Network Working Group T. Freeman Request for Comments: 5055 Microsoft Corp Category: Standards Track R. Housley Vigil Security A. Malpani Malpani Consulting Services D. Cooper W. Polk NIST December 2007 Server-Based Certificate Validation Protocol (SCVP)
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
The Server-Based Certificate Validation Protocol (SCVP) allows a
client to delegate certification path construction and certification path validation to a server. The path construction or validation
(e.g., making sure that none of the certificates in the path are
revoked) is performed according to a validation policy, which
contains one or more trust anchors. It allows simplification of
client implementations and use of a set of predefined validation
policies.
Table of Contents
1. Introduction (4)
1.1. Terminology (4)
1.2. SCVP Overview (5)
1.3. SCVP Requirements (5)
1.4. Validation Policies (6)
1.5. Validation Algorithm (7)
1.6. Validation Requirements (8)
2. Protocol Overview (9)
3. Validation Request (9)
3.1. cvRequestVersion (12)
3.2. query (12)
3.2.1. queriedCerts (13)
3.2.2. checks (15)
Freeman, et al. Standards Track [Page 1]
3.2.3. wantBack (16)
3.2.4. validationPolicy (19)
3.2.4.1. validationPolRef (20)
3.2.4.1.1. Default Validation Policy (21)
3.2.4.2. validationAlg (22)
3.2.4.2.1. Basic Validation Algorithm (22)
3.2.
4.2.2. Basic Validation
Algorithm Errors (23)
3.2.4.2.3. Name Validation Algorithm (24)
3.2.
4.2.4. Name Validation
Algorithm Errors (25)
3.2.4.3. userPolicySet (26)
3.2.4.4. inhibitPolicyMapping (26)
3.2.4.5. requireExplicitPolicy (27)
3.2.4.6. inhibitAnyPolicy (27)
3.2.4.7. trustAnchors (27)
3.2.4.8. keyUsages (28)
3.2.4.9. extendedKeyUsages (28)
3.2.4.10. specifiedKeyUsages (29)
3.2.5. responseFlags (30)
3.2.5.1. fullRequestInResponse (30)
3.2.5.2. responseValidationPolByRef (30)
3.2.5.3. protectResponse (31)
3.2.5.4. cachedResponse (31)
3.2.6. serverContextInfo (32)
3.2.7. validationTime (32)
3.2.8. intermediateCerts (33)
3.2.9. revInfos (34)
3.2.10. producedAt (35)
3.2.11. queryExtensions (35)
3.2.11.1. extnID (35)
3.2.11.2. critical (35)
3.2.11.3. extnValue (36)
3.3. requestorRef (36)
3.4. requestNonce (36)
3.5. requestorName (37)
3.6. responderName (37)
3.7. requestExtensions (38)
3.7.1. extnID (38)
3.7.2. critical (38)
3.7.3. extnValue (38)
3.8. signatureAlg (38)
3.9. hashAlg (39)
3.10. requestorText (39)
3.11. SCVP Request Authentication (40)
4. Validation Response (40)
4.1. cvResponseVersion (43)
4.2. serverConfigurationID (43)
Freeman, et al. Standards Track [Page 2]
4.4. responseStatus (44)
4.5. respValidationPolicy (46)
4.6. requestRef (47)
4.6.1. requestHash (47)
4.6.2. fullRequest (48)
4.7. requestorRef (48)
4.8. requestorName (48)
4.9. replyObjects (49)
4.9.1. cert (50)
4.9.2. replyStatus (50)
4.9.3. replyValTime (51)
4.9.4. replyChecks (51)
4.9.5. replyWantBacks (53)
4.9.6. validationErrors (56)
4.9.7. nextUpdate (56)
4.9.8. certReplyExtensions (56)
4.10. respNonce (57)
4.11. serverContextInfo (57)
4.12. cvResponseExtensions (58)
4.13. requestorText (58)
4.14. SCVP Response Validation (59)
4.14.1. Simple Key Validation (59)
4.14.2. SCVP Server Certificate Validation (59)
5. Server Policy Request (60)
5.1. vpRequestVersion (60)
5.2. requestNonce (60)
6. Validation Policy Response (61)
6.1. vpResponseVersion (62)
6.2. maxCVRequestVersion (62)
6.3. maxVPRequestVersion (62)
6.4. serverConfigurationID (62)
6.5. thisUpdate (63)
6.6. nextUpdate and requestNonce (63)
6.7. supportedChecks (63)
6.8. supportedWantBacks (64)
6.9. validationPolicies (64)
6.10. validationAlgs (64)
6.11. authPolicies (64)
6.12. responseTypes (64)
6.13. revocationInfoTypes (64)
6.14. defaultPolicyValues (65)
6.15. signatureGeneration (65)
6.16. signatureVerification (65)
6.17. hashAlgorithms (66)
6.18. serverPublicKeys (66)
6.19. clockSkew (66)
7. SCVP Server Relay (67)
Freeman, et al. Standards Track [Page 3]
9. Security Considerations (76)
10.IANA Considerations (78)
11. References (78)
11.1. Normative References (78)
11.2. Informative References (79)
12. Acknowledgments (80)
Appendix A. MIME Media Type Registrations (81)
A.1. application/scvp-cv-request (81)
A.2. application/scvp-cv-response (82)
A.3. application/scvp-vp-request (83)
A.4. application/scvp-vp-response (84)
Appendix B. SCVP over HTTP (85)
B.1. SCVP Request (85)
B.2. SCVP Response (85)
B.3. SCVP Policy Request (86)
B.4. SCVP Policy Response (86)
1. Introduction
Certificate validation is complex. If certificate handling is to be widely deployed in a variety of applications and environments, the
amount of processing an application needs to perform before it can
accept a certificate needs to be reduced. There are a variety of
applications that can make use of public key certificates, but these applications are burdened with the overhead of constructing and
validating the certification paths. SCVP reduces this overhead for
two classes of certificate-using applications.
The first class of applications wants just two things: confirmation
that the public key belongs to the identity named in the certificate and confirmation that the public key can be used for the intended
purpose. Such clients can completely delegate certification path
construction and validation to the SCVP server. This is often
referred to as delegated path validation (DPV).
The second class of applications can perform certification path
validation, but they lack a reliable or efficient method of
constructing a valid certification path. Such clients delegate
certification path construction to the SCVP server, but not
validation of the returned certification path. This is often
referred to as delegated path discovery (DPD).
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [STDWORDS].
Freeman, et al. Standards Track [Page 4]
1.2. SCVP Overview
The primary goals of SCVP are to make it easier to deploy Public Key Infrastructure (PKI)-enabled applications by delegating path
discovery and/or validation processing to a server, and to allow
central administration of validation policies within an organization. SCVP can be used by clients that do much of the certificate
processing themselves but simply want an untrusted server to collect information for them. However, when the client has complete trust in the SCVP server, SCVP can be used to delegate the work of
certification path construction and validation, and SCVP can be used to ensure that policies are consistently enforced throughout an
organization.
Untrusted SCVP servers can provide clients the certification paths.
They can also provide clients the revocation information, such as
Certificate Revocation Lists (CRLs) and Online Certificate Status
Protocol (OCSP) responses, that the clients need to validate the
certification paths constructed by the SCVP server. These services
can be valuable to clients that do not implement the protocols needed to find and download intermediate certificates, CRLs, and OCSP
responses.
Trusted SCVP servers can perform certification path construction and validation for the client. For a client that uses these services,
the client inherently trusts the SCVP server as much as it would its own certification path validation software (if it contained such
software). There are two main reasons that a client may want to
trust such an SCVP server:
1. The client does not want to incur the overhead of including
certification path validation software and running it for each
certificate it receives.
2. The client is in an organization or community that wants to
centralize management of validation policies. These policies
might dictate that particular trust anchors are to be used and the types of policy checking that are to be performed during
certification path validation.
1.3. SCVP Requirements
SCVP meets the mandatory requirements documented in [RQMTS] for DPV
and DPD.
Freeman, et al. Standards Track [Page 5]
Note that RFC 3379 states the following requirement:
The DPD response MUST indicate one of the following status
alternatives:
1) one or more certification paths was found according to the path discovery policy, with all of the requested revocation
information present.
2) one or more certification paths was found according to the path discovery policy, with a subset of the requested revocation
information present.
3) one or more certification paths was found according to the path discovery policy, with none of the requested revocation
information present.
4) no certification path was found according to the path discovery policy.
5) path construction could not be performed due to an error.
DPD responses constructed by SCVP servers do not differentiate
between states 2) and 3). This property was discussed on the PKIX
working group list and determined to be conformant with the intent of [RQMTS].
1.4. Validation Policies
A validation policy (as defined in RFC 3379 [RQMTS]) specifies the
rules and parameters to be used by the SCVP server when validating a certificate. In SCVP, the validation policy to be used by the server either can be fully referenced in the request by the client (and thus no additional parameters are necessary) or can be referenced in the
request by the client with additional parameters.
