RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
April 2002
Standards
Summary
This specification, part of the X.509 Public Key Infrastructure (PKI) standards for the Internet, details the format and semantics of certificates and certificate revocation lists (CRLs). It outlines procedures for processing certification paths and includes ASN.1 modules for defined data structures. The document builds on previous standards, specifically IETF PEM and ISO/IEC/ITU-T X.509 specifications.
Key updates from RFC 2459 include:
- A detailed algorithm for certification path validation.
- An algorithm for determining certificate status using CRLs.
- Detailed information on delta CRLs.
- The encoding of public keys and digital signatures is now covered in a separate specification [PKIXALGS].
- Four new extensions: three certificate extensions (subject info access, inhibit any-policy, and freshest CRL) and one CRL extension (freshest CRL, which is also defined for use in CRLs).
The specification aims to improve interoperability with ITU-T X.509 standards and provides clarifications for consistent implementation. It obsoletes RFC 2459 and employs the 1988 ASN.1 notation. Its requirement key words (MUST, SHOULD, MAY, and so on) are used as defined in RFC 2119.