Network Working Group M. Nystrom
Request for Comments: 2986 B. Kaliski
Obsoletes: 2314 RSA Security
Category: Informational November 2000
Network Working Group M. Nystrom
Request for Comments: 2986 B. Kaliski
Obsoletes: 2314 RSA Security
Category: Informational November 2000
PKCS #10: Certification Request Syntax Specification Version 1.7
PKCS#10:认证请求语法规范1.7版
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document.
本备忘录代表了RSA Laboratories公钥加密标准(PKCS)系列PKCS#10 v1.7的再版,PKCS流程中保留了更改控制。除安全注意事项部分外,本文件正文直接取自PKCS 9 v2.0或PKCS 10 v1.7文件。
This memo describes a syntax for certification requests.
本备忘录描述了认证请求的语法。
Table of Contents
目录
1. Introduction ................................................. 2
2. Definitions and notation ..................................... 2
2.1 Definitions ................................................. 2
2.2 Notation .................................................... 4
3. Overview ..................................................... 4
4. Certification request syntax ................................. 5
4.1 CertificationRequestInfo .................................... 5
4.2 CertificationRequest ........................................ 7
5. Security Considerations ...................................... 8
6. Authors' Addresses ........................................... 8
A. ASN.1 module ................................................. 9
B. Intellectual property considerations ........................ 10
C. Revision history ............................................ 10
D. References .................................................. 11
E. Contact information & About PKCS ............................ 12
Full Copyright Statement ........................................ 14
1. Introduction ................................................. 2
2. Definitions and notation ..................................... 2
2.1 Definitions ................................................. 2
2.2 Notation .................................................... 4
3. Overview ..................................................... 4
4. Certification request syntax ................................. 5
4.1 CertificationRequestInfo .................................... 5
4.2 CertificationRequest ........................................ 7
5. Security Considerations ...................................... 8
6. Authors' Addresses ........................................... 8
A. ASN.1 module ................................................. 9
B. Intellectual property considerations ........................ 10
C. Revision history ............................................ 10
D. References .................................................. 11
E. Contact information & About PKCS ............................ 12
Full Copyright Statement ........................................ 14
This document describes syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification. Certification requests are sent to a certification authority, which transforms the request into an X.509 [9] public-key certificate. (In what form the certification authority returns the newly signed certificate is outside the scope of this document. A PKCS #7 [2] message is one possibility.)
本文档描述了认证请求的语法。认证请求由可分辨名称、公钥和可选的一组属性组成,这些属性由请求认证的实体共同签名。证书请求被发送到证书颁发机构,该机构将请求转换为X.509[9]公钥证书。(证书颁发机构以何种形式返回新签署的证书不在本文档范围内。PKCS#7[2]消息是一种可能性。)
The intention of including a set of attributes is twofold: to provide other information about a given entity , or a "challenge password" by which the entity may later request certificate revocation; and to provide attributes for inclusion in X.509 certificates. A non-exhaustive list of attributes is given in PKCS #9 [3].
包含一组属性的意图有两个:提供关于给定实体的其他信息,或实体稍后可以通过其请求证书撤销的“质询密码”;并提供包含在X.509证书中的属性。PKCS#9[3]中给出了一个非详尽的属性列表。
Certification authorities may also require non-electronic forms of request and may return non-electronic replies. It is expected that descriptions of such forms, which are outside the scope of this document, will be available from certification authorities.
认证机构还可以要求非电子形式的请求,并可以返回非电子形式的答复。预计认证机构将提供不在本文件范围内的此类表格的说明。
The preliminary intended application of this document is to support PKCS #7 cryptographic messages, but it is expected that other applications will be developed (see e.g. [4]).
本文件的初步预期应用旨在支持PKCS#7加密消息,但预计将开发其他应用程序(参见示例[4])。
For the purposes of this document, the following definitions apply.
