondition.  RFC 1423 [7] specifies algorithms, modes and
 associated identifiers for use in processing privacy-enhanced
 messages, as called for in RFC 1421 and this document.  This document
 defines a supporting key management architecture and infrastructure,
 based on public-key certificate techniques, to provide keying
 information to message originators and recipients.  RFC 1424 [8]
 provides additional specifications for services in conjunction with
 the key management infrastructure described herein.
 The key management architecture described in this document is
 compatible with the authentication framework described in CCITT 1988
 X.509 [2].  This document goes beyond X.509 by establishing

Kent [Page 1] RFC 1422 Certificate-Based Key Management February 1993

 procedures and conventions for a key management infrastructure for
 use with Privacy Enhanced Mail (PEM) and with other protocols, from
 both the TCP/IP and OSI suites, in the future.  There are several
 motivations for establishing these procedures and conventions (as
 opposed to relying only on the very general framework outlined in
 X.509):
  1. It is important that a certificate management infrastructure

for use in the Internet community accommodate a range of

         clearly-articulated certification policies for both users
         and   organizations in a well-architected fashion.
         Mechanisms must be provided to enable each user to be
         aware of the policies governing any certificate which the
         user may encounter.  This requires the introduction
         and standardization of procedures and conventions that are
         outside the scope of X.509.
  1. The procedures for authenticating originators and recipient in

the course of message submission and delivery should be

         simple, automated and uniform despite the existence of
         differing certificate management policies.  For example,
         users should not have to engage in careful examination of a
         complex set of certification relationships in order to
         evaluate the credibility of a claimed identity.
  1. The authentication framework defined by X.509 is designed to

operate in the X.500 directory server environment. However

         X.500 directory servers are not expected to be ubiquitous
         in the Internet in the near future, so some conventions
         are adopted to facilitate operation of the key management
         infrastructure in the near term.
  1. Public key cryptosystems are central to the authentication

technology of X.509 and those which enjoy the most

         widespread use are patented in the U.S.  Although this
         certification management scheme is compatible with
         the use of different digital signature algorithms, it is
         anticipated that the RSA cryptosystem will be used as
         the primary signature algorithm in establishing the
         Internet certification hierarchy.  Special license
         arrangements have been made to facilitate the
         use of this algorithm in the U.S. portion of Internet
         environment.
 The infrastructure specified in this document establishes a single
 root for all certification within the Internet, the Internet Policy
 Registration Authority (IPRA).  The IPRA establishes global policies,
 described in this document, which apply to all certification effected

Kent [Page 2] RFC 1422 Certificate-Based Key Management February 1993

 under this hierarchy.  Beneath IPRA root are Policy Certification
 Authorities (PCAs), each of which establishes and publishes (in the
 form of an informational RFC) its policies for registration of users
 or organizations.  Each PCA is certified by the IPRA. (It is
 desirable that there be a relatively small number of PCAs, each with
 a substantively different policy, to facilitate user familiarity with
 the set of PCA policies.  However there is no explicit requirement
 that the set of PCAs be limited in this fashion.)  Below PCAs,
 Certification Authorities (CAs) will be established to certify users
 and subordinate organizational entities (e.g., departments, offices,
 subsidiaries, etc.).  Initially, we expect the majority of users will
 be registered via organizational affiliation, consistent with current
 practices for how most user mailboxes are provided.  In this sense
 the registration is analogous to the issuance of a university or
 company ID card.
 Some CAs are expected to provide certification for residential users
 in support of users who wish to register independent of any
 organizational affiliation.  Over time, we anticipate that civil
 government entities which  already provide analogous identification
 services in other contexts, e.g.,  driver's licenses, may provide
 this service.  For users who wish anonymity while taking advantage of
 PEM privacy facilities, one or more PCAs will be established with
 policies that allow for registration of users, under subordinate CAs,
 who do not wish to disclose their identities.

2. Overview of Approach

 This document defines a key management architecture based on the use
 of public-key certificates, primarily in support of the message
 encipherment and authentication procedures defined in RFC 1421.  The
 concept of public-key certificates is defined in X.509 and this
 architecture is a compliant subset of that envisioned in X.509.
 Briefly, a (public-key) certificate is a data structure which
 contains the name of a user (the "subject"), the public component
 (This document adopts the terms "private component" and "public
 component" to refer to the quantities which are, respectively, kept
 secret and made publicly available in asymmetric cryptosystems.  This
 convention is adopted to avoid possible confusion arising from use of
 the term "secret key" to refer to either the former quantity or to a
 key in a symmetric cryptosystem.)  of that user, and the name of an
 entity (the "issuer") which vouches that the public component is
 bound to the named user.  This data, along with a time interval over
 which the binding is claimed to be valid, is cryptographically signed
 by the issuer using the issuer's private component.  The subject and
 issuer names in certificates are Distinguished Names (DNs) as defined
 in the directory system (X.500).

Kent [Page 3] RFC 1422 Certificate-Based Key Management February 1993

 Once signed, certificates can be stored in directory servers,
 transmitted via non-secure message exchanges, or distributed via any
 other means that make certificates easily accessible to message
 system users, without regard for the security of the transmission
 medium.  Certificates are used in PEM to provide the originator of a
 message with the (authenticated) public component of each recipient
 and to provide each recipient with the (authenticated) public
 component of the originator.  The following brief discussion
 illustrates the procedures for both originator and recipients.
 Prior to sending an encrypted message (using PEM), an originator must
 acquire a certificate for each recipient and must validate these
 certificates.  Briefly, validation is performed by checking the
 digital signature in the certificate, using the public component of
 the issuer whose private component was used to sign the certificate.
 The issuer's public component is made available via some out of band
 means (for the IPRA) or is itself distributed in a certificate to
 which this validation procedure is applied recursively.  In the
 latter case, the issuer of a user's certificate becomes the subject
 in a certificate issued by another certifying authority (or a PCA),
 thus giving rise to a certification hierarchy.  The validity interval
 for each certificate is checked and Certificate Revocation Lists
 (CRLs) are checked to ensure that none of the certificates employed
 in the validation process has been revoked by an issuer.
 Once a certificate for a recipient is validated, the public component
 contained in the certificate is extracted and used to encrypt the
 data encryption key (DEK), which, in turn, is used to encrypt the
 message itself.  The resulting encrypted DEK is incorporated into the
 Key-Info field of the message header.  Upon receipt of an encrypted
 message, a recipient employs his private component to decrypt this
 field, extracting the DEK, and then uses this DEK to decrypt the
 message.
 In order to provide message integrity and data origin authentication,
 the originator generates a message integrity code (MIC), signs
 (encrypts) the MIC using the private component of his public-key
 pair, and includes the resulting value in the message header in the
 MIC-Info field.  The certificate of the originator is (optionally)
 included in the header in the Certificate field as described in RFC
 1421.  This is done in order to facilitate validation in the absence
 of ubiquitous directory services.  Upon receipt of a privacy enhanced
 message, a recipient validates the originator's certificate (using
 the IPRA public component as the root of a certification path),
 checks to ensure that it has not been revoked, extracts the public
 component from the certificate, and uses that value to recover
 (decrypt) the MIC.  The recovered MIC is compared against the locally
 calculated MIC to verify the integrity and data origin authenticity

Kent [Page 4] RFC 1422 Certificate-Based Key Management February 1993

 of the message.

