RFC4523 日本語訳
4523 Lightweight Directory Access Protocol (LDAP) Schema Definitionsfor X.509 Certificates. K. Zeilenga. June 2006. (Format: TXT=43753 bytes) (Obsoletes RFC2252, RFC2256, RFC2587) (Status: PROPOSED STANDARD)
プログラムでの自動翻訳です。
英語原文
Network Working Group K. Zeilenga Request for Comments: 4523 OpenLDAP Foundation Obsoletes: 2252, 2256, 2587 June 2006 Category: Standards Track
Network Working Group K. Zeilenga Request for Comments: 4523 OpenLDAP Foundation Obsoletes: 2252, 2256, 2587 June 2006 Category: Standards Track
Lightweight Directory Access Protocol (LDAP)
Schema Definitions for X.509 Certificates
Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates
Status of This Memo
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright Notice
Copyright (C) The Internet Society (2006).
Copyright (C) The Internet Society (2006).
Abstract
Abstract
This document describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP). The LDAP definitions for these X.509 and X.521 schema elements replace those provided in RFCs 2252 and 2256.
This document describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP). The LDAP definitions for these X.509 and X.521 schema elements replace those provided in RFCs 2252 and 2256.
1. Introduction
1. Introduction
This document provides LDAP [RFC4510] schema definitions [RFC4512] for a subset of elements specified in X.509 [X.509] and X.521 [X.521], including attribute types for certificates, cross certificate pairs, and certificate revocation lists; matching rules to be used with these attribute types; and related object classes. LDAP syntax definitions are also provided for associated assertion and attribute values.
This document provides LDAP [RFC4510] schema definitions [RFC4512] for a subset of elements specified in X.509 [X.509] and X.521 [X.521], including attribute types for certificates, cross certificate pairs, and certificate revocation lists; matching rules to be used with these attribute types; and related object classes. LDAP syntax definitions are also provided for associated assertion and attribute values.
As the semantics of these elements are as defined in X.509 and X.521, knowledge of X.509 and X.521 is necessary to make use of the LDAP schema definitions provided herein.
As the semantics of these elements are as defined in X.509 and X.521, knowledge of X.509 and X.521 is necessary to make use of the LDAP schema definitions provided herein.
This document, together with [RFC4510], obsoletes RFCs 2252 and 2256 in their entirety. The changes (in this document) made since RFC 2252 and RFC 2256 include:
This document, together with [RFC4510], obsoletes RFCs 2252 and 2256 in their entirety. The changes (in this document) made since RFC 2252 and RFC 2256 include:
- addition of pkiUser, pkiCA, and deltaCRL classes;
- addition of pkiUser, pkiCA, and deltaCRL classes;
Zeilenga Standards Track [Page 1] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 1] RFC 4523 LDAP X.509 Schema June 2006
- update of attribute types to include equality matching rules in
accordance with their X.500 specifications;
- update of attribute types to include equality matching rules in accordance with their X.500 specifications;
- addition of certificate, certificate pair, certificate list,
and algorithm identifier matching rules; and
- addition of certificate, certificate pair, certificate list, and algorithm identifier matching rules; and
- addition of LDAP syntax for assertion syntaxes for these
matching rules.
- addition of LDAP syntax for assertion syntaxes for these matching rules.
This document obsoletes RFC 2587. The X.509 schema descriptions for LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].
This document obsoletes RFC 2587. The X.509 schema descriptions for LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].
Schema definitions are provided using LDAP description formats [RFC4512]. Definitions provided here are formatted (line wrapped) for readability.
Schema definitions are provided using LDAP description formats [RFC4512]. Definitions provided here are formatted (line wrapped) for readability.
2. Syntaxes
2. Syntaxes
This section describes various syntaxes used in LDAP to transfer certificates and related data types.
This section describes various syntaxes used in LDAP to transfer certificates and related data types.
2.1. Certificate
2.1. Certificate
( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )
( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )
A value of this syntax is an X.509 Certificate [X.509, clause 7].
A value of this syntax is an X.509 Certificate [X.509, clause 7].
Due to changes made to the definition of a Certificate through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using Distinguished Encoding Rules (DER) [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "userCertificate;binary".
Due to changes made to the definition of a Certificate through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using Distinguished Encoding Rules (DER) [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "userCertificate;binary".
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
2.2. CertificateList
2.2. CertificateList
( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )
( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )
A value of this syntax is an X.509 CertificateList [X.509, clause 7.3].
A value of this syntax is an X.509 CertificateList [X.509, clause 7.3].
Zeilenga Standards Track [Page 2] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 2] RFC 4523 LDAP X.509 Schema June 2006
Due to changes made to the definition of a CertificateList through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "certificateRevocationList;binary".
Due to changes made to the definition of a CertificateList through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "certificateRevocationList;binary".
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
2.3. CertificatePair
2.3. CertificatePair
( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )
( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )
A value of this syntax is an X.509 CertificatePair [X.509, clause 11.2.3].
A value of this syntax is an X.509 CertificatePair [X.509, clause 11.2.3].
Due to changes made to the definition of an X.509 CertificatePair through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "crossCertificatePair;binary".
Due to changes made to the definition of an X.509 CertificatePair through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "crossCertificatePair;binary".
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.
2.4. SupportedAlgorithm
2.4. SupportedAlgorithm
( 1.3.6.1.4.1.1466.115.121.1.49
DESC 'X.509 Supported Algorithm' )
( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'X.509 Supported Algorithm' )
A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause 11.2.7].
A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause 11.2.7].
Due to changes made to the definition of an X.509 SupportedAlgorithm through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "supportedAlgorithms;binary".
Due to changes made to the definition of an X.509 SupportedAlgorithm through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "supportedAlgorithms;binary".
As values of this syntax contain digitally signed data, values of this syntax and the form of the value MUST be preserved as presented.
As values of this syntax contain digitally signed data, values of this syntax and the form of the value MUST be preserved as presented.
Zeilenga Standards Track [Page 3] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 3] RFC 4523 LDAP X.509 Schema June 2006
2.5. CertificateExactAssertion
2.5. CertificateExactAssertion
( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )
( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )
A value of this syntax is an X.509 CertificateExactAssertion [X.509, clause 11.3.1]. Values of this syntax MUST be encoded using the Generic String Encoding Rules (GSER) [RFC3641]. Appendix A.1 provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234] grammar for this syntax.
A value of this syntax is an X.509 CertificateExactAssertion [X.509, clause 11.3.1]. Values of this syntax MUST be encoded using the Generic String Encoding Rules (GSER) [RFC3641]. Appendix A.1 provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234] grammar for this syntax.
2.6. CertificateAssertion
2.6. CertificateAssertion
( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )
( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )
A value of this syntax is an X.509 CertificateAssertion [X.509, clause 11.3.2]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.2 provides an equivalent ABNF [RFC4234] grammar for this syntax.
A value of this syntax is an X.509 CertificateAssertion [X.509, clause 11.3.2]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.2 provides an equivalent ABNF [RFC4234] grammar for this syntax.
2.7. CertificatePairExactAssertion
2.7. CertificatePairExactAssertion
( 1.3.6.1.1.15.3
DESC 'X.509 Certificate Pair Exact Assertion' )
( 1.3.6.1.1.15.3 DESC 'X.509 Certificate Pair Exact Assertion' )
A value of this syntax is an X.509 CertificatePairExactAssertion [X.509, clause 11.3.3]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.3 provides an equivalent ABNF [RFC4234] grammar for this syntax.
A value of this syntax is an X.509 CertificatePairExactAssertion [X.509, clause 11.3.3]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.3 provides an equivalent ABNF [RFC4234] grammar for this syntax.
2.8. CertificatePairAssertion
2.8. CertificatePairAssertion
( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )
( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )
A value of this syntax is an X.509 CertificatePairAssertion [X.509, clause 11.3.4]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.4 provides an equivalent ABNF [RFC4234] grammar for this syntax.
A value of this syntax is an X.509 CertificatePairAssertion [X.509, clause 11.3.4]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.4 provides an equivalent ABNF [RFC4234] grammar for this syntax.