在本文件中,以下定义适用。
ALGORITHM An information object class defined in X.509 to describe objects composed of an algorithm (a unique object identifier) and its parameters (any ASN.1 type). The values of objects in this class can be represented by the ASN.1 type AlgorithmIdentifier{}. ALGORITHM is defined as the "useful" information object class TYPE-IDENTIFIER, specified in [11], Annex A.
算法X.509中定义的信息对象类,用于描述由算法(唯一对象标识符)及其参数(任何ASN.1类型)组成的对象。此类中对象的值可以用ASN.1类型的算法标识符{}表示。算法定义为附录A[11]中规定的“有用”信息对象类类型标识符。
AlgorithmIdentifier{} A useful parameterized version of X.509 type AlgorithmIdentifier is defined in this document. This type tightly binds pairs of algorithm object identifiers to their associated parameter types. When referenced, the single parameter of AlgorithmIdentifier{} specifies a constraint on the
AlgorithmIdentifier{}本文档定义了一个有用的参数化版本的X.509类型的AlgorithmIdentifier。此类型将成对的算法对象标识符与其关联的参数类型紧密绑定。引用时,AlgorithmIdentifier{}的单个参数指定
pairs of values that may appear in that instance of the type. The encoded values of AlgorithmIdentifier{} are equivalent to those of type AlgorithmIdentifier.
可能出现在该类型实例中的值对。AlgorithmIdentifier{}的编码值与AlgorithmIdentifier类型的编码值等效。
ASN.1 Abstract Syntax Notation One, as defined in the ASN.1 standards ([10], [11], [12], and [13]).
ASN.1抽象语法符号1,如ASN.1标准([10]、[11]、[12]和[13])中所定义。
ATTRIBUTE This class describes objects composed of an attribute (a unique object identifier) and an associated set of attribute values (any ASN.1 type). The values of objects in this class can be represented by type Attribute{}.
属性此类描述由一个属性(唯一的对象标识符)和一组相关的属性值(任何ASN.1类型)组成的对象。此类中对象的值可以用类型属性{}表示。
Attribute{} A useful parameterized version of X.501 [8] type Attribute is defined in this document. This type tightly binds pairs of attribute type object identifiers to one or more attribute values types. In the ASN.1 open type notation, an attribute type is defined as ATTRIBUTE.&id and an attribute value as ATTRIBUTE.&Type. When referenced, the single parameter of Attribute{} specifies a constraint on the pairs of values that may appear in an instance of the type. The encoded values of Attribute{} are equivalent to those of type Attribute.
属性{}本文档定义了一个有用的参数化版本的X.501[8]类型属性。此类型将属性类型对象标识符对紧密绑定到一个或多个属性值类型。在ASN.1开放式类型表示法中,属性类型定义为attribute.&id,属性值定义为attribute.&type。引用时,属性{}的单个参数指定对可能出现在类型实例中的值对的约束。属性{}的编码值与属性类型的编码值等效。
BER Basic Encoding Rules for ASN.1, as defined in X.690 ([14]).
ASN.1的BER基本编码规则,如X.690([14])中所定义。
Certificate A type that binds a subject entity's distinguished name to a public key with a digital signature. This type is defined in X.509. This type also contains the distinguished name of the certificate issuer (the signer), an issuer-specific serial number, the issuer's signature algorithm identifier, a validity period, and an optional set of certificate extensions.
证书将主体实体的可分辨名称绑定到具有数字签名的公钥的类型。该类型在X.509中定义。此类型还包含证书颁发者(签名者)的可分辨名称、特定于颁发者的序列号、颁发者的签名算法标识符、有效期和可选的证书扩展集。
DER Distinguished Encoding Rules for ASN.1, as defined in X.690. DER is a subset of BER.
ASN.1的DER区分编码规则,如X.690中所定义。DER是BER的子集。
Name A type that uniquely identifies or "distinguishes" objects in an X.500 [7] directory. This type is defined in X.501. In an X.509 certificate, the type identifies the certificate issuer and the certificate subject, the entity whose public key is certified.
