* Specifications
[REFS[
- [6] [CITE@en[RFC 6066 - Transport Layer Security (TLS) Extensions: Extension Definitions]]
([TIME[2015-02-01 18:07:52 +09:00]] version)
<http://tools.ietf.org/html/rfc6066#section-10>
]REFS]
* File formats
[13] The following [[file]] formats exist.
[FIG(short list)[
- [CODE(MIME)@en[[[application/pkix-pkipath]]]]
- [[PKCS #7 certificate chain]]
- [[Netscape Certificate Sequence]]
- [CODE[[[.pem]]]]
]FIG]
* [CODE(MIME)@en[application/pkix-pkipath]]
[7] A sequence of [[RFC 5280]] [[certificate]]s, [[encoded]] in [[DER]], is the
[[MIME type]] [DFN[[CODE(MIME)@en[[[application/pkix-pkipath]]]]]]
[SRC[>>6]]. It represents a [[certification path]] [SRC[>>6]].
[8] The order of the [[certificate]]s is significant. They are arranged so that the [[subject]]
of the first [[certificate]] is the [[issuer]] of the second, and so on [SRC[>>6]].
[9] A [[relying party]] need not necessarily reject [[certificate]]s that do not strictly conform to [[RFC 5280]],
but the [[security]] implications must be considered carefully [SRC[>>6]].
[11] The [[parameter]]s of the [[MIME type]] are as follows.
[FIG(short list)[
- [CODE(MIME)@en[[[version]]]]
]FIG]
[10] On [[7-bit transports]], [[Base64]] [['''should''']] be used [SRC[>>6]].
[12] The [[file extension]] [DFN[[CODE[[[.pkipath]]]]]] is used [SRC[>>6]].
* Notes
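As an added example (not part of this page, of RFC 6066, or of any library), the following Python walks a DER-encoded PkiPath, accepting the Base64-armored form used on 7-bit transports, and checks the ordering rule of paragraph [8]: the subject of each certificate must be the issuer of the next. The sample certificates are constructed placeholders that follow the RFC 5280 TBSCertificate field order with dummy keys and signatures, and Names are compared as raw DER bytes, which is stricter than RFC 5280's name matching rules.

```python
# Added example (not from the page or RFC 6066): parse a DER PkiPath
# (SEQUENCE OF Certificate) and verify subject(i) == issuer(i+1) on raw DER Names.
import base64

def der_read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: N length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0                                   # split a constructed value into (tag, value) pairs
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_names(cert_body: bytes) -> tuple[bytes, bytes]:
    """(issuer, subject) DER Names from the content octets of one Certificate."""
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # drop optional [0] EXPLICIT version
    return fields[2][1], fields[4][1]                  # serial, sigAlg, ISSUER, validity, SUBJECT

def check_pkipath(data: bytes) -> tuple[int, bool]:
    """Return (certificate count, True if every adjacent pair chains by name)."""
    if data[:1] != b"\x30":                            # a DER SEQUENCE starts 0x30; Base64 of it starts 'M'
        data = base64.b64decode(data)
    tag, body, end = der_read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("PkiPath must be exactly one DER SEQUENCE")
    names = [cert_names(v) for t, v in der_children(body) if t == 0x30]
    return len(names), all(names[i][1] == names[i + 1][0] for i in range(len(names) - 1))

def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)                                   # minimal DER encoder for the constructed sample
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def fake_cert(issuer: bytes, subject: bytes) -> bytes:
    """Constructed Certificate skeleton in RFC 5280 field order; key and signature are dummies."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
           + name(issuer) + tlv(0x30, tlv(0x17, b"250101000000Z") * 2) + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

CHAIN = [fake_cert(b"Root CA", b"Root CA"), fake_cert(b"Root CA", b"Sub CA"), fake_cert(b"Sub CA", b"www.example.com")]
GOOD_PKIPATH = tlv(0x30, b"".join(CHAIN))                   # constructed: trust anchor first, leaf last
GOOD_PKIPATH_B64 = base64.b64encode(GOOD_PKIPATH)           # same path, Base64 form for 7-bit transports
```

Reversing CHAIN before wrapping it (leaf first, the order a TLS Certificate message uses) makes the check return False, which is the misordering this format's rule is meant to catch.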
[1] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-3.2>
[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.1.2.4>
]FIGCAPTION]
> Certificate users MUST be prepared to process the issuer
> distinguished name and subject distinguished name (Section 4.1.2.6)
> fields to perform name chaining for certification path validation
> (Section 6). Name chaining is performed by matching the issuer
> distinguished name in one certificate with the subject name in a CA
> certificate.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[3] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.7>
]FIGCAPTION]
> Issuer alternative names are not
> processed as part of the certification path validation algorithm in
> Section 6. (That is, issuer alternative names are not used in name
> chaining and name constraints are not enforced.)
]FIG]
[4] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-6>
[5] [CITE@en[RFC 6818 - Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-03-24 03:47:50 +09:00]] version)
<https://tools.ietf.org/html/rfc6818#section-4>