Policy definitions can be quite long and complex, and some policies
may allow for the setting of a few parameters. The request can
therefore be very simple if an object identifier (OID) is used to
specify both the algorithm to be used and all the associated
parameters of the validation policy. The request can be more complex if the validation policy fixes many of the parameters but allows the client to specify some of them. When the validation policy defines
every parameter necessary, an SCVP request needs only to contain the certificate to be validated, the referenced validation policy, and
any run-time parameters for the request.
Freeman, et al. Standards Track [Page 6]
A server publishes the references of the validation policies it
supports. When these policies have parameters that may be
overridden, the server communicates the default values for these
parameters as well. The client can simplify the request by omitting a parameter from a request if the default value published by the
server for a given validation policy reference is acceptable.
However, if there is a desire to demonstrate to someone else that a
specific validation policy with all its parameters has been used, the client will need to ask the server for the inclusion of the full
validation policy with all the parameters in the response.
The inputs to the basic certification path processing algorithm used by SCVP are defined by [PKIX-1] in Section 6.1.1 and comprise:
Certificate to be validated (by value or by reference);
Validation time;
The initial policy set;
Initial inhibit policy mapping setting;
Initial inhibit anyPolicy setting; and
Initial require explicit policy setting.
The basic certification path processing algorithm also supports
specification of one or more trust anchors (by value or reference) as an input. Where the client demands a certification path originating with a specific Certification Authority (CA), a single trust anchor
is specified. Where the client is willing to accept paths beginning with any of several CAs, a set of trust anchors is specified.
The basic certification path processing algorithm also supports the
following parameters, which are defined in [PKIX-1], Section 4:
The usage of the key contained in the certificate (e.g., key
encipherment, key agreement, signature); and
Other application-specific purposes for which the certified public key may be used.
1.5. Validation Algorithm
The validation algorithm is determined by agreement between the
client and the server and is represented as an OID. The algorithm
defines the checking that will be performed by the server to
determine whether the certificate is valid. A validation algorithm Freeman, et al. Standards Track [Page 7]
is one of the parameters to a validation policy. SCVP defines a
basic validation algorithm that implements the basic path validation algorithm as defined in [PKIX-1], and it permits the client to
request additional information about the certificate to be validated. New validation algorithms can be specified that define additional
checks if needed. These new validation algorithms may specify
additional parameters. The values for these parameters may be
defined by any validation policy that uses the algorithm or may be
included by the client in the request.
Application-specific validation algorithms, in addition to those
defined in this document, can be defined to meet specific
requirements not covered by the basic validation algorithm. The
validation algorithms documented here should serve as a guide for the development of further application-specific validation algorithms.
For example, a new application-specific validation algorithm might
require the presence of a particular name form in the subject
alternative name extension of the certificate.
1.6. Validation Requirements
For a certification path to be considered valid under a particular
validation policy, it MUST be a valid certification path as defined
in [PKIX-1], and all validation policy constraints that apply to the certification path MUST be verified.
Revocation checking is one aspect of certification path validation
defined in [PKIX-1]. However, revocation checking is an optional
feature in [PKIX-1], and revocation information is distributed in
multiple formats. Clients specify in requests whether revocation
checking should be performed and whether revocation information
should be returned in the response.
Servers MUST be capable of indicating the sources of revocation
information that they are capable of processing:
1. full CRLs (or full Authority Revocation Lists);
2. OCSP responses, using [OCSP];
3. delta CRLs; and
4. indirect CRLs.
Freeman, et al. Standards Track [Page 8]
2. Protocol Overview
SCVP uses a simple request-response model. That is, the SCVP client creates a request and sends it to the SCVP server, and then the SCVP server creates a single response and sends it to the client. The
typical use of SCVP is expected to be over HTTP [HTTP], but it can
also be used with email or any other protocol that can transport
digitally signed objects. Appendices A and B provide the details
necessary to use SCVP with HTTP.
SCVP includes two request-response pairs. The primary request-
response pair handles certificate validation. The secondary request- response pair is used to determine the list of validation policies
and default parameters supported by a specific SCVP server.
Section 3 defines the certificate validation request.
Section 4 defines the corresponding certificate validation response. Section 5 defines the validation policies request.
Section 6 defines the corresponding validation policies response.
Appendix A registers MIME types for SCVP requests and responses, and Appendix B describes the use of these MIME types with HTTP.
3. Validation Request
An SCVP client request to the server MUST be a single CVRequest item. When a CVRequest is encapsulated in a MIME body part,
application/scvp-cv-request MUST be used. There are two forms of
SCVP request: unprotected and protected. A protected request is used to authenticate the client to the server or to provide anonymous
client integrity over the request-response pair. The protection is
provided by a digital signature or message authentication code (MAC). In the later case, the MAC key is derived using a key agreement
algorithm, such as Diffie-Hellman. If the client’s public key is
contained in a certificate, then it may be used to authenticate the
client. More commonly, the client’s key agreement public key will be ephemeral, supporting anonymous client integrity.
A server MAY require all requests to be protected, and a server MAY
discard all unprotected requests. Alternatively, a server MAY choose to process unprotected requests.
The unprotected request consists of a CVRequest encapsulated in a
Cryptographic Message Syntax (CMS) ContentInfo [CMS]. An overview of this structure is provided below and is only intended as
Freeman, et al. Standards Track [Page 9]
illustrative. The definitive ASN.1 is found in [CMS]. Many details are not shown, but the way that SCVP makes use of CMS is clearly
illustrated.
ContentInfo {
contentType id-ct-scvp-certValRequest,
-- (1.2.840.113549.1.9.16.1.10)
content CVRequest }
The protected request consists of a CVRequest encapsulated in either a SignedData or AuthenticatedData, which is in turn encapsulated in a ContentInfo. That is, the EncapsulatedContentInfo field of either
SignedData or AuthenticatedData consists of an eContentType field
with a value of id-ct-scvp-certValRequest and an eContent field that contains a Distinguished Encoding Rules (DER)-encoded CVRequest.
SignedData is used when the request is digitally signed.
AuthenticatedData is used with a message authentication code (MAC).
All SCVP clients and servers MUST support SignedData for signed
requests and responses. SCVP clients and servers SHOULD support
AuthenticatedData for MAC-protected requests and responses.
If the client uses SignedData, it MUST have a public key that has
been bound to a subject identity by a certificate that conforms to
the PKIX profile [PKIX-1], and that certificate MUST be suitable for signing the SCVP request. That is:
1. If the key usage extension is present, either the digital
signature or the non-repudiation bit MUST be asserted.
2. If the extended key usage extension is present, it MUST contain either the SCVP client OID (see Section
3.11), the
anyExtendedKeyUsage OID, or another OID acceptable to the SCVP server.
The client MUST put an unambiguous reference to its certificate in
the SignedData that encapsulates the request. The client SHOULD
include its certificate in the request, but MAY omit the certificate to reduce the size of the request. The client MAY include other
certificates in the request to aid the validation of its certificates by the SCVP server. The signerInfos field of SignedData MUST include exactly one SignerInfo. The SignedData MUST NOT include the
unsignedAttrs field.
Freeman, et al. Standards Track [Page 10]
The client MUST put its key agreement public key, or an unambiguous
reference to a certificate that contains its key agreement public
key, in the AuthenticatedData that encapsulates the request. If an
ephemeral key agreement key pair is used, then the ephemeral key
agreement public key is carried in the originatorKey field of
KeyAgreeRecipientInfo, which requires the client to obtain the
server’s key agreement public key before computing the message
authentication code (MAC). An SCVP server’s key agreement key is
included in its validation policy response message (see Section 6).
The recipientInfos field of AuthenticatedData MUST include exactly
one RecipientInfo, which contains information for the SCVP server.
The AuthenticatedData MUST NOT include the unauthAttrs field.
The syntax and semantics for SignedData, AuthenticatedData, and
ContentInfo are defined in [CMS]. The syntax and semantics for
CVRequest are defined below. The CVRequest item contains the client request. The CVRequest contains the cvRequestVersion and query
items; the CVRequest MAY also contain the requestorRef, requestNonce, requestorName, responderName, requestExtensions, signatureAlg, and
hashAlg items.
The CVRequest MUST have the following syntax:
CVRequest ::= SEQUENCE {
cvRequestVersion INTEGER DEFAULT 1,
query Query,
requestorRef [0] GeneralNames OPTIONAL,
requestNonce [1] OCTET STRING OPTIONAL,
requestorName [2] GeneralName OPTIONAL,
responderName [3] GeneralName OPTIONAL,
requestExtensions [4] Extensions OPTIONAL,
signatureAlg [5] AlgorithmIdentifier OPTIONAL,
hashAlg [6] OBJECT IDENTIFIER OPTIONAL,
requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL }
Conforming clients MUST be able to construct requests with
cvRequestVersion and query. Conforming clients MUST DER encode the
CVRequest in both protected and unprotected messages to facilitate
unambiguous hash-based referencing in the corresponding response
message. SCVP clients that insist on creation of a fresh response
(e.g., to protect against a replay attack or ensure information is up to date) MUST support requestNonce. Support for the remaining items is optional in client implementations.