命名唯一标识或“区分”X.500[7]目录中对象的类型。该类型在X.501中定义。在X.509证书中,该类型标识证书颁发者和证书主体,即其公钥经过认证的实体。
No special notation is used in this document.
本文件中未使用特殊符号。
A certification request consists of three parts: "certification request information," a signature algorithm identifier, and a digital signature on the certification request information. The certification request information consists of the entity's distinguished name, the entity's public key, and a set of attributes providing other information about the entity.
认证请求由三部分组成:“认证请求信息”、签名算法标识符和认证请求信息上的数字签名。认证请求信息由实体的可分辨名称、实体的公钥和一组提供实体其他信息的属性组成。
The process by which a certification request is constructed involves the following steps:
构建认证请求的过程包括以下步骤:
1. A CertificationRequestInfo value containing a subject distinguished name, a subject public key, and optionally a set of attributes is constructed by an entity requesting certification.
1. CertificationRequestInfo值包含主题可分辨名称、主题公钥和可选的一组属性,由请求认证的实体构造。
2. The CertificationRequestInfo value is signed with the subject entity's private key. (See Section 4.2.)
2. CertificationRequestInfo值使用主体实体的私钥签名。(见第4.2节。)
3. The CertificationRequestInfo value, a signature algorithm identifier, and the entity's signature are collected together into a CertificationRequest value, defined below.
3. CertificationRequestInfo值、签名算法标识符和实体的签名一起收集为CertificationRequest值,定义如下。
A certification authority fulfills the request by authenticating the requesting entity and verifying the entity's signature, and, if the request is valid, constructing an X.509 certificate from the distinguished name and public key, the issuer name, and the certification authority's choice of serial number, validity period, and signature algorithm. If the certification request contains any PKCS #9 attributes, the certification authority may also use the values in these attributes as well as other information known to the certification authority to construct X.509 certificate extensions.
认证机构通过认证请求实体并验证实体的签名来满足请求,如果请求有效,则根据可分辨名称和公钥、颁发者名称以及认证机构对序列号、有效期的选择来构造X.509证书,以及签名算法。如果认证请求包含任何PKCS#9属性,则认证机构还可以使用这些属性中的值以及认证机构已知的其他信息来构造X.509证书扩展。
In what form the certification authority returns the new certificate is outside the scope of this document. One possibility is a PKCS #7 cryptographic message with content type signedData, following the degenerate case where there are no signers. The return message may include a certification path from the new certificate to the certification authority. It may also include other certificates such as cross-certificates that the certification authority considers helpful, and it may include certificate-revocation lists (CRLs). Another possibility is that the certification authority inserts the new certificate into a central database.
证书颁发机构以何种形式返回新证书不在本文件范围内。一种可能性是内容类型为signedData的PKCS#7加密消息,在没有签名者的退化情况下。返回消息可以包括从新证书到证书颁发机构的证书路径。它还可能包括证书颁发机构认为有用的其他证书,如交叉证书,并且可能包括证书吊销列表(CRL)。另一种可能性是证书颁发机构将新证书插入中央数据库。
Note 1 - An entity would typically send a certification request after generating a public-key/private-key pair, but may also do so after a change in the entity's distinguished name.
注1-实体通常会在生成公钥/私钥对后发送认证请求,但也可能在实体的可分辨名称更改后发送。
Note 2 - The signature on the certification request prevents an entity from requesting a certificate with another party's public key. Such an attack would give the entity the minor ability to pretend to be the originator of any message signed by the other party. This attack is significant only if the entity does not know the message being signed and the signed part of the message does not identify the signer. The entity would still not be able to decrypt messages intended for the other party, of course.