2.9. CertificateListExactAssertion
2.9. CertificateListExactAssertion
( 1.3.6.1.1.15.5
DESC 'X.509 Certificate List Exact Assertion' )
( 1.3.6.1.1.15.5 DESC 'X.509 Certificate List Exact Assertion' )
A value of this syntax is an X.509 CertificateListExactAssertion [X.509, clause 11.3.5]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.5 provides an equivalent ABNF grammar for this syntax.
A value of this syntax is an X.509 CertificateListExactAssertion [X.509, clause 11.3.5]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.5 provides an equivalent ABNF grammar for this syntax.
Zeilenga Standards Track [Page 4] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 4] RFC 4523 LDAP X.509 Schema June 2006
2.10. CertificateListAssertion
2.10. CertificateListAssertion
( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )
( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )
A value of this syntax is an X.509 CertificateListAssertion [X.509, clause 11.3.6]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.6 provides an equivalent ABNF [RFC4234] grammar for this syntax.
A value of this syntax is an X.509 CertificateListAssertion [X.509, clause 11.3.6]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.6 provides an equivalent ABNF [RFC4234] grammar for this syntax.
2.11. AlgorithmIdentifier
2.11. AlgorithmIdentifier
( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )
( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )
A value of this syntax is an X.509 AlgorithmIdentifier [X.509, Clause 7]. Values of this syntax MUST be encoded using GSER [RFC3641].
A value of this syntax is an X.509 AlgorithmIdentifier [X.509, Clause 7]. Values of this syntax MUST be encoded using GSER [RFC3641].
Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this syntax.
Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this syntax.
3. Matching Rules
3. Matching Rules
This section introduces a set of certificate and related matching rules for use in LDAP. These rules are intended to act in accordance with their X.500 counterparts.
This section introduces a set of certificate and related matching rules for use in LDAP. These rules are intended to act in accordance with their X.500 counterparts.
3.1. certificateExactMatch
3.1. certificateExactMatch
The certificateExactMatch matching rule compares the presented certificate exact assertion value with an attribute value of the certificate syntax as described in clause 11.3.1 of [X.509].
The certificateExactMatch matching rule compares the presented certificate exact assertion value with an attribute value of the certificate syntax as described in clause 11.3.1 of [X.509].
( 2.5.13.34 NAME 'certificateExactMatch'
DESC 'X.509 Certificate Exact Match'
SYNTAX 1.3.6.1.1.15.1 )
( 2.5.13.34 NAME 'certificateExactMatch' DESC 'X.509 Certificate Exact Match' SYNTAX 1.3.6.1.1.15.1 )
3.2. certificateMatch
3.2. certificateMatch
The certificateMatch matching rule compares the presented certificate assertion value with an attribute value of the certificate syntax as described in clause 11.3.2 of [X.509].
The certificateMatch matching rule compares the presented certificate assertion value with an attribute value of the certificate syntax as described in clause 11.3.2 of [X.509].
( 2.5.13.35 NAME 'certificateMatch'
DESC 'X.509 Certificate Match'
SYNTAX 1.3.6.1.1.15.2 )
( 2.5.13.35 NAME 'certificateMatch' DESC 'X.509 Certificate Match' SYNTAX 1.3.6.1.1.15.2 )
Zeilenga Standards Track [Page 5] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 5] RFC 4523 LDAP X.509 Schema June 2006
3.3. certificatePairExactMatch
3.3. certificatePairExactMatch
The certificatePairExactMatch matching rule compares the presented certificate pair exact assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.3 of [X.509].
The certificatePairExactMatch matching rule compares the presented certificate pair exact assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.3 of [X.509].
( 2.5.13.36 NAME 'certificatePairExactMatch'
DESC 'X.509 Certificate Pair Exact Match'
SYNTAX 1.3.6.1.1.15.3 )
( 2.5.13.36 NAME 'certificatePairExactMatch' DESC 'X.509 Certificate Pair Exact Match' SYNTAX 1.3.6.1.1.15.3 )
3.4. certificatePairMatch
3.4. certificatePairMatch
The certificatePairMatch matching rule compares the presented certificate pair assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.4 of [X.509].
The certificatePairMatch matching rule compares the presented certificate pair assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.4 of [X.509].
( 2.5.13.37 NAME 'certificatePairMatch'
DESC 'X.509 Certificate Pair Match'
SYNTAX 1.3.6.1.1.15.4 )
( 2.5.13.37 NAME 'certificatePairMatch' DESC 'X.509 Certificate Pair Match' SYNTAX 1.3.6.1.1.15.4 )
3.5. certificateListExactMatch
3.5. certificateListExactMatch
The certificateListExactMatch matching rule compares the presented certificate list exact assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.5 of [X.509].
The certificateListExactMatch matching rule compares the presented certificate list exact assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.5 of [X.509].
( 2.5.13.38 NAME 'certificateListExactMatch'
DESC 'X.509 Certificate List Exact Match'
SYNTAX 1.3.6.1.1.15.5 )
( 2.5.13.38 NAME 'certificateListExactMatch' DESC 'X.509 Certificate List Exact Match' SYNTAX 1.3.6.1.1.15.5 )
3.6. certificateListMatch
3.6. certificateListMatch
The certificateListMatch matching rule compares the presented certificate list assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.6 of [X.509].
The certificateListMatch matching rule compares the presented certificate list assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.6 of [X.509].
( 2.5.13.39 NAME 'certificateListMatch'
DESC 'X.509 Certificate List Match'
SYNTAX 1.3.6.1.1.15.6 )
( 2.5.13.39 NAME 'certificateListMatch' DESC 'X.509 Certificate List Match' SYNTAX 1.3.6.1.1.15.6 )
Zeilenga Standards Track [Page 6] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 6] RFC 4523 LDAP X.509 Schema June 2006
3.7. algorithmIdentifierMatch
3.7. algorithmIdentifierMatch
The algorithmIdentifierMatch mating rule compares a presented algorithm identifier with an attribute value of the supported algorithm as described in clause 11.3.7 of [X.509].
The algorithmIdentifierMatch mating rule compares a presented algorithm identifier with an attribute value of the supported algorithm as described in clause 11.3.7 of [X.509].
( 2.5.13.40 NAME 'algorithmIdentifier'
DESC 'X.509 Algorithm Identifier Match'
SYNTAX 1.3.6.1.1.15.7 )
( 2.5.13.40 NAME 'algorithmIdentifier' DESC 'X.509 Algorithm Identifier Match' SYNTAX 1.3.6.1.1.15.7 )
4. Attribute Types
4. Attribute Types
This section details a set of certificate and related attribute types for use in LDAP.
This section details a set of certificate and related attribute types for use in LDAP.
4.1. userCertificate
4.1. userCertificate
The userCertificate attribute holds the X.509 certificates issued to the user by one or more certificate authorities, as discussed in clause 11.2.1 of [X.509].
The userCertificate attribute holds the X.509 certificates issued to the user by one or more certificate authorities, as discussed in clause 11.2.1 of [X.509].
( 2.5.4.36 NAME 'userCertificate'
DESC 'X.509 user certificate'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "userCertificate;binary".
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "userCertificate;binary".
4.2. cACertificate
4.2. cACertificate
The cACertificate attribute holds the X.509 certificates issued to the certificate authority (CA), as discussed in clause 11.2.2 of [X.509].
The cACertificate attribute holds the X.509 certificates issued to the certificate authority (CA), as discussed in clause 11.2.2 of [X.509].
( 2.5.4.37 NAME 'cACertificate'
DESC 'X.509 CA certificate'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
( 2.5.4.37 NAME 'cACertificate' DESC 'X.509 CA certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "cACertificate;binary".
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "cACertificate;binary".
Zeilenga Standards Track [Page 7] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 7] RFC 4523 LDAP X.509 Schema June 2006
4.3. crossCertificatePair
4.3. crossCertificatePair
The crossCertificatePair attribute holds an X.509 certificate pair, as discussed in clause 11.2.3 of [X.509].
The crossCertificatePair attribute holds an X.509 certificate pair, as discussed in clause 11.2.3 of [X.509].