Conforming servers MUST be able to parse CVRequests that contain any or all of the optional items.
Freeman, et al. Standards Track [Page 11]
Each of the items within the CVRequest is described in the following sections.
3.1. cvRequestVersion
The cvRequestVersion item defines the version of the SCVP CVRequest
used in a request. The subsequent response MUST use the same version number. The value of the cvRequestVersion item MUST be one (1) for a client implementing this specification. Future updates to this
specification must specify other values if there are any changes to
syntax or semantics. However, new extensions may be defined without changing the version number.
SCVP clients MUST support asserting this value and SCVP servers MUST be capable of processing this value.
3.2. query
The query item specifies one or more certificates that are the
subject of the request; the certificates can be either public key
certificates [PKIX-1] or attribute certificates [PKIX-AC]. A query
MUST contain a queriedCerts item as well as one checks item, and one validationPolicy item; a query MAY also contain wantBack,
responseFlags, serverContextInfo, validationTime, intermediateCerts, revInfos, producedAt, and queryExtensions items.
A Query MUST have the following syntax:
Query ::= SEQUENCE {
queriedCerts CertReferences,
checks CertChecks,
-- Note: tag [0] not used --
wantBack [1] WantBack OPTIONAL,
validationPolicy ValidationPolicy,
responseFlags ResponseFlags OPTIONAL,
serverContextInfo [2] OCTET STRING OPTIONAL,
validationTime [3] GeneralizedTime OPTIONAL,
intermediateCerts [4] CertBundle OPTIONAL,
revInfos [5] RevocationInfos OPTIONAL,
producedAt [6] GeneralizedTime OPTIONAL,
queryExtensions [7] Extensions OPTIONAL }
The list of certificate references in the queriedCerts item tells the server the certificate(s) for which the client wants information.
The checks item specifies the checking that the client wants
performed. The wantBack item specifies the objects that the client
wants the server to return in the response. The validationPolicy
item specifies the validation policy that the client wants the server Freeman, et al. Standards Track [Page 12]
to employ. The responseFlags item allows the client to request
optional features for the response. The serverContextInfo item tells the server that additional information from a previous request-
response is desired. The validationTime item tells the date and time relative to which the client wants the server to perform the checks. The intermediateCerts and revInfos items provide context for the
client request. The queryExtensions item provides for future
expansion of the query syntax. The syntax and semantics of each of
these items are discussed in the following sections.
Conforming clients MUST be able to construct a Query with a
queriedCerts item that specifies at least one certificate, checks,
and validationPolicy. Conforming SCVP clients MAY support
specification of multiple certificates and MAY support the optional
items in the Query structure.
SCVP clients that support delegated path discovery (DPD) as defined
in [RQMTS] MUST support wantBack and responseFlags. SCVP clients
that insist on creation of a fresh response (e.g., to protect against a replay attack or ensure information is up to date) MUST support
responseFlags.
Conforming servers MUST be able to process a Query that contains any of the optional items, and MUST be able to process a Query that
specifies multiple certificates.
3.2.1. queriedCerts
The queriedCerts item is a SEQUENCE of one or more certificates, each of which is a subject of the request. The specified certificates are either public key certificates or attribute certificates; if more
than one certificate is specified, all must be of the same type.
Each certificate is either directly included, or it is referenced.
When referenced, a hash value of the referenced item is included to
ensure that the SCVP client and the SCVP server both obtain the same certificate when the referenced certificate is fetched. Certificate references use the SCVPCertID type, which is described below. A
single request MAY contain both directly included and referenced
certificates.
CertReferences has the following syntax:
CertReferences ::= CHOICE {
pkcRefs [0] SEQUENCE SIZE (1..MAX) OF PKCReference,
acRefs [1] SEQUENCE SIZE (1..MAX) OF ACReference }
Freeman, et al. Standards Track [Page 13]
PKCReference ::= CHOICE {
cert [0] Certificate,
pkcRef [1] SCVPCertID }
ACReference ::= CHOICE {
attrCert [2] AttributeCertificate,
acRef [3] SCVPCertID }
SCVPCertID ::= SEQUENCE {
certHash OCTET STRING,
issuerSerial SCVPIssuerSerial,
hashAlgorithm AlgorithmIdentifier DEFAULT { algorithm sha-1 } }
The ASN.1 definition of Certificate is imported from [PKIX-1] and the definition of AttributeCertificate is imported from [PKIX-AC].
When creating a SCVPCertID, the certHash is computed over the entire DER-encoded certificate including the signature. The hash algorithm used to compute certHash is specified in hashAlgorithm. The hash
algorithm used to compute certHash SHOULD be one of the hash
algorithms specified in the hashAlgorithms item of the server’s
validation policy response message.
When encoding SCVPIssuerSerial, serialNumber is the serial number
that uniquely identifies the certificate. For public key
certificates, the issuer MUST contain only the issuer name from the
certificate encoded in the directoryName choice of GeneralNames. For attribute certificates, the issuer MUST contain the issuer name field from the attribute certificate.
Conforming clients MUST be able to reference a certificate by direct inclusion. Clients SHOULD be able to specify a certificate using the SCVPCertID. Conforming clients MAY be able to reference multiple
certificates and MAY be able to reference both public key and
attribute certificates.
Conforming SCVP Server implementations MUST be able to process
CertReferences with multiple certificates. Conforming SCVP server
implementations MUST be able to parse CertReferences that contain
either public key or attribute certificates. Conforming SCVP server implementations MUST be able to parse both the cert and pkcRef
choices in PKCReference. Conforming SCVP server implementations that process attribute certificates MUST be able to parse both the
attrCert and acRef choices in ACReference.
Freeman, et al. Standards Track [Page 14]
3.2.2. checks
The checks item describes the checking that the SCVP client wants the SCVP server to perform on the certificate(s) in the queriedCerts
item. The checks item contains a sequence of object identifiers
(OIDs). Each OID tells the SCVP server what checking the client
expects the server to perform. For each check specified in the
request, the SCVP server MUST perform the requested check, or return an error. A server may choose to perform additional checks (e.g., a server that is only asked to build a validated certification path may choose to also perform revocation status checks), although the server cannot indicate in the response that the additional checks have been performed, except in the case of an error response.
The checks item uses the CertChecks type, which has the following
syntax:
CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
For public key certificates, the following checks are defined in this document:
- id-stc-build-pkc-path: Build a prospective certification path to a trust anchor (as defined in Section 6.1 of [PKIX-1]);
- id-stc-build-valid-pkc-path: Build a validated certification path to a trust anchor (revocation checking not required);
- id-stc-build-status-checked-pkc-path: Build a validated
certification path to a trust anchor and perform revocation status checks on the certification path.
Conforming SCVP server implementations that support delegated path
discovery (DPD) as defined in [RQMTS] MUST support the id-stc-build- pkc-path check. Conforming SCVP server implementations that support delegated path validation (DPV) as defined in [RQMTS] MUST support
the id-stc-build-valid-pkc-path and id-stc-build-status-checked-pkc- path checks.
For attribute certificates, the following checks are defined in this document:
- id-stc-build-aa-path: Build a prospective certification path to a trust anchor for the Attribute Certificate (AC) issuer;
- id-stc-build-valid-aa-path: Build a validated certification path
to a trust anchor for the AC issuer;
Freeman, et al. Standards Track [Page 15]
- id-stc-build-status-checked-aa-path: Build a validated
certification path to a trust anchor for the AC issuer and perform revocation status checks on the certification path for the AC
issuer;
- id-stc-status-check-ac-and-build-status-checked-aa-path: Build a
validated certification path to a trust anchor for the AC issuer
and perform revocation status checks on the AC as well as the
certification path for the AC issuer.
Conforming SCVP server implementations MAY support the attribute
certificates checks.
For these purposes, the following OIDs are defined:
id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 } id-stc-build-pkc-path OBJECT IDENTIFIER ::= { id-stc 1 }
id-stc-build-valid-pkc-path OBJECT IDENTIFIER ::= { id-stc 2 }
id-stc-build-status-checked-pkc-path
OBJECT IDENTIFIER ::= { id-stc 3 }
id-stc-build-aa-path OBJECT IDENTIFIER ::= { id-stc 4 }
id-stc-build-valid-aa-path OBJECT IDENTIFIER ::= { id-stc 5 }
id-stc-build-status-checked-aa-path
OBJECT IDENTIFIER ::= { id-stc 6 }
id-stc-status-check-ac-and-build-status-checked-aa-path
OBJECT IDENTIFIER ::= { id-stc 7 }
Other specifications may define additional checks.
Conforming client implementations MUST support assertion of at least one of the standard checks. Conforming clients MAY support assertion of multiple checks. Conforming clients need not support all of the
checks defined in this section.
3.2.3. wantBack
The optional wantBack item describes any information the SCVP client wants from the SCVP server for the certificate(s) in the queriedCerts item in addition to the results of the checks specified in the checks item. If present, the wantBack item MUST contain a sequence of
object identifiers (OIDs). Each OID tells the SCVP server what the
client wants to know about the queriedCerts item. For each type of
information specified in the request, the server MUST return
information regarding its finding (in a successful response). Freeman, et al. Standards Track [Page 16]
For example, a request might include a checks item that only
specifies certification path building and include a wantBack item
that requests the return of the certification path built by the
server. In this case, the response would not include a status for
the validation of the certification path, but it would include a
prospective certification path. A client that wants to perform its
own certification path validation might use a request of this form.
