Cryptography Reference
In-Depth Information
services to the general public. Unfortunately, only a few of these companies and
organizations have succeeded and actually provide such services that can be taken
seriously.
Many standardization bodies are working in the field of public key certificates
and PKIs. Most importantly, the Telecommunication Standardization Sector of the
International Telecommunication Union (ITU-T) has released and is periodically
updating a recommendation that is commonly referred to as ITU-T X.509 [14], or
X.509 in short. The current version of ITU-T X.509 is version 3. Meanwhile, the
ITU-T X.509 has also been adopted by many other standardization bodies, including,
for example, the ISO/IEC JTC1 [15].
The format of an X.509v3 certificate is specified in the abstract syntax notation
one (ASN.1),
4
and the resulting certificates are encoded according to specific encod-
ing rules
5
to produce a series of bits and bytes suitable for transmission. Anyway, an
X.509 public-key certificate contains the following data items:
1. A version number (identifying version 1, version 2, or version 3);
2. A serial number (i.e., a unique integer value assigned by the issuer);
3. An object identifier (OID) that specifies the signature algorithm that is used to
sign the public key certificate;
4. The distinguished name (DN)
6
of the issuer (i.e., the name of the CA that
actually signed the certificate);
5. A validity period that specifies an interval in which the certificate is valid;
6. The DN of the subject (i.e., the owner of the certificate);
7. Information related to the public key of the subject (i.e., the key and the OID
of the algorithm);
8. Some optional information related to the issuer (defined for versions 2 and 3
only);
9. Some optional information related to the subject (defined for versions 2 and 3
only);
10. Some optional extensions (defined for version 3 only).
4
ASN.1 is officially specified in ITU-T X.680 and ISO/IEC 8824.
5
There are three standardized encoding rules, namely the basic encoding rules (BER), the distin-
guished encoding rules (DER), and the packet encoding rules (PER). Obviously, anybody can spec-
ify and use their own set of encoding rules.
6
The DN is assumed to uniquely identify an entity (i.e., a public key certificate owner or a CA) in a
globally unique namespace.