( 2.5.4.40 NAME 'crossCertificatePair'
DESC 'X.509 cross certificate pair'
EQUALITY certificatePairExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
( 2.5.4.40 NAME 'crossCertificatePair' DESC 'X.509 cross certificate pair' EQUALITY certificatePairExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "crossCertificatePair;binary".
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "crossCertificatePair;binary".
4.4. certificateRevocationList
4.4. certificateRevocationList
The certificateRevocationList attribute holds certificate lists, as discussed in 11.2.4 of [X.509].
The certificateRevocationList attribute holds certificate lists, as discussed in 11.2.4 of [X.509].
( 2.5.4.39 NAME 'certificateRevocationList'
DESC 'X.509 certificate revocation list'
EQUALITY certificateListExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
( 2.5.4.39 NAME 'certificateRevocationList' DESC 'X.509 certificate revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "certificateRevocationList;binary".
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "certificateRevocationList;binary".
4.5. authorityRevocationList
4.5. authorityRevocationList
The authorityRevocationList attribute holds certificate lists, as discussed in 11.2.5 of [X.509].
The authorityRevocationList attribute holds certificate lists, as discussed in 11.2.5 of [X.509].
( 2.5.4.38 NAME 'authorityRevocationList'
DESC 'X.509 authority revocation list'
EQUALITY certificateListExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
( 2.5.4.38 NAME 'authorityRevocationList' DESC 'X.509 authority revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "authorityRevocationList;binary".
As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "authorityRevocationList;binary".
Zeilenga Standards Track [Page 8] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 8] RFC 4523 LDAP X.509 Schema June 2006
4.6. deltaRevocationList
4.6. deltaRevocationList
The deltaRevocationList attribute holds certificate lists, as discussed in 11.2.6 of [X.509].
The deltaRevocationList attribute holds certificate lists, as discussed in 11.2.6 of [X.509].
( 2.5.4.53 NAME 'deltaRevocationList'
DESC 'X.509 delta revocation list'
EQUALITY certificateListExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
( 2.5.4.53 NAME 'deltaRevocationList' DESC 'X.509 delta revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "deltaRevocationList;binary".
As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "deltaRevocationList;binary".
4.7. supportedAlgorithms
4.7. supportedAlgorithms
The supportedAlgorithms attribute holds supported algorithms, as discussed in 11.2.7 of [X.509].
The supportedAlgorithms attribute holds supported algorithms, as discussed in 11.2.7 of [X.509].
( 2.5.4.52 NAME 'supportedAlgorithms'
DESC 'X.509 supported algorithms'
EQUALITY algorithmIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'X.509 supported algorithms' EQUALITY algorithmIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "supportedAlgorithms;binary".
As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "supportedAlgorithms;binary".
5. Object Classes
5. Object Classes
This section details a set of certificate-related object classes for use in LDAP.
This section details a set of certificate-related object classes for use in LDAP.
5.1. pkiUser
5.1. pkiUser
This object class is used in augment entries for objects that may be subject to certificates, as defined in clause 11.1.1 of [X.509].
This object class is used in augment entries for objects that may be subject to certificates, as defined in clause 11.1.1 of [X.509].
( 2.5.6.21 NAME 'pkiUser'
DESC 'X.509 PKI User'
SUP top AUXILIARY
MAY userCertificate )
( 2.5.6.21 NAME 'pkiUser' DESC 'X.509 PKI User' SUP top AUXILIARY MAY userCertificate )
Zeilenga Standards Track [Page 9] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 9] RFC 4523 LDAP X.509 Schema June 2006
5.2. pkiCA
5.2. pkiCA
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 11.1.2 of [X.509]
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 11.1.2 of [X.509]
( 2.5.6.22 NAME 'pkiCA'
DESC 'X.509 PKI Certificate Authority'
SUP top AUXILIARY
MAY ( cACertificate $ certificateRevocationList $
authorityRevocationList $ crossCertificatePair ) )
( 2.5.6.22 NAME 'pkiCA' DESC 'X.509 PKI Certificate Authority' SUP top AUXILIARY MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair ) )
5.3. cRLDistributionPoint
5.3. cRLDistributionPoint
This class is used to represent objects that act as CRL distribution points, as discussed in clause 11.1.3 of [X.509].
This class is used to represent objects that act as CRL distribution points, as discussed in clause 11.1.3 of [X.509].
( 2.5.6.19 NAME 'cRLDistributionPoint'
DESC 'X.509 CRL distribution point'
SUP top STRUCTURAL
MUST cn
MAY ( certificateRevocationList $
authorityRevocationList $ deltaRevocationList ) )
( 2.5.6.19 NAME 'cRLDistributionPoint' DESC 'X.509 CRL distribution point' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) )
5.4. deltaCRL
5.4. deltaCRL
The deltaCRL object class is used to augment entries to hold delta revocation lists, as discussed in clause 11.1.4 of [X.509].
The deltaCRL object class is used to augment entries to hold delta revocation lists, as discussed in clause 11.1.4 of [X.509].
( 2.5.6.23 NAME 'deltaCRL'
DESC 'X.509 delta CRL'
SUP top AUXILIARY
MAY deltaRevocationList )
( 2.5.6.23 NAME 'deltaCRL' DESC 'X.509 delta CRL' SUP top AUXILIARY MAY deltaRevocationList )
5.5. strongAuthenticationUser
5.5. strongAuthenticationUser
This object class is used to augment entries for objects participating in certificate-based authentication, as defined in clause 6.15 of [X.521]. This object class is deprecated in favor of pkiUser.
This object class is used to augment entries for objects participating in certificate-based authentication, as defined in clause 6.15 of [X.521]. This object class is deprecated in favor of pkiUser.
( 2.5.6.15 NAME 'strongAuthenticationUser'
DESC 'X.521 strong authentication user'
SUP top AUXILIARY
MUST userCertificate )
( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'X.521 strong authentication user' SUP top AUXILIARY MUST userCertificate )
Zeilenga Standards Track [Page 10] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 10] RFC 4523 LDAP X.509 Schema June 2006
5.6. userSecurityInformation
5.6. userSecurityInformation
This object class is used to augment entries with needed additional associated security information, as defined in clause 6.16 of [X.521].
This object class is used to augment entries with needed additional associated security information, as defined in clause 6.16 of [X.521].
( 2.5.6.18 NAME 'userSecurityInformation'
DESC 'X.521 user security information'
SUP top AUXILIARY
MAY ( supportedAlgorithms ) )
( 2.5.6.18 NAME 'userSecurityInformation' DESC 'X.521 user security information' SUP top AUXILIARY MAY ( supportedAlgorithms ) )
5.7. certificationAuthority
5.7. certificationAuthority
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.17 of [X.521]. This object class is deprecated in favor of pkiCA.
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.17 of [X.521]. This object class is deprecated in favor of pkiCA.
( 2.5.6.16 NAME 'certificationAuthority'
DESC 'X.509 certificate authority'
SUP top AUXILIARY
MUST ( authorityRevocationList $
certificateRevocationList $ cACertificate )
MAY crossCertificatePair )
( 2.5.6.16 NAME 'certificationAuthority' DESC 'X.509 certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )
5.8. certificationAuthority-V2
5.8. certificationAuthority-V2
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.18 of [X.521]. This object class is deprecated in favor of pkiCA.
This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.18 of [X.521]. This object class is deprecated in favor of pkiCA.
( 2.5.6.16.2 NAME 'certificationAuthority-V2'
DESC 'X.509 certificate authority, version 2'
SUP certificationAuthority AUXILIARY
MAY deltaRevocationList )
( 2.5.6.16.2 NAME 'certificationAuthority-V2' DESC 'X.509 certificate authority, version 2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList )
6. Security Considerations
6. Security Considerations
General certificate considerations [RFC3280] apply to LDAP-aware certificate applications. General LDAP security considerations [RFC4510] apply as well.
General certificate considerations [RFC3280] apply to LDAP-aware certificate applications. General LDAP security considerations [RFC4510] apply as well.