Alternatively, a request might include a checks item that requests
the server to build a certification path and validate it, including
revocation checking, and not include a wantBack item. In this case, the response would include only a status for the validation of the
certification path. A client that completely delegates certification path validation might use a request of this form.
The wantBack item uses the WantBack type, which has the following
syntax:
WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
For public key certificates, the following wantBacks are defined in
this document:
- id-swb-pkc-cert: The certificate that was the subject of the
request;
- id-swb-pkc-best-cert-path: The certification path built for the
certificate including the certificate that was validated;
- id-swb-pkc-revocation-info: Proof of revocation status for each
certificate in the certification path;
- id-swb-pkc-public-key-info: The public key from the certificate
that was the subject of the request;
- id-swb-pkc-all-cert-paths: A set of certification paths for the
certificate that was the subject of the request;
- id-swb-pkc-ee-revocation-info: Proof of revocation status for the end entity certificate in the certification path; and
- id-swb-pkc-CAs-revocation-info: Proof of revocation status for
each CA certificate in the certification path.
Freeman, et al. Standards Track [Page 17]
All conforming SCVP server implementations MUST support the id-swb-
pkc-cert and id-swb-pkc-public-key-info wantBacks. Conforming SCVP
server implementations that support delegated path discovery (DPD) as defined in [RQMTS] MUST support the id-swb-pkc-best-cert-path and id- swb-pkc-revocation-info wantBacks.
SCVP provides two methods for a client to obtain multiple
certification paths for a certificate. The client could use
serverContextInfo to request one path at a time (see Section 3.2.6). After obtaining each path, the client could submit the
serverContextInfo from the previous request to obtain another path
until either the client found a suitable path or the server indicated (by not returning a serverContextInfo) that no more paths were
available. Alternatively, the client could send a single request
with an id-swb-pkc-all-cert-paths wantBack, in which case the server would return all of the available paths in a single response.
The server may, at its discretion, limit the number of paths that it returns in response to the id-swb-pkc-all-cert-paths. When the
request includes an id-swb-pkc-all-cert-paths wantBack, the response SHOULD NOT include a serverContextInfo.
For attribute certificates, the following wantBacks are defined in
this document:
- id-swb-ac-cert: The attribute certificate that was the subject of the request;
- id-swb-aa-cert-path: The certification path built for the AC
issuer certificate;
- id-swb-ac-revocation-info: Proof of revocation status for each
certificate in the AC issuer certification path; and
- id-swb-aa-revocation-info: Proof of revocation status for the
attribute certificate.
Conforming SCVP server implementations MAY support the attribute
certificate wantBacks.
The following wantBack can be used for either public key or attribute certificates:
- id-swb-relayed-responses: Any SCVP responses received by the
server that were used to generate the response to this query.
Conforming SCVP servers MAY support the id-swb-relayed-responses
wantBack.
Freeman, et al. Standards Track [Page 18]
For these purposes, the following OIDs are defined:
id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 } id-swb-pkc-best-cert-path OBJECT IDENTIFIER ::= { id-swb 1 } id-swb-pkc-revocation-info OBJECT IDENTIFIER ::= { id-swb 2 } id-swb-pkc-public-key-info OBJECT IDENTIFIER ::= { id-swb 4 } id-swb-aa-cert-path OBJECT IDENTIFIER ::= { id-swb 5 } id-swb-aa-revocation-info OBJECT IDENTIFIER ::= { id-swb 6 } id-swb-ac-revocation-info OBJECT IDENTIFIER ::= { id-swb 7 } id-swb-relayed-responses OBJECT IDENTIFIER ::= { id-swb 9 } id-swb-pkc-cert OBJECT IDENTIFIER ::= { id-swb 10} id-swb-ac-cert OBJECT IDENTIFIER ::= { id-swb 11} id-swb-pkc-all-cert-paths OBJECT IDENTIFIER ::= { id-swb 12} id-swb-pkc-ee-revocation-info OBJECT IDENTIFIER ::= { id-swb 13} id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14} Other specifications may define additional wantBacks.
Conforming client implementations that support delegated path
validation (DPV) as defined in [RQMTS] SHOULD support assertion of at least one wantBack. Conforming client implementations that support
delegated path discovery (DPD) as defined in [RQMTS] MUST support
assertion of at least one wantBack. Conforming clients MAY support
assertion of multiple wantBacks. Conforming clients need not support all of the wantBacks defined in this section.
3.2.
4. validationPolicy
The validationPolicy item defines the validation policy that the
client wants the SCVP server to use during certificate validation.
If this policy cannot be used for any reason, then the server MUST
return an error response.
A validation policy MUST define default values for all parameters
necessary for processing an SCVP request. For each parameter, a
validation policy may either allow the client to specify a non-
default value or forbid the use of a non-default value. If the
client wishes to use the default values for all of the parameters,
then the client need only supply a reference to the policy in this
item. If the client wishes to use non-default values for one or more parameters, then the client supplies a reference to the policy plus
whatever parameters are necessary to complete the request in this
item. If there are any conflicts between the policy referenced in
the request and any supplied parameter values in the request, then
the server MUST return an error response.
Freeman, et al. Standards Track [Page 19]
ValidationPolicy ::= SEQUENCE {
validationPolRef ValidationPolRef,
validationAlg [0] ValidationAlg OPTIONAL,
userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT
IDENTIFIER OPTIONAL,
inhibitPolicyMapping [2] BOOLEAN OPTIONAL,
requireExplicitPolicy [3] BOOLEAN OPTIONAL,
inhibitAnyPolicy [4] BOOLEAN OPTIONAL,
trustAnchors [5] TrustAnchors OPTIONAL,
keyUsages [6] SEQUENCE OF KeyUsage OPTIONAL,
extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL,
specifiedKeyUsages [8] SEQUENCE OF KeyPurposeId OPTIONAL }
The validationPolRef item is required, but the remaining items are
optional. The optional items are used to provide validation policy
parameters. When the client uses the validation policy’s default
values for all parameters, all of the optional items are absent.
At a minimum, conforming SCVP client implementations MUST support the validationPolRef item. Conforming client implementations MAY support any or all of the optional items in ValidationPolicy.
Conforming SCVP servers MUST support processing of a ValidationPolicy that contains any or all of the optional items.
The validationAlg item specifies the validation algorithm. The
userPolicySet item provides an acceptable set of certificate
policies. The inhibitPolicyMapping item inhibits certificate policy mapping during certification path validation. The
requireExplicitPolicy item requires at least one valid certificate
policy in the certificate policies extension. The inhibitAnyPolicy
item indicates whether the anyPolicy certificate policy OID is
processed or ignored when evaluating certificate policy. The
trustAnchors item indicates the trust anchors that are acceptable to the client. The keyUsages item indicates the technical usage of the public key that is to be confirmed by the server as acceptable. The extendedKeyUsages item indicates the application-specific usage of
the public key that is to be confirmed by the server as acceptable.
The syntax and semantics of each of these items are discussed in the following sections.
3.2.
