* Specifications
[REFS[
- [6] [CITE@en[RFC 6066 - Transport Layer Security (TLS) Extensions: Extension Definitions]]
([TIME[2015-02-01 18:07:52 +09:00]] version)
<http://tools.ietf.org/html/rfc6066#section-10>
]REFS]
* File formats
[13] The following [[file]] formats exist.
[FIG(short list)[
- [CODE(MIME)@en[[[application/pkix-pkipath]]]]
- [[PKCS #7 certificate chain]]
- [[Netscape Certificate Sequence]]
- [CODE[[[.pem]]]]
-- [CODE[application/pem-certificate-chain]]
]FIG]
[16] In the [[JSON]] sent to the [[URL]] given by [CODE[[[report-uri]]]],
the [[certificate chain]] is written as a [[JSON]] [[array]] of strings,
each holding one [[certificate]] in [CODE[[[.pem]]]] format.
[21] [CODE[x5u]] uses [CODE[.pem]]. There are specific rules about the ordering.
* [CODE(MIME)@en[application/pkix-pkipath]]
[7] A [[sequence]] of [[RFC 5280]] [[certificates]] [[encoded]] in [[DER]] is
the [[MIME type]] [DFN[[CODE(MIME)@en[[[application/pkix-pkipath]]]]]]
[SRC[>>6]]. It represents a [[certification path]] [SRC[>>6]].
[8] The order of the [[certificates]] is significant. They are arranged so that the [[subject]]
of the first [[certificate]] is the [[issuer]] of the second, and so on [SRC[>>6]].
[9] A [[relying party]] need not reject [[certificates]] that do not strictly conform to [[RFC 5280]],
but the [[security]] implications of accepting them must be considered carefully [SRC[>>6]].
[11] The [[parameters]] of the [[MIME type]] are as follows.
[FIG(short list)[
- [CODE(MIME)@en[[[version]]]]
]FIG]
[10] Over a [[7-bit transport]], [[Base64]] [['''should''']] be used [SRC[>>6]].
[12] The [[file extension]] [DFN[[CODE[[[.pkipath]]]]]] is used [SRC[>>6]].
* [CODE[application/pem-certificate-chain]]
[19] [DFN[[CODE[application/pem-certificate-chain]]]] is one form of
[[certificate chain]] in the [[[CODE[.pem]] file]] format [SRC[>>17, >>18]].
[REFS[
- [17] [CITE@en[draft-ietf-acme-acme-18 - Automatic Certificate Management Environment (ACME)]]
([TIME[2018-12-21 18:47:41 +09:00]])
<https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-9.1>
- [18] [CITE[application/pem-certificate-chain]]
([TIME[2019-01-03 07:50:08 +09:00]])
<https://www.iana.org/assignments/media-types/application/pem-certificate-chain>
- [20] [CITE@en[An optional MIME parameter for application/pem-certificate-chain? · Issue #435 · ietf-wg-acme/acme]] ([TIME[2019-01-06 16:07:22 +09:00]]) <https://github.com/ietf-wg-acme/acme/issues/435>
]REFS]
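The two orderings this page describes, trust anchor first for [CODE[application/pkix-pkipath]] (the [[subject]] of certificate i is the [[issuer]] of certificate i+1, see [8]) and leaf first for [CODE[application/pem-certificate-chain]] (the issuer of certificate i is the subject of certificate i+1, see [19]), as an added example that is not part of this page, of RFC 6066 or of the ACME draft. It builds toy certificates with a hand-written DER encoder (dummy algorithm, key and signature; the CA names are made up), writes both containers, reads them back and checks name chaining by comparing the raw DER bytes of the Name fields. [CODE[toy_certificate]], [CODE[subject_issuer]], [CODE[to_pkipath]], [CODE[name_chaining_errors]] and the other function names are this example's own, not from any library.

```python
import base64

def der(tag, payload):
    """Encode one definite-length DER TLV (minimal helper written for this example)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def der_read(buf, pos):
    """Read the TLV at pos; return (tag, payload, position just after the TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def name_cn(cn):
    """RFC 5280 Name holding a single commonName (OID 2.5.4.3) attribute."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def toy_certificate(subject, issuer):
    """Certificate with the RFC 5280 field layout; algorithm, key and signature are dummies."""
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name_cn(issuer) + validity + name_cn(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))

def subject_issuer(cert_der):
    """Return the raw DER bytes of (subject, issuer) by walking the TBSCertificate fields."""
    _, cert, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert, 0)
    tag, _, nxt = der_read(tbs, 0)
    pos = nxt if tag == 0xA0 else 0      # [0] EXPLICIT version is optional
    _, _, pos = der_read(tbs, pos)       # serialNumber
    _, _, pos = der_read(tbs, pos)       # signature AlgorithmIdentifier
    start = pos
    _, _, pos = der_read(tbs, pos)       # issuer
    issuer = tbs[start:pos]
    _, _, pos = der_read(tbs, pos)       # validity
    start = pos
    _, _, pos = der_read(tbs, pos)       # subject
    return tbs[start:pos], issuer

def to_pem_chain(certs):
    """application/pem-certificate-chain: one PEM block per certificate, leaf first."""
    blocks = []
    for c in certs:
        b64 = base64.b64encode(c).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(blocks)

def from_pem_chain(text):
    """Decode every PEM CERTIFICATE block, keeping the order in which they appear."""
    parts = text.split("-----BEGIN CERTIFICATE-----")[1:]
    return [base64.b64decode("".join(p.split("-----END CERTIFICATE-----")[0].split())) for p in parts]

def to_pkipath(certs_leaf_first):
    """application/pkix-pkipath: DER SEQUENCE OF Certificate, trust anchor first."""
    return der(0x30, b"".join(reversed(certs_leaf_first)))

def from_pkipath(pkipath):
    """Split a pkipath SEQUENCE back into the individual Certificate TLVs."""
    _, seq, _ = der_read(pkipath, 0)
    certs, pos = [], 0
    while pos < len(seq):
        _, _, nxt = der_read(seq, pos)
        certs.append(seq[pos:nxt])
        pos = nxt
    return certs

def name_chaining_errors(certs, leaf_first):
    """Indexes i where certificates i and i+1 do not chain by name.
    leaf_first (PEM chain): issuer(i) must equal subject(i+1).
    trust-anchor-first (pkipath): subject(i) must equal issuer(i+1)."""
    names = [subject_issuer(c) for c in certs]
    bad = []
    for i in range(len(names) - 1):
        (s_i, i_i), (s_n, i_n) = names[i], names[i + 1]
        if not ((i_i == s_n) if leaf_first else (s_i == i_n)):
            bad.append(i)
    return bad

# Constructed sample chain; all names are made up for this example.
ROOT = toy_certificate("Example Root CA", "Example Root CA")
INTER = toy_certificate("Example Intermediate CA", "Example Root CA")
LEAF = toy_certificate("www.example.com", "Example Intermediate CA")
CHAIN_LEAF_FIRST = [LEAF, INTER, ROOT]

if __name__ == "__main__":
    print(name_chaining_errors(from_pem_chain(to_pem_chain(CHAIN_LEAF_FIRST)), leaf_first=True))
    print(name_chaining_errors(from_pkipath(to_pkipath(CHAIN_LEAF_FIRST)), leaf_first=False))
```

Comparing Name fields byte for byte is stricter than RFC 5280 section 7.1 requires (it also allows matching after string normalisation), so a mismatch reported here is a prompt to inspect the chain, not proof that it is broken. A pairwise check over the presented order also says nothing about cross-signed or looping chains such as the one in [14]; a validator that follows RFC 5280 section 6 builds the path itself rather than trusting the sender's ordering.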
* Notes
[1] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-3.2>
[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.1.2.4>
]FIGCAPTION]
> Certificate users MUST be prepared to process the issuer
> distinguished name and subject distinguished name (Section 4.1.2.6)
> fields to perform name chaining for certification path validation
> (Section 6). Name chaining is performed by matching the issuer
> distinguished name in one certificate with the subject name in a CA
> certificate.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[3] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.7>
]FIGCAPTION]
> Issuer alternative names are not
> processed as part of the certification path validation algorithm in
> Section 6. (That is, issuer alternative names are not used in name
> chaining and name constraints are not enforced.)
]FIG]
[4] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-6>
[5] [CITE@en[RFC 6818 - Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-03-24 03:47:50 +09:00]] version)
<https://tools.ietf.org/html/rfc6818#section-4>
[14] [CITE@en[634074 – Cannot validate valid certificate chain when looping/cross-signed certs are involved]]
([TIME[2016-05-08 21:58:21 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=634074>
[15] [CITE@en[RFC 7515 - JSON Web Signature (JWS)]]
([TIME[2018-12-30 17:16:56 +09:00]])
<https://tools.ietf.org/html/rfc7515#section-4.1.6>