注2-认证请求上的签名阻止实体使用另一方的公钥请求证书。这样的攻击将使实体具有假装是另一方签署的任何消息的发起人的次要能力。只有当实体不知道正在签名的消息并且消息的签名部分未识别签名者时,此攻击才具有重要意义。当然,该实体仍然无法解密打算发送给另一方的消息。
Note 3 - How the entity sends the certification request to a certification authority is outside the scope of this document. Both paper and electronic forms are possible.
注3:实体如何向认证机构发送认证请求不在本文件范围内。纸质和电子形式都可以。
Note 4 - This document is not compatible with the certification request syntax for Privacy-Enhanced Mail, as described in RFC 1424 [5]. The syntax here differs in three respects: It allows a set of attributes; it does not include issuer name, serial number, or validity period; and it does not require an "innocuous" message to be signed. This document is designed to minimize request size, an important feature for certification authorities accepting requests on paper.
注4-本文件与RFC 1424[5]中描述的隐私增强邮件的认证请求语法不兼容。这里的语法在三个方面有所不同:它允许一组属性;不包括发行人名称、序列号或有效期;而且它不需要签署“无害”的消息。本文档旨在最小化请求大小,这是认证机构接受书面请求的一项重要功能。
This section is divided into two parts. The first part describes the certification-request-information type CertificationRequestInfo, and the second part describes the top-level type CertificationRequest.
本节分为两部分。第一部分描述了认证请求信息类型CertificationRequestInfo,第二部分描述了顶级类型CertificationRequest。
Certification request information shall have ASN.1 type CertificationRequestInfo:
认证申请信息应具有ASN.1类型认证申请信息:
CertificationRequestInfo ::= SEQUENCE {
version INTEGER { v1(0) } (v1,...),
subject Name,
subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
attributes [0] Attributes{{ CRIAttributes }}
}
CertificationRequestInfo ::= SEQUENCE {
version INTEGER { v1(0) } (v1,...),
subject Name,
subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
attributes [0] Attributes{{ CRIAttributes }}
}
SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {
algorithm AlgorithmIdentifier {{IOSet}},
subjectPublicKey BIT STRING
}
SubjectPublicKeyInfo { ALGORITHM : IOSet} ::= SEQUENCE {
algorithm AlgorithmIdentifier {{IOSet}},
subjectPublicKey BIT STRING
}
PKInfoAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
PKInfoAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
CRIAttributes ATTRIBUTE ::= {
... -- add any locally defined attributes here -- }
CRIAttributes ATTRIBUTE ::= {
... -- add any locally defined attributes here -- }
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
type ATTRIBUTE.&id({IOSet}),
values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
type ATTRIBUTE.&id({IOSet}),
values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
The components of type CertificationRequestInfo have the following meanings:
CertificationRequestInfo类型的组件具有以下含义:
version is the version number, for compatibility with future revisions of this document. It shall be 0 for this version of the standard.
版本是版本号,用于与本文档的未来版本兼容。对于本版本的标准,该值应为0。
subject is the distinguished name of the certificate subject (the entity whose public key is to be certified).
subject是证书主体(其公钥将被认证的实体)的可分辨名称。
subjectPublicKeyInfo contains information about the public key being certified. The information identifies the entity's public-key algorithm (and any associated parameters); examples of public-key algorithms include the rsaEncryption object identifier from PKCS #1 [1]. The information also includes a bit-string representation of the entity's public key. For the public-key algorithm just mentioned, the bit string contains the DER encoding of a value of PKCS #1 type RSAPublicKey. The values of type SubjectPublicKeyInfo{} allowed for subjectPKInfo are constrained to the values specified by the information object set PKInfoAlgorithms, which includes the extension marker (...). Definitions of specific algorithm objects are left to specifications that reference this document. Such specifications will be interoperable with their future versions if any additional algorithm objects are added after the extension marker.
