 1     Scope 
 2     Normative references 
        2.1     Identical Recommendations | International Standards 
        2.2     Paired Recommendations | International Standards equivalent in technical content
 3     Definitions 
        3.1     OSI Reference Model security architecture definitions 
        3.2     Directory model definitions 
        3.3     Definitions 
 4     Abbreviations 
 5     Conventions 
 6     Frameworks overview  
        6.1     Digital signatures 
 7     Public-keys and public-key certificates 
        7.1     Generation of key pairs 
        7.2     Public-key certificate creation 
        7.3     Certificate validity 
 8     Public-key certificate and CRL extensions 
        8.1     Policy handling 
                  8.1.1     Certificate policy 
                  8.1.2     Cross-certification 
                  8.1.3     Policy mapping 
                  8.1.4     Certification path processing 
                  8.1.5     Self-issued certificates 
        8.2     Key and policy information extensions 
                  8.2.1     Requirements 
                  8.2.2     Public-key certificate and CRL extension fields 
                          Authority key identifier extension 
                          Subject key identifier extension 
                          Key usage extension 
                          Extended key usage extension 
                          Private key usage period extension 
                          Certificate policies extension 
                          Policy mappings extension 
        8.3     Subject and issuer information extensions 
                  8.3.1     Requirements 
                  8.3.2     Certificate and CRL extension fields 
                          Subject alternative name extension 
                          Issuer alternative name extension 
                          Subject directory attributes extension 
        8.4     Certification path constraint extensions 
                  8.4.1     Requirements 
                  8.4.2     Certificate extension fields 
                          Basic constraints extension 
                          Name constraints extension 
                          Policy constraints extension 
                          Inhibit any policy extension 
        8.5     Basic CRL extensions 
                  8.5.1     Requirements 
                  8.5.2     CRL and CRL entry extension fields 
                          CRL number extension 
                          Reason code extension 
                          Hold instruction code extension 
                          Invalidity date extension 
                          CRL scope extension 
                          Status referral extension 
                          CRL stream identifier extension 
                          Ordered list extension 
                          Delta information extension 
        8.6     CRL distribution points and delta-CRL extensions 
                  8.6.1     Requirements 
                  8.6.2     CRL distribution point and delta-CRL extension fields 
                          CRL distribution points extension 
                          Issuing distribution point extension 
                          Certificate issuer extension 
                          Delta CRL indicator extension 
                          Base update extension 
                          Freshest CRL extension 
 9     Delta CRL relationship to base 
10     Certification path processing procedure 
       10.1     Path processing inputs 
       10.2     Path processing outputs 
       10.3     Path processing variables 
       10.4     Initialization step 
       10.5     Certificate processing 
                  10.5.1     Basic certificate checks           
                  10.5.2     Processing intermediate certificates          
                  10.5.3     Explicit policy indicator processing          
                  10.5.4     Final processing  
11     PKI directory schema 
       11.1     PKI directory object classes and name forms 
                  11.1.1     PKI user object class 
                  11.1.2     PKI CA object class 
                  11.1.3     CRL distribution points object class and name form  
                  11.1.4     Delta CRL object class 
                  11.1.5     Certificate Policy & CPS object class 
                  11.1.6     PKI certificate path object class 
       11.2     PKI directory attributes 
                  11.2.1     User certificate attribute 
                  11.2.2     CA certificate attribute 
                  11.2.3     Cross certificate pair attribute 
                  11.2.4     Certificate revocation list attribute 
                  11.2.5     Authority revocation list attribute 
                  11.2.6     Delta revocation list attribute 
                  11.2.7     Supported algorithms attribute 
                  11.2.8     Certification practice statement attribute 
                  11.2.9     Certificate policy attribute 
                  11.2.10     PKI path attribute 
       11.3     PKI directory matching rules 
                  11.3.1     Certificate exact match 
                  11.3.2     Certificate match 
                  11.3.3     Certificate pair exact match 
                  11.3.4     Certificate pair match 
                  11.3.5     Certificate list exact match 
                  11.3.6     Certificate list match 
                  11.3.7     Algorithm identifier match 
                  11.3.8     Policy match 
                  11.3.9     PKI path match 
12     Attribute certificates 
       12.1     Attribute certificate structure 
       12.2     Attribute certificate paths 
13     Attribute Authority, SOA and Certification Authority relationship 
       13.1     Privilege in attribute certificates 
       13.2     Privilege in public-key certificates 
14     PMI models 
       14.1     General model
                  14.1.1     PMI in access control context
