1. Introduction
This specification is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet. It is based on [X.509] and [RFC3280], which defines underlying certificate formats and semantics needed for a full implementation of this standard.

This profile includes specific mechanisms intended for use with Qualified Certificates. The term Qualified Certificates and the assumptions that affect the scope of this document are discussed in Section 2.

Section 3 defines requirements on certificate information content. This specification provides profiles for two certificate fields: issuer and subject. It also provides profiles for four certificate extensions defined in RFC 3280: subject alternate name, subject directory attributes, certificate policies, and key usage, and it defines two additional extensions: biometric information and qualified certificate statements. The certificate extensions are presented in the 1997 Abstract Syntax Notation One (ASN.1) [X.680], but in conformance with RFC 3280 the 1988 ASN.1 module in Appendix A contains all normative definitions (the 1997 module in Appendix A is informative).

In Section 4, some security considerations are discussed in order to clarify the security context in which the standard may be utilized.

Appendix A contains all relevant ASN.1 structures that are not already defined in RFC 3280. Appendix B contains a note on attributes. Appendix C contains an example certificate. The appendix sections are followed by the References, Authors' Addresses, and the Full Copyright Statement.
1.1. Changes since RFC 3039
This specification obsoletes RFC 3039. This specification differs from RFC 3039 in the following basic areas:

* Some editorial clarifications have been made to introductory sections to clarify that this profile is generally applicable to a broad type of certificates, even if its prime purpose is to facilitate issuance of Qualified Certificates.

* To align with RFC 3280, support for domainComponent and title attributes in subject names is included, and postalAddress is no longer supported.

* To align with actual usage, support for the title attribute in the subject directory attributes extension is no longer supported.

* To better facilitate broad applicability of this profile, some constraints on key usage settings in the key usage extension have been removed.

* A new qc-Statement reflecting this second version of the profile has been defined in Section 3.2.6.1. This profile obsoletes RFC 3039, but the qc-statement reflecting compliance with RFC 3039 is also defined for backwards compatibility.
1.2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119].
