Introduction
SECTION 1 – GENERAL
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
3 Definitions
3.1 OSI Reference Model security architecture definitions
3.2 Directory model definitions
3.3 Definitions
4 Abbreviations
5 Conventions
6 Frameworks overview
6.1 Digital signatures
SECTION 2 – PUBLIC-KEY CERTIFICATE FRAMEWORK
7 Public-keys and public-key certificates
7.1 Generation of key pairs
7.2 Public-key certificate creation
7.3 Certificate validity
8 Public-key certificate and CRL extensions
8.1 Policy handling
8.1.1 Certificate policy
8.1.2 Cross-certification
8.1.3 Policy mapping
8.1.4 Certification path processing
8.1.5 Self-issued certificates
8.2 Key and policy information extensions
8.2.1 Requirements
8.2.2 Public-key certificate and CRL extension fields
8.2.2.1 Authority key identifier extension
8.2.2.2 Subject key identifier extension
8.2.2.3 Key usage extension
8.2.2.4 Extended key usage extension
8.2.2.5 Private key usage period extension
8.2.2.6 Certificate policies extension
8.2.2.7 Policy mappings extension
8.3 Subject and issuer information extensions
8.3.1 Requirements
8.3.2 Certificate and CRL extension fields
8.3.2.1 Subject alternative name extension
8.3.2.2 Issuer alternative name extension
8.3.2.3 Subject directory attributes extension
8.4 Certification path constraint extensions
8.4.1 Requirements
8.4.2 Certificate extension fields
8.4.2.1 Basic constraints extension
8.4.2.2 Name constraints extension
8.4.2.3 Policy constraints extension
8.4.2.4 Inhibit any policy extension
8.5 Basic CRL extensions
8.5.1 Requirements
8.5.2 CRL and CRL entry extension fields
8.5.2.1 CRL number extension
8.5.2.2 Reason code extension
8.5.2.3 Hold instruction code extension
8.5.2.4 Invalidity date extension
8.5.2.5 CRL scope extension
8.5.2.6 Status referral extension
8.5.2.7 CRL stream identifier extension
8.5.2.8 Ordered list extension
8.5.2.9 Delta information extension
8.6 CRL distribution points and delta-CRL extensions
8.6.1 Requirements
8.6.2 CRL distribution point and delta-CRL extension fields
8.6.2.1 CRL distribution points extension
8.6.2.2 Issuing distribution point extension
8.6.2.3 Certificate issuer extension
8.6.2.4 Delta CRL indicator extension
8.6.2.5 Base update extension
8.6.2.6 Freshest CRL extension
9 Delta CRL relationship to base
10 Certification path processing procedure
10.1 Path processing inputs
10.2 Path processing outputs
10.3 Path processing variables
10.4 Initialization step
10.5 Certificate processing
10.5.1 Basic certificate checks
10.5.2 Processing intermediate certificates
10.5.3 Explicit policy indicator processing
10.5.4 Final processing
11 PKI directory schema
11.1 PKI directory object classes and name forms
11.1.1 PKI user object class
11.1.2 PKI CA object class
11.1.3 CRL distribution points object class and name form
11.1.4 Delta CRL object class
11.1.5 Certificate Policy & CPS object class
11.1.6 PKI certificate path object class
11.2 PKI directory attributes
11.2.1 User certificate attribute
11.2.2 CA certificate attribute
11.2.3 Cross certificate pair attribute
11.2.4 Certificate revocation list attribute
11.2.5 Authority revocation list attribute
11.2.6 Delta revocation list attribute
11.2.7 Supported algorithms attribute
11.2.8 Certification practice statement attribute
11.2.9 Certificate policy attribute
11.2.10 PKI path attribute
11.3 PKI directory matching rules
11.3.1 Certificate exact match
11.3.2 Certificate match
11.3.3 Certificate pair exact match
11.3.4 Certificate pair match
11.3.5 Certificate list exact match
11.3.6 Certificate list match
11.3.7 Algorithm identifier match
11.3.8 Policy match
11.3.9 PKI path match
SECTION 3 – ATTRIBUTE CERTIFICATE FRAMEWORK
12 Attribute certificates
12.1 Attribute certificate structure
12.2 Attribute certificate paths
13 Attribute Authority, SOA and Certification Authority relationship
13.1 Privilege in attribute certificates
13.2 Privilege in public-key certificates
14 PMI models
14.1 General model
14.1.1 PMI in access control context
14.1.2 PMI in a non-repudiation context
14.2 Control model
14.3 Delegation model
