INTERNET-DRAFT                                         Kurt D. Zeilenga
Intended Category: Standard Track                   OpenLDAP Foundation
Expires in six months                                      18 July 2005
Obsoletes: RFC 2252, RFC 2256, RFC 2587

           Lightweight Directory Access Protocol (LDAP) schema
                     definitions for X.509 Certificates
                     <draft-zeilenga-ldap-x509-02.txt>

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extensions mailing list
<ldapext@ietf.org>. Please send editorial comments directly to the
author <Kurt@OpenLDAP.org>.

This document is intended to be published in conjunction with the
revised LDAP TS [Roadmap]. Together, this document and the revised
LDAP TS obsolete RFC 2252 and RFC 2256 in their entirety.
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware
will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright (C) The Internet Society (2005). All Rights Reserved.

Please see the Full Copyright section near the end of this document

Zeilenga                draft-zeilenga-ldap-x509-02              [Page 1]

INTERNET-DRAFT              LDAP X.509 Schema               18 July 2005

Abstract

This document describes schema for representing X.509 certificates,
X.521 security information, and related elements in directories
accessible using the Lightweight Directory Access Protocol (LDAP).
The LDAP definitions for these X.509 and X.521 schema elements
replace those provided in RFC 2252 and RFC 2256.
1. Background and Intended Use

This document provides LDAP [Roadmap] schema definitions [Models] for
a subset of elements specified in X.509 [X.509] and X.521 [X.521],
including attribute types for certificates, cross certificate pairs,
and certificate revocation lists; matching rules to be used with these
attribute types; and related object classes. LDAP syntax definitions
are also provided for associated assertion and attribute values.

As the semantics of these elements are as defined in X.509 and X.521,
knowledge of X.509 and X.521 is necessary to make use of the LDAP
schema definitions provided herein.

This document, together with [Roadmap], obsoletes RFC 2252 and RFC
2256 in their entirety. The changes (in this document) made since RFC
2252 and RFC 2256 include:
   - addition of pkiUser, pkiCA, and deltaCRL classes;
   - update of attribute types to include equality matching rules in
     accordance with their X.500 specifications;
   - addition of certificate, certificate pair, certificate list, and
     algorithm identifier matching rules; and
   - addition of LDAP syntax for assertion syntaxes for these matching

This document obsoletes RFC 2587. The X.509 schema descriptions for
LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].

Schema definitions are provided using LDAP description formats
[Models]. Definitions provided here are formatted (line wrapped) for
2. Syntaxes

This section describes various syntaxes used in LDAP to transfer
certificates and related data types.

2.1. Certificate

   ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

A value of this syntax is an X.509 Certificate [X.509, clause 7].

Due to changes made to the definition of a Certificate over time, no
LDAP-specific encoding is defined for this syntax. Values of this
syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
[X.690] and MUST only be transferred using the ;binary transfer option
[Binary], that is, by requesting and returning values using attribute
descriptions such as "userCertificate;binary".

As values of this syntax contain digitally-signed data, values of this
syntax, and the form of the value, MUST be preserved as presented. In
particular, a server should not re-encode a stored value: the
signature was computed over the original encoding, and any
re-encoding that changes those bytes invalidates it.

2.2. CertificateList

   ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

A value of this syntax is an X.509 CertificateList [X.509, clause

Due to changes made to the definition of a CertificateList over time,
no LDAP-specific encoding is defined for this syntax. Values of this
syntax SHOULD be encoded using DER [X.690] and MUST only be
transferred using the ;binary transfer option [Binary], that is, by
requesting and returning values using attribute descriptions such as
"certificateRevocationList;binary".

As values of this syntax contain digitally-signed data, values of this
syntax, and the form of the value, MUST be preserved as presented.

2.3. CertificatePair

   ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

A value of this syntax is an X.509 CertificatePair [X.509, clause
Due to changes made to the definition of an X.509 CertificatePair over
time, no LDAP-specific encoding is defined for this syntax. Values of
this syntax SHOULD be encoded using DER [X.690] and MUST only be
transferred using the ;binary transfer option [Binary], that is, by
requesting and returning values using attribute descriptions such as
"crossCertificatePair;binary".

As values of this syntax contain digitally-signed data, values of this
syntax, and the form of the value, MUST be preserved as presented.

2.4. SupportedAlgorithm

   ( 1.3.6.1.4.1.1466.115.121.1.49
       DESC 'X.509 Supported Algorithm' )

A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause

Due to changes made to the definition of an X.509 SupportedAlgorithm
over time, no LDAP-specific encoding is defined for this syntax.
Values of this syntax SHOULD be encoded using DER [X.690] and MUST
only be transferred using the ;binary transfer option [Binary], that
is, by requesting and returning values using attribute descriptions
such as "supportedAlgorithms;binary".

As values of this syntax contain digitally-signed data, values of this
syntax, and the form of the value, MUST be preserved as presented.

2.5. CertificateExactAssertion

   ( IANA-ASSIGNED-OID.1 DESC 'X.509 Certificate Exact Assertion' )

A value of this syntax is an X.509 CertificateExactAssertion [X.509,
clause 11.3.1]. Values of this syntax MUST be encoded using the
Generic String Encoding Rules (GSER) [RFC3641]. Appendix A.1 provides
an equivalent Augmented Backus-Naur Form (ABNF) [ABNF] grammar for
this syntax.

2.6. CertificateAssertion

   ( IANA-ASSIGNED-OID.2 DESC 'X.509 Certificate Assertion' )

A value of this syntax is an X.509 CertificateAssertion [X.509, clause
11.3.2]. Values of this syntax MUST be encoded using GSER [RFC3641].
Appendix A.2 provides an equivalent ABNF [ABNF] grammar for this
syntax.
2.7. CertificatePairExactAssertion

   ( IANA-ASSIGNED-OID.3
       DESC 'X.509 Certificate Pair Exact Assertion' )

A value of this syntax is an X.509 CertificatePairExactAssertion
[X.509, clause 11.3.3]. Values of this syntax MUST be encoded using
GSER [RFC3641]. Appendix A.3 provides an equivalent ABNF [ABNF]
grammar for this syntax.

2.8. CertificatePairAssertion

   ( IANA-ASSIGNED-OID.4 DESC 'X.509 Certificate Pair Assertion' )

A value of this syntax is an X.509 CertificatePairAssertion [X.509,
clause 11.3.4]. Values of this syntax MUST be encoded using GSER
[RFC3641]. Appendix A.4 provides an equivalent ABNF [ABNF] grammar
for this syntax.

2.9. CertificateListExactAssertion

   ( IANA-ASSIGNED-OID.5
       DESC 'X.509 Certificate List Exact Assertion' )

A value of this syntax is an X.509 CertificateListExactAssertion
[X.509, clause 11.3.5]. Values of this syntax MUST be encoded using
GSER [RFC3641]. Appendix A.5 provides an equivalent ABNF [ABNF]
grammar for this syntax.

2.10. CertificateListAssertion

   ( IANA-ASSIGNED-OID.6 DESC 'X.509 Certificate List Assertion' )

A value of this syntax is an X.509 CertificateListAssertion [X.509,
clause 11.3.6]. Values of this syntax MUST be encoded using GSER
[RFC3641]. Appendix A.6 provides an equivalent ABNF [ABNF] grammar
for this syntax.

2.11. AlgorithmIdentifier

   ( IANA-ASSIGNED-OID.7 DESC 'X.509 Algorithm Identifier' )

A value of this syntax is an X.509 AlgorithmIdentifier [X.509, clause
7]. Values of this syntax MUST be encoded using GSER [RFC3641].
Appendix A.7 provides an equivalent ABNF [ABNF] grammar for this
syntax.

3. Matching Rules

This section introduces a set of certificate and related matching
rules for use in LDAP. These rules are intended to act in accordance
with their X.500 counterparts.

3.1. certificateExactMatch

The certificateExactMatch matching rule compares the presented
certificate exact assertion value with an attribute value of the
certificate syntax as described in clause 11.3.1 of [X.509].

   ( 2.5.13.34 NAME 'certificateExactMatch'
       DESC 'X.509 Certificate Exact Match'
       SYNTAX IANA-ASSIGNED-OID.1 )

3.2. certificateMatch

The certificateMatch matching rule compares the presented certificate
assertion value with an attribute value of the certificate syntax as
described in clause 11.3.2 of [X.509].

   ( 2.5.13.35 NAME 'certificateMatch'
       DESC 'X.509 Certificate Match'
       SYNTAX IANA-ASSIGNED-OID.2 )

3.3. certificatePairExactMatch

The certificatePairExactMatch matching rule compares the presented
certificate pair exact assertion value with an attribute value of the
certificate pair syntax as described in clause 11.3.3 of [X.509].

   ( 2.5.13.36 NAME 'certificatePairExactMatch'
       DESC 'X.509 Certificate Pair Exact Match'
       SYNTAX IANA-ASSIGNED-OID.3 )

3.4. certificatePairMatch

The certificatePairMatch matching rule compares the presented
certificate pair assertion value with an attribute value of the
certificate pair syntax as described in clause 11.3.4 of [X.509].

   ( 2.5.13.37 NAME 'certificatePairMatch'
       DESC 'X.509 Certificate Pair Match'
       SYNTAX IANA-ASSIGNED-OID.4 )

3.5. certificateListExactMatch

The certificateListExactMatch matching rule compares the presented
certificate list exact assertion value with an attribute value of the
certificate list syntax as described in clause 11.3.5 of [X.509].

   ( 2.5.13.38 NAME 'certificateListExactMatch'
       DESC 'X.509 Certificate List Exact Match'
       SYNTAX IANA-ASSIGNED-OID.5 )

3.6. certificateListMatch

The certificateListMatch matching rule compares the presented
certificate list assertion value with an attribute value of the
certificate list syntax as described in clause 11.3.6 of [X.509].

   ( 2.5.13.39 NAME 'certificateListMatch'
       DESC 'X.509 Certificate List Match'
       SYNTAX IANA-ASSIGNED-OID.6 )

3.7. algorithmIdentifierMatch

The algorithmIdentifierMatch matching rule compares a presented
algorithm identifier with an attribute value of the supported
algorithm syntax as described in clause 11.3.7 of [X.509].

   ( 2.5.13.40 NAME 'algorithmIdentifierMatch'
       DESC 'X.509 Algorithm Identifier Match'
       SYNTAX IANA-ASSIGNED-OID.7 )

4. Attribute Types

This section details a set of certificate and related attribute types
for use in LDAP.
4.1. userCertificate

The userCertificate attribute holds the X.509 certificates issued to
the user by one or more certificate authorities, as discussed in
clause 11.2.1 of [X.509].

   ( 2.5.4.36 NAME 'userCertificate'
       DESC 'X.509 user certificate'
       EQUALITY certificateExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

As required by this attribute type's syntax, values of this attribute
are requested and transferred using the attribute description
"userCertificate;binary".

4.2. cACertificate

The cACertificate attribute holds the X.509 certificates issued to the
certificate authority (CA), as discussed in clause 11.2.2 of [X.509].

   ( 2.5.4.37 NAME 'cACertificate'
       DESC 'X.509 CA certificate'
       EQUALITY certificateExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

As required by this attribute type's syntax, values of this attribute
are requested and transferred using the attribute description
"cACertificate;binary".

4.3. crossCertificatePair

The crossCertificatePair attribute holds an X.509 certificate pair, as
discussed in clause 11.2.3 of [X.509].

   ( 2.5.4.40 NAME 'crossCertificatePair'
       DESC 'X.509 cross certificate pair'
       EQUALITY certificatePairExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

As required by this attribute type's syntax, values of this attribute
are requested and transferred using the attribute description
"crossCertificatePair;binary".

4.4. certificateRevocationList

The certificateRevocationList attribute holds certificate lists, as
discussed in clause 11.2.4 of [X.509].
   ( 2.5.4.39 NAME 'certificateRevocationList'
       DESC 'X.509 certificate revocation list'
       EQUALITY certificateListExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute
are requested and transferred using the attribute description
"certificateRevocationList;binary".

4.5. authorityRevocationList

The authorityRevocationList attribute holds certificate lists, as
discussed in clause 11.2.5 of [X.509].

   ( 2.5.4.38 NAME 'authorityRevocationList'
       DESC 'X.509 authority revocation list'
       EQUALITY certificateListExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute
are requested and transferred using the attribute description
"authorityRevocationList;binary".

4.6. deltaRevocationList

The deltaRevocationList attribute holds certificate lists, as
discussed in clause 11.2.6 of [X.509].

   ( 2.5.4.53 NAME 'deltaRevocationList'
       DESC 'X.509 delta revocation list'
       EQUALITY certificateListExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute
MUST be requested and transferred using the attribute description
"deltaRevocationList;binary".

4.7. supportedAlgorithms

The supportedAlgorithms attribute holds supported algorithms, as
discussed in clause 11.2.7 of [X.509].

   ( 2.5.4.52 NAME 'supportedAlgorithms'
       DESC 'X.509 supported algorithms'
       EQUALITY algorithmIdentifierMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )

As required by this attribute type's syntax, values of this attribute
MUST be requested and transferred using the attribute description
"supportedAlgorithms;binary".

5. Object Classes

This section details a set of certificate-related object classes for
use in LDAP.

5.1. pkiUser

This object class is used to augment entries for objects that may be
subject to certificates, as defined in clause 11.1.1 of [X.509].

   ( 2.5.6.21 NAME 'pkiUser'
       DESC 'X.509 PKI User'
       SUP top AUXILIARY
       MAY userCertificate )

5.2. pkiCA

This object class is used to augment entries for objects which act as
certificate authorities, as defined in clause 11.1.2 of [X.509].

   ( 2.5.6.22 NAME 'pkiCA'
       DESC 'X.509 PKI Certificate Authority'
       SUP top AUXILIARY
       MAY ( cACertificate $ certificateRevocationList $
           authorityRevocationList $ crossCertificatePair ) )

5.3. cRLDistributionPoint

This class is used to represent objects which act as CRL distribution
points, as discussed in clause 11.1.3 of [X.509].

   ( 2.5.6.19 NAME 'cRLDistributionPoint'
       DESC 'X.509 CRL distribution point'
       SUP top STRUCTURAL
       MUST cn
       MAY ( certificateRevocationList $
           authorityRevocationList $ deltaRevocationList ) )
5.4. deltaCRL

The deltaCRL object class is used to augment entries to hold delta
revocation lists, as discussed in clause 11.1.4 of [X.509].

   ( 2.5.6.23 NAME 'deltaCRL'
       DESC 'X.509 delta CRL'
       SUP top AUXILIARY
       MAY deltaRevocationList )

5.5. strongAuthenticationUser

This object class is used to augment entries for objects participating
in certificate-based authentication, as defined in clause 6.15 of
[X.521]. This object class is deprecated in favor of pkiUser.

   ( 2.5.6.15 NAME 'strongAuthenticationUser'
       DESC 'X.521 strong authentication user'
       SUP top AUXILIARY
       MUST userCertificate )

5.6. userSecurityInformation

This object class is used to augment entries with needed additional
associated security information, as defined in clause 6.16 of [X.521].

   ( 2.5.6.18 NAME 'userSecurityInformation'
       DESC 'X.521 user security information'
       SUP top AUXILIARY
       MAY ( supportedAlgorithms ) )

5.7. certificationAuthority

This object class is used to augment entries for objects which act as
certificate authorities, as defined in clause 6.17 of [X.521]. This
object class is deprecated in favor of pkiCA.

   ( 2.5.6.16 NAME 'certificationAuthority'
       DESC 'X.509 certificate authority'
       SUP top AUXILIARY
       MUST ( authorityRevocationList $
           certificateRevocationList $ cACertificate )
       MAY crossCertificatePair )
5.8. certificationAuthority-V2

This object class is used to augment entries for objects which act as
certificate authorities, as defined in clause 6.18 of [X.521]. This
object class is deprecated in favor of pkiCA.

   ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
       DESC 'X.509 certificate authority, version 2'
       SUP certificationAuthority AUXILIARY
       MAY deltaRevocationList )
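The following Python program is an added example and is not part of
this draft, nor code from OpenLDAP or any other directory
implementation. It checks a single LDIF entry against the object class
definitions of Section 5 (MUST and MAY attributes, exactly one
structural class) and against the transfer rule of Sections 2 and 4
(certificate, certificate pair, certificate list and supported
algorithm values MUST be requested and transferred with the ;binary
option), and returns the list of problems found. Assumptions: the
class table is flattened to each class's own MUST and MAY lists; the
class kinds (AUXILIARY, STRUCTURAL) and the MUST cn of
cRLDistributionPoint are taken from X.521 rather than from the text
above; and the certificate and CRL values in the two sample entries
are five-byte placeholder DER SEQUENCEs (constructed data), so only
the DER envelope is checked, not a signature.

```python
import base64
import re

# Object classes of Section 5, flattened to (kind, MUST, MAY). The kinds and
# the MUST cn of cRLDistributionPoint follow X.521 (assumption, see lead-in).
OBJECT_CLASSES = {
    "top": ("ABSTRACT", {"objectClass"}, set()),
    "pkiUser": ("AUXILIARY", set(), {"userCertificate"}),
    "pkiCA": ("AUXILIARY", set(),
              {"cACertificate", "certificateRevocationList",
               "authorityRevocationList", "crossCertificatePair"}),
    "cRLDistributionPoint": ("STRUCTURAL", {"cn"},
                             {"certificateRevocationList",
                              "authorityRevocationList", "deltaRevocationList"}),
    "deltaCRL": ("AUXILIARY", set(), {"deltaRevocationList"}),
    "certificationAuthority": ("AUXILIARY",
                               {"authorityRevocationList",
                                "certificateRevocationList", "cACertificate"},
                               {"crossCertificatePair"}),
}

# Attribute types whose syntax has no LDAP-specific encoding (Section 2) and
# which therefore MUST travel with the ;binary option (Section 4). Lower-cased
# because attribute descriptions are case-insensitive.
BINARY_REQUIRED = {"usercertificate", "cacertificate", "crosscertificatepair",
                   "certificaterevocationlist", "authorityrevocationlist",
                   "deltarevocationlist", "supportedalgorithms"}

def parse_ldif(text):
    """One LDIF entry -> [(attribute description, value bytes)]. Folds
    continuation lines and decodes '::' base64 values."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    out = []
    for line in lines:
        desc, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
        out.append((desc, base64.b64decode(value) if sep == "::" else value.encode()))
    return out

def der_envelope_ok(value):
    """Sanity check only: a definite-length DER SEQUENCE spanning the value.
    A real check would parse and verify the certificate or CRL."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    n, hdr = value[1], 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or len(value) < 2 + k:   # 0x80 is indefinite length: BER, not DER
            return False
        n, hdr = int.from_bytes(value[2:2 + k], "big"), 2 + k
    return hdr + n == len(value)

def validate_entry(ldif_text, classes=OBJECT_CLASSES):
    """Return the schema problems found in one entry; [] means it conforms."""
    problems = []
    attrs = [(d, v) for d, v in parse_ldif(ldif_text) if d.lower() != "dn"]
    by_type = {}                                  # lower-cased type -> values
    for desc, value in attrs:
        base, *opts = desc.split(";")
        by_type.setdefault(base.lower(), []).append((base, opts, value))
    names = [v.decode() for d, v in attrs if d.lower() == "objectclass"]
    problems += [f"unknown object class {c}" for c in names if c not in classes]
    known = [classes[c] for c in names if c in classes]
    if sum(kind == "STRUCTURAL" for kind, _, _ in known) != 1:
        problems.append("entry needs exactly one structural object class")
    must = set().union(*(m for _, m, _ in known))
    allowed = {a.lower() for a in must.union(*(m for _, _, m in known))}
    problems += [f"required attribute {a} is missing"
                 for a in sorted(must) if a.lower() not in by_type]
    for base, values in by_type.items():
        if base not in allowed:
            problems.append(f"attribute {values[0][0]} not allowed by the object classes")
        for shown, opts, value in values:
            if base not in BINARY_REQUIRED:
                continue
            if "binary" not in [o.lower() for o in opts]:
                problems.append(f"{shown} must be transferred as {shown};binary")
            elif not der_envelope_ok(value):
                problems.append(f"{shown};binary value is not a DER SEQUENCE")
    return problems

# Constructed sample entries. "MAMCAQE=" is the 5-byte DER SEQUENCE
# 30 03 02 01 01 standing in for real certificate / CRL bytes.
GOOD_ENTRY = """
dn: cn=Example CA,o=Example
objectClass: top
objectClass: cRLDistributionPoint
objectClass: pkiCA
cn: Example CA
cACertificate;binary:: MAMCAQE=
certificateRevocationList;binary:: MAMCAQE=
"""

BAD_ENTRY = """
dn: cn=Old CA,o=Example
objectClass: top
objectClass: cRLDistributionPoint
objectClass: certificationAuthority
cn: Old CA
cACertificate: MAMCAQE=
certificateRevocationList;binary:: MAMCAQE=
"""

if __name__ == "__main__":
    print(validate_entry(GOOD_ENTRY))
    print(validate_entry(BAD_ENTRY))
```

The first entry conforms. The second uses the deprecated
certificationAuthority class, whose MUST list requires an
authorityRevocationList, and sends cACertificate without the ;binary
option; both are reported. Unknown classes (for example an
organization class not in the table) would also be flagged, so the
table has to be extended with the site's other classes before use.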
6. Security Considerations

General certificate considerations [RFC3280] apply to LDAP-aware
certificate applications. General LDAP security considerations
[Roadmap] apply as well.

While elements of certificate information are commonly signed, these
signatures only protect the integrity of the signed information. In
the absence of data integrity protection in LDAP (or at a lower layer,
e.g. IPsec), a server is not assured that a client's certificate
request (or other request) was unaltered in transit. Likewise, a
client cannot be assured that the results of a query were unaltered in
transit; for example, an attacker able to modify traffic could
substitute a different, validly signed value such as an earlier
revocation list, or remove entries from the result. Hence, it is
generally recommended that implementations make use of authentication
and data integrity services in LDAP [AuthMeth][Protocol].

7. IANA Considerations

7.1. Object Identifier Registration

It is requested that IANA register upon Standards Action an LDAP
Object Identifier for use in this technical specification.

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      Kurt Zeilenga <kurt@OpenLDAP.org>
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
      Identifies the LDAP X.509 Certificate schema elements
      introduced in this document.

7.2. Registration of the descriptor
It is requested that IANA update upon Standards Action the LDAP
Descriptor registry as indicated below.

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): see table
   Object Identifier: see table
   Person & email address to contact for further information:
      Kurt Zeilenga <kurt@OpenLDAP.org>
   Specification: RFC XXXX
   Author/Change Controller: IESG

   NAME                        Type OID
   ------------------------    ---- ----------
   algorithmIdentifierMatch    R    2.5.13.40
   authorityRevocationList     A    2.5.4.38   *
   cACertificate               A    2.5.4.37   *
   cRLDistributionPoint        O    2.5.6.19   *
   certificateExactMatch       R    2.5.13.34
   certificateListExactMatch   R    2.5.13.38
   certificateListMatch        R    2.5.13.39
   certificateMatch            R    2.5.13.35
   certificatePairExactMatch   R    2.5.13.36
   certificatePairMatch        R    2.5.13.37
   certificateRevocationList   A    2.5.4.39   *
   certificationAuthority      O    2.5.6.16   *
   certificationAuthority-V2   O    2.5.6.16.2 *
   crossCertificatePair        A    2.5.4.40   *
   deltaCRL                    O    2.5.6.23   *
   deltaRevocationList         A    2.5.4.53   *
   pkiCA                       O    2.5.6.22
   pkiUser                     O    2.5.6.21
   strongAuthenticationUser    O    2.5.6.15   *
   supportedAlgorithms         A    2.5.4.52   *
   userCertificate             A    2.5.4.36   *
   userSecurityInformation     O    2.5.6.18   *

   * Updates previous registration

8. Acknowledgements

This document is based upon X.509, a product of the ITU-T. A number
of LDAP schema definitions were based on those found in RFC 2252 and
RFC 2256, both products of the IETF ASID WG. The ABNF productions in
Appendix A were provided by Steven Legg. Additional material was
borrowed from prior works by David Chadwick and Steven Legg to refine
the LDAP X.509 schema.
9. Author's Address

   Kurt D. Zeilenga
   OpenLDAP Foundation

   Email: Kurt@OpenLDAP.org

10. References

[[Note to the RFC Editor: please replace the citation tags used in
referencing Internet-Drafts with tags of the form RFCnnnn where

10.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14 (also RFC 2119), March 1997.

[RFC3641]  Legg, S., "Generic String Encoding Rules for ASN.1
           Types", RFC 3641, October 2003.

[Roadmap]  Zeilenga, K. (editor), "LDAP: Technical Specification
           Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
           progress.

[Models]   Zeilenga, K. (editor), "LDAP: Directory Information
           Models", draft-ietf-ldapbis-models-xx.txt, a work in
           progress.

[Binary]   Legg, S., "Lightweight Directory Access Protocol (LDAP):
           The Binary Encoding Option",
           draft-legg-ldap-binary-xx.txt, a work in progress.

[X.509]    International Telecommunication Union -
           Telecommunication Standardization Sector, "The
           Directory: Authentication Framework", X.509(2000).

[X.521]    International Telecommunication Union -
           Telecommunication Standardization Sector, "The
           Directory: Selected Object Classes", X.521(2000).

[X.680]    International Telecommunication Union -
           Telecommunication Standardization Sector, "Abstract
           Syntax Notation One (ASN.1) - Specification of Basic
           Notation", X.680(2002) (also ISO/IEC 8824-1:2002).
[X.690]    International Telecommunication Union -
           Telecommunication Standardization Sector, "Specification
           of ASN.1 encoding rules: Basic Encoding Rules (BER),
           Canonical Encoding Rules (CER), and Distinguished
           Encoding Rules (DER)", X.690(2002) (also ISO/IEC

10.2. Informative References

[ABNF]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
           Specifications: ABNF", draft-crocker-abnf-rfc2234bis, a
           work in progress.

[AuthMeth] Harrison, R. (editor), "LDAP: Authentication Methods and
           Connection Level Security Mechanisms",
           draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

[Protocol] Sermersheim, J. (editor), "LDAP: The Protocol",
           draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

[RFC2156]  Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay):
           Mapping between X.400 and RFC 822/MIME", RFC 2156,

[RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
           X.509 Public Key Infrastructure Certificate and
           Certificate Revocation List (CRL) Profile", RFC 3280,

[RFC3383]  Zeilenga, K., "IANA Considerations for LDAP", BCP 64
           (also RFC 3383), September 2002.

[RFC3642]  Legg, S., "Common Elements of GSER Encodings", RFC 3642,

[RFC3687]  Legg, S., "Lightweight Directory Access Protocol (LDAP)
           and X.500 Component Matching Rules", RFC 3687, February

[BCP64bis] Zeilenga, K., "IANA Considerations for LDAP",
           draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.

This appendix is informative.
This appendix provides ABNF [ABNF] grammars for GSER-based [RFC3641]
LDAP-specific encodings specified in this document. These grammars
were produced using, and relying on, Common Elements for GSER
Encodings [RFC3642].

A.1. CertificateExactAssertion

   CertificateExactAssertion = "{" sp cea-serialNumber ","
                                   sp cea-issuer sp "}"

   cea-serialNumber = id-serialNumber msp CertificateSerialNumber
   cea-issuer = id-issuer msp Name

   id-serialNumber =
        %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
   id-issuer = %x69.73.73.75.65.72 ; 'issuer'

   Name = id-rdnSequence ":" RDNSequence
   id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'

   CertificateSerialNumber = INTEGER
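The following Python program is an added example and is not part of
this draft, nor code from OpenLDAP or any other directory server. It
ties the A.1 grammar to the certificateExactMatch rule of Section 3.1:
it locates serialNumber and issuer inside a DER-encoded Certificate,
emits the GSER CertificateExactAssertion for it, and evaluates that
assertion against stored values. Only the standard library is used.
Assumptions: the certificate is a hand-constructed, unsigned
Certificate skeleton (constructed test data, not a real certificate,
built by sample_certificate); the OID table covers only the attribute
types cn, o and c used in the sample issuer; the GSER form of a Name
is the LDAP DN string in double quotes, as [RFC3642] specifies; and
issuer names are compared as canonically rendered DN strings, which is
stricter than the X.500 distinguishedNameMatch the rule actually calls
for (no case folding of caseIgnore attribute values).

```python
import re

# Attribute types for the sample issuer as DER OBJECT IDENTIFIER TLVs
# (2.5.4.3 cn, 2.5.4.10 o, 2.5.4.6 c); extend the table for other types.
OIDS = {"CN": b"\x06\x03\x55\x04\x03", "O": b"\x06\x03\x55\x04\x0a",
        "C": b"\x06\x03\x55\x04\x06"}
NAMES = {v[2:]: k for k, v in OIDS.items()}
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def der(tag, content):
    """One DER TLV with definite, minimal length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):
    """INTEGER in minimal two's complement (0x80 encodes as 00 80)."""
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def name(*rdns):
    """RDNSequence of single-valued RDNs given as (short-name, text), root first."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, OIDS[t] + der(0x0C, v.encode()))) for t, v in rdns))

def sample_certificate(serial, issuer):
    """Constructed, UNSIGNED Certificate skeleton (test data, not a real cert);
    it only needs serialNumber and issuer where tbsCertificate keeps them."""
    alg = der(0x30, SHA256_RSA + b"\x05\x00")
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    bits = der(0x03, bytes(17))                      # placeholder BIT STRING
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + issuer
              + validity + name(("CN", "leaf")) + der(0x30, alg + bits))
    return der(0x30, tbs + alg + bits)

def tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, end); indefinite length is BER."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0:
            raise ValueError("indefinite length: not DER")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(content):
    """(tag, value, raw_tlv) for each element of a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, end = tlv(content, pos)
        out.append((tag, val, content[pos:end]))
        pos = end
    return out

def dn_string(rdn_sequence):
    """LDAP DN string (RFC 4514 escaping, last RDN first) of an RDNSequence."""
    rdns = []
    for _, rdn, _ in children(rdn_sequence):
        atvs = []
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = children(atv)
            text = re.sub(r'([,+"\\<>;=])', r"\\\1", val.decode("utf-8"))
            if text[:1] in ("#", " "):
                text = "\\" + text
            if text.endswith(" "):
                text = text[:-1] + "\\ "
            atvs.append(f"{NAMES[oid]}={text}")
        rdns.append("+".join(atvs))
    return ",".join(reversed(rdns))

def exact_match_fields(cert_der):
    """serialNumber (int) and the raw issuer Name TLV out of tbsCertificate."""
    fields = children(children(tlv(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return serial, fields[2][2]                      # serialNumber, signature, issuer

def certificate_exact_assertion(cert_der):
    """GSER CertificateExactAssertion (Appendix A.1) naming a stored certificate."""
    serial, issuer = exact_match_fields(cert_der)
    dn = dn_string(tlv(issuer)[1]).replace('"', '""')
    return f'{{ serialNumber {serial}, issuer rdnSequence:"{dn}" }}'

ASSERTION = re.compile(r'^\{\s*serialNumber\s+(-?\d+)\s*,\s*issuer\s+rdnSequence:"((?:[^"]|"")*)"\s*\}$')

def certificate_exact_match(assertion, stored_der):
    """certificateExactMatch (X.509 11.3.1): TRUE iff serialNumber and issuer of
    the assertion equal those of the stored value. Simplification: issuers are
    compared as canonically rendered DN strings, stricter than X.500
    distinguishedNameMatch (no case folding of caseIgnore attribute values)."""
    m = ASSERTION.match(assertion)
    if not m:
        raise ValueError("not a GSER CertificateExactAssertion")
    serial, issuer = exact_match_fields(stored_der)
    wanted = m.group(2).replace('""', '"')
    return int(m.group(1)) == serial and wanted == dn_string(tlv(issuer)[1])

def demo():
    """Build the assertion for a stored value and test it against two values."""
    ca = name(("C", "US"), ("O", "Example, Inc."), ("CN", "Example CA"))
    stored = sample_certificate(0x1234, ca)
    assertion = certificate_exact_assertion(stored)
    return (assertion, certificate_exact_match(assertion, stored),
            certificate_exact_match(assertion, sample_certificate(0x1235, ca)))

if __name__ == "__main__":
    print(demo())
```

demo() yields the assertion
{ serialNumber 4660, issuer rdnSequence:"CN=Example CA,O=Example\, Inc.,C=US" },
which matches the value it was derived from and fails against an
otherwise identical value with serial number 0x1235. The tlv reader
accepts definite-length DER only, in line with the SHOULD in
Section 2; a server that wants the X.500 behaviour for the issuer
comparison has to apply distinguishedNameMatch to the two names
instead of comparing the rendered strings.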
A.2. CertificateAssertion

   CertificateAssertion = "{" [ sp ca-serialNumber ]
                              [ sep sp ca-issuer ]
                              [ sep sp ca-subjectKeyIdentifier ]
                              [ sep sp ca-authorityKeyIdentifier ]
                              [ sep sp ca-certificateValid ]
                              [ sep sp ca-privateKeyValid ]
                              [ sep sp ca-subjectPublicKeyAlgID ]
                              [ sep sp ca-keyUsage ]
                              [ sep sp ca-subjectAltName ]
                              [ sep sp ca-policy ]
                              [ sep sp ca-pathToName ]
                              [ sep sp ca-subject ]
                              [ sep sp ca-nameConstraints ] sp "}"

   ca-serialNumber = id-serialNumber msp CertificateSerialNumber
   ca-issuer = id-issuer msp Name
   ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
                                SubjectKeyIdentifier
   ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
                                  AuthorityKeyIdentifier
   ca-certificateValid = id-certificateValid msp Time
   ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
   ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
                                 OBJECT-IDENTIFIER
   ca-keyUsage = id-keyUsage msp KeyUsage
   ca-subjectAltName = id-subjectAltName msp AltNameType
   ca-policy = id-policy msp CertPolicySet
   ca-pathToName = id-pathToName msp Name
   ca-subject = id-subject msp Name
   ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax

   id-subjectKeyIdentifier =
        %x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'subjectKeyIdentifier'
   id-authorityKeyIdentifier =
        %x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'authorityKeyIdentifier'
   id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
        ; 'certificateValid'
   id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
        ; 'privateKeyValid'
   id-subjectPublicKeyAlgID =
        %x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
        ; 'subjectPublicKeyAlgID'
   id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
   id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
        ; 'subjectAltName'
   id-policy = %x70.6F.6C.69.63.79 ; 'policy'
   id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
   id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
   id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
        ; 'nameConstraints'

   SubjectKeyIdentifier = KeyIdentifier

   KeyIdentifier = OCTET-STRING

   AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
                                [ sep sp aki-authorityCertIssuer ]
                                [ sep sp aki-authorityCertSerialNumber ] sp "}"

   aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier
   aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames

   GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
   GeneralName = gn-otherName
               / gn-rfc822Name
               / gn-dNSName
               / gn-x400Address
               / gn-directoryName
               / gn-ediPartyName
               / gn-uniformResourceIdentifier
               / gn-iPAddress
               / gn-registeredID

   gn-otherName = id-otherName ":" OtherName
   gn-rfc822Name = id-rfc822Name ":" IA5String
   gn-dNSName = id-dNSName ":" IA5String
   gn-x400Address = id-x400Address ":" ORAddress
   gn-directoryName = id-directoryName ":" Name
   gn-ediPartyName = id-ediPartyName ":" EDIPartyName
   gn-iPAddress = id-iPAddress ":" OCTET-STRING
   gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER

   gn-uniformResourceIdentifier = id-uniformResourceIdentifier
                                     ":" IA5String

   id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
   gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
        ; 'registeredID'

   OtherName = "{" sp on-type-id "," sp on-value sp "}"
   on-type-id = id-type-id msp OBJECT-IDENTIFIER
   on-value = id-value msp Value
        ;; <Value> as defined in Section 3 of [RFC3641]

   id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id'
   id-value = %x76.61.6C.75.65 ; 'value'

   ORAddress = dquote *SafeIA5Character dquote
   SafeIA5Character = %x01-21 / %x23-7F /   ; ASCII minus dquote
                      dquote dquote         ; escaped double quote
   dquote = %x22 ; '"' (double quote)

   ;; Note: The <ORAddress> rule encodes the x400Address component
   ;; of a GeneralName as a character string between double quotes.
   ;; The character string is first derived according to Section 4.1
   ;; of [RFC2156], and then any embedded double quotes are escaped
   ;; by being repeated. This resulting string is output between
   ;; double quotes.

   EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
   nameAssigner = id-nameAssigner msp DirectoryString
   partyName = id-partyName msp DirectoryString
   id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
        ; 'nameAssigner'
   id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'
   aki-authorityCertSerialNumber = id-authorityCertSerialNumber
                                      msp CertificateSerialNumber

   id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'keyIdentifier'
   id-authorityCertIssuer =
        %x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
        ; 'authorityCertIssuer'
   id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
        %x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
        ; 'authorityCertSerialNumber'

   Time = time-utcTime / time-generalizedTime
   time-utcTime = id-utcTime ":" UTCTime
   time-generalizedTime = id-generalizedTime ":" GeneralizedTime
   id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
   id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
        ; 'generalizedTime'

   KeyUsage = BIT-STRING / key-usage-bit-list
   key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"

   ;; Note: The <key-usage-bit-list> rule encodes the one bits in
   ;; a KeyUsage value as a comma separated list of identifiers.

   key-usage = id-digitalSignature
             / id-nonRepudiation
             / id-keyEncipherment
             / id-dataEncipherment
             / id-keyAgreement
             / id-keyCertSign
             / id-cRLSign
             / id-encipherOnly
             / id-decipherOnly

   id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74
        %x75.72.65 ; 'digitalSignature'
   id-nonRepudiation = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E
        ; 'nonRepudiation'
   id-keyEncipherment = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74
        ; 'keyEncipherment'
   id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E
        %x74 ; 'dataEncipherment'
   id-keyAgreement = %x6B.65.79.41.67.72.65.65.6D.65.6E.74
        ; 'keyAgreement'
   id-keyCertSign = %x6B.65.79.43.65.72.74.53.69.67.6E
        ; 'keyCertSign'
1071 id-cRLSign = %x63.52.4C.53.69.67.6E ; "cRLSign"
1072 id-encipherOnly = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79
1074 id-decipherOnly = %x64.65.63.69.70.68.65.72.4F.6E.6C.79
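As an added illustration (my own code, not part of the draft or of OpenLDAP), the following Python parses and emits the <KeyUsage> assertion value defined above. It accepts both alternatives the rule allows: the <key-usage-bit-list> and the GSER <BIT-STRING> forms ('0110'B or '6A'H), which the draft imports from RFC 3641 and this appendix does not restate, so that part is an assumption. Bits are numbered in X.509 order (digitalSignature is bit 0, decipherOnly is bit 8), identifiers are case-sensitive, and anything outside the grammar, including unknown or duplicated identifiers, is rejected rather than silently accepted, which is what a server applying a client-supplied assertion should do. The <ReasonFlags> rule later in this appendix has the same shape and can be handled by the same parser with its own identifier table.

```python
"""Parse and encode the GSER <KeyUsage> assertion value (example code, not
from the draft). Bit order follows X.509 / RFC 5280: digitalSignature(0)
... decipherOnly(8)."""
import re

# The nine <key-usage> identifiers, indexed by their KeyUsage bit number.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)
_BIT_OF = {name: i for i, name in enumerate(KEY_USAGE_BITS)}

# GSER <BIT-STRING> (RFC 3641): '0110'B or '6A'H. Assumed here, since the
# draft imports the rule from RFC 3641 rather than restating it.
_BSTRING = re.compile(r"^'([01]*)'B$")
_HSTRING = re.compile(r"^'([0-9A-Fa-f]*)'H$")


class GSERError(ValueError):
    """Raised for anything the <KeyUsage> rule does not admit."""


def _bits_to_mask(bits: str) -> int:
    # ASN.1 BIT STRING numbering: the first character is bit 0.
    if "1" in bits[len(KEY_USAGE_BITS):]:
        raise GSERError("bit set beyond decipherOnly(8)")
    return sum(1 << i for i, c in enumerate(bits[:len(KEY_USAGE_BITS)])
               if c == "1")


def parse_key_usage(text: str) -> int:
    """Return a mask whose bit i is set iff KEY_USAGE_BITS[i] is asserted.

    KeyUsage = BIT-STRING / key-usage-bit-list, where
    key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"
    and GSER <sp> is zero or more spaces (not tabs or newlines).
    """
    s = text.strip(" ")
    if m := _BSTRING.match(s):
        return _bits_to_mask(m.group(1))
    if m := _HSTRING.match(s):
        return _bits_to_mask("".join(f"{int(h, 16):04b}" for h in m.group(1)))
    if not (s.startswith("{") and s.endswith("}")):
        raise GSERError("KeyUsage must be a BIT-STRING or a { ... } list")
    body = s[1:-1].strip(" ")
    if body == "":
        return 0                      # "{ }": no bits set
    mask = 0
    for item in body.split(","):
        name = item.strip(" ")
        if name not in _BIT_OF:       # identifiers are case-sensitive
            raise GSERError(f"not a <key-usage> identifier: {name!r}")
        bit = 1 << _BIT_OF[name]
        if mask & bit:
            raise GSERError(f"duplicate identifier: {name}")
        mask |= bit
    return mask


def encode_key_usage(mask: int) -> str:
    """Emit the <key-usage-bit-list> form: one identifier per set bit."""
    if mask < 0 or mask >> len(KEY_USAGE_BITS):
        raise GSERError("mask has bits outside KeyUsage")
    names = [n for i, n in enumerate(KEY_USAGE_BITS) if mask >> i & 1]
    return "{ " + ", ".join(names) + " }" if names else "{ }"


def is_valid_key_usage(text: str) -> bool:
    """True iff text is a well-formed <KeyUsage> value."""
    try:
        parse_key_usage(text)
    except GSERError:
        return False
    return True
```

The three spellings `{ digitalSignature, keyCertSign, cRLSign }`, `'100001100'B` and `'86'H` all denote the same KeyUsage value; a matching-rule implementation has to treat them as equal, which is why the parser normalises to a bit mask before comparing.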
AltNameType = ant-builtinNameForm / ant-otherNameForm

ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm
ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER

id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D
                   ; 'builtinNameForm'
id-otherNameForm = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D
                   ; 'otherNameForm'

BuiltinNameForm = id-rfc822Name
                / id-dNSName
                / id-x400Address
                / id-directoryName
                / id-ediPartyName
                / id-uniformResourceIdentifier
                / id-iPAddress
                / id-registeredId

id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name'
id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName'
id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address'
id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65
                   ; 'directoryName'
id-ediPartyName = %x65.64.69.50.61.72.74.79.4E.61.6D.65
                   ; 'ediPartyName'
id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress'
id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64
                   ; 'registeredId'
id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
                   %x72.63.65.49.64.65.6E.74.69.66.69.65.72
                   ; 'uniformResourceIdentifier'

CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
CertPolicyId = OBJECT-IDENTIFIER

NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ]
                            [ sep sp ncs-excludedSubtrees ] sp "}"

ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees
ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees

id-permittedSubtrees =
                   %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73
                   ; 'permittedSubtrees'
id-excludedSubtrees =
                   %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73
                   ; 'excludedSubtrees'

GeneralSubtrees = "{" sp GeneralSubtree
                      *( "," sp GeneralSubtree ) sp "}"
GeneralSubtree = "{" sp gs-base
                     [ "," sp gs-minimum ]
                     [ "," sp gs-maximum ] sp "}"

gs-base = id-base msp GeneralName
gs-minimum = id-minimum msp BaseDistance
gs-maximum = id-maximum msp BaseDistance

id-base = %x62.61.73.65 ; 'base'
id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum'
id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum'

BaseDistance = INTEGER-0-MAX
A.3. CertificatePairExactAssertion

CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ]
                                    [ sep sp cpea-issuedBy ] sp "}"
;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.

cpea-issuedTo = id-issuedToThisCAAssertion msp
                CertificateExactAssertion
cpea-issuedBy = id-issuedByThisCAAssertion msp
                CertificateExactAssertion

id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
                   %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
                   %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'

A.4. CertificatePairAssertion

CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
                               [ sep sp cpa-issuedBy ] sp "}"
;; At least one of <cpa-issuedTo> or <cpa-issuedBy> MUST be present.

cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion
A.5. CertificateListExactAssertion

CertificateListExactAssertion = "{" sp clea-issuer ","
                                    sp clea-thisUpdate
                                    [ "," sp clea-distributionPoint ] sp "}"

clea-issuer = id-issuer msp Name
clea-thisUpdate = id-thisUpdate msp Time
clea-distributionPoint = id-distributionPoint msp
                         DistributionPointName

id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
id-distributionPoint =
                   %x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
                   ; 'distributionPoint'

DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer

dpn-fullName = id-fullName ":" GeneralNames
dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
                              RelativeDistinguishedName

id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
                   %x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'
A.6. CertificateListAssertion

CertificateListAssertion = "{" [ sp cla-issuer ]
                               [ sep sp cla-minCRLNumber ]
                               [ sep sp cla-maxCRLNumber ]
                               [ sep sp cla-reasonFlags ]
                               [ sep sp cla-dateAndTime ]
                               [ sep sp cla-distributionPoint ]
                               [ sep sp cla-authorityKeyIdentifier ] sp "}"

cla-issuer = id-issuer msp Name
cla-minCRLNumber = id-minCRLNumber msp CRLNumber
cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
cla-reasonFlags = id-reasonFlags msp ReasonFlags
cla-dateAndTime = id-dateAndTime msp Time
cla-distributionPoint = id-distributionPoint msp
                        DistributionPointName
cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
                             AuthorityKeyIdentifier

id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72 ; 'minCRLNumber'
id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72 ; 'maxCRLNumber'
id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'

CRLNumber = INTEGER-0-MAX

ReasonFlags = BIT-STRING
            / "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"

reason-flag = id-unused
            / id-keyCompromise
            / id-cACompromise
            / id-affiliationChanged
            / id-superseded
            / id-cessationOfOperation
            / id-certificateHold
            / id-privilegeWithdrawn
            / id-aACompromise

id-unused = %x75.6E.75.73.65.64 ; 'unused'
id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
                   ; 'keyCompromise'
id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65 ; 'cACompromise'
id-affiliationChanged =
                   %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
                   ; 'affiliationChanged'
id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
id-cessationOfOperation =
                   %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
                   ; 'cessationOfOperation'
id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
                   ; 'certificateHold'
id-privilegeWithdrawn =
                   %x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
                   ; 'privilegeWithdrawn'
id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65 ; 'aACompromise'
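To show how the <CertificateListAssertion> rule above fits together with the <Time>, <ReasonFlags> and <DistributionPointName> rules it pulls in, here is an added Python example (my own code, not the draft's or OpenLDAP's) that assembles an assertion value for a CRL search and wraps it in an RFC 4515 extensible-match filter. It assumes RFC 3641's quoted-string forms for Name, UTCTime and GeneralizedTime, assumes the draft's GeneralName rule for a URI (defined in a part of the appendix not shown here) reads uniformResourceIdentifier:"...", and uses the X.509 names certificateRevocationList and certificateListMatch for the attribute and matching rule. The issuer DN, the URI and the sample date are made up.

```python
"""Assemble a GSER <CertificateListAssertion> value and wrap it in an LDAP
extensible-match filter (example code, not from the draft)."""
from datetime import datetime, timezone

# <reason-flag> identifiers in X.509 ReasonFlags bit order:
# unused(0), keyCompromise(1), ..., aACompromise(8).
REASON_FLAGS = (
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise",
)

SAMPLE_TIME = datetime(2005, 7, 18, 12, 0, 0, tzinfo=timezone.utc)  # constructed


class GSERError(ValueError):
    pass


def gser_string(s: str) -> str:
    """GSER StringValue (RFC 3641): double-quoted, embedded dquote doubled."""
    return '"' + s.replace('"', '""') + '"'


def gser_name(dn: str) -> str:
    """X.501 Name is a CHOICE with the single alternative rdnSequence, so
    RFC 3641 writes it as rdnSequence:"<LDAP DN string>"."""
    return "rdnSequence:" + gser_string(dn)


def gser_time(dt: datetime) -> str:
    """<Time> = utcTime:... / generalizedTime:...  Pick the alternative the
    way RFC 5280 does for CRL dates: UTCTime through 2049, GeneralizedTime
    after. Assumption: both carry RFC 3641's quoted-string form."""
    if dt.tzinfo is None:
        raise GSERError("X.509 times are UTC; pass an aware datetime")
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        return "utcTime:" + gser_string(dt.strftime("%y%m%d%H%M%SZ"))
    return "generalizedTime:" + gser_string(dt.strftime("%Y%m%d%H%M%SZ"))


def gser_reason_flags(names) -> str:
    """<ReasonFlags> list form: one identifier per set bit, bit order kept."""
    wanted = set(names)
    unknown = wanted - set(REASON_FLAGS)
    if unknown:
        raise GSERError(f"not <reason-flag> identifiers: {sorted(unknown)}")
    ordered = [n for n in REASON_FLAGS if n in wanted]
    return "{ " + ", ".join(ordered) + " }" if ordered else "{ }"


def certificate_list_assertion(*, issuer=None, min_crl_number=None,
                               max_crl_number=None, reason_flags=None,
                               date_and_time=None, crl_uris=None) -> str:
    """Members appear in the order the ABNF fixes; since each is optional,
    <sep> reduces to the comma between the members that are present."""
    members = []
    if issuer is not None:
        members.append("issuer " + gser_name(issuer))
    for label, num in (("minCRLNumber", min_crl_number),
                       ("maxCRLNumber", max_crl_number)):
        if num is not None:
            if num < 0:
                raise GSERError(f"{label} is INTEGER-0-MAX")
            members.append(f"{label} {num}")
    if reason_flags is not None:
        members.append("reasonFlags " + gser_reason_flags(reason_flags))
    if date_and_time is not None:
        members.append("dateAndTime " + gser_time(date_and_time))
    if crl_uris:
        # dpn-fullName = "fullName:" GeneralNames. Assumption: the draft's
        # GeneralName rule for a URI is uniformResourceIdentifier:"<IA5String>".
        names = ", ".join("uniformResourceIdentifier:" + gser_string(u)
                          for u in crl_uris)
        members.append("distributionPoint fullName:{ " + names + " }")
    return "{ " + ", ".join(members) + " }" if members else "{ }"


def ldap_extensible_filter(attr: str, rule: str, value: str) -> str:
    """RFC 4515 extensible match (attr:rule:=value). Only NUL, '(', ')',
    '*' and backslash need escaping; braces, quotes and colons pass."""
    esc = (value.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29")
                .replace("\x00", "\\00"))
    return f"({attr}:{rule}:={esc})"


def example_filter() -> str:
    """CRLs from one issuer, numbered 42 or higher, covering key or CA
    compromise, issued on or after SAMPLE_TIME (made-up DN and URI)."""
    value = certificate_list_assertion(
        issuer="CN=Example CA,O=Example Corp,C=US",
        min_crl_number=42,
        reason_flags=["cACompromise", "keyCompromise"],
        date_and_time=SAMPLE_TIME,
        crl_uris=["http://crl.example.com/ca.crl"],
    )
    return ldap_extensible_filter("certificateRevocationList",
                                  "certificateListMatch", value)
```

The escaping step matters in practice: the assertion value travels inside the filter string, and a DN or URI containing `(`, `)` or `*` would otherwise change the filter's structure rather than the assertion's content. The server, for its part, has to parse the value back against the ABNF and should reject members out of order or identifiers it does not know rather than guess.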
A.7. AlgorithmIdentifier

AlgorithmIdentifier = "{" sp ai-algorithm
                          [ "," sp ai-parameters ] sp "}"

ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
ai-parameters = id-parameters msp Value
id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm'
id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'
Intellectual Property Rights

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be found
in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this specification
can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.