subjectPublicKeyInfo包含有关正在认证的公钥的信息。该信息标识实体的公钥算法(以及任何相关参数);公钥算法的示例包括PKCS#1[1]中的RSA加密对象标识符。该信息还包括实体公钥的位字符串表示。对于刚才提到的公钥算法,位字符串包含PKCS#1类型RSAPublicKey的值的DER编码。subjectPKInfo允许的SubjectPublicKeyInfo{}类型的值被约束为信息对象集PKInfo算法指定的值,其中包括扩展标记(…)。特定算法对象的定义由引用本文档的规范决定。如果在扩展标记之后添加了任何其他算法对象,则此类规范将与其未来版本互操作。
attributes is a collection of attributes providing additional information about the subject of the certificate. Some attribute types that might be useful here are defined in PKCS #9. An example is the challenge-password attribute, which specifies a password by which the entity may request certificate revocation. Another example is information to appear in X.509 certificate extensions (e.g. the extensionRequest attribute from PKCS #9). The values of type
属性是提供有关证书主题的附加信息的属性集合。PKCS#9中定义了一些可能有用的属性类型。质询密码属性就是一个例子,它指定了一个密码,实体可以通过该密码请求证书撤销。另一个例子是出现在X.509证书扩展中的信息(例如PKCS#9中的extensionRequest属性)。类型的值
Attributes{} allowed for attributes are constrained to the values specified by the information object set CRIAttributes. Definitions of specific attribute objects are left to specifications that reference this document. Such specifications will be interoperable with their future versions if any additional attribute objects are added after the extension marker.
属性允许的属性{}约束为信息对象集属性指定的值。特定属性对象的定义留给引用本文档的规范。如果在扩展标记之后添加了任何其他属性对象,则此类规范将与其未来版本互操作。
A certification request shall have ASN.1 type CertificationRequest:
认证申请应具有ASN.1类型认证申请:
CertificationRequest ::= SEQUENCE {
certificationRequestInfo CertificationRequestInfo,
signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
signature BIT STRING
}
CertificationRequest ::= SEQUENCE {
certificationRequestInfo CertificationRequestInfo,
signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
signature BIT STRING
}
AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
SignatureAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
SignatureAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
The components of type CertificationRequest have the following meanings:
类型CertificationRequest的组件具有以下含义:
certificateRequestInfo is the "certification request information." It is the value being signed.
certificateRequestInfo是“认证请求信息”。它是正在签名的值。
signatureAlgorithm identifies the signature algorithm (and any associated parameters) under which the certification-request information is signed. For example, a specification might include an ALGORITHM object for PKCS #1's md5WithRSAEncryption in the information object set SignatureAlgorithms:
signatureAlgorithm标识签名算法(以及任何相关参数),在该算法下对认证请求信息进行签名。例如,规范可能在信息对象集SignatureAlgorithms中包含PKCS#1的MD5WithRSA加密算法对象:
SignatureAlgorithms ALGORITHM ::= {
...,
{ NULL IDENTIFIED BY md5WithRSAEncryption }
}
SignatureAlgorithms ALGORITHM ::= {
...,
{ NULL IDENTIFIED BY md5WithRSAEncryption }
}
signature is the result of signing the certification request information with the certification request subject's private key.
签名是使用认证请求主体的私钥对认证请求信息进行签名的结果。
The signature process consists of two steps:
签名过程包括两个步骤:
1. The value of the certificationRequestInfo component is DER encoded, yielding an octet string.
1. certificationRequestInfo组件的值经过DER编码,产生一个八位字节字符串。
2. The result of step 1 is signed with the certification request subject's private key under the specified signature algorithm, yielding a bit string, the signature.