3. Architecture

 3.1  Scope and Restrictions
 The architecture described below is intended to provide a basis for
 managing public-key cryptosystem values in support of privacy
 enhanced electronic mail in the Internet environment.  The
 architecture describes procedures for registering certification
 authorities and users, for generating and distributing certificates,
 and for generating and distributing CRLs.  RFC 1421 describes the
 syntax and semantics of header fields used to transfer certificates
 and to represent the DEK and MIC in this public-key context.
 Definitions of the algorithms, modes of use and associated
 identifiers are separated in RFC 1423 to facilitate the adoption of
 additional algorithms in the future.  This document focuses on the
 management aspects of certificate-based, public-key cryptography for
 privacy enhanced mail.
 The proposed architecture imposes conventions for the certification
 hierarchy which are not strictly required by the X.509 recommendation
 nor by the technology itself.  These conventions are motivated by
 several factors, primarily the need for authentication semantics
 compatible with automated validation and the automated determination
 of the policies under which certificates are issued.
 Specifically, the architecture proposes a system in which user (or
 mailing list) certificates represent the leaves in a certification
 hierarchy.  This certification hierarchy is largely isomorphic to the
 X.500 directory naming hierarchy, with two exceptions: the IPRA forms
 the root of the tree (the root of the X.500 DIT is not instantiated
 as a node), and a number of Policy Certification Authorities (PCAs)
 form the "roots" of subtrees, each of which represents a different
 certification policy.
 Not every level in the directory hierarchy need correspond to a
 certification authority.  For example, the appearance of geographic
 entities in a distinguished name (e.g., countries, states, provinces,
 localities) does not require that various governments become
 certifying authorities in order to instantiate this architecture.
 However, it is anticipated that, over time, a number of such points
 in the hierarchy will be instantiated as CAs in order to simplify
 later transition of management to appropriate governmental
 authorities.
 These conventions minimize the complexity of validating user
 certificates, e.g., by making explicit the relationship between a

Kent [Page 5] RFC 1422 Certificate-Based Key Management February 1993

 certificate issuer and the user (via the naming hierarchy). Note that
 in this architecture, only PCAs may be certified by the IPRA, and
 every CA's certification path can be traced to a PCA, through zero or
 more CAs.  If a CA is certified by more than one PCA, each
 certificate issued by a PCA for the CA must contain a distinct public
 component.  These conventions result in a certification hierarchy
 which is a compatible subset of that permitted under X.509, with
 respect to both syntax and semantics.
 Although the key management architecture described in this document
 has been designed primarily to support privacy enhanced mail, this
 infrastructure also may, in principle, be used to support X.400 mail
 security facilities (as per 1988 X.411) and X.500 directory
 authentication facilities.  Thus, establishment of this
 infrastructure paves the way for use of these and other OSI protocols
 in the Internet in the future.  In the future, these certificates
 also may be employed in the provision of security services in other
 protocols in the TCP/IP and OSI suites as well.
 3.2  Relation to X.509 Architecture
 CCITT 1988 Recommendation X.509, "The Directory - Authentication
 Framework", defines a framework for authentication of entities
 involved in a distributed directory service.  Strong authentication,
 as defined in X.509, is accomplished with the use of public-key
 cryptosystems.  Unforgeable certificates are generated by
 certification authorities; these authorities may be organized
 hierarchically, though such organization is not required by X.509.
 There is no implied mapping between a certification hierarchy and the
 naming hierarchy imposed by directory system naming attributes.
 This document interprets the X.509 certificate mechanism to serve the
 needs of PEM in the Internet environment.  The certification
 hierarchy proposed in this document in support of privacy enhanced
 mail is intentionally a subset of that allowed under X.509.  This
 certification hierarchy also embodies semantics which are not
 explicitly addressed by X.509, but which are consistent with X.509
 precepts.  An overview of the rationale for these semantics is
 provided in Section 1.
 3.3  Certificate Definition
 Certificates are central to the key management architecture for X.509
 and PEM.  This section provides an overview of the syntax and a
 description of the semantics of certificates.  Appendix A includes
 the ASN.1 syntax for certificates.   A certificate includes the
 following contents:

Kent [Page 6] RFC 1422 Certificate-Based Key Management February 1993

     1.  version
     2.  serial number
     3.  signature (algorithm ID and parameters)
     4.  issuer name
     5.  validity period
     6.  subject name
     7.  subject public key (and associated algorithm ID)
 3.3.1  Version Number
 The version number field is intended to facilitate orderly changes in
 certificate formats over time.  The initial version number for
 certificates used in PEM is the X.509 default which has a value of
 zero (0), indicating the 1988 version.  PEM implementations are
 encouraged to accept later versions as they are endorsed by
 CCITT/ISO.
 3.3.2  Serial Number
 The serial number field provides a short form, unique identifier for
 each certificate generated by an issuer.  An issuer must ensure that
 no two distinct certificates with the same issuer DN contain the same
 serial number.  (This requirement must be met even when the
 certification function is effected on a distributed basis and/or when
 the same issuer DN is certified under two different PCAs.  This is
 especially critical for residential CAs certified under different
 PCAs.) The serial number is used in CRLs to identify revoked
 certificates, as described in Section 3.4.3.4.  Although this
 attribute is an integer, PEM UA processing of this attribute need not
 involve any arithmetic operations.  All PEM UA implementations must
 be capable of processing serial numbers at least 128 bits in length,
 and size-independent support serial numbers is encouraged.
 3.3.3  Signature
 This field specifies the algorithm used by the issuer to sign the
 certificate, and any parameters associated with the algorithm. (The
 certificate signature is appended to the data structure, as defined
 by the signature macro in X.509.  This algorithm identification
 information is replicated with the signature.)  The signature is
 validated by the UA processing a certificate, in order to determine
 that the integrity of its contents have not been modified subsequent

Kent [Page 7] RFC 1422 Certificate-Based Key Management February 1993

 to signing by a CA (IPRA, or PCA).  In this context, a signature is
 effected through the use of a Certificate Integrity Check (CIC)
 algorithm and a public-key encryption algorithm.  RFC 1423 contains
 the definitions and algorithm IDs for signature algorithms employed
 in this architecture.
 3.3.4  Subject Name
 A certificate provides a representation of its subject's identity in
 the form of a Distinguished Name (DN).  The fundamental binding
 ensured by the key management architecture is that between the public
 component and the user's identity in this form.  A distinguished name
 is an X.500 directory system concept and if a user is already
 registered in an X.500 directory, his distinguished name is defined
 via that registration.  Users who are not registered in a directory
 should keep in mind likely directory naming structure (schema) when
 selecting a distinguished name for inclusion in a certificate.
 3.3.5  Issuer Name
 A certificate provides a representation of its issuer's identity, in
 the form of a Distinguished Name.  The issuer identification is used
 to select the appropriate issuer public component to employ in
 performing certificate validation.  (If an issuer (CA) is certified
 by multiple PCAs, then the issuer DN does not uniquely identify the
 public component used to sign the certificate.  In such circumstances
 it may be necessary to attempt certificate validation using multiple
 public components, from certificates held by the issuer under
 different PCAs.  If the 1992 version of a certificate is employed,
 the issuer may employ distinct issuer UIDs in the certificates it
 issues, to further facilitate selection of the right issuer public
 component.) The issuer is the certifying authority (IPRA, PCA or CA)
 who vouches for the binding between the subject identity and the
 public key contained in the certificate.
 3.3.6  Validity Period
 A certificate carries a pair of date and time indications, indicating
 the start and end of the time period over which a certificate is
 intended to be used.  The duration of the interval may be constant
 for all user certificates issued by a given CA or it might differ
 based on the nature of the user's affiliation.  For example, an
 organization might issue certificates with shorter intervals to
 temporary employees versus permanent employees.  It is recommended
 that the UTCT (Coordinated Universal Time) values recorded here
 specify granularity to no more than the minute, even though finer
 granularity can be expressed in the format.  (Implementors are warned
 that no DER is defined for UTCT in X.509, thus transformation between

Kent [Page 8] RFC 1422 Certificate-Based Key Management February 1993

 local and transfer syntax must be performed carefully, e.g., when
 computing the hash value for a certificate.  For example, a UTCT
 value which includes explict, zero values for seconds would not
 produce the same hash value as one in which the seconds were
 omitted.) It also recommended that all times be expressed as
 Greenwich Mean Time (Zulu), to simplify comparisons and avoid
 confusion relating to daylight savings time.  Note that UTCT
 expresses the value of a year modulo 100 (with no indication of
 century), hence comparisons involving dates in different centuries
 must be performed with care.
 The longer the interval, the greater the likelihood that compromise
 of a private component or name change will render it invalid and thus
 require that the certificate be revoked.  Once revoked, the
 certificate must remain on the issuer's CRL (see Section 3.4.3.4)
 until the validity interval expires.  PCAs may impose restrictions on
 the maximum validity interval that may be elected by CAs operating in
 their certification domain (see Appendix B).
 3.3.7  Subject Public Key
 A certificate carries the public component of its associated subject,
 as well as an indication of the algorithm, and any algorithm
 parameters, with which the public component is to be used.  This
 algorithm identifier is independent of that which is specified in the
 signature field described above.  RFC 1423 specifies the algorithm
 identifiers which may be used in this context.
 3.4  Roles and Responsibilities
 One way to explain the architecture proposed by this document is to
 examine the roles which are defined for various entities in the
 architecture and to describe what is required of each entity in order
 for the proposed system to work properly.  The following sections
 identify four types of entities within this architecture: users and
 user agents, the Internet Policy Registration Authority, Policy
 Certification Authorities, and other Certification Authorities.  For
 each type of entity, this document specifies the procedures which the
 entity must execute as part of the architecture and the
 responsibilities the entity assumes as a function of its role in the
 architecture.
 3.4.1  Users and User Agents
 The term User Agent (UA) is taken from CCITT X.400 Message Handling
 Systems (MHS) Recommendations, which define it as follows: "In the
 context of message handling, the functional object, a component of
 MHS, by means of which a single direct user engages in message

