1     Scope 
 2     Normative references 
        2.1     Identical Recommendations | International Standards 
        2.2     Paired Recommendations | International Standards equivalent in technical content
 3     Definitions 
        3.1     OSI Reference Model security architecture definitions 
        3.2     Directory model definitions 
        3.3     Definitions 
 4     Abbreviations 
 5     Conventions 
 6     Frameworks overview  
        6.1     Digital signatures 
 7     Public-keys and public-key certificates 
        7.1     Generation of key pairs 
        7.2     Public-key certificate creation 
        7.3     Certificate Validity 
        7.4     Repudiation of a digital signing 
 8     Public-key certificate and CRL extensions 
        8.1     Policy handling 
                  8.1.1     Certificate policy 
                  8.1.2     Cross-certification 
                  8.1.3     Policy mapping 
                  8.1.4     Certification path processing 
                  8.1.5     Self-issued certificates 
        8.2     Key and policy information extensions 
                  8.2.1     Requirements 
                  8.2.2     Public-key certificate and CRL extension fields 
        8.3     Subject and issuer information extensions 
                  8.3.1     Requirements 
                  8.3.2     Certificate and CRL extension fields 
        8.4     Certification path constraint extensions 
                  8.4.1     Requirements 
                  8.4.2     Certificate extension fields 
        8.5     Basic CRL extensions 
                  8.5.1     Requirements 
                  8.5.2     CRL and CRL entry extension fields 
        8.6     CRL distribution points and delta-CRL extensions 
                  8.6.1     Requirements 
                  8.6.2     CRL distribution point and delta-CRL extension fields 
 9     Delta CRL relationship to base 
10     Certification path processing procedure 
       10.1     Path processing inputs 
       10.2     Path processing outputs 
       10.3     Path processing variables 
       10.4     Initialization step 
       10.5     Certificate processing 
                  10.5.1     Basic certificate checks 
                  10.5.2     Processing intermediate certificates 
                  10.5.3     Explicit policy indicator processing 
                  10.5.4     Final processing 
11     PKI directory schema 
       11.1     PKI directory object classes and name forms 
                  11.1.1     PKI user object class 
                  11.1.2     PKI CA object class 
                  11.1.3     CRL distribution points object class and name form  
                  11.1.4     Delta CRL object class 
                  11.1.5     Certificate Policy & CPS object class 
                  11.1.6     PKI certificate path object class 
       11.2     PKI directory attributes 
                  11.2.1     User certificate attribute 
                  11.2.2     CA certificate attribute 
                  11.2.3     Cross-certificate pair attribute 
                  11.2.4     Certificate revocation list attribute 
                  11.2.5     Authority revocation list attribute 
                  11.2.6     Delta revocation list attribute 
                  11.2.7     Supported algorithms attribute 
                  11.2.8     Certification practice statement attribute 
                  11.2.9     Certificate policy attribute 
                  11.2.10     PKI path attribute 
       11.3     PKI directory matching rules 
                  11.3.1     Certificate exact match 
                  11.3.2     Certificate match 
                  11.3.3     Certificate pair exact match 
                  11.3.4     Certificate pair match 
                  11.3.5     Certificate list exact match 
                  11.3.6     Certificate list match 
                  11.3.7     Algorithm identifier match 
                  11.3.8     Policy match 
                  11.3.9     PKI path match 
                  11.3.10     Enhanced certificate match 
12     Attribute Certificates 
       12.1     Attribute certificate structure 
       12.2     Attribute certificate paths 
13     Attribute Authority, SOA and Certification Authority relationship 
       13.1     Privilege in attribute certificates 
       13.2     Privilege in public-key certificates 
14     PMI models 
       14.1     General model
                  14.1.1     PMI in access control context
                  14.1.2     PMI in a non-repudiation context
       14.2     Control model
       14.3     Delegation model
       14.4     Roles model
                  14.4.1     Role attribute 
       14.5     XML privilege information attribute 
15     Privilege management certificate extensions 
       15.1     Basic privilege management extensions 
                  15.1.1     Requirements 
                  15.1.2     Basic privilege management extension fields 
       15.2     Privilege revocation extensions 
                  15.2.1     Requirements 
                  15.2.2     Privilege revocation extension fields 
       15.3     Source of Authority extensions 
