X.509 Certificates: A Readable Unabridged Inside View

NOTE: This is a companion text to the paper "Overview of Certification Systems: X.509, CA, PGP and SKIP" and provides a graphic, didactic illustration of the technical matters discussed in the paper regarding X.509 and CA certification systems.

E. Gerck,N. Bohm
Copyright © 1998 by E. Gerck, N. Bohm and MCG, first published in February 15, 1998 by the MCG
All rights reserved, free copying and citation allowed with source and author reference.

1. Problem:

As referenced in the paper Overview of Certification Systems: X.509, PKIX, CA, PGP and SKIP [Ger00], X.509 (and PKIX) Certificates and CA assurances are difficult to read and understand for several reasons. To begin with, X.509 Certificates are encoded in ASN.1/DER, which even experts can't agree on how to implement and code/decode in all cases. Second, X.509 Certificates and CA assurances contain fields which are not very intuitively defined or even coherent with their names, such as the Distinguished Name field, which is neither always distinguished nor necessarily contains the subject's name. Third, the field names have a context which is not clear and which can be specified in a variety of  documents, sometimes in conflict with one another, such as by X.509 itself, by the CA's CPS, by the CA without anyone knowing it or by laws which depend on a particular state and country. Fourth, the user cannot usually find all this information at hand and is thus left groping in the dark as to what the certificate really is, contains or warrants. Fifth, other reasons such as the naming procedures used, the certification chain, etc.

This means that a X.509 Certificate issued by a CA cannot be considered as an easy and objective truth, because it depends not only on intersubjective evaluations but also on hidden rules.

Therefore, how can you rely upon a X.509 Certificate unless, of course, you can read it and understand all of its ins and outs and ifs and whens?

2. Solution:

Since all X.509 Certificates follow  X.509, if we do not try to decode it from a particular ASN.1. implementation but instead provide it in a generic and readable ASCII text, then it is possible to make it human readable and  include general interpretation guidelines or placeholders so that a user may approximately know what certificates are, contain and warrant.

In order to provide a bird's eye view of the companion paper cited above, we have prepared the "Unabridged X.509 Certificate" which contains the full explicit and implicit content of a generic X.509 certificate and thus may  well represent what is meant by any X.509 Certificate that the reader may need to accept or buy for https (SSL) access, for S/MIME e-mail, etc.  The same applies to PKIX certificates, which are derived from the X.509 concept.

For the sake of further understanding and recognizing the subjective nature of this endeavor, we present the "Unabridged X.509 Certificate" from two different viewpoints. The first one is that of a lawyer, the second one is that of a savvy user who would look for all the references. The technical viewpoint has already been presented in the companion paper "Overview of Certification Systems: X.509, PKIX, CA, PGP and SKIP".

The unabridged version provided here is a nearly complete insider view which contains all references and indirect references we could possibly find. When it is not possible to find the reference or exactly specify the wording to be used, such as when a reference depends on the CA's CPS which may be different for each CA and may change at will at any time, a placeholder description is used so the reader is aware that the reference still depends on further information which we do not have (nor the user will have).

3. The Unabridged X.509/PKIX Certificate: How a Lawyer Would Describe a X.509/PKIX Certificate

3. The Unabridged X.509 Certificate: A Savvy User's View

 5. Remarks:

The views presented above are neither exaggerations nor a parody. They correspond to the actual wording of X.509 and the usual CPS conditions for commercial CAs. The companion paper provides comments and references for each point graphically illustrated in the viewpoints above.


[Ger00] E. Gerck, "Overview of Certification Systems: X.509, PKIX, CA, PGP and SKIP", published by the MCG 1997-2000, in http://mcwg.org/mcg-mirror/certover.pdf