Teknisk om OCES (Technical details of OCES)
Overview
This document details the contents of an OCES Certificate issued by TDC. The general structure is for Person certificates. Where fields are significantly different for Employee- or Organizational certificates this will be stated in different sections.
Components of a certificate
The contents of a certificate can be divided in the following components:
Part |
Function |
|---|---|
|
Formalia |
Certificate Serial Number, Validity, X509 version |
|
Issuer |
DN of issuer |
|
Subject |
DN of subject and optional SubjectAlternativeName |
|
Public Key |
The RSA public Key |
|
Extensions |
Key Usage, Certificate Policy, CRL Distribution Point, Basic Constraints |
|
Signature |
The CAs signature confirming the correspondence between the identity of the subscriber and the key pair |
Note that fields like Signature Algorithm and Public Key Algorithm are not discussed.
Formalia
The formalia are characterized by the following details:
Field |
Value/Description |
|---|---|
|
X509 Version |
3 (Integer) (Note that the actual integer value is 2) |
|
Serial Number |
Serial number of the issued certificate. Not to be mistaken for the SubjectSerialNumber. (Integer) |
|
Validity |
The Not Before and Not After fields specifying the validity of the certificate (UTCTime) |
Note that the ASN1 types are given in parenthesis where applicable.
Issuer
The contents of the Issuer field are characterized by the following details:
Field |
Value/Description |
|---|---|
| Country | DK (Printable String) |
| Organisation | TDC (Printable String) |
| Common Name | TDC OCES CA (Printable String) |
Subject for persons
The contents of the Subject field are characterized by the following details:
Field |
Value/Description |
|---|---|
| Country | DK (Printable String) |
| Organisation | Ingen organisatorisk tilknytning (Printable String) |
| Common Name | Common Name of user, i.e. Name or Pseudonym (PrintableString/T61String/UTF8) |
| SubjectSerialNumber | The PID of the subscriber, e.g. PID:9208-2002-2-123456789012 (Printable String). The last component is the serial number, while the start is CA specific stuff. The serial number is at present time 12 digits. The total PID string can be considered unique. The total Subject serial number however is restricted to 64 chars. |
| SubjectAlternativeName | Persons email address, if subscriber decides to include this in the certificate, e.g.: email:mig@mail.dk (Octet String) |
Note that for young persons with age between 15 and 18 years the subject field is characterized by the following details:
Field |
Value/Description |
|---|---|
| Country | DK (Printable String) |
| Organisation | Ingen organisatorisk tilknytning (Printable String) |
| Organisational Unit | Ung mellem 15 og 18 - Kan som udgangspunkt ikke lave juridisk bindende aftaler (Printable String) |
| Common Name | Common Name of user, i.e. Name or Pseudonym followed by (Ung under 18) (PrintableString/T61String/UTF8) |
| SubjectSerialNumber | The PID of the subscriber, e.g. PID:9208-2002-2-123456789012 (Printable String). The last component is the serial number, while the start is CA specific stuff. The serial number is at present time 12 digits. Note that due to an error some OCES certificates exists with a different CA specific part that is 9802-2002-2. The total PID string can be considered unique. The total Subject serial number however is restricted to 64 chars. |
| SubjectAlternativeName | Persons email address, if subscriber decides to include this in the certificate, e.g.: email:mig@mail.dk (Octet String) |
Note that it is the responsibility of the partner implementing an application to ensure that access is resticted to grown ups if required. The restriction can be based on the fields above or the age of the person returned from PID-CPR conversion.