                  15.3.1     Requirements 
                  15.3.2     SOA extension fields 
       15.4     Role extensions 
                  15.4.1     Requirements 
                  15.4.2     Role extension fields 
       15.5     Delegation extensions 
                  15.5.1     Requirements 
                  15.5.2     Delegation extension fields 
16     Privilege path processing procedure 
       16.1     Basic processing procedure 
       16.2     Role processing procedure 
       16.3     Delegation processing procedure 
                  16.3.1     Verify integrity of domination rule 
                  16.3.2     Establish valid delegation path 
                  16.3.3     Verify privilege delegation 
                  16.3.4     Pass/fail determination 
17     PMI directory schema 
       17.1     PMI directory object classes 
                  17.1.1     PMI user object class 
                  17.1.2     PMI AA object class 
                  17.1.3     PMI SOA object class 
                  17.1.4     Attribute certificate CRL distribution point object class 
                  17.1.5     PMI delegation path 
                  17.1.6     Privilege policy object class 
                  17.1.7     Protected privilege policy object class 
       17.2     PMI Directory attributes 
                  17.2.1     Attribute certificate attribute 
                  17.2.2     AA certificate attribute 
                  17.2.3     Attribute descriptor certificate attribute 
                  17.2.4     Attribute certificate revocation list attribute 
                  17.2.5     AA certificate revocation list attribute 
                  17.2.6     Delegation path attribute 
                  17.2.7     Privilege policy attribute 
                  17.2.8     Protected privilege policy attribute 
                  17.2.9     XML Protected privilege policy attribute 
       17.3     PMI general directory matching rules 
                  17.3.1     Attribute certificate exact match 
                  17.3.2     Attribute certificate match 
                  17.3.3     Holder issuer match 
                  17.3.4     Delegation path match 
18     Directory authentication 
       18.1     Simple authentication procedure 
                  18.1.1     Generation of protected identifying information 
                  18.1.2     Procedure for protected simple authentication 
                  18.1.3     User Password attribute type 
       18.2     Strong Authentication 
                  18.2.1     Obtaining public-key certificates from the directory 
                  18.2.2     Strong authentication procedures 
19     Access control
20     Protection of Directory operations 
Annex A – Public-Key and Attribute Certificate Frameworks    
    --  A.1     Authentication framework module 
    --  A.2     Certificate extensions module 
    --  A.3     Attribute Certificate Framework module 
Annex B – CRL generation and processing rules    
        B.1     Introduction 
                  B.1.1     CRL types 
                  B.1.2     CRL processing 
        B.2     Determine parameters for CRLs 
        B.3     Determine CRLs required 
                  B.3.1     End-entity with critical CRL DP 
                  B.3.2     End-entity with no critical CRL DP 
                  B.3.3     CA with critical CRL DP 
                  B.3.4     CA with no critical CRL DP 
        B.4     Obtain CRLs 
        B.5     Process CRLs 
                  B.5.1     Validate base CRL scope 
                  B.5.2     Validate delta CRL scope 
                  B.5.3     Validity and currency checks on the base CRL 
                  B.5.4    Validity and checks on the delta CRL 
Annex C – Examples of delta CRL issuance    
Annex D – Privilege policy and privilege attribute definition examples    
        D.1     Introduction 
        D.2     Sample syntaxes 
                  D.2.1     First example 
                  D.2.2     Second example 
        D.3     Privilege attribute example 
Annex E – An introduction to public key cryptography    
Annex F – Reference definition of algorithm object identifiers    
Annex G – Examples of use of certification path constraints    
        G.1     Example 1: Use of basic constraints 
        G.2     Example 2:  Use of policy mapping and policy constraints 
        G.3     Use of Name Constraints Extension 
                  G.3.1     Examples of Certificate Format with Name Constraints Extension 
                  G.3.2     Examples of Certificate Handling with Name Constraint Extension 
Annex H – Guidance on determining for which policies a certification path is valid    
        H.1     Certification path valid for a user-specified policy required 
        H.2     Certification path valid for any policy required 
        H.3     Certification path valid regardless of policy 
        H.4     Certification path valid for a user-specific policy desired, but not required 
Annex I – Key usage certificate extension issues    
Annex J – Alphabetical list of information item definitions    
Annex K – Amendments and corrigenda