4.1. validationPolRef
The reference to the validation policy is an OID that the client and server have agreed represents a particular validation policy. Freeman, et al. Standards Track [Page 20]
英国出生证明认证 在英国出生的孩子,在回国办理以下手续时需提供由中国驻英国大使馆签发的英国出生证明认证(也叫英国出生纸认证,英国出生证明公证)文件: 1、在英国出生持旅行证回国的孩子,在国内落户、入学或办理一次性出入境通行证; 2、在英国出生持英国护照中国签证回国的孩子,办理签证延期、寄养或申请中国长期居留权。 英国出生证明认证需经过英国公证员公证、英国外交部认证及中国驻英国大使馆领事认证。 一般情况下,申请人还需提供出生证明认证的翻译件给政府部门,各地各部门对翻译机构的要求不同,有些需要国内指定公证处翻译,有些接受翻译公司翻译的版本,有些部门接受申请人自己翻译的文书,具体要求请与当地政府部门确认。 为什么英国出生证明需要办理领事认证? 英国出生证明系由英国政府签发的文书,中国政府部门无法直接确认国外文书的真实性。英国出生证明必须由中国驻外领事馆认证以承认其法律效力。 中国驻外领事馆通过对文书上官员签字是否属实来确认国外文书的
真实性。领事认证仅对文书上官员签字进行认证,不对具体的文书内容做认证。 英国出生证明认证的办理流程? 第一步,英国出生证明经由当地国际公证律师事务所(Notary Public)公证。 第二步,将公证好的英国出生证明送英国外交部(FCO)公证认证办公室或英国外交部授权机构认证。 第三步,将经外交部认证的英国出生证明送中国驻英使领馆(Chinese Embassy/Consulate)办理领事认证。 英国出生证明认证的处理时间? 一般情况下英国出生证明认证办理时长为15-20个工作日(3周-4周),加急服务时长10-13个工作日,加急服务请先提前预约。 英国出生证明认证所需材料? 我公司为您提供英国出生纸认证服务,办理英国出生证认证所需材料清单如下: 1)公证认证申请表 2)英国出生证明扫描件 3)父母双方护照照片页扫描件
国外研究生证明(精选多篇)),若大,那是不是有工作经验的更好呢?实际上不是的,有的教授反而喜欢没有经验的,呵呵。还是注意gpa, 语言,推荐性这三点吧 ps:开不开无所谓,推荐性不一定非要让你导师写,别的老师,有权威的老师依然可以。 是申请美国的吗? 成绩所占的比例不大,除了语言考托福之外,专业要求考gmat,或者gre,这个看具体学校的要求,再就是实习或者工作经验,这个对于商科的学生来说,还算是比较重要的,尤其是你跨专业,总要说服人家招生的你为什么转专业吧。至于你说的证,国际级别的最好了,作为你优秀素质的体现,国内的考考也可以,体现以下你对商科还是有一定基础的,你是喜欢这个专业才转的。 顺便提一下,研究生还要你本科成绩单,要学校开的原件盖章的,你男朋友在非洲的话,一定要记得这些材料到学校开。。。 如果你告诉了对方你正在读研,那么对方会要求了解你什么时候毕业,会具体跟你商量这些的。如果你国内学业没结束就出国,无论学校是否要求你出退学证明,你都得办退学手续。 签证时,也是需要有退学证明的。 总之,你不能同时在两个学校读同等学位。 每个国家不一样,我知道的是德国及其他德语国家是不行的,德国只接受每年10月起的毕业证书,所以当年毕业的学生最快也只能申请来年4月的春季学年入学,当年秋天入学是不可能的,英美地区我不知道。 第二篇:国外证明 如下的商品是把日立(中国)研究开发有限公司出口到日本的钢板 6*1500*8000,6*1800*5800,6*1350*6000;8*2014*9000,8*1800*6000,8*1500*59 00;12*1800*6000,12*1800*6000,12*2200*10000;在日本检测下料到300mm x 300mm以后再送到中国来。除了长度宽度发生变化外,厚度不变,日立(中 国)研究开发有限公司发出的产品质量证明书内容没有任何变化。特此证明 q235b300*300*6116kgjpy500jpy500300*300*8116kgjpy500jpy500300*300*1211 4kgjpy500jpy500 ss400300*300*6116kgjpy500jpy500300*300*8116kgjpy500jpy500300*300*1211 4kgjpy500jpy500 q345b300*300*6116kgjpy500jpy500300*300*8116kgjpy500jpy500300*300*1211 4kgjpy500jpy500
中驻英大使馆公证认证三步办理详情 中驻英大使馆公证认证三步办理详情。 英国境内出具的文书,个人文书或商业文书,个人结婚证,出生证,无犯罪,委托书,未婚证明,房产委托书,放弃遗产声明,健在证明,学历证明,离婚证明,商业登记证书,合同,声明书,委托书,授权书,任命书,资信证明,存续证明,股权证明等,在中国大陆使用,必须经过英国当地公证律师公证,外交部初次认证,大使馆再次认证之后才能使用。 英国出具的文书在中国澳门香港特区使用,可以直接办理海牙认证apostille,海牙认证与使馆认证不同之处在于海牙认证只有两个步骤,不需要经过中国驻英国海关认证。中国大陆是尚未加入海牙组织的国家之一,不承认海牙认证文件,能有效的在中国内地使用英国文件,必须进行英国大使馆认证。 英国大使馆认证三个步骤详情:
1、英国国际公证律师公证:必须是具备资质的公证员或公证律师,主要是对文件的真实性,规范性,合法性等进行核实,确认无误之后在文书上盖章确认。 2、英国外交部认证:只接收公证之后的文书,也是初次认证,确认文件上英国公证员签字的真伪。 3、中国驻英国使馆认证:经过上两级确认之后的文件,才能送往大使馆办理认证。英国使馆认证通常有申请人所居住地辖区的中国驻英国使馆受理。 中国驻英使馆认证是一份最权威的政府文件,由律师、外务部和中国驻英大使馆一级秘书对相关文件的认证。其主要的用途在于使英国产生的文件在中国合法有效的使用,最常见的就是以英国或BVI、开曼、塞舌尔、萨摩亚等英属公司到中国来投资时,中国的商务及工商部门在受理外商投资时需要对国外公司主体资格做一份使馆认证,证明其其合法、有效性。 来源于https://www.doczj.com/doc/b54142739.html,/html/zlzx/8689.html
英国签证在职证明 Company Document number:WUUT-WUUY-WBBGB-BWYTT-1982GT
英国签证在职证明参考样本(请使用时删除) Certification Visa Officer Consular Section, Embassy, Beijing/Shanghai(请选则使馆) Consulate Company: (公司名称) Add: (公司地址) Tel:( 区号-公司电话) Fax:(区号-公司传真) Dear Sir or Madam: I am (领导人姓名), the (领导人职务) in this company. I certify that (Ms.申请人姓名),who was born on (1999/09/19申请人出生日期), is working as (申请人职务) in our units. (His/Her) monthly salary is about (申请人月收入) RMB, and she/he has been working in our units since (申请人开始工作时 间).(she/he) has been allowed for a leave to visitAustralia from (2007/07/17)出行日期) to (2007/07/17)回程日期). We will keep (his/her) position during (his/her) visit in Australia. We also guarantee that (he/she) will come back to china and continue to work in our units after (he/she) returns from Australia. Best Regards (领导本人签名) (日期) The registration number as which the units is registered in the business bureau(营业执照注册号). 注: 1.在职证明需打印成英文 2.凡样本中标红的地方,均需相应填写您的相关信息,不要保留标红在完成后的在职证明中 3.()括号中为我们为您更加清晰在职证明的内容而标注的解释,不要保留在完成后的在职证明中 4.请不要将“英国签证在职证明参考样本”字样保留在完成的在职证明中 英国签证在职证明参考样本译文 (请使用时删除) 在职证明 英国驻北京/上海领事馆签证处: 公司名称: 地址: 电话:传真: 尊敬的先生/女士: 我是XXX,在此公司担任XXX职务。我证明XXX(出生日期:XXX)在我公司工作并担任XXX职务,月收入XXXX,自X年X月X日起开始在我公司工作。
外国出生证明翻译 出生医学证明是由医院开具的以证明婴儿的出生时间、地点、性别、重量、出生方式、父母信息等的一份证明材料,其作为一种长期有效的证明文件,可作为婴儿确认国籍、登记户口的重要依据。 在现实生活中,很多国外出生的孩子回国后需要办理落户、上学等事项,按照现行的法律要求,符合相关要求的国外出生的宝宝需要办理国内户籍、入学等事项时需出示出生证明以及父母双方的相关证件; 由于中国没有加入海牙国际公约组织,国外的很多证件都是需要事先经过公证认证之后拿到中国使用才能被认可,出生证明位列其中; 当国外的出生证明需要拿到中国办理相关手续时,国内的使用部门会要求对国外的出生证明做中国驻当地使领馆的认证之后,再交由有相关资质的翻译公司或者机构将外文翻译成中文,才能在国内使用。 所以说,英美加等国的出生证明需要经过驻当地的中国使领馆认证之后,再去找翻译公司翻译成为中文,提交给国内相关部门才会得到承认;直接递交外文原件或者个人翻译的文件是不被认可的。 外国出生医学证明作为重要的涉外证明类文件,是需要有正规资质的翻译公司进行翻译盖章方能得到承认的,个人翻译难免会有作弊之嫌; 正规的出生证明翻译公司 首先,专业的出生医学证明翻译公司有自己独特的管理模式和翻译流程,同时配备有专业性强、翻译服务质量高的翻译人才,公司译员持有国家级别的翻译专业资格证书,在各自翻译的领域不仅有着扎实的学术功底,而且业务经验相当丰富;出生证明等证件类翻译都会经由经验丰富的证件类译员来完成,
再经过后期的排版审校之后进行翻译盖章确认,最终呈现给客户的是精美的译件,能够高效的满足客户的出生证明翻译服务要求。 其次,证件类翻译不同于普通文稿的翻译,受理部门会非常重视出具翻译件的翻译公司的资质问题,国内正规的翻译公司必须具有工商部门颁发的营业执照和企业公章,表明该翻译公司可以合法从事翻译业务,依法提供翻译服务;如果被查出来翻译公司并无相关法律资质的话,出生证明等材料就会被驳回,从而耽误后续事项的办理。 最后出生证明翻译同其他类型的证件翻译一样,必须是要有翻译盖章环节的;翻译盖章就是在译件上加盖翻译公司的公章和翻译行业专业章,来证实这个译件是由正规机构出具的,保证与原件意思相符,可以放心使用;翻译盖章也是翻译公司是否具有翻译资质的重要体现,未经翻译盖章的文件不会得到认可。这也是为什么需要找正规翻译公司的原因之一。 文章来源:译心向善出生证明翻译
