1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
|
<pre>Internet Engineering Task Force (IETF) S. Santesson
Request for Comments: 6170 3xA Security
Updates: <a href="./rfc3709">3709</a> R. Housley
Category: Standards Track Vigil Security
ISSN: 2070-1721 S. Bajaj
Symantec Corp.
L. Rosenthol
Adobe
May 2011
<span class="h1">Internet X.509 Public Key Infrastructure -- Certificate Image</span>
Abstract
This document specifies a method to bind a visual representation of a
certificate in the form of a certificate image to a public key
certificate as defined in <a href="./rfc5280">RFC 5280</a>, by defining a new "otherLogos"
image type according to <a href="./rfc3709">RFC 3709</a>.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6170">http://www.rfc-editor.org/info/rfc6170</a>.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Santesson, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Terminology ................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Certificate Image ...............................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. LogotypeImageInfo ...............................................<a href="#page-4">4</a>
<a href="#section-4">4</a>. Embedded Images .................................................<a href="#page-5">5</a>
<a href="#section-5">5</a>. Certificate Image Formats .......................................<a href="#page-6">6</a>
<a href="#section-5.1">5.1</a>. PDF ........................................................<a href="#page-6">6</a>
<a href="#section-5.2">5.2</a>. SVG ........................................................<a href="#page-6">6</a>
<a href="#section-5.3">5.3</a>. PNG ........................................................<a href="#page-7">7</a>
<a href="#section-6">6</a>. Security Considerations .........................................<a href="#page-7">7</a>
<a href="#section-7">7</a>. Acknowledgements ................................................<a href="#page-8">8</a>
<a href="#section-8">8</a>. References ......................................................<a href="#page-9">9</a>
<a href="#section-8.1">8.1</a>. Normative References .......................................<a href="#page-9">9</a>
<a href="#section-8.2">8.2</a>. Informative References .....................................<a href="#page-9">9</a>
<a href="#appendix-A">Appendix A</a>. ASN.1 Module .........................................<a href="#page-10">10</a>
<a href="#appendix-B">Appendix B</a>. Example ..............................................<a href="#page-11">11</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This standard specifies how to bind a certificate image to a
certificate (defined in [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>]), providing a visual representation
of that certificate using the Logotype extension defined in [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>]
and specifying the certificate image as a new "otherLogos" type.
The purpose of the certificate image is to aid human interpretation
of a certificate by providing meaningful visual information to the
user interface (UI).
Typical situations when a human needs to examine the visual
representation of a certificate are:
- A person establishes a secured channel with an authenticated
service. The person needs to determine the identity of the
service based on the authenticated credentials.
- A person validates the signature on critical information, such as
signed executable code, and needs to determine the identity of the
signer based on the signer's certificate.
- A person is required to select an appropriate certificate to be
used when authenticating to a service or Identity Management
infrastructure. The person needs to see the available
certificates in order to distinguish between them in the selection
process.
<span class="grey">Santesson, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
The display of certificate information to humans is challenging due
to lack of well-defined semantics for critical identity attributes.
Unless the application has out-of-band knowledge about a particular
certificate, the application will not know the exact nature of the
data stored in common identification attributes such as serialNumber,
organizationName, country, etc. Consequently, the application can
display the actual data, but faces the problem of labeling that data
in the UI and informing the human about the exact nature (semantics)
of that data. It is also challenging for the application to
determine which identification attributes are important to display
and how to organize them in a logical order.
<a href="./rfc3709">RFC 3709</a> [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>] defines a certificate extension for binding images
to a certificate, such as a community logo and issuer logo, enhancing
the display of certificate information. The syntax is extensible and
allows inclusion of new image types using the otherLogos structure.
This standard defines how to include a complete certificate image
using the extensibility mechanism of <a href="./rfc3709">RFC 3709</a>.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Certificate Image</span>
This section defines the certificate image as a new otherLogos type
according to <a href="./rfc3709#section-4.1">Section 4.1 of [RFC3709]</a>.
