X.509 Extensions Enhancements

"Housley, Russ" <rhousley@rsasecurity.com> Tue, 12 June 2001 17:10 UTC

Message-Id: <5.0.1.4.2.20010612120440.02009ef8@exna07.securitydynamics.com>
X-Sender: rhousley@exna07.securitydynamics.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Tue, 12 Jun 2001 12:18:09 -0400
To: ietf-pkix@imc.org
From: "Housley, Russ" <rhousley@rsasecurity.com>
Subject: X.509 Extensions Enhancements
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

I have just been made aware that the most recent X.509 includes two 
additional reason codes.  This impacts the reasons in the CRL Distribution 
Points certificate extension and the onlySomeReasons in the Issuing 
Distribution Point CRL extension.  Both of these fields use the ReasonFlags 
type.  It also impacts the Reason Code CRL entry extension, which uses the 
CRLReason type.  I have provided the new definitions below.

    ReasonFlags ::= BIT STRING {
         unused                  (0),
         keyCompromise           (1),
         cACompromise            (2),
         affiliationChanged      (3),
         superseded              (4),
         cessationOfOperation    (5),
         certificateHold         (6),
         privilegeWithdrawn      (7),
         aACompromise            (8) }

    CRLReason ::= ENUMERATED {
         unspecified             (0),
         keyCompromise           (1),
         cACompromise            (2),
         affiliationChanged      (3),
         superseded              (4),
         cessationOfOperation    (5),
         certificateHold         (6),
         removeFromCRL           (8),
         privilegeWithdrawn      (9),
         aaCompromise           (10) }

The Issuing Distribution Point CRL extension has also been enhanced to 
include a boolean that indicates whether the CRL contains only entries 
associated with attribute certificates.  The new definition is:

    IssuingDistributionPoint ::= SEQUENCE {
         distributionPoint          [0] DistributionPointName OPTIONAL,
         onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
         onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
         onlySomeReasons            [3] ReasonFlags OPTIONAL,
         indirectCRL                [4] BOOLEAN DEFAULT FALSE,
         onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }

The original OIDs are still being used with these "enhanced" definitions, 
therefore I will be adding them to son-of-rfc2459.

Russ
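Added example, not part of Russ's message: a small pure-Python DER encoder/decoder for the ReasonFlags and CRLReason definitions above. It shows why setting the new bit 8 (aACompromise) changes the length of the BIT STRING encoding, and why a CRLReason decoder keyed on the earlier value table would reject 9 and 10. The dictionary and function names are my own.

```python
# Named bits of ReasonFlags and values of CRLReason, from the definitions above
REASON_FLAGS = {
    "unused": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "privilegeWithdrawn": 7, "aACompromise": 8,
}
CRL_REASON = {  # note: 7 is not assigned in CRLReason
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
    4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
    8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aaCompromise",
}
def encode_reason_flags(names: set) -> bytes:
    """DER-encode ReasonFlags (BIT STRING, tag 0x03). DER drops trailing zero
    bits of a named bit list, so the length depends on the highest set bit."""
    bits = sorted(REASON_FLAGS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"  # empty bit string, zero unused bits
    nbits = bits[-1] + 1
    value = bytearray((nbits + 7) // 8)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)  # bit 0 is the MSB of the first octet
    body = bytes([len(value) * 8 - nbits]) + bytes(value)
    return b"\x03" + bytes([len(body)]) + body

def decode_reason_flags(der: bytes) -> set:
    """Parse a DER ReasonFlags; rejects non-DER padding and any bit beyond
    aACompromise (8), the highest bit the definition above assigns."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, value = der[2], der[3:]
    if unused > 7 or (value and value[-1] & ((1 << unused) - 1)):
        raise ValueError("bad unused-bits octet (non-DER padding)")
    by_bit = {v: k for k, v in REASON_FLAGS.items()}
    names = set()
    for i in range(len(value) * 8 - unused):
        if value[i // 8] & (0x80 >> (i % 8)):
            if i not in by_bit:
                raise ValueError(f"unknown ReasonFlags bit {i}")
            names.add(by_bit[i])
    return names

def decode_crl_reason(der: bytes) -> str:
    """Parse a DER CRLReason (ENUMERATED, tag 0x0A, one content octet).
    A decoder built from the earlier reason table would reject 9 and 10 here."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 1:
        raise ValueError("not a one-octet ENUMERATED")
    if der[2] not in CRL_REASON:
        raise ValueError(f"CRLReason value {der[2]} is not assigned")
    return CRL_REASON[der[2]]
```

With only keyCompromise set the encoding is 03 02 06 40; adding aACompromise (bit 8) forces a second content octet, 03 03 07 40 80, which is what a receiver built for the old eight-bit definition must be prepared to see.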