for organizations that wish to use DNs that parallel their DNS names.
This is not a replacement for the dNSName component of the
alternative name field. Implementations are not required to convert
such names into DNS names. The syntax and associated OID for this
attribute type is provided in the ASN.1 modules in Appendices A and
B.
Certificate users MUST be prepared to process the issuer
distinguished name and subject distinguished name (see sec. 4.1.2.6)
fields to perform name chaining for certification path validation
(see section 6). Name chaining is performed by matching the issuer
distinguished name in one certificate with the subject name in a CA
certificate.
This specification requires only a subset of the name comparison
functionality specified in the X.500 series of specifications. The
requirements for conforming implementations are as follows:
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
(a) attribute values encoded in different types (e.g.,
PrintableString and BMPString) may be assumed to represent
different strings;
(b) attribute values in types other than PrintableString are case
sensitive (this permits matching of attribute values as binary
objects);
(c) attribute values in PrintableString are not case sensitive
(e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
(d) attribute values in PrintableString are compared after
removing leading and trailing white space and converting internal
substrings of one or more consecutive white space characters to a
single space.
These name comparison rules permit a certificate user to validate
certificates issued using languages or encodings unfamiliar to the
certificate user.
In addition, implementations of this specification MAY use these
comparison rules to process unfamiliar attribute types for name
chaining. This allows implementations to process certificates with
unfamiliar attributes in the issuer name.
Note that the comparison rules defined in the X.500 series of
specifications indicate that the character sets used to encode data
in distinguished names are irrelevant. The characters themselves are
compared without regard to encoding. Implementations of the profile
are permitted to use the comparison algorithm defined in the X.500
series. Such an implementation will recognize a superset of name
matches recognized by the algorithm specified above.
4.1.2.5 Validity
The certificate validity period is the time interval during which the
CA warrants that it will maintain information about the status of the
certificate. The field is represented as a SEQUENCE of two dates:
the date on which the certificate validity period begins (notBefore)
and the date on which the certificate validity period ends
(notAfter). Both notBefore and notAfter may be encoded as UTCTime or
GeneralizedTime.
CAs conforming to this profile MUST always encode certificate
validity dates through the year 2049 as UTCTime; certificate validity
dates in 2050 or later MUST be encoded as GeneralizedTime.
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
4.1.2.5.1 UTCTime
The universal time type, UTCTime, is a standard ASN.1 type intended
for international applications where local time alone is not
adequate. UTCTime specifies the year through the two low order
digits and time is specified to the precision of one minute or one
second. UTCTime includes either Z (for Zulu, or Greenwich Mean Time)
or a time differential.
For the purposes of this profile, UTCTime values MUST be expressed
Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming
systems MUST interpret the year field (YY) as follows:
Where YY is greater than or equal to 50, the year shall be
interpreted as 19YY; and
Where YY is less than 50, the year shall be interpreted as 20YY.
=12= |
