| rfc9763v4.txt | rfc9763.txt | |||
|---|---|---|---|---|
| skipping to change at line 202 ¶ | skipping to change at line 202 ¶ | |||
| BinaryTime ::= INTEGER (0..MAX) | BinaryTime ::= INTEGER (0..MAX) | |||
| * The locationInfo field uses UniformResourceIdentifier to provide | * The locationInfo field uses UniformResourceIdentifier to provide | |||
| information on the location of the other certificate the | information on the location of the other certificate the | |||
| requesting entity owns. UniformResourceIdentifier is defined as: | requesting entity owns. UniformResourceIdentifier is defined as: | |||
| UniformResourceIdentifier ::= IA5String | UniformResourceIdentifier ::= IA5String | |||
| The UniformResourceIdentifier is a pointer to a location via | The UniformResourceIdentifier is a pointer to a location via | |||
| HTTP(S) or a dataURI. This field can contain one of two | HTTP(S) or a data URL. This field can contain one of two | |||
| acceptable values: | acceptable values: | |||
| - If the request for (new) Cert B is to the CA organization that | - If the request for (new) Cert B is to the CA organization that | |||
| also issued (existing) Cert A, then the | also issued (existing) Cert A, then the | |||
| UniformResourceIdentifier value SHOULD be a URL that points to | UniformResourceIdentifier value SHOULD be a URL that points to | |||
| a file containing a certificate or certificate chain that the | a file containing a certificate or certificate chain that the | |||
| requesting entity owns, as detailed in [RFC5280]; the URL is | requesting entity owns, as detailed in [RFC5280]; the URL is | |||
| made available via HTTP or HTTPS. The file must permit access | made available via HTTP or HTTPS. The file must permit access | |||
| to a CMS 'certs-only' message containing the end-entity | to a CMS 'certs-only' message containing the end-entity | |||
| certificate or the entire certificate chain. This option uses | certificate or the entire certificate chain. This option uses | |||
| less data than a dataURI. All certificates contained must be | less data than a data URL. All certificates contained must be | |||
| DER encoded. | DER encoded. | |||
| - If the request for (new) Cert B is to a CA organization | - If the request for (new) Cert B is to a CA organization | |||
| different than the CA organization that issued the certificate | different than the CA organization that issued the certificate | |||
| (existing) Cert A referenced in the CSR, then the | (existing) Cert A referenced in the CSR, then the | |||
| UniformResourceIdentifier value SHOULD be a dataURI [RFC2397] | UniformResourceIdentifier value SHOULD be a data URL [RFC2397] | |||
| containing inline degenerate PKCS#7 (see Sections 3.2.1 and 3.8 | containing inline degenerate PKCS#7 (see Sections 3.2.1 and 3.8 | |||
| of [RFC8551]) consisting of all the certificates and CRLs | of [RFC8551]) consisting of all the certificates and CRLs | |||
| required to validate Cert A. This allows the CA to perform | required to validate Cert A. This allows the CA to perform | |||
| validation (as described in Section 3.2) without having to | validation (as described in Section 3.2) without having to | |||
| retrieve certificates/CRLs from another CA. Further discussion | retrieve certificates/CRLs from another CA. Further discussion | |||
| of requirements for this scenario is in Section 5. | of requirements for this scenario is in Section 5. | |||
| * The signature field provides evidence that the requesting entity | * The signature field provides evidence that the requesting entity | |||
| owns the certificate indicated by the certID field. Specifically, | owns the certificate indicated by the certID field. Specifically, | |||
| the signature field contains a digital signature over the | the signature field contains a digital signature over the | |||
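Review bot: the "dataURI" to "data URL" change on the three right-hand lines of this block matches the RFC 2397 title, but the same bullet still mixes lowercase requirement words with an uppercase SHOULD: "The file must permit access to a CMS 'certs-only' message" and "All certificates contained must be DER encoded". If these are normative they should read MUST; and since the fetched object is meant to be the certs-only message itself (a SignedData with no signers, as the degenerate PKCS#7 reference to Sections 3.2.1 and 3.8 of RFC 8551 in the second bullet describes), "The file MUST be a CMS 'certs-only' message containing the end-entity certificate or the entire certificate chain" would be clearer than "must permit access to". Also, UniformResourceIdentifier is declared as an unbounded IA5String, and the data URL option inlines every certificate and CRL needed to validate Cert A, so a CA decoding the CSR needs a size bound on this attribute before it touches the base64 payload; a sentence on that here or in Section 5 would help implementers.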
| skipping to change at line 489 ¶ | skipping to change at line 489 ¶ | |||
| algorithm for security. | algorithm for security. | |||
| Implementors should be aware of risks that arise from the retrieval | Implementors should be aware of risks that arise from the retrieval | |||
| of a related certificate via the UniformResourceIdentifier provided | of a related certificate via the UniformResourceIdentifier provided | |||
| in the relatedCertRequest CSR attribute, as a URL can point to | in the relatedCertRequest CSR attribute, as a URL can point to | |||
| malicious code. Implementors should ensure the data is properly | malicious code. Implementors should ensure the data is properly | |||
| formed and validate the retrieved data fully. | formed and validate the retrieved data fully. | |||
| CAs should be aware that retrieval of existing certificates may be | CAs should be aware that retrieval of existing certificates may be | |||
| subject to observation; if this is a concern, it is advisable to use | subject to observation; if this is a concern, it is advisable to use | |||
| the dataURI option described in Section 3.1. | the data URL option described in Section 3.1. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document defines an extension for use with X.509 certificates. | This document defines an extension for use with X.509 certificates. | |||
| IANA has registered the following OID in the "SMI Security for PKIX | IANA has registered the following OID in the "SMI Security for PKIX | |||
| Certificate Extension" registry (1.3.6.1.5.5.7.1): | Certificate Extension" registry (1.3.6.1.5.5.7.1): | |||
| +=========+===================+============+ | +=========+===================+============+ | |||
| | Decimal | Description | References | | | Decimal | Description | References | | |||
| +=========+===================+============+ | +=========+===================+============+ | |||
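Review bot: the advice in the last paragraph before Section 8 ("if this is a concern, it is advisable to use the data URL option described in Section 3.1") is in tension with Section 3.1 as shown in the previous block, where the data URL is the SHOULD only when Cert B is requested from a different CA organization and the same-CA case SHOULD use an HTTP(S) URL. Either relax the same-CA SHOULD to permit a data URL when observability of the retrieval matters, or state here that choosing the data URL in the same-CA case deviates from the Section 3.1 recommendation. Separately, "a URL can point to malicious code" understates the retrieval risk: the CA is acting as an HTTP(S) client on a requester-supplied URL, so the guidance should name the concrete checks a CA must apply before and after fetching (accept only the http, https and data schemes named in Section 3.1, cap the response size before parsing, and parse the body strictly as a DER-encoded CMS certs-only message rather than as an arbitrary file).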
| End of changes. 4 change blocks. | ||||
| 4 lines changed or deleted | 4 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||