/
917.txt
117 lines (85 loc) · 5.65 KB
/
917.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
[3] [DFN[[CODE[[[subject]]]]]] [[欄]]は、[[subject public key]] [[欄]]に[[蓄積]]された[[公開鍵]]に関連付けられた[[実体]]を識別するものです [SRC[>>1]]。
* 仕様書
[REFS[
- [1] '''[CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) <http://tools.ietf.org/html/rfc5280#section-4.1.2.6>'''
- [10] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) <http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
]REFS]
* 構文
[9] [CODE[[[subject]]]] [[欄]]の値は、 [[X.501 Name]] です [SRC[>>1]]。
* subject name
[2] [[subject name]] は、 [[subject]] [[欄]]と [CODE[[[subjectAltName]]]]
[[拡張]]の一方または両方に指定できます [SRC[>>1]]。
[[インターネット電子メールアドレス]]、[[DNS名]]、[[IPアドレス]]、[[URI]]
を [[subject]] とする時は、 [[SAN]] も使わなければ[['''なりません''']] [SRC[>>10]]。
[4] [[subject]] が [[CA]] の場合 (例えば [[basic constraints extension]] があり、
[CODE[[[cA]]]] の値が [[TRUE]] の場合) には、 [[subject]] [[欄]]は
[[subject]] [[CA]] が発行したすべての[[証明書]]の [CODE[[[issuer]]]]
[[欄]]の内容と一致するような非[[空]]の [[distinguished name]]
を含んでいなければ[['''なりません''']] [SRC[>>1]]。
[5] [[subject]] が [[CRL発行者]]の場合 (例えば [[key usage extension]]
があり、 [CODE[[[cRLSign]]]] が [[TRUE]] の場合) には、 [[subject]] [[欄]]は
[[subject]] [[CRL発行者]]が発行したすべての [[CRL]] の [CODE[[[issuer]]]]
[[欄]]の内容と[[一致]]するような非[[空]]の [[distinguished name]]
を含んでいなければ[['''なりません''']] [SRC[>>1]]。
[6] [[subject]] の naming information が [CODE[[[subjectAltName]]]] 拡張にのみ示される場合
(例えば[[電子メールアドレス]]や [[URI]] にのみ[[束縛]]された[[鍵]]の場合) には、
[[subject name]] は[[空]]の[[列]]とし、 [CODE[[[subjectAltName]]]]
拡張を [[critical]] としなければ[['''なりません''']] [SRC[>>1]]。
[7] [CODE[[[subject]]]] が[[空]]でない場合には、 [[X.500]]
[[distinguished name]] ([[DN]]) を含まなければ[['''なりません''']]。 [SRC[>>1]]
[8] [[DN]] は、 [CODE[[[issuer]]]] [[欄]]に示された [[CA]] が [[certify]]
した [[subject]] [[実体]]にわたって[[固有]]でなければ[['''なりません''']]。
[[CA]] は、同じ [[DN]] の[[証明書]]を同じ [[subject]] [[実体]]に複数[[発行]]して構いません。 [SRC[>>1]]
* SAN
[16] [[SAN]] も参照。
* メモ
[FIG(quote)[
[FIGCAPTION[
[11] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]]
([TIME[2015-03-13 22:27:53 +09:00]] 版)
<https://tools.ietf.org/html/rfc6125#section-1.8>
]FIGCAPTION]
> subject name: In an overall sense, a subject's name(s) can be
> represented by or in the subject field, the subjectAltName
> extension, or both (see '''['''PKIX''']''' for details). More specifically,
> the term often refers to the name of a PKIX certificate's subject,
> encoded as the X.501 type Name and conveyed in a certificate's
> subject field (see Section 4.1.2.6 of '''['''PKIX''']''').
]FIG]
[FIG(quote)[
[FIGCAPTION[
[12] ([TIME[2014-11-01 05:54:38 +09:00]] 版)
<https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=12>
]FIGCAPTION]
> Subject: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The
> Subject is either the Subscriber or a device under the control and operation of the Subscriber.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[13] ([TIME[2014-11-01 05:54:38 +09:00]] 版)
<https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=12>
]FIGCAPTION]
> Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity Information
> does not include a domain name listed in the subjectAltName extension or the Subject commonName field.
]FIG]
[14] [[BR]] は [[SAN]] を指定することを要求しています。
[15] [[オレオレ証明書]]などで [[BR]] に従わない[[証明書]]は、
[[SAN]] を含まず [[CN-ID]] のみで[[ドメイン名]]を記述していることが今でもあります。
[FIG(quote)[
[FIGCAPTION[
[17] [CITE@en[Self signed certificates and a "This certificate has an invalid digital signature" error | SAMUSU]]
([TIME[2018-03-06 00:37:24 +09:00]])
<http://plobbes.blogspot.com/2016/02/self-signed-certificates-and-this.html>
]FIGCAPTION]
> Having unique DN's is desirable, but interestingly enough, in this case it's really fatal. The browser simply doesn't let you bypass this scenario. I failed to find this being documented by MS, but it's highly likely I missed something somewhere.
> Looking at RFC's, perhaps this was considered justification? RFC5280 Section 4.1.2.6
> Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN). The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field. ...
]FIG]
[18]
[[Windows]] は[[自己署名証明書]]の [[subject][subject field]]
と
[[issuer]]
が一致しているとエラーにします。
[19] 一方
[[OpenSSL]]
は両者が一致していないとエラーにします。