Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track


              Lightweight Directory Access Protocol (LDAP)
                Schema Definitions for X.509 Certificates

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes schema for representing X.509 certificates,
   X.521 security information, and related elements in directories
   accessible using the Lightweight Directory Access Protocol (LDAP).
   The LDAP definitions for these X.509 and X.521 schema elements
   replace those provided in RFCs 2252 and 2256.

1.  Introduction

   This document provides LDAP [RFC4510] schema definitions [RFC4512]
   for a subset of elements specified in X.509 [X.509] and X.521
   [X.521], including attribute types for certificates, cross
   certificate pairs, and certificate revocation lists; matching rules
   to be used with these attribute types; and related object classes.
   LDAP syntax definitions are also provided for associated assertion
   and attribute values.

   As the semantics of these elements are as defined in X.509 and X.521,
   knowledge of X.509 and X.521 is necessary to make use of the LDAP
   schema definitions provided herein.

   This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
   in their entirety.
   The changes (in this document) made since RFC 2252 and RFC 2256
   include:

   - addition of pkiUser, pkiCA, and deltaCRL classes;

Zeilenga                    Standards Track                     [Page 1]

RFC 4523                   LDAP X.509 Schema                   June 2006

   - update of attribute types to include equality matching rules in
     accordance with their X.500 specifications;

   - addition of certificate, certificate pair, certificate list,
     and algorithm identifier matching rules; and

   - addition of LDAP syntax for assertion syntaxes for these
     matching rules.

   This document obsoletes RFC 2587.  The X.509 schema descriptions for
   LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC4512].  Definitions provided here are formatted (line wrapped)
   for readability.

2.  Syntaxes

   This section describes various syntaxes used in LDAP to transfer
   certificates and related data types.

2.1.  Certificate

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

   A value of this syntax is an X.509 Certificate [X.509, clause 7].

   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.2.  CertificateList

      ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

   A value of this syntax is an X.509 CertificateList [X.509, clause
   7.3].

   Due to changes made to the definition of a CertificateList through
   time, no LDAP-specific encoding is defined for this syntax.  Values
   of this syntax SHOULD be encoded using DER [X.690] and MUST only be
   transferred using the ;binary transfer option [RFC4522]; that is, by
   requesting and returning values using attribute descriptions such as
   "certificateRevocationList;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.3.  CertificatePair

      ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

   A value of this syntax is an X.509 CertificatePair [X.509, clause
   11.2.3].

   Due to changes made to the definition of an X.509 CertificatePair
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "crossCertificatePair;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.4.  SupportedAlgorithm

      ( 1.3.6.1.4.1.1466.115.121.1.49
        DESC 'X.509 Supported Algorithm' )

   A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause
   11.2.7].

   Due to changes made to the definition of an X.509 SupportedAlgorithm
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "supportedAlgorithms;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of the value MUST be preserved as presented.

2.5.  CertificateExactAssertion

      ( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )

   A value of this syntax is an X.509 CertificateExactAssertion [X.509,
   clause 11.3.1].  Values of this syntax MUST be encoded using the
   Generic String Encoding Rules (GSER) [RFC3641].  Appendix A.1
   provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234]
   grammar for this syntax.

2.6.  CertificateAssertion

      ( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )

   A value of this syntax is an X.509 CertificateAssertion [X.509,
   clause 11.3.2].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.2 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.7.  CertificatePairExactAssertion

      ( 1.3.6.1.1.15.3
        DESC 'X.509 Certificate Pair Exact Assertion' )

   A value of this syntax is an X.509 CertificatePairExactAssertion
   [X.509, clause 11.3.3].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.3 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.8.  CertificatePairAssertion

      ( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )

   A value of this syntax is an X.509 CertificatePairAssertion [X.509,
   clause 11.3.4].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.4 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.9.  CertificateListExactAssertion

      ( 1.3.6.1.1.15.5
        DESC 'X.509 Certificate List Exact Assertion' )

   A value of this syntax is an X.509 CertificateListExactAssertion
   [X.509, clause 11.3.5].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.5 provides an equivalent ABNF grammar for
   this syntax.

2.10.  CertificateListAssertion

      ( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )

   A value of this syntax is an X.509 CertificateListAssertion [X.509,
   clause 11.3.6].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.6 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.11.  AlgorithmIdentifier

      ( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )

   A value of this syntax is an X.509 AlgorithmIdentifier [X.509, clause
   7].  Values of this syntax MUST be encoded using GSER [RFC3641].
   Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this
   syntax.

3.  Matching Rules

   This section introduces a set of certificate and related matching
   rules for use in LDAP.  These rules are intended to act in accordance
   with their X.500 counterparts.

3.1.  certificateExactMatch

   The certificateExactMatch matching rule compares the presented
   certificate exact assertion value with an attribute value of the
   certificate syntax as described in clause 11.3.1 of [X.509].

      ( 2.5.13.34 NAME 'certificateExactMatch'
        DESC 'X.509 Certificate Exact Match'
        SYNTAX 1.3.6.1.1.15.1 )

3.2.  certificateMatch

   The certificateMatch matching rule compares the presented certificate
   assertion value with an attribute value of the certificate syntax as
   described in clause 11.3.2 of [X.509].
      ( 2.5.13.35 NAME 'certificateMatch'
        DESC 'X.509 Certificate Match'
        SYNTAX 1.3.6.1.1.15.2 )

3.3.  certificatePairExactMatch

   The certificatePairExactMatch matching rule compares the presented
   certificate pair exact assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.3 of [X.509].

      ( 2.5.13.36 NAME 'certificatePairExactMatch'
        DESC 'X.509 Certificate Pair Exact Match'
        SYNTAX 1.3.6.1.1.15.3 )

3.4.  certificatePairMatch

   The certificatePairMatch matching rule compares the presented
   certificate pair assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.4 of [X.509].

      ( 2.5.13.37 NAME 'certificatePairMatch'
        DESC 'X.509 Certificate Pair Match'
        SYNTAX 1.3.6.1.1.15.4 )

3.5.  certificateListExactMatch

   The certificateListExactMatch matching rule compares the presented
   certificate list exact assertion value with an attribute value of the
   certificate list syntax as described in clause 11.3.5 of [X.509].

      ( 2.5.13.38 NAME 'certificateListExactMatch'
        DESC 'X.509 Certificate List Exact Match'
        SYNTAX 1.3.6.1.1.15.5 )

3.6.  certificateListMatch

   The certificateListMatch matching rule compares the presented
   certificate list assertion value with an attribute value of the
   certificate list syntax as described in clause 11.3.6 of [X.509].

      ( 2.5.13.39 NAME 'certificateListMatch'
        DESC 'X.509 Certificate List Match'
        SYNTAX 1.3.6.1.1.15.6 )

3.7.  algorithmIdentifierMatch

   The algorithmIdentifierMatch matching rule compares a presented
   algorithm identifier with an attribute value of the supported
   algorithm syntax as described in clause 11.3.7 of [X.509].

      ( 2.5.13.40 NAME 'algorithmIdentifierMatch'
        DESC 'X.509 Algorithm Identifier Match'
        SYNTAX 1.3.6.1.1.15.7 )

4.  Attribute Types

   This section details a set of certificate and related attribute types
   for use in LDAP.

4.1.  userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( 2.5.4.36 NAME 'userCertificate'
        DESC 'X.509 user certificate'
        EQUALITY certificateExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "userCertificate;binary".

4.2.  cACertificate

   The cACertificate attribute holds the X.509 certificates issued to
   the certificate authority (CA), as discussed in clause 11.2.2 of
   [X.509].

      ( 2.5.4.37 NAME 'cACertificate'
        DESC 'X.509 CA certificate'
        EQUALITY certificateExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "cACertificate;binary".

4.3.  crossCertificatePair

   The crossCertificatePair attribute holds an X.509 certificate pair,
   as discussed in clause 11.2.3 of [X.509].
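   The two mechanics the preceding sections rely on, as an added example
   that is not part of RFC 4523: reading serialNumber and issuer out of a
   DER-encoded certificate and writing them as the GSER
   CertificateExactAssertion of Appendix A.1 (the assertion value a
   certificateExactMatch against userCertificate carries), and emitting
   the userCertificate;binary LDIF form that Sections 2.1 and 4.1 require.
   The DER helpers, the attribute-type table and the sample certificate
   are this example's own constructions, not anything from the RFC.

```python
"""Added example (not part of RFC 4523): derive the GSER CertificateExactAssertion
that a certificateExactMatch filter (Section 3.1, Appendix A.1) carries from a
DER certificate, and emit the userCertificate;binary LDIF line (Sections 2.1, 4.1)."""
import base64

# --- tiny DER writer, used only to construct the sample certificate below ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = bytearray([a & 0x7F])
        while a >> 7:
            a >>= 7
            enc.insert(0, 0x80 | (a & 0x7F))
        out += enc
    return _tlv(0x06, bytes(out))

def _name(rdns) -> bytes:
    # X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x0C, v.encode()))) for o, v in rdns))

def sample_certificate() -> bytes:
    """Constructed sample, not a real certificate: the TBSCertificate carries only
    the fields this example reads; the outer signature fields are placeholders."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                            # [0] version v3
           + _tlv(0x02, b"\x00\xC0\xFF\xEE")                           # serialNumber
           + _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")   # signature
           + _name([("2.5.4.6", "US"), ("2.5.4.10", "Example, Inc."),
                    ("2.5.4.3", 'Example "Test" CA')]))                # issuer Name
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def decode_oid(b: bytes) -> str:
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

ATTR_TYPES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def name_to_dn(buf: bytes, start: int, end: int) -> str:
    """Render an X.501 Name as an RFC 4514 DN string: last RDN first, with the
    special characters , + " \\ < > ; inside values escaped by a backslash."""
    rdns, pos = [], start
    while pos < end:
        _, s_start, s_end = read_tlv(buf, pos)          # SET OF AttributeTypeAndValue
        atvs, p = [], s_start
        while p < s_end:
            _, q_start, q_end = read_tlv(buf, p)        # SEQUENCE { type, value }
            _, o_s, o_e = read_tlv(buf, q_start)
            _, v_s, v_e = read_tlv(buf, o_e)
            oid = decode_oid(buf[o_s:o_e])
            value = "".join("\\" + c if c in ',+"\\<>;' else c
                            for c in buf[v_s:v_e].decode())
            atvs.append(f"{ATTR_TYPES.get(oid, oid)}={value}")
            p = q_end
        rdns.append("+".join(atvs))
        pos = s_end
    return ",".join(reversed(rdns))

def certificate_exact_assertion(cert_der: bytes) -> str:
    """serialNumber and issuer encoded per Appendix A.1.  The GSER <Name> is
    rdnSequence:"<DN>", and a double quote inside the DN is written twice."""
    _, pos, _ = read_tlv(cert_der, 0)                   # Certificate
    _, pos, _ = read_tlv(cert_der, pos)                 # tbsCertificate
    tag, s, e = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        tag, s, e = read_tlv(cert_der, e)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    serial = int.from_bytes(cert_der[s:e], "big", signed=True)
    _, _, e = read_tlv(cert_der, e)                     # signature AlgorithmIdentifier
    _, s, e = read_tlv(cert_der, e)                     # issuer Name
    dn = name_to_dn(cert_der, s, e).replace('"', '""')
    return '{ serialNumber %d, issuer rdnSequence:"%s" }' % (serial, dn)

def ldif_binary_attribute(attr: str, der: bytes) -> str:
    """LDIF line for a value sent under ;binary (RFC 4522): the DER bytes go in unaltered."""
    return f"{attr};binary:: {base64.b64encode(der).decode()}"
```

   The assertion string is what a client places in an extensible match
   filter using certificateExactMatch, while the LDIF line is how the
   same certificate is loaded without disturbing its signed form.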
      ( 2.5.4.40 NAME 'crossCertificatePair'
        DESC 'X.509 cross certificate pair'
        EQUALITY certificatePairExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "crossCertificatePair;binary".

4.4.  certificateRevocationList

   The certificateRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.4 of [X.509].

      ( 2.5.4.39 NAME 'certificateRevocationList'
        DESC 'X.509 certificate revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "certificateRevocationList;binary".

4.5.  authorityRevocationList

   The authorityRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.5 of [X.509].

      ( 2.5.4.38 NAME 'authorityRevocationList'
        DESC 'X.509 authority revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "authorityRevocationList;binary".

4.6.  deltaRevocationList

   The deltaRevocationList attribute holds certificate lists, as
   discussed in clause 11.2.6 of [X.509].

      ( 2.5.4.53 NAME 'deltaRevocationList'
        DESC 'X.509 delta revocation list'
        EQUALITY certificateListExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   MUST be requested and transferred using the attribute description
   "deltaRevocationList;binary".

4.7.  supportedAlgorithms

   The supportedAlgorithms attribute holds supported algorithms, as
   discussed in clause 11.2.7 of [X.509].

      ( 2.5.4.52 NAME 'supportedAlgorithms'
        DESC 'X.509 supported algorithms'
        EQUALITY algorithmIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )

   As required by this attribute type's syntax, values of this attribute
   MUST be requested and transferred using the attribute description
   "supportedAlgorithms;binary".

5.  Object Classes

   This section details a set of certificate-related object classes for
   use in LDAP.

5.1.  pkiUser

   This object class is used to augment entries for objects that may be
   subject to certificates, as defined in clause 11.1.1 of [X.509].

      ( 2.5.6.21 NAME 'pkiUser'
        DESC 'X.509 PKI User'
        SUP top AUXILIARY
        MAY userCertificate )

5.2.  pkiCA

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 11.1.2 of [X.509].

      ( 2.5.6.22 NAME 'pkiCA'
        DESC 'X.509 PKI Certificate Authority'
        SUP top AUXILIARY
        MAY ( cACertificate $ certificateRevocationList $
              authorityRevocationList $ crossCertificatePair ) )

5.3.  cRLDistributionPoint

   This class is used to represent objects that act as CRL distribution
   points, as discussed in clause 11.1.3 of [X.509].

      ( 2.5.6.19 NAME 'cRLDistributionPoint'
        DESC 'X.509 CRL distribution point'
        SUP top STRUCTURAL
        MUST cn
        MAY ( certificateRevocationList $
              authorityRevocationList $ deltaRevocationList ) )

5.4.  deltaCRL

   The deltaCRL object class is used to augment entries to hold delta
   revocation lists, as discussed in clause 11.1.4 of [X.509].
      ( 2.5.6.23 NAME 'deltaCRL'
        DESC 'X.509 delta CRL'
        SUP top AUXILIARY
        MAY deltaRevocationList )

5.5.  strongAuthenticationUser

   This object class is used to augment entries for objects
   participating in certificate-based authentication, as defined in
   clause 6.15 of [X.521].  This object class is deprecated in favor of
   pkiUser.

      ( 2.5.6.15 NAME 'strongAuthenticationUser'
        DESC 'X.521 strong authentication user'
        SUP top AUXILIARY
        MUST userCertificate )

5.6.  userSecurityInformation

   This object class is used to augment entries with needed additional
   associated security information, as defined in clause 6.16 of
   [X.521].

      ( 2.5.6.18 NAME 'userSecurityInformation'
        DESC 'X.521 user security information'
        SUP top AUXILIARY
        MAY ( supportedAlgorithms ) )

5.7.  certificationAuthority

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 6.17 of [X.521].  This
   object class is deprecated in favor of pkiCA.

      ( 2.5.6.16 NAME 'certificationAuthority'
        DESC 'X.509 certificate authority'
        SUP top AUXILIARY
        MUST ( authorityRevocationList $
               certificateRevocationList $ cACertificate )
        MAY crossCertificatePair )

5.8.  certificationAuthority-V2

   This object class is used to augment entries for objects that act as
   certificate authorities, as defined in clause 6.18 of [X.521].  This
   object class is deprecated in favor of pkiCA.

      ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
        DESC 'X.509 certificate authority, version 2'
        SUP certificationAuthority AUXILIARY
        MAY deltaRevocationList )

6.  Security Considerations

   General certificate considerations [RFC3280] apply to LDAP-aware
   certificate applications.  General LDAP security considerations
   [RFC4510] apply as well.

   While elements of certificate information are commonly signed, these
   signatures only protect the integrity of the signed information.  In
   the absence of data integrity protections in LDAP (or a lower layer,
   e.g., IPsec), a server is not assured that a client's certificate
   request (or other request) was unaltered in transit.  Likewise, a
   client cannot be assured that the results of the query were unaltered
   in transit.  Hence, it is generally recommended that implementations
   make use of authentication and data integrity services in LDAP
   [RFC4513][RFC4511].

7.  IANA Considerations

7.1.  Object Identifier Registration

   The IANA has registered an LDAP Object Identifier [RFC4520] for use
   in this technical specification.

      Subject: Request for LDAP OID Registration
      Person & email address to contact for further information:
         Kurt Zeilenga <kurt@OpenLDAP.org>
      Specification: RFC 4523
      Author/Change Controller: IESG
      Comments:
         Identifies the LDAP X.509 Certificate schema elements
         introduced in this document.

7.2.  Descriptor Registration

   The IANA has updated the LDAP Descriptor registry [RFC4520] as
   indicated below.
      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): see table
      Object Identifier: see table
      Person & email address to contact for further information:
         Kurt Zeilenga <kurt@OpenLDAP.org>
      Usage: see table
      Specification: RFC 4523
      Author/Change Controller: IESG

      Descriptor                    Usage  Object Identifier
      ----------------------------  -----  -----------------
      algorithmIdentifierMatch      M      2.5.13.40
      authorityRevocationList       A      2.5.4.38     *
      cACertificate                 A      2.5.4.37     *
      cRLDistributionPoint          O      2.5.6.19     *
      certificateExactMatch         M      2.5.13.34
      certificateListExactMatch     M      2.5.13.38
      certificateListMatch          M      2.5.13.39
      certificateMatch              M      2.5.13.35
      certificatePairExactMatch     M      2.5.13.36
      certificatePairMatch          M      2.5.13.37
      certificateRevocationList     A      2.5.4.39     *
      certificationAuthority        O      2.5.6.16     *
      certificationAuthority-V2     O      2.5.6.16.2   *
      crossCertificatePair          A      2.5.4.40     *
      deltaCRL                      O      2.5.6.23     *
      deltaRevocationList           A      2.5.4.53     *
      pkiCA                         O      2.5.6.22     *
      pkiUser                       O      2.5.6.21     *
      strongAuthenticationUser      O      2.5.6.15     *
      supportedAlgorithms           A      2.5.4.52     *
      userCertificate               A      2.5.4.36     *
      userSecurityInformation       O      2.5.6.18     *

      Usage: A = attribute type, M = matching rule, O = object class
      * Updates previous registration

8.  Acknowledgements

   This document is based on X.509, a product of the ITU-T.  A number of
   LDAP schema definitions were based on those found in RFCs 2252 and
   2256, both products of the IETF ASID WG.  The ABNF productions in
   Appendix A were provided by Steven Legg.  Additional material was
   borrowed from prior works by David Chadwick and Steven Legg to refine
   the LDAP X.509 schema.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3641]  Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
              Types", RFC 3641, October 2003.
   [RFC4510]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Technical Specification Road Map", RFC 4510, June
              2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC4522]  Legg, S., "Lightweight Directory Access Protocol (LDAP):
              The Binary Encoding Option", RFC 4522, June 2006.

   [X.509]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Authentication
              Framework", X.509(2000).

   [X.521]    International Telecommunication Union - Telecommunication
              Standardization Sector, "The Directory: Selected Object
              Classes", X.521(2000).

   [X.690]    International Telecommunication Union - Telecommunication
              Standardization Sector, "Specification of ASN.1 encoding
              rules: Basic Encoding Rules (BER), Canonical Encoding
              Rules (CER), and Distinguished Encoding Rules (DER)",
              X.690(2002) (also ISO/IEC 8825-1:2002).

9.2.  Informative References

   [RFC1777]  Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
              Access Protocol", RFC 1777, March 1995.

   [RFC2156]  Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay):
              Mapping between X.400 and RFC 822/MIME", RFC 2156, January
              1998.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3494]  Zeilenga, K., "Lightweight Directory Access Protocol
              version 2 (LDAPv2) to Historic Status", RFC 3494, March
              2003.

   [RFC3642]  Legg, S., "Common Elements of Generic String Encoding
              Rules (GSER) Encodings", RFC 3642, October 2003.

   [RFC4234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
              Protocol (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4513]  Harrison, R., Ed., "Lightweight Directory Access Protocol
              (LDAP): Authentication Methods and Security Mechanisms",
              RFC 4513, June 2006.

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

Appendix A.

   This appendix is informative.

   This appendix provides ABNF [RFC4234] grammars for GSER-based
   [RFC3641] LDAP-specific encodings specified in this document.  These
   grammars were produced using, and relying on, Common Elements for
   GSER Encodings [RFC3642].

A.1.  CertificateExactAssertion

   CertificateExactAssertion = "{" sp cea-serialNumber ","
                                   sp cea-issuer sp "}"

   cea-serialNumber = id-serialNumber msp CertificateSerialNumber
   cea-issuer       = id-issuer msp Name

   id-serialNumber =
       %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
   id-issuer = %x69.73.73.75.65.72 ; 'issuer'

   Name = id-rdnSequence ":" RDNSequence
   id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'

   CertificateSerialNumber = INTEGER

A.2.  CertificateAssertion

CertificateAssertion = "{" [ sp ca-serialNumber ]
                           [ sep sp ca-issuer ]
                           [ sep sp ca-subjectKeyIdentifier ]
                           [ sep sp ca-authorityKeyIdentifier ]
                           [ sep sp ca-certificateValid ]
                           [ sep sp ca-privateKeyValid ]
                           [ sep sp ca-subjectPublicKeyAlgID ]
                           [ sep sp ca-keyUsage ]
                           [ sep sp ca-subjectAltName ]
                           [ sep sp ca-policy ]
                           [ sep sp ca-pathToName ]
                           [ sep sp ca-subject ]
                           [ sep sp ca-nameConstraints ] sp "}"

ca-serialNumber = id-serialNumber msp CertificateSerialNumber
ca-issuer = id-issuer msp Name
ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
                          SubjectKeyIdentifier
ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
                            AuthorityKeyIdentifier
ca-certificateValid = id-certificateValid msp Time
ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
                           OBJECT-IDENTIFIER
ca-keyUsage = id-keyUsage msp KeyUsage
ca-subjectAltName = id-subjectAltName msp AltNameType
ca-policy = id-policy msp CertPolicySet
ca-pathToName = id-pathToName msp Name
ca-subject = id-subject msp Name
ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax

id-subjectKeyIdentifier =
    %x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
    ; 'subjectKeyIdentifier'
id-authorityKeyIdentifier =
    %x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
    ; 'authorityKeyIdentifier'
id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
    ; 'certificateValid'
id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
    ; 'privateKeyValid'
id-subjectPublicKeyAlgID =
    %x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
    ; 'subjectPublicKeyAlgID'
id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
    ; 'subjectAltName'
id-policy = %x70.6F.6C.69.63.79 ; 'policy'
id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
    ; 'nameConstraints'

SubjectKeyIdentifier = KeyIdentifier

KeyIdentifier = OCTET-STRING

AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
                             [ sep sp aki-authorityCertIssuer ]
                             [ sep sp aki-authorityCertSerialNumber ] sp "}"

aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier
aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames

GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
GeneralName = gn-otherName
            / gn-rfc822Name
            / gn-dNSName
            / gn-x400Address
            / gn-directoryName
            / gn-ediPartyName
            / gn-uniformResourceIdentifier
            / gn-iPAddress
            / gn-registeredID

gn-otherName = id-otherName ":" OtherName
gn-rfc822Name = id-rfc822Name ":" IA5String
gn-dNSName = id-dNSName ":" IA5String
gn-x400Address = id-x400Address ":" ORAddress
gn-directoryName = id-directoryName ":" Name
gn-ediPartyName = id-ediPartyName ":" EDIPartyName
gn-iPAddress = id-iPAddress ":" OCTET-STRING
gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER

gn-uniformResourceIdentifier = id-uniformResourceIdentifier
                               ":" IA5String

id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
    ; 'registeredID'

OtherName = "{" sp on-type-id "," sp on-value sp "}"
on-type-id = id-type-id msp OBJECT-IDENTIFIER
on-value = id-value msp Value
    ;; <Value> as defined in Section 3 of [RFC3641]

id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id'
id-value = %x76.61.6C.75.65 ; 'value'
ORAddress = dquote *SafeIA5Character dquote
SafeIA5Character = %x01-21 / %x23-7F / ; ASCII minus dquote
                   dquote dquote ; escaped double quote
dquote = %x22 ; '"' (double quote)

;; Note: The <ORAddress> rule encodes the x400Address component
;; of a GeneralName as a character string between double quotes.
;; The character string is first derived according to Section 4.1
;; of [RFC2156], and then any embedded double quotes are escaped
;; by being repeated.  This resulting string is output between
;; double quotes.

EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
nameAssigner = id-nameAssigner msp DirectoryString
partyName = id-partyName msp DirectoryString
id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
    ; 'nameAssigner'
id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'

aki-authorityCertSerialNumber = id-authorityCertSerialNumber
                                msp CertificateSerialNumber

id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
    ; 'keyIdentifier'
id-authorityCertIssuer =
    %x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
    ; 'authorityCertIssuer'

id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
    %x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
    ; 'authorityCertSerialNumber'

Time = time-utcTime / time-generalizedTime
time-utcTime = id-utcTime ":" UTCTime
time-generalizedTime = id-generalizedTime ":" GeneralizedTime
id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
    ; 'generalizedTime'

KeyUsage = BIT-STRING / key-usage-bit-list
key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"

;; Note: The <key-usage-bit-list> rule encodes the one bits in
;; a KeyUsage value as a comma separated list of identifiers.
986 987key-usage = id-digitalSignature 988 / id-nonRepudiation 989 / id-keyEncipherment 990 / id-dataEncipherment 991 / id-keyAgreement 992 / id-keyCertSign 993 / id-cRLSign 994 / id-encipherOnly 995 / id-decipherOnly 996 997id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74 998 %x75.72.65 ; 'digitalSignature' 999id-nonRepudiation = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E 1000 ; 'nonRepudiation' 1001id-keyEncipherment = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74 1002 ; 'keyEncipherment' 1003id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E 1004 %x74 ; "dataEncipherment' 1005id-keyAgreement = %x6B.65.79.41.67.72.65.65.6D.65.6E.74 1006 ; 'keyAgreement' 1007 1008 1009 1010Zeilenga Standards Track [Page 18] 1011 1012RFC 4523 LDAP X.509 Schema June 2006 1013 1014 1015id-keyCertSign = %x6B.65.79.43.65.72.74.53.69.67.6E 1016 ; 'keyCertSign' 1017id-cRLSign = %x63.52.4C.53.69.67.6E ; "cRLSign" 1018id-encipherOnly = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79 1019 ; 'encipherOnly' 1020id-decipherOnly = %x64.65.63.69.70.68.65.72.4F.6E.6C.79 1021 ; 'decipherOnly' 1022 1023AltNameType = ant-builtinNameForm / ant-otherNameForm 1024 1025ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm 1026ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER 1027 1028id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D 1029 ; 'builtinNameForm' 1030id-otherNameForm = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D 1031 ; 'otherNameForm' 1032 1033BuiltinNameForm = id-rfc822Name 1034 / id-dNSName 1035 / id-x400Address 1036 / id-directoryName 1037 / id-ediPartyName 1038 / id-uniformResourceIdentifier 1039 / id-iPAddress 1040 / id-registeredId 1041 1042id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name' 1043id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName' 1044id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address' 1045id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65 1046 ; 'directoryName' 1047id-ediPartyName = 
%x65.64.69.50.61.72.74.79.4E.61.6D.65 1048 ; 'ediPartyName' 1049id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress' 1050id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64 1051 ; 'registeredId' 1052 1053id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75 1054 %x72.63.65.49.64.65.6E.74.69.66.69.65.72 1055 ; 'uniformResourceIdentifier' 1056 1057CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}" 1058CertPolicyId = OBJECT-IDENTIFIER 1059 1060NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ] 1061 [ sep sp ncs-excludedSubtrees ] sp "}" 1062 1063 1064 1065 1066Zeilenga Standards Track [Page 19] 1067 1068RFC 4523 LDAP X.509 Schema June 2006 1069 1070 1071ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees 1072ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees 1073 1074id-permittedSubtrees = 1075 %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73 1076 ; 'permittedSubtrees' 1077id-excludedSubtrees = 1078 %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73 1079 ; 'excludedSubtrees' 1080 1081GeneralSubtrees = "{" sp GeneralSubtree 1082 *( "," sp GeneralSubtree ) sp "}" 1083GeneralSubtree = "{" sp gs-base 1084 [ "," sp gs-minimum ] 1085 [ "," sp gs-maximum ] sp "}" 1086 1087gs-base = id-base msp GeneralName 1088gs-minimum = id-minimum msp BaseDistance 1089gs-maximum = id-maximum msp BaseDistance 1090 1091id-base = %x62.61.73.65 ; 'base' 1092id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum' 1093id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum' 1094 1095BaseDistance = INTEGER-0-MAX 1096 1097A.3. CertificatePairExactAssertion 1098 1099 CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ] 1100 [sep sp cpea-issuedBy ] sp "}" 1101 ;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present. 
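   The <KeyUsage> rule above (and the <ReasonFlags> rule in Appendix A.6,
   which uses the same list-of-identifiers form) lets an assertion value
   be written either as a GSER BIT-STRING or as the set bits named inside
   braces, and the <ORAddress> rule requires embedded double quotes to be
   doubled.  The following is an added example, not code from this RFC or
   from any directory implementation: it converts between those forms and
   X.509 bit positions, applies and reverses the ORAddress quoting, and
   rejects anything the grammar does not allow.  Assumptions of the
   example: the bstring/hstring forms ('0101'B, 'A0'H) follow the GSER
   BIT-STRING rule of RFC 3641, which this appendix references but does
   not reproduce; the bit numbers are those X.509 assigns (the identifier
   lists in this appendix are in bit order); every function name is the
   example's own.

```python
"""Added example (not from RFC 4523): KeyUsage / ReasonFlags assertion
values <-> X.509 bit positions, plus the <ORAddress> quoting rule."""
import re

# Bit positions are X.509's (not reproduced on this page); RFC 4523 lists
# the identifiers in bit order, so the tuple index is the bit number.
KEY_USAGE = ("digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly")
REASON_FLAGS = ("unused", "keyCompromise", "cACompromise",
                "affiliationChanged", "superseded", "cessationOfOperation",
                "certificateHold", "privilegeWithdrawn", "aACompromise")

# GSER (RFC 3641) BIT-STRING forms, assumed here: '0101'B and 'A0'H.
_BSTRING = re.compile(r"'([01]*)'B")
_HSTRING = re.compile(r"'([0-9A-Fa-f]*)'H")
# "{" [ sp id *( "," sp id ) ] sp "}"  -- sp is *SPACE, so spaces only,
# and none are allowed between an identifier and the following comma.
_BIT_LIST = re.compile(
    r"\{ *(?:[A-Za-z][A-Za-z0-9]*(?:, *[A-Za-z][A-Za-z0-9]*)*)? *\}")
# SafeIA5Character = %x01-21 / %x23-7F / dquote dquote
_SAFE_IA5 = re.compile(r'(?:[\x01-\x21\x23-\x7F]|"")*')


def parse_bits(text, names):
    """Return the frozenset of one-bits in a KeyUsage/ReasonFlags value.
    Accepts the bstring, hstring and bit-list productions; anything else,
    including unknown or repeated identifiers, raises ValueError."""
    m = _BSTRING.fullmatch(text)
    if m:
        return frozenset(i for i, b in enumerate(m.group(1)) if b == "1")
    m = _HSTRING.fullmatch(text)
    if m:  # each hex digit is four bits, most significant bit first
        bits = "".join(format(int(h, 16), "04b") for h in m.group(1))
        return frozenset(i for i, b in enumerate(bits) if b == "1")
    if not _BIT_LIST.fullmatch(text):
        raise ValueError(f"not a BIT-STRING or bit list: {text!r}")
    body = text[1:-1].strip(" ")
    if not body:  # "{ }" is legal: no bits set
        return frozenset()
    idents = [item.strip(" ") for item in body.split(",")]
    unknown = [i for i in idents if i not in names]
    if unknown:
        raise ValueError(f"identifier not in grammar: {unknown[0]!r}")
    if len(set(idents)) != len(idents):
        raise ValueError("identifier repeated in bit list")
    return frozenset(names.index(i) for i in idents)


def is_valid_bits(text, names):
    """True if parse_bits accepts the value (for a filter front end)."""
    try:
        parse_bits(text, names)
        return True
    except ValueError:
        return False


def format_bits(bits, names):
    """Emit the bit-list production for a set of bit numbers, in bit order."""
    if any(b < 0 or b >= len(names) for b in bits):
        raise ValueError("bit number has no identifier in this grammar")
    if not bits:
        return "{ }"
    return "{ " + ", ".join(names[b] for b in sorted(bits)) + " }"


def to_bstring(bits):
    """Emit the GSER bstring form, ASN.1 bit 0 first, no trailing zeros."""
    if not bits:
        return "''B"
    digits = "".join("1" if i in bits else "0" for i in range(max(bits) + 1))
    return "'" + digits + "'B"


def quote_oraddress(addr):
    """<ORAddress>: double every dquote, then enclose the whole in dquotes."""
    if not re.fullmatch(r"[\x01-\x7F]*", addr):
        raise ValueError("ORAddress must be 7-bit ASCII without NUL")
    return '"' + addr.replace('"', '""') + '"'


def unquote_oraddress(text):
    """Invert quote_oraddress, rejecting a lone (unescaped) dquote inside."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("ORAddress must be enclosed in double quotes")
    inner = text[1:-1]
    if not _SAFE_IA5.fullmatch(inner):
        raise ValueError(f"not a valid ORAddress: {text!r}")
    return inner.replace('""', '"')


if __name__ == "__main__":
    ca = parse_bits("{ keyCertSign, cRLSign }", KEY_USAGE)
    print(sorted(ca), to_bstring(ca))
    print(format_bits(parse_bits("'A0'H", KEY_USAGE), KEY_USAGE))
    print(quote_oraddress('/C=US/ADMD="ABC"/PRMD=X/'))
```

   Assertion values of these syntaxes arrive inside client-supplied
   search filters, so the strictness matters: a matcher that silently
   drops an identifier it does not know, or that treats a lone embedded
   double quote as text, evaluates a different assertion from the one the
   client sent.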
   cpea-issuedTo = id-issuedToThisCAAssertion msp
                   CertificateExactAssertion
   cpea-issuedBy = id-issuedByThisCAAssertion msp
                   CertificateExactAssertion

   id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
       %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
   id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
       %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'

A.4. CertificatePairAssertion

   CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
                                  [ sep sp cpa-issuedBy ] sp "}"
   ;; At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.

   cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
   cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion

A.5. CertificateListExactAssertion

   CertificateListExactAssertion = "{" sp clea-issuer ","
                                       sp clea-thisUpdate
                                       [ "," sp clea-distributionPoint ] sp "}"

   clea-issuer = id-issuer msp Name
   clea-thisUpdate = id-thisUpdate msp Time
   clea-distributionPoint = id-distributionPoint msp
                            DistributionPointName

   id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
   id-distributionPoint =
       %x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
       ; 'distributionPoint'

   DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer

   dpn-fullName = id-fullName ":" GeneralNames
   dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
                                 RelativeDistinguishedName

   id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
   id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
       %x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'

A.6. CertificateListAssertion

   CertificateListAssertion = "{" [ sp cla-issuer ]
                                  [ sep sp cla-minCRLNumber ]
                                  [ sep sp cla-maxCRLNumber ]
                                  [ sep sp cla-reasonFlags ]
                                  [ sep sp cla-dateAndTime ]
                                  [ sep sp cla-distributionPoint ]
                                  [ sep sp cla-authorityKeyIdentifier ] sp "}"

   cla-issuer = id-issuer msp Name
   cla-minCRLNumber = id-minCRLNumber msp CRLNumber
   cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
   cla-reasonFlags = id-reasonFlags msp ReasonFlags
   cla-dateAndTime = id-dateAndTime msp Time

   cla-distributionPoint = id-distributionPoint msp
                           DistributionPointName

   cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
                                AuthorityKeyIdentifier

   id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
                     ; 'minCRLNumber'
   id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
                     ; 'maxCRLNumber'
   id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
   id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'

   CRLNumber = INTEGER-0-MAX

   ReasonFlags = BIT-STRING
               / "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"

   reason-flag = id-unused
               / id-keyCompromise
               / id-cACompromise
               / id-affiliationChanged
               / id-superseded
               / id-cessationOfOperation
               / id-certificateHold
               / id-privilegeWithdrawn
               / id-aACompromise

   id-unused = %x75.6E.75.73.65.64 ; 'unused'
   id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
                      ; 'keyCompromise'
   id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
                     ; 'cACompromise'
   id-affiliationChanged =
       %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
       ; 'affiliationChanged'
   id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
   id-cessationOfOperation =
       %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
       ; 'cessationOfOperation'
   id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
                        ; 'certificateHold'
   id-privilegeWithdrawn =
       %x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
       ; 'privilegeWithdrawn'
   id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
                     ; 'aACompromise'

A.7. AlgorithmIdentifier

   AlgorithmIdentifier = "{" sp ai-algorithm
                             [ "," sp ai-parameters ] sp "}"

   ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
   ai-parameters = id-parameters msp Value
   id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm'
   id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'

Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
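   Appendix A.6 above fixes both the set and the order of the components
   of <CertificateListAssertion>, each of them optional and separated by
   <sep>, an optional comma.  The following is an added example, not code
   from this RFC or from any directory implementation: it parses such a
   value, enforces component order and uniqueness, checks the
   INTEGER-0-MAX and <Time> forms, refuses a minCRLNumber/maxCRLNumber
   pair that can never match, and evaluates the cRLNumber range against a
   CRL.  Assumptions of the example: <Name> is written rdnSequence:"<DN>"
   as in Appendix A.1, which is not reproduced in this excerpt; only the
   Zulu ("...Z") forms of UTCTime and GeneralizedTime are accepted;
   minCRLNumber and maxCRLNumber are treated as inclusive bounds;
   reasonFlags, distributionPoint and authorityKeyIdentifier are kept as
   their source text; the sample assertion is constructed, and every
   function name is the example's own.

```python
"""Added example (not from RFC 4523): parse <CertificateListAssertion>
(Appendix A.6) and evaluate the cRLNumber range it asserts."""
import re

# The grammar fixes this component order; "sep" is an optional comma, so
# any subset may appear, but never repeated or reordered.
COMPONENTS = ("issuer", "minCRLNumber", "maxCRLNumber", "reasonFlags",
              "dateAndTime", "distributionPoint", "authorityKeyIdentifier")


def _split_components(body):
    """Split 'id value, id value' at top-level commas only: a comma inside
    a nested { } or inside a dquote string ("cn=a,o=b") is not a separator."""
    items, depth, quoted, start = [], 0, False, 0
    for i, ch in enumerate(body):
        if ch == '"':  # a doubled dquote toggles twice and stays quoted
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == "," and depth == 0:
            items.append(body[start:i])
            start = i + 1
    if depth or quoted:
        raise ValueError("unbalanced braces or quotes in assertion")
    items.append(body[start:])
    return [item.strip(" ") for item in items]


def parse_crl_number(value):
    """CRLNumber = INTEGER-0-MAX: '0' or a positive decimal, no leading zeros."""
    if not re.fullmatch(r"0|[1-9][0-9]*", value):
        raise ValueError(f"bad CRLNumber {value!r}")
    return int(value)


def parse_time(value):
    """Time = utcTime:<UTCTime> / generalizedTime:<GeneralizedTime>.
    Assumption of this example: only the Zulu ("...Z") forms are accepted."""
    tag, _, stamp = value.partition(":")
    if tag == "utcTime" and re.fullmatch(r"[0-9]{12}Z", stamp):
        return (tag, stamp)
    if tag == "generalizedTime" and re.fullmatch(r"[0-9]{14}Z", stamp):
        return (tag, stamp)
    raise ValueError(f"bad Time {value!r}")


def parse_name(value):
    """Name = rdnSequence:"<DN>" (Appendix A.1, assumed here, not in this
    excerpt); the DN text is returned with doubled dquotes unescaped."""
    m = re.fullmatch(r'rdnSequence:"((?:[^"]|"")*)"', value)
    if not m:
        raise ValueError(f"bad Name {value!r}")
    return m.group(1).replace('""', '"')


# reasonFlags, distributionPoint and authorityKeyIdentifier are kept as
# their (brace-balanced) source text here; only their position is checked.
PARSERS = {"issuer": parse_name, "minCRLNumber": parse_crl_number,
           "maxCRLNumber": parse_crl_number, "dateAndTime": parse_time}


def parse_certificate_list_assertion(text):
    """Return {component: value}; raise ValueError on anything the grammar
    does not allow (unknown, repeated or reordered components, bad values)
    or on a minCRLNumber/maxCRLNumber pair that can never match."""
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("assertion must be enclosed in braces")
    body = text[1:-1].strip(" ")
    result, last = {}, -1
    for item in (_split_components(body) if body else []):
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9]*) +(.+)", item, re.S)
        if not m or m.group(1) not in COMPONENTS:
            raise ValueError(f"expected '<component> msp <value>': {item!r}")
        ident, value = m.group(1), m.group(2)
        idx = COMPONENTS.index(ident)
        if idx <= last:
            raise ValueError(f"component {ident!r} repeated or out of order")
        last = idx
        result[ident] = PARSERS.get(ident, str)(value)
    if result.get("minCRLNumber", 0) > result.get("maxCRLNumber", float("inf")):
        raise ValueError("minCRLNumber exceeds maxCRLNumber: matches no CRL")
    return result


def is_valid_certificate_list_assertion(text):
    """True if the text parses; a filter front end should reject, not guess."""
    try:
        parse_certificate_list_assertion(text)
        return True
    except ValueError:
        return False


def crl_in_asserted_range(assertion, crl_number):
    """minCRLNumber/maxCRLNumber are treated as inclusive bounds on the CRL's
    cRLNumber; an absent bound leaves that side unbounded."""
    lo = assertion.get("minCRLNumber", 0)
    hi = assertion.get("maxCRLNumber")
    return lo <= crl_number and (hi is None or crl_number <= hi)


# Constructed sample assertion; note the comma inside the quoted DN.
SAMPLE = ('{ issuer rdnSequence:"cn=Example CA,o=Example", minCRLNumber 42, '
          'maxCRLNumber 100, reasonFlags { keyCompromise, cACompromise }, '
          'dateAndTime utcTime:060615120000Z }')

if __name__ == "__main__":
    parsed = parse_certificate_list_assertion(SAMPLE)
    print(parsed)
    print(crl_in_asserted_range(parsed, 77), crl_in_asserted_range(parsed, 101))
```

   The order and uniqueness checks are not pedantry: a parser that
   accepts "{ maxCRLNumber 5, minCRLNumber 9 }" or a repeated component
   has to pick a meaning the grammar never defined, and two servers that
   pick differently will return different CRL entries for the same
   filter.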
Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).