draft-ietf-pkix-ldap-pmi-schema-00.txt

PKIX的RFC英文文档

Basic Attribute Constraints Match is described in section 15.5.2.1.1 of 
[9]. The string
description of the holderIssuerMatch matching rule is:

      ( 2.5.13.55 NAME ' basicAttConstraintsMatch '
      SYNTAX 1.2.826.0.1.3344810.7.14)

The syntax definition is:

     (1.2.826.0.1.3344810.7.14 DESC 'Basic Attributes Constraints 
      Syntax' )

The ASN.1 for BasicAttConstraintsSyntax is defined in 15.5.2.1 of [9], 
as are the semantics of its components.

The LDAP string encoding of an assertion value of this syntax is given
by the following ABNF:

BasicAttConstraintsSyntax = "{"    [ sp bacm-authority ]
                               [ sep sp bacm-pathLenConstraint ]
                                     sp "}"
bacm-authority         = id-authority         msp BOOLEAN
bacm-pathLenConstraint = id-pathLenConstraint msp INTEGER-0-MAX
id-authority           = %x61.75.74.68.6F.72.69.74.79 ; "authority"
id-pathLenConstraint   = %x70.61.74.68.4C.65.6E.43.6F.6E.73.74.72.61
                            %x69.6E.74 ; "pathLenConstraint"

The <BOOLEAN> rule is given in [6].

5.6	 Delegated Name Constraints Match

Delegated Name Constraints Match is described in section 15.5.2.2.1 of 
[9]. The string description of the holderIssuerMatch matching rule is:

     ( 2.5.13.56 NAME ' delegatedNameConstraintsMatch'
      SYNTAX 1.2.826.0.1.3344810.7.15)

The syntax definition is:

      (1.2.826.0.1.3344810.7.15 DESC 'Name Constraints Syntax' )

The ASN.1 for NameConstraintsSyntax is defined in 8.4.2.2 of [9], and 
the semantics of its components when used for delegated name constraints 
are described in 15.5.2.2.

The LDAP string encoding of an assertion value of this syntax is given
in Section 4.2.

5.7  Time Specification Match

Time Specification Match is described in section 15.1.2.1.1 of [9]. The 
string description of the timeSpecificationMatch matching rule is:

       ( 2.5.13.57 NAME ' timeSpecificationMatch '
        SYNTAX 1.2.826.0.1.3344810.7.16)

The syntax definition is:

       (1.2.826.0.1.3344810.7.16 DESC 'Time Specification' )

The ASN.1 for TimeSpecification is defined in 7.2 of [7], as are the 
semantics of its components.

The LDAP string encoding of an assertion value of this syntax is given
by the following ABNF:

TimeSpecification = "{"      sp ts-time
                       [ "," sp ts-notThisTime ]
                       [ "," sp ts-timeZone ]
                             sp "}"

ts-time        = id-time        msp TSTime
ts-notThisTime = id-notThisTime msp BOOLEAN
ts-timeZone    = id-timeZone    msp TimeZone
id-time        = %x74.69.6D.65                      ; "time"
id-notThisTime = %x6E.6F.74.54.68.69.73.54.69.6D.65 ; "notThisTime"
id-timeZone    = %x74.69.6D.65.5A.6F.6E.65          ; "timeZone"

TSTime       = tst-absolute / tst-periodic
tst-absolute = id-absolute ":" AbsoluteTime
tst-periodic = id-periodic ":" Periods
AbsoluteTime = "{"    [ sp at-startTime ]
                  [ sep sp at-endTime ]
                        sp "}"
at-startTime = id-startTime msp GeneralizedTime
at-endTime   = id-endTime   msp GeneralizedTime
id-startTime = %x73.74.61.72.74.54.69.6D.65 ; "startTime"
id-endTime   = %x65.6E.64.54.69.6D.65       ; "endTime"