While elements of certificate information are commonly signed, these signatures only protect the integrity of the signed information. In the absence of data integrity protections in LDAP (or lower layer, e.g., IPsec), a server is not assured that client certificate request (or other request) was unaltered in transit. Likewise, a client cannot be assured that the results of the query were unaltered in
While elements of certificate information are commonly signed, these signatures only protect the integrity of the signed information. In the absence of data integrity protections in LDAP (or lower layer, e.g., IPsec), a server is not assured that client certificate request (or other request) was unaltered in transit. Likewise, a client cannot be assured that the results of the query were unaltered in
Zeilenga Standards Track [Page 11] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 11] RFC 4523 LDAP X.509 Schema June 2006
transit. Hence, it is generally recommended that implementations make use of authentication and data integrity services in LDAP [RFC4513][RFC4511].
transit. Hence, it is generally recommended that implementations make use of authentication and data integrity services in LDAP [RFC4513][RFC4511].
7. IANA Considerations
7. IANA Considerations
7.1. Object Identifier Registration
7.1. Object Identifier Registration
The IANA has registered an LDAP Object Identifier [RFC4520] for use in this technical specification.
The IANA has registered an LDAP Object Identifier [RFC4520] for use in this technical specification.
Subject: Request for LDAP OID Registration
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Specification: RFC 4523
Author/Change Controller: IESG
Comments:
Identifies the LDAP X.509 Certificate schema elements
introduced in this document.
Subject: Request for LDAP OID Registration Person & email address to contact for further information: Kurt Zeilenga <kurt@OpenLDAP.org> Specification: RFC 4523 Author/Change Controller: IESG Comments: Identifies the LDAP X.509 Certificate schema elements introduced in this document.
7.2. Descriptor Registration
7.2. Descriptor Registration
The IANA has updated the LDAP Descriptor registry [RFC44520] as indicated below.
The IANA has updated the LDAP Descriptor registry [RFC44520] as indicated below.
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): see table
Object Identifier: see table
Person & email address to contact for further information:
Kurt Zeilenga <kurt@OpenLDAP.org>
Usage: see table
Specification: RFC 4523
Author/Change Controller: IESG
Subject: Request for LDAP Descriptor Registration Descriptor (short name): see table Object Identifier: see table Person & email address to contact for further information: Kurt Zeilenga <kurt@OpenLDAP.org> Usage: see table Specification: RFC 4523 Author/Change Controller: IESG
algorithmIdentifierMatch M 2.5.13.40
authorityRevocationList A 2.5.4.38 *
cACertificate A 2.5.4.37 *
cRLDistributionPoint O 2.5.6.19 *
certificateExactMatch M 2.5.13.34
certificateListExactMatch M 2.5.13.38
certificateListMatch M 2.5.13.39
certificateMatch M 2.5.13.35
certificatePairExactMatch M 2.5.13.36
certificatePairMatch M 2.5.13.37
certificateRevocationList A 2.5.4.39 *
certificationAuthority O 2.5.6.16 *
certificationAuthority-V2 O 2.5.6.16.2 *
crossCertificatePair A 2.5.4.40 *
algorithmIdentifierMatch M 2.5.13.40 authorityRevocationList A 2.5.4.38 * cACertificate A 2.5.4.37 * cRLDistributionPoint O 2.5.6.19 * certificateExactMatch M 2.5.13.34 certificateListExactMatch M 2.5.13.38 certificateListMatch M 2.5.13.39 certificateMatch M 2.5.13.35 certificatePairExactMatch M 2.5.13.36 certificatePairMatch M 2.5.13.37 certificateRevocationList A 2.5.4.39 * certificationAuthority O 2.5.6.16 * certificationAuthority-V2 O 2.5.6.16.2 * crossCertificatePair A 2.5.4.40 *
Zeilenga Standards Track [Page 12] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 12] RFC 4523 LDAP X.509 Schema June 2006
deltaCRL O 2.5.6.23 *
deltaRevocationList A 2.5.4.53 *
pkiCA O 2.5.6.22 *
pkiUser O 2.5.6.21 *
strongAuthenticationUser O 2.5.6.15 *
supportedAlgorithms A 2.5.4.52 *
userCertificate A 2.5.4.36 *
userSecurityInformation O 2.5.6.18 *
deltaCRL O 2.5.6.23 * deltaRevocationList A 2.5.4.53 * pkiCA O 2.5.6.22 * pkiUser O 2.5.6.21 * strongAuthenticationUser O 2.5.6.15 * supportedAlgorithms A 2.5.4.52 * userCertificate A 2.5.4.36 * userSecurityInformation O 2.5.6.18 *
* Updates previous registration
* Updates previous registration
8. Acknowledgements
8. Acknowledgements
This document is based on X.509, a product of the ITU-T. A number of LDAP schema definitions were based on those found in RFCs 2252 and 2256, both products of the IETF ASID WG. The ABNF productions in Appendix A were provided by Steven Legg. Additional material was borrowed from prior works by David Chadwick and Steven Legg to refine the LDAP X.509 schema.
This document is based on X.509, a product of the ITU-T. A number of LDAP schema definitions were based on those found in RFCs 2252 and 2256, both products of the IETF ASID WG. The ABNF productions in Appendix A were provided by Steven Legg. Additional material was borrowed from prior works by David Chadwick and Steven Legg to refine the LDAP X.509 schema.
9. References
9. References
9.1. Normative References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1
Types", RFC 3641, October 2003.
[RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1 Types", RFC 3641, October 2003.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510, June
2006.
[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June
2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.
[RFC4522] Legg, S., "Lightweight Directory Access Protocol (LDAP):
The Binary Encoding Option", RFC 4522, June 2006.
[RFC4522] Legg, S., "Lightweight Directory Access Protocol (LDAP): The Binary Encoding Option", RFC 4522, June 2006.
[X.509] International Telecommunication Union - Telecommunication
Standardization Sector, "The Directory: Authentication
Framework", X.509(2000).
[X.509] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Authentication Framework", X.509(2000).
Zeilenga Standards Track [Page 13] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga Standards Track [Page 13] RFC 4523 LDAP X.509 Schema June 2006
[X.521] International Telecommunication Union - Telecommunication
Standardization Sector, "The Directory: Selected Object
Classes", X.521(2000).
[X.521] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Selected Object Classes", X.521(2000).
[X.690] International Telecommunication Union - Telecommunication
Standardization Sector, "Specification of ASN.1 encoding
rules: Basic Encoding Rules (BER), Canonical Encoding
Rules (CER), and Distinguished Encoding Rules (DER)",
X.690(2002) (also ISO/IEC 8825-1:2002).
[X.690] International Telecommunication Union - Telecommunication Standardization Sector, "Specification of ASN.1 encoding rules: Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)", X.690(2002) (also ISO/IEC 8825-1:2002).
9.2. Informative References
9.2. Informative References
[RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory
Access Protocol", RFC 1777, March 1995.
[RFC1777] YeongとW.とハウズ、T.とS.Kille、「ライトウェイト・ディレクトリ・アクセス・プロトコル」、RFC1777、1995年3月。
[RFC2156] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay):
Mapping between X.400 and RFC 822/MIME", RFC 2156, January
1998.
[RFC2156]Kille、S.、「ミキサー(パントマイムインターネットX.400はリレーを機能アップしました):」 「X.400とRFC822/の間でMIMEを写像します」、RFC2156、1998年1月。
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002.
[RFC3280] Housley、R.、ポーク、W.、フォード、W.、および一人で生活して、「インターネットX.509公開鍵暗号基盤証明書と証明書失効リスト(CRL)は輪郭を描く」D.、RFC3280(2002年4月)。
[RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol
version 2 (LDAPv2) to Historic Status", RFC 3494, March
2003.
[RFC3494]Zeilenga、2003年3月のK.、「Historic Statusへのライトウェイト・ディレクトリ・アクセス・プロトコルバージョン2(LDAPv2)」RFC3494。
[RFC3642] Legg, S., "Common Elements of Generic String Encoding
Rules (GSER) Encodings", RFC 3642, October 2003.
[RFC3642]Legg、S.、「一般的なストリング符号化規則(GSER)Encodingsの一般的なElements」、RFC3642、2003年10月。
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[RFC4234] クロッカー、D.、およびP.Overell、「構文仕様のための増大しているBNF:」 "ABNF"、2005年10月のRFC4234。
[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
Protocol (LDAP): The Protocol", RFC 4511, June 2006.
