SECTION 1 – GENERAL
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
3 Definitions
3.1 OSI Reference Model security architecture definitions
3.2 Directory model definitions
3.3 Definitions
4 Abbreviations
5 Conventions
6 Frameworks overview
6.1 Digital signatures
SECTION 2 – PUBLIC-KEY CERTIFICATE FRAMEWORK
7 Public-keys and public-key certificates
7.1 Generation of key pairs
7.2 Public-key certificate creation
7.3 Certificate Validity
7.4 Repudiation of a digital signing
8 Public-key certificate and CRL extensions
8.1 Policy handling
8.1.1 Certificate policy
8.1.2 Cross-certification
8.1.3 Policy mapping
8.1.4 Certification path processing
8.1.5 Self-issued certificates
8.2 Key and policy information extensions
8.2.1 Requirements
8.2.2 Public-key certificate and CRL extension fields
8.3 Subject and issuer information extensions
8.3.1 Requirements
8.3.2 Certificate and CRL extension fields
8.4 Certification path constraint extensions
8.4.1 Requirements
8.4.2 Certificate extension fields
8.5 Basic CRL extensions
8.5.1 Requirements
8.5.2 CRL and CRL entry extension fields
8.6 CRL distribution points and delta-CRL extensions
8.6.1 Requirements
8.6.2 CRL distribution point and delta-CRL extension fields
9 Delta CRL relationship to base
10 Certification path processing procedure
10.1 Path processing inputs
10.2 Path processing outputs
10.3 Path processing variables
10.4 Initialization step
10.5 Certificate processing
10.5.1 Basic certificate checks
10.5.2 Processing intermediate certificates
10.5.3 Explicit policy indicator processing
10.5.4 Final processing
11 PKI directory schema
11.1 PKI directory object classes and name forms
11.1.1 PKI user object class
11.1.2 PKI CA object class
11.1.3 CRL distribution points object class and name form
11.1.4 Delta CRL object class
11.1.5 Certificate Policy & CPS object class
11.1.6 PKI certificate path object class
11.2 PKI directory attributes
11.2.1 User certificate attribute
11.2.2 CA certificate attribute
11.2.3 Cross-certificate pair attribute
11.2.4 Certificate revocation list attribute
11.2.5 Authority revocation list attribute
11.2.6 Delta revocation list attribute
11.2.7 Supported algorithms attribute
11.2.8 Certification practice statement attribute
11.2.9 Certificate policy attribute
11.2.10 PKI path attribute
11.3 PKI directory matching rules
11.3.1 Certificate exact match
11.3.2 Certificate match
11.3.3 Certificate pair exact match
11.3.4 Certificate pair match
11.3.5 Certificate list exact match
11.3.6 Certificate list match
11.3.7 Algorithm identifier match
11.3.8 Policy match
11.3.9 PKI path match
11.3.10 Enhanced certificate match
SECTION 3 – ATTRIBUTE CERTIFICATE FRAMEWORK
12 Attribute Certificates
12.1 Attribute certificate structure
12.2 Attribute certificate paths
13 Attribute Authority, SOA and Certification Authority relationship
13.1 Privilege in attribute certificates
13.2 Privilege in public-key certificates
14 PMI models
14.1 General model
14.1.1 PMI in access control context
14.1.2 PMI in a non-repudiation context
14.2 Control model
14.3 Delegation model
14.4 Roles model
14.4.1 Role attribute
14.5 XML privilege information attribute
15 Privilege management certificate extensions
15.1 Basic privilege management extensions
15.1.1 Requirements
15.1.2 Basic privilege management extension fields
15.2 Privilege revocation extensions
15.2.1 Requirements
15.2.2 Privilege revocation extension fields
15.3 Source of Authority extensions
15.3.1 Requirements
15.3.2 SOA extension fields
15.4 Role extensions
15.4.1 Requirements
15.4.2 Role extension fields
15.5 Delegation extensions
15.5.1 Requirements
15.5.2 Delegation extension fields
16 Privilege path processing procedure
16.1 Basic processing procedure
16.2 Role processing procedure
16.3 Delegation processing procedure
16.3.1 Verify integrity of domination rule
16.3.2 Establish valid delegation path
16.3.3 Verify privilege delegation
16.3.4 Pass/fail determination
17 PMI directory schema
17.1 PMI directory object classes
17.1.1 PMI user object class
17.1.2 PMI AA object class
17.1.3 PMI SOA object class
17.1.4 Attribute certificate CRL distribution point object class
17.1.5 PMI delegation path
17.1.6 Privilege policy object class
17.1.7 Protected privilege policy object class
17.2 PMI Directory attributes
17.2.1 Attribute certificate attribute
17.2.2 AA certificate attribute
17.2.3 Attribute descriptor certificate attribute
17.2.4 Attribute certificate revocation list attribute
17.2.5 AA certificate revocation list attribute
17.2.6 Delegation path attribute
17.2.7 Privilege policy attribute
17.2.8 Protected privilege policy attribute
17.2.9 XML Protected privilege policy attribute
17.3 PMI general directory matching rules
17.3.1 Attribute certificate exact match
17.3.2 Attribute certificate match
17.3.3 Holder issuer match
17.3.4 Delegation path match
SECTION 4 – DIRECTORY USE OF PUBLIC-KEY & ATTRIBUTE CERTIFICATE FRAMEWORKS
18 Directory authentication
18.1 Simple authentication procedure
18.1.1 Generation of protected identifying information
18.1.2 Procedure for protected simple authentication
18.1.3 User Password attribute type
18.2 Strong Authentication
18.2.1 Obtaining public-key certificates from the directory
18.2.2 Strong authentication procedures
19 Access control
20 Protection of Directory operations
Annex A – Public-Key and Attribute Certificate Frameworks
A.1 Authentication framework module
A.2 Certificate extensions module
A.3 Attribute Certificate Framework module
Annex B – CRL generation and processing rules
B.1 Introduction
B.1.1 CRL types
B.1.2 CRL processing
B.2 Determine parameters for CRLs
B.3 Determine CRLs required
B.3.1 End-entity with critical CRL DP
B.3.2 End-entity with no critical CRL DP
B.3.3 CA with critical CRL DP
B.3.4 CA with no critical CRL DP
B.4 Obtain CRLs
B.5 Process CRLs
B.5.1 Validate base CRL scope
B.5.2 Validate delta CRL scope
B.5.3 Validity and currency checks on the base CRL
B.5.4 Validity and checks on the delta CRL
Annex C – Examples of delta CRL issuance
Annex D – Privilege policy and privilege attribute definition examples
D.1 Introduction
D.2 Sample syntaxes
D.2.1 First example
D.2.2 Second example
D.3 Privilege attribute example
Annex E – An introduction to public key cryptography
Annex F – Reference definition of algorithm object identifiers
Annex G – Examples of use of certification path constraints
G.1 Example 1: Use of basic constraints
G.2 Example 2: Use of policy mapping and policy constraints
G.3 Use of Name Constraints Extension
G.3.1 Examples of Certificate Format with Name Constraints Extension
G.3.2 Examples of Certificate Handling with Name Constraint Extension
Annex H – Guidance on determining for which policies a certification path is valid
H.1 Certification path valid for a user-specified policy required
H.2 Certification path valid for any policy required
H.3 Certification path valid regardless of policy
H.4 Certification path valid for a user-specific policy desired, but not required
Annex I – Key usage certificate extension issues
Annex J – Alphabetical list of information item definitions
Annex K – Amendments and corrigenda