Skip to content

Commit ebd9a88

Browse files
author
ietf-corpus-bot
committed
auto-ingest: ietf-elements backfill — 232 new elements (2026-05-24)
1 parent 36dcae3 commit ebd9a88

232 files changed

Lines changed: 2140 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-2459
2+
kind: design-rationale
3+
summary: X.509 v3 extensions replace the rigid RFC 1422 PEM hierarchy (which required a fixed IPRA root, name subordination rules, and a priori knowledge of PCAs) by encoding policy and constraint information directly in certificates. This allows certification paths to start at any trusted CA, name constraints to be explicitly stated or omitted, and policy mappings to replace PCAs, enabling automated chain processing.
4+
section: "3.2"
5+
topics:
6+
- pkix
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: interoperability-note
3+
summary: Legacy implementations embed RFC 822 email addresses in the subject DN as an EmailAddress attribute of type IA5String. New certificates MUST use rfc822Name in subjectAltName for email identities; simultaneous inclusion of EmailAddress in the subject DN is deprecated but permitted for backward compatibility.
4+
section: 4.1.2.6
5+
topics:
6+
- pkix
7+
- email
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-2459
2+
kind: interoperability-note
3+
summary: Legacy implementations may encode ISO 8859-1 (Latin1String) characters but tag them as TeletexString. Implementations processing TeletexString SHOULD be prepared to handle the entire ISO 8859-1 character set. Attribute values encoded in different string types (e.g., PrintableString vs. BMPString) may be treated as representing different strings.
4+
section: 4.1.2.4
5+
topics:
6+
- pkix
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-05-24"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: A certificate-using system MUST reject a certificate if it encounters a critical extension it does not recognize. A non-critical extension may be ignored if it is not recognized.
4+
section: "4.2"
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: All certificates issued after December 31, 2003 MUST use UTF8String encoding for DirectoryString fields in distinguished names. Until that date, CAs must choose PrintableString (if sufficient), then BMPString, then UTF8String.
4+
section: 4.1.2.4
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: Certificate validity dates through the year 2049 MUST be encoded as UTCTime; dates in 2050 or later MUST be encoded as GeneralizedTime.
4+
section: 4.1.2.5
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: 'Conforming CAs MUST support key identifiers, basic constraints, key usage, and certificate policies extensions. Applications MUST recognize all extensions that must or may be marked critical: key usage, certificate policies, subject alternative name, basic constraints, name constraints, policy constraints, and extended key usage.'
4+
section: "4.2"
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: GeneralizedTime values MUST be expressed in GMT (Zulu) and MUST include seconds (format YYYYMMDDHHMMSSZ). GeneralizedTime values MUST NOT include fractional seconds.
4+
section: 4.1.2.5.2
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: If the subject is a CA, the subject field MUST be populated with a non-empty DN matching the issuer field in all certificates it issues. If subject naming is present only in subjectAltName, the subject field MUST be an empty sequence and subjectAltName MUST be critical.
4+
section: 4.1.2.6
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-05-24"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-2459
2+
kind: normative-requirement
3+
summary: The Basic Constraints extension MUST appear as a critical extension in all CA certificates. pathLenConstraint MUST be greater than or equal to zero where present. This extension SHOULD NOT appear in end-entity certificates.
4+
section: 4.2.1.10
5+
rfc2119_level: MUST
6+
topics:
7+
- pkix
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-05-24"

0 commit comments

Comments
 (0)