[RFC4511] Sermersheim、J.、エド、「軽量のディレクトリアクセスは(LDAP)について議定書の中で述べます」。 「プロトコル」、RFC4511、2006年6月。
[RFC4513] Harrison, R. Ed., "Lightweight Directory Access Protocol
(LDAP): Authentication Methods and Security Mechanisms",
RFC 4513, June 2006.
[RFC4513]ハリソン、R.エド、「軽量のディレクトリアクセスは(LDAP)について議定書の中で述べます」。 「認証方法とセキュリティー対策」、RFC4513、6月2006日
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
Considerations for the Lightweight Directory Access
Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
[RFC4520]Zeilenga、K.、「インターネットはライトウェイト・ディレクトリ・アクセス・プロトコル(LDAP)のために数の権威(IANA)に問題を割り当てました」、BCP64、RFC4520、2006年6月。
Zeilenga Standards Track [Page 14] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[14ページ]。
Appendix A.
付録A。
This appendix is informative.
この付録は有益です。
This appendix provides ABNF [RFC4234] grammars for GSER-based [RFC3641] LDAP-specific encodings specified in this document. These grammars where produced using, and relying on, Common Elements for GSER Encodings [RFC3642].
この付録は本書では指定されたGSERベースの[RFC3641]LDAP特有のencodingsのためにABNF[RFC4234]に文法を供給します。 これらの文法のどこの生産された使用、およびGSER Encodingsのためのオン当てにしているCommon Elements[RFC3642]。
A.1. CertificateExactAssertion
A.1。 CertificateExactAssertion
CertificateExactAssertion = "{" sp cea-serialNumber ","
sp cea-issuer sp "}"
「CertificateExactAssertionが等しい、「」 「spセア-serialNumber」、sp cea-発行人sp、」、」
cea-serialNumber = id-serialNumber msp CertificateSerialNumber cea-issuer = id-issuer msp Name
cea-serialNumberはイドserialNumber msp CertificateSerialNumber cea発行人=イド発行人msp Nameと等しいです。
id-serialNumber =
%x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
id-issuer = %x69.73.73.75.65.72 ; 'issuer'
イド-serialNumber=%x73.65.72.69.61.6C.4E.75.6D.62.65.72。 'serialNumber'イド発行人=%x69.73.73.75.65.72。 '発行人'
Name = id-rdnSequence ":" RDNSequence id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'
「イド-rdnSequenceと=を命名してください」:、」 RDNSequenceイド-rdnSequence=%x72.64.6E.53.65.71.75.65.6E.63.65。 'rdnSequence'
CertificateSerialNumber = INTEGER
CertificateSerialNumberは整数と等しいです。
A.2. CertificateAssertion
A.2。 CertificateAssertion
CertificateAssertion = "{" [ sp ca-serialNumber ]
[ sep sp ca-issuer ]
[ sep sp ca-subjectKeyIdentifier ]
[ sep sp ca-authorityKeyIdentifier ]
[ sep sp ca-certificateValid ]
[ sep sp ca-privateKeyValid ]
[ sep sp ca-subjectPublicKeyAlgID ]
[ sep sp ca-keyUsage ]
[ sep sp ca-subjectAltName ]
[ sep sp ca-policy ]
[ sep sp ca-pathToName ]
[ sep sp ca-subject ]
[ sep sp ca-nameConstraints ] sp "}"
CertificateAssertionは「「[sp ca-serialNumber][9月のsp ca-発行人][9月のsp ca-subjectKeyIdentifier][9月のsp ca-authorityKeyIdentifier][9月のsp ca-certificateValid][9月のsp ca-privateKeyValid][9月のsp ca-subjectPublicKeyAlgID][9月のsp ca-keyUsage][9月のsp ca-subjectAltName][9月のsp ca-方針][9月のsp ca-pathToName][9月のsp ca-対象][9月のsp ca-nameConstraints]sp」」と等しいです。
ca-serialNumber = id-serialNumber msp CertificateSerialNumber
ca-issuer = id-issuer msp Name
ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
SubjectKeyIdentifier
ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
AuthorityKeyIdentifier
ca-serialNumber=イドserialNumber msp CertificateSerialNumber ca発行人=イド発行人msp Name ca-subjectKeyIdentifier=イド-subjectKeyIdentifier msp SubjectKeyIdentifier ca-authorityKeyIdentifierはイド-authorityKeyIdentifier msp AuthorityKeyIdentifierと等しいです。
Zeilenga Standards Track [Page 15] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[15ページ]。
ca-certificateValid = id-certificateValid msp Time
ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
OBJECT-IDENTIFIER
ca-keyUsage = id-keyUsage msp KeyUsage
ca-subjectAltName = id-subjectAltName msp AltNameType
ca-policy = id-policy msp CertPolicySet
ca-pathToName = id-pathToName msp Name
ca-subject = id-subject msp Name
ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax
イドpathToName msp Name ca対象=イド対象イド-keyUsage msp KeyUsage ca-subjectAltName=イドsubjectAltName msp AltNameType ca方針=イド方針ca-certificateValid=イド-certificateValid msp Time ca-privateKeyValid=イド-privateKeyValid msp GeneralizedTime ca-subjectPublicKeyAlgID=イド-subjectPublicKeyAlgID msp OBJECT-IDENTIFIER ca-keyUsage=msp CertPolicySet ca-pathToName=msp Name ca-nameConstraintsはイド-nameConstraints msp NameConstraintsSyntaxと等しいです。
id-subjectKeyIdentifier =
%x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
; 'subjectKeyIdentifier'
id-authorityKeyIdentifier =
%x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
; 'authorityKeyIdentifier'
id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
; 'certificateValid'
id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
; 'privateKeyValid'
id-subjectPublicKeyAlgID =
%x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
; 'subjectPublicKeyAlgID'
id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
; 'subjectAltName'
id-policy = %x70.6F.6C.69.63.79 ; 'policy'
id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
; 'nameConstraints'
イド-subjectKeyIdentifier=%x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72。 'subjectKeyIdentifier'イド-authorityKeyIdentifier=%x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72。 'authorityKeyIdentifier'イド-certificateValid=%x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64。 'certificateValid'イド-privateKeyValid=%x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64。 'privateKeyValid'イド-subjectPublicKeyAlgID=%x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44。 'subjectPublicKeyAlgID'イド-keyUsage=%x6B.65.79.55.73.61.67、.65。 'keyUsage'イド-subjectAltName=%x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65。 'subjectAltName'イド方針=%x70.6F.6C.69.63.79。 '方針'イド-pathToName=%x70.61.74.68.54.6F.4E.61.6D.65。 'pathToName'イド対象=%x73.75.62.6A.65.63.74。 '受けることがある'イド-nameConstraints=%x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73。 'nameConstraints'
SubjectKeyIdentifier = KeyIdentifier
SubjectKeyIdentifierはKeyIdentifierと等しいです。
