X.509 Alternative Public Key and Signature

For people who work in the world of PKI (Public Key Infrastructure) and security protocols, certificates instantly bring RFC 5280 to mind. However, it is interesting to note that RFC 5280 was written in 2008 and is the IETF’s specification of X.509, which is itself a standard maintained by the ITU (International Telecommunication Union). The X.509 standard was updated in 2019.

One of the additions to X.509 made in 2019 is the concept of alternative cryptographic digital signature algorithm extensions. They are defined and discussed in technical detail in section 9.8 of the 2019 update to X.509.

Briefly, the 2019 update introduces 3 new non-critical X.509 certificate extensions:

  • Subject Alternative Public Key Information
  • Alternative Signature Algorithm
  • Alternative Signature Value

The main purpose of these extensions is to allow for 2 algorithms to be used in a certificate chain. The reason this is needed is to help ease the migration to post-quantum cryptography.
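To see what a relying party or audit script would look for, the following added example (not wolfSSL code and not part of the original post) walks a DER-encoded Extensions value, finds the three extensions by their X.509 (2019) object identifiers, and reports any that are marked critical. The sample bytes are constructed placeholders, and treating an alternative signature algorithm without a matching value as a problem is this example's assumption.

```python
# OIDs of the three extensions in X.509 (2019), under id-ce (2.5.29).
ALT_EXTENSIONS = {
    "2.5.29.72": "subjectAltPublicKeyInfo",
    "2.5.29.73": "altSignatureAlgorithm",
    "2.5.29.74": "altSignatureValue",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_alt_extensions(extensions_der):
    """Return ({name: critical}, problems) for a DER Extensions SEQUENCE."""
    _, body, _ = read_tlv(extensions_der, 0)
    found, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, after_oid = read_tlv(ext, 0)
        next_tag, next_val, _ = read_tlv(ext, after_oid)
        name = ALT_EXTENSIONS.get(decode_oid(oid))
        if name:  # critical is an optional BOOLEAN (tag 0x01), DEFAULT FALSE
            found[name] = next_tag == 0x01 and next_val != b"\x00"
    problems = [f"{n} is marked critical" for n, c in found.items() if c]
    if ("altSignatureAlgorithm" in found) != ("altSignatureValue" in found):
        problems.append("altSignature pair incomplete")  # assumed policy
    return found, problems

# Constructed samples; extnValue contents are placeholders, not real keys.
GOOD = bytes.fromhex("302f300c0603551d130101ff04023000" "30090603551d4804020500"
                     "30090603551d4904020500" "30090603551d4a04020500")
BAD = bytes.fromhex("300e300c0603551d490101ff04020500")
```

`GOOD` carries a critical basicConstraints extension plus all three alternative extensions with the critical flag absent; `BAD` carries only a critical altSignatureAlgorithm, so both checks fire.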

Do you think having an optional second alternative digital signature algorithm public key and signature in your certificates would be useful? If so, send a message to facts@wolfSSL.com and let us know your needs and use case for these X.509 extensions!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