Periods = "{" [ sp Period *( "," sp Period ) ] sp "}"
Period  = "{"    [ sp p-timesOfDay ]
             [ sep sp p-days ]
             [ sep sp p-weeks ]
             [ sep sp p-months ]
             [ sep sp p-years ]
                   sp "}"

p-timesOfDay  = id-timesOfDay msp DayTimeBands
p-days        = id-days       msp Days
p-weeks       = id-weeks      msp Weeks
p-months      = id-months     msp Months
p-years       = id-years      msp Years
id-timesOfDay = %x74.69.6D.65.73.4F.66.44.61.79 ; "timesOfDay"
id-days       = %x64.61.79.73                   ; "days"
id-weeks      = %x77.65.65.6B.73                ; "weeks"
id-months     = %x6D.6F.6E.74.68.73             ; "months"
id-years      = %x79.65.61.72.73                ; "years"

DayTimeBands = "{" sp DayTimeBand *( "," sp DayTimeBand ) sp "}"
DayTimeBand  = "{"    [ sp dtb-startDayTime ]
                  [ sep sp dtb-endDayTime ]
                        sp "}"
dtb-startDayTime = id-startDayTime msp DayTime
dtb-endDayTime   = id-endDayTime   msp DayTime
id-startDayTime  = %x73.74.61.72.74.44.61.79.54.69.6D.65
                      ; "startDayTime"
id-endDayTime    = %x65.6E.64.44.61.79.54.69.6D.65 ; "endDayTime"

DayTime = "{"      sp dt-hour
             [ "," sp dt-minute ]
             [ "," sp dt-second ]
                   sp "}"
dt-hour   = id-hour   msp INTEGER ; 0 to 23
dt-minute = id-minute msp INTEGER ; 0 to 59
dt-second = id-second msp INTEGER ; 0 to 59
id-hour   = %x68.6F.75.72       ; "hour"
id-minute = %x6D.69.6E.75.74.65 ; "minute"
id-second = %x73.65.63.6F.6E.64 ; "second"

Days        = days-intDay / days-bitDay / days-dayOf
days-intDay = id-intDay ":" SET-OF-INTEGER
days-bitDay = id-bitDay ":" BitDay
days-dayOf  = id-dayOf  ":" XDayOf
id-intDay   = %x69.6E.74.44.61.79 ; "intDay"
id-bitDay   = %x62.69.74.44.61.79 ; "bitDay"
id-dayOf    = %x64.61.79.4F.66    ; "dayOf"

SET-OF-INTEGER = "{" [ sp INTEGER *( "," sp INTEGER ) ] "}"

BitDay       = BIT-STRING / day-bit-list
day-bit-list = "{" [ sp day *( "," sp day ) ] sp "}"
day          = %x73.75.6E.64.61.79            ; "sunday"
               / %x6D.6F.6E.64.61.79          ; "monday"
               / %x74.75.65.73.64.61.79       ; "tuesday"
               / %x77.65.64.6E.65.73.64.61.79 ; "wednesday"
               / %x74.68.75.72.73.64.61.79    ; "thursday"
               / %x66.72.69.64.61.79          ; "friday"
               / %x73.61.74.75.72.64.61.79    ; "saturday"

XDayOf = xdo-first / xdo-second / xdo-third / xdo-fourth / xdo-fifth

xdo-first  = id-first  ":" NamedDay
xdo-second = id-second ":" NamedDay
xdo-third  = id-third  ":" NamedDay
xdo-fourth = id-fourth ":" NamedDay
xdo-fifth  = id-fifth  ":" NamedDay

NamedDay        = nd-intNamedDays / nd-bitNamedDays
nd-intNamedDays = id-intNamedDays ":" day
nd-bitNamedDays = id-bitNamedDays ":" ( BIT-STRING / day-bit-list )
id-intNamedDays = %x69.6E.74.4E.61.6D.65.64.44.61.79.73
                     ; "intNamedDays"
id-bitNamedDays = %x62.69.74.4E.61.6D.65.64.44.61.79.73
                     ; "bitNamedDays"