KeyIdentifier = OCTET-STRING
KeyIdentifier=八重奏ストリング
AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
[ sep sp aki-authorityCertIssuer ]
[ sep sp aki-authorityCertSerialNumber ] sp "}"
AuthorityKeyIdentifierは「「[spアキ-keyIdentifier][9月のspアキ-authorityCertIssuer][9月のspアキ-authorityCertSerialNumber]sp」」と等しいです。
aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames
aki-keyIdentifier=イド-keyIdentifier msp KeyIdentifier aki-authorityCertIssuerはイド-authorityCertIssuer msp GeneralNamesと等しいです。
GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
GeneralName = gn-otherName
/ gn-rfc822Name
/ gn-dNSName
GeneralNamesが等しい、「「sp GeneralName*、(「」、sp GeneralName) sp、」、」 GeneralNameはgn-otherName/gn-rfc822Name/gn-dNSNameと等しいです。
Zeilenga Standards Track [Page 16] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[16ページ]。
/ gn-x400Address
/ gn-directoryName
/ gn-ediPartyName
/ gn-uniformResourceIdentifier
/ gn-iPAddress
/ gn-registeredID
/ gn-x400Address / gn-directoryName / gn-ediPartyName / gn-uniformResourceIdentifier / gn-iPAddress / gn-registeredID
gn-otherName = id-otherName ":" OtherName gn-rfc822Name = id-rfc822Name ":" IA5String gn-dNSName = id-dNSName ":" IA5String gn-x400Address = id-x400Address ":" ORAddress gn-directoryName = id-directoryName ":" Name gn-ediPartyName = id-ediPartyName ":" EDIPartyName gn-iPAddress = id-iPAddress ":" OCTET-STRING gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER
「gn-otherNameはイド-otherNameと等しい」:、」 「OtherName gn-rfc822Nameはイド-rfc822Nameと等しい」:、」 「IA5String gn-dNSNameはイド-dNSNameと等しい」:、」 「IA5String gn-x400Addressはイド-x400Addressと等しい」:、」 「ORAddress gn-directoryNameはイド-directoryNameと等しい」:、」 「名前gn-ediPartyNameはイド-ediPartyNameと等しい」:、」 「EDIPartyName gn-iPAddressはイド-iPAddressと等しい」:、」 「イドregisteredIDをgnしていた状態でgn-registeredID=を八重奏で結んでください」:、」 物識別子
gn-uniformResourceIdentifier = id-uniformResourceIdentifier
":" IA5String
「gn-uniformResourceIdentifierはイド-uniformResourceIdentifierと等しい」:、」 IA5String
id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
; 'registeredID'
イド-otherName=%x6F.74.68.65.72.4E.61.6D.65。 イドregisteredIDをgnしている'otherName'=%x72.65.67.69.73.74、.65、.72、.65、.64、.49、.44。 'registeredID'
OtherName = "{" sp on-type-id "," sp on-value sp "}"
on-type-id = id-type-id msp OBJECT-IDENTIFIER
on-value = id-value msp Value
;; <Value> as defined in Section 3 of [RFC3641]
「OtherNameが等しい、「「spにタイプイド」です、」 spオン値がspされる、」、」 タイプイドでは、=イドタイプイドmsp物識別子は値でイド価値のmsp価値と等しいです。 <はセクション3における定義されるとしての>を評価します。[RFC3641]
id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id' id-value = %x76.61.6C.75.65 ; 'value'
イドタイプイド=%x74.79.70.65.2D.69.64。 'タイプイド'イド価値=%x76.61.6C.75.65。 '値'
ORAddress = dquote *SafeIA5Character dquote
SafeIA5Character = %x01-21 / %x23-7F / ; ASCII minus dquote
dquote dquote ; escaped double quote
dquote = %x22 ; '"' (double quote)
ORAddressはdquote*SafeIA5Character dquote SafeIA5Characterと= %x01-21/%x23-7F/等しいです。 ASCIIのマイナスdquote dquote dquote。 逃げられた二重引用文のdquote=%x22。 '"' (二重引用文)
;; Note: The <ORAddress> rule encodes the x400Address component ;; of a GeneralName as a character string between double quotes. ;; The character string is first derived according to Section 4.1 ;; of [RFC2156], and then any embedded double quotes are escaped ;; by being repeated. This resulting string is output between ;; double quotes.
;; 以下に注意してください。 <ORAddress>規則はx400Addressの部品をコード化します。 二重引用符の間の文字列としてのGeneralNameについて。 ;; セクション4.1に従って、文字列は最初に、引き出されます。 [RFC2156]、および次に、二重に埋め込まれたいずれではも、引用文逃げられます。 繰り返されることによって。 ストリングが出力されるこの結果になること。 引用文を倍にしてください。
EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
nameAssigner = id-nameAssigner msp DirectoryString
partyName = id-partyName msp DirectoryString
id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
; 'nameAssigner'
「EDIPartyNameが等しい、「「[sp nameAssigner、」、」、]、sp partyName sp、」、」 nameAssigner=イド-nameAssigner msp DirectoryString partyName=イド-partyName msp DirectoryStringイド-nameAssigner=%x6E.61.6D.65.41.73.73.69.67.6E.65.72。 'nameAssigner'
Zeilenga Standards Track [Page 17] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[17ページ]。
id-partyName = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'
イド-partyName=%x70.61.72.74.79.4E.61.6D.65。 'partyName'
aki-authorityCertSerialNumber = id-authorityCertSerialNumber
msp CertificateSerialNumber
aki-authorityCertSerialNumberはイド-authorityCertSerialNumber msp CertificateSerialNumberと等しいです。
id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
; 'keyIdentifier'
id-authorityCertIssuer =
%x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
; 'authorityCertIssuer'
イド-keyIdentifier=%x6B.65.79.49.64.65.6E.74.69.66.69.65.72。 'keyIdentifier'イド-authorityCertIssuer=%x61.75.74.68.6F.72.69.74.79.43.65、.72、.74、.49、.73、.73、.75、.65、.72。 'authorityCertIssuer'
id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
%x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
; 'authorityCertSerialNumber'
イド-authorityCertSerialNumberは%x61.75.74.68.6F.72.69.74.79.43%のx65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72と等しいです。 'authorityCertSerialNumber'
Time = time-utcTime / time-generalizedTime
time-utcTime = id-utcTime ":" UTCTime
time-generalizedTime = id-generalizedTime ":" GeneralizedTime
id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
; 'generalizedTime'
「時間=時間時間-utcTime/generalizedTime時間-utcTimeはイド-utcTimeと等しい」:、」 「UTCTime時間-generalizedTimeはイド-generalizedTimeと等しい」:、」 GeneralizedTimeイド-utcTime=%x75.74.63.54.69.6D.65。 'utcTime'イド-generalizedTime=%x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65。 'generalizedTime'
KeyUsage = BIT-STRING / key-usage-bit-list
key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"
KeyUsageが主要な用法噛み付いているBIT-STRING/リスト主要な用法噛み付いているリスト=と等しい、「「[sp主要な用法*、(「」、spの主要な用法] sp、」、」
;; Note: The <key-usage-bit-list> rule encodes the one bits in ;; a KeyUsage value as a comma separated list of identifiers.