The certificate image otherLogos type is identified by the Object
Identifier (OID) id-logo-certimage.
id-pkix OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) }
id-logo OBJECT IDENTIFIER ::= { id-pkix 20 }
id-logo-certimage OBJECT IDENTIFIER ::= { id-logo 3 }
When present, the certificate image MUST be a complete visual
representation of the certificate. This means that the display of
this certificate image represents all information about the
certificate that the issuer subjectively defines as relevant to show
to a typical human user within the typical intended use of the
certificate, giving adequate information about at least the following
three aspects of the certificate:
<span class="grey">Santesson, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
- Certificate Context
- Certificate Issuer
- Certificate Subject
Certificate Context information is visual marks and/or textual
information that helps the typical user to understand the typical
usage and/or purpose of the certificate.
It is up to the issuer to decide what information -- in the form of
text, graphical symbols, and elements -- represents a complete visual
representation of the certificate. However, the visual
representation of Certificate Subject and Certificate Issuer
information from the certificate MUST have the same meaning as the
textual representation of that information in the certificate itself.
Applications providing a Graphical User Interface (GUI) to the
certificate user MAY present a certificate image according to this
standard in any given application interface, as the only visual
representation of a certificate.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. LogotypeImageInfo</span>
The optional LogotypeImageInfo structure is defined in [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>] and
is included here for convenience:
LogotypeImageInfo ::= SEQUENCE {
type [0] LogotypeImageType DEFAULT color,
fileSize INTEGER, -- In octets
xSize INTEGER, -- Horizontal size in pixels
ySize INTEGER, -- Vertical size in pixels
resolution LogotypeImageResolution OPTIONAL,
language [4] IA5String OPTIONAL } -- <a href="./rfc3066">RFC 3066</a> Language Tag
NOTE: The referenced <a href="./rfc3066">RFC 3066</a> in the structure above (from <a href="./rfc3709">RFC 3709</a>)
is obsolete and is currently replaced by <a href="./rfc5646">RFC 5646</a> [<a href="./rfc5646" title=""Tags for Identifying Languages"">RFC5646</a>].
The language tag may carry information about the language used
to express any textual elements within the image as well as any
audio information associated with the image.
When the optional LogotypeImageInfo is included with a certificate
image, the parameters shall be used with the following semantics and
restrictions.
xSize and ySize represent the recommended display size for the image.
When a value of 0 (zero) is present, no recommended display size is
specified. When non-zero values are present and these values differ
<span class="grey">Santesson, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
from corresponding size values in the referenced image file, then the
referenced image SHOULD be scaled to fit within the size parameters
of LogotypeImageInfo, while keeping the x and y ratio intact.
The resolution parameter is redundant for all image formats that are
relevant for certificate images and MUST NOT be specified.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Embedded Images</span>
The certificate image otherLogos type defined in this specification
and all logotype types defined in <a href="./rfc3709">RFC 3709</a> [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>] MAY be stored
within the logotype extension using the "data" URL scheme defined in
<a href="./rfc2397">RFC 2397</a> [<a href="./rfc2397" title=""The "">RFC2397</a>] if the logotype image is provided through direct
addressing, i.e., the image is referenced using the LogotypeDetails
structure.
The syntax of Logotype details defined in <a href="./rfc3709">RFC 3709</a> is included here
for convenience:
LogotypeDetails ::= SEQUENCE {
mediaType IA5String, -- MIME media type name and optional
-- parameters (see <a href="#section-5">Section 5</a>)
logotypeHash SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
logotypeURI SEQUENCE SIZE (1..MAX) OF IA5String }
The syntax of the "data" URL scheme defined in <a href="./rfc2397">RFC 2397</a> is included
here for convenience:
dataurl := "data:" [ mediatype ] [ ";base64" ] "," data
mediatype := [ type "/" subtype ] *( ";" parameter )
data := *urlchar
parameter := attribute "=" value
When including the image data in the logotype extension using the
"data" URL scheme, the following conventions apply.
- The value of mediaType in LogotypeDetails MUST be identical to the
media type value in the "data" URL.
- The hash of the image MUST be included in logotypeHash and MUST be
calculated over the same data as it would have been, had the image
been referenced through a link to an external resource.
NOTE: As the "data" URL scheme is processed as a data source rather
than as a URL, the image data is typically not limited by any
URL length limit settings that otherwise apply to URLs in
general.
