Table of Contents

 1     Scope          
 2     Normative references          
        2.1     Identical Recommendations | International Standards
        2.2     Paired Recommendations | International Standards equivalent in technical content    
        2.3     Recommendations      
        2.4     Other references         
 3     Definitions 
        3.1     OSI Reference Model security architecture definitions               
        3.2     Baseline identity management terms and definitions  
        3.3     Directory model definitions     
        3.4     Access control framework definitions 
        3.5     Public-key and attribute certificate definitions
 4     Abbreviations          
 5     Conventions             
 6     Frameworks overview         
        6.1     Digital signatures          
        6.2     Public-key cryptography and cryptographic algorithms
        6.3     Distinguished encoding of basic encoding rules              
        6.4     Applying distinguished encoding           
        6.5     Using repositories       
 7     Public keys and public-key certificates          
        7.1     Introduction   
        7.2     Public-key certificate  
        7.3     Public-key certificate extensions          
        7.4     Types of public-key certificates             
        7.5     Trust anchor   
        7.6     Entity relationship       
        7.7     Certification path         
        7.8     Generation of key pairs            
        7.9     Public-key certificate creation
       7.10     Certificate revocation list        
       7.11     Uniqueness of names              
       7.12     Indirect CRLs 
       7.13     Repudiation of a digital signing             
 8     Trust models            
        8.1     Three-cornered trust model   
        8.2     Four cornered trust model      
 9     Public-key certificate and CRL extensions    
        9.1     Policy handling              
        9.2     Key and policy information extensions               
        9.3     Subject and issuer information extensions       
        9.4     Certification path constraint extensions            
        9.5     Basic CRL extensions  
        9.6     CRL distribution points and delta CRL extensions           
10     Delta CRL relationship to base         
11     Authorization and validation lists    
       11.1     Authorization and validation list concept          
       11.2     The authorizer             
       11.3     Authorization and validation list syntax             
       11.4     Authorization and validation restrictions          
12     Certification path processing procedure     
       12.1     Path processing inputs             
       12.2     Path processing outputs          
       12.3     Path processing variables        
       12.4     Initialization step        
       12.5     Public-key certificate processing          
13     PKI directory schema           
       13.1     PKI directory object classes and name forms 
       13.2     PKI directory attributes            
       13.3     PKI directory matching rules  
       13.4     PKI directory syntax definitions            
14     Attribute certificates           
       14.1     Attribute certificate structure               
       14.2     Delegation paths        
       14.3     Attribute certificate revocation lists   
15     Attribute authority, source of authority and certification authority relationship        
       15.1     Privilege in attribute certificates          
       15.2     Privilege in public-key certificates       
16     PMI models             
       16.1     General model            
       16.2     Control model              
       16.3     Delegation model       
       16.4     Group assignment model       
       16.5     Roles model  
       16.6     Recognition of Authority Model           
       16.7     XML privilege information attribute   
       16.8     Permission attribute and matching rule            
17     Attribute certificate and attribute certificate revocation list extensions        
       17.1     Basic privilege management extensions           
       17.2     Privilege revocation extensions           
       17.3     Source of authority extensions            
       17.4     Role extensions          
       17.5     Delegation extensions             
       17.6     Recognition of authority extensions  
       17.7     Use of basic CRL extension for ACRLs
18     Delegation path processing procedure        
       18.1     Basic processing procedure    
       18.2     Role processing procedure     
       18.3     Delegation processing procedure        
19     PMI directory schema         
       19.1     PMI directory object classes  
       19.2     PMI directory attributes          
       19.3     PMI general directory matching rules
20     Protocol support for public-key and privilege management infrastructures
       20.1     General syntax            
       20.2     Wrapping of non-encrypted protocol data units           
       20.3     Wrapping of encrypted protocol data unit       
       20.4     Check of PKI-PMI-Wrapper protocol elements             
       20.5     PKI-PMI-Wrapper error codes              
21     Authorization and validation list management         
       21.1     General          
       21.2     Defined protocol data unit (PDU) types            
       21.3     Checking of received PDU      
       21.4     Authorization and validation management protocol   
       21.5     Certification authority subscription protocol   
22     Trust broker protocol          
Annex A – Public-key and attribute certificate frameworks    
Annex B – Reference definition of cryptographic algorithms    
Annex C – Certificate extension attribute types    
        C.1     Certificate extension attribute concept             
        C.2     Formal specification for certificate extension attribute types  
Annex D – External ASN.1 modules    
Annex E – CRL generation and processing rules    
        E.1     Introduction   
        E.2     Determine parameters for CRLs            
        E.3     Determine CRLs required         
        E.4     Obtain CRLs    
        E.5     Process CRLs  
Annex F – Examples of delta CRL issuance    
Annex G – Privilege policy and privilege attribute definition examples     
        G.1     Introduction  
        G.2     Sample syntaxes         
        G.3     Privilege attribute example    
Annex H – An introduction to public key cryptography2)    
Annex I – Examples of use of certification path constraints    
        I.1     Example 1: Use of basic constraints      
        I.2     Example 2: Use of policy mapping and policy constraints             
        I.3     Use of name constraints extension      
Annex J – Guidance on determining for which policies a certification path is valid    
        J.1     Certification path valid for a user-specified policy required        
        J.2     Certification path valid for any policy required 
        J.3     Certification path valid regardless of policy       
        J.4     Certification path valid for a user-specific policy desired, but not required         
Annex K – Key usage certificate extension issues    
Annex L – Deprecated extensions    
        L.1     CRL scope extension   
Annex M – Directory concepts    
        M.1     Scope              
        M.2     Basic directory concepts         
        M.3     Directory schema       
        M.4     Directory distinguished names             
        M.5     Subtrees        
Annex N – Considerations on strong authentication    
        N.1     Introduction  
        N.2     One-way authentication          
        N.3     Two-way authentication          
        N.4     Three-way authentication      
        N.5     Five-way authentication (initiated by A)           
        N.6     Five-way authentication (initiated by B)           
Annex O – Alphabetical list of information item definitions    
Annex P – Amendments and corrigenda