Network Working Group                                     S. Boeyen
Request for Comments: 2587                                  Entrust
Category: Standards Track                                  T. Howes
                                                           Netscape
                                                         P. Richard
                                                              Xcert
                                                          June 1999
        
Network Working Group                                     S. Boeyen
Request for Comments: 2587                                  Entrust
Category: Standards Track                                  T. Howes
                                                           Netscape
                                                         P. Richard
                                                              Xcert
                                                          June 1999
        

Internet X.509 Public Key Infrastructure LDAPv2 Schema

Internet X.509公钥基础结构LDAPv2架构

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

1. Abstract
1. 摘要

The schema defined in this document is a minimal schema to support PKIX in an LDAPv2 environment, as defined in RFC 2559. Only PKIX-specific components are specified here. LDAP servers, acting as PKIX repositories should support the auxiliary object classes defined in this specification and integrate this schema specification with the generic and other application-specific schemas as appropriate, depending on the services to be supplied by that server.

本文档中定义的模式是在LDAPv2环境中支持PKIX的最低模式,如RFC 2559中所定义。此处仅指定特定于PKIX的组件。充当PKIX存储库的LDAP服务器应支持本规范中定义的辅助对象类,并根据服务器提供的服务,将本架构规范与通用架构和其他特定于应用程序的架构(视情况而定)集成。

The key words 'MUST', 'SHALL', 'REQUIRED', 'SHOULD', 'RECOMMENDED', and 'MAY' in this document are to be interpreted as described in RFC 2119.

本文件中的关键词“必须”、“应”、“要求”、“应”、“建议”和“可能”应按照RFC 2119中的说明进行解释。

2. Introduction
2. 介绍

This specification is part of a multi-part standard for development of a Public Key Infrastructure (PKI) for the Internet. LDAPv2 is one mechanism defined for access to a PKI repository. Other mechanisms, such as http, are also defined. If an LDAP server, accessed by LDAPv2 is used to provide a repository, the minimum requirement is that the repository support the addition of X.509 certificates to directory

本规范是互联网公钥基础设施(PKI)开发多部分标准的一部分。LDAPv2是为访问PKI存储库而定义的一种机制。还定义了其他机制,如http。如果使用LDAPv2访问的LDAP服务器来提供存储库,则存储库支持将X.509证书添加到目录

entries. Certificate Revocation List (CRL)is one mechanism for publishing revocation information in a repository. Other mechanisms, such as http, are also defined.

条目。证书吊销列表(CRL)是在存储库中发布吊销信息的一种机制。还定义了其他机制,如http。

This specification defines the attributes and object classes to be used by LDAP servers acting as PKIX repositories and to be understood by LDAP clients communicating with such repositories to query, add, modify and delete PKI information. Some object classes and attributes defined in X.509 are duplicated here for completeness. For end entities and Certification Authorities (CA), the earlier X.509 defined object classes mandated inclusion of attributes which are optional for PKIX. Also, because of the mandatory attribute specification, this would have required dynamic modification of the object class attribute should the attributes not always be present in entries. For these reasons, alternative object classes are defined in this document for use by LDAP servers acting as PKIX repositories.

本规范定义了充当PKIX存储库的LDAP服务器要使用的属性和对象类,以及与此类存储库通信以查询、添加、修改和删除PKI信息的LDAP客户端要理解的属性和对象类。为了完整起见,这里复制了X.509中定义的一些对象类和属性。对于终端实体和证书颁发机构(CA),早期的X.509定义的对象类要求包含PKIX可选的属性。此外,由于强制属性规范,如果属性不总是出现在条目中,则需要动态修改对象类属性。由于这些原因,本文档中定义了替代对象类,供充当PKIX存储库的LDAP服务器使用。

3. PKIX Repository Objects
3. PKIX存储库对象

The primary PKIX objects to be represented in a repository are:

存储库中要表示的主要PKIX对象包括:

- End Entities - Certification Authorities (CA)

- 终端实体-认证机构(CA)

These objects are defined in RFC 2459.

这些对象在RFC 2459中定义。

3.1. End Entities
3.1. 终端实体

For purposes of PKIX schema definition, the role of end entities as subjects of certificates is the major aspect relevant to this specification. End entities may be human users, or other types of entities to which certificates may be issued. In some cases, the entry for the end entity may already exist and the PKI-specific information is added to the existing entry. In other cases the entry may not exist prior to the issuance of a certificate, in which case the entity adding the certificate may also need to create the entry. Schema elements used to represent the non PKIX aspects of an entry, such as the structural object class used to represent organizational persons, may vary, depending on the particular environment and set of applications served and are outside the scope of this specification.

