Connected: An Internet Encyclopedia
RFC 1424, 2. Overview of Services

2.1 Key Certification

The key-certification service signs a certificate containing a specified subject name and public key. The service takes a certification request (see Section 3.1), signs a certificate constructed from the request, and returns a certification reply (see Section 3.2) containing the new certificate.

The certification request specifies the requestor's subject name and public key in the form of a self-signed certificate. The certification request contains two signatures, both computed with the requestor's private key:

  1. The signature on the self-signed certificate, having the cryptographic purpose of preventing a requestor from requesting a certificate with another party's public key. (See Section 4.)

  2. A signature on some encapsulated text, having the practical purpose of allowing the certification authority to construct an ordinary RFC 1421 privacy-enhanced message as a reply, with user-friendly encapsulated text. (RFC 1421 does not provide for messages with certificates but no encapsulated text; and the self-signed certificate is not "user friendly" text.) The text should be something innocuous like "Hello world!"

A requestor would typically send a certification request after generating a public-key/private-key pair, but may also do so after a change in the requestor's distinguished name.

A certification authority signs a certificate only if both signatures in the certification request are valid.

The new certificate contains the subject name and public key from the self-signed certificate, and an issuer name, serial number, validity period, and signature algorithm of the certification authority's choice. (The validity period may be derived from the self-signed certificate.) Following RFC 1422, the issuer may be any whose distinguished name is superior to the subject's distinguished name, typically the one closest to the subject. The certification authority signs the certificate with the issuer's private key, then transforms the request into a reply containing the new certificate (see Section 3.2 for details).

The certification reply includes a certification path from the new certificate to the RFC 1422 Internet certification authority. It may also include other certificates such as cross-certificates that the certification authority considers helpful to the requestor.
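As an added example (it is not part of RFC 1424 or of the encyclopedia), the request-and-certify flow described above, written in Go with the standard library's crypto/x509: the requestor self-signs a certificate and signs "Hello world!" with the same private key, and the certification authority issues a certificate only after both signatures verify under the public key carried in the self-signed certificate. The helper names, the choice of RSA with SHA-256, and the "Example CA" issuer are assumptions; the certification path in the reply is not built here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned is a constructed helper: a self-signed certificate for cn, with isCA set only for the CA's own certificate.
func selfSigned(cn string, key *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), BasicConstraintsValid: isCA, IsCA: isCA}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRequest is the requestor side of RFC 1424 section 2.1: a self-signed certificate plus a
// second signature, made with the same private key, over innocuous encapsulated text.
func NewRequest(cn string, key *rsa.PrivateKey) (cert *x509.Certificate, text, textSig []byte, err error) {
	if cert, err = selfSigned(cn, key, false); err != nil {
		return nil, nil, nil, err
	}
	text = []byte("Hello world!")
	h := sha256.Sum256(text)
	textSig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return cert, text, textSig, err
}

// Certify is the CA side: a certificate is issued only if BOTH request signatures verify
// under the public key carried in the self-signed certificate (CheckSignature uses that key).
func Certify(c *x509.Certificate, text, textSig []byte, issuer *x509.Certificate, issuerKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
		return nil, err // signature 1: the self-signature binds the requestor to this key
	}
	if err := c.CheckSignature(c.SignatureAlgorithm, text, textSig); err != nil {
		return nil, err // signature 2: the one over the encapsulated text
	}
	// Subject name, key and (here) validity are taken from the request; issuer name and serial number are the CA's choice.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: c.Subject, NotBefore: c.NotBefore, NotAfter: c.NotAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, c.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```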