Weeks          = weeks-allWeeks / weeks-intWeek / weeks-bitWeek
weeks-allWeeks = id-allWeeks ":" NULL
weeks-intWeek  = id-intWeek  ":" SET-OF-INTEGER
weeks-bitWeek  = id-bitWeek  ":" BitWeek
id-allWeeks    = %x61.6C.6C.57.65.65.6B.73 ; "allWeeks"
id-intWeek     = %x69.6E.74.57.65.65.6B    ; "intWeek"
id-bitWeek     = %x62.69.74.57.65.65.6B    ; "bitWeek"
BitWeek        = BIT-STRING / week-bit-list
week-bit-list  = "{" [ sp week-bit *( "," sp week-bit ) ] sp "}"
week-bit       = %x77.65.65.6B.31   ; "week1"
                 / %x77.65.65.6B.32 ; "week2"
                 / %x77.65.65.6B.33 ; "week3"
                 / %x77.65.65.6B.34 ; "week4"
                 / %x77.65.65.6B.35 ; "week5"

Months = months-allMonths / months-intMonth / months-bitMonth

months-allMonths = id-allMonths ":" NULL
months-intMonth  = id-intMonth  ":" SET-OF-INTEGER
months-bitMonth  = id-bitMonth  ":" BitMonth
id-allMonths     = %x61.6C.6C.4D.6F.6E.74.68.73 ; "allMonths"
id-intMonth      = %x69.6E.74.4D.6F.6E.74.68    ; "intMonth"
id-bitMonth      = %x62.69.74.4D.6F.6E.74.68    ; "bitMonth"
BitMonth         = BIT-STRING / month-bit-list
month-bit-list   = "{" [ sp month-bit *( "," sp month-bit ) ] sp "}"
month-bit        = %x6A.61.6E.75.61.72.79            ; "january"
                   / %x66.65.62.72.75.61.72.79       ; "february"
                   / %x6D.61.72.63.68                ; "march"
                   / %x61.70.72.69.6C                ; "april"
                   / %x6D.61.79                      ; "may"
                   / %x6A.75.6E.65                   ; "june"
                   / %x6A.75.6C.79                   ; "july"
                   / %x61.75.67.75.73.74             ; "august"
                   / %x22.73.65.70.74.65.6D.62.65.72 ; "september"
                   / %x6F.63.74.6F.62.65.72          ; "october"
                   / %x6E.6F.76.65.6D.62.65.72       ; "november"
                   / %x64.65.63.65.6D.62.65.72       ; "december"

Years = "{" [ sp Year *( "," sp Year ) ] sp "}"
Year  = INTEGER ; must be >= 1000

TimeZone = INTEGER ; -12 to 12

The <NULL> rule is given in [6].

5.8	 Acceptable Certificate Policies Match

Acceptable Certificate Policies Match is described in section 15.5.2.3.1 
of [9]. The string description of the acceptableCertPoliciesMatch 
matching rule is:

     ( 2.5.13.59 NAME 'acceptableCertPoliciesMatch'
      SYNTAX 1.2.826.0.1.3344810.7.17)

The syntax definition is:

(1.2.826.0.1.3344810.7.17 DESC 'Acceptable Certificate Policies Syntax)

The ASN.1 for AcceptableCertPoliciesSyntax is defined in 15.5.2.3 of 
[9], as are the semantics of its components.

The LDAP string encoding of an assertion value of this syntax is given
by the following ABNF:

AcceptableCertPoliciesSyntax = "{" sp CertPolicyId
                                  *( "," sp CertPolicyId ) sp "}"

5.9 Attribute Descriptor Match

Attribute Descriptor Match is described in section 15.3.2.2.1 of [9]. 
The string description of the attDescriptor matching rule is:

     ( 2.5.13.58 NAME 'attDescriptor'
      SYNTAX 1.2.826.0.1.3344810.7.18)

The syntax definition is:

     (1.2.826.0.1.3344810.7.18 DESC 'Attribute Descriptor Syntax')

The ASN.1 for AttributeDescriptorSyntax is defined in 15.3.2.2 of [9], 
as are the semantics of its components.

