分享
 
 
 

RFC2587 - Internet X.509 Public Key Infrastructure LDAPv2 Schema

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group S. Boeyen

Request for Comments: 2587 Entrust

Category: Standards Track T. Howes

Netscape

P. Richard

Xcert

June 1999

Internet X.509 Public Key InfrastrUCture

LDAPv2 Schema

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

1. Abstract

The schema defined in this document is a minimal schema to support

PKIX in an LDAPv2 environment, as defined in RFC2559. Only PKIX-

specific components are specified here. LDAP servers, acting as PKIX

repositories should support the auxiliary object classes defined in

this specification and integrate this schema specification with the

generic and other application-specific schemas as appropriate,

depending on the services to be supplied by that server.

The key Words 'MUST', 'SHALL', 'REQUIRED', 'SHOULD', 'RECOMMENDED',

and 'MAY' in this document are to be interpreted as described in RFC

2119.

2. Introduction

This specification is part of a multi-part standard for development

of a Public Key Infrastructure (PKI) for the Internet. LDAPv2 is one

mechanism defined for Access to a PKI repository. Other mechanisms,

such as http, are also defined. If an LDAP server, accessed by LDAPv2

is used to provide a repository, the minimum requirement is that the

repository support the addition of X.509 certificates to Directory

entries. Certificate Revocation List (CRL)is one mechanism for

publishing revocation information in a repository. Other mechanisms,

such as http, are also defined.

This specification defines the attributes and object classes to be

used by LDAP servers acting as PKIX repositories and to be understood

by LDAP clients communicating with such repositories to query, add,

modify and delete PKI information. Some object classes and attributes

defined in X.509 are duplicated here for completeness. For end

entities and Certification Authorities (CA), the earlier X.509

defined object classes mandated inclusion of attributes which are

optional for PKIX. Also, because of the mandatory attribute

specification, this would have required dynamic modification of the

object class attribute should the attributes not always be present in

entries. For these reasons, alternative object classes are defined in

this document for use by LDAP servers acting as PKIX repositories.

3. PKIX Repository Objects

The primary PKIX objects to be represented in a repository are:

- End Entities

- Certification Authorities (CA)

These objects are defined in RFC2459.

3.1. End Entities

For purposes of PKIX schema definition, the role of end entities as

subjects of certificates is the major ASPect relevant to this

specification. End entities may be human users, or other types of

entities to which certificates may be issued. In some cases, the

entry for the end entity may already exist and the PKI-specific

information is added to the existing entry. In other cases the entry

may not exist prior to the issuance of a certificate, in which case

the entity adding the certificate may also need to create the entry.

Schema elements used to represent the non PKIX aspects of an entry,

such as the structural object class used to represent organizational

persons, may vary, depending on the particular environment and set of

applications served and are outside the scope of this specification.

The following auxiliary object class MAY be used to represent

certificate subjects:

pkiUser OBJECT-CLASS ::= {

SUBCLASS OF { top}

KIND auxiliary

MAY CONTAIN {userCertificate}

ID joint-iso-ccitt(2) ds(5) objectClass(6) pkiUser(21)}

userCertificate ATTRIBUTE ::= {

WITH SYNTAX Certificate

EQUALITY MATCHING RULE certificateExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4) userCertificate(36) }

An end entity may oBTain one or more certificates from one or more

Certification Authorities. The userCertificate attribute MUST be

used to represent these certificates in the directory entry

representing that user.

3.2. Certification Authorities

As with end entities, Certification Authorities are typically

represented in directories as auxiliary components of entries

representing a more generic object, such as organizations,

organizational units etc. The non PKIX-specific schema elements for

these entries, such as the structural object class of the object, are

outside the scope of this specification.

The following auxiliary object class MAY be used to represent

Certification Authorities:

pkiCA OBJECT-CLASS ::= {

SUBCLASS OF { top}

KIND auxiliary

MAY CONTAIN {cACertificate

certificateRevocationList

authorityRevocationList

crossCertificatePair }

ID joint-iso-ccitt(2) ds(5) objectClass(6) pkiCA(22)}

cACertificate ATTRIBUTE ::= {

WITH SYNTAX Certificate

EQUALITY MATCHING RULE certificateExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4) cACertificate(37) }

crossCertificatePairATTRIBUTE::={

WITH SYNTAX CertificatePair

EQUALITY MATCHING RULE certificatePairExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4) crossCertificatePair(40)}

The cACertificate attribute of a CA's directory entry shall be used

to store self-issued certificates (if any) and certificates issued to

this CA by CAs in the same realm as this CA.

The forward elements of the crossCertificatePair attribute of a CA's

directory entry shall be used to store all, except self-issued

certificates issued to this CA. Optionally, the reverse elements of

the crossCertificatePair attribute, of a CA's directory entry may

contain a subset of certificates issued by this CA to other CAs.

When both the forward and the reverse elements are present in a

single attribute value, issuer name in one certificate shall match

the subject name in the other and vice versa, and the subject public

key in one certificate shall be capable of verifying the digital

signature on the other certificate and vice versa.