;; 以下に注意してください。 >規則が1ビットをコード化する<の主要な用法ビットリスト。 コンマとしてのKeyUsage値は識別子のリストを切り離しました。
key-usage = id-digitalSignature
/ id-nonRepudiation
/ id-keyEncipherment
/ id-dataEncipherment
/ id-keyAgreement
/ id-keyCertSign
/ id-cRLSign
/ id-encipherOnly
/ id-decipherOnly
主要な用法はイドイドイドイドイドイドイドイドイド-digitalSignature/nonRepudiation/keyEncipherment/dataEncipherment/keyAgreement/keyCertSign/cRLSign/encipherOnly/decipherOnlyと等しいです。
id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74
%x75.72.65 ; 'digitalSignature'
id-nonRepudiation = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E
; 'nonRepudiation'
id-keyEncipherment = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74
; 'keyEncipherment'
id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E
%x74 ; "dataEncipherment'
id-keyAgreement = %x6B.65.79.41.67.72.65.65.6D.65.6E.74
; 'keyAgreement'
イド-digitalSignature=%x64.69.67.69.74.61.6C.53.69.67.6E.61.74%x75.72.65。 'digitalSignature'イド-nonRepudiation=%x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E。 'nonRepudiation'イド-keyEncipherment=%x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74。 'keyEncipherment'イド-dataEncipherment=%x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E%x74。 「'dataEncipherment'イド-keyAgreement=%x6B.65.79.41.67.72.65.65.6D.65.6E.74」。 'keyAgreement'
Zeilenga Standards Track [Page 18] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[18ページ]。
id-keyCertSign = %x6B.65.79.43.65.72.74.53.69.67.6E
; 'keyCertSign'
id-cRLSign = %x63.52.4C.53.69.67.6E ; "cRLSign"
id-encipherOnly = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79
; 'encipherOnly'
id-decipherOnly = %x64.65.63.69.70.68.65.72.4F.6E.6C.79
; 'decipherOnly'
イド-keyCertSign=%x6B.65.79.43.65.72.74.53.69.67.6E。 'keyCertSign'イド-cRLSign=%x63.52.4C.53.69.67.6E。 "cRLSign"イド-encipherOnly=%x65.6E.63.69.70.68.65.72.4F.6E.6C.79。 'encipherOnly'イド-decipherOnly=%x64.65.63.69.70.68.65.72.4F.6E.6C.79。 'decipherOnly'
AltNameType = ant-builtinNameForm / ant-otherNameForm
AltNameTypeはアリアリ-builtinNameForm/otherNameFormと等しいです。
ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER
「アリ-builtinNameFormはイド-builtinNameFormと等しい」:、」 「BuiltinNameFormアリ-otherNameFormはイド-otherNameFormと等しい」:、」 物識別子
id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D
; 'builtinNameForm'
id-otherNameForm = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D
; 'otherNameForm'
イド-builtinNameForm=%x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D。 'builtinNameForm'イド-otherNameForm=%x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D。 'otherNameForm'
BuiltinNameForm = id-rfc822Name
/ id-dNSName
/ id-x400Address
/ id-directoryName
/ id-ediPartyName
/ id-uniformResourceIdentifier
/ id-iPAddress
/ id-registeredId
BuiltinNameFormはイドイドイドイドイドイドイドイド-rfc822Name/dNSName/x400Address/directoryName/ediPartyName/uniformResourceIdentifier/iPAddress/registeredIdと等しいです。
id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name'
id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName'
id-x400Address = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address'
id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65
; 'directoryName'
id-ediPartyName = %x65.64.69.50.61.72.74.79.4E.61.6D.65
; 'ediPartyName'
id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress'
id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64
; 'registeredId'
イド-rfc822Name=%x72.66.63.38.32.32.4E.61.6D.65。 'rfc822Name'イド-dNSName=%x64.4E.53.4E.61.6D.65。 'dNSName'イド-x400Address=%x78.34.30.30.41.64、.64、.72、.65、.73、.73。 'x400Address'イド-directoryName=%x64.69.72.65.63.74.6F.72.79.4E.61.6D.65。 'directoryName'イド-ediPartyName=%x65.64.69.50.61.72.74.79.4E.61.6D.65。 'ediPartyName'イド-iPAddress=%x69.50.41.64.64.72、.65、.73、.73。 'iPAddress'イド-registeredId=%x72.65.67.69.73.74、.65、.72、.65、.64、.49、.64。 'registeredId'
id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
%x72.63.65.49.64.65.6E.74.69.66.69.65.72
; 'uniformResourceIdentifier'
%x75.6E.69.66.6F.72.6D.52.65.73.6F.75%x72.63.65.49.64.65.6E.74.69.66.69.65イド-uniformResourceIdentifier=.72。 'uniformResourceIdentifier'
CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
CertPolicyId = OBJECT-IDENTIFIER
CertPolicySetが等しい、「「sp CertPolicyId*、(「」、sp CertPolicyId) sp、」、」 CertPolicyIdは物識別子と等しいです。
NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ]
[ sep sp ncs-excludedSubtrees ] sp "}"
NameConstraintsSyntaxは「「[sp ncs-permittedSubtrees][9月のsp ncs-excludedSubtrees]sp」」と等しいです。
Zeilenga Standards Track [Page 19] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[19ページ]。
ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees
ncs-permittedSubtrees=イド-permittedSubtrees msp GeneralSubtrees ncs-excludedSubtreesはイド-excludedSubtrees msp GeneralSubtreesと等しいです。
id-permittedSubtrees =
%x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73
; 'permittedSubtrees'
id-excludedSubtrees =
%x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73
; 'excludedSubtrees'
イド-permittedSubtrees=%x70.65.72.6D.69.74.74.65.64.53、.75、.62、.74、.72、.65、.65、.73。 'permittedSubtrees'イド-excludedSubtrees=%x65.78.63.6C.75.64.65.64.53.75、.62、.74、.72、.65、.65、.73。 'excludedSubtrees'
GeneralSubtrees = "{" sp GeneralSubtree
*( "," sp GeneralSubtree ) sp "}"
GeneralSubtree = "{" sp gs-base
[ "," sp gs-minimum ]
[ "," sp gs-maximum ] sp "}"
GeneralSubtreesが等しい、「「sp GeneralSubtree*、(「」、sp GeneralSubtree) sp、」、」 GeneralSubtreeが等しい、「「sp gs-ベース、[「」、sp gs-最小限]、[「」、sp gs-最大] sp、」、」
gs-base = id-base msp GeneralName gs-minimum = id-minimum msp BaseDistance gs-maximum = id-maximum msp BaseDistance
gs-ベース=イドベースのmsp GeneralName gs最小の=イド最小のmsp BaseDistance gs最大の=イド最大のmsp BaseDistance
id-base = %x62.61.73.65 ; 'base' id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum' id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum'
イドベース=%x62.61.73.65。 'ベース'イド最小限=%x6D.69.6E.69.6D.75.6D。 '最小'のイド最大の=%x6D.61.78.69.6D.75.6D。 '最大です'。
BaseDistance = INTEGER-0-MAX
BaseDistanceは整数0最大と等しいです。
A.3. CertificatePairExactAssertion
A.3。 CertificatePairExactAssertion
CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ]
[sep sp cpea-issuedBy ] sp "}"
;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.
CertificatePairExactAssertionは「「[sp cpea-issuedTo][9月のsp cpea-issuedBy]sp」」と等しいです。 少なくとも<cpea-issuedTo>か<cpea-issuedBy>の1つは存在していなければなりません。
cpea-issuedTo = id-issuedToThisCAAssertion msp
CertificateExactAssertion
cpea-issuedBy = id-issuedByThisCAAssertion msp
CertificateExactAssertion
cpea-issuedTo=イド-issuedToThisCAAssertion msp CertificateExactAssertion cpea-issuedByはイド-issuedByThisCAAssertion msp CertificateExactAssertionと等しいです。
id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
%x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
%x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'
イド-issuedToThisCAAssertion=%のx69.73.73.75.65.64.54.6F.54.68.69.73%のx43.41.41.73.73.65.72.74.69.6F.6E。 'issuedToThisCAAssertion'イド-issuedByThisCAAssertion=%x69.73.73.75.65.64、.42 .79 .54 .68 .69 .73%のx43.41.41.73.73.65.72.74.69.6F.6E。 'issuedByThisCAAssertion'
Zeilenga Standards Track [Page 20] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[20ページ]。
A.4. CertificatePairAssertion
A.4。 CertificatePairAssertion
CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
[sep sp cpa-issuedBy ] sp "}"
;; At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.
