draft-ietf-pkix-ldap-pmi-schema-00.txt
   id-serialNumber = %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; "serialNumber"
   id-issuer = %x69.73.73.75.65.72 ; "issuer"

   AttCertIssuer = "{" [ sp aci-issuerName ]
                       [ sep sp aci-baseCertificateID ]
                       [ sep sp aci-objectDigestInfo ] sp "}"

   At least one of <aci-issuerName>, <aci-baseCertificateID> or
   <aci-objectDigestInfo> MUST be present.

   aci-issuerName = id-issuerName msp GeneralNames
   aci-baseCertificateID = id-baseCertificateID msp IssuerSerial
   aci-objectDigestInfo = id-objectDigestInfo msp ObjectDigestInfo

   id-issuerName = %x69.73.73.75.65.72.4E.61.6D.65 ; "issuerName"

   GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"

   GeneralName = gn-otherName /
                 gn-rfc822Name /
                 gn-dNSName /
                 gn-x400Address /
                 gn-directoryName /
                 gn-ediPartyName /
                 gn-uniformResourceIdentifier /
                 gn-iPAddress /
                 gn-registeredID

   gn-otherName = id-otherName ":" OtherName
   gn-rfc822Name = id-rfc822Name ":" IA5String
   gn-dNSName = id-dNSName ":" IA5String
   gn-x400Address = id-x400Address ":" ORAddress
   gn-directoryName = id-directoryName ":" Name
   gn-ediPartyName = id-ediPartyName ":" EDIPartyName
   gn-iPAddress = id-iPAddress ":" OCTET-STRING
   gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER
   gn-uniformResourceIdentifier = id-uniformResourceIdentifier ":" IA5String

   id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; "otherName"
   id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; "rfc822Name"
   id-dNSName = %x64.4E.53.4E.61.6D.65 ; "dNSName"
   id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; "x400Address"
   id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65 ; "directoryName"
   id-ediPartyName = %x65.64.69.50.61.72.74.79.4E.61.6D.65 ; "ediPartyName"
   id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; "iPAddress"
   id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64 ; "registeredId"
   id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
                                  %x72.63.65.49.64.65.6E.74.69.66.69.65
                                  %x72 ; "uniformResourceIdentifier"
   gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44 ; "registeredID"

   OtherName = "{" sp on-type-id "," sp on-value sp "}"
   on-type-id = id-type-id msp OBJECT-IDENTIFIER
   on-value = id-value msp Value

   id-type-id = %x74.79.70.65.2D.69.64 ; "type-id"
   id-value = %x76.61.6C.75.65 ; "value"

   The <Value> rule is defined in [3].

   EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
   nameAssigner = id-nameAssigner msp DirectoryString
   partyName = id-partyName msp DirectoryString

   id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72 ; "nameAssigner"
   id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; "partyName"

   id-objectDigestInfo = %x6F.62.6A.65.63.74.44.69.67.65.73.74.49.6E
                         %x66.6F ; "objectDigestInfo"

   ObjectDigestInfo = "{" sp odi-digestedObjectType
                          [ "," sp odi-otherObjectTypeID ]
                          "," sp odi-digestAlgorithm
                          "," sp odi-objectDigest sp "}"

   odi-digestedObjectType = id-digestedObjectType msp DigestedObjectType
   odi-otherObjectTypeID = id-otherObjectTypeID msp OBJECT-IDENTIFIER
   odi-digestAlgorithm = id-digestAlgorithm msp AlgorithmIdentifier
   odi-objectDigest = id-objectDigest msp BIT-STRING

   id-digestedObjectType = %x64.69.67.65.73.74.65.64.4F.62.6A.65.63.74
                           %x54.79.70.65 ; "digestedObjectType"
   id-otherObjectTypeID = %x6F.74.68.65.72.4F.62.6A.65.63.74.54.79.70
                          %x65.49.44 ; "otherObjectTypeID"
   id-digestAlgorithm = %x64.69.67.65.73.74.41.6C.67.6F.72.69.74.68
                        %x6D ; "digestAlgorithm"
   id-objectDigest = %x6F.62.6A.65.63.74.44.69.67.65.73.74 ; "objectDigest"

   DigestedObjectType = id-publicKey / id-publicKeyCert / id-otherObjectTypes

   id-publicKey = %x70.75.62.6C.69.63.4B.65.79 ; "publicKey"
   id-publicKeyCert = %x70.75.62.6C.69.63.4B.65.79.43.65.72.74 ; "publicKeyCert"
   id-otherObjectTypes = %x6F.74.68.65.72.4F.62.6A.65.63.74.54.79.70.65
                         %x73 ; "otherObjectTypes"

   AlgorithmIdentifier = "{" sp ai-algorithm [ "," sp ai-parameters ] sp "}"
   ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
   ai-parameters = id-parameters msp Value

   id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; "algorithm"
   id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; "parameters"

   IssuerSerial = "{" sp is-issuer "," sp is-serial [ "," sp is-issuerUID ] sp "}"
   is-issuer = id-issuer msp GeneralNames
   is-serial = id-serial msp CertificateSerialNumber
   is-issuerUID = id-issuerUID msp UniqueIdentifier

   id-serial = %x73.65.72.69.61.6C ; "serial"
   id-issuerUID = %x69.73.73.75.65.72.55.49.44 ; "issuerUID"

   UniqueIdentifier = BIT-STRING

4.2 Attribute Certificate Match

   The attribute certificate matching rule is defined in section 17.3.2
   of [9]. For the convenience of the reader it is reproduced below:

   attributeCertificateMatch MATCHING-RULE ::= {
      SYNTAX  AttributeCertificateAssertion
      ID      { joint-iso-ccitt(2) ds(5) mr(13) attributeCertificateMatch(42) } }

   AttributeCertificateAssertion ::= SEQUENCE {
      holder           [0] CHOICE {
                           baseCertificateID  [0] IssuerSerial,
                           subjectName        [1] GeneralNames } OPTIONAL,
      issuer           [1] GeneralNames OPTIONAL,
      attCertValidity  [2] GeneralizedTime OPTIONAL,
      attType          [3] SET OF AttributeType OPTIONAL }
   -- At least one component of the sequence must be present

   The LDAP definition of the attributeCertificateMatch matching rule
   is:

   ( 2.5.13.42 NAME 'attributeCertificateMatch'
     SYNTAX 1.2.826.0.1.3344810.7.7 )

   The syntax definition is:

   ( 1.2.826.0.1.3344810.7.7 DESC 'Attribute Certificate Assertion' )

   The LDAP string encoding of an assertion value of this syntax is given
   by the following ABNF:

   AttributeCertificateAssertion = "{" [ sp aca-holder ]
                                       [ sep sp aca-issuer ]
                                       [ sep sp aca-attCertValidity ]
                                       [ sep sp aca-attType ] sp "}"

   aca-holder = id-holder msp ACAHolder
   aca-issuer = id-issuer msp GeneralNames
   aca-attCertValidity = id-attCertValidity msp GeneralizedTime
   aca-attType = id-attType msp SETOFAttributeType

   ACAHolder = acah-baseCertificateID / acah-holderName
   acah-baseCertificateID = id-baseCertificateID ":" IssuerSerial
   acah-holderName = id-holderName ":" GeneralNames

   id-baseCertificateID = %x62.61.73.65.43.65.72.74.69.66.69.63.61.74
                          %x65.49.44 ; "baseCertificateID"
   id-holderName = %x68.6F.6C.64.65.72.4E.61.6D.65 ; "holderName"

   SETOFAttributeType = "{" sp AttributeType *( "," sp AttributeType ) sp "}"

   The <AttributeType> rule is given in [6].

5 AC Extensions Matching Rules

   X.509 defines the following matching rules for matching on various
   extensions within an attribute certificate.

5.1 Holder Issuer Match

   Holder Issuer Match is described in section 17.3.3 of [9]. The string
   description of the holderIssuerMatch matching rule is:

   ( 2.5.13.46 NAME 'holderIssuerMatch' SYNTAX 1.2.826.0.1.3344810.7.10 )

   The syntax definition is:

   ( 1.2.826.0.1.3344810.7.10 DESC 'Holder Issuer Assertion' )

   The ASN.1 for HolderIssuerAssertion is defined in 17.3.3 of [9], as
   are the semantics of its components.

   The LDAP string encoding of an assertion value of this syntax is given
   by the following ABNF:

   HolderIssuerAssertion = "{" [ sp hia-holder ] [ sep sp hia-issuer ] sp "}"
   hia-holder = id-holder msp Holder
   hia-issuer = id-issuer msp AttCertIssuer

   Holder = "{" [ sp h-baseCertificateID ]
                [ sep sp h-entityName ]
                [ sep sp h-objectDigestInfo ] sp "}"

   At least one of <h-baseCertificateID>, <h-entityName> or
   <h-objectDigestInfo> MUST be present.

   h-baseCertificateID = id-baseCertificateID msp IssuerSerial
   h-entityName = id-entityName msp GeneralNames
   h-objectDigestInfo = id-objectDigestInfo msp ObjectDigestInfo

   id-entityName = %x65.6E.74.69.74.79.4E.61.6D.65 ; "entityName"

5.2 Delegation Path Match

   Delegation Path Match is described in section 17.3.4 of [9]. The
   string description of the delegationPathMatch matching rule is:

   ( 2.5.13.61 NAME 'delegationPathMatch' SYNTAX 1.2.826.0.1.3344810.7.10 )

   The syntax definition is:

   ( 1.2.826.0.1.3344810.7.10 DESC 'DelMatchSyntax' )

   The ASN.1 for DelMatchSyntax is defined in 17.3.4 of [9], as are the
   semantics of its components.

   The LDAP string encoding of an assertion value of this syntax is given
   by the following ABNF:

   DelMatchSyntax = "{" sp dms-firstIssuer "," sp dms-lastHolder sp "}"
   dms-firstIssuer = id-firstIssuer msp AttCertIssuer
   dms-lastHolder = id-lastHolder msp Holder

   id-firstIssuer = %x66.69.72.73.74.49.73.73.75.65.72 ; "firstIssuer"
   id-lastHolder = %x6C.61.73.74.48.6F.6C.64.65.72 ; "lastHolder"

5.3 Authority Attribute Identifier Match

   Authority Attribute Identifier Match is described in section
   15.5.2.4.1 of [9]. The string description of the authAttIdMatch
   matching rule is:

   ( 2.5.13.53 NAME 'authAttIdMatch' SYNTAX 1.2.826.0.1.3344810.7.12 )

   The syntax definition is:

   ( 1.2.826.0.1.3344810.7.12 DESC 'Authority Attribute Identifier Syntax' )

   The ASN.1 for AuthorityAttributeIdentifierSyntax is defined in
   15.5.2.4 of [9], as are the semantics of its components.

   The LDAP string encoding of an assertion value of this syntax is given
   by the following ABNF:

   AuthorityAttributeIdentifierSyntax = "{" sp AuthAttId
                                            *( "," sp AuthAttId ) sp "}"
   AuthAttId = IssuerSerial

5.4 Role Specification Certificate Identifier Match

   Role Specification Certificate Identifier Match is described in
   section 15.4.2.1.1 of [9]. The string description of the
   roleSpecCertIdMatch matching rule is:

   ( 2.5.13.54 NAME 'roleSpecCertIdMatch' SYNTAX 1.2.826.0.1.3344810.7.13 )

   The syntax definition is:

   ( 1.2.826.0.1.3344810.7.13
     DESC 'Role Specification Certificate Identifier Syntax' )

   The ASN.1 for RoleSpecCertIdentifierSyntax is defined in 15.4.2.1 of
   [9], as are the semantics of its components.

   The LDAP string encoding of an assertion value of this syntax is given
   by the following ABNF:

   RoleSpecCertIdentifierSyntax = "{" sp RoleCertSpecIdentifier
                                      *( "," sp RoleCertSpecIdentifier ) sp "}"

   RoleCertSpecIdentifier = "{" sp rsci-roleName
                                "," sp rsci-roleCertIssuer
                                [ "," sp rsci-roleCertSerialNumber ]
                                [ "," sp rsci-roleCertLocator ] sp "}"

   rsci-roleName = id-roleName msp GeneralName
   rsci-roleCertIssuer = id-roleCertIssuer msp GeneralName
   rsci-roleCertSerialNumber = id-roleCertSerialNumber msp CertificateSerialNumber
   rsci-roleCertLocator = id-roleCertLocator msp GeneralName

   id-roleName = %x72.6F.6C.65.4E.61.6D.65 ; "roleName"
   id-roleCertIssuer = %x72.6F.6C.65.43.65.72.74.49.73.73.75.65
                       %x72 ; "roleCertIssuer"
   id-roleCertSerialNumber = %x72.6F.6C.65.43.65.72.74.53.65.72.69.61
                             %x6C.4E.75.6D.62.65.72 ; "roleCertSerialNumber"
   id-roleCertLocator = %x72.6F.6C.65.43.65.72.74.4C.6F.63.61.74
                        %x6F.72 ; "roleCertLocator"

5.5 Basic Attribute Constraints Match
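The following Python is an added example, not part of the draft or of any implementation: a validating parser for the IssuerSerial string encoding defined above (and the GeneralNames it contains), the value type used by AuthAttId and by baseCertificateID in the assertions above. It assumes the GSER conventions of RFC 3641 for sp/msp, quoted IA5String and '0101'B BIT-STRING values, and accepts only the IA5String GeneralName alternatives (rfc822Name, dNSName, uniformResourceIdentifier); any other alternative, and any trailing data, is rejected rather than silently matched.

```python
import re
# Added example (not from the draft): parse the LDAP string encoding of the
# IssuerSerial rule above, assuming GSER (RFC 3641) conventions for whitespace,
# "quoted" IA5Strings and '0101'B BIT-STRINGs; non-IA5String names are rejected.
_TOKEN = re.compile(r"""("(?:[^"]|"")*")|('[01]*'B)|(\d+)|([A-Za-z]\w*)|([{},:])|(\S)""")
IA5_NAMES = {"rfc822Name", "dNSName", "uniformResourceIdentifier"}
# Constructed sample (not from the draft): two IA5String names, serial, issuerUID.
SAMPLE = ('{ issuer { dNSName:"aa.example.org", rfc822Name:"aa@example.org" },'
          " serial 4660, issuerUID '0101'B }")

def tokenize(text):
    toks = []
    for s, bits, num, ident, punct, bad in _TOKEN.findall(text):
        if s:       toks.append(("str", s[1:-1].replace('""', '"')))  # "" escapes "
        elif bits:  toks.append(("bits", bits[1:-2]))
        elif num:   toks.append(("int", int(num)))
        elif ident: toks.append(("id", ident))
        elif punct: toks.append(("punct", punct))
        else:       raise ValueError(f"unexpected character {bad!r}")
    return toks

def parse_issuer_serial(text):
    toks, pos = tokenize(text), 0
    def take(kind, *values):  # consume one token of this kind (and allowed values)
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of input")
        k, v = toks[pos]
        if k != kind or (values and v not in values):
            raise ValueError(f"expected {kind} {values or ''}, got {v!r}")
        pos += 1
        return v
    def general_names():  # "{" sp GeneralName *( "," sp GeneralName ) sp "}"
        take("punct", "{")
        names = []
        while True:
            alt = take("id", *IA5_NAMES); take("punct", ":")
            names.append((alt, take("str")))
            if take("punct", ",", "}") == "}":
                return names
    # IssuerSerial = "{" sp is-issuer "," sp is-serial [ "," sp is-issuerUID ] sp "}"
    take("punct", "{"); take("id", "issuer")
    out = {"issuer": general_names()}
    take("punct", ","); take("id", "serial")
    out["serial"] = take("int")
    if take("punct", ",", "}") == ",":  # optional issuerUID component
        take("id", "issuerUID")
        out["issuerUID"] = take("bits")
        take("punct", "}")
    if pos != len(toks):
        raise ValueError("trailing data after IssuerSerial")
    return out
```

parse_issuer_serial(SAMPLE) returns the issuer names as (alternative, value) pairs, the serial as an int and the issuerUID as a string of bits; a directoryName or otherName alternative, or anything after the closing brace, raises ValueError.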