Certificate of employment Date: 时间(打印日期即可) To: Consulate-General of 申请国家 This is to certify that the Mr/Ms 姓名is 职位in our company. He/She has been working here since 年月日. He/She is allowed to be off work between 去的日期and 回国日期to have a 旅游写 trip商务请写business trip to 所申请的国家,total 天数days . We guarantee that he/she will abide by the laws in your country and regulations and return to China on time. All of the traveling expenses will be paid by 旅游签证一般为自付费用himself/herself 商务签证通常为公司付款请写my company. We agree and will keep his/her position after he/she comes back to China. Name D.O.B Passport No. Position Monthly Salary 姓名(拼音)出生日期护照号职位RMB 月收入 Your kind approval of this application will be highly appreciated. Your sincerely Manager Position: 准假人英文职称 Manager Signature:准假人姓名拼音(不能为申请人,本人的领导即可无需法人签名) 中文签名负责人手写签名 公司盖章 Company:公司英文名称 Tel:(区号)公司电话 Fax:(区号)公司传真 Address:公司英文地址
新加坡出生证公证认证步骤第三点你必须 知道 新加坡出生证公证认证步骤第三点你必须知道 新加坡,香港,英国等国家在出生公民权问题上实行出生地原则,即凡在其领土上出生的婴儿都自动成为该国公民,享受当地的福利,这就是出生公民权制度。 孩子在新加坡出生,取得新加坡出生证明,要拿到中国办理孩子入学,上户口等事宜,首先必须先办理新加坡出生证公证认证手续,方可在中国有效使用。 新加坡出生证用途: 1、在新加坡出生持旅行证回国的孩子,在国内落户、入学或办理一次性出入境通行证; 2、在新加坡出生持新加坡护照中国签证回国的孩子,办理签证延期、寄养或申请中国长期居留权。一般情况下,申请人还需提供出生证明认证的翻译件给政府部门,各地各部门对翻译机构的要求不同,有些需要国内指定公证处
翻译,有些接受翻译公司翻译的版本,有些部门接受申请人自己翻译的文书,具体要求请与当地政府部门确认。 新加坡出生证公证认证步骤: 1.委托国际公证律师或公证员将国外提供的出生证进行公证; 2.将公证过的出生证送新加坡外交部进行认证; 3.将经过该国外交部门认证的出生证送中国驻新加坡使领馆进行认证 由于各国之间所出具的文书是存在差异的,新加坡的出生证在中国使用,中国政府是无法辨识该文件的真实性的,因而就需要通过办理公证认证手续之后就能协助中国政府辨识该文件的真伪,新加坡的出生证在中国使用也就存在了对应的法律效力了。 新加坡出生证公证认证所需材料:
出生证及父母一方护照复印件 一般出生证公证是需要10到15个工作日左右的,而认证就比较快啦一般的7个工作日左右。但是这些公证和认证的时间还需要根据你当地的公证、认证处的相关政策不同时间也有点不同的。 来源于https://www.doczj.com/doc/b54142739.html,/html/zlzx/8972.html
2018年美国宝宝出生证明公证指南2018年美国宝宝出生证明公证认证指南。 美国出生的孩子,在国内涉及到落户、入学、办理签证延期或长期居留的情况,国内相关机构会要求对美国出生证明办理公证认证,包括县书记官认证、美国州务卿认证以及中国驻美使领馆领事认证三个步骤。 如何为宝宝申请美国出生证明? 宝宝在美国出生后,医院会有专门的医护人员指导您填写孩子美国出证明的申请表格并准备相关材料。 正常办理宝宝出生证明的时间大概是1-2个月,很多妈妈自己在美国待产,生产后急切的希望回国,那么一定要在填写美国出生证明申请表的时候选择加急办理,加急办理处理时间各个州不同,大概在5个工作日左右,一般会要求申请人提供1-2周内离开的机票。 一般情况下来讲可以多申请几份美国出生证明原件,
因为您办理护照、旅行证以及出生证明认证的时候都会用到,建议您申请至少三份,出生证明一般是以邮寄的方式发送至您的家庭住址。 为什么要办理美国出生证明认证? 很多妈妈以为拿到美国出生证明就可以在国内使用了,其实在中国为宝宝办理落户、寄养、入学、签证延期、长期居留证明时,国内机构会要求孩子的美国出生纸必须经过中国驻美大使馆或领馆的三级认证。三级认证是指美国出生证明需经过县书记官认证、美国州务卿认证以及中国驻美使领馆领事认证三个步骤,经驻外使领馆认证的出生证明才是可以拿到中国使用的有效出生证明。 美国出生证明认证的处理时间? 一般情况下美国出生证明办理时长为15个工作日,加急服务时长10-12个工作日。 美国出生纸认证所需材料?
所需材料清单如下: 1、儿童出生证明 2、儿童护照复印件 3、父母双方护照复印件 美国出生纸三级认证的步骤? 以下步骤需逐级办理,不能同时办理。您可以选择自己办理或者委托第三方机构代办。 1、首先由当地公证员(Notary Public)办理公证; 2、当地县书记员办公室(Office of County Clerk)认证。 3、所在州州务卿认证(Secretary of the State)。 4、在中国驻美大使馆或领事馆申办领事认证。 来源于https://www.doczj.com/doc/b54142739.html,/html/gzrzxgzl/6026.html
“访问学者”类型签证(VISA ACADEMIC VISITOR) (1)谁应该申请“访问学者”类型签证? 按照英国相关政策规定,凡是以独立开展个人所从事的专业学术领域中的某个或某些研究课题为目的的公派访问学者,方可申请“访问学者”类别签证。申请“访问学者”类别签证的公派学者、研究人员、教师必须满足如下要求: ①单位准假并同意保留其工作职位 ②不得从英国邀请方收取报酬 ③不准从事规定的学术活动以外的任何工作 ④不准填补英方的工作职位 ⑤在英国停留不得超过一年 ⑥在访问结束后必须离开英国 ⑦有足够的资金支付在英国及离开英国所需的费用 (2)需向英国签证中心提交的材料: ①经过本人签名的有效护照原件及其首页和末页的复印件各一份。 ②照片:近期白色背景彩色照片(照片尺寸要求横35mm,竖45mm)三张。 ③邀请信:邀请信原件和复印件各一份。(请留学人员同时自备一份复印件,已备出国后使用)邀请信主要内容包括:邀请人姓名、单位、地址、电话号码;被邀请人姓名、单位、预定访问日期、停留期限、访问目的、经费来源以及Bench Fee的明确数额,如英方不需要Bench Fee也请在信中注明。 ④提供单位回聘证明信原件一份及复印件两份。如果是尚未工作的学生,请提供就读院校证明原件一份及复印件两份。 ⑤资金担保证明原件一份及复印件一份。国家全额资助留学人员申办签证的担保证明由中国留学服务中心统一提供。 ⑥照会:由中国留学服务中心统一提供。 ⑦英国签证申请表格,请登陆以下网址自行填写:https://https://www.doczj.com/doc/b54142739.html,/ 有关英国签证申请中心的相关信息,请查询https://www.doczj.com/doc/b54142739.html,/smplchinese/vfsglobalintroduction.html 特别提示: 8月22日英国驻华使馆告知:申请访问学者类签证必须同时满足下列条件:
上海国外出生证明翻译 为国外出生的宝宝上户口是很多妈妈非常关心的问题。在上海等一线城市尤为众多; 根据有关政策的规定,符合条件的国/境外出生的宝宝回国后百分百是可以上国内户口的。当然了,每个地方的政策都不太一样,但大同小异。当然计划外的、不符合要求的要罚款,妈妈们要权衡利弊,多多关注官方政策,想好计划外的宝宝是否真的有上户口的必要。 无论是哪个省市,给国外出生的宝宝上本地户口都需要提供宝宝的医学出生证明。 什么是出生证明呢? 出生证明是由医院官方出具的,能够证明婴儿出生时间、性别、出生地、生父母等具体情况,极具证明力的一项书面材料,出生证明在国外是获得国籍的证明性材料,在国内则是为婴儿登记户口的必不可少的依据。 为什么需要出生证明翻译件? 除了出生证明原件,大部分省市比如上海还需要将出生证明翻译为中文,并且在原文复印件和译文原件上加盖骑缝的翻译专用章,然后由翻译人员亲笔签名,同时附上该翻译公司的营业执照,表明译稿由正规专业的翻译公司翻译。
个人翻译出生证明是无效的,公安机关不予认可。 在有些国家国籍的认定采用的是出生地原则,而出生证明是出生地的最有力证明,因此需要出生证明翻译,尤其是父母一方或双方都是外籍的时候。 那么,出生证明翻译件都有哪些要求呢? 出生证明也叫《出生医学证明》,是由医院出具的具有一定证明力的书面材料,终身有效,婴儿登记户口必须用到出生证明。婴儿出生证明主要是医院针对新生儿的详细情况进行记录。 出生证明翻译在国外出生孩子上国内户口或者是移民国外才会用到,译稿要求翻译语言精确,译文的专业术语要达到法律级别上的专业水准,保证译稿的准确性和有效性。 出生证明翻译需要注意的是:文件翻译完成后,无需公证,但必须加盖翻译专用章,标明译稿是由正规专业的翻译机构翻译的,作为对出生证明翻译内容一致的权威认定。 正规的出生证明翻译公司 正规翻译公司以及涉外政府机关都会刻有翻译专用章,涉外政府机关一般不对外,只有办理涉外政府业务时才会使用; 从事翻译服务的正规翻译公司的认证章使用范围就比较广了,两者的法律效力没有太大分别;但是有些时候,受函方的认可远比法律规定重要。处于各个方面的考量,很多机构都会从正规翻译机构里面精选出一家翻译公司或多家翻译公司长期合作,于是就有了指定/定点翻译机构的说法。出生证明由个人翻译是无效的,译稿翻译完后,必须加盖翻译公司的翻译专用章方视为有效。
