RFC 2459 Internet X.509 Public Key Infrastructure January 1999
The value of the keyIdentifier field SHOULD be derived from the
public key used to verify the certificate's signature or a method
that generates unique values. Two common methods for generating key
identifiers from the public key are described in (sec. 4.2.1.2). One
common method for generating unique values is described in (sec.
4.2.1.2). Where a key identifier has not been previously
established, this specification recommends use of one of these
methods for generating keyIdentifiers.
This profile recommends support for the key identifier method by all
certificate users.
This extension MUST NOT be marked critical.
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
KeyIdentifier ::= OCTET STRING
4.2.1.2 Subject Key Identifier
The subject key identifier extension provides a means of identifying
certificates that contain a particular public key.
To facilitate chain building, this extension MUST appear in all
conforming CA certificates, that is, all certificates including the
basic constraints extension (see sec. 4.2.1.10) where the value of cA
is TRUE. The value of the subject key identifier MUST be the value
placed in the key identifier field of the Authority Key Identifier
extension (see sec. 4.2.1.1) of certificates issued by the subject of
this certificate.
For CA certificates, subject key identifiers SHOULD be derived from
the public key or a method that generates unique values. Two common
methods for generating key identifiers from the public key are:
(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).
(2) The keyIdentifier is composed of a four bit type field with
the value 0100 followed by the least significant 60 bits of the
SHA-1 hash of the value of the BIT STRING subjectPublicKey.
One common method for generating unique values is a monotonically
increasing sequence of integers.
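The two public-key-derived methods above, worked through in code. This is an added example, not text or code from RFC 2459: it parses a DER BIT STRING to recover the subjectPublicKey value without its tag, length and unused-bits byte, computes both keyIdentifier forms, and shows the SKID/AKID equality that chain building relies on. The sample key bytes are constructed, not a real key.

```python
import hashlib

# Constructed sample standing in for the subjectPublicKey BIT STRING
# contents (not a real key; chosen to exercise long-form DER lengths).
SAMPLE_PUBLIC_KEY = bytes(range(256)) + b"\x00\x01\x00\x01"


def encode_bit_string(content: bytes, unused_bits: int = 0) -> bytes:
    """DER-encode a BIT STRING: tag 0x03, definite length, unused-bits byte, content."""
    body = bytes([unused_bits]) + content
    n = len(body)
    if n < 0x80:
        length = bytes([n])  # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw  # long form
    return b"\x03" + length + body


def bit_string_contents(der: bytes) -> bytes:
    """Return the BIT STRING value with tag, length and unused-bits byte stripped,
    which is exactly what method (1) of RFC 2459 sec. 4.2.1.2 hashes."""
    if not der or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    first = der[1]
    if first < 0x80:
        n, pos = first, 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(der[2:2 + k], "big"), 2 + k
    body = der[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated BIT STRING")
    return body[1:]  # drop the unused-bits count byte


def key_id_method1(subject_public_key: bytes) -> bytes:
    """Method (1): the full 160-bit SHA-1 hash of the BIT STRING value."""
    return hashlib.sha1(subject_public_key).digest()


def key_id_method2(subject_public_key: bytes) -> bytes:
    """Method (2): 4-bit type field 0100 followed by the low 60 bits of the SHA-1 hash."""
    h = int.from_bytes(hashlib.sha1(subject_public_key).digest(), "big")
    return ((0x4 << 60) | (h & ((1 << 60) - 1))).to_bytes(8, "big")


def authority_matches_subject(akid: bytes, skid: bytes) -> bool:
    """Chain-building check: the issuer's SKID must equal the child's AKID keyIdentifier."""
    return akid == skid


SAMPLE_DER = encode_bit_string(SAMPLE_PUBLIC_KEY)
```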
For end entity certificates, the subject key identifier extension
provides a means for identifying certificates containing the
particular public key used in an application. Where an end entity has
obtained multiple certificates, especially from multiple CAs, the
subject key identifier provides a means to quickly identify the set
of certificates containing a particular public key. To assist
applications in identifying the appropriate end entity
certificate, this extension SHOULD be included in all end entity
certificates.
For end entity certificates, subject key identifiers SHOULD be
derived from the public key. Two common methods for generating key
identifiers from the public key are identified above.
Where a key identifier has not been previously established, this
specification recommends use of one of these methods for generating
keyIdentifiers.
This extension MUST NOT be marked critical.
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
SubjectKeyIdentifier ::= KeyIdentifier
4.2.1.3 Key Usage
The key usage extension defines the purpose (e.g., encipherment,
signature, certificate signing) of the key contained in the
certificate. The usage restriction might be employed when a key that
could be used for more than one operation is to be restricted. For
example, when an RSA key should be used only for signing, the
digitalSignature and/or nonRepudiation bits would be asserted.
Likewise, when an RSA key should be used only for key management, the
keyEncipherment bit would be asserted. When used, this extension
SHOULD be marked critical.