14.4 Roles model
14.4.1 Role attribute
15 Privilege management certificate extensions
15.1 Basic privilege management extensions
15.1.1 Requirements
15.1.2 Basic privilege management extension fields
15.1.2.1 Time specification extension
15.1.2.2 Targeting information extension
15.1.2.3 User notice extension
15.1.2.4 Acceptable privilege policies extension
15.2 Privilege revocation extensions
15.2.1 Requirements
15.2.2 Privilege revocation extension fields
15.2.2.1 CRL distribution points extension
15.2.2.2 No revocation information extension
15.3 Source of Authority extensions
15.3.1 Requirements
15.3.2 SOA extension fields
15.3.2.1 SOA identifier extension
15.3.2.2 Attribute descriptor extension
15.4 Role extensions
15.4.1 Requirements
15.4.2 Role extension fields
15.4.2.1 Role specification certificate identifier extension
15.5 Delegation extensions
15.5.1 Requirements
15.5.2 Delegation extension fields
15.5.2.1 Basic attribute constraints extension
15.5.2.2 Delegated name constraints extension
15.5.2.3 Acceptable certificate policies extension
15.5.2.4 Authority attribute identifier extension
16 Privilege path processing procedure
16.1 Basic processing procedure
16.2 Role processing procedure
16.3 Delegation processing procedure
16.3.1 Verify integrity of domination rule
16.3.2 Establish valid delegation path
16.3.3 Verify privilege delegation
16.3.4 Pass/fail determination
17 PMI directory schema
17.1 PMI directory object classes
17.1.1 PMI user object class
17.1.2 PMI AA object class
17.1.3 PMI SOA object class
17.1.4 Attribute certificate CRL distribution point object class
17.1.5 PMI delegation path object class
17.1.6 Privilege policy object class
17.2 PMI Directory attributes
17.2.1 Attribute certificate attribute
17.2.2 AA certificate attribute
17.2.3 Attribute descriptor certificate attribute
17.2.4 Attribute certificate revocation list attribute
17.2.5 AA certificate revocation list attribute
17.2.6 Delegation path attribute
17.2.7 Privilege policy attribute
17.3 PMI general directory matching rules
17.3.1 Attribute certificate exact match
17.3.2 Attribute certificate match
17.3.3 Holder issuer match
17.3.4 Delegation path match
SECTION 4 – DIRECTORY USE OF PUBLIC-KEY & ATTRIBUTE CERTIFICATE FRAMEWORKS
18 Directory authentication
18.1 Simple authentication procedure
18.1.1 Generation of protected identifying information
18.1.2 Procedure for protected simple authentication
18.1.3 User password attribute type
18.2 Strong Authentication
18.2.1 Obtaining public-key certificates from the directory
18.2.1.1 Example
18.2.2 Strong authentication procedures
18.2.2.1 One-way authentication
18.2.2.2 Two-way authentication
18.2.2.3 Three-way authentication
19 Access control
20 Protection of Directory operations
Annex A – Public-Key and Attribute Certificate Frameworks
Annex B – CRL Generation and Processing Rules
B.1 Introduction
B.1.1 CRL types
B.1.2 CRL processing
B.2 Determine parameters for CRLs
B.3 Determine CRLs required
B.3.1 End-entity with critical CRL DP
B.3.2 End-entity with no critical CRL DP
B.3.3 CA with critical CRL DP
B.3.4 CA with no critical CRL DP
B.4 Obtain CRLs
B.5 Process CRLs
B.5.1 Validate base CRL scope
B.5.1.1 Complete CRL
B.5.1.2 Complete EPRL
B.5.1.3 Complete CARL
B.5.1.4 Distribution point based CRL/EPRL/CARL
B.5.2 Validate delta CRL scope
B.5.3 Validity and currency checks on the base CRL
B.5.4 Validity and checks on the delta CRL
Annex C – Examples of Delta CRL Issuance
C.1 Introduction
Annex D – Privilege Policy and Privilege Attribute Definition Examples
D.1 Introduction
D.2 Sample syntaxes
D.2.1 First example
D.2.2 Second example
D.3 Privilege attribute example
Annex E – An introduction to public key cryptography
Annex F – Reference definition of algorithm object identifiers
Annex G – Examples of use of certification path constraints
G.1 Example 1: Use of basic constraints
G.2 Example 2: Use of name constraints
G.3 Example 3: Use of policy mapping and policy constraints
Annex H – Alphabetical list of information item definitions
Annex I – Amendments and corrigenda