...
This document defines two X.509 v3 certificate extensions that
authorize the transfer of the right-to-use for a set of IP addresses
...
... IP address prefixes, to the subject (private key
holder) of a certificate. The second binds a list of autonomous
system (AS) identifiers ...
... blocks and AS identifiers to the subject of the certificate. These
certificates provide a scalable means of verifying the right-to-use
for a set of IP address prefixes and AS identifiers ...
... they allow relying parties to use one-pass algorithms when performing
certification path validation; in particular, the relying parties do
not need to sort the information, or to implement extra code in the
...
... Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile" [RFC3280 ...
...
trust anchor - a certificate that is to be trusted when performing
certification path validation (see [RFC3280]).
...
... allocating IP address space. As described in Section 1 above, this
will be achieved by issuing certificates carrying the extension
described in this section. An example of one use of the information
in this extension is an entity ...
... CRITICAL to convey the notion that a relying party MUST understand
the semantics of the extension to make use of the certificate for the
purpose it was issued. Newly created applications that use
certificates containing this extension are expected to recognize the
extension.
...
... issuer's issuer's certificate, recursively, until a certificate
containing an IPAddressChoice containing an addressesOrRanges element
is located.
...
... comparison of IP address blocks when performing
certification path validation, a maximum IP address MUST contain at
...
... Certification path validation of a certificate containing the IP
address delegation extension requires additional processing. As each
certificate in a path is validated, the IP addresses in the IP
address delegation extension of that certificate MUST be subsumed by
IP addresses in the IP address delegation extension in the issuer's
certificate. Validation MUST fail when this is not the case. A
certificate that is a trust anchor for certification path validation
of certificates containing the IP address delegation extension, as
well as all certificates along the path, MUST each contain the IP
address delegation extension. The initial set of allowed address ...
... AS identifiers.
As described in Section 1 above, this will be achieved by issuing
certificates carrying the extension described in this section. An
example of one use of the information in this extension is an entity
...
... that a relying party must understand the semantics of the extension
to make use of the certificate for the purpose it was issued. Newly
created applications that use certificates containing this extension
are expected to recognize the extension.
...
... AS identifiers is taken from the issuer's certificate, or from the
issuer's issuer's certificate, recursively, until a certificate
containing an ASIdentifierChoice containing an asIdsOrRanges element
is located. If no authorization ...
... identifier delegation extension requires additional processing. As
each certificate in a path is validated, the AS identifiers in the
autonomous system identifier delegation extension of that certificate
MUST be subsumed by the AS identifiers in the autonomous system
identifier delegation extension in the issuer's certificate.
Validation MUST fail when this is not the case. A certificate that is
a trust anchor for certification path validation of certificates
containing the autonomous system identifier delegation extension, as
well as all certificates along the path, MUST each contain the
autonomous system identifier ...
...
This specification describes two X.509 extensions. Since X.509
certificates are digitally signed, no additional integrity service is
necessary. Certificates with these extensions need not be kept
secret, and unrestricted and anonymous access to these certificates
has no security implications.
...
... However, security factors outside the scope of this specification
will affect the assurance provided to certificate users. This
section highlights critical issues that should be considered by
...
... contexts. In the secure BGP context, certificates containing these
extensions function as capabilities: the certificate asserts that the
holder of the private key (the Subject ...
... prefixes 10/8 and 172.16/12, and which inherits all IPv4 multicast
addresses from the issuer's certificate would be (in hexadecimal):
30 3d Extension {
...
... domain identifiers from the issuer's
certificate would be (in hexadecimal):
30 2b Extension {
...
... Appendix D -- Use of X.509 Attribute Certificates ...
...
This appendix discusses issues arising from a proposal to use
attribute certificates (ACs, as specified in [RFC3281]) to convey,
...
... RFC 3281, two reasons are given for why the use of
ACs might be preferable to the use of public key certificates (PKCs)
with extensions that convey the authorization information ...
... Authorization information may be placed in a PKC extension or
placed in a separate attribute certificate (AC). The placement of
authorization information ...
... AS identifier authorizations, these reasons do not apply. First,
the public key certificates are issued exclusively for authorization,
so the certificate lifetime corresponds exactly to the authorization
lifetime ...
... Subject and Issuer names are only
used for chaining during certification path validation, and the names
need not correspond to any physical ...
... PKCs may actually be randomly assigned by the issuing CA, allowing
the resource holder limited anonymity. Second, the certificate
hierarchy is constructed so that the certificate issuer is
authoritative for the authorization information ...
... RFC 3281 specifies several requirements that a conformant Attribute
Certificate must meet. In relation to S-BGP, the more-significant
requirements ...
... intended use requires that the extensions be critical so that the
certificates containing them cannot be used as identity
certificates by an unsuspecting application.
3 from section 4.5: "an AC ...
... issuer in addition to its CA. There would be twice as many
certificate issuers and CRLs to process to support Attribute
certificates than are needed if PKCs are used. The possibility of
mis-alignment also arises when there are two issuers issuing
certificates for a single purpose.
The AC ...
... This is not true in the case of a right-to-use for an IP address
block, which is allocated through a hierarchy. Certification path
validation of the AC ...
... validate an AC is larger than for the mechanism that places the
certificate extensions defined in this document in the PKCs. There
would be twice as many certificates to be validated, in addition to
the ACs ...
... "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280 ...
... Farrell, S. and R. Housley, "An Internet Attribute Certificate Profile for Authorization", RFC 3281 ...