2. 在指定的签名算法下,使用认证请求主体的私钥对步骤1的结果进行签名,生成一个位字符串,即签名。
Note - An equivalent syntax for CertificationRequest could be written:
注意-可以编写CertificationRequest的等效语法:
CertificationRequest ::= SIGNED { EncodedCertificationRequestInfo }
(CONSTRAINED BY { -- Verify or sign encoded
-- CertificationRequestInfo -- })
CertificationRequest ::= SIGNED { EncodedCertificationRequestInfo }
(CONSTRAINED BY { -- Verify or sign encoded
-- CertificationRequestInfo -- })
EncodedCertificationRequestInfo ::=
TYPE-IDENTIFIER.&Type(CertificationRequestInfo)
EncodedCertificationRequestInfo ::=
TYPE-IDENTIFIER.&Type(CertificationRequestInfo)
SIGNED { ToBeSigned } ::= SEQUENCE {
toBeSigned ToBeSigned,
algorithm AlgorithmIdentifier { {SignatureAlgorithms} },
signature BIT STRING
}
SIGNED { ToBeSigned } ::= SEQUENCE {
toBeSigned ToBeSigned,
algorithm AlgorithmIdentifier { {SignatureAlgorithms} },
signature BIT STRING
}
Security issues are discussed throughout this memo.
本备忘录中讨论了安全问题。
Magnus Nystrom RSA Security Box 10704 S-121 29 Stockholm Sweden
Magnus Nystrom RSA安全信箱10704 S-121 29瑞典斯德哥尔摩
EMail: magnus@rsasecurity.com
EMail: magnus@rsasecurity.com
Burt Kaliski RSA Security 20 Crosby Drive Bedford, MA 01730 USA
美国马萨诸塞州贝德福德克罗斯比大道20号Burt Kaliski RSA Security 01730
EMail: bkaliski@rsasecurity.com
EMail: bkaliski@rsasecurity.com
APPENDICES
附录
A. ASN.1 Module
A.ASN.1模块
This appendix includes all of the ASN.1 type and value definitions contained in this document in the form of the ASN.1 module PKCS-10.
本附录包括本文件中以ASN.1模块PKCS-10形式包含的所有ASN.1类型和值定义。
PKCS-10 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-10(10) modules(1) pkcs-10(1)}
PKCS-10 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-10(10) modules(1) pkcs-10(1)}
DEFINITIONS IMPLICIT TAGS ::=
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS All --
--全部出口--
-- All types and values defined in this module are exported for use
-- in other ASN.1 modules.
-- All types and values defined in this module are exported for use
-- in other ASN.1 modules.
IMPORTS
进口
informationFramework, authenticationFramework
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3}
informationFramework, authenticationFramework
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
usefulDefinitions(0) 3}
ATTRIBUTE, Name FROM InformationFramework informationFramework
属性,来自InformationFramework的名称InformationFramework
ALGORITHM FROM AuthenticationFramework authenticationFramework;
来自AuthenticationFramework AuthenticationFramework的算法;
-- Certificate requests
CertificationRequestInfo ::= SEQUENCE {
version INTEGER { v1(0) } (v1,...),
subject Name,
subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
attributes [0] Attributes{{ CRIAttributes }}
}
-- Certificate requests
CertificationRequestInfo ::= SEQUENCE {
version INTEGER { v1(0) } (v1,...),
subject Name,
subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
attributes [0] Attributes{{ CRIAttributes }}
}
SubjectPublicKeyInfo {ALGORITHM: IOSet} ::= SEQUENCE {
algorithm AlgorithmIdentifier {{IOSet}},
subjectPublicKey BIT STRING
}
SubjectPublicKeyInfo {ALGORITHM: IOSet} ::= SEQUENCE {
algorithm AlgorithmIdentifier {{IOSet}},
subjectPublicKey BIT STRING
}
PKInfoAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
PKInfoAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }}
CRIAttributes ATTRIBUTE ::= {
... -- add any locally defined attributes here -- }
CRIAttributes ATTRIBUTE ::= {
... -- add any locally defined attributes here -- }
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
type ATTRIBUTE.&id({IOSet}),
values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
type ATTRIBUTE.&id({IOSet}),
values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
}
CertificationRequest ::= SEQUENCE {
certificationRequestInfo CertificationRequestInfo,
signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
signature BIT STRING
}
CertificationRequest ::= SEQUENCE {
certificationRequestInfo CertificationRequestInfo,
signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
signature BIT STRING
}
AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
}
SignatureAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
SignatureAlgorithms ALGORITHM ::= {
... -- add any locally defined algorithms here -- }
END
终止
B. Intellectual property considerations
B.知识产权方面的考虑
RSA Security makes no patent claims on the general constructions described in this document, although specific underlying techniques may be covered.