Kent [Page 9] RFC 1422 Certificate-Based Key Management February 1993

 handling."   In the Internet environment, programs such as rand mh
 and Gnu emacs rmail are UAs.  UAs exchange messages by calling on a
 supporting Message Transfer Service (MTS), e.g., the SMTP mail relays
 used in the Internet.
 3.4.1.1  Generating and Protecting Component Pairs
 A UA process supporting PEM must protect the private component of its
 associated entity (e.g., a human user or a mailing list) from
 disclosure, though the means by which this is effected is a local
 matter.  It is essential that the user take all available precautions
 to protect his private component as the secrecy of this value is
 central to the security offered by PEM to that user.   For example,
 the private component might be stored in encrypted form, protected
 with a locally managed symmetric encryption key (e.g., using DES).
 The user would supply a password or passphrase which would be
 employed as a symmetric key to decrypt the private component when
 required for PEM processing (either on a per message or per session
 basis).  Alternatively, the private component might be stored on a
 diskette which would be inserted by the user whenever he originated
 or received PEM messages.  Explicit zeroing of memory locations where
 this component transiently resides could provide further protection.
 Other precautions, based on local operating system security
 facilities, also should be employed.
 It is recommended that each user employ ancillary software (not
 otherwise associated with normal UA operation) or hardware to
 generate his personal public-key component pair.  Software for
 generating user component pairs will be available as part of the
 reference implementation of PEM distributed freely in the U.S.
 portion of the Internet.  It is critically important that the
 component pair generation procedure be effected in as secure a
 fashion as possible, to ensure that the resulting private component
 is unpredictable.  Introduction of adequate randomness into the
 component pair generation procedure is potentially the most difficult
 aspect of this process and the user is advised to pay particular
 attention to this aspect.  (Component pairs employed in public-key
 cryptosystems tend to be large integers which must be "randomly"
 selected subject to mathematical constraints imposed by the
 cryptosystem.  Input(s) used to seed the component pair generation
 process must be as unpredictable as possible.  An example of a poor
 random number selection technique is one in which a pseudo-random
 number generator is seeded solely with the current date and time.  An
 attacker who could determine approximately when a component pair was
 generated could easily regenerate candidate component pairs and
 compare the public component to the user's public component to detect
 when the corresponding private component had been found.)

Kent [Page 10] RFC 1422 Certificate-Based Key Management February 1993

 There is no requirement imposed by this architecture that anyone
 other than the user, including any certification authority, have
 access to the user's private component.  Thus a user may retain his
 component pair even if his certificate changes, e.g., due to rollover
 in the validity interval or because of a change of certifying
 authority.  Even if a user is issued a certificate in the context of
 his employment, there is generally no requirement that the employer
 have access to the user's private component.  The rationale is that
 any messages signed by the user are verifiable using his public
 component.   In the event that the corresponding private component
 becomes unavailable, any ENCRYPTED messages directed to the user
 would be indecipherable and would require retransmission.
 Note that if the user stores messages in ENCRYPTED form, these
 messages also would become indecipherable in the event that the
 private component is lost or changed.  To minimize the potential for
 loss of data in such circumstances messages can be transformed into
 MIC-ONLY or MIC-CLEAR form if cryptographically-enforced
 confidentiality is not required for the messages stored within the
 user's computer.  Alternatively, these transformed messages might be
 forwarded in ENCRYPTED form to a (trivial) distribution list which
 serves in a backup capacity and for which the user's employer holds
 the private component.
 A user may possess multiple certificates which may embody the same or
 different public components.  For example, these certificates might
 represent  a current and a former organizational user identity and a
 residential user identity.  It is recommended that a PEM UA be
 capable of supporting a user who possess multiple certificates,
 irrespective of whether the certificates associated with the user
 contain the same or different DNs or public components.
 3.4.1.2  User Registration
 Most details of user registration are a local matter, subject to
 policies established by the user's CA and the PCA under which that CA
 has been certified.  In general a user must provide, at a minimum,
 his public component and distinguished name to a CA, or a
 representative thereof, for inclusion in the user's certificate.
 (The user also might provide a  complete certificate, minus the
 signature, as described in RFC 1424.)  The CA will employ some means,
 specified by the CA in accordance with the policy of its PCA, to
 validate the user's claimed identity and to ensure that the public
 component provided is associated with the user whose distinguished
 name is to be bound into the certificate.  (In the case of PERSONA
 certificates, described below, the procedure is a bit different.) The
 certifying authority generates a certificate containing the user's
 distinguished name and public component, the authority's

Kent [Page 11] RFC 1422 Certificate-Based Key Management February 1993

 distinguished name and other information (see Section 3.3) and signs
 the result using the private component of the authority.
 3.4.1.3  CRL Management
 Mechanisms for managing a UA certificate cache are, in typical
 standards parlance, a local matter.  However, proper maintenance of
 such a cache is critical to the correct, secure operation of a PEM UA
 and provides a basis for improved performance.  Moreover, use of a
 cache permits a PEM UA to operate in the absence of directories (and
 in circumstances where directories are inaccessible).  The following
 discussion  provides a paradigm for one aspect of cache management,
 namely the processing of CRLs, the functional equivalent of which
 must be embodied in any PEM UA implementation compliant with this
 document.  The specifications for CRLs used with PEM are provided in
 Section 3.5.
 X.500 makes provision for the storage of CRLs as directory attributes
 associated with CA entries.  Thus, when X.500 directories become
 widely available, UAs can retrieve CRLs from directories as required.
 In the interim, the IPRA will coordinate with PCAs to provide a
 robust database facility which will contain CRLs issued by the IPRA,
 by PCAs, and by all CAs.  Access to this database will be provided
 through mailboxes maintained by each PCA.  Every PEM UA must provide
 a facility for requesting CRLs from this database using the
 mechanisms defined in RFC 1424.  Thus the UA must include a
 configuration parameter which specifies one or more mailbox addresses
 from which CRLs may be retrieved.  Access to the CRL database may be
 automated, e.g., as part of the certificate validation process (see
 Section 3.6) or may be user directed.  Responses to CRL requests will
 employ the PEM header format specified in RFC 1421 for CRL
 propagation.  As noted in RFC 1421, every PEM UA must be capable of
 processing CRLs distributed via such messages.  This message format
 also may be employed to support a "push" (versus a "pull") model of
 CRL distribution, i.e., to support unsolicited distribution of CRLs.
 CRLs received by a PEM UA must be validated (A CRL is validated in
 much the same manner as a certificate, i.e., the CIC (see RFC 1113)
 is calculated and compared against the decrypted signature value
 obtained from the CRL.  See Section 3.6 for additional details
 related to validation of certificates.) prior to being processed
 against any cached certificate information.  Any cache entries which
 match CRL entries should be marked as revoked, but it is not
 necessary to delete cache entries marked as revoked nor to delete
 subordinate entries.  In processing a CRL against the cache it is
 important to recall that certificate serial numbers are unique only
 for each issuer and that multiple, distinct CRLs may be issued under
 the same CA DN (signed using different private components), so care