The LDAP string encoding of an assertion value of this syntax is given
by the following ABNF:

AttributeDescriptorSyntax = "{"      sp ads-identifier
                                 "," sp ads-attributeSyntax
                               [ "," sp ads-name ]
                               [ "," sp ads-description ]
                                 "," sp ads-dominationRule
                                     sp "}"

ads-identifier      = id-identifier msp AttributeIdentifier
ads-attributeSyntax = id-attributeSyntax msp AttributeSyntax
ads-name            = id-name msp AttributeName
ads-description     = id-description msp AttributeDescription
ads-dominationRule  = id-dominationRule msp PrivilegePolicyIdentifier
id-identifier       = %x69.64.65.6E.74.69.66.69.65.72 ; "identifier"
id-attributeSyntax  = %x61.74.74.72.69.62.75.74.65.53.79.6E.74.61.78
                         ; "attributeSyntax"
id-name             = %x6E.61.6D.65 ; "name"
id-description      = %x64.65.73.63.72.69.70.74.69.6F.6E
                         ; "description"
id-dominationRule   = %x64.6F.6D.69.6E.61.74.69.6F.6E.52.75.6C.65
                         ; "dominationRule"

AttributeSyntax      = OCTET-STRING ; an empty string is not allowed
AttributeIdentifier  = AttributeType
AttributeName        = UTF8String ; an empty string is not allowed
AttributeDescription = UTF8String ; an empty string is not allowed

PrivilegePolicyIdentifier = "{" sp ppi-privilegePolicy ","
                                sp ppi-privPolSyntax
                                sp "}"

ppi-privilegePolicy = id-privilegePolicy msp PrivilegePolicy
ppi-privPolSyntax   = id-privPolSyntax   msp InfoSyntax
id-privilegePolicy  = %x70.72.69.76.69.6C.65.67.65.50.6F.6C.69.63.79
                         ; "privilegePolicy"
id-privPolSyntax    = %x70.72.69.76.50.6F.6C.53.79.6E.74.61.78
                         ; "privPolSyntax"

PrivilegePolicy = OBJECT-IDENTIFIER

InfoSyntax = is-content / is-pointer
is-content = id-content ":" DirectoryString
is-pointer = id-pointer ":" InfoSyntaxPointer
id-content = %x63.6F.6E.74.65.6E.74 ; "content"
id-pointer = %x70.6F.69.6E.74.65.72 ; "pointer"

InfoSyntaxPointer = "{"      sp isp-name
                       [ "," sp isp-hash ]
                             sp "}"

isp-name = id-name msp GeneralNames
isp-hash = id-hash msp HASH
id-hash  = %x68.61.73.68 ; "hash"
HASH     = "{" sp h-algorithmIdentifier ","
               sp h-hashValue
               sp "}"

h-algorithmIdentifier = id-algorithmIdentifier msp AlgorithmIdentifier
h-hashValue           = id-hashValue           msp BIT-STRING

id-algorithmIdentifier = %x61.6C.67.6F.72.69.74.68.6D.49.64.65.6E.74
                            %x69.66.69.65.72 ; "algorithmIdentifier"
id-hashValue           = %x68.61.73.68.56.61.6C.75.65 ; "hashValue"

The <UTF8String> rule is given in [6].

5.10 Source of Authority Match

Note. This rule has not been defined by X.509, but this is perhaps an
omission that should be rectified. It is an easy matching rule to
define since it has a null syntax i.e. we will be matching on whether 
the extension is present or not.

Source of Authority Match returns TRUE if an attribute certificate 
contains an SOA Identifier extension. The SOA Identifier extension is 
described in section 15.3.2.1 of [9]. The string description of the 
sOAIdentifierMatch matching rule is:

    ( 2.5.13.x NAME 'sOAIdentifierMatch'
    SYNTAX 1.2.36.79672281.1.5.1)