X.509 Extensions Enhancements
I have just been made aware that the most recent X.509 includes two
additional reason codes. This impacts the reasons in the CRL Distribution
Points certificate extension and the onlySomeReasons in the Issuing
Distribution Point CRL extension. Both of these fields use the ReasonFlags
type. It also impacts the Reason Code CRL entry extension, which uses the
CRLReason type. I have provided the new definitions below.
   ReasonFlags ::= BIT STRING {
        unused                  (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        privilegeWithdrawn      (7),
        aACompromise            (8) }

   CRLReason ::= ENUMERATED {
        unspecified             (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        removeFromCRL           (8),
        privilegeWithdrawn      (9),
        aACompromise           (10) }
The Issuing Distribution Point CRL extension has also been enhanced to
include a boolean that indicates whether the CRL contains only entries
associated with attribute certificates. The new definition is:
   IssuingDistributionPoint ::= SEQUENCE {
        distributionPoint           [0] DistributionPointName OPTIONAL,
        onlyContainsUserCerts       [1] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts         [2] BOOLEAN DEFAULT FALSE,
        onlySomeReasons             [3] ReasonFlags OPTIONAL,
        indirectCRL                 [4] BOOLEAN DEFAULT FALSE,
        onlyContainsAttributeCerts  [5] BOOLEAN DEFAULT FALSE }
The original OIDs are still being used with these "enhanced" definitions,
therefore I will be adding them to son-of-rfc2459.
Russ
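The three definitions quoted in the message have encoding details that a CRL consumer has to get right: ReasonFlags is a named-bit BIT STRING, so DER drops trailing zero bits and the length of the encoding depends on the highest bit set (the new aACompromise bit 8 pushes it to a second octet); CRLReason leaves value 7 unassigned, so a decoder should refuse it; and every BOOLEAN in IssuingDistributionPoint has DEFAULT FALSE, so DER requires it to be absent when FALSE and encoded as 0xFF when TRUE. The Python below is an added example, not code from Russ's message or from any IETF module. It assumes the IMPLICIT TAGS context of the RFC 2459 ASN.1 module (so [1]..[5] become context tags 0x81..0x85), handles only short-form lengths, and does not decode distributionPoint; the helper names and sample values are my own.

```python
# Added example (not from the message above or any IETF module): minimal DER
# encode/decode for ReasonFlags, CRLReason and IssuingDistributionPoint.
# Assumes the IMPLICIT TAGS module context of RFC 2459 and short-form lengths;
# helper names and sample values are my own.

REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]          # bit positions 0..8

CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
              6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
              10: "aACompromise"}                               # 7 is unassigned

def _tlv(tag, body):
    assert len(body) < 0x80, "short-form length only in this example"
    return bytes([tag, len(body)]) + body

def encode_reason_flags(names):
    """Named-bit BIT STRING: bit 0 is the MSB of the first content octet and
    DER requires trailing zero bits to be dropped, so the length follows the
    highest bit set (cACompromise alone is 03 02 05 20; aACompromise alone
    needs two content octets)."""
    bits = [REASON_FLAGS.index(n) for n in names]
    if not bits:
        return _tlv(0x03, b"\x00")
    nbytes = max(bits) // 8 + 1
    value = sum(1 << (nbytes * 8 - 1 - b) for b in set(bits))
    unused = nbytes * 8 - 1 - max(bits)
    return _tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))

def decode_reason_flags(der):
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("malformed BIT STRING")
    unused, data = der[2], der[3:]
    if unused > 7 or (not data and unused):
        raise ValueError("bad unused-bits octet")
    if data and not (data[-1] >> unused) & 1:
        raise ValueError("non-DER: trailing zero bits not removed")
    names = []
    for i in range(len(data) * 8 - unused):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            if i >= len(REASON_FLAGS):
                raise ValueError(f"undefined reason bit {i}")
            names.append(REASON_FLAGS[i])
    return names

def encode_crl_reason(name):
    code = next(c for c, n in CRL_REASON.items() if n == name)
    return _tlv(0x0A, bytes([code]))      # ENUMERATED; 0..10 fit in one octet

def decode_crl_reason(der):
    if len(der) != 3 or der[0] != 0x0A or der[1] != 1:
        raise ValueError("malformed CRLReason")
    if der[2] not in CRL_REASON:          # rejects 7 and anything above 10
        raise ValueError(f"unknown CRLReason value {der[2]}")
    return CRL_REASON[der[2]]

IDP_BOOLS = {0x81: "onlyContainsUserCerts", 0x82: "onlyContainsCACerts",
             0x84: "indirectCRL", 0x85: "onlyContainsAttributeCerts"}

def encode_idp(only_some_reasons=None, **flags):
    """IssuingDistributionPoint without a distributionPoint. DER forbids
    encoding a component equal to its DEFAULT, so each BOOLEAN appears only
    when TRUE (as 0xFF); onlySomeReasons keeps the BIT STRING contents under
    the implicit [3] tag, between [2] and [4]."""
    def boolean(tag):
        return _tlv(tag, b"\xff") if flags.get(IDP_BOOLS[tag]) else b""
    reasons = b""
    if only_some_reasons is not None:
        reasons = bytes([0x83]) + encode_reason_flags(only_some_reasons)[1:]
    return _tlv(0x30, boolean(0x81) + boolean(0x82) + reasons
                      + boolean(0x84) + boolean(0x85))

def decode_idp(der):
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed SEQUENCE")
    out = {n: False for n in IDP_BOOLS.values()}
    out.update(distributionPoint=None, onlySomeReasons=None)
    body, i, last = der[2:], 0, -1
    while i < len(body):
        if i + 1 >= len(body):
            raise ValueError("truncated component")
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if length >= 0x80 or len(value) != length:
            raise ValueError("bad length")
        if tag & 0x1F <= last:                 # SEQUENCE order, no repeats
            raise ValueError("component out of order or repeated")
        last = tag & 0x1F
        if tag == 0xA0:
            out["distributionPoint"] = value   # kept raw, not decoded here
        elif tag == 0x83:
            out["onlySomeReasons"] = decode_reason_flags(
                bytes([0x03]) + body[i + 1:i + 2 + length])
        elif tag in IDP_BOOLS:
            if value != b"\xff":               # FALSE equals DEFAULT: must be absent
                raise ValueError(f"non-DER {IDP_BOOLS[tag]} encoding")
            out[IDP_BOOLS[tag]] = True
        else:
            raise ValueError(f"unexpected tag {tag:#04x}")
        i += 2 + length
    return out

def rejects(decoder, der):
    """True when decoder refuses der with ValueError (non-DER or undefined values)."""
    try:
        decoder(der)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    idp = encode_idp(only_some_reasons=["keyCompromise", "cACompromise"],
                     onlyContainsAttributeCerts=True)
    print(idp.hex(), decode_idp(idp))
```

The strictness in the decoders is the point: a relying party that silently accepts a CRLReason of 7, a ReasonFlags value with trailing zero bits, or an explicitly encoded FALSE in IssuingDistributionPoint will disagree with a strict peer about what the same CRL says, and the onlyContainsAttributeCerts flag in particular must not be mistaken for a public-key certificate scope.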