|
docs:security:certificates 2006/01/01 23:44 |
docs:security:certificates 2008/10/03 08:25 current |
| - | This page is more or less a resume of RFC3280. | + | ======SSL Certificates====== |
| | | | |
| - | ======Certificates====== | + | =====Glossary===== |
| | | | |
| - | =====Basic Constraints==== | + | * [[docs:security:certificates:attributes|X509 Attributs]] |
| | + | * [[docs:security:certificates:pkcs|PKCS]] (Public Key Cryptography Standards) |
| | | | |
| - | ====Basic Contraints==== | + | =====Some example of CA policy===== |
| - | | + | |
| - | This extension MUST appear as a critical extension in all CA | + | |
| - | certificates that contain public keys used to validate digital | + | |
| - | signatures on certificates. This extension MAY appear as a critical | + | |
| - | or non-critical extension in CA certificates that contain public keys | + | |
| - | used exclusively for purposes other than validating digital | + | |
| - | signatures on certificates. Such CA certificates include ones that | + | |
| - | contain public keys used exclusively for validating digital | + | |
| - | signatures on CRLs and ones that contain key management public keys | + | |
| - | used with certificate enrollment protocols. This extension MAY | + | |
| - | appear as a critical or non-critical extension in end entity | + | |
| - | certificates. | + | |
| - | | + | |
| - | ====CA Field=== | + | |
| - | | + | |
| - | The cA boolean indicates whether the certified public key belongs to | + | |
| - | a CA. If the cA boolean is not asserted, then the keyCertSign bit in | + | |
| - | the key usage extension MUST NOT be asserted. | + | |
| - | | + | |
| - | =====Key Usage===== | + | |
| - | | + | |
| - | ====Digital Signature==== | + | |
| - | | + | |
| - | The digitalSignature bit is asserted when the subject public key | + | |
| - | is used with a digital signature mechanism to support security | + | |
| - | services other than certificate signing (bit 5), or CRL signing | + | |
| - | (bit 6). Digital signature mechanisms are often used for entity | + | |
| - | authentication and data origin authentication with integrity. | + | |
| - | | + | |
| - | ====Non Repudiation==== | + | |
| - | | + | |
| - | The nonRepudiation bit is asserted when the subject public key is | + | |
| - | used to verify digital signatures used to provide a non- | + | |
| - | repudiation service which protects against the signing entity | + | |
| - | falsely denying some action, excluding certificate or CRL signing. | + | |
| - | In the case of later conflict, a reliable third party may | + | |
| - | determine the authenticity of the signed data. | + | |
| - | | + | |
| - | ====Note about nonRepudiation and digitalSignature==== | + | |
| - | | + | |
| - | Further distinctions between the digitalSignature and | + | |
| - | nonRepudiation bits may be provided in specific certificate | + | |
| - | policies. | + | |
| - | | + | |
| - | ====Key Encipherment==== | + | |
| - | | + | |
| - | The keyEncipherment bit is asserted when the subject public key is | + | |
| - | used for key transport. For example, when an RSA key is to be | + | |
| - | used for key management, then this bit is set. | + | |
| - | | + | |
| - | ====data Encipherment==== | + | |
| - | | + | |
| - | The dataEncipherment bit is asserted when the subject public key | + | |
| - | is used for enciphering user data, other than cryptographic keys. | + | |
| - | | + | |
| - | ====Key Agreement==== | + | |
| - | | + | |
| - | The keyAgreement bit is asserted when the subject public key is | + | |
| - | used for key agreement. For example, when a Diffie-Hellman key is | + | |
| - | to be used for key management, then this bit is set. | + | |
| - | | + | |
| - | ====Key Cert Sign ===== | + | |
| - | | + | |
| - | The keyCertSign bit is asserted when the subject public key is | + | |
| - | used for verifying a signature on public key certificates. If the | + | |
| - | keyCertSign bit is asserted, then the cA bit in the basic | + | |
| - | constraints extension (section 4.2.1.10) MUST also be asserted. | + | |
| - | | + | |
| - | ====CRL Sign==== | + | |
| - | | + | |
| - | The cRLSign bit is asserted when the subject public key is used | + | |
| - | for verifying a signature on certificate revocation list (e.g., a | + | |
| - | CRL, delta CRL, or an ARL). This bit MUST be asserted in | + | |
| - | certificates that are used to verify signatures on CRLs. | + | |
| - | | + | |
| - | ====encipher Only==== | + | |
| - | | + | |
| - | The meaning of the encipherOnly bit is undefined in the absence of | + | |
| - | the keyAgreement bit. When the encipherOnly bit is asserted and | + | |
| - | the keyAgreement bit is also set, the subject public key may be | + | |
| - | used only for enciphering data while performing key agreement. | + | |
| - | | + | |
| - | ====decipher Only==== | + | |
| - | | + | |
| - | The meaning of the decipherOnly bit is undefined in the absence of | + | |
| - | the keyAgreement bit. When the decipherOnly bit is asserted and | + | |
| - | the keyAgreement bit is also set, the subject public key may be | + | |
| - | used only for deciphering data while performing key agreement. | + | |
| | | | |
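Review bot: the removed block (old revision, "Basic Constraints" through "decipher Only") is the only place this page states the keyCertSign/cA consistency rule (keyCertSign asserted requires cA asserted in basicConstraints; cA not asserted requires keyCertSign MUST NOT be set) and the critical-extension requirement for basicConstraints in signing CAs, and the new revision replaces it with links only, so confirm the linked `docs:security:certificates:attributes` page carries those rules before this summary is dropped. If any of it is moved rather than deleted, fix the unbalanced DokuWiki heading markers first, since `=====Basic Constraints====`, `====CA Field===` and `====Key Cert Sign =====` do not have matching counts of `=` on both sides and will not render at the intended level, and the duplicate heading `====Basic Contraints====` is misspelled. The reference "(section 4.2.1.10)" in the Key Cert Sign paragraph is an RFC 3280 section number; once the opening line "This page is more or less a resume of RFC3280" is removed, that reference has no context, so either keep the attribution line or spell out "RFC 3280 section 4.2.1.10".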
| | + | * [[http://www.hecker.org/mozilla/ca-certificate-policy|Mozilla CA Certificate Policy]] |
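Review bot: the added glossary entry `[[docs:security:certificates:attributes|X509 Attributs]]` has a spelling error in the link text ("Attributs"; the standard is usually written "X.509 Attributes"), and the added heading `=====Some example of CA policy=====` should read "Some examples of CA policy" since it introduces a list. The new page title `======SSL Certificates======` is narrower than the content it indexes (PKCS, X.509 attributes, CA policy apply to X.509 certificates generally, not only TLS/SSL), so "X.509 Certificates" would be a more accurate title.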