Netscape Certificate Management System Plug-Ins Guide • March 2002

For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at these locations:

/cms_sdk/cms_jdk/samples/policies

For instructions to configure a Certificate Manager and Registration Manager to use one or more of the policy modules, see section “Configuring Policy Rules for a Subsystem” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide.

AuthInfoAccessExt Plug-in Module

The AuthInfoAccessExt plug-in module implements the authority information access extension policy. This policy enables you to configure Certificate Management System to add the Authority Information Access Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension specifies how an application validating a certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate in which the extension appears. Note that this extension should not be used to point directly to the CRL location maintained by a CA; the CRL Distribution Points extension explained in “CRLDistributionPointsExt Plug-in Module” on page 163 allows you to reference CRL locations.

The PKIX standard states that you may include the authority information access extension in end-entity and CA certificates and recommends that the extension be marked noncritical. For general guidelines on setting the authority information access extension, see “authorityInfoAccess” on page 339.

The authority information access extension policy in Certificate Management System allows you to set the authority information access extension as defined in its X.509 definition. The policy enables you to specify any number of access points for CA information. For each access point, you can specify the access method, actual location that contains the additional information about the CA, and the mechanism for retrieving the information. The location can be specified in any of the following general-name forms: an rfc822name, a directory name, a DNS name, an EDI party name, a uniform resource identifier (URI), an IP address, an object identifier (OID), and any other name.
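To check what access points an issued certificate actually carries, the extension value can be decoded directly. The following Python is an added example, not code from the guide or from CMS: it walks the DER encoding of the extension (a SEQUENCE of access descriptions, each an access-method OID plus a general-name location, per RFC 2459) and reports the method and name form of each access point. The function names and the sample host names are assumptions made for illustration.

```python
METHODS = {"1.3.6.1.5.5.7.48.1": "ocsp", "1.3.6.1.5.5.7.48.2": "caIssuers"}
FORMS = ["otherName", "rfc822Name", "dNSName", "x400Address", "directoryName",
         "ediPartyName", "URI", "iPAddress", "registeredID"]  # index = GeneralName tag

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID content octets -> dotted-decimal string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs, value = arcs + [value], 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    x = min(arcs[0] // 40, 2)  # the first group packs the first two arcs
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def parse_aia(der):
    """Return [(access method, general-name form, location), ...]."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE OF AccessDescription")
    points, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        mtag, oid, p = read_tlv(desc, 0)
        ltag, loc, _ = read_tlv(desc, p)
        if tag != 0x30 or mtag != 0x06 or (ltag & 0xC0) != 0x80 or (ltag & 0x1F) > 8:
            raise ValueError("malformed AccessDescription")
        form, method = FORMS[ltag & 0x1F], decode_oid(oid)
        if form in ("rfc822Name", "dNSName", "URI"):
            loc = loc.decode("ascii")  # IA5String forms
        else:  # structured or binary forms are reported as raw hex
            loc = decode_oid(loc) if form == "registeredID" else loc.hex()
        points.append((METHODS.get(method, method), form, loc))
    return points

# Constructed sample value: an OCSP responder given as a URI, CA issuers as a DNS name.
SAMPLE = (bytes.fromhex("3044 3025 06082b06010505073001 8619") + b"http://ocsp.example.test/"
          + bytes.fromhex("301b 06082b06010505073002 820f") + b"ca.example.test")
```

Calling `parse_aia(SAMPLE)` yields one tuple per access point; a value that is truncated or not a well-formed sequence raises `ValueError` rather than returning partial results.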