Table of Contents
SECTION 1 - GENERAL
1 Scope
2 Normative references
2.1 Identical Recommendations / International Standards
2.2 Paired Recommendations / International Standards equivalent in technical content
3 Definitions
3.1 OSI Reference Model security architecture definitions
3.2 Directory model definitions
3.3 Definitions
4 Abbreviations
5 Conventions
6 Frameworks overview
6.1 Digital signatures
SECTION 2 - PUBLIC-KEY CERTIFICATE FRAMEWORK
7 Public-keys and public-key certificates
7.1 Generation of key pairs
7.2 Public-key certificate creation
7.3 Certificate Validity
7.4 Repudiation of a digital signing
8 Public-key certificate and CRL extensions
8.1 Policy handling
8.2 Key and policy information extensions
8.3 Subject and issuer information extensions
8.4 Certification path constraint extensions
8.5 Basic CRL extensions
8.6 CRL distribution points and delta-CRL extensions
9 Delta CRL relationship to base
10 Certification path processing procedure
10.1 Path processing inputs
10.2 Path processing outputs
10.3 Path processing variables
10.4 Initialization step
10.5 Certificate processing
11 PKI directory schema
11.1 PKI directory object classes and name forms
11.2 PKI directory attributes
11.3 PKI directory matching rules
SECTION 3 - ATTRIBUTE CERTIFICATE FRAMEWORK
12 Attribute Certificates
12.1 Attribute certificate structure
12.2 Attribute certificate paths
13 Attribute Authority, SOA and Certification Authority relationship
13.1 Privilege in attribute certificates
13.2 Privilege in public-key certificates
14 PMI models
14.1 General model
14.2 Control model
14.3 Delegation model
14.4 Roles model
14.5 XML privilege information attribute
15 Privilege management certificate extensions
15.1 Basic privilege management extensions
15.2 Privilege revocation extensions
15.3 Source of Authority extensions
15.4 Role extensions
15.5 Delegation extensions
16 Privilege path processing procedure
16.1 Basic processing procedure
16.2 Role processing procedure
16.3 Delegation processing procedure
17 PMI directory schema
17.1 PMI directory object classes
17.2 PMI Directory attributes
17.3 PMI general directory matching rules
SECTION 4 - DIRECTORY USE OF PUBLIC-KEY ATTRIBUTE CERTIFICATE FRAMEWORKS
18 Directory authentication
18.1 Simple authentication procedure
18.2 Strong Authentication
19 Access control
20 Protection of Directory operations
Annex A - Public-Key and Attribute Certificate Frameworks
A.1 Authentication framework module
A.2 Certificate extensions module
A.3 Attribute Certificate Framework module
Annex B - CRL generation and processing rules
B.1 Introduction
B.2 Determine parameters for CRLs
B.3 Determine CRLs required
B.4 Obtain CRLs
B.5 Process CRLs
Annex C - Examples of delta CRL issuance
Annex D - Privilege policy and privilege attribute definition examples
D.1 Introduction
D.2 Sample syntaxes
D.3 Privilege attribute example
Annex E - An introduction to public key cryptography
Annex F - Reference definition of algorithm object identifiers
Annex G - Examples of use of certification path constraints
G.1 Example 1: Use of basic constraints
G.2 Example 2: Use of policy mapping and policy constraints
G.3 Use of Name Constraints Extension
Annex H - Guidance on determining for which policies a certification path is valid
H.1 Certification path valid for a user-specified policy required
H.2 Certification path valid for any policy required
H.3 Certification path valid regardless of policy
H.4 Certification path valid for a user-specific policy desired, but not required
Annex I - Key usage certificate extension issues
Annex J - Alphabetical list of information item definitions
Annex K - Amendments and corrigenda

Abstract
Defines a framework for public-key certificates and attribute certificates. It also defines a framework for the provision of authentication services by the Directory to its users. It describes two levels of authentication: simple authentication, using a password as a verification of claimed identity; and strong authentication, involving credentials formed using cryptographic techniques.