Kent [Page 12] RFC 1422 Certificate-Based Key Management February 1993

 must be exercised in effecting this cache search.  (This situation
 may arise either because an organizational CA is certified by
 multiple PCAs, or because multiple residential CAs are certified
 under different PCAs.)
 This procedure applies to cache entries associated with PCAs and CAs,
 as well as user entries.  The UA also must retain each CRL to screen
 incoming messages to detect use of revoked certificates carried in
 PEM message headers.  Thus a UA must be capable of processing and
 retaining CRLs issued by the IPRA (which will list revoked PCA
 certificates), by any PCA (which will list revoked CA certificate
 issued by that PCA), and by any CA (which will list revoked user or
 subordinate CA certificates issued by that CA).
 3.4.1.4  Facilitating Interoperation
 In the absence of ubiquitous directory services or knowledge
 (acquired through out-of-band means) that a recipient already
 possesses the necessary issuer certificates, it is recommended that
 an originating (PEM) UA include sufficient certificates to permit
 validation of the user's public key.  To this end every PEM UA must
 be capable of including a full (originator) certification path, i.e.,
 including the user's certificate (using the "Originator-Certificate"
 field) and every superior (CA/PCA) certificate (using "Issuer-
 Certificate" fields) back to the IPRA, in a PEM message.  A PEM UA
 may send less than a full certification path, e.g., based on analysis
 of a recipient list, but a UA which provides this sort of
 optimization must also provide the user with a capability to force
 transmission of a full certification path.
 Optimization for the transmitted originator certification path may be
 effected by a UA as a side effect of the processing performed during
 message submission.  When an originator submits an ENCRYPTED message
 (as per RFC 1421, his UA must validate the certificates of the
 recipients (see Section 3.6).  In the course of performing this
 validation the UA can determine the minimum set of certificates which
 must be included to ensure that all recipients can process the
 received message.  Submission of a MIC-ONLY or MIC-CLEAR message (as
 per RFC 1421) does not entail validation of recipient certificates
 and thus it may not be possible for the originator's UA to determine
 the minimum certificate set as above.
 3.4.2  The Internet Policy Registration Authority (IPRA)
 The IPRA acts as the root of the certification hierarchy for the
 Internet community.  The public component of the IPRA forms the
 foundation for all certificate validation within this hierarchy.  The
 IPRA will be operated under the auspices of the Internet Society, an

Kent [Page 13] RFC 1422 Certificate-Based Key Management February 1993

 international, non-profit organization.  The IPRA certifies all PCAs,
 ensuring that they agree to abide by the Internet-wide policy
 established by the IPRA.  This policy, and the services provided by
 the IPRA, are detailed below.
 3.4.2.1  PCA Registration
 The IPRA certifies only PCAs, not CAs or users.  Each PCA must file
 with the IPRA a description of its proposed policy.  This document
 will be published as an informational RFC.  A copy of the document,
 signed by the IPRA (in the form of a PEM MIC-ONLY message) will be
 made available via electronic mail access by the IPRA.  This
 convention is adopted so that every Internet user has a reference
 point for determining the policies associated with the issuance of
 any certificate which he may encounter.  The existence of a digitally
 signed copy of the document ensures the immutability of the document.
 Authorization of a PCA to operate in the Internet hierarchy is
 signified by the publication of the policy document, and the issuance
 of a certificate to the PCA, signed by the IPRA.  An outline for PCA
 policy statements is contained in Section 3.4.3 of this document.
 As part of registration, each PCA will be required to execute a legal
 agreement with the IPRA, and to pay a fee to defray the costs of
 operating the IPRA.  Each a PCA must specify its distinguished name.
 The IPRA will take reasonable precautions to ensure that the
 distinguished name claimed by a PCA is legitimate, e.g., requiring
 the PCA to provide documentation supporting its claim to a DN.
 However, the certification of a PCA by the IPRA does not constitute a
 endorsement of the PCA's claim to this DN outside of the context of
 this certification system.
 3.4.2.2  Ensuring the Uniqueness of Distinguished Names
 A fundamental requirement of this certification scheme is that
 certificates are not issued to distinct entities under the same
 distinguished name.  This requirement is important to the success of
 distributed management for the certification hierarchy.  The IPRA
 will not certify two PCAs with the same distinguished name and no PCA
 may certify two CAs with the same DN.  However, since PCAs are
 expected to certify organizational CAs in widely disjoint portions of
 the directory namespace, and since X.500 directories are not
 ubiquitous, a facility is required for coordination among PCAs to
 ensure the uniqueness of CA DNs.  (This architecture allows multiple
 PCAs to certify residential CAs and thus multiple, distinct
 residential CAs with identical DNs may come into existence, at least
 until such time as civil authorities assume responsibilities for such
 certification.  Thus, on an interim basis, the architecture
 explicitly accommodates the potential for duplicate residential CA

Kent [Page 14] RFC 1422 Certificate-Based Key Management February 1993

 DNs.)
 In support of the uniqueness requirement, the IPRA will establish and
 maintain a database to detect potential, unintended duplicate
 certification of CA distinguished names.  This database will be made
 accessible to all PCAs via an email interface.  Each entry in this
 database will consist of a 4-tuple.  The first element in each entry
 is a hash value, computed on a canonical, ASN.1 encoded
 representation of a CA distinguished name.  The second element
 contains the subjectPublicKey that appears in the CA's certificate.
 The third element is the distinguished name of the PCA which
 registered the entry.  The fourth element consists of the date and
 time at which the entry was made, as established by the IPRA.  This
 database structure provides a degree of privacy for CAs registered by
 PCAs, while providing a facility for ensuring global uniqueness of CA
 DNs certified in this scheme.
 In order to avoid conflicts, a PCA should query the database using a
 CA DN hash value as a search key, prior to certifying a CA.  The
 database will return any entries which match the query, i.e., which
 have the same CA DN.  The PCA can use the information contained in
 any returned entries to determine if any PCAs should be contacted to
 resolve possible DN conflicts.  If no potential conflicts appear, a
 PCA can then submit a candidate entry, consisting of the first three
 element values, plus any entries returned by the query.  The database
 will register this entry, supplying the time and date stamp, only if
 two conditions are met: (1) the first two elements (the CA DN hash
 and the CA subjectPublicKey) of the candidate entry together must be
 unique and, (2) any other entries included in the submission must
 match what the current database would return if the query
 corresponding to the candidate entry were submitted.
 If the database detects a conflicting entry (failure of case 1
 above), or if the submission indicates that the PCA's perception of
 possible conflicting entries is not current (failure of case 2), the
 submission is rejected and the database will return the potential
 conflicting entry (entries).  If the submission is successful, the
 database will return the timestamped new entry.  The database does
 not, in itself, guarantee uniqueness of CA DNs as it allows for two
 DNs associated with different public components to be registered.
 Rather, it is the responsibility of PCAs to coordinate with one
 another whenever the database indicates a potential DN conflict and
 to resolve such conflicts prior to certification of CAs.  Details of
 the protocol used to access the database will be provided in another
 document.
 As noted earlier, a CA may be certified under more than one PCA,
 e.g., because the CA wants to issue certificates under two different

Kent [Page 15] RFC 1422 Certificate-Based Key Management February 1993

 policies.  If a CA is certified by multiple different PCAs, the CA
 must employ a different public key pair for each PCA.  In such
 circumstances the certificate issued to the CA by each PCA will
 contain a different subjectPublicKey and thus will represent a
 different entry in this database.  The same situation may arise if
 multiple, equivalent residential CAs are certified by different PCAs.
 To complete the strategy for ensuring uniqueness of DNs, there is a
 DN subordination requirement levied on CAs.  In general, CAs are
 expected to sign certificates only if the subject DN in the
 certificate is subordinate to the issuer (CA) DN.  This ensures that
 certificates issued by a CA are syntactically constrained to refer to
 subordinate entities in the X.500 directory information tree (DIT),
 and this further limits the possibility of duplicate DN registration.
 CAs may sign certificates which do not comply with this requirement
 if the certificates are "cross-certificates" or "reverse
 certificates" (see X.509) used with applications other than PEM.
 The IPRA also will establish and maintain a separate database to
 detect potential duplicate certification of (residential) user
 distinguished names.  Each entry in this database will consist of 4-
 tuple as above, but the first components is the hash of a residential
 user DN and the third component is the DN of the residential CA DN
 which registered the user.  This structure provides a degree of
 privacy for users registered by CAs which service residential users
 while providing a facility for ensuring global uniqueness of user DNs
 certified under this scheme.  The same database access facilities are
 provided as described above for the CA database.  Here it is the
 responsibility of the CAs to coordinate whenever the database
 indicates a potential conflict and to resolve the conflict prior to
 (residential) user certification.
 3.4.2.3  Accuracy of Distinguished Names
 As noted above, the IPRA will make a reasonable effort to ensure that
 PCA DNs are accurate.  The procedures employed to ensure the accuracy
 of a CA distinguished name, i.e., the confidence attached to the
 DN/public component binding implied by a certificate, will vary
 according to PCA policy.  However, it is expected that every PCA will
 make a good faith effort to ensure the legitimacy of each CA DN
 certified by the PCA.  Part of this effort should include a check
 that the purported CA DN is consistent with any applicable national
 standards for DN assignment, e.g., NADF recommendations within North
 America [5,9].