CertificatePairAssertionは「「[sp cpa-issuedTo][9月のsp cpa-issuedBy]sp」」と等しいです。 少なくとも<cpa-issuedTo>と<cpa-issuedBy>の1つは存在していなければなりません。
cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion
cpa-issuedTo=イド-issuedToThisCAAssertion msp CertificateAssertion cpa-issuedByはイド-issuedByThisCAAssertion msp CertificateAssertionと等しいです。
A.5. CertificateListExactAssertion
A.5。 CertificateListExactAssertion
CertificateListExactAssertion = "{" sp clea-issuer ","
sp clea-thisUpdate
[ "," sp clea-distributionPoint ] sp "}"
「CertificateListExactAssertionが等しい、「」 「spクリーア-発行人」、spクリーア-thisUpdate、[「」 spクリーア-distributionPoint] sp」、」
clea-issuer = id-issuer msp Name
clea-thisUpdate = id-thisUpdate msp Time
clea-distributionPoint = id-distributionPoint msp
DistributionPointName
clea-発行人=イド発行人msp Name clea-thisUpdate=イド-thisUpdate msp Time clea-distributionPointはイド-distributionPoint msp DistributionPointNameと等しいです。
id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
id-distributionPoint =
%x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
; 'distributionPoint'
イド-thisUpdate=%x74.68.69.73.55.70、.64、.61、.74、.65。 'thisUpdate'イド-distributionPoint=%x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74。 'distributionPoint'
DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer
DistributionPointNameはdpn-fullName / dpn-nameRelativeToCRLIssuerと等しいです。
dpn-fullName = id-fullName ":" GeneralNames
dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
RelativeDistinguishedName
「dpn-fullNameはイド-fullNameと等しい」:、」 「GeneralNames dpn-nameRelativeToCRLIssuerはイド-nameRelativeToCRLIssuerと等しい」:、」 RelativeDistinguishedName
id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
%x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'
イド-fullName=%x66.75.6C.6C.4E.61.6D.65。 %x6E.61.6D.65.52.65.6C.61.74.69.76.65%x54.6F.43.52.4C.49.73.73.75'fullName'イド-nameRelativeToCRLIssuer=.65、.72。 'nameRelativeToCRLIssuer'
A.6. CertificateListAssertion
A.6。 CertificateListAssertion
CertificateListAssertion = "{" [ sp cla-issuer ]
[ sep sp cla-minCRLNumber ]
[ sep sp cla-maxCRLNumber ]
[ sep sp cla-reasonFlags ]
[ sep sp cla-dateAndTime ]
[ sep sp cla-distributionPoint ]
[ sep sp cla-authorityKeyIdentifier ] sp "}"
CertificateListAssertionは「「[sp cla-発行人][9月のsp cla-minCRLNumber][9月のsp cla-maxCRLNumber][9月のsp cla-reasonFlags][9月のsp cla-dateAndTime][9月のsp cla-distributionPoint][9月のsp cla-authorityKeyIdentifier]sp」」と等しいです。
cla-issuer = id-issuer msp Name cla-minCRLNumber = id-minCRLNumber msp CRLNumber cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
cla-発行人=イド発行人msp Name cla-minCRLNumber=イド-minCRLNumber msp CRLNumber cla-maxCRLNumberはイド-maxCRLNumber msp CRLNumberと等しいです。
Zeilenga Standards Track [Page 21] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[21ページ]。
cla-reasonFlags = id-reasonFlags msp ReasonFlags cla-dateAndTime = id-dateAndTime msp Time
cla-reasonFlags=イド-reasonFlags msp ReasonFlags cla-dateAndTimeはイド-dateAndTime msp Timeと等しいです。
cla-distributionPoint = id-distributionPoint msp
DistributionPointName
cla-distributionPointはイド-distributionPoint msp DistributionPointNameと等しいです。
cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
AuthorityKeyIdentifier
cla-authorityKeyIdentifierはイド-authorityKeyIdentifier msp AuthorityKeyIdentifierと等しいです。
id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
; 'minCRLNumber'
id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
; 'maxCRLNumber'
id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'
イド-minCRLNumber=%x6D.69.6E.43.52.4C.4E.75.6D.62.65.72。 'minCRLNumber'イド-maxCRLNumber=%x6D.61.78.43.52.4C.4E.75.6D.62.65.72。 'maxCRLNumber'イド-reasonFlags=%x72.65.61.73.6F.6E.46.6C.61.67.73。 'reasonFlags'イド-dateAndTime=%x64.61.74.65.41.6E.64.54.69.6D.65。 'dateAndTime'
CRLNumber = INTEGER-0-MAX
CRLNumberは整数0最大と等しいです。
ReasonFlags = BIT-STRING
/ "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"
ReasonFlagsがBIT-STRING/と等しい、「「[sp理由旗の*、(「」、sp理由旗] sp、」、」
reason-flag = id-unused
/ id-keyCompromise
/ id-cACompromise
/ id-affiliationChanged
/ id-superseded
/ id-cessationOfOperation
/ id-certificateHold
/ id-privilegeWithdrawn
/ id-aACompromise
理由旗の=イド未使用の/イドでイドイドイド-keyCompromise/cACompromise/affiliationChanged/取って代わられた/イド-cessationOfOperation/イドイドイド-certificateHold/privilegeWithdrawn/aACompromise
id-unused = %x75.6E.75.73.65.64 ; 'unused'
id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
; 'keyCompromise'
id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
; 'cACompromise'
id-affiliationChanged =
%x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
; 'affiliationChanged'
id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
id-cessationOfOperation =
%x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
; 'cessationOfOperation'
id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
; 'certificateHold'
id-privilegeWithdrawn =
%x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
; 'privilegeWithdrawn'
イド未使用の=%x75.6E.75.73.65.64。 '未使用'のイド-keyCompromise=%x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65。 'keyCompromiseする'イド-cACompromise=%x63.41.43.6F.6D.70.72.6F.6D.69.73.65。 'cACompromise'イド-affiliationChanged=%x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64。 イドで取って代わられた=%x73.75.70.65.72.73を'affiliationChangedした'、.65、.64、.65、.64。 '取って代わられた'イド-cessationOfOperation=%x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E。 'cessationOfOperation'イド-certificateHold=%x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64。 'certificateHold'イド-privilegeWithdrawn=%x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E。 'privilegeWithdrawn'
Zeilenga Standards Track [Page 22] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[22ページ]。
id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
; 'aACompromise'
イド-aACompromise=%x61.41.43.6F.6D.70.72.6F.6D.69.73.65。 'aACompromise'
A.7. AlgorithmIdentifier
A.7。 AlgorithmIdentifier
AlgorithmIdentifier = "{" sp ai-algorithm
[ "," sp ai-parameters ] sp "}"
AlgorithmIdentifierが等しい、「「sp ai-アルゴリズム、[「」、sp ai-パラメタ] sp、」、」
ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER ai-parameters = id-parameters msp Value id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm' id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'
イドパラメタmsp Valueイドアルゴリズム=ai-アルゴリズム=イドアルゴリズムmsp OBJECT-IDENTIFIER ai-パラメタ=%x61.6C.67.6F.72.69.74.68.6D。 %x70.61.72.61.6D.65.74.65.72'アルゴリズム'イドパラメタ=.73。 'パラメタ'
Author's Address
作者のアドレス
Kurt D. Zeilenga OpenLDAP Foundation
カートD.Zeilenga OpenLDAP財団
EMail: Kurt@OpenLDAP.org
メール: Kurt@OpenLDAP.org
Zeilenga Standards Track [Page 23] RFC 4523 LDAP X.509 Schema June 2006
Zeilenga規格はLDAP X.509図式2006年6月にRFC4523を追跡します[23ページ]。
Full Copyright Statement
完全な著作権宣言文
Copyright (C) The Internet Society (2006).
Copyright(C)インターネット協会(2006)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
このドキュメントはBCP78に含まれた権利、ライセンス、および制限を受けることがあります、そして、そこに詳しく説明されるのを除いて、作者は彼らのすべての権利を保有します。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
このドキュメントと「そのままで」という基礎と貢献者、その人が代表する組織で提供するか、または後援されて、インターネット協会とインターネット・エンジニアリング・タスク・フォースはすべての保証を放棄します、と急行ORが含意したということであり、他を含んでいて、ここに含まれて、情報の使用がここに侵害しないどんな保証も少しもまっすぐになるという情報か市場性か特定目的への適合性のどんな黙示的な保証。
Intellectual Property
知的所有権
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETFはどんなIntellectual Property Rightsの正当性か範囲、実現に関係すると主張されるかもしれない他の権利、本書では説明された技術の使用またはそのような権利の下におけるどんなライセンスも利用可能であるかもしれない、または利用可能でないかもしれない範囲に関しても立場を全く取りません。 または、それはそれを表しません。どんなそのような権利も特定するためのどんな独立している努力もしました。 BCP78とBCP79でRFCドキュメントの権利に関する手順に関する情報を見つけることができます。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
IPR公開のコピーが利用可能に作られるべきライセンスの保証、または一般的な免許を取得するのが作られた試みの結果をIETF事務局といずれにもしたか、または http://www.ietf.org/ipr のIETFのオンラインIPR倉庫からこの仕様のimplementersかユーザによるそのような所有権の使用のために許可を得ることができます。
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETFはこの規格を実行するのに必要であるかもしれない技術をカバーするかもしれないどんな著作権もその注目していただくどんな利害関係者、特許、特許出願、または他の所有権も招待します。 ietf-ipr@ietf.org のIETFに情報を記述してください。
Acknowledgement
承認
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
RFC Editor機能のための基金はIETF Administrative Support Activity(IASA)によって提供されます。
Zeilenga Standards Track [Page 24]
Zeilenga標準化過程[24ページ]
一覧
スポンサーリンク