Subject for Employees
The contents of the Subject field are characterized by the following details:
Field |
Value/Description |
|---|---|
| Country | DK (Printable String) |
| Organisation | Organisation name and CVR number (Printable String) eg. TDC A/S // CVR:14773908 |
| Organisation Unit | Optional Organisation Unit Name fields. Note that more than one field can be present. (Printable String) eg. Marketing |
| Common Name | Common Name of user, i.e. Name or Pseudonym (PrintableString/T61String/UTF8) |
| SubjectSerialNumber | The CVR number of the organization followed by the RID of the employee (Printable String) eg. CVR:14773908-RID:1234. The total string can be considered unique. The total Subject serial number is restricted to 64 chars. |
| SubjectAlternativeName | Persons email address, if subscriber decides to include this in the certificate, e.g.: email:mig@mail.dk (Octet String) |
Subject for Organisations
The contents of the Subject field are characterized by the following details:
Field |
Value/Description |
|---|---|
| Country | DK (Printable String) |
| Organisation | Organisation name and CVR number (Printable String) eg. TDC A/S // CVR:14773908 |
| Organisation Unit | Optional Organisation Unit Name fields. Note that more than one field can be present. (Printable String) eg. Marketing |
| Common Name | Common Name consists of organisation, name organisation unit names and optional function description. (PrintableString/T61String/UTF8), eg. TDC A/S - Marketing - Reciept Broker |
| SubjectSerialNumber | The CVR number of the organization and followed by the UID of the certificate holder (Printable String) eg. CVR:14773908-UID:1234. The total string can be considered unique. The total Subject serial number is restricted to 64 chars. |
| SubjectAlternativeName | Subscribers email address, if subscriber decides to include this in the certificate, e.g.: email:mig@mail.dk (Octet String) |
Public Key
The contents of the Public Key field are characterized by the following details:
Field |
Value/Description |
|---|---|
| Public Key | The subscribers public key (Bit String) |
Extensions
The contents of the Extension fields are characterized by the following details. Note that extension can be marked critical. If this is the case this will be specified under the particular extension.
Field |
Value/Description |
|---|---|
| Key Usage | The intended key usage for the given certificate. Different for encryption, verification and combined certificates according to the CP. (Octet String). The extension is critical |
| Private Key Usage Period | The Private Key usage period. Since the CPs does not discuss this extension it is set to 100 %. (Octet string) |
| Certificate Policies | The Certificate Policy extension holds the following parts: 1. OCES OID 2. Reference to www.certifikat.dk/repository where terms can be found 3. A short cook up (200 chars) of the terms (Octet string) |
| CRL Distribution Points | The CRL Distribution Points extension holds different locations for status information of the given certificate. Two different ways are supported: 1) A full CRL over http 2) A partitioned CRL over LDAP Since most client applications support CRL download over http the full CRL is lo-cated at the http link. Example: http://crl.oces.certifikat.dk/oces.crl The LDAP reference to the partitioned CRL is not full, i.e. the hostname is not included. This prevents clients who are expecting a full CRL to trust a partitioned CRL as full. If a partner wants to implement partitioned CRL support they have to be aware of the following details: 1) A new partitioned CRL is issued for every 750 certificates 2) The most secure way to decide which partitioned CRL to use is to look at the CRL Distribution Point. 3) The hostname of the external LDAP is ldap://dir.certifikat.dk Note further that since the partitioned CRL mechanism is far more complicated it is the responsibility of the partner to ensure that the implementation is correct. Example: DirName:/C=DK/O=TDC/CN=TDC OCES CA/CN=CRL3 Note further that the full CRL can be obtained over LDAP from the node /C=DK/O=TDC/CN=TDC OCES CA in the attribute certificateRevocationList The extension is encoded as Octet string. Note that the CRL files obey the following rule of thumb: A general CRL grows with 38 bytes for each revoked certificate (offset 527 bytes) Hence partitioned CRLs have size 0-30000 bytes The location of the CRL servers is dictated by the DNS names crl.oces.certifikat.dk and dir.certifikat.dk This corresponds currently to the following IP-addresses: 62.243.75.201 62.243.75.196 62.243.75.194 The list will expand and the current list will be available here Shift between the IP-addresses is done dynamically and without warning however respecting TTL in the DNS system. This means that an implementation of CRL retrieval should comply with the following: 1. The service should not cache DNS/IP information but perform DNS lookups respecting TTL. 2. If the service is behind a firewall make sure that the firewall does not block any of the destination IP-addresses in the list. |
| Access Information Authority (AIA) | The AIA holds information about how to use Online Certificate Status Protocol (OCSP) instead of CRL to verify certificates. The OCSP responder is located at http://ocsp.certifikat.dk/ocsp/status and is described in further detail at http://erhverv.tdc.dk/artikel.php?dogtag=tdc_e_digi_pl_pi_oc. |
| Authority Key Identifier | The Authority Key ID holds a fingerprint of the Issuing key. For chain building purposes (Octet string). |
| Subject Key Identifier | The Subject Key ID holds a fingerprint of the Subject key. For chain building and internal client administrative purposes (Octet string) |
| Basic Constraints | Basic Constraints hold information about whether or not the certificate is an end user or a CA certificate. For OCES End User Certificates this is done by the value CA:FALSE (Octet String) |
| Entrust Version Info | The Entrust Version Info extension (1.2.840.113533.7.65.0) is used for internal purposes at the different Entrust Clients. |
Signature
The contents of the Signature field is characterized by the following details:
Field |
Value/Description |
|---|---|
| Signature | The CAs signature on the certificate (Bit String) |
References
See the OCES CP, documents from FDS and the relevant RFCs for details.