RSA Security未就本文档中描述的一般结构提出专利要求,尽管可能涉及特定的底层技术。
License to copy this document is granted provided that it is identified as "RSA Security Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document.
如果在提及或引用本文档的所有材料中,本文档被标识为“RSA Security Inc.公钥加密标准(PKCS)”,则授予复制本文档的许可证。
RSA Security makes no representations regarding intellectual property claims by other parties. Such determination is the responsibility of the user.
RSA Security不对其他方的知识产权主张作出任何陈述。此类确定由用户负责。
C. Revision history
C.修订历史
Version 1.0
版本1.0
Version 1.0 was the previous version of this document (also published as "version 1.5" in [6]).
版本1.0是本文件的前一版本(在[6]中也以“版本1.5”的形式发布)。
Version 1.7
版本1.7
This version incorporates several editorial changes, including updates to the references, and changes to ASN.1 type definitions. The following substantive changes have been made:
此版本包含了一些编辑性更改,包括对参考的更新和对ASN.1类型定义的更改。作出了以下实质性改变:
- This version refers to X.680-X.690, the current international standards for ASN.1 and its encoding rules. All references to X.208 and X.209 have been eliminated.
- 本版本参考了ASN.1的现行国际标准X.680-X.690及其编码规则。已删除对X.208和X.209的所有引用。
- The X.690 standard requires that the encoded values of SET OF components be sorted in ascending order under DER. Regardless of this, applications should not rely on the ordering of attribute components.
- X.690标准要求在DER下按升序对组件集的编码值进行排序。不管怎样,应用程序不应该依赖于属性组件的顺序。
- All references to PKCS #6 Extended-Certificate Syntax Standard have been removed. With the addition of extensions to X.509 version 3 certificates, RSA Laboratories is withdrawing support for PKCS #6.
- 已删除对PKCS#6扩展证书语法标准的所有引用。随着X.509版本3证书的扩展,RSA实验室正在撤销对PKCS#6的支持。
Note - The reason for using version 1.7 for this document is to avoid confusion with [6], which is named version 1.5, and an unsupported PKCS #10 version named Version 1.6.
注-本文件使用1.7版的原因是为了避免与[6]混淆,后者命名为1.5版,而PKCS#10版本命名为1.6版,不受支持。
D. References
D.参考资料
[1] RSA Laboratories. PKCS #1: RSA Encryption Standard. Version 2.0, October 1998.
[1] RSA实验室。PKCS#1:RSA加密标准。版本2.0,1998年10月。
[2] RSA Laboratories. PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November 1993.
[2] RSA实验室。PKCS#7:加密消息语法标准。1.5版,1993年11月。
[3] RSA Laboratories. PKCS #9: Selected Attribute Types. Version 2.0, February 2000.
[3] RSA实验室。PKCS#9:选定的属性类型。版本2.0,2000年2月。
[4] Adams, C. and S. Farrell, "Internet X.509 Public Key Infrastructure - Certificate Management Protocols", RFC 2510, March 1999.
[4] Adams,C.和S.Farrell,“互联网X.509公钥基础设施-证书管理协议”,RFC2510,1999年3月。
[5] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services", RFC 1424, February 1993.
[5] Kaliski,B.,“因特网电子邮件的隐私增强:第四部分:关键认证和相关服务”,RFC 1424,1993年2月。
[6] Kaliski, B., "PKCS #10: Certification Request Syntax Version 1.5", RFC 2314, March 1998.