                  14.1.2     PMI in a non-repudiation context
       14.2     Control model
       14.3     Delegation model
       14.4     Roles model
                  14.4.1     Role attribute 
15     Privilege management certificate extensions 
       15.1     Basic privilege management extensions 
                  15.1.1     Requirements 
                  15.1.2     Basic privilege management extension fields 
                          Time specification extension 
                          Targeting information extension 
                          User notice extension 
                          Acceptable privilege policies extension 
       15.2     Privilege revocation extensions 
                  15.2.1     Requirements 
                  15.2.2     Privilege revocation extension fields 
                          CRL distribution points extension 
                          No revocation information extension 
       15.3     Source of Authority extensions 
                  15.3.1     Requirements 
                  15.3.2     SOA extension fields 
                          SOA identifier extension 
                          Attribute descriptor extension 
       15.4     Role extensions 
                  15.4.1     Requirements 
                  15.4.2     Role extension fields 
                          Role specification certificate identifier extension 
       15.5     Delegation extensions 
                  15.5.1     Requirements 
                  15.5.2     Delegation extension fields 
                          Basic attribute constraints extension 
                          Delegated name constraints extension 
                          Acceptable certificate policies extension 
                          Authority attribute identifier extension 
16     Privilege path processing procedure 
       16.1     Basic processing procedure 
       16.2     Role processing procedure 
       16.3     Delegation processing procedure 
                  16.3.1     Verify integrity of domination rule 
                  16.3.2     Establish valid delegation path 
                  16.3.3     Verify privilege delegation 
                  16.3.4     Pass/fail determination 
17     PMI directory schema 
       17.1     PMI directory object classes 
                  17.1.1     PMI user object class 
                  17.1.2     PMI AA object class 
                  17.1.3     PMI SOA object class 
                  17.1.4     Attribute certificate CRL distribution point object class 
                  17.1.5     PMI delegation path object class 
                  17.1.6     Privilege policy object class 
       17.2     PMI Directory attributes 
                  17.2.1     Attribute certificate attribute 
                  17.2.2     AA certificate attribute 
                  17.2.3     Attribute descriptor certificate attribute 
                  17.2.4     Attribute certificate revocation list attribute 
                  17.2.5     AA certificate revocation list attribute 
                  17.2.6     Delegation path attribute 
                  17.2.7     Privilege policy attribute 
       17.3     PMI general directory matching rules 
                  17.3.1     Attribute certificate exact match 
                  17.3.2     Attribute certificate match 
                  17.3.3     Holder issuer match        
                  17.3.4     Delegation path match 
18     Directory authentication 
       18.1     Simple authentication procedure 
                  18.1.1     Generation of protected identifying information 
                  18.1.2     Procedure for protected simple authentication 
                  18.1.3     User password attribute type 
       18.2     Strong Authentication 
                  18.2.1     Obtaining public-key certificates from the directory 
                  18.2.2     Strong authentication procedures 
                          One-way authentication 
                          Two-way authentication 
                          Three-way authentication 
19     Access control
20     Protection of Directory operations 
Annex  A – Public-Key and Attribute Certificate Frameworks    
Annex  B – CRL Generation and Processing Rules    
        B.1     Introduction 
                  B.1.1     CRL types 
                  B.1.2     CRL processing 
        B.2     Determine parameters for CRLs 
        B.3     Determine CRLs required 
                  B.3.1     End-entity with critical CRL DP 
                  B.3.2     End-entity with no critical CRL DP 
                  B.3.3     CA with critical CRL DP 
                  B.3.4     CA with no critical CRL DP 
        B.4     Obtain CRLs 
        B.5     Process CRLs 
                  B.5.1     Validate base CRL scope 
                               B.5.1.1     Complete CRL 
                               B.5.1.2     Complete EPRL 
                               B.5.1.3     Complete CARL 
                               B.5.1.4     Distribution point based CRL/EPRL/CARL 
                  B.5.2     Validate delta CRL scope 
                  B.5.3     Validity and currency checks on the base CRL 
                  B.5.4     Validity and checks on the delta CRL 
Annex  C – Examples of Delta CRL Issuance    
        C.1     Introduction 
Annex  D – Privilege Policy and Privilege Attribute Definition Examples    
        D.1     Introduction 
        D.2     Sample syntaxes 
                  D.2.1     First example 
                  D.2.2     Second example 
        D.3     Privilege attribute example 
Annex  E – An introduction to public key cryptography    
Annex  F – Reference definition of algorithm object identifiers    
Annex  G – Examples of use of certification path constraints    
        G.1     Example 1: Use of basic constraints 
        G.2     Example 2: Use of name constraints 
        G.3     Example 3: Use of policy mapping and policy constraints 
Annex  H – Alphabetical list of information item definitions    
Annex  I – Amendments and corrigenda