Visitor: supporting documents guide访问者: 支持材料指南 This guidance explains the documents you may need to provide in support of your application to visit the UK. 该指南向您说明支持赴英签证申请可能需要提交的材料。 All documents must be originals and not photocopies. Submission of these documents does not guarantee that your application will be successful and you should bear this in mind when making any bookings. 所有的材料必须为原件而不是复印件。提交这些材料并不能确保成功获得签证。预定机票酒店时请记住这一点。 If you submit a document that is not in English or Welsh, it must be accompanied by a full translation that can be independently verified by the Home Office. Each translated document must contain: 如果您提交非英文或威尔士文材料,则必须提供可以由内政部独立核查的翻译件。每份翻译件必须包含: ?confirmation from the translator that it is an accurate translation of the original document 译者确认是对原始文件的正确翻译 ?the date of the translation 翻译日期 ?the translator's full name and signature 译者的全名和签名 ?the translator's contact details 译者的联络方式 ? Structure of this guidance 指南目录 Section 1 documents you must provide with all visit applications 第一部分所有访问类申请都必须提交的材料 Section 2 suggested documents that you might want to provide in order to demonstrate that you meet the requirements of Appendix V: Immigration Rules for Visitors. 第二部分为证明您符合附录V:适用于访问者的移民法规相关规定而建议提交的材料 Section 3 additional documents for specific types of visitor: 第三部分适用于特定类别访问者的额外材料 academics coming to undertake research (12 month visa) 从事研究的学者(12个月的签证)
2020年比赛奖状打印实用模板全(课件) 班: 在“我与安全手拉手"安全知识竞赛中荣获 优秀组织奖 特此鼓励 土右旗第一幼儿园2017.12.21田瑶小朋友: 被评为2016—2017年度土右旗第一幼儿园 文明幼儿 特此鼓励 土右旗第一幼儿园 2017.6.1 1 / 1...... 感谢聆听 ......
赵宏睿妈妈: 被评为2016—2017年度土右旗第一幼儿园 文明家长 特此鼓励 土右旗第一幼儿园2017.6.1老师: 被评为2016-2017年度土右旗第一幼儿园 文明教师 特此鼓励 土右旗第一幼儿园 2017.6.1小朋友: 在《届小主持人大赛》中荣获 1 / 1...... 感谢聆听 ......
三等奖 特此鼓励 土右旗第一幼儿园 2018.4。26班级: 在《童话剧展演活动》中荣获 三等奖 特此鼓励 土右旗第一幼儿园2018.4.12小朋友: 被评为本周礼仪小明星 特此鼓励 土右旗第一幼儿园 1 / 1...... 感谢聆听 ......
2018.4.23 刘雅静老师: 被评为2014-2015年度土右旗幼儿园 优秀保育员 特此鼓励 土右旗幼儿园2014。12.31刘雅静老师: 被评为2014—2015年度土右旗幼儿园 优秀保育员 特此鼓励 土右旗幼儿园 2014.12。31大五班: 1 / 1...... 感谢聆听 ......
在“健康快乐动起来”韵律操比赛中荣获 一等奖 特此鼓励 土右旗幼儿园2016.4。29 小朋友: 在亲子创意手工比赛中荣获 优秀奖 特此鼓励 土右旗第一幼儿园2018.4.28 小朋友: 在亲子创意体育器械比赛中荣获 1 / 1...... 感谢聆听 ......
statements that you have made on your visa application form (VAF).您应阅读此信息说明,以帮助您决定何种文件将有助于支持您在签证申请表It is not a list of documents that you must submit. We do not expect you to provide all of the documents listed below, it is for you to decide which documents are most relevant to your application. 这不是您必须要提供的文件的清单。我们不要求您提供下面清单上的所有文件,您需要自己决定哪些文件与您的申请最相关。 The submission of all or any of these documents does not guarantee that your application will be successful. 递交了所有或任何这些文件,不能确保您的申请将会成功。 Information about you 个人信息 These documents are important because they provide information about your personal circumstances in the country in which you are applying. 这些文件很重要,因为它们反映了您在递交申请的国家中您的个人情况。 Information about your finances and employment 您的资金及工作信息
奖状 _____同学: 在本学期期末质量检测中被评为“英语进步学生”。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期期末质量检测中被评为“数学进步学生”。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期期末质量检测中被评为“语文进步学生”。特发此状,以资鼓励。
XX小学 二○年月日 奖状 _____同学: 在本学期被评为扶大中心小学“优秀值日生”特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在班级工作中表现突出,被评为“优秀班干部”。特发此状,以资鼓励。 XX小学 二○年月日
奖状 _____同学: 在本学期“扶大小学之星”系列评选活动中,被评为“之星”。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期表现优秀,德、智、体全面发展,被评为“三好学生”。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期的红领巾广播工作中变现突出,被评为“优秀广播员”。特发此状,以资鼓励。
XX小学 二○年月日 奖状 _____同学: 参加第届校运会比赛,荣获年级组第名。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____小朋友在本学期表现优秀,被评 为好孩子 特发此状,以资鼓励。 XX小学 二○年月日
奖状 _____同学: 在本学期英语科专项竞赛中成绩优秀名列全级前茅。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期数学科专项竞赛中成绩优秀,名列全级前茅。特发此状,以资鼓励。 XX小学 二○年月日 奖状 _____同学: 在本学期语文科专项竞赛中成绩优秀,名列全级前茅。特发此状,以资鼓励。 XX小学 二○年月日
新西兰出生证明认证 在新西兰出生的孩子,在回国办理以下手续时需提供由中国驻新西兰大使馆签发的新西兰出生证明认证(也叫新西兰出生纸认证,新西兰出生证明公证)文件: 1、在新西兰出生持旅行证回国的孩子,在国内落户、入学或办理一次性出入境通行证; 2、在新西兰出生持新西兰护照中国签证回国的孩子,办理签证延期、寄养或申请中国长期居留权。 一般情况下,申请人还需提供出生证明认证的翻译件给政府部门,各地各部门对翻译机构的要求不同,有些需要国内指定公证处翻译,有些接受翻译公司翻译的版本,有些部门接受申请人自己翻译的文书,具体要求请与当地政府部门确认。 如何为宝宝申请新西兰出生证明 新西兰负责办理新生儿出生证明的部门属于新西兰内政部(Department of Internal Affair),具体到负责出生、死亡和婚姻公证的机构被称为BDM – Birth, Death & Marriage。
新西兰出生证明(Birth Certificate) 为什么新西兰出生证明需要办理领事认证? 在中国为宝宝办理落户、寄养、入学、签证延期、长期居留证明时,国内机构会要求提供孩子的新西兰出生证明认证文件。新西兰出生证明系由新西兰政府签发的文书,中国政府部门无法直接确认国外文书的真实性。新西兰出生证明必须由中国驻外领事馆认证以承认其法律效力。 新西兰出生证明认证所需材料?
1)公证认证申请表 2)新西兰出生证明原件 3)父母双方护照照片页扫描件及在新西兰居留身份证明扫描件 新西兰出生证明认证的处理时间? 一般情况下新西兰出生证明认证办理时长为20个工作日,包含邮寄时间。 新西兰出生证明认证的办理流程? 第一步,新西兰出生证明经新西兰内政部(Department of Internal Affairs)认证。 第二步,将内政部认证后的新西兰出生证明提交到新西兰外交贸易部(Ministry of Foreign Affairs and Trade)办理认证。 第三步,将经外交部认证的新西兰出生证明送中国驻新西兰使领馆(Chinese Embassy/Consulate)办理领事认证。
英国面签时签证官所提问题大全 **出国的原因及目的** 1.去英国做什么? What will you do in UK? 2.为什么选择英国? Why do you select UK? 3.在选择英国之前是否考虑过其它国家?或是否和其它国家进行过比较? Before you select UK, did you consider other country? Or if you have a comparison with other country? 4.你认为英国与其它国家相比有什么优势吗?或和其它国家比较过什么? Do you think what’s the advantage of UK comparing with other country? What do you compare UK with other countries? 5.你是什么时候开始有出国打算的? When do you plan to go abroad? 6.你是什么时候决定去英国的? When did you decide to go to UK? 7.难道有什么重大的变故使你产生出国的念头吗? Is there any important accident that make you have the idea of going abroad? 8.你为什么要出国读书? Why do you study abroad? 9.你对英国了解吗? Do you know UK? 10.你在英国有亲属或朋友吗? Do you have relatives and/or friends? 11.有人向你介绍过英国吗? Is there anyone who tell you something about UK to you? 12.你听说过什么人去英国留学吗? Do you hear of someone who study at UK? 13.你准备什么时候到达英国? When will you arrive in UK? Why will you arrive in UK in August? **学校情况及学习计划** 1.你怎么知道的这所学校? How do know the university?