<span class="grey">Santesson, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
NOTE: Implementations need to be cautious about the size of images
included in a certificate in order to ensure that the size of
the certificate does not prevent the certificate from being
used as intended.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Certificate Image Formats</span>
Implementations of this specification MUST support JPEG and GIF as
defined in <a href="./rfc3709">RFC 3709</a> [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>]. In addition to these mandatory-to-
implement formats, this specification specifies the use of the
Portable Document Format (PDF), Scalable Vector Graphics (SVG), and
Portable Network Graphics (PNG) as image formats.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. PDF</span>
A certificate image MAY be provided in the form of a Portable
Document Format (PDF) document according to [<a href="#ref-ISO32000" title=""Document management -- Portable document format -- Part 1: PDF 1.7"">ISO32000</a>] and following
the conventions defined in this section. When a certificate image is
formatted as a PDF document, it MUST also be formatted according to
the profile PDF/A [<a href="#ref-ISO19005" title=""Document management -- Electronic document file format for long-term preservation -- Part 1: Use of PDF 1.4 (PDF/A-1)"">ISO19005</a>].
When including a PDF document as a certificate image, the following
MIME media type as specified in [<a href="./rfc3778" title=""The application/pdf Media Type"">RFC3778</a>] MUST be used as mediaType
in LogotypeDetails:
application/pdf
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. SVG</span>
A certificate image MAY be provided in the form of a Scalable Vector
Graphics (SVG) image, which MUST follow the SVG Tiny profile [<a href="#ref-SVGT" title=""Scalable Vector Graphics (SVG) Tiny 1.2 Specification"">SVGT</a>]
with the following amendments:
- The SVG image MUST NOT contain any Internationalized Resource
Identifier (IRI) references to information stored outside of the
SVG image of type B, C, or D, according to <a href="#section-14.1.4">Section 14.1.4</a> of SVG
Tiny 1.2 [<a href="#ref-SVGT" title=""Scalable Vector Graphics (SVG) Tiny 1.2 Specification"">SVGT</a>].
- The SVG image MUST NOT contain any 'script' element, according to
<a href="#section-15.2">Section 15.2</a> of SVG Tiny 1.2 [<a href="#ref-SVGT" title=""Scalable Vector Graphics (SVG) Tiny 1.2 Specification"">SVGT</a>].
- The XML structure in the SVG file MUST use <LF> (linefeed 0x0A) as
the end-of-line (EOL) character when calculating a hash over the
SVG image.
The referenced SVG file MAY be provided in GZIP-compressed [<a href="./rfc1952" title=""GZIP file format specification version 4.3"">RFC1952</a>]
form as an SVGZ file. In this case, the extension 'svgz' is used as
an alias for 'svg.gz' [<a href="./rfc1952" title=""GZIP file format specification version 4.3"">RFC1952</a>], i.e., octet streams of type
<span class="grey">Santesson, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
image/svg+xml, subsequently compressed with gzip as specified in
[<a href="#ref-SVGR" title=""Media Type Registration for image/svg+xml"">SVGR</a>]. The hash over the SVGZ file is calculated over the
decompressed SVG content with canonicalized EOL characters (<LF>) as
specified above.
The following MIME media type, defined in <a href="#appendix-M">Appendix M</a> of [<a href="#ref-SVGT" title=""Scalable Vector Graphics (SVG) Tiny 1.2 Specification"">SVGT</a>], MUST
be included as mediaType in LogotypeDetails for all SVG and SVGZ
images:
image/svg+xml
When the SVG image is embedded using the "data" URL scheme as defined
in <a href="#section-4">Section 4</a>, SVG image data MUST be provided in SVGZ (GZIP
compressed) form (i.e., it MUST NOT be provided in uncompressed SVG
form).
Compliant implementations of this specification SHOULD be able to
process SVG images that are formatted according to this section.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. PNG</span>
If a certificate image is provided as a bitmapped image, the PNG
[<a href="#ref-ISO15948" title=""Information technology -- Computer graphics and image processing -- Portable Network Graphics (PNG): Functional specification"">ISO15948</a>] format SHOULD be used.
