
RFC4387

Internet X.509 Public Key Infrastructure Operational Protocols: Certificate Store Access via HTTP

The protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the Hypertext Transfer Protocol (HTTP/HTTPS) as an interface mechanism to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. [STANDARDS TRACK]

RFC 4387           Certificate Store Access via HTTP       February 2006


   Implementations MUST verify that the base64-encoded values submitted
   in requests contain only characters in the ranges 'a'-'z', 'A'-'Z',
   '0'-'9', '+', and '/'.  Queries containing any other character MUST
   be rejected.  (See the implementation notes in Section 2.5 and the
   security considerations in Section 4 for more details on this
   requirement.)

2.2.  Attribute Types: X.509

   Permitted attribute types and associated values for use with X.509
   certificates and CRLs are described below.  Arbitrary-length binary
   values (as indicated in the table below) are converted into a search
   key by the process described in Section 2.1.  Note that the values
   are checked for an exact match (after decoding of any form-urlencoded
   [RFC2854] portions if this is necessary) and are therefore case
   sensitive.

   Attribute  Process Value
   ---------  ------- -----
   certHash    Hash   Search key derived from the SHA-1 hash of the
                      certificate (sometimes called the certificate
                      fingerprint or thumbprint).

   uri         None   Subject URI associated with the certificate,
                      without the (optional) scheme specifier.  The URI
                      type depends on the certificate.  For S/MIME
                      certificates, it would be an email address; for
                      SSL/TLS certificates, it would be the server's DNS
                      name (this is usually also specified as the
                      CommonName); for IPsec certificates, it would be
                      the DNS name/IP address; and so on.

   iHash       Hash   Search key derived from the DER-encoded issuer DN
                      as it appears in the certificate, CRL, or other
                      object.

   iAndSHash   Hash   Search key derived from the certificate's
                      DER-encoded issuerAndSerialNumber [RFC3852].

   name        None   Subject CommonName contained in the certificate.

   sHash       Hash   Search key derived from the DER-encoded subject
                      DN as it appears in the certificate or other
                      object.

   sKIDHash    Hash   Search key derived from the certificate's
                      subjectKeyIdentifier (specifically the contents
                      octets of the KeyIdentifier OCTET STRING).

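As an added illustration (not part of the RFC text), the following Python shows the character-set check required above and how a hash-type search key is derived from constructed DER bytes and then matched exactly against a store. The page does not reproduce the Section 2.1 encoding, so dropping the trailing base64 '=' padding is an assumption here, made because the permitted alphabet has no '='.

```python
import base64
import hashlib
import re

# Permitted search-key alphabet stated on this page: 'a'-'z', 'A'-'Z',
# '0'-'9', '+' and '/'.  '=' padding and the URL-safe '-' / '_' are excluded.
SEARCH_KEY_RE = re.compile(r"^[A-Za-z0-9+/]+$")

# Attribute types from the table above, split by the "Process" column.
HASH_ATTRIBUTES = {"certHash", "iHash", "iAndSHash", "sHash", "sKIDHash"}
EXACT_ATTRIBUTES = {"uri", "name"}


def is_valid_search_key(value: str) -> bool:
    """True only if every character is in the permitted base64 alphabet."""
    return SEARCH_KEY_RE.fullmatch(value) is not None


def make_search_key(der_bytes: bytes) -> str:
    """Derive a hash-type search key: SHA-1 over the DER bytes, then base64.
    Assumption: trailing '=' padding is dropped, because the alphabet the
    page permits in requests has no '=' (a 20-byte digest would end in one)."""
    digest = hashlib.sha1(der_bytes).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def validate_query(attribute: str, value: str) -> bool:
    """Reject anything outside the attribute types and alphabet described here."""
    if attribute in HASH_ATTRIBUTES:
        return is_valid_search_key(value)
    if attribute in EXACT_ATTRIBUTES:
        return value != ""      # exact, case-sensitive string match
    return False                # unknown attribute type


def lookup(store: dict, attribute: str, value: str):
    """Return the matching object or None; the value is validated before use."""
    if not validate_query(attribute, value):
        return None
    return store.get((attribute, value))    # exact, case-sensitive match


# Constructed sample data (not a real certificate): a DER-looking byte string
# stands in for an encoded certificate, and a dict stands in for the store.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
STORE = {
    ("certHash", make_search_key(FAKE_CERT_DER)): FAKE_CERT_DER,
    ("name", "Example CA"): FAKE_CERT_DER,
}
```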
Gutmann                     Standards Track                     [Page 5]