Example Certificate
Below is given a dump of a real OCES Person Certificate.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1044954854 (0x3e48bee6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DK, O=TDC, CN=TDC OCES CA
Validity
Not Before: Mar 11 07:48:40 2003 GMT
Not After : Mar 11 08:18:40 2005 GMT
Subject: C=DK, O=Ingen organisatorisk tilknytning, CN=Peter Lind Damkjær, SN=PID:9802-2002-2-584707726050
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ce:40:d6:cb:d3:c2:76:cf:4d:97:31:7b:54:7e:
dc:3d:8b:6b:0b:8d:ce:f5:4b:05:06:11:17:28:9a:
50:c7:17:4e:4c:80:0f:bb:1d:ae:8a:e1:80:37:fd:
4d:6d:57:34:01:c0:5e:8a:e8:ea:f8:13:d1:fd:d2:
97:75:44:47:d7:9a:d9:fd:9c:ae:95:2b:29:2a:61:
ac:6c:ef:57:92:45:89:12:45:87:45:8a:ac:5a:28:
10:58:0c:be:8e:3c:26:16:66:e5:03:5e:cc:96:83:
79:49:af:c2:f1:10:1a:37:b7:7c:e6:3f:c2:af:75:
f3:f1:95:4f:01:15:64:4b:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Private Key Usage Period:
Not Before: Mar 11 07:48:40 2003 GMT, Not After: Mar 11 08:18:40 2005 GMT
X509v3 Certificate Policies:
Policy: 1.2.208.169.1.1.1.1.1
CPS: http://www.certifikat.dk/repository
User Notice:
Organization: TDC
Number: 1
Explicit Text: For anvendelse og modtagelse af dette certifikat gælder OCES kundevilkår, CPS og OCES CP, der er tilgængelige fra www.certifikat.dk/repository
X509v3 Subject Alternative Name:
email:peter@lind-damkjaer.dk
X509v3 CRL Distribution Points:
DirName:/C=DK/O=TDC/CN=TDC OCES CA/CN=CRL1
URI:http://crl.oces.certifikat.dk/oces/1044954854.crl
X509v3 Authority Key Identifier:
keyid:60:B5:85:EC:56:64:7E:12:19:27:67:1D:50:15:4B:73:AE:3B:F9:12
X509v3 Subject Key Identifier:
F4:4A:0D:C9:EE:84:CB:43:76:C4:57:47:45:B7:CD:91:8C:42:DC:8C
X509v3 Basic Constraints:
CA:FALSE
1.2.840.113533.7.65.0:
0
..V6.0....
