Standard X.509 v3 Certificate Extensions
The PKIX standard recommends that all objects, such as extensions and policy statements, that
are used in certificates be included in the form of an OID. This promotes interoperability between
organizations on a shared network. If certificates will be issued that will be used on shared networks,
register the OID prefixes with the appropriate registration authority.
OIDs are controlled by the International Standards Organization (ISO) registration authority. In some
cases, this authority is delegated by ISO to regional registration authorities. In the United States, the
American National Standards Institute (ANSI) manages this registration.
Using an OID registered to another organization, or failing to register an OID, may carry legal
consequences, depending on the situation. Registration may be subject to fees. For more information,
contact the appropriate registration authority.
To define or assign OIDs for custom objects, you need to know the company's arc, the OID assigned to
the company as a private enterprise. If the company does not have an arc, it needs to obtain one. The
following site has more information on registering and using OIDs:
http://www.alvestrand.no/objectid/
For example, this site contains information on the Netscape-defined OID for an extension named
Netscape Certificate Comment. The OID assigned to this extension is hierarchical and includes
the former Netscape company arc, 2.16.840.1.
http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html
If an OID extension exists in a certificate and is marked critical, the application validating the certificate
must be able to interpret the extension, including any optional qualifiers, or it must reject the certificate.
Since it is unlikely that all applications will be able to interpret a company's custom extensions
embedded in the form of OIDs, the PKIX standard recommends that the extension be always marked
noncritical.
A.3. Standard X.509 v3 Certificate Extensions
This section summarizes the extension types defined as part of the Internet X.509 version 3 standard
and indicates which types are recommended by the PKIX working group.
This section summarizes important information about each extension. For complete details, see
both the X.509 v3 standard, available from the ITU, and Internet X.509 Public Key Infrastructure
- Certificate and CRL Profile (RFC 2459), available at http://www.ietf.org/rfc/rfc2459.txt. The
description of each extension references the RFC and the section number of the standard draft that
discusses the extension; the object identifier (OID) for each extension is also provided.
Each extension in a certificate can be designated as critical or noncritical. A certificate-using system,
such as a web browser, must reject the certificate if it encounters a critical extension it does not
recognize; however, a noncritical extension can be ignored if it is not recognized.
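The two rules above (OIDs are hierarchical under a registered arc, and an unrecognized critical extension must cause rejection) are easy to get wrong in a relying-party implementation. The following is an added example, not code from the Certificate System manual or its product; it uses only the Python standard library. It encodes and decodes dotted OIDs to their DER content octets (X.690 clause 8.19), checks whether an OID falls under the Netscape arc quoted on this page, and applies the RFC 2459 critical-extension rule to a constructed list of (OID, critical) pairs. The OIDs are the ones the page gives; the extension list and the "recognized" set are constructed sample inputs.

```python
"""OID encoding and the critical-extension rule from RFC 2459.

Added example (not the manual's code). Standard library only.
"""

# OIDs quoted on the page
NETSCAPE_ARC = "2.16.840.1.113730"               # former Netscape company arc
NETSCAPE_COMMENT_OID = "2.16.840.1.113730.1.13"  # Netscape Certificate Comment
AIA_OID = "1.3.6.1.5.5.7.1.1"                    # authorityInfoAccess


def oid_to_der(oid: str) -> bytes:
    """Encode a dotted OID into DER content octets (without tag/length).

    The first two arcs are merged into one subidentifier (40*a + b); every
    subidentifier is written base-128, most significant group first, with
    the continuation bit set on all groups except the last.
    """
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        groups = [sid & 0x7F]          # last group: continuation bit clear
        sid >>= 7
        while sid:
            groups.append((sid & 0x7F) | 0x80)
            sid >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def der_to_oid(data: bytes) -> str:
    """Decode DER content octets back into a dotted OID string."""
    if not data or data[-1] & 0x80:
        raise ValueError("truncated OID encoding")
    subids, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # end of this subidentifier
            subids.append(value)
            value = 0
    first = subids[0]
    # Arcs 0 and 1 are limited to 39 children, so any value >= 80 is under arc 2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def under_arc(oid: str, arc: str) -> bool:
    """True if oid equals arc or is a descendant of it in the OID tree.

    Compares arc by arc, so "2.16.840.1.1137301" is not mistaken for a
    child of "2.16.840.1.113730" the way a plain string-prefix test would.
    """
    o, a = oid.split("."), arc.split(".")
    return o[: len(a)] == a


def check_extensions(extensions, recognized):
    """Apply the RFC 2459 rule for a certificate-using system.

    extensions: list of (oid, critical) pairs as found in the certificate.
    recognized: set of OIDs this relying party knows how to interpret.
    Returns (accepted, ignored): accepted is False as soon as a critical
    extension is not recognized; ignored lists noncritical unknown OIDs.
    """
    ignored = []
    for oid, critical in extensions:
        if oid in recognized:
            continue
        if critical:
            return False, ignored
        ignored.append(oid)
    return True, ignored


if __name__ == "__main__":
    print(NETSCAPE_COMMENT_OID, "->", oid_to_der(NETSCAPE_COMMENT_OID).hex())
    print("under Netscape arc:", under_arc(NETSCAPE_COMMENT_OID, NETSCAPE_ARC))
    # Constructed sample: a relying party that only understands AIA.
    known = {AIA_OID}
    print(check_extensions([(AIA_OID, False), (NETSCAPE_COMMENT_OID, False)], known))
    print(check_extensions([(AIA_OID, False), (NETSCAPE_COMMENT_OID, True)], known))
```

The DER output for the Netscape Certificate Comment OID is `60 86 48 01 86 f8 42 01 0d`, which is what the bytes following the `06 09` tag and length look like in a real certificate; the second `check_extensions` call shows the same custom extension turning from "ignored" into "reject" purely because its critical flag was set, which is why the PKIX recommendation on this page is to leave company-specific extensions noncritical.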
A.3.1. authorityInfoAccess
A.3.1.1. OID
1.3.6.1.5.5.7.1.1