Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track

             Lightweight Directory Access Protocol (LDAP)
               Schema Definitions for X.509 Certificates

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes schema for representing X.509 certificates,
   X.521 security information, and related elements in directories
   accessible using the Lightweight Directory Access Protocol (LDAP).
   The LDAP definitions for these X.509 and X.521 schema elements
   replace those provided in RFCs 2252 and 2256.

1.  Introduction

   This document provides LDAP [RFC4510] schema definitions [RFC4512]
   for a subset of elements specified in X.509 [X.509] and X.521
   [X.521], including attribute types for certificates, cross
   certificate pairs, and certificate revocation lists; matching rules
   to be used with these attribute types; and related object classes.
   LDAP syntax definitions are also provided for associated assertion
   and attribute values.

   As the semantics of these elements are as defined in X.509 and X.521,
   knowledge of X.509 and X.521 is necessary to make use of the LDAP
   schema definitions provided herein.

   This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
   in their entirety.

   The changes (in this document) made since RFC 2252 and RFC 2256
   include:

      -  addition of pkiUser, pkiCA, and deltaCRL classes;

Zeilenga                    Standards Track                     [Page 1]

RFC 4523                   LDAP X.509 Schema                   June 2006

      -  update of attribute types to include equality matching rules in
         accordance with their X.500 specifications;

      -  addition of certificate, certificate pair, certificate list,
         and algorithm identifier matching rules; and

      -  addition of LDAP syntax for assertion syntaxes for these
         matching rules.

   This document obsoletes RFC 2587.  The X.509 schema descriptions for
   LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC4512].  Definitions provided here are formatted (line wrapped)
   for readability.

2.  Syntaxes

   This section describes various syntaxes used in LDAP to transfer
   certificates and related data types.

2.1.  Certificate

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

   A value of this syntax is an X.509 Certificate [X.509, clause 7].

   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.2.  CertificateList

      ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

   A value of this syntax is an X.509 CertificateList [X.509, clause
   7.3].

   Due to changes made to the definition of a CertificateList through
   time, no LDAP-specific encoding is defined for this syntax.  Values
   of this syntax SHOULD be encoded using DER [X.690] and MUST only be
   transferred using the ;binary transfer option [RFC4522]; that is, by
   requesting and returning values using attribute descriptions such as
   "certificateRevocationList;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.3.  CertificatePair

      ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

   A value of this syntax is an X.509 CertificatePair [X.509, clause
   11.2.3].

   Due to changes made to the definition of an X.509 CertificatePair
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "crossCertificatePair;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.4.  SupportedAlgorithm

      ( 1.3.6.1.4.1.1466.115.121.1.49
          DESC 'X.509 Supported Algorithm' )

   A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause
   11.2.7].

   Due to changes made to the definition of an X.509 SupportedAlgorithm
   through time, no LDAP-specific encoding is defined for this syntax.
   Values of this syntax SHOULD be encoded using DER [X.690] and MUST
   only be transferred using the ;binary transfer option [RFC4522]; that
   is, by requesting and returning values using attribute descriptions
   such as "supportedAlgorithms;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of the value MUST be preserved as presented.

2.5.  CertificateExactAssertion

      ( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )

   A value of this syntax is an X.509 CertificateExactAssertion [X.509,
   clause 11.3.1].  Values of this syntax MUST be encoded using the
   Generic String Encoding Rules (GSER) [RFC3641].  Appendix A.1
   provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234]
   grammar for this syntax.

2.6.  CertificateAssertion

      ( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )

   A value of this syntax is an X.509 CertificateAssertion [X.509,
   clause 11.3.2].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.2 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.7.  CertificatePairExactAssertion

      ( 1.3.6.1.1.15.3
          DESC 'X.509 Certificate Pair Exact Assertion' )

   A value of this syntax is an X.509 CertificatePairExactAssertion
   [X.509, clause 11.3.3].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.3 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.8.  CertificatePairAssertion

      ( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )

   A value of this syntax is an X.509 CertificatePairAssertion [X.509,
   clause 11.3.4].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.4 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.9.  CertificateListExactAssertion

      ( 1.3.6.1.1.15.5
          DESC 'X.509 Certificate List Exact Assertion' )

   A value of this syntax is an X.509 CertificateListExactAssertion
   [X.509, clause 11.3.5].  Values of this syntax MUST be encoded using
   GSER [RFC3641].  Appendix A.5 provides an equivalent ABNF grammar for
   this syntax.

2.10.  CertificateListAssertion

      ( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )

   A value of this syntax is an X.509 CertificateListAssertion [X.509,
   clause 11.3.6].  Values of this syntax MUST be encoded using GSER
   [RFC3641].  Appendix A.6 provides an equivalent ABNF [RFC4234]
   grammar for this syntax.

2.11.  AlgorithmIdentifier

      ( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )

   A value of this syntax is an X.509 AlgorithmIdentifier [X.509, Clause
   7].  Values of this syntax MUST be encoded using GSER [RFC3641].
   Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this
   syntax.

3.  Matching Rules

   This section introduces a set of certificate and related matching
   rules for use in LDAP.  These rules are intended to act in accordance
   with their X.500 counterparts.

3.1.  certificateExactMatch

   The certificateExactMatch matching rule compares the presented
   certificate exact assertion value with an attribute value of the
   certificate syntax as described in clause 11.3.1 of [X.509].

      ( 2.5.13.34 NAME 'certificateExactMatch'
          DESC 'X.509 Certificate Exact Match'
          SYNTAX 1.3.6.1.1.15.1 )

3.2.  certificateMatch

   The certificateMatch matching rule compares the presented certificate
   assertion value with an attribute value of the certificate syntax as
   described in clause 11.3.2 of [X.509].

      ( 2.5.13.35 NAME 'certificateMatch'
          DESC 'X.509 Certificate Match'
          SYNTAX 1.3.6.1.1.15.2 )

3.3.  certificatePairExactMatch

   The certificatePairExactMatch matching rule compares the presented
   certificate pair exact assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.3 of [X.509].

      ( 2.5.13.36 NAME 'certificatePairExactMatch'
          DESC 'X.509 Certificate Pair Exact Match'
          SYNTAX 1.3.6.1.1.15.3 )

3.4.  certificatePairMatch

   The certificatePairMatch matching rule compares the presented
   certificate pair assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.4 of [X.509].

      ( 2.5.13.37 NAME 'certificatePairMatch'
          DESC 'X.509 Certificate Pair Match'
          SYNTAX 1.3.6.1.1.15.4 )

3.5.  certificateListExactMatch

   The certificateListExactMatch matching rule compares the presented
   certificate list exact assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.5 of [X.509].

      ( 2.5.13.38 NAME 'certificateListExactMatch'
          DESC 'X.509 Certificate List Exact Match'
          SYNTAX 1.3.6.1.1.15.5 )

3.6.  certificateListMatch

   The certificateListMatch matching rule compares the presented
   certificate list assertion value with an attribute value of the
   certificate pair syntax as described in clause 11.3.6 of [X.509].

      ( 2.5.13.39 NAME 'certificateListMatch'
          DESC 'X.509 Certificate List Match'
          SYNTAX 1.3.6.1.1.15.6 )

3.7.  algorithmIdentifierMatch

   The algorithmIdentifierMatch matching rule compares a presented
   algorithm identifier with an attribute value of the supported
   algorithm as described in clause 11.3.7 of [X.509].

      ( 2.5.13.40 NAME 'algorithmIdentifier'
          DESC 'X.509 Algorithm Identifier Match'
          SYNTAX 1.3.6.1.1.15.7 )

4.  Attribute Types

   This section details a set of certificate and related attribute types
   for use in LDAP.

4.1.  userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( 2.5.4.36 NAME 'userCertificate'
          DESC 'X.509 user certificate'
          EQUALITY certificateExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "userCertificate;binary".

4.2.  cACertificate

   The cACertificate attribute holds the X.509 certificates issued to
   the certificate authority (CA), as discussed in clause 11.2.2 of
   [X.509].

      ( 2.5.4.37 NAME 'cACertificate'
          DESC 'X.509 CA certificate'
          EQUALITY certificateExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "cACertificate;binary".

4.3.  crossCertificatePair

   The crossCertificatePair attribute holds an X.509 certificate pair,
   as discussed in clause 11.2.3 of [X.509].

      ( 2.5.4.40 NAME 'crossCertificatePair'
          DESC 'X.509 cross certificate pair'
          EQUALITY certificatePairExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "crossCertificatePair;binary".

4.4.  certificateRevocationList

   The certificateRevocationList attribute holds certificate lists, as
   discussed in 11.2.4 of [X.509].

      ( 2.5.4.39 NAME 'certificateRevocationList'
          DESC 'X.509 certificate revocation list'
          EQUALITY certificateListExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "certificateRevocationList;binary".

4.5.  authorityRevocationList

   The authorityRevocationList attribute holds certificate lists, as
   discussed in 11.2.5 of [X.509].

      ( 2.5.4.38 NAME 'authorityRevocationList'
          DESC 'X.509 authority revocation list'
          EQUALITY certificateListExactMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

   As required by this attribute type's syntax, values of this attribute
   are requested and transferred using the attribute description
   "authorityRevocationList;binary".
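The following is an added example, not text or code from RFC 4523 or the OpenLDAP project. It takes the attribute type descriptions quoted in section 4 (in the RFC 4512 description format), parses them, and enforces the rule stated in sections 2.1 through 2.4 and repeated under each attribute type: a value whose syntax is Certificate, CertificateList, CertificatePair or SupportedAlgorithm MUST be requested with the ";binary" transfer option, so a client asking for plain "userCertificate" is rejected. A small DER sanity check covers the "SHOULD be encoded using DER" and "preserved as presented" requirements by refusing indefinite-length or trailing-garbage values instead of repairing them. All function names here are the example's own.

```python
"""Added example (not part of RFC 4523): schema-driven check that
certificate-bearing attributes are requested with the ;binary option."""
import re

# Syntax OIDs from section 2 whose values MUST be transferred with ;binary.
BINARY_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.8": "Certificate",
    "1.3.6.1.4.1.1466.115.121.1.9": "CertificateList",
    "1.3.6.1.4.1.1466.115.121.1.10": "CertificatePair",
    "1.3.6.1.4.1.1466.115.121.1.49": "SupportedAlgorithm",
}

# Attribute type descriptions exactly as given in section 4 of the RFC.
SCHEMA_TEXT = """
( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate'
  EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
( 2.5.4.37 NAME 'cACertificate' DESC 'X.509 CA certificate'
  EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
( 2.5.4.40 NAME 'crossCertificatePair' DESC 'X.509 cross certificate pair'
  EQUALITY certificatePairExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
( 2.5.4.39 NAME 'certificateRevocationList'
  DESC 'X.509 certificate revocation list'
  EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
( 2.5.4.38 NAME 'authorityRevocationList'
  DESC 'X.509 authority revocation list'
  EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
"""

# Just enough of the RFC 4512 AttributeTypeDescription grammar for these entries.
ATTR_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+DESC\s+'[^']*')?"
    r"(?:\s+EQUALITY\s+(?P<eq>\S+))?"
    r"\s+SYNTAX\s+(?P<syntax>[\d.]+)\s*\)"
)


def parse_attribute_types(text):
    """Map lower-cased attribute name -> {'name', 'oid', 'equality', 'syntax'}."""
    types = {}
    for m in ATTR_RE.finditer(text):
        types[m.group("name").lower()] = {
            "name": m.group("name"),
            "oid": m.group("oid"),
            "equality": m.group("eq"),
            "syntax": m.group("syntax"),
        }
    return types


SCHEMA = parse_attribute_types(SCHEMA_TEXT)


def split_description(attrdesc):
    """RFC 4512 attribute description -> (type name, set of lower-cased options)."""
    head, *opts = attrdesc.split(";")
    return head.strip(), {o.strip().lower() for o in opts if o.strip()}


def required_description(name, schema=SCHEMA):
    """The attribute description a client MUST use to request `name`."""
    entry = schema[name.lower()]
    if entry["syntax"] in BINARY_SYNTAXES:
        return entry["name"] + ";binary"
    return entry["name"]


def check_request(attrdesc, schema=SCHEMA):
    """Validate one requested attribute description; returns (ok, reason)."""
    name, options = split_description(attrdesc)
    entry = schema.get(name.lower())
    if entry is None:
        return False, "unknown attribute type: " + name
    syntax_name = BINARY_SYNTAXES.get(entry["syntax"])
    if syntax_name and "binary" not in options:
        return False, "%s has %s syntax and MUST be requested as %s;binary" % (
            entry["name"], syntax_name, entry["name"])
    return True, "ok"


def looks_like_der(value):
    """Cheap sanity check on a received value: a single definite-length DER
    SEQUENCE whose encoded length matches the byte count.  An indefinite
    length (0x80) or trailing bytes mean the value is not DER; reject it
    rather than re-encode it, since the value must be preserved as presented."""
    if len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:
        return 2 + first == len(value)
    n = first & 0x7F
    if n == 0 or n > 4 or len(value) < 2 + n:
        return False
    length = int.from_bytes(value[2:2 + n], "big")
    return 2 + n + length == len(value)
```

`check_request("userCertificate")` fails with a message naming the required form, while `check_request("USERCERTIFICATE;BINARY")` passes, since both the attribute name and the option are case-insensitive.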
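A second added example, again not code from RFC 4523 or any directory implementation, illustrates the certificateExactMatch rule of section 3.1, which compares a certificate exact assertion (an issuer name together with a serial number) against stored values of the Certificate syntax. It walks the DER of a certificate only as far as tbsCertificate.serialNumber and tbsCertificate.issuer and never re-encodes the stored value, in keeping with section 2.1's requirement that values be preserved as presented. The issuer is compared as exact DER bytes, which is a simplification of X.500 name matching; the certificate it operates on is a constructed, unsigned skeleton built in the block, and every function name is the example's own.

```python
"""Added example (not part of RFC 4523): certificateExactMatch over a DER
certificate using a minimal TLV walker.  Sample data is constructed."""


def der_length(buf, pos):
    """Decode a DER definite length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:                      # 0x80 is the indefinite form, not DER
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag = buf[pos]
    length, start = der_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[start:end], end


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def issuer_and_serial(cert_der):
    """Extract (issuer DER bytes, serialNumber int) from a DER Certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL,
                         serialNumber INTEGER, signature AlgorithmIdentifier,
                         issuer Name, ... }
    """
    tag, cert, end = der_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("value is not a single DER SEQUENCE")
    tag, tbs, _ = der_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = der_tlv(tbs, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = nxt
    tag, serial_bytes, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    _, _, pos = der_tlv(tbs, pos)            # skip signature AlgorithmIdentifier
    start = pos
    tag, _, pos = der_tlv(tbs, pos)          # issuer Name (SEQUENCE OF RDN)
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return tbs[start:pos], serial            # issuer kept as its original bytes


def certificate_exact_match(assertion, cert_der):
    """assertion = (issuer DER bytes, serialNumber); True only if both match."""
    issuer, serial = issuer_and_serial(cert_der)
    return issuer == assertion[0] and serial == assertion[1]


# --- constructed sample data; not a real certificate ----------------------

def sample_issuer_name(cn):
    """Constructed Name holding a single commonName (2.5.4.3) RDN."""
    oid_cn = der_encode(0x06, bytes([0x55, 0x04, 0x03]))
    value = der_encode(0x13, cn.encode("ascii"))        # PrintableString
    atv = der_encode(0x30, oid_cn + value)
    return der_encode(0x30, der_encode(0x31, atv))        # SEQUENCE { SET { atv } }


def sample_certificate(serial, issuer_cn):
    """Constructed, UNSIGNED certificate skeleton: just enough for the walk."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))          # v3
    serial_der = der_encode(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = der_encode(0x30, version + serial_der + alg + sample_issuer_name(issuer_cn))
    signature = der_encode(0x03, b"\x00")                           # empty BIT STRING placeholder
    return der_encode(0x30, tbs + alg + signature)


if __name__ == "__main__":
    cert = sample_certificate(4660, "Example CA")
    print(certificate_exact_match((sample_issuer_name("Example CA"), 4660), cert))
```

A truncated value (for instance the stored bytes with the last byte missing) raises a ValueError from the walker rather than silently matching, which is the behaviour a directory should have for a syntax whose values must be preserved exactly as presented.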