就PKIX模式定义而言,最终实体作为证书主体的角色是与本规范相关的主要方面。最终实体可以是人类用户,或者可以向其颁发证书的其他类型的实体。在某些情况下,最终实体的条目可能已经存在,并且特定于PKI的信息会添加到现有条目中。在其他情况下,在颁发证书之前,条目可能不存在,在这种情况下,添加证书的实体可能还需要创建条目。用于表示条目的非PKIX方面的架构元素(例如用于表示组织人员的结构对象类)可能会有所不同,具体取决于特定环境和所服务的应用程序集,并且不在本规范的范围内。

The following auxiliary object class MAY be used to represent certificate subjects:

以下辅助对象类可用于表示证书主题:

pkiUser   OBJECT-CLASS   ::= {
   SUBCLASS OF   { top}
   KIND          auxiliary
   MAY CONTAIN   {userCertificate}
   ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiUser(21)}
        
pkiUser   OBJECT-CLASS   ::= {
   SUBCLASS OF   { top}
   KIND          auxiliary
   MAY CONTAIN   {userCertificate}
   ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiUser(21)}
        
userCertificate    ATTRIBUTE  ::=  {
     WITH SYNTAX   Certificate
     EQUALITY MATCHING RULE   certificateExactMatch
     ID  joint-iso-ccitt(2) ds(5) attributeType(4) userCertificate(36) }
        
userCertificate    ATTRIBUTE  ::=  {
     WITH SYNTAX   Certificate
     EQUALITY MATCHING RULE   certificateExactMatch
     ID  joint-iso-ccitt(2) ds(5) attributeType(4) userCertificate(36) }
        

An end entity may obtain one or more certificates from one or more Certification Authorities. The userCertificate attribute MUST be used to represent these certificates in the directory entry representing that user.

最终实体可从一个或多个认证机构获得一个或多个证书。userCertificate属性必须用于在表示该用户的目录项中表示这些证书。

3.2. Certification Authorities
3.2. 认证机构

As with end entities, Certification Authorities are typically represented in directories as auxiliary components of entries representing a more generic object, such as organizations, organizational units etc. The non PKIX-specific schema elements for these entries, such as the structural object class of the object, are outside the scope of this specification.

与终端实体一样,证书颁发机构通常在目录中表示为表示更通用对象的条目的辅助组件,如组织、组织单位等。这些条目的非PKIX特定模式元素,如对象的结构对象类,不在本规范的范围内。

The following auxiliary object class MAY be used to represent Certification Authorities:

以下辅助对象类可用于表示认证机构:

pkiCA   OBJECT-CLASS   ::= {
   SUBCLASS OF   { top}
   KIND          auxiliary
   MAY CONTAIN   {cACertificate |
                  certificateRevocationList |
                  authorityRevocationList |
                  crossCertificatePair }
   ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiCA(22)}
        
pkiCA   OBJECT-CLASS   ::= {
   SUBCLASS OF   { top}
   KIND          auxiliary
   MAY CONTAIN   {cACertificate |
                  certificateRevocationList |
                  authorityRevocationList |
                  crossCertificatePair }
   ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiCA(22)}
        
cACertificate    ATTRIBUTE  ::=  {
     WITH SYNTAX   Certificate
     EQUALITY MATCHING RULE   certificateExactMatch
     ID  joint-iso-ccitt(2) ds(5) attributeType(4) cACertificate(37) }
        
cACertificate    ATTRIBUTE  ::=  {
     WITH SYNTAX   Certificate
     EQUALITY MATCHING RULE   certificateExactMatch
     ID  joint-iso-ccitt(2) ds(5) attributeType(4) cACertificate(37) }
        
crossCertificatePairATTRIBUTE::={
   WITH SYNTAX   CertificatePair
   EQUALITY MATCHING RULE certificatePairExactMatch
 ID joint-iso-ccitt(2) ds(5) attributeType(4) crossCertificatePair(40)}
        
crossCertificatePairATTRIBUTE::={
   WITH SYNTAX   CertificatePair
   EQUALITY MATCHING RULE certificatePairExactMatch
 ID joint-iso-ccitt(2) ds(5) attributeType(4) crossCertificatePair(40)}
        

The cACertificate attribute of a CA's directory entry shall be used to store self-issued certificates (if any) and certificates issued to this CA by CAs in the same realm as this CA.

CA目录项的cACertificate属性应用于存储自颁发的证书(如果有)以及CAs在与此CA相同的域中向此CA颁发的证书。

The forward elements of the crossCertificatePair attribute of a CA's directory entry shall be used to store all, except self-issued certificates issued to this CA. Optionally, the reverse elements of the crossCertificatePair attribute, of a CA's directory entry may contain a subset of certificates issued by this CA to other CAs. When both the forward and the reverse elements are present in a single attribute value, issuer name in one certificate shall match the subject name in the other and vice versa, and the subject public key in one certificate shall be capable of verifying the digital signature on the other certificate and vice versa.

