Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track


              Lightweight Directory Access Protocol (LDAP)
                 Schema Definitions for X.509 Certificates

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes schema for representing X.509 certificates,
   X.521 security information, and related elements in directories
   accessible using the Lightweight Directory Access Protocol (LDAP).
   The LDAP definitions for these X.509 and X.521 schema elements
   replace those provided in RFCs 2252 and 2256.

1.  Introduction

   This document provides LDAP [RFC4510] schema definitions [RFC4512]
   for a subset of elements specified in X.509 [X.509] and X.521
   [X.521], including attribute types for certificates, cross
   certificate pairs, and certificate revocation lists; matching rules
   to be used with these attribute types; and related object classes.
   LDAP syntax definitions are also provided for associated assertion
   and attribute values.

   As the semantics of these elements are as defined in X.509 and X.521,
   knowledge of X.509 and X.521 is necessary to make use of the LDAP
   schema definitions provided herein.

   This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
   in their entirety.  The changes (in this document) made since RFC
   2252 and RFC 2256 include:

   - addition of pkiUser, pkiCA, and deltaCRL classes;

Zeilenga                    Standards Track                     [Page 1]

RFC 4523                   LDAP X.509 Schema                   June 2006

   - update of attribute types to include equality matching rules in
     accordance with their X.500 specifications;

   - addition of certificate, certificate pair, certificate list,
     and algorithm identifier matching rules; and

   - addition of LDAP syntax for assertion syntaxes for these
     matching rules.

   This document obsoletes RFC 2587.  The X.509 schema descriptions for
   LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC4512].  Definitions provided here are formatted (line wrapped)
   for readability.

2.  Syntaxes

   This section describes various syntaxes used in LDAP to transfer
   certificates and related data types.

2.1.  Certificate

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

   A value of this syntax is an X.509 Certificate [X.509, clause 7].

   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.2.  CertificateList

      ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

   A value of this syntax is an X.509 CertificateList [X.509, clause
   7.3].

   Due to changes made to the definition of a CertificateList through
   time, no LDAP-specific encoding is defined for this syntax.  Values
   of this syntax SHOULD be encoded using DER [X.690] and MUST only be
   transferred using the ;binary transfer option [RFC4522]; that is, by
   requesting and returning values using attribute descriptions such as
   "certificateRevocationList;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.3.  CertificatePair

      ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

   A value of this syntax is an X.509 CertificatePair [X.509, clause
   11.2.3].

   Due to changes made to the definition of an X.509 CertificatePair
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "crossCertificatePair;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.4.  SupportedAlgorithm

      ( 1.3.6.1.4.1.1466.115.121.1.49
        DESC 'X.509 Supported Algorithm' )

   A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause
   11.2.7].

   Due to changes made to the definition of an X.509 SupportedAlgorithm
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "supportedAlgorithms;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.5.  CertificateExactAssertion

      ( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )

   A value of this syntax is an X.509 CertificateExactAssertion [X.509,
   clause 11.3.1].  Values of this syntax MUST be encoded using the
   Generic String Encoding Rules (GSER) [RFC3641].  Appendix A.1
   provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234]
   grammar for this syntax.

2.6.  CertificateAssertion

      ( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )

   A value of this syntax is an X.509 CertificateAssertion [X.509,
   clause 11.3.2].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.2 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.7.  CertificatePairExactAssertion

      ( 1.3.6.1.1.15.3
        DESC 'X.509 Certificate Pair Exact Assertion' )

   A value of this syntax is an X.509 CertificatePairExactAssertion
   [X.509, clause 11.3.3].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.3 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.8.  CertificatePairAssertion

      ( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )

   A value of this syntax is an X.509 CertificatePairAssertion [X.509,
   clause 11.3.4].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.4 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.9.  CertificateListExactAssertion

      ( 1.3.6.1.1.15.5
        DESC 'X.509 Certificate List Exact Assertion' )

   A value of this syntax is an X.509 CertificateListExactAssertion
   [X.509, clause 11.3.5].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.5 provides an equivalent ABNF grammar for
   this syntax.

2.10.  CertificateListAssertion

      ( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )

   A value of this syntax is an X.509 CertificateListAssertion [X.509,
   clause 11.3.6].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.6 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.11.  AlgorithmIdentifier

      ( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )

   A value of this syntax is an X.509 AlgorithmIdentifier [X.509, clause
   7].  Values of this syntax MUST be encoded using GSER [RFC3641].
   Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this
   syntax.

3.  Matching Rules

   This section introduces a set of certificate and related matching
   rules for use in LDAP.  These rules are intended to act in accordance
   with their X.500 counterparts.

3.1.  certificateExactMatch

   The certificateExactMatch matching rule compares the presented
   certificate exact assertion value with an attribute value of the
   certificate syntax as described in clause 11.3.1 of [X.509].

      ( 2.5.13.34 NAME 'certificateExactMatch'
        DESC 'X.509 Certificate Exact Match'
        SYNTAX 1.3.6.1.1.15.1 )

3.2.  certificateMatch

   The certificateMatch matching rule compares the presented certificate
   assertion value with an attribute value of the certificate syntax as
   described in clause 11.3.2 of [X.509].

      ( 2.5.13.35 NAME 'certificateMatch'
        DESC 'X.509 Certificate Match'
        SYNTAX 1.3.6.1.1.15.2 )

3.3.  certificatePairExactMatch

   The certificatePairExactMatch matching rule compares the presented
   certificate pair exact assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.3 of [X.509].

      ( 2.5.13.36 NAME 'certificatePairExactMatch'
        DESC 'X.509 Certificate Pair Exact Match'
        SYNTAX 1.3.6.1.1.15.3 )

3.4.  certificatePairMatch

   The certificatePairMatch matching rule compares the presented
   certificate pair assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.4 of [X.509].

      ( 2.5.13.37 NAME 'certificatePairMatch'
        DESC 'X.509 Certificate Pair Match'
        SYNTAX 1.3.6.1.1.15.4 )

3.5.  certificateListExactMatch

   The certificateListExactMatch matching rule compares the presented
   certificate list exact assertion value with an attribute value of the
   certificate list syntax as described in clause 11.3.5 of [X.509].

      ( 2.5.13.38 NAME 'certificateListExactMatch'
        DESC 'X.509 Certificate List Exact Match'
        SYNTAX 1.3.6.1.1.15.5 )

3.6.  certificateListMatch

   The certificateListMatch matching rule compares the presented
   certificate list assertion value with an attribute value of the
   certificate list syntax as described in clause 11.3.6 of [X.509].

      ( 2.5.13.39 NAME 'certificateListMatch'
        DESC 'X.509 Certificate List Match'
        SYNTAX 1.3.6.1.1.15.6 )

3.7.  algorithmIdentifierMatch

   The algorithmIdentifierMatch matching rule compares a presented
   algorithm identifier with an attribute value of the supported
   algorithm syntax as described in clause 11.3.7 of [X.509].

      ( 2.5.13.40 NAME 'algorithmIdentifierMatch'
        DESC 'X.509 Algorithm Identifier Match'
        SYNTAX 1.3.6.1.1.15.7 )

4.  Attribute Types

   This section details a set of certificate and related attribute types
   for use in LDAP.

4.1.  userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( 2.5.4.36 NAME 'userCertificate'
        DESC 'X.509 user certificate'
        EQUALITY certificateExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "userCertificate;binary".

4.2.  cACertificate

   The cACertificate attribute holds the X.509 certificates issued to
   the certificate authority (CA), as discussed in clause 11.2.2 of
   [X.509].

      ( 2.5.4.37 NAME 'cACertificate'
        DESC 'X.509 CA certificate'
        EQUALITY certificateExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "cACertificate;binary".
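   The two requirements that Sections 2.1, 3.1 and 4.1 place on a
   certificate attribute can be exercised in code.  The script below is
   an added example written for this page; it is not part of RFC 4523
   and not taken from any LDAP implementation.  It (a) checks that a
   Certificate-syntax value is carried under an attribute description
   that has the ;binary option and is a single well-formed DER SEQUENCE,
   and (b) implements the comparison behind certificateExactMatch by
   pulling serialNumber and issuer out of the DER and comparing them
   with a CertificateExactAssertion.  Assumptions: the GSER text form of
   the assertion, { serialNumber N, issuer rdnSequence:"<DN>" }, follows
   Appendix A.1 of the RFC, which is not reproduced on this page; the
   certificate is a constructed, unsigned skeleton built with a tiny DER
   encoder so the script runs offline (the DN and serial are made up);
   and Name comparison is simplified relative to X.500 matching.

```python
import re
# Minimal DER encode/decode; definite lengths only, which is all DER allows.
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_int(value):  # two's complement, so a leading 0x00 appears when the top bit is set
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def read_tlv(buf, pos=0):
    """Return (tag, content, end_offset) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length: not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("element runs past the end of the value")
    return tag, buf[pos + hdr:end], end

# X.501 Name <-> LDAP DN string, for the attribute types the constructed DN uses.
OID_NAMES = {b"\x55\x04\x03": "cn", b"\x55\x04\x0a": "o", b"\x55\x04\x06": "c"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

def der_name(rdns):  # rdns in DER (root-first) order, one AttributeTypeAndValue per RDN
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, NAME_OIDS[t]) + tlv(0x0C, v.encode())))
                              for t, v in rdns))

def name_to_dn(name):
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)
        _, ava, _ = read_tlv(rdn)
        _, oid, p = read_tlv(ava)
        _, value, _ = read_tlv(ava, p)
        parts.append(f"{OID_NAMES.get(oid, 'oid.' + oid.hex())}={value.decode()}")
    return ",".join(reversed(parts))  # LDAP DN strings list the most specific RDN first

def constructed_certificate(serial, issuer_rdns):
    """CONSTRUCTED, UNSIGNED certificate skeleton for this demo; not a real X.509 certificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    tbs = (tlv(0xA0, der_int(2)) + der_int(serial) + alg + der_name(issuer_rdns)
           + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))  # validity
           + der_name([("c", "XX"), ("cn", "constructed subject")]))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, bytes(17)))  # dummy signature bits

def check_transfer(attr_desc, value):
    """Sections 2.1/4.1: list what is wrong with carrying `value` under `attr_desc`."""
    problems = []
    if "binary" not in [o.lower() for o in attr_desc.split(";")[1:]]:
        problems.append(f"{attr_desc}: Certificate syntax values MUST be transferred with ;binary")
    try:
        tag, _, end = read_tlv(value)
        if tag != 0x30 or end != len(value):
            problems.append("value is not exactly one DER SEQUENCE")
    except (ValueError, IndexError):
        problems.append("value is not DER at all (PEM text or truncated data?)")
    return problems

# Section 3.1, certificateExactMatch.  Assumed GSER shape: { serialNumber N, issuer rdnSequence:"<DN>" }
GSER_CEA = re.compile(r'^\{\s*serialNumber\s+(-?\d+)\s*,\s*issuer\s+rdnSequence:"((?:[^"]|"")*)"\s*\}$')

def parse_exact_assertion(text):
    m = GSER_CEA.match(text.strip())
    if not m:
        raise ValueError("not a CertificateExactAssertion in the assumed GSER form")
    return int(m.group(1)), m.group(2).replace('""', '"')

def serial_and_issuer(cert_der):
    tag, cert, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = read_tlv(cert)
    tag, content, pos = read_tlv(tbs)
    if tag == 0xA0:                        # optional [0] version precedes serialNumber
        tag, content, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    _, _, pos = read_tlv(tbs, pos)         # skip the signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, pos)
    return int.from_bytes(content, "big", signed=True), name_to_dn(issuer)

def normalize_dn(dn):  # simplified, case-insensitive Name comparison; X.500 matching is richer
    return ",".join(f"{t.strip().lower()}={' '.join(v.split()).lower()}"
                    for t, _, v in (r.partition("=") for r in dn.split(",")))

def certificate_exact_match(assertion, cert_der):
    a_serial, a_issuer = parse_exact_assertion(assertion)
    c_serial, c_issuer = serial_and_issuer(cert_der)
    return a_serial == c_serial and normalize_dn(a_issuer) == normalize_dn(c_issuer)

if __name__ == "__main__":
    cert = constructed_certificate(4660, [("o", "Example"), ("cn", "Example CA")])
    print(check_transfer("userCertificate", cert))   # flags the missing ;binary option
    print(certificate_exact_match('{ serialNumber 4660, issuer rdnSequence:"cn=Example CA,o=Example" }', cert))
```

   The DER check is a structural sanity check, not signature
   validation: it catches the common failure of storing PEM text or a
   concatenation of several values under a ;binary attribute, which
   would violate the "preserved as presented" requirement of Section
   2.1 once a client tried to verify the signature.  A production
   implementation would compare the issuer with the full X.500
   distinguishedNameMatch rule rather than the lowercase comparison
   used here.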

4.3.  crossCertificatePair

   The crossCertificatePair attribute holds an X.509 certificate pair,
   as discussed in clause 11.2.3 of [X.509].

      ( 2.5.4.40 NAME 'crossCertificatePair'
        DESC 'X.509 cross certificate pair'
        EQUALITY certificatePairExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "crossCertificatePair;binary".

4.4.  certificateRevocationList

   The certificateRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.4 of [X.509].

      ( 2.5.4.39 NAME 'certificateRevocationList'
        DESC 'X.509 certificate revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "certificateRevocationList;binary".

4.5.  authorityRevocationList

   The authorityRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.5 of [X.509].

      ( 2.5.4.38 NAME 'authorityRevocationList'
        DESC 'X.509 authority revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "authorityRevocationList;binary".

4.6.  deltaRevocationList

   The deltaRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.6 of [X.509].

      ( 2.5.4.53 NAME 'deltaRevocationList'
        DESC 'X.509 delta revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   MUST be requested and transferred using the attribute description
   "deltaRevocationList;binary".

4.7.  supportedAlgorithms

   The supportedAlgorithms attribute holds supported algorithms, as
   discussed in clause 11.2.7 of [X.509].

      ( 2.5.4.52 NAME 'supportedAlgorithms'
        DESC 'X.509 supported algorithms'
        EQUALITY algorithmIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )

   As required by this attribute type's syntax, values of this attribute
   MUST be requested and transferred using the attribute description
   "supportedAlgorithms;binary".

5.  Object Classes

   This section details a set of certificate-related object classes for
   use in LDAP.

5.1.  pkiUser

   This object class is used to augment entries for objects that may be
   subject to certificates, as defined in clause 11.1.1 of [X.509].

      ( 2.5.6.21 NAME 'pkiUser'
        DESC 'X.509 PKI User'
        SUP top AUXILIARY
        MAY userCertificate )

5.2.  pkiCA

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 11.1.2 of [X.509].

      ( 2.5.6.22 NAME 'pkiCA'
        DESC 'X.509 PKI Certificate Authority'
        SUP top AUXILIARY
        MAY ( cACertificate $ certificateRevocationList $
              authorityRevocationList $ crossCertificatePair ) )

5.3.  cRLDistributionPoint

   This class is used to represent objects that act as CRL distribution
   points, as discussed in clause 11.1.3 of [X.509].

      ( 2.5.6.19 NAME 'cRLDistributionPoint'
        DESC 'X.509 CRL distribution point'
        SUP top STRUCTURAL
        MUST cn
        MAY ( certificateRevocationList $
              authorityRevocationList $ deltaRevocationList ) )

5.4.  deltaCRL

   The deltaCRL object class is used to augment entries to hold delta
   revocation lists, as discussed in clause 11.1.4 of [X.509].

      ( 2.5.6.23 NAME 'deltaCRL'
        DESC 'X.509 delta CRL'
        SUP top AUXILIARY
        MAY deltaRevocationList )

5.5.  strongAuthenticationUser

   This object class is used to augment entries for objects
   participating in certificate-based authentication, as defined in
   clause 6.15 of [X.521].  This object class is deprecated in favor of
   pkiUser.

      ( 2.5.6.15 NAME 'strongAuthenticationUser'
        DESC 'X.521 strong authentication user'
        SUP top AUXILIARY
        MUST userCertificate )

5.6.  userSecurityInformation

   This object class is used to augment entries with needed additional
   associated security information, as defined in clause 6.16 of
   [X.521].

      ( 2.5.6.18 NAME 'userSecurityInformation'
        DESC 'X.521 user security information'
        SUP top AUXILIARY
        MAY ( supportedAlgorithms ) )

5.7.  certificationAuthority

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 6.17 of [X.521].  This
   object class is deprecated in favor of pkiCA.

      ( 2.5.6.16 NAME 'certificationAuthority'
        DESC 'X.509 certificate authority'
        SUP top AUXILIARY
        MUST ( authorityRevocationList $
               certificateRevocationList $ cACertificate )
        MAY crossCertificatePair )

5.8.  certificationAuthority-V2

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 6.18 of [X.521].  This
   object class is deprecated in favor of pkiCA.

      ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
        DESC 'X.509 certificate authority, version 2'
        SUP certificationAuthority AUXILIARY
        MAY deltaRevocationList )

6.  Security Considerations

   General certificate considerations [RFC3280] apply to LDAP-aware
   certificate applications.  General LDAP security considerations
   [RFC4510] apply as well.

   While elements of certificate information are commonly signed, these
   signatures only protect the integrity of the signed information.  In
   the absence of data integrity protections in LDAP (or a lower layer,
   e.g., IPsec), a server is not assured that a client's certificate
   request (or other request) was unaltered in transit.  Likewise, a
   client cannot be assured that the results of the query were unaltered
   in transit.  Hence, it is generally recommended that implementations
   make use of authentication and data integrity services in LDAP
   [RFC4513][RFC4511].

7.  IANA Considerations

7.1.  Object Identifier Registration

   The IANA has registered an LDAP Object Identifier [RFC4520] for use
   in this technical specification.

      Subject: Request for LDAP OID Registration
      Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
      Specification: RFC 4523
      Author/Change Controller: IESG
      Comments:
           Identifies the LDAP X.509 Certificate schema elements
           introduced in this document.

7.2.  Descriptor Registration

   The IANA has updated the LDAP Descriptor registry [RFC4520] as
   indicated below.

      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): see table
      Object Identifier: see table
      Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
      Usage: see table
      Specification: RFC 4523
      Author/Change Controller: IESG

      algorithmIdentifierMatch      M  2.5.13.40
      authorityRevocationList       A  2.5.4.38    *
      cACertificate                 A  2.5.4.37    *
      cRLDistributionPoint          O  2.5.6.19    *
      certificateExactMatch         M  2.5.13.34
      certificateListExactMatch     M  2.5.13.38
      certificateListMatch          M  2.5.13.39
      certificateMatch              M  2.5.13.35
      certificatePairExactMatch     M  2.5.13.36
      certificatePairMatch          M  2.5.13.37
      certificateRevocationList     A  2.5.4.39    *
      certificationAuthority        O  2.5.6.16    *
      certificationAuthority-V2     O  2.5.6.16.2  *
      crossCertificatePair          A  2.5.4.40    *
      deltaCRL                      O  2.5.6.23    *
      deltaRevocationList           A  2.5.4.53    *
      pkiCA                         O  2.5.6.22    *
      pkiUser                       O  2.5.6.21    *
      strongAuthenticationUser      O  2.5.6.15    *
      supportedAlgorithms           A  2.5.4.52    *
      userCertificate               A  2.5.4.36    *
      userSecurityInformation       O  2.5.6.18    *

      * Updates previous registration

8.  Acknowledgements

   This document is based on X.509, a product of the ITU-T.  A number of
   LDAP schema definitions were based on those found in RFCs 2252 and
   2256, both products of the IETF ASID WG.  The ABNF productions in
   Appendix A were provided by Steven Legg.  Additional material was
   borrowed from prior works by David Chadwick and Steven Legg to refine
   the LDAP X.509 schema.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3641]  Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
              Types", RFC 3641, October 2003.

   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC4522]  Legg, S., "Lightweight Directory Access Protocol (LDAP):
              The Binary Encoding Option", RFC 4522, June 2006.

   [X.509]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Authentication
              Framework", X.509(2000).
   [X.521]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Selected Object
              Classes", X.521(2000).

   [X.690]    International Telecommunication Union - Telecommunication
              Standardization Sector, "Specification of ASN.1 encoding
              rules: Basic Encoding Rules (BER), Canonical Encoding
              Rules (CER), and Distinguished Encoding Rules (DER)",
              X.690(2002) (also ISO/IEC 8825-1:2002).

9.2.  Informative References

   [RFC1777]  Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
              Access Protocol", RFC 1777, March 1995.

   [RFC2156]  Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay):
              Mapping between X.400 and RFC 822/MIME", RFC 2156, January
              1998.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3494]  Zeilenga, K., "Lightweight Directory Access Protocol
              version 2 (LDAPv2) to Historic Status", RFC 3494, March
              2003.

   [RFC3642]  Legg, S., "Common Elements of Generic String Encoding
              Rules (GSER) Encodings", RFC 3642, October 2003.

   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
              Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4513]  Harrison, R., Ed., "Lightweight Directory Access Protocol
              (LDAP): Authentication Methods and Security Mechanisms",
              RFC 4513, June 2006.

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

Appendix A.

   This appendix is informative.

   This appendix provides ABNF [RFC4234] grammars for the GSER-based
   [RFC3641] LDAP-specific encodings specified in this document.  These
   grammars were produced using, and rely on, the Common Elements for
   GSER Encodings [RFC3642].

A.1.  CertificateExactAssertion

   CertificateExactAssertion = "{" sp cea-serialNumber ","
       sp cea-issuer sp "}"

   cea-serialNumber = id-serialNumber msp CertificateSerialNumber
   cea-issuer = id-issuer msp Name

   id-serialNumber =
       %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
   id-issuer = %x69.73.73.75.65.72 ; 'issuer'

   Name = id-rdnSequence ":" RDNSequence
   id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'

   CertificateSerialNumber = INTEGER

A.2.  CertificateAssertion

CertificateAssertion = "{" [ sp ca-serialNumber ]
     [ sep sp ca-issuer ]
     [ sep sp ca-subjectKeyIdentifier ]
     [ sep sp ca-authorityKeyIdentifier ]
     [ sep sp ca-certificateValid ]
     [ sep sp ca-privateKeyValid ]
     [ sep sp ca-subjectPublicKeyAlgID ]
     [ sep sp ca-keyUsage ]
     [ sep sp ca-subjectAltName ]
     [ sep sp ca-policy ]
     [ sep sp ca-pathToName ]
     [ sep sp ca-subject ]
     [ sep sp ca-nameConstraints ] sp "}"

ca-serialNumber = id-serialNumber msp CertificateSerialNumber
ca-issuer = id-issuer msp Name
ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
     SubjectKeyIdentifier
ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
     AuthorityKeyIdentifier
ca-certificateValid = id-certificateValid msp Time
ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
     OBJECT-IDENTIFIER
ca-keyUsage = id-keyUsage msp KeyUsage
ca-subjectAltName = id-subjectAltName msp AltNameType
ca-policy = id-policy msp CertPolicySet
ca-pathToName = id-pathToName msp Name
ca-subject = id-subject msp Name
ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax

id-subjectKeyIdentifier =
     %x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
     ; 'subjectKeyIdentifier'
id-authorityKeyIdentifier =
     %x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
     ; 'authorityKeyIdentifier'
id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
     ; 'certificateValid'
id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
     ; 'privateKeyValid'
id-subjectPublicKeyAlgID =
     %x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
     ; 'subjectPublicKeyAlgID'
id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
     ; 'subjectAltName'
id-policy = %x70.6F.6C.69.63.79 ; 'policy'
id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
     ; 'nameConstraints'

SubjectKeyIdentifier = KeyIdentifier

KeyIdentifier = OCTET-STRING

AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
     [ sep sp aki-authorityCertIssuer ]
     [ sep sp aki-authorityCertSerialNumber ] sp "}"

aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier
aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames

GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
GeneralName = gn-otherName
     / gn-rfc822Name
     / gn-dNSName
     / gn-x400Address
     / gn-directoryName
     / gn-ediPartyName
     / gn-uniformResourceIdentifier
     / gn-iPAddress
     / gn-registeredID

gn-otherName = id-otherName ":" OtherName
gn-rfc822Name = id-rfc822Name ":" IA5String
gn-dNSName = id-dNSName ":" IA5String
gn-x400Address = id-x400Address ":" ORAddress
gn-directoryName = id-directoryName ":" Name
gn-ediPartyName = id-ediPartyName ":" EDIPartyName
gn-iPAddress = id-iPAddress ":" OCTET-STRING
gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER

gn-uniformResourceIdentifier = id-uniformResourceIdentifier
     ":" IA5String

id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
     ; 'registeredID'

OtherName = "{" sp on-type-id "," sp on-value sp "}"
on-type-id = id-type-id msp OBJECT-IDENTIFIER
on-value = id-value msp Value
     ;; <Value> as defined in Section 3 of [RFC3641]

id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id'
id-value = %x76.61.6C.75.65 ; 'value'

ORAddress = dquote *SafeIA5Character dquote
SafeIA5Character = %x01-21 / %x23-7F / ; ASCII minus dquote
     dquote dquote ; escaped double quote
dquote = %x22 ; '"' (double quote)

;; Note: The <ORAddress> rule encodes the x400Address component
;; of a GeneralName as a character string between double quotes.
;; The character string is first derived according to Section 4.1
;; of [RFC2156], and then any embedded double quotes are escaped
;; by being repeated.  The resulting string is output between
;; double quotes.

EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
nameAssigner = id-nameAssigner msp DirectoryString
partyName = id-partyName msp DirectoryString
id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
     ; 'nameAssigner'
id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'

aki-authorityCertSerialNumber = id-authorityCertSerialNumber
     msp CertificateSerialNumber

id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
     ; 'keyIdentifier'
id-authorityCertIssuer =
     %x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
     ; 'authorityCertIssuer'

id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
     %x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
     ; 'authorityCertSerialNumber'

Time = time-utcTime / time-generalizedTime
time-utcTime = id-utcTime ":" UTCTime
time-generalizedTime = id-generalizedTime ":" GeneralizedTime
id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
     ; 'generalizedTime'

KeyUsage = BIT-STRING / key-usage-bit-list
key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"

;; Note: The <key-usage-bit-list> rule encodes the one bits in
;; a KeyUsage value as a comma separated list of identifiers.

key-usage = id-digitalSignature
     / id-nonRepudiation
     / id-keyEncipherment
     / id-dataEncipherment
     / id-keyAgreement
     / id-keyCertSign
     / id-cRLSign
     / id-encipherOnly
     / id-decipherOnly

id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74
     %x75.72.65 ; 'digitalSignature'
id-nonRepudiation = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E
     ; 'nonRepudiation'
id-keyEncipherment = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74
     ; 'keyEncipherment'
id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E
     %x74 ; 'dataEncipherment'
id-keyAgreement = %x6B.65.79.41.67.72.65.65.6D.65.6E.74
     ; 'keyAgreement'
id-keyCertSign = %x6B.65.79.43.65.72.74.53.69.67.6E
     ; 'keyCertSign'
id-cRLSign = %x63.52.4C.53.69.67.6E ; 'cRLSign'
id-encipherOnly = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79
     ; 'encipherOnly'
id-decipherOnly = %x64.65.63.69.70.68.65.72.4F.6E.6C.79
     ; 'decipherOnly'

AltNameType = ant-builtinNameForm / ant-otherNameForm

ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm
ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER

id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D
     ; 'builtinNameForm'
id-otherNameForm = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D
     ; 'otherNameForm'

BuiltinNameForm = id-rfc822Name
     / id-dNSName
     / id-x400Address
     / id-directoryName
     / id-ediPartyName
     / id-uniformResourceIdentifier
     / id-iPAddress
     / id-registeredId

id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name'
id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName'
id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address'
id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65
     ; 'directoryName'
id-ediPartyName = %x65.64.69.50.61.72.74.79.4E.61.6D.65
     ; 'ediPartyName'
id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress'
id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64
     ; 'registeredId'

id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
     %x72.63.65.49.64.65.6E.74.69.66.69.65.72
     ; 'uniformResourceIdentifier'

CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
CertPolicyId = OBJECT-IDENTIFIER

NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ]
     [ sep sp ncs-excludedSubtrees ] sp "}"

ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees
ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees

id-permittedSubtrees =
     %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73
     ; 'permittedSubtrees'
id-excludedSubtrees =
     %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73
     ; 'excludedSubtrees'

GeneralSubtrees = "{" sp GeneralSubtree
     *( "," sp GeneralSubtree ) sp "}"
GeneralSubtree = "{" sp gs-base
     [ "," sp gs-minimum ]
     [ "," sp gs-maximum ] sp "}"

gs-base = id-base msp GeneralName
gs-minimum = id-minimum msp BaseDistance
gs-maximum = id-maximum msp BaseDistance

id-base = %x62.61.73.65 ; 'base'
id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum'
id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum'

BaseDistance = INTEGER-0-MAX

A.3.  CertificatePairExactAssertion

   CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ]
       [ sep sp cpea-issuedBy ] sp "}"
   ;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.
   cpea-issuedTo = id-issuedToThisCAAssertion msp
       CertificateExactAssertion
   cpea-issuedBy = id-issuedByThisCAAssertion msp
       CertificateExactAssertion

   id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
       %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
   id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
       %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'

A.4.  CertificatePairAssertion

   CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
       [ sep sp cpa-issuedBy ] sp "}"
   ;; At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.

   cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
   cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion
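   The A.1 and A.3 grammars above, exercised in code.  This is an added
   example, not text or code from RFC 4523 or from the OpenLDAP project.
   It assumes the RDNSequence encoding of [RFC3641] (the LDAP DN string
   between double quotes, an embedded quote written twice), the
   extensible-match filter syntax and value escaping of RFC 4515, and a
   constructed sample issuer; the function names (encode_cea, parse_cpea
   and so on) are the example's own.  It encodes a
   CertificateExactAssertion and a CertificatePairExactAssertion as GSER
   strings, parses them back with a small scanner that respects quoted
   strings and nested braces, and rejects the forms the grammar forbids
   (neither issuedTo nor issuedBy present, a repeated component, an
   INTEGER with a leading zero).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CertificateExactAssertion:
    serial_number: int   # CertificateSerialNumber = INTEGER
    issuer: str          # issuer Name as an LDAP DN string (RFC 4514 form)

SAMPLE = CertificateExactAssertion(123456789, 'CN=Example "Root" CA,O=Example Corp,C=US')  # constructed

def _quote_rdn_sequence(dn: str) -> str:
    # RFC 3641 RDNSequence (assumed): DN string in double quotes, embedded quotes doubled.
    return '"' + dn.replace('"', '""') + '"'

def encode_cea(a: CertificateExactAssertion) -> str:
    # A.1: "{" sp cea-serialNumber "," sp cea-issuer sp "}"; one space serves as msp.
    return '{ serialNumber %d, issuer rdnSequence:%s }' % (
        a.serial_number, _quote_rdn_sequence(a.issuer))

def encode_cpea(issued_to=None, issued_by=None) -> str:
    # A.3: both components are optional, but at least one MUST be present.
    if issued_to is None and issued_by is None:
        raise ValueError("at least one of issuedTo/issuedBy MUST be present")
    parts = [tag + " " + encode_cea(a) for tag, a in
             (("issuedToThisCAAssertion", issued_to), ("issuedByThisCAAssertion", issued_by))
             if a is not None]
    return "{ " + ", ".join(parts) + " }"

def _components(text: str) -> list:
    """Strip the outer braces and split on top-level commas; commas, braces
    and doubled quotes inside a quoted string are left untouched."""
    text = text.strip(" ")
    if len(text) < 2 or text[0] != "{" or text[-1] != "}":
        raise ValueError("expected a brace-delimited GSER value: %r" % text)
    parts, cur, depth, in_str = [], [], 0, False
    for c in text[1:-1]:
        if in_str:
            in_str = c != '"'       # a doubled quote re-enters the string
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif c == "," and depth == 0:
            parts.append("".join(cur).strip(" "))
            cur = []
            continue
        cur.append(c)
    if in_str or depth != 0:
        raise ValueError("unbalanced quotes or braces: %r" % text)
    tail = "".join(cur).strip(" ")
    if tail or parts:           # keeps "" after a trailing comma, so it is rejected later
        parts.append(tail)
    return parts

def _ident_value(comp: str):
    m = re.match(r"^([A-Za-z][A-Za-z0-9-]*) +(.*)$", comp, re.S)   # identifier msp value
    if not m:
        raise ValueError("malformed component: %r" % comp)
    return m.group(1), m.group(2)

def parse_cea(text: str) -> CertificateExactAssertion:
    comps = [_ident_value(c) for c in _components(text)]
    if [k for k, _ in comps] != ["serialNumber", "issuer"]:
        raise ValueError("expected exactly serialNumber then issuer")
    serial = re.fullmatch(r"-?(?:0|[1-9][0-9]*)", comps[0][1])   # GSER INTEGER form
    issuer = re.fullmatch(r'rdnSequence:"((?:[^"]|"")*)"', comps[1][1])
    if not serial or not issuer:
        raise ValueError("malformed serialNumber or issuer")
    return CertificateExactAssertion(int(serial.group(0)),
                                     issuer.group(1).replace('""', '"'))

def parse_cpea(text: str):
    issued_to = issued_by = None
    for comp in _components(text):
        ident, value = _ident_value(comp)
        if ident == "issuedToThisCAAssertion" and issued_to is None:
            issued_to = parse_cea(value)
        elif ident == "issuedByThisCAAssertion" and issued_by is None:
            issued_by = parse_cea(value)
        else:
            raise ValueError("unexpected or repeated component: %s" % ident)
    if issued_to is None and issued_by is None:
        raise ValueError("at least one of issuedTo/issuedBy MUST be present")
    return issued_to, issued_by

def is_valid_cpea(text: str) -> bool:
    try:
        return parse_cpea(text) is not None
    except ValueError:
        return False

def exact_match_filter(attribute: str, a: CertificateExactAssertion) -> str:
    # RFC 4515 extensible-match filter (assumed usage); the characters RFC 4515
    # reserves are escaped as \XX so a DN containing them cannot alter the filter.
    value = encode_cea(a)
    for ch in ("\\", "*", "(", ")", "\0"):
        value = value.replace(ch, "\\%02x" % ord(ch))
    return "(%s:certificateExactMatch:=%s)" % (attribute, value)
```

   The filter helper is where the quoting rules earn their keep: an
   issuer DN is text that originates outside the querying application,
   and a parenthesis or asterisk inside it would otherwise change the
   structure of the search filter, so the encoded assertion is escaped
   before it is placed in the filter string.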
A.5.  CertificateListExactAssertion

   CertificateListExactAssertion = "{" sp clea-issuer ","
       sp clea-thisUpdate
       [ "," sp clea-distributionPoint ] sp "}"

   clea-issuer = id-issuer msp Name
   clea-thisUpdate = id-thisUpdate msp Time
   clea-distributionPoint = id-distributionPoint msp
       DistributionPointName

   id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
   id-distributionPoint =
       %x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
       ; 'distributionPoint'

   DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer

   dpn-fullName = id-fullName ":" GeneralNames
   dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
       RelativeDistinguishedName

   id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
   id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
       %x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'
A.6.  CertificateListAssertion

   CertificateListAssertion = "{" [ sp cla-issuer ]
       [ sep sp cla-minCRLNumber ]
       [ sep sp cla-maxCRLNumber ]
       [ sep sp cla-reasonFlags ]
       [ sep sp cla-dateAndTime ]
       [ sep sp cla-distributionPoint ]
       [ sep sp cla-authorityKeyIdentifier ] sp "}"

   cla-issuer = id-issuer msp Name
   cla-minCRLNumber = id-minCRLNumber msp CRLNumber
   cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
   cla-reasonFlags = id-reasonFlags msp ReasonFlags
   cla-dateAndTime = id-dateAndTime msp Time

   cla-distributionPoint = id-distributionPoint msp
       DistributionPointName

   cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
       AuthorityKeyIdentifier

   id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
       ; 'minCRLNumber'
   id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
       ; 'maxCRLNumber'
   id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
   id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'

   CRLNumber = INTEGER-0-MAX

   ReasonFlags = BIT-STRING
       / "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"

   reason-flag = id-unused
       / id-keyCompromise
       / id-cACompromise
       / id-affiliationChanged
       / id-superseded
       / id-cessationOfOperation
       / id-certificateHold
       / id-privilegeWithdrawn
       / id-aACompromise

   id-unused = %x75.6E.75.73.65.64 ; 'unused'
   id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
       ; 'keyCompromise'
   id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
       ; 'cACompromise'
   id-affiliationChanged =
       %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
       ; 'affiliationChanged'
   id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
   id-cessationOfOperation =
       %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
       ; 'cessationOfOperation'
   id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
       ; 'certificateHold'
   id-privilegeWithdrawn =
       %x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
       ; 'privilegeWithdrawn'
   id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
       ; 'aACompromise'
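   Both KeyUsage (A.2) and ReasonFlags (A.6) may be written either as a
   GSER BIT-STRING or as a brace-delimited list of bit names.  The
   following added example (not part of RFC 4523) encodes and decodes
   both forms for both types with one set of routines.  It assumes the
   bit positions that X.509 assigns to these flags (bit 0 first) and
   the bstring ('0110'B) and hstring ('06'H) BIT-STRING forms of
   [RFC3641]; the function names are the example's own.

```python
import re
from typing import FrozenSet, Iterable, Sequence

# Bit positions as X.509 assigns them (bit 0 is the first, leftmost bit).
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")
REASON_FLAG_BITS = ("unused", "keyCompromise", "cACompromise",
                    "affiliationChanged", "superseded", "cessationOfOperation",
                    "certificateHold", "privilegeWithdrawn", "aACompromise")

def encode_bit_list(names: Sequence[str], flags: Iterable[str]) -> str:
    # "{" [ sp key-usage *( "," sp key-usage ) ] sp "}" (ReasonFlags has the
    # same shape); identifiers are emitted in bit order, each one at most once.
    flags = set(flags)
    unknown = sorted(flags - set(names))
    if unknown:
        raise ValueError("unknown identifiers: %s" % unknown)
    chosen = [n for n in names if n in flags]
    return "{ " + ", ".join(chosen) + " }" if chosen else "{ }"

def encode_bstring(names: Sequence[str], flags: Iterable[str]) -> str:
    # The BIT-STRING alternative as a GSER bstring (RFC 3641, assumed): '0110'B,
    # bit 0 leftmost, with trailing zero bits omitted as DER requires.
    positions = sorted(names.index(f) for f in flags)   # ValueError if unknown
    if not positions:
        return "''B"
    return "'" + "".join("1" if i in positions else "0"
                         for i in range(positions[-1] + 1)) + "'B"

_BSTRING = re.compile(r"^'([01]*)'B$")
_HSTRING = re.compile(r"^'([0-9A-Fa-f]*)'H$")

def decode_bits(names: Sequence[str], text: str) -> FrozenSet[str]:
    """Accept either GSER alternative and return the set of named bits."""
    text = text.strip(" ")
    m = _BSTRING.match(text) or _HSTRING.match(text)
    if m is None:
        return _decode_bit_list(names, text)
    digits = m.group(1)
    if text.endswith("H"):   # each hex digit is four bits, high bit first
        digits = "".join(format(int(h, 16), "04b") for h in digits)
    on = {i for i, b in enumerate(digits) if b == "1"}
    beyond = sorted(i for i in on if i >= len(names))
    if beyond:   # a set bit with no name: refuse rather than silently drop it
        raise ValueError("bit(s) %s have no defined meaning" % beyond)
    return frozenset(names[i] for i in on)

def _decode_bit_list(names: Sequence[str], text: str) -> FrozenSet[str]:
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("not a BIT-STRING or bit list: %r" % text)
    body = text[1:-1].strip(" ")
    if not body:
        return frozenset()
    items = [s.strip(" ") for s in body.split(",")]
    bad = [s for s in items if s not in names]
    if bad:
        raise ValueError("unknown identifiers: %s" % bad)
    return frozenset(items)

def has_all(names: Sequence[str], text: str, required: Iterable[str]) -> bool:
    # True when every required bit is set in the encoded value, e.g. to check
    # that a CA certificate's keyUsage includes keyCertSign.
    return set(required) <= decode_bits(names, text)
```

   decode_bits refuses a set bit for which no name is defined instead
   of dropping it, so a value that asserts an unknown usage or reason
   is surfaced to the caller rather than silently narrowed to the bits
   it happens to recognise.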
A.7.  AlgorithmIdentifier

   AlgorithmIdentifier = "{" sp ai-algorithm
       [ "," sp ai-parameters ] sp "}"

   ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
   ai-parameters = id-parameters msp Value
   id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm'
   id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'

Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).