Kent [Page 16] RFC 1422 Certificate-Based Key Management February 1993

 3.4.2.4  Distinguished Name Conventions
 A few basic DN conventions are included in the IPRA policy.  The IPRA
 will certify PCAs, but not CAs nor users.  PCAs will certify CAs, but
 not users.  These conventions are required to allow simple
 certificate validation within PEM, as described later.  Certificates
 issued by CAs (for use with PEM) will be for users or for other CAs,
 either of which must have DNs subordinate to that of the issuing CA.
 The attributes employed in constructing DNs will be specified in a
 list maintained by the IANA, to provide a coordinated basis for
 attribute identification for all applications employing DNs.  This
 list will initially be populated with attributes taken from X.520.
 This document does not impose detailed restrictions on the attributes
 used to identify different entities to which certificates are issued,
 but PCAs may impose such restrictions as part of their policies.
 PCAs, CAs and users are urged to employ only those DN attributes
 which have printable representations, to facilitate display and
 entry.
 3.4.2.5  CRL Management
 Among the procedures articulated by each PCA in its policy statement
 are procedures for the maintenance and distribution of CRLs by the
 PCA itself and by its subordinate CAs.  The frequency of issue of
 CRLs may vary according to PCA-specific policy, but every PCA and CA
 must issue a CRL upon inception to provide a basis for uniform
 certificate validation procedures throughout the Internet hierarchy.
 The IPRA will maintain a CRL for all the PCAs it certifies and this
 CRL will be updated monthly.  Each PCA will maintain a CRL for all of
 the CAs which it certifies and these CRLs will be updated in
 accordance with each PCA's policy.   The format for these CRLs is
 that specified in Section 3.5.2 of the document.
 In the absence of ubiquitous X.500 directory services, the IPRA will
 require each PCA to provide, for its users, robust database access to
 CRLs for the Internet hierarchy, i.e., the IPRA CRL, PCA CRLs, and
 CRLs from all CAs.  The means by which this database is implemented
 is to be coordinated between the IPRA and PCAs.  This database will
 be accessible via email as specified in RFC 1424, both for retrieval
 of (current) CRLs by any user, and for submission of new CRLs by CAs,
 PCAs and the IPRA.  Individual PCAs also may elect to maintain CRL
 archives for their CAs, but this is not required by this policy.
 3.4.2.6  Public Key Algorithm Licensing Issues
 This certification hierarchy is architecturally independent of any
 specific digital signature (public key) algorithm.  Some algorithms,

Kent [Page 17] RFC 1422 Certificate-Based Key Management February 1993

 employed for signing certificates and validating certificate
 signatures, are patented in some countries.  The IPRA will not grant
 a license to any PCA for the use of any signature algorithm in
 conjunction with the management of this certification hierarchy.  The
 IPRA will acquire, for itself, any licenses needed for it to sign
 certificates and CRLs for PCAs, for all algorithms which the IPRA
 supports.  Every PCA will be required to represent to the IPRA that
 the PCA has obtained any licenses required to issue (sign)
 certificates and CRLs in the environment(s) which the PCA will serve.
 For example, the RSA cryptosystem is patented in the United States
 and thus any PCA operating in the U.S. and using RSA to sign
 certificates and CRLs must represent that it has a valid license to
 employ the RSA algorithm in this fashion.  In contrast, a PCA
 employing RSA and operating outside of the U.S. would represent that
 it is exempt from these licensing constraints.
 3.4.3  Policy Certification Authorities
 The policy statement submitted by a prospective PCA must address the
 topics in the following outline.  Additional policy information may
 be contained in the statement, but PCAs are requested not to use
 these statements as advertising vehicles.
 1. PCA Identity-  The DN of the PCA must be specified.  A postal
 address, an Internet mail address, and telephone (and optional fax)
 numbers must be provided for (human) contact with the PCA.  The date
 on which this statement is effective, and its scheduled duration must
 be specified.
 2. PCA Scope- Each PCA must describe the community which the PCA
 plans to serve.  A PCA should indicate if it will certify
 organizational, residential, and/or PERSONA CAs.   There is not a
 requirement that a single PCA serve only one type of CA, but if a PCA
 serves multiple types of CAs, the policy statement must specify
 clearly how a user can distinguish among these classes.  If the PCA
 will operate CAs to directly serve residential or PERSONA users, it
 must so state.
 3. PCA Security & Privacy- Each PCA must specify the technical and
 procedural security measures it will employ in the generation and
 protection of its component pair.  If any security requirements are
 imposed on CAs certified by the PCA these must be specified as well.
 A PCA also must specify what measures it will take to protect the
 privacy of any information collected in the course of certifying CAs.
 If the PCA operates one or more CAs directly, to serve residential or
 PERSONA users, then this statement on privacy measures applies to
 these CAs as well.

Kent [Page 18] RFC 1422 Certificate-Based Key Management February 1993

 4. Certification Policy-  Each PCA must specify the policy and
 procedures which govern its certification of CAs and how this policy
 applies transitively to entities (users or subordinate CAs) certified
 by these CAs.  For example, a PCA must state what procedure is
 employed to verify the claimed identity of a CA, and the CA's right
 to use a DN.  Similarly, if any requirements are imposed on CAs to
 validate the identity of users, these requirements must be specified.
 Since all PCAs are required to cooperate in the resolution of
 potential DN conflicts, each PCA is required to specify the procedure
 it will employ to resolve such conflicts.  If the PCA imposes a
 maximum validity interval for the CA certificates it issues, and/or
 for user (or subordinate CA) certificates issued by the CAs it
 certifies, then these restrictions must be specified.
 5. CRL Management-  Each PCA must specify the frequency with which it
 will issue scheduled CRLs.  It also must specify any constraints it
 imposes on the frequency of scheduled issue of CRLs by the CAs it
 certifies, and by subordinate CAs.  Both maximum and minimum
 constraints should be specified.  Since the IPRA policy calls for
 each CRL issued by a CA to be forwarded to the cognizant PCA, each
 PCA must specify a mailbox address to which CRLs are to be
 transmitted.  The PCA also must specify a mailbox address for CRL
 queries.  If the PCA offers any additional CRL management services,
 e.g., archiving of old CRLs, then procedures for invoking these
 services must be specified.  If the PCA requires CAs to provide any
 additional CRL management services, such services must be specified
 here.
 6. Naming Conventions- If the PCA imposes any conventions on DNs used
 by the CAs it certifies, or by entities certified by these CAs, these
 conventions must be specified.  If any semantics are associated with
 such conventions, these semantics must be specified.
 7. Business Issues- If a legal agreement must be executed between a
 PCA and the CAs it certifies, reference to that agreement must be
 noted, but the agreement itself ought not be a part of the policy
 statement.  Similarly, if any fees are charged by the PCA this should
 be noted, but the fee structure per se ought not be part of this
 policy statement.
 8. Other- Any other topics the PCA deems relevant to a statement of
 its policy can be included.  However, the PCA should be aware that a
 policy statement is considered to be an immutable, long lived
 document and thus considerable care should be exercised in deciding
 what material is to be included in the statement.

