Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual page 328

Introduction to Certificate Extensions
The X.509 v1 certificate specification was originally designed to bind public keys to
names in an X.500 directory. As certificates began to be used on the Internet and
extranets, and directory lookups could not always be performed, problem areas
such as the following emerged that were not foreseen in the original specification:
Trust— The X.500 specification establishes trust by means of a strict directory
•
hierarchy. By contrast, Internet and extranet deployments frequently involve
distributed trust models that do not conform to the hierarchical X.500 approach.
• Certificate use—Some organizations may wish to restrict the use of certificates
for policy reasons. For example, some certificates may be restricted to client
authentication only.
• Multiple certificates—It's not uncommon for certificate users to possess
multiple certificates with identical subject names but different key material. In
this case, it's necessary to identify which key and certificate should be used for
what purpose.
• Alternate names—For some purposes, it is useful to have alternative subject
names that are also bound to the public key in the certificate.
• Additional attributes—Some organizations may find it convenient to store
additional information in certificates, for example for situations in which it's
not possible to look up information in a directory.
• Relationship with CA—When certificate chaining involves intermediate CAs,
it is useful to have information about the relationships among CAs embedded
in their certificates.
• CRL checking—Since it's not always possible to check a certificate's revocation
status against a directory or with the original certificate authority, it is useful
for certificates to include information about where to check CRLs.
Eventually, the X.509 v3 specification addressed many of these issues by amending
the certificate format to include additional information within a certificate—the
version 3 format defines a general format for certificate extensions and specifies a
number of standard extensions that can be included the certificate. Thus, the
extensions defined for X.509 v3 certificates enable you to associate additional
attributes with users or public keys and manage the certification hierarchy. The
Internet X.509 Public Key Infrastructure Certificate and CRL Profile (see
http://www.ietf.org/rfc/rfc2459.txt
used in Internet certificates (and standard locations for certificate or CA
information). These extensions are called standard extensions.
328 Netscape Certificate Management System Plug-Ins Guide • March 2002
) recommends a set of extensions to be