Introduction to CRL Extensions
358
Netscape Certificate Management System Plug-Ins Guide • March 2002
The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs [X.509]
[X9.55] enable you to associate additional attributes with CRLs. The Internet X.509
Public Key Infrastructure Certificate and CRL Profile (see
http://www.ietf.org/rfc/rfc2459.txt
) recommends a set of extensions to be
used in CRLs. These extensions are called standard CRL extensions.
The standard also suggests that you can define your own extensions and include
them in CRLs you issue. These extensions are called private, proprietary, or custom
CRL extensions and they carry information unique to your organization or
business. Keep in mind that applications may not able to validate CRLs that
contain private, critical extensions, thus preventing the use of these CRLs in a
general context.
Structure of CRL Extensions
A CRL extension consists of the following:
•
The object identifier (OID) for the extension; see Appendix B, “Object
Identifiers.”
This identifier uniquely identifies the extension. It also determines the ASN.1
type of value in the value field and how the value is interpreted. That is, when
an extension appears in a CRL, the OID appears as the extension ID field
(
extnID
) and the corresponding ASN.1 encoded structure appears as the value
of the octet string (
extnValue
); see the examples in “Sample Certificate
Extensions” on page 331.
•
A flag or boolean field called
critical
.
The
true
or
false
value assigned to this field indicates whether the extension
is critical (true) or noncritical (false) to the CRL.
❍
If the extension is critical and the CRL is sent to an application that does
not understand the extension (based on the extension’s ID), the application
must reject the CRL.
NOTE
Some explanations in this chapter make reference to Abstract
Syntax Notation One (ASN.1) and Distinguished Encoding Rules
(DER). These are specified in the CCITT Recommendations X.208
and X.209. For a quick summary of ASN.1 and DER, see A Layman’s
Guide to a Subset of ASN.1, BER, and DER, which is available at RSA
Laboratories’ web site (
http://www.rsa.com
).
Summary of Contents for Certificate Management System 6.0
Page 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...
Page 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...
Page 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...