Network Working Group                                       S. SantessonRequest for Comments: 3039                                      AddTrustCategory: Standards Track                                        W. Polk                                                                    NIST                                                               P. Barzin                                                                  SECUDE                                                              M. Nystrom                                                            RSA Security                                                            January 2001                Internet X.509 Public Key Infrastructure                     Qualified Certificates ProfileStatus of this Memo   This document specifies an Internet standards track protocol for the   Internet community, and requests discussion and suggestions for   improvements.  Please refer to the current edition of the "Internet   Official Protocol Standards" (STD 1) for the standardization state   and status of this protocol.  Distribution of this memo is unlimited.Copyright Notice   Copyright (C) The Internet Society (2001).  All Rights Reserved.Abstract   This document forms a certificate profile for Qualified Certificates,   based on RFC 2459, for use in the Internet.  The term Qualified   Certificate is used to describe a certificate with a certain   qualified status within applicable governing law.  Further, Qualified   Certificates are issued exclusively to physical persons.   The goal of this document is to define a general syntax independent   of local legal requirements.  The profile is however designed to   allow further profiling in order to meet specific local needs.   It is important to note that the profile does not define any legal   requirements for Qualified Certificates.   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this   document are to be interpreted as described in RFC 2119.Santesson, et al.           Standards Track                     [Page 1]RFC 3039             Qualified Certificates Profile         January 2001Table of Contents   1  Introduction ................................................    2   2  Requirements and Assumptions ................................    3   2.1  Properties ................................................    4   2.2  Statement of Purpose ......................................    5   2.3  Policy Issues .............................................    5   2.4  Uniqueness of names .......................................    5   3  Certificate and Certificate Extensions Profile ..............    6   3.1  Basic Certificate Fields ..................................    6   3.1.1  Issuer ..................................................    6   3.1.2  Subject .................................................    6   3.2  Certificate Extensions ....................................    9   3.2.1  Subject Directory Attributes ............................    9   3.2.2  Certificate Policies ....................................   10   3.2.3  Key Usage ...............................................   10   3.2.4  Biometric Information ...................................   11   3.2.5  Qualified Certificate Statements ........................   12   4  Security Considerations .....................................   14   5  References ..................................................   15   6  Intellectual Property Rights ................................   16   A  ASN.1 definitions ...........................................   17   A.1  1988 ASN.1 Module .........................................   17   A.2  1993 ASN.1 Module .........................................   19   B  A Note on Attributes ........................................   24   C.  Example Certificate ........................................   24   C.1  ASN.1 Structure ...........................................   25   C.1.1 Extensions ...............................................   25   C.1.2 The certificate ..........................................   27   C.2  ASN.1 Dump ................................................   29   C.3  DER-encoding ..............................................   32   C.4  CA's public key ...........................................   33   Authors' Addresses .............................................   34   Full Copyright Statement .......................................   351  Introduction   This specification is one part of a family of standards for the X.509   Public Key Infrastructure (PKI) for the Internet.  It is based on RFC   2459, which defines underlying certificate formats and semantics   needed for a full implementation of this standard.   The standard profiles the format for a specific type of certificates   named Qualified Certificates.  The term Qualified Certificates and   the assumptions that affects the scope of this document are discussed   in Section 2.Santesson, et al.           Standards Track                     [Page 2]RFC 3039             Qualified Certificates Profile         January 2001   Section 3 defines requirements on information content in Qualified   Certificates.  This profile addresses two fields in the basic   certificate as well as five certificate extensions.  The certificate   fields are the subject and issuer fields.  The certificate extensions   are subject directory attributes, certificate policies, key usage, a   private extension for storage of biometric data and a private   extension for storage of statements related to Qualified   Certificates.  The private extensions are presented in the 1993   Abstract Syntax Notation One (ASN.1), but in conformance with RFC   2459 the 1988 ASN.1 module in Appendix A contains all normative   definitions (the 1993 module in Appendix A is informative).   In Section 4, some security considerations are discussed in order to   clarify the security context in which Qualified Certificates are   assumed to be utilized.  Section 5 contains the references.   Appendix A contains all relevant ASN.1 [X.680] structures that are   not already defined in RFC 2459.  Appendix B contains a note on   attributes.  Appendix C contains an example certificate.  Appendix D   contains authors' addresses and Appendix E contains the IETF   Copyright Statement.   It should be noted that this specification does not define the   specific semantics of Qualified Certificates, and does not define the   policies that should be used with them.  That is, this document   defines what information should go into Qualified Certificates, but   not what that information means.  A system that uses Qualified   Certificates must define its own semantics for the information in   Qualified Certificates.  It is expected that laws and corporate   policies will make these definitions.2  Requirements and Assumptions   The term "Qualified Certificate" has been used by the European   Commission to describe a certain type of certificates with specific   relevance for European legislation.  This specification is intended   to support this class of certificates, but its scope is not limited   to this application.   