Signature Algorithm: sha1WithRSAEncryption
a2:18:f2:5c:6a:f1:b4:58:c2:74:50:6d:f7:79:8e:65:a5:03:
4f:a1:8b:6f:41:21:ea:a1:df:f0:bc:42:6d:9d:4b:4d:4b:ae:
dc:fe:cc:81:68:0f:ff:79:66:16:10:9d:ff:44:0d:09:1d:a5:
c3:38:5b:90:8c:02:ad:78:c2:fd:4c:4c:58:be:ce:23:82:f8:
69:34:b8:64:0b:d4:1f:88:c7:e1:19:a3:11:75:16:1c:73:53:
58:c9:03:36:1c:ac:5e:44:51:26:48:07:d8:90:62:3d:c2:ef:
4c:f4:d0:ef:71:1a:96:57:af:fc:12:12:f8:ad:03:4a:34:20:
b7:7e:96:d6:8f:bb:4a:05:9b:c3:dc:da:2d:2b:09:47:fc:bb:
12:e3:83:99:96:be:b1:31:5f:44:f4:79:57:64:ef:92:e5:7f:
fd:fd:1a:bb:0f:03:16:9e:db:a3:2b:f6:dc:44:d8:47:42:7d:
37:e0:fd:a3:2d:a0:bc:f3:df:b2:4b:49:ba:95:3c:4e:85:e9:
a1:68:d0:c5:4b:c2:08:94:66:c1:83:19:01:9a:cb:9a:ef:18:
1b:44:42:26:0b:3c:3b:22:7d:9c:b9:f8:9b:da:19:e2:a3:93:
78:75:3e:be:f5:cc:d8:b1:82:9c:95:1a:bd:70:88:3c:25:e6:
c7:61:f0:9a
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIEPki+5jANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJE
SzEMMAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQTAeFw0wMzAzMTEw
NzQ4NDBaFw0wNTAzMTEwODE4NDBaMHoxCzAJBgNVBAYTAkRLMSkwJwYDVQQKEyBJ
bmdlbiBvcmdhbmlzYXRvcmlzayB0aWxrbnl0bmluZzFAMBkGA1UEAxQSUGV0ZXIg
TGluZCBEYW1rauZyMCMGA1UEBRMcUElEOjk4MDItMjAwMi0yLTU4NDcwNzcyNjA1
MDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzkDWy9PCds9NlzF7VH7cPYtr
C43O9UsFBhEXKJpQxxdOTIAPux2uiuGAN/1NbVc0AcBeiujq+BPR/dKXdURH15rZ
/ZyulSspKmGsbO9XkkWJEkWHRYqsWigQWAy+jjwmFmblA17MloN5Sa/C8RAaN7d8
5j/Cr3Xz8ZVPARVkS/MCAwEAAaOCAlkwggJVMA4GA1UdDwEB/wQEAwID+DArBgNV
HRAEJDAigA8yMDAzMDMxMTA3NDg0MFqBDzIwMDUwMzExMDgxODQwWjCB+wYDVR0g
BIHzMIHwMIHtBgoqgVCBKQEBAQEBMIHeMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3
LmNlcnRpZmlrYXQuZGsvcmVwb3NpdG9yeTCBqgYIKwYBBQUHAgIwgZ0wChYDVERD
MAMCAQEagY5Gb3IgYW52ZW5kZWxzZSBvZyBtb2R0YWdlbHNlIGFmIGRldHRlIGNl
cnRpZmlrYXQgZ+ZsZGVyIE9DRVMga3VuZGV2aWxr5XIsIENQUyBvZyBPQ0VTIENQ
LCBkZXIgZXIgdGlsZ+ZuZ2VsaWdlIGZyYSB3d3cuY2VydGlmaWthdC5kay9yZXBv
c2l0b3J5MCEGA1UdEQQaMBiBFnBldGVyQGxpbmQtZGFta2phZXIuZGswgY4GA1Ud
HwSBhjCBgzBIoEagRKRCMEAxCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMxFDAS
BgNVBAMTC1REQyBPQ0VTIENBMQ0wCwYDVQQDEwRDUkwxMDegNaAzhjFodHRwOi8v
Y3JsLm9jZXMuY2VydGlmaWthdC5kay9vY2VzLzEwNDQ5NTQ4NTQuY3JsMB8GA1Ud
IwQYMBaAFGC1hexWZH4SGSdnHVAVS3OuO/kSMB0GA1UdDgQWBBT0Sg3J7oTLQ3bE
V0dFt82RjELcjDAJBgNVHRMEAjAAMBkGCSqGSIb2fQdBAAQMMAobBFY2LjADAgOo
MA0GCSqGSIb3DQEBBQUAA4IBAQCiGPJcavG0WMJ0UG33eY5lpQNPoYtvQSHqod/w
vEJtnUtNS67c/syBaA//eWYWEJ3/RA0JHaXDOFuQjAKteML9TExYvs4jgvhpNLhk
C9QfiMfhGaMRdRYcc1NYyQM2HKxeRFEmSAfYkGI9wu9M9NDvcRqWV6/8EhL4rQNK
NCC3fpbWj7tKBZvD3NotKwlH/LsS44OZlr6xMV9E9HlXZO+S5X/9/Rq7DwMWntuj
K/bcRNhHQn034P2jLaC889+yS0m6lTxOhemhaNDFS8IIlGbBgxkBmsua7xgbREIm
Czw7In2cufib2hnio5N4dT6+9czYsYKclRq9cIg8JebHYfCa
-----END CERTIFICATE-----