PNG images are identified by the following mediaType in
LogotypeDetails:
image/png
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
This document is based on and inherits all security considerations
from <a href="./rfc3709">RFC 3709</a> [<a href="./rfc3709" title=""Internet X.509 Public Key Infrastructure: Logotypes in X.509 Certificates"">RFC3709</a>]. In particular, <a href="./rfc3709">RFC 3709</a> discusses several
issues a Certificate Authority (CA) should take into consideration
when evaluating a request to issue a certificate with a certificate
image.
Images incorporated according to <a href="./rfc3709">RFC 3709</a> provide an additional
possibility for a CA with bad intentions or bad security procedures
to include false, conflicting, or malicious information to relying
parties. Such a CA may, for example:
- include information in graphical form that is in conflict with
information in provided text-based attributes or other name forms,
and
- include malicious data that could exploit known security bugs in
common software libraries used to render graphical images.
<span class="grey">Santesson, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
This underlines the necessity for CAs to provide reliable services,
and the relying party's responsibility and need to carefully select
which CAs are trusted to provide public key certificates.
This also underlines the general necessity for relying parties to use
up-to-date software libraries to render or dereference data from
external sources (such as certificates), to minimize risks related to
processing potentially malicious data before the data has been
adequately verified and validated.
Referenced image files are hashed in order to bind the image to the
signature of the certificate. Some image types, such as SVG, allow
part of the image to be collected from an external source by
incorporating a reference to an external image file. If this feature
were used within a certificate image file, the hash of the image file
would only cover the URI reference to the external image file, but
not the referenced image data. Clients SHOULD verify that SVGT
images meet all requirements listed in <a href="#section-5.2">Section 5.2</a> and reject images
that contain references to external data.
CAs issuing certificates with embedded certificate images should be
cautious when accepting graphics from the certificate requestor for
inclusion in the certificate if the hash algorithm used to sign the
certificate is vulnerable to collision attacks. In such a case, the
accepted image may contain data that could help an attacker to obtain
colliding certificates with identical certificate signatures.
Certificates, and hence their certificate images, are commonly public
objects and as such usually will not contain privacy-sensitive
information. However, when a certificate image that is referenced
from a certificate contains privacy-sensitive information,
appropriate security controls should be in place to protect the
privacy of that information. Details of such controls are outside
the scope of this document.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
The authors recognize valuable contributions from members of the PKIX
working group, the CA Browser Forum, and James Manger, for their
review and sample data.
<span class="grey">Santesson, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC1952">RFC1952</a>] Deutsch, P., "GZIP file format specification version
4.3", <a href="./rfc1952">RFC 1952</a>, May 1996.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2397">RFC2397</a>] Masinter, L., "The "data" URL scheme", <a href="./rfc2397">RFC 2397</a>, August
1998.
[<a id="ref-RFC3709">RFC3709</a>] Santesson, S., Housley, R., and T. Freeman, "Internet
X.509 Public Key Infrastructure: Logotypes in X.509
Certificates", <a href="./rfc3709">RFC 3709</a>, February 2004.
[<a id="ref-RFC5280">RFC5280</a>] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", <a href="./rfc5280">RFC 5280</a>, May 2008.
[<a id="ref-RFC5646">RFC5646</a>] Phillips, A., Ed., and M. Davis, Ed., "Tags for
Identifying Languages", <a href="https://www.rfc-editor.org/bcp/bcp47">BCP 47</a>, <a href="./rfc5646">RFC 5646</a>, September 2009.
[<a id="ref-ISO15948">ISO15948</a>] ISO/IEC 15948:2004, "Information technology -- Computer
graphics and image processing -- Portable Network
Graphics (PNG): Functional specification", 2004.
[<a id="ref-ISO19005">ISO19005</a>] ISO 19005-1:2005, "Document management -- Electronic
document file format for long-term preservation -- Part
1: Use of PDF 1.4 (PDF/A-1)", 2005.
[<a id="ref-ISO32000">ISO32000</a>] ISO 32000-1:2008, "Document management -- Portable
document format -- Part 1: PDF 1.7", April 2008.