[6] Kaliski,B.,“PKCS#10:认证请求语法版本1.5”,RFC 2314,1998年3月。
[7] ITU-T Recommendation X.500 (1997) | ISO/IEC 9594-1:1998, Information technology - Open Systems Interconnection - The Directory: Overview of concepts, models and services.
[7] ITU-T建议X.500(1997)| ISO/IEC 9594-1:1998,信息技术-开放系统互连-目录:概念、模型和服务概述。
[8] ITU-T Recommendation X.501 (1993) | ISO/IEC 9594-2:1995, Information technology - Open Systems Interconnection - The Directory: Models.
[8] ITU-T建议X.501(1993)| ISO/IEC 9594-2:1995,信息技术-开放系统互连-目录:模型。
[9] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1998, Information technology - Open Systems Interconnection -The Directory: Authentication framework.
[9] ITU-T建议X.509(1997)| ISO/IEC 9594-8:1998,信息技术-开放系统互连-目录:认证框架。
[10] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998, Information Technology - Abstract Syntax Notation One (ASN.1): Specification of Basic Notation.
[10] ITU-T建议X.680(1997)| ISO/IEC 8824-1:1998,信息技术-抽象语法符号1(ASN.1):基本符号规范。
[11] ITU-T Recommendation X.681 (1997) | ISO/IEC 8824-2:1998, Information Technology - Abstract Syntax Notation One (ASN.1): Information Object Specification.
[11] ITU-T建议X.681(1997)| ISO/IEC 8824-2:1998,信息技术-抽象语法符号1(ASN.1):信息对象规范。
[12] ITU-T Recommendation X.682 (1997) | ISO/IEC 8824-3:1998, Information Technology - Abstract Syntax Notation One (ASN.1): Constraint Specification.
[12] ITU-T建议X.682(1997)| ISO/IEC 8824-3:1998,信息技术-抽象语法符号1(ASN.1):约束规范。
[13] ITU-T Recommendation X.683 (1997) | ISO/IEC 8824-4:1998, Information Technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 Specifications.
[13] ITU-T建议X.683(1997)| ISO/IEC 8824-4:1998,信息技术-抽象语法符号1(ASN.1):ASN.1规范的参数化。
[14] ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998, Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).
[14] ITU-T建议X.690(1997)| ISO/IEC 8825-1:1998,信息技术-ASN.1编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)规范。
E. Contact Information & About PKCS
E.联系信息和关于PKCS的信息
The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, SET, S/MIME, and SSL.
公钥加密标准是RSA实验室与全球安全系统开发人员合作制定的规范,旨在加速公钥加密的部署。PKCS文件于1991年首次出版,是与一小群早期采用公钥技术的人举行会议的结果。PKCS文件已被广泛引用和实施。PKCS系列的贡献已成为许多正式和事实标准的一部分,包括ANSI X9文档、PKIX、SET、S/MIME和SSL。
Further development of PKCS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, contact:
通过邮件列表讨论和偶尔的研讨会进一步开发PKCS,欢迎提出改进建议。有关详细信息,请联系:
PKCS Editor RSA Laboratories 20 Crosby Drive Bedford, MA 01730 USA pkcs-editor@rsasecurity.com http://www.rsasecurity.com/rsalabs/pkcs
PKCS编辑器RSA实验室美国马萨诸塞州贝德福德克罗斯比大道20号PKCS 01730-editor@rsasecurity.com http://www.rsasecurity.com/rsalabs/pkcs
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society 2000. All Rights Reserved.
版权所有(C)2000年互联网协会。版权所有。
This document and translations of it may be copied and furnished to others provided that the above copyright notice and this paragraph are included on all such copies. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as required to translate it into languages other than English.
只要上述版权声明和本段包含在所有此类副本中,本文件及其译本可复制并提供给其他人。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非需要将其翻译成英语以外的语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。