Kent [Page 19] RFC 1422 Certificate-Based Key Management February 1993

 3.4.4  Certification Authorities
 In X.509 the term "certification authority" is defined as "an
 authority trusted by one or more users to create and assign
 certificates".  X.509 imposes few constraints on CAs, but practical
 implementation of a worldwide certification system requires
 establishment of technical and procedural conventions by which all
 CAs are expected to abide.  Such conventions are established
 throughout this document.  All CAs are required to maintain a
 database of the DNs which they have certified and to take measures to
 ensure that they do not certify duplicate DNs, either for users or
 for subordinate CAs.
 It is critical that the private component of a CA be afforded a high
 level of security, otherwise the authenticity guarantee implied by
 certificates signed by the CA is voided.  Some PCAs may impose
 stringent requirements on CAs within their purview to ensure that a
 high level of security is afforded the certificate signing process,
 but not all PCAs are expected to impose such constraints.
 3.4.4.1  Organizational CAs
 Many of the CAs certified by PCAs are expected to represent
 organizations.  A wide range of organizations are encompassed by this
 model: commercial, governmental, educational, non-profit,
 professional societies, etc.  The common thread is that the entities
 certified by these CAs have some form of affiliation with the
 organization.  The object classes for organizations, organizational
 units, organizational persons, organizational roles, etc., as defined
 in X.521, form the models for entities certified by such CAs.  The
 affiliation implied by organizational certification motivates the DN
 subordination requirement cited in Section 3.4.2.4.
 As an example, an organizational user certificate might contain a
 subject DN of the form: C = "US" SP = "Massachusetts" L = "Cambridge"
 O = "Bolt Beranek and Newman" OU = "Communications Division" CN =
 "Steve Kent".  The issuer of this certificate might have a DN of the
 form: C = "US" SP = "Massachusetts" L = "Cambridge" O= "Bolt Beranek
 and Newman".  Note that the organizational unit attribute is omitted
 from the issuer DN, implying that there is no CA dedicated to the
 "Communications Division".
 3.4.4.2  Residential CAs
 Users may wish to obtain certificates which do not imply any
 organizational affiliation but which do purport to accurately and
 uniquely identify them.  Such users can be registered as residential
 persons and the DN of such a user should be consistent with the

Kent [Page 20] RFC 1422 Certificate-Based Key Management February 1993

 attributes of the corresponding X.521 object class.  Over time we
 anticipate that such users will be accommodated by civil government
 entities who will assume electronic certification responsibility at
 geographically designated points in the naming hierarchy.  Until
 civil authorities are prepared to issue certificates of this form,
 residential user CAs will accommodate such users.
 Because residential CAs may be operated under the auspices of
 multiple PCAs, there is a potential for the same residential CA DN to
 be assumed by several distinct entities.  This represents the one
 exception to the rule articulated throughout this document that no
 two entities may have the same DN.  This conflict is tolerated so as
 to allow residential CAs to be established offering different
 policies.  Two requirements are levied upon residential CAs as a
 result: (1) residential CAs must employ the residential DN conflict
 detection database maintained by the IPRA, and (2) residential CAs
 must coordinate to ensure that they do not assign duplicate
 certificate serial numbers.
 As an example, a residential user certificate might include a subject
 name of the form: C = "US" SP = "Massachusetts" L = "Boston" PA = "19
 North Square" CN = "Paul Revere."  The issuer of that certificate
 might have a DN of the form: C = "US"  SP = "Massachusetts" L =
 "Boston".  Note that the issuer DN is superior to the subject DN, as
 required by the IPRA policy described earlier.
 3.4.4.3  PERSONA CAs
 One or more CAs will be established to accommodate users who wish to
 conceal their identities while making use of PEM security features,
 e.g., to preserve the anonymity offered by "arbitrary" mailbox names
 in the current mail environment.  In this case the certifying
 authority is explicitly NOT vouching for the identity of the user.
 All such certificates are issued under a PERSONA CA, subordinate to a
 PCA with a PERSONA policy, to warn users explicitly that the subject
 DN is NOT a validated user identity.  To minimize the possibility of
 syntactic confusion with certificates which do purport to specify an
 authenticated user identity, a PERSONA certificate is issued as a
 form of organizational user certificate, not a residential user
 certificate.  There are no explicit, reserved words used to identify
 PERSONA user certificates.
 A CA issuing PERSONA certificates must institute procedures to ensure
 that it does not issue the same subject DN to multiple users (a
 constraint required for all certificates of any type issued by any
 CA).  There are no requirements on an issuer of PERSONA certificates
 to maintain any other records that might bind the true identity of
 the subject to his certificate.  However, a CA issuing such

Kent [Page 21] RFC 1422 Certificate-Based Key Management February 1993

 certificates must establish procedures (not specified in this
 document) in order to allow the holder of a PERSONA certificate to
 request that his certificate be revoked (i.e., listed on a CRL).
 As an example, a PERSONA user certificate might include a subject DN
 of the form:  C = "US" SP = "Massachusetts" L = "Boston" O =
 "Pseudonyms R US" CN = "Paul Revere."  The issuer of this certificate
 might have a DN of the form: C = "US"  SP = "Massachusetts" L =
 "Boston" O = "Pseudonyms R US".  Note the differences between this
 PERSONA user certificate for "Paul Revere" and the corresponding
 residential user certificate for the same common name.
 3.4.4.4  CA Responsibilities for CRL Management
 As X.500 directory servers become available, CRLs should be
 maintained and accessed via these servers.  However, prior to
 widespread deployment of X.500 directories, this document adopts some
 additional requirements for CRL management by CAs and PCAs.  As per
 X.509, each CA is required to maintain a CRL (in the format specified
 by this document in Appendix A) which contains entries for all
 certificates issued and later revoked by the CA.  Once a certificate
 is entered on a CRL it remains there until the validity interval
 expires.  Each PCA is required to maintain a CRL for revoked CA
 certificates within its domain.  The interval at which a CA issues a
 CRL is not fixed by this document, but the PCAs may establish minimum
 and maximum intervals for such issuance.
 As noted earlier, each PCA will provide access to a database
 containing CRLs issued by the IPRA, PCAs, and all CAs.  In support of
 this requirement, each CA must supply its current CRL to its PCA in a
 fashion consistent with CRL issuance rules imposed by the PCA and
 with the next scheduled issue date specified by the CA (see Section
 3.5.1).  CAs may distribute CRLs to subordinate UAs using the CRL
 processing type available in PEM messages (see RFC 1421).  CAs also
 may provide access to CRLs via the database mechanism described in
 RFC 1424 and alluded to immediately above.
 3.5  Certificate Revocation
 3.5.1  X.509 CRLs
 X.509 states that it is a CA's responsibility to maintain: "a time-
 stamped list of the certificates it issued which have been revoked."
 There are two primary reasons for a CA to revoke a certificate, i.e.,
 suspected compromise of a private component (invalidating the
 corresponding public component) or change of user affiliation
 (invalidating the DN).  The use of Certificate Revocation Lists
 (CRLs) as defined in X.509 is one means of propagating information

Kent [Page 22] RFC 1422 Certificate-Based Key Management February 1993

 relative to certificate revocation, though it is not a perfect
 mechanism.  In particular, an X.509 CRL indicates only the age of the
 information contained in it; it does not provide any basis for
 determining if the list is the most current CRL available from a
 given CA.
 The proposed architecture establishes a format for a CRL in which not
 only the date of issue, but also the next scheduled date of issue is
 specified.  Adopting this convention, when the next scheduled issue
 date arrives a CA (Throughout this section, when the term "CA" is
 employed, it should be interpreted broadly, to include the IPRA and
 PCAs as well as organizational, residential, and PERSONA CAs.) will
 issue a new CRL, even if there are no changes in the list of entries.
 In this fashion each CA can independently establish and advertise the
 frequency with which CRLs are issued by that CA.  Note that this does
 not preclude CRL issuance on a more frequent basis, e.g., in case of
 some emergency, but no system-wide mechanisms are architected for
 alerting users that such an unscheduled issuance has taken place.
 This scheduled CRL issuance convention allows users (UAs) to
 determine whether a given CRL is "out of date," a facility not
 available from the (1988) X.509 CRL format.
 The description of CRL management in the text and the format for CRLs
 specified in X.509 (1988) are inconsistent.  For example, the latter
 associates an issuer distinguished name with each revoked certificate
 even though the text states that a CRL contains entries for only a
 single issuer (which is separately specified in the CRL format).  The
 CRL format adopted for PEM is a (simplified) format consistent with
 the text of X.509, but not identical to the accompanying format. The
 ASN.1 format for CRLs used with PEM is provided in Appendix A.
 X.509 also defines a syntax for the "time-stamped list of revoked
 certificates representing other CAs."  This syntax, the
 "AuthorityRevocationList" (ARL) allows the list to include references
 to certificates issued by CAs other than the list maintainer.  There
 is no syntactic difference between these two lists except as they are
 stored in directories.  Since PEM is expected to be used prior to
 widespread directory deployment, this distinction between ARLs and
 CRLs is not syntactically significant.  As a simplification, this
 document specifies the use the CRL format defined below for
 revocation both of user and of CA certificates.
 3.5.2  PEM CRL Format
 Appendix A contains the ASN.1 description of CRLs specified by this
 document.  This section provides an informal description of CRL
 components analogous to that provided for certificates in Section
 3.3.