[<a id="ref-SVGT">SVGT</a>] W3C Recommendation, "Scalable Vector Graphics (SVG) Tiny
1.2 Specification", December 2008.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-RFC3778">RFC3778</a>] Taft, E., Pravetz, J., Zilles, S., and L. Masinter, "The
application/pdf Media Type", <a href="./rfc3778">RFC 3778</a>, May 2004.
[<a id="ref-SVGR">SVGR</a>] "Media Type Registration for image/svg+xml",
<a href="http://dev.w3.org/SVG/profiles/1.1F2/master/mimereg.html">http://dev.w3.org/SVG/profiles/1.1F2/master/mimereg.html</a>.
<span class="grey">Santesson, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. ASN.1 Module</span>
CERT-IMAGE-MODULE { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-logotype-certimage(68) }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL; -- export all items from this module
id-logo-certImage OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-logo(20) 3 }
END
<span class="grey">Santesson, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Example</span>
The following example stores an embedded svgz-encoded SVG image using
the "data" URL scheme.
data:image/svg+xml;base64,H4sICLXutU0AA0NlcnRJbWFnZURlbW8uc3ZnANVa
W2/bOBZ+n19BqBigwdoS7xK9jmeapB0EWHQHzez2WZZoR1tZMiQ5jvvr95CSL7Gl1E
m8C9d9iERSPOd85+O5EB3+9jhL0YMuyiTPLh3iYgfpLMrjJJteOv/661M/cFBZhVkc
pnmmL50sd34b/TIsH6YoiS+da11UySSJwkqj21k41Q6CDbNyUMSTS+e+quYDz1sul+
6SuXkx9YhSysPUo7QPK/rlKqvCx35Wvmu+a/uGYow9EOigh0Qvr/LHSwcjjDjGiGHQ
914n0/sKlMf4Vwctk7i6X7/sGEYdNA5L/WeRT5IUDKmSbLVWNoo2cqNCh1XyoKN8Ns
uz0iqwVW8Qb1fOF0Vqp+PI06me6awqPeISzxn9goYzXYVxWIUWpfWLCMwcGoLpgy83
n8wzGkbR4GtefENmMBznC7DEroKpOBpM8mIWVqPEYGtA+BvoMfS2E5uF1Wqu7R6FLv
NFEelWReNolpiV3l2VpGntMW9nk6RKdf0+9BrFrMbeVuWhtzbHvMR6UlobPyVpBWjX
Bk7six2vH5nCwY6nXCo5xb7YusvFVPqCOGh16fSxSxglmPkScLfvmDDmC4FlDc1wov
8IF2WZhNlVumgEPRliimDD3PhGPyTgUUMC6lKqKAjxaptq1boUJvQFsvi+LOJyxZkP
E/vCwHuAmXmoj1AarnRBatzqkbv7cK5Ls2ORfwM/vsOG5lURZqXxOnDXPKZw5t5jVz
IhFKO0B6D6hARSXDR6Fzqq7H7mQeJAOQiUSPvFIrUHOfuui3zrFI5dYVeAmpcOcOb9
u63vLjae4kYX4yRifYPrTa2SlMigYdO+cEWeGADMLZLH96SH4R9xRYApl6q3Y02f+N
zlRAl+cZSKhB6qSIVa80fsqMnWOqZJpmsXwAPoyNaQ95uNIGasKPwhxGzQzOXzMIIz
BKabmLIil470zfSjWWn+kvpvLQ9g1l3yRIc8gukz0uysEcakcDfy3KMk+l0SOXlOop
ltJL7EPtUlzZfP4tnM70k8xkKCySt92MwfIXPoTe0pnu4dYbp7hJ/kxWySN0ey0o/1