英国签证申请表的翻译 注意事项(略) 您希望您的签证有效期多久?您去英国的主要目的是什么?您在英国呆多久? 您到达英国的日期年月日您离开英国的日期年月日 1.1名 1.2姓 1.3其他名字(包括您用过的其他任何名字) 1.4性别 1.5婚姻状况(单身、离异、已婚、分居、离异、丧偶、其它) 1.6出生日期年月日 1.7出生地 1.8出生国家 1.9民族 1.10 2.1 现在的护照号或旅行证件号 2.2 签发地 2.3 签发机构 2.4 签发日期 2.5 失效日期 2.6 这是您第一本护照吗 如果是填写第三部分(part 3) 3 您的具体联系方式 您的具体家庭住址及邮编您在该地址居住了多久了家庭电话(固定电话)您的手机号码邮箱地址 如果有与3.1所述不一致的地方,请在此填写具体联系方式 4 关于您的家庭父亲的名字父亲的姓氏 父亲出生日期(日月年)父亲的出生国家及地方父亲的国籍母亲的名字母亲的姓氏母亲的出生日期 2014年中考冲刺综合复习指导北京地区试题广东地区试题江苏地区试题 母亲的国籍 母亲的出生国家及地方 配偶的全名(如果单身,直接跳至4.16)配偶的国籍 配偶的出生日期 现在您的配偶与您一起居住在您在3.1中给出的地址吗(如果是,请填写您配偶体的居住地址)您的配偶将和您一起出国吗 您有孩子吗(如果没有,直接跳至4.20) 请提供您现在处于受您抚养阶段的子女的具体信息(名字,出生日期) 现在您所有的孩子都和您一同居住在您在3.1所提供的地址吗(如果不是,请提供您的子女的具体居住地址) 如果您的孩子随您一起去英国,请列出他们的名字 还有其他孩子同您一起出国吗(如果是,请跳至4.21;如果不是,请跳至第五部分part 5) 如果是,请提供此养子/女的具体信息(全名,出生日期,护照号,地址,出生地,国籍,你与此人 的关系,你与此人家长的关系) (注意:如果儿童不与其父母同行,须出具该儿童父母书面通知书或法定监护书,表明他们同意此儿童出国。) 5经济状况及职业受抚养阶段的儿童应归入其父名明细下 5.1 目前你个人的情况是(在相应的框内画×)先下后右 全职,请跳至5.2 兼职,请跳至5.2
出生证明验证 出生证明验证 第一篇: 出生证明验证 出生证明验证 出生证明验证 各国出生证明认证 由于国外优越的居注工作、教育、医疗及社会福利等方面的优势,越来越多的中国妈妈选择去美国、英国、香港、澳大利亚、加拿大等发达国家生孩子,使孩子一出生就拿到所在国的国籍,为孩子今后的成长发展奠定良好的基矗孩子出生之后,取得国外当地的出生证明。当国外的出生证明拿到中国去办理相关后续时,国内的使用部门会要求对国外的出生证明做中国驻当地使馆的认证之后,才能在中国使用。 因此,国外出生证明在拿到中国使用之前,要对其进行中国驻出生证明发出国的使馆认证,其流程如下: 1、由律师从当地相关政府部门申请出生证的核证副本; 2、经核证的出生证送交该国外交部或其授权机构进行认证; 3、中国驻当地使馆认证。 经过以上三步,国外的出生证才能拿到中国有效使用。 中国没有加入海牙公约组织,因此必须经过公证认证的文件拿到中国使用才能被认可,
香港美国,英国,加拿大,新西兰,澳大利亚等结婚证,出生证明拿到中国使用的公证认证。 香港出生证明和结婚证的认证程序如下: 香港地区出生证明书的公证认证 1、委托香港的中国司-法-部指定的中国委托公证律师做公证; 2、委托香港律师到中国法律服务有限公司加盖转递章; 3、将该份文件寄回内地使用。 香港地区结婚证书的公证认证 1、委托香港的中国司-法-部指定的中国委托公证律师做公证; 2、委托香港律师到中国法律服务有限公司加盖转递章; 3、将该份文件寄回内地使用。在国内申请户口,等到要去加拿大什么的时候再申请加拿大护照,那时才决定要不要放弃中国公民,如果你现在就要放弃中国公民,拿着加拿大护照,回国就要签证呀什么的,就很麻烦的啦.但如果是是加拿大公民,任何时候想回加拿大都没问题的出生证明 哈尔滨市公证处: 兹证明我单位 于年月日在出生。 生父: 工作单位: 生母: 工作单位: 单位人事部门章: :
加拿大出生证明认证 在加拿大出生的孩子,回国上户口,办理入学手续,在国内寄养,签证旅行证延期或办理一次性出入境通行证,都需要对加拿大出生证明办理中国驻加拿大大使馆或领事馆的领事认证。 一般情况下只要办理了加拿大出生证明认证即可拿到国内使用。个别城市个别部门(比如派出所)不仅要求提供加拿大出生证明认证文件,还会要求您带着领事认证后的加拿大出生证明认证到指定的公证处翻译公证。 办理加拿大出生证明认证仅需提供出生证明的高清扫描件即可,不需要提供原件。 加拿大出生证明三级认证所需的材料有: 1、公证认证申请表 2、申请人护照复印件,申请人为中国公民的还需要提供在加拿大有效居留身份复印件 3、加拿大出生证明的高清扫描件 中国公民,加拿大有效居留身份过期的,需要起草一份声明书说明哪段时间在加拿大居留,目前因何原因无法提供有效居留身份并签字。办理加拿大出生证明认证所需时长
加拿大出生证明认证的正常办理时长为15-20个工作日,加急服务的办理时常为10工作日左右。 加拿大出生证明认证的有效期为多长? 经中国驻加拿大领事馆认证的出生证明长期有效。 我们能为您做什么? 北京、上海、深圳、无锡、成都….无论您身在哪个城市,傲凡使馆认证网都可以帮您代办加拿大出生证明认证。 如果您委托我公司办理加拿大出生证明公证认证,可以略过以下部分的内容,我们将全权负责与加拿大机构的沟通、缴费、文件提交及邮寄等工作。我们拥有多年的专业认证经验,能够处理各种疑难案例,最大程度的提高文书认证的成功率,并为您节约宝贵时间。 我们会帮助您完成以下的三级认证程序。 第一步,经加拿大当地公证员(Notary Public)公证; 第二步,经省政府ODS(Official Documents Services)认证; 第三步,经中国驻加拿大大使馆或者领事馆(Chinese Embassy / Chinese Consulate)领事认证。 本文章源自:https://www.doczj.com/doc/b54142739.html,/background-ca
日本出生证明公证认证 在日本出生的孩子,在回国办理以下手续时需提供由中国驻日本大使馆签发的日本出生证明认证(也叫日本出生纸认证,日本出生证明公证)文件: 1、在日本出生持旅行证回国的孩子,在国内落户、入学或办理一次性出入境通行证; 2、在日本出生持日本护照中国签证回国的孩子,办理签证延期、寄养或申请中国长期居留权。 一般情况下,申请人还需提供出生证明认证的翻译件给政府部门,各地各部门对翻译机构的要求不同,有些需要国内指定公证处翻译,有些接受翻译公司翻译的版本,有些部门接受申请人自己翻译的文书,具体要求请与当地政府部门确认。 为什么日本出生证明需要办理领事认证? 在中国为宝宝办理落户、寄养、入学、签证延期、长期居留证明时,国内机构会要求提供孩子的日本出生证明认证文件。日本出生证明系由日本政府签发的文书,中国政府部门无法直接确认国外文书的真实性。日本出生证明必须由中国驻外领事馆认证以承认其法律效力。 日本出生证明认证所需材料 1)公证认证申请表
2)日本出生证明原件 3)父母双方护照照片页扫描件及在日本居留身份证明扫描件 4)孩子在留卡扫描件 日本出生证明认证的处理时间 一般情况下日本出生证明认证办理时长为15-20个工作日,包含邮寄时间。 日本出生证明认证的办理流程 第一步,日本出生证明递交至日本外务省办理认证。 日本外务省认证页内容用于证明出生证上官员的签字与印章属实,并会附上外务省官员的签字及印章。 第二步,将外务省认证后的日本出生证明递交至中国驻日本使领馆(Chinese Embassy/Consulate)办理领事认证。 中国驻日本使馆领事认证是在外务省认证页的背面粘贴一张小卡片,用于证明上一步外务省官员的签字与机构印章属实。