Kent [Page 23] RFC 1422 Certificate-Based Key Management February 1993

     1. signature (signature algorithm ID and parameters)
     2. issuer
     3. last update
     4. next update
     5. revoked certificates
 The "signature" is a data item completely analogous to the signature
 data item in a certificate. Similarly, the "issuer" is the DN of the
 CA which signed the CRL.  The "last update" and "next update" fields
 contain time and date values (UTCT format) which specify,
 respectively, when this CRL was issued and when the next CRL is
 scheduled to be issued.  Finally, "revoked certificates" is a
 sequence of ordered pairs, in which the first element is the serial
 number of the revoked certificate and the second element is the time
 and date of the revocation for that certificate.
 The semantics for this second element are not made clear in X.509.
 For example, the time and date specified might indicate when a
 private component was thought to have been compromised or it may
 reflect when the report of such compromise was reported to the CA.
 For uniformity, this document adopts the latter convention, i.e., the
 revocation date specifies the time and date at which a CA formally
 acknowledges a report of a compromise or a change or DN attributes.
 As with certificates, it is recommended that the UTCT values be of no
 finer granularity than minutes and that all values be stated in terms
 of Zulu.
 3.6  Certificate Validation
 3.6.1  Validation Basics
 Every UA must contain the public component of the IPRA as the root
 for its certificate validation database.  Public components
 associated with PCAs must be identified as such, so that the
 certificate validation process described below can operate correctly.
 Whenever a certificate for a PCA is entered into a UA cache, e.g., if
 encountered in a PEM message encapsulated header, the certificate
 must NOT be entered into the cache automatically.  Rather, the user
 must be notified and must explicitly direct the UA to enter any PCA
 certificate data into the cache.  This precaution is essential
 because introduction of a PCA certificate into the cache implies user
 recognition of the policy associated with the PCA.

Kent [Page 24] RFC 1422 Certificate-Based Key Management February 1993

 Validating a certificate begins with verifying that the signature
 affixed to the certificate is valid, i.e., that the hash value
 computed on the certificate contents matches the value that results
 from decrypting the signature field using the public component of the
 issuer.  In order to perform this operation the user must possess the
 public component of the issuer, either via some integrity-assured
 channel, or by extracting it from another (validated) certificate.
 In order to rapidly terminate this recursive validation process, we
 recommend each PCA sign certificates for all CAs within its domain,
 even CAs which are certified by other, superior CAs in the
 certification hierarchy.
 The public component needed to validate certificates signed by the
 IPRA is made available to each user as part of the registration or
 via the PEM installation process.  Thus a user will be able to
 validate any PCA certificate immediately.  CAs are certified by PCAs,
 so validation of a CA certificate requires processing a validation
 path of length two.  User certificates are issued by CAs (either
 immediately subordinate to PCAs or subordinate to other CAs), thus
 validation of a user certificate may require three or more steps.
 Local caching of validated certificates by a UA can be used to speed
 up this process significantly.
 Consider the situation in which a user receives a privacy enhanced
 message from an originator with whom the recipient has never
 previously corresponded, and assume that the message originator
 includes a full certification path in the PEM message header.  First
 the recipient can use the IPRA's public component to validate a PCA
 certificate contained in an Issuer-Certificate field.  Using the
 PCA's public component extracted from this certificate, the CA
 certificate in an Issuer-Certificate field also can be validated.
 This process cam be repeated until the certificate for the
 originator, from the Originator-Certificate field, is validated.
 Having performed this certificate validation process, the recipient
 can extract the originator's public component and use it to decrypt
 the content of the MIC-Info field.  By comparing the decrypted
 contents of this field against the MIC computed locally on the
 message the user verifies the data origin authenticity and integrity
 of the message.  It is recommended that implementations of privacy
 enhanced mail cache validated public components (acquired from
 incoming mail) to speed up this process.  If a message arrives from
 an originator whose public component is held in the recipient's cache
 (and if the cache is maintained in a fashion that ensures timely
 incorporation of received CRLs), the recipient can immediately employ
 that public component without the need for the certificate validation
 process described here. (For some digital signature algorithms, the
 processing required for certificate validation is considerably faster

Kent [Page 25] RFC 1422 Certificate-Based Key Management February 1993

 than that involved in signing a certificate.  Use of such algorithms
 serves to minimize the computational burden on UAs.)
 3.6.2  Display of Certificate Validation Data
 PEM provides authenticated identities for message recipients and
 originators expressed in the form of distinguished names.  Mail
 systems in which PEM is employed may employ identifiers other than
 DNs as the primary means of identifying recipients or originators.
 Thus, in order to benefit from these authentication facilities, each
 PEM implementation must employ some means of binding native mail
 system identifiers to distinguished names in a fashion which does not
 undermine this basic PEM functionality.
 For example, if a human user interacts directly with PEM, then the
 full DN of the originator of any message received using PEM should be
 displayed for the user.  Merely displaying the PEM-protected message
 content, containing an originator name from the native mail system,
 does not provide equivalent security functionality and could allow
 spoofing.  If the recipient of a message is a forwarding agent such
 as a list exploder or mail relay, display of the originator's DN is
 not a relevant requirement.  In all cases the essential requirement
 is that the ultimate recipient of a PEM message be able to ascertain
 the identity of the originator based on the PEM certification system,
 not on unauthenticated identification information, e.g., extracted
 from the native message system.
 Conversely, for the originator of an ENCRYPTED message, it is
 important that recipient identities be linked to the DNs as expressed
 in PEM certificates.  This can be effected in a variety of ways by
 the PEM implementation, e.g., by display of recipient DNs upon
 message submission or by a tightly controlled binding between local
 aliases and the DNs.  Here too, if the originator is a forwarding
 process this linkage might be effected via various mechanisms not
 applicable to direct human interaction.  Again, the essential
 requirement is to avoid procedures which might undermine the
 authentication services provided by PEM.
 As described above, it is a local matter how and what certification
 information is displayed for a human user in the course of submission
 or delivery of a PEM message.  Nonetheless all PEM implementations
 must provide a user with the ability to display a full certification
 path for any certificate employed in PEM upon demand.  Implementors
 are urged to not overwhelm the user with certification path
 information which might confuse him or distract him from the critical
 information cited above.