Within this standard the term "Qualified Certificate" is used more   generally, describing the format for a certificate whose primary   purpose is identifying a person with high level of assurance in   public non-repudiation services.  The actual mechanisms that will   decide whether a certificate should or should not be considered to be   a "Qualified Certificate" in regard to any legislation are outside   the scope of this standard.Santesson, et al.           Standards Track                     [Page 3]RFC 3039             Qualified Certificates Profile         January 2001   Harmonization in the field of Qualified Certificates is essential   within several aspects that fall outside the scope of RFC 2459.  The   most important aspects that affect the scope of this specification   are:   -  Definition of names and identity information in order to identify      the associated subject in a uniform way.   -  Definition of information which identifies the CA and the      jurisdiction under which the CA operates when issuing a particular      certificate.   -  Definition of key usage extension usage for Qualified      Certificates.   -  Definition of information structure for storage of biometric      information.   -  Definition of a standardized way to store predefined statements      with relevance for Qualified Certificates.   -  Requirements for critical extensions.2.1  Properties   A Qualified Certificate as defined in this standard is assumed to   have the following properties:   -  The certificate is issued by a CA that makes a public statement      that the certificate serves the purpose of a Qualified      Certificate, as discussed in Section 2.2   -  The certificate indicates a certificate policy consistent with      liabilities, practices and procedures undertaken by the CA, as      discussed in 2.3   -  The certificate is issued to a natural person (living human      being).   -  The certificate contains an identity based on a pseudonym or a      real name of the subject.Santesson, et al.           Standards Track                     [Page 4]RFC 3039             Qualified Certificates Profile         January 20012.2  Statement of Purpose   For a certificate to serve the purpose of being a Qualified   Certificate, this profile assumes that the CA will have to include in   the certificate information that explicitly defines this intent.   The function of this information is thus to assist any concerned   entity in evaluating the risk associated with creating or accepting   signatures that are based on a Qualified Certificate.   This profile defines two complementary ways to include this   information:   -  As information defined by a certificate policy included in the      certificate policies extension, and   -  As a statement included in the Qualified Certificates Statements      extension.2.3  Policy Issues   Certain policy aspects define the context in which this profile is to   be understood and used.  It is however outside the scope of this   profile to specify any policies or legal aspects that will govern   services that issue or utilize certificates according to this   profile.   It is however assumed that the issuing CA will undertake to follow a   publicly available certificate policy that is consistent with its   liabilities, practices and procedures.2.4  Uniqueness of names   Distinguished name is originally defined in X.501 [X.501] as a   representation of a directory name, defined as a construct that   identifies a particular object from among the set of all objects.  An   object can be assigned a distinguished name without being represented   by an entry in the Directory, but this name is then the name its   object entry could have had if it were represented in the Directory.   In the context of qualified certificates, a distinguished name   denotes a set of attribute values [X.501] which forms a name that is   unambiguous within a certain domain that forms either a real or a   virtual DIT (Directory Information Tree)[X.501].  In the case of   subject names the domain is assumed to be at least the issuing domain   of the CA.  The distinguished name MUST be unique for each subject   entity certified by the one CA as defined by the issuer name field,   during the whole life time of the CA.Santesson, et al.           Standards Track                     [Page 5]RFC 3039             Qualified Certificates Profile         January 20013  Certificate and Certificate Extensions Profile   This section defines a profile for Qualified Certificates.  The   profile is based on the Internet certificate profile RFC 2459 which   in turn is based on the X.509 version 3 format.  For full   implementation of this section implementers are REQUIRED to consult   the underlying formats and semantics defined in RFC 2459.   ASN.1 definitions relevant for this section that are not supplied by   RFC 2459 are supplied in Appendix A.3.1  Basic Certificate Fields   This specification provides additional details regarding the contents   of two fields in the basic certificate.  These fields are the issuer   and subject fields.3.1.1  Issuer   The issuer field SHALL identify the organization responsible for   issuing the certificate.  The name SHOULD be an officially registered   name of the organization.   The identity of the issuer SHALL be specified using an appropriate   subset of the following attributes:         domainComponent;         countryName;         stateOrProvinceName;         organizationName;         localityName; and         serialNumber.   Additional attributes MAY be present but they SHOULD NOT be necessary   to identify the issuing organization.   Attributes present in the issuer field SHOULD be consistent with the   laws under which the issuer operates.   A relying party MAY have to consult associated certificate policies   and/or the issuer's CPS, in order to determine the semantics of name   fields and the laws under which the issuer operates.3.1.2  Subject   The subject field of a certificate compliant with this profile SHALL   contain a distinguished name of the subject (see 2.4 for definition   of distinguished name).Santesson, et al.           Standards Track                     [Page 6]RFC 3039             Qualified Certificates Profile         January 2001   The subject field SHALL contain an appropriate subset of the   following attributes:      countryName;      commonName;      surname;      givenName;      pseudonym;      serialNumber;      organizationName;      organizationalUnitName;      stateOrProvinceName      localityName and      postalAddress.   Other attributes may be present but MUST NOT be necessary to   distinguish the subject name from other subject names within the   issuer domain.   Of these attributes, the subject field SHALL include at least one of   the following:      Choice   I:  commonName      Choice  II:  givenName      Choice III:  pseudonym   The countryName attribute value specifies a general context in which   other attributes are to be understood.  The country attribute does   not necessarily indicate the subject's country of citizenship or   country of residence, nor does it have to indicate the country of   issuance.   Note: Many X.500 implementations require the presence of countryName