Problem description:

I am using OpenSSL for implementing Digital Signatures.

As a part of the requirement I need to identify the Class of a certificate.

As far as I have read, the classes and types of a certificate are vendor specific.

However, I want to know if there is any way of identifying and retrieving such information from an X509 Certificate?

User answer:

Types and Classes are something that various CAs invent mainly for marketing purposes. They have no definition within standards. Consequently you can't extract such information from the certificate.

In general, digital certificates are indeed different - they can be X.509 certificates, IPSec certificates (this seems to be a subset of X.509 certificates with extra requirements), attribute certificates (maybe I forgot something). They have different structure, but in real life you will deal only with X.509 certificates (Attribute Certificates become more widespread, but very slowly, and IPSec certs are almost never seen in the wild).

User answer:

Two important criteria for certificates are:

  • what it is intended for (mail encryption, signing applets, ...)
  • what did the issuing authority check before signing the data

The latter one is typically termed "class". There seems to be some convention that the higher numeric values assume more checking, so class 1 typically verifies that the certificate holder has access to the mail address in the certificate, while a class 3 certificate may require the holder to provide his/her ID card at a given counter, so address data and identity may be relied upon.

User answer:

Classification of Classes

Class 1 - Binds an individual to a valid email address. A Certificate Authority will conduct an email challenge to validate the email address.

Class 2 - Binds an individual to a valid email address plus additional information about the individual that is provided during the application process (Full Name, Company Name, and so forth). A Certificate Authority will use third party databases to verify the individual's identity information.

Class 3 - Binds an individual to the ownership of an email address and individual identity information using third party databases to verify plus identity verification via face-to-face appearance before a local vetting agent.

You may check GlobalSign PersonalSign Certificate - Digital Certificate: https://www.globalsign.com/personalsign/comparison.html

You may identify the type or class of an X.509 certificate by looking at the certificate details of it.

User answer:

As pointed out by others, the class of a digital signature is vendor specific and/or depends on the level of checking performed and their intention. It is definitely not a part of the X.509 certificate structure.

It may also depend on government guidelines.

Here in this document on "Guidelines for Usage of Digital Signatures in e-Governance" by Department of Information Technology, Government of India, 3 types of Classes for Digital signatures are explained on page 11.

The classification has been done on the basis of 2 factors:

1) Assurance Level

2) Applicability

and, it seems to go well with most international practices too.