qbiCsxDXJMWWo37QekBcAUFPSGkPCnUJF5wwBacDK5cGlEp4BC2lYoJcrNNGVc7DzI
qxT4CKsPlrAG8mL8whRejiQe9EmImIAoz3sds9NxP4RZEzugqzb7c3Q89u3WQKY9ae
gbsA/AUJB/bJs6pfJt9BHFEuk5DWITzOH5uZSThLUsDjQ5GE6RMsyihMTaQLfA6BIi
AQMAhnHHN1sd61WtUhDVJiuhkrdBXd740+hLB9Vm1HjQe4ywLOBLWOMMiyQAXNB8sm
9Gx2qdGgGkMG6wY8aLfqgH4dfnmrVc+pPrE/Z/QnZOs8C1Okb2/ggwLdxlDC1D6DFP
ZDD98txv8xQf5TEc7Ax6ZyaDf6BC4SylWKCMqtizp80+UMchATal63qHq0M3ZTs83O
b/XO6LYsFzpGVY5+iLxdWvwY+NaKoR/0iJIXL3dBjT2hG+wO+NXm53XStSh1eogfeo
jV35BTOaqh/cmPUe2Mdp91pQp2CjWOO2k7OamhjU1HB3DLGm66n6iajz4bqn2oICmN
FxDR/x2mC5s+rKhlkUA3Ne3P8lgP0qJfjf9uvu+HWXSfFwNoH4uqGUmTadYMtOc7yj
EEd9EUhkwEEOcDSHKQ+yhnSvUYRH8miQo2FK5TCjWZZGWKB8iHPud16wApnCvTOzjI
FAj9TQdCxa+ddOTizaa1xJvD0qMrKx+Ydaj6iwJQG0vaSdYWpTv4HwVRAP3Z6ONjOJ
unEIeKRVmhujpA2+wPmQR9WFQAFhh9bGQzFEXX+WwOnXq8pV35P2Acdn0pGebcMg7O
gQKaEdOKEAkFlk/9HuEKGBVwucc4AjnJ/LBYU09hVwWY1F0HlBUC2lbyIuYF58O8p+
adMwUt9YAoX/IwRtAC9NAdBAyGuEB3VR59u8/TGYx9/Xjz8bPB/Z/F9B0SghBK+4xx
fiwtr0GXECqedQQ9PRVpEAQ+26MidbGSmPm8RwRzcQsT17EPSmoorH3+av4Jcj78O/
vIp/uzMEkHKAE6/F7VHHSj8HddR0Q3ymcGZfRVjwfmOnNn3GuWR+FzhcPmPqiptHca
yacT28T8j3Cs0/LQCwo6J2iYxP4R58AsobjFegusoJhuq7VNS2evRPcqASvQki+gbk
BYwETNPt/1A2pT6UErR1zMzUITZRvF5Lp5basO1fk2U4aBSjkji8quL3cDyW7TpI3u
nxezMcSTNhQJhfpGctKgKN2Amo7/7ShSev4oXicPSYS+6GkCm9a1Qw3VEchCUA+z5H
tTcbQhK6F14YFUp+Yn7WgmzwpZCDf5DDiXT9B7U6RdHAHpdb7IqmLVjqZSLnTW61zj
Q7/G7D3hm9E846uTDZoNMADmLlm7IG2ieXfUtu1US9TeNGUHibE9Nv//2jRJGZfQmK
3v7ykJJOv1IXjBsDCPpmgWppe6sHxR3KVSQKqp+WIqammuJbtqkxZmMHry4oS/9pLh
dCXKq8uR0R+LDEqCKRxqc5VXdvPvIP+ggwR0RkyBfO9iKZvrWGAKVdz31cuocvoO/q
emClFMYEFEH7oI+vpkek4s4bCMBqK+5mHQUlDpE/oylpy+2/6pWXK31PEYagP04epV
1cE50UMy6IQZeQM7+Ol74Z+eHfpHNc7OjffQ/HeV0X8BopoDkGEkAAA=
<span class="grey">Santesson, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6170">RFC 6170</a> Certificate Image May 2011</span>
Authors' Addresses
Stefan Santesson
3xA Security (AAA-sec.com)
Bjornstorp 744
247 98 Genarp
Sweden
EMail: sts@aaa-sec.com
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com
Siddharth Bajaj
Symantec Corp.
350 Ellis Street
Mountain View, CA 94043
USA
EMail: siddharthietf@gmail.com
Leonard Rosenthol
3533 Sunset Way
Huntingdon Valley, PA 19006
USA
EMail: leonardr@adobe.com
Santesson, et al. Standards Track [Page 12]
</pre>
|