When a reverse element is present, the forward element value and the

reverse element value need not be stored in the same attribute value;

in other words, they can be stored in either a single attribute value

or two attribute values.

In the case of V3 certificates, none of the above CA certificates

shall include a basicConstraints extension with the cA value set to

FALSE.

The definition of realm is purely a matter of local policy.

certificateRevocationListATTRIBUTE::={

WITH SYNTAX CertificateList

EQUALITY MATCHING RULE certificateListExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4)

certificateRevocationList(39)}

The certificateRevocationList attribute, if present in a particular

CA's entry, contains CRL(s) as defined in RFC2459.

authorityRevocationListATTRIBUTE::={

WITH SYNTAX CertificateList

EQUALITY MATCHING RULE certificateListExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4)

authorityRevocationList(38)}

The authorityRevocationList attribute, if present in a particular

CA's entry, includes revocation information regarding certificates

issued to other CAs.

3.2.1. CRL distribution points

CRL distribution points are an optional mechanism, specified in RFC

2459, which MAY be used to distribute revocation information.

A patent statement regarding CRL distribution points can be found at

the end of this document.

If a CA elects to use CRL distribution points, the following object

class is used to represent these.

cRLDistributionPoint OBJECT-CLASS::= {

SUBCLASS OF { top }

KIND structural

MUST CONTAIN { commonName }

MAY CONTAIN { certificateRevocationList

authorityRevocationList

deltaRevocationList }

ID joint-iso-ccitt(2) ds(5) objectClass(6) cRLDistributionPoint(19) }

The certificateRevocationList and authorityRevocationList attributes

are as defined above.

The commonName attribute and deltaRevocationList attributes, defined

in X.509, are duplicated below.

commonName ATTRIBUTE::={

SUBTYPE OF name

WITH SYNTAX DirectoryString

ID joint-iso-ccitt(2) ds(5) attributeType(4) commonName(3) }

deltaRevocationList ATTRIBUTE ::= {

WITH SYNTAX CertificateList

EQUALITY MATCHING RULE certificateListExactMatch

ID joint-iso-ccitt(2) ds(5) attributeType(4)

deltaRevocationList(53) }

3.2.2. Delta CRLs

Delta CRLs are an optional mechanism, specified in RFC2459, which

MAY be used to enhance the distribution of revocation information.

If a CA elects to use delta CRLs, the following object class is used

to represent these.

deltaCRL OBJECT-CLASS::= {

SUBCLASS OF { top }

KIND auxiliary

MAY CONTAIN { deltaRevocationList }

ID joint-iso-ccitt(2) ds(5) objectClass(6) deltaCRL(23) }

4. Security Considerations

Since the elements of information which are key to the PKI service

(certificates and CRLs) are both digitally signed pieces of

information, no additional integrity service is REQUIRED.

Security considerations with respect to retrieval, addition,

deletion, and modification of the information supported by this

schema definition are addressed in RFC2559.

5. References

[1] Yeong, Y., Howes, T. and S. Kille, "Lightweight Directory Access

Protocol", RFC1777, March 1995.

[2] Bradner, S., "Key Words for use in RFCs to Indicate Requirement

Levels", BCP 14, RFC2119, March 1997.

6 Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in

regard to some or all of the specification contained in this

document. For more information consult the online list of claimed

rights.

The IETF takes no position regarding the validity or scope of any

intellectual property or other rights that might be claimed to

pertain to the implementation or use of the technology described in

this document or the extent to which any license under such rights

might or might not be available; neither does it represent that it

has made any effort to identify any such rights. Information on the

IETF's procedures with respect to rights in standards-track and

standards-related documentation can be found in BCP-11. Copies of

claims of rights made available for publication and any assurances of

licenses to be made available, or the result of an attempt made to

obtain a general license or permission for the use of such

proprietary rights by implementors or users of this specification can

be obtained from the IETF Secretariat.

7. Authors' Addresses

Sharon Boeyen

Entrust Technologies Limited

750 Heron Road

Ottawa, Ontario

Canada K1V 1A7

EMail: sharon.boeyen@entrust.com

Tim Howes

Netscape Communications Corp.

501 E. Middlefield Rd.

Mountain View, CA 94043

USA

EMail: howes@netscape.com

Patrick Richard

Xcert Software Inc.

Suite 1001, 701 W. Georgia Street

P.O. Box 10145

Pacific Centre

Vancouver, B.C.

Canada V7Y 1C6

EMail: patr@xcert.com

Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise eXPlain it

or assist in its implementation may be prepared, copied, published

and distributed, in whole or in part, without restriction of any

kind, provided that the above copyright notice and this paragraph are

included on all such copies and derivative works. However, this

document itself may not be modified in any way, such as by removing

the copyright notice or references to the Internet Society or other

Internet organizations, except as needed for the purpose of

developing Internet standards in which case the procedures for

copyrights defined in the Internet Standards process must be

followed, or as required to translate it into languages other than

English.

The limited permissions granted above are perpetual and will not be

revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING

BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION

HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFCEditor function is currently provided by the

Internet Society.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有