scope:

The present document defines a common profile for ITU-T Recommendation X.509 [2] based certificates issued to natural persons. The scope of the present document is to provide a certificate profile, which will allow actual interoperability of certificates issued for the purposes of qualified electronic signatures, peer entity authentication and data authentication.

This profile depends on the Internet standards RFC 5280 [3] and RFC 3739 [4] for generic profiling of ITU-T Recommendation X.509 [2], and depends on the ETSI standard TS 101 862 [5] to define implementation of requirements defined by the Electronic Signature Directive 1999/93/EC [1] Annexes I and II.

The scope of the present document is primary limited to facilitate interoperable processing and display of certificate information in existing deployments of ITU-T Recommendation X.509 [2]. It is thus important to note that this profile deliberately has excluded support for some certificate information content options, which may be perfectly valid in a local context but which are not regarded as relevant or suitable for use in widely deployed applications.

The present document focuses on requirements on certificate content. Requirements on decoding and processing rules are limited to aspects required to process certificate content defined in the present document. Further processing requirements are only specified for cases where it adds information that is necessary for the sake of interoperability. Guidance for implementers is provided for cases in which near term developments are affected.

This certificate profile recognizes the natural need for reasonable variations of implementation which does not negatively affect generic interoperability. This is e.g. valid for different ways to encode a certificate holder's identity.

Certain applications or protocols impose specific requirements on certificate content such as IP-sec, Network logon, S/MIME, IEEE 802.1x [12] EAP. The present document is based on the assumption that these requirements are adequately defined by the respective application or protocol. It is therefore outside the scope of the present document to specify such application or protocol specific certificate content.