Kent [Page 26] RFC 1422 Certificate-Based Key Management February 1993

 3.6.3  Validation Procedure Details
 Every PEM implementation is required to perform the following
 validation steps for every public component employed in the
 submission of an ENCRYPTED PEM message or the delivery of an
 ENCRYPTED, MIC-ONLY, or MIC-CLEAR PEM message.  Each public component
 may be acquired from an internal source, e.g., from a (secure) cache
 at the originator/recipient or it may be obtained from an external
 source, e.g., the PEM header of an incoming message or a directory.
 The following procedures applies to the validation of certificates
 from either type of source.
 Validation of a public component involves constructing a
 certification path between the component and the public component of
 the IPRA.  The validity interval for every certificate in this path
 must be checked.  PEM software must, at a minimum, warn the user if
 any certificate in the path fails the validity interval check, though
 the form of this warning is a local matter.  For example, the warning
 might indicate which certificate in the path had expired.  Local
 security policy may prohibit use of expired certificates.
 Each certificate also must be checked against the current CRL from
 the certificate's issuer to ensure that revoked certificates are not
 employed.  If the UA does not have access to the current CRL for any
 certificate in the path, the user must be warned.  Again, the form of
 the warning is a local matter.  For example, the warning might
 indicate whether the CRL is unavailable or, if available but not
 current, the CRL issue date should be displayed. Local policy may
 prohibit use of a public component which cannot be checked against a
 current CRL, and in such cases the user should receive the same
 information provided by the warning indications described above.
 If any revoked certificates are encountered in the construction of a
 certification path, the user must be warned.  The form of the warning
 is a local matter, but it is recommended that this warning be more
 stringent than those previously alluded to above.  For example, this
 warning might display the issuer and subject DNs from the revoked
 certificate and the date of revocation, and then require the user to
 provide a positive response before the submission or delivery process
 may proceed.  In the case of message submission, the warning might
 display the identity of the recipient affected by this validation
 failure and the user might be provided with the option to specify
 that this recipient be dropped from recipient list processing without
 affecting PEM processing for the remaining recipients.  Local policy
 may prohibit PEM processing if a revoked certificate is encountered
 in the course of constructing a certification path.
 Note that in order to comply with these validation procedures, a

Kent [Page 27] RFC 1422 Certificate-Based Key Management February 1993

 certificate cache must maintain all of the information contained in a
 certificate, not just the DNs and the public component.  For example
 the serial number and validity interval must be associated with the
 cache entry to comply with the checks described above.  Also note
 that these procedures apply to human interaction in message
 submission and delivery and are not directly applicable to forwarding
 processes.  When non human interaction is involved, a compliant PEM
 implementation must provide parameters to enable a process to specify
 whether certificate validation will succeed or fail if any of the
 conditions arise which would result in warnings to a human user.
 Finally, in the course of validating certificates as described above,
 one additional check must be performed: the subject DN of every
 certificate must be subordinate to the certificate issuer DN, except
 if the issuer is the IPRA or a PCA (hence another reason to
 distinguish the IPRA and PCA entries in a certificate cache).  This
 requirement is levied upon all PEM implementations as part of
 maintaining the certification hierarchy constraints defined in this
 document.  Any certificate which does not comply with these
 requirements is considered invalid and must be rejected in PEM
 submission or delivery processing.  The user  must be notified of the
 nature of this fatal error.

Kent [Page 28] RFC 1422 Certificate-Based Key Management February 1993

A. Appendix A: ASN.1 Syntax for Certificates and CRLs

A.1 Certificate Syntax

 The X.509 certificate format is defined by the following ASN.1
 syntax:
 Certificate ::= SIGNED SEQUENCE{
         version [0]     Version DEFAULT v1988,
         serialNumber    CertificateSerialNumber,
         signature       AlgorithmIdentifier,
         issuer          Name,
         validity        Validity,
         subject         Name,
         subjectPublicKeyInfo    SubjectPublicKeyInfo}
 Version ::=     INTEGER {v1988(0)}
 CertificateSerialNumber ::=     INTEGER
 Validity ::=    SEQUENCE{
         notBefore       UTCTime,
         notAfter        UTCTime}
 SubjectPublicKeyInfo ::=        SEQUENCE{
         algorithm               AlgorithmIdentifier,
         subjectPublicKey        BIT STRING}
 AlgorithmIdentifier ::= SEQUENCE{
         algorithm       OBJECT IDENTIFIER,
         parameters      ANY DEFINED BY algorithm OPTIONAL}
 The components of this structure are defined by ASN.1 syntax defined
 in the X.500 Series Recommendations.  RFC 1423 provides references
 for and the values of AlgorithmIdentifiers used by PEM in the
 subjectPublicKeyInfo and the signature data items.  It also describes
 how a signature is generated and the results represented.  Because
 the certificate is a signed data object, the distinguished encoding
 rules (see X.509, section 8.7) must be applied prior to signing.

Kent [Page 29] RFC 1422 Certificate-Based Key Management February 1993

A.2 Certificate Revocation List Syntax

 The following ASN.1 syntax, derived from X.509 and aligned with the
 suggested format in recently submitted defect reports, defines the
 format of CRLs for use in the PEM environment.
 CertificateRevocationList ::= SIGNED SEQUENCE{
         signature       AlgorithmIdentifier,
         issuer          Name,
         lastUpdate      UTCTime,
         nextUpdate      UTCTime,
         revokedCertificates
                         SEQUENCE OF CRLEntry OPTIONAL}
 CRLEntry ::= SEQUENCE{
         userCertificate SerialNumber,
         revocationDate UTCTime}

References

 [1] CCITT Recommendation X.411 (1988), "Message Handling Systems:
     Message Transfer System: Abstract Service Definition and
     Procedures".
 [2] CCITT Recommendation X.509 (1988), "The Directory -
     Authentication Framework".
 [3] CCITT Recommendation X.520 (1988), "The Directory - Selected
     Attribute Types".
 [4] NIST Special Publication 500-183, "Stable Agreements for Open
     Systems Interconnection Protocols," Version 4, Edition 1,
     December 1990.
 [5] North American Directory Forum, "A Naming Scheme for c=US", RFC
     1255, NADF, September 1991.
 [6] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part
     I: Message Encryption and Authentication Procedures", RFC 1421,
     DEC, February 1993.
 [7] Balenson, D., "Privacy Enhancement for Internet Electronic Mail:
     Part III: Algorithms, Modes, and Identifiers", RFC 1423, TIS,
     February 1993.
 [8] Balaski, B., "Privacy Enhancement for Internet Electronic Mail:
     Part IV: Notary, Co-Issuer, CRL-Storing and CRL-Retrieving
     Services", RFC 1424, RSA Laboratories, February 1993.

Kent [Page 30] RFC 1422 Certificate-Based Key Management February 1993

 [9] North American Directory Forum, "NADF Standing Documents: A Brief
     Overview", RFC 1417, NADF, February 1993.

Patent Statement

 This version of Privacy Enhanced Mail (PEM) relies on the use of
 patented public key encryption technology for authentication and
 encryption.  The Internet Standards Process as defined in RFC 1310
 requires a written statement from the Patent holder that a license
 will be made available to applicants under reasonable terms and
 conditions prior to approving a specification as a Proposed, Draft or
 Internet Standard.
 The Massachusetts Institute of Technology and the Board of Trustees
 of the Leland Stanford Junior University have granted Public Key
 Partners (PKP) exclusive sub-licensing rights to the following
 patents issued in the United States, and all of their corresponding
 foreign patents:
    Cryptographic Apparatus and Method
    ("Diffie-Hellman")............................... No. 4,200,770
    Public Key Cryptographic Apparatus
    and Method ("Hellman-Merkle").................... No. 4,218,582
    Cryptographic Communications System and
    Method ("RSA")................................... No. 4,405,829
    Exponential Cryptographic Apparatus
    and Method ("Hellman-Pohlig").................... No. 4,424,414
 These patents are stated by PKP to cover all known methods of
 practicing the art of Public Key encryption, including the variations
 collectively known as El Gamal.
 Public Key Partners has provided written assurance to the Internet
 Society that parties will be able to obtain, under reasonable,
 nondiscriminatory terms, the right to use the technology covered by
 these patents.  This assurance is documented in RFC 1170 titled
 "Public Key Standards and Licenses".  A copy of the written assurance
 dated April 20, 1990, may be obtained from the Internet Assigned
 Number Authority (IANA).
 The Internet Society, Internet Architecture Board, Internet
 Engineering Steering Group and the Corporation for National Research
 Initiatives take no position on the validity or scope of the patents
 and patent applications, nor on the appropriateness of the terms of
 the assurance.  The Internet Society and other groups mentioned above

Kent [Page 31] RFC 1422 Certificate-Based Key Management February 1993

 have not made any determination as to any other intellectual property
 rights which may apply to the practice of this standard. Any further
 consideration of these matters is the user's own responsibility.

Security Considerations

 This entire document is about security.

Author's Address

 Steve Kent
 BBN Communications
 50 Moulton Street
 Cambridge, MA 02138
 Phone: (617) 873-3988
 EMail: kent@BBN.COM

Kent [Page 32]

/data/webs/external/dokuwiki/data/pages/rfc/rfc1422.txt · Last modified: 1993/02/09 00:19 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki