draft-ietf-pkix-ldap-pki-schema-00.txt

PKIX的RFC英文文档

                               %x72.63.65.49.64.65.6E.74.69.66.69.65
                               %x72 ; "uniformResourceIdentifier"

CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
CertPolicyId  = OBJECT-IDENTIFIER

NameConstraintsSyntax = "{"    [ sp ncs-permittedSubtrees ]
                           [ sep sp ncs-excludedSubtrees ]
                                 sp "}"

ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees
ncs-excludedSubtrees  = id-excludedSubtrees  msp GeneralSubtrees
id-permittedSubtrees  = %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72
                           %x65.65.73 ; "permittedSubtrees"
id-excludedSubtrees   = %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65
                           %x65.73 ; "excludedSubtrees"

GeneralSubtrees = "{" sp GeneralSubtree
                     *( "," sp GeneralSubtree ) sp "}"
GeneralSubtree  = "{"      sp gs-base
                     [ "," sp gs-minimum ]
                     [ "," sp gs-maximum ]
                           sp "}"

gs-base      = id-base    msp GeneralName
gs-minimum   = id-minimum msp BaseDistance
gs-maximum   = id-maximum msp BaseDistance
id-base      = %x62.61.73.65          ; "base"
id-minimum   = %x6D.69.6E.69.6D.75.6D ; "minimum"
id-maximum   = %x6D.61.78.69.6D.75.6D ; "maximum"
BaseDistance = INTEGER-0-MAX

The <OBJECT-IDENTIFIER>, <OCTET-STRING>, <IA5String>, <DirectoryString>, 
<RelativeDistinguishedName>, <UTCTime>, <GeneralizedTime>, <INTEGER-0-
MAX> and <ORAddress> rules are given in [16].

4.3 Certificate Pair Exact Match

Certificate pair exact match is defined in 11.3.3 of [9]. The string 
description of the certificatePairExactMatch matching rule is:

( 2.5.13.36 NAME 'certificatePairExactMatch'
    SYNTAX 1.2.826.0.1.3344810.7.8)


The LDAP syntax definition is:

(1.2.826.0.1.3344810.7.8
    DESC 'Certificate Pair Exact Assertion' )

The ASN.1 for CertificatePairExactAssertion is defined in 11.3.3 of [9], 
as are the semantics of each of its component types.

The LDAP-specific encoding of an assertion value of this syntax is 
defined by [13] and described by the following Augmented BNF [10]:

CertificatePairExactAssertion = "{"   [ sp cpea-issuedTo ]
                                   [sep sp cpea-issuedBy ]
                                        sp "}"

At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.

cpea-issuedTo = id-issuedToThisCAAssertion msp
                   CertificateExactAssertion
cpea-issuedBy = id-issuedByThisCAAssertion msp
                   CertificateExactAssertion

id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73.43
                                %x41.41.73.73.65.72.74.69.6F.6E
                                ; "issuedToThisCAAssertion"
id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73.43
                                %x41.41.73.73.65.72.74.69.6F.6E
                                ; "issuedByThisCAAssertion"


4.4 Certificate Pair Match

Certificate pair match is defined in 11.3.4 of [9]. The string 
description of the certificatePairMatch matching rule is:


( 2.5.13.37 NAME 'certificatePairExactMatch'
    SYNTAX 1.2.826.0.1.3344810.7.9)


The LDAP syntax definition is:

(1.2.826.0.1.3344810.7.9
    DESC 'Certificate Pair Assertion' )

The ASN.1 for CertificatePairAssertion is defined in 11.3.4 of [9], as 
are the semantics of each of its component types.

The LDAP-specific encoding of an assertion value of this syntax is 
defined by [13] and described by the following Augmented BNF [10]:


CertificatePairAssertion = "{"   [ sp cpa-issuedTo ]
                              [sep sp cpa-issuedBy ]
                                   sp "}"

At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.

cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion

5 Certificate Revocation List Matching Rules

X.509[9] defines both equality and flexible matching rules for CRLs, via 
the certificateListExactMatch and certificateListMatch MATCHING-RULEs 
respectively. LDAP servers MUST support the certificateListExactMatch 
matching rule. Clients MAY support certificateListExactMatch values for 
equalityMatch filters. LDAPv3 servers MAY support the 
certificateListMatch matching rule. If the server does support flexible 
matching (either via certificateListMatch or some other matching rule), 
then the extensibleMatch filter of the Search request MUST be supported. 
Clients MAY support the extensibleMatch filter and one or more of the 
optional elements of certificateListMatch. 

5.1  Certificate List Exact Match

Certificate List exact match is defined in 11.3.5 of [9]. The string
description of the certificateListExactMatch matching rule is:

( 2.5.13.38 NAME 'certificateListExactMatch'
    SYNTAX 1.2.826.0.1.3344810.7.3)

The syntax definition is:

(1.2.826.0.1.3344810.7.3 DESC 'Certificate List Exact Assertion (Issuer 
name, time and distribution point name)' )

The ASN.1 for CertificateListExactAssertion is defined in 11.3.5 of [9], 
as are the semantics of each of its component types.

The LDAP-specific encoding of an assertion value of this syntax is 
defined by [13] and described 
by the following ABNF:

CertificateListExactAssertion = "{"      sp clea-issuer
                                     "," sp clea-thisUpdate
                                   [ "," sp clea-distributionPoint ]
                                         sp "}"

clea-issuer            = id-issuer msp Name
clea-thisUpdate        = id-thisUpdate msp Time
clea-distributionPoint = id-distributionPoint msp
                            DistributionPointName

id-thisUpdate        = %x74.68.69.73.55.70.64.61.74.65
                          ; "thisUpdate"
id-distributionPoint = %x64.69.73.74.72.69.62.75.74.69.6F.6E
                          %x50.6F.69.6E.74 ; "distributionPoint"

DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer

dpn-fullName                = id-fullName ":" GeneralNames
dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
                                 RelativeDistinguishedName

id-fullName                = %x66.75.6C.6C.4E.61.6D.65 ; "fullName"
id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
                                %x54.6F.43.52.4C.49.73.73.75.65.72
                                ; "nameRelativeToCRLIssuer"


5.2 Certificate List Match

Certificate List match is defined in 11.3.6 of [9]. The string
description of the certificateListMatch matching rule is:

( 2.5.13.39 NAME 'certificateListMatch'
    SYNTAX 1.2.826.0.1.3344810.7.4)

The syntax definition is:

(1.2.826.0.1.3344810.7.4 DESC 'Certificate List Assertion' )

The ASN.1 for CertificateListAssertion is defined in 11.3.6 of [9], as 
are the semantics of its components.

The LDAP-specific encoding of an assertion value of this syntax is 
defined by [13] and describedby the following ABNF:

CertificateListAssertion = "{"    [ sp cla-issuer ]
                              [ sep sp cla-minCRLNumber ]
                              [ sep sp cla-maxCRLNumber ]
                              [ sep sp cla-reasonFlags ]
                              [ sep sp cla-dateAndTime ]
                              [ sep sp cla-distributionPoint ]
                              [ sep sp cla-authorityKeyIdentifier ]
                                    sp "}"

cla-issuer       = id-issuer       msp Name
cla-minCRLNumber = id-minCRLNumber msp CRLNumber
cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
cla-reasonFlags  = id-reasonFlags  msp ReasonFlags
cla-dateAndTime  = id-dateAndTime  msp Time

cla-distributionPoint      = id-distributionPoint msp
                                DistributionPointName
cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
                                AuthorityKeyIdentifier

id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
                     ; "minCRLNumber"
id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
                     ; "maxCRLNumber"
id-reasonFlags  = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; "reasonFlags"
id-dateAndTime  = %x64.61.74.65.41.6E.64.54.69.6D.65 ; "dateAndTime"

CRLNumber = INTEGER-0-MAX

ReasonFlags = BIT-STRING
              / "{" [ sp reason-flag
                   *( "," sp reason-flag ) ] sp "}"

reason-flag = id-unused
              / id-keyCompromise
              / id-cACompromise
              / id-affiliationChanged
              / id-superseded
              / id-cessationOfOperation
              / id-certificateHold
              / id-privilegeWithdrawn
              / id-aACompromise

id-unused               = %x75.6E.75.73.65.64 ; "unused"
id-keyCompromise        = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
                             ; "keyCompromise"
id-cACompromise         = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
                             ; "cACompromise"
id-affiliationChanged   = %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68
                             %x61.6E.67.65.64 ; "affiliationChanged"
id-superseded           = %x73.75.70.65.72.73.65.64.65.64
                             ; "superseded"
id-cessationOfOperation = %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70
                             %x65.72.61.74.69.6F.6E
                             ; "cessationOfOperation"
id-certificateHold      = %x63.65.72.74.69.66.69.63.61.74.65.48.6F
                             %x6C.64 ; "certificateHold"
id-privilegeWithdrawn   = %x70.72.69.76.69.6C.65.67.65.57.69.74.68
                             %x64.72.61.77.6E ; "privilegeWithdrawn"
id-aACompromise         = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
                             ; "aACompromise"


6. PKI Object Classes

6.1 PKI user object class

The PKI user object class MAY be used in defining entries for objects 
that may be the subject of public-key certificates.

     ( 2.5.6.21 NAME 'pkiUser' SUP top AUXILIARY
     MAY userCertificate )

6.2 PKI CA object class

The PKI CA object class MAY be used in defining entries for objects that 
act as certification authorities.

     ( 2.5.6.22 NAME 'pkiCA' SUP top AUXILIARY
     MAY ( cACertificate $ certificateRevocationList $ 
     authorityRevocationList $ crossCertificatePair ) )

6.3 CRL Distribution Point object class

The CRL Distribution Point object class MAY be used in defining entries 
for objects which act as CRL Distribution Points

     ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn
     MAY (certificateRevocationList $ authorityRevocationList $
     DeltaRevocationList ) )

6.4 Delta CRL object class

The delta CRL object class is used in defining entries for objects that 
hold delta revocation lists (e.g. CAs, AAs etc.).

      ( 2.5.6.23 NAME 'deltaCRL' SUP top AUXILIARY 
      MAY deltaRevocationList )


6.5 Certificate Policy and CPS object class

The CP CPS object class MAY be used in defining entries for objects that 
contain certificate policy and / or certification practice information

     ( 2.5.6.30 NAME 'cpCPS' SUP top AUXILIARY MAY ( certificatePolicy $
     certificationPracticeStmt ) )

6.6 PKI Certification Path object class

The PKI certification path object class MAY be used in defining entries 
for objects that contain PKI certification paths. It will generally be 
used in conjunction with entries of structural object class pkiCA.

     ( 2.5.6.31 NAME 'pkiCertPath' SUP top AUXILIARY MAY pkiPath)