CA目录项的crossCertificatePair属性的正向元素应用于存储除颁发给该CA的自颁发证书外的所有证书。CA目录项的crossCertificatePair属性的反向元素也可以包含该CA颁发给其他CA的证书的子集。当正向和反向元素都存在于单个属性值中时,一个证书中的颁发者名称应与另一个证书中的主体名称匹配,反之亦然,并且一个证书中的主体公钥应能够验证另一个证书上的数字签名,反之亦然。

When a reverse element is present, the forward element value and the reverse element value need not be stored in the same attribute value; in other words, they can be stored in either a single attribute value or two attribute values.

当存在反向元素时,正向元素值和反向元素值不需要存储在同一属性值中;换句话说,它们可以存储在单个属性值或两个属性值中。

In the case of V3 certificates, none of the above CA certificates shall include a basicConstraints extension with the cA value set to FALSE.

对于V3证书,上述CA证书均不应包含CA值设置为FALSE的basicConstraints扩展。

The definition of realm is purely a matter of local policy.

领域的定义纯粹是地方政策的问题。

      certificateRevocationListATTRIBUTE::={
           WITH SYNTAX  CertificateList
           EQUALITY MATCHING RULE certificateListExactMatch
        ID joint-iso-ccitt(2) ds(5) attributeType(4)
           certificateRevocationList(39)}
        
      certificateRevocationListATTRIBUTE::={
           WITH SYNTAX  CertificateList
           EQUALITY MATCHING RULE certificateListExactMatch
        ID joint-iso-ccitt(2) ds(5) attributeType(4)
           certificateRevocationList(39)}
        

The certificateRevocationList attribute, if present in a particular CA's entry, contains CRL(s) as defined in RFC 2459.

CertificateReliationList属性(如果存在于特定CA的条目中)包含RFC 2459中定义的CRL。

      authorityRevocationListATTRIBUTE::={
         WITH SYNTAX   CertificateList
         EQUALITY MATCHING RULE certificateListExactMatch
       ID joint-iso-ccitt(2) ds(5) attributeType(4)
          authorityRevocationList(38)}
        
      authorityRevocationListATTRIBUTE::={
         WITH SYNTAX   CertificateList
         EQUALITY MATCHING RULE certificateListExactMatch
       ID joint-iso-ccitt(2) ds(5) attributeType(4)
          authorityRevocationList(38)}
        

The authorityRevocationList attribute, if present in a particular CA's entry, includes revocation information regarding certificates issued to other CAs.

authorityRevocationList属性(如果存在于特定CA的条目中)包括有关颁发给其他CA的证书的吊销信息。

3.2.1. CRL distribution points
3.2.1. CRL分发点

CRL distribution points are an optional mechanism, specified in RFC 2459, which MAY be used to distribute revocation information.

CRL分发点是RFC 2459中指定的可选机制,可用于分发吊销信息。

A patent statement regarding CRL distribution points can be found at the end of this document.

关于CRL分发点的专利声明可在本文件末尾找到。

If a CA elects to use CRL distribution points, the following object class is used to represent these.

如果CA选择使用CRL分发点,则使用以下对象类来表示这些分发点。

 cRLDistributionPoint   OBJECT-CLASS::= {
    SUBCLASS OF     { top }
    KIND            structural
    MUST CONTAIN    { commonName }
    MAY CONTAIN     { certificateRevocationList |
                      authorityRevocationList |
                      deltaRevocationList }
    ID joint-iso-ccitt(2) ds(5) objectClass(6) cRLDistributionPoint(19) }
        
 cRLDistributionPoint   OBJECT-CLASS::= {
    SUBCLASS OF     { top }
    KIND            structural
    MUST CONTAIN    { commonName }
    MAY CONTAIN     { certificateRevocationList |
                      authorityRevocationList |
                      deltaRevocationList }
    ID joint-iso-ccitt(2) ds(5) objectClass(6) cRLDistributionPoint(19) }
        

The certificateRevocationList and authorityRevocationList attributes are as defined above.

CertificateRelationList和AuthorityRecovationList属性如上所述。

The commonName attribute and deltaRevocationList attributes, defined in X.509, are duplicated below.

下面复制了X.509中定义的commonName属性和deltaRevocationList属性。

      commonName   ATTRIBUTE::={
         SUBTYPE OF     name
         WITH SYNTAX   DirectoryString
         ID joint-iso-ccitt(2) ds(5) attributeType(4) commonName(3) }
        
      commonName   ATTRIBUTE::={
         SUBTYPE OF     name
         WITH SYNTAX   DirectoryString
         ID joint-iso-ccitt(2) ds(5) attributeType(4) commonName(3) }
        
      deltaRevocationList        ATTRIBUTE ::= {
         WITH SYNTAX             CertificateList
         EQUALITY MATCHING RULE  certificateListExactMatch
         ID joint-iso-ccitt(2) ds(5) attributeType(4)
            deltaRevocationList(53) }
        
      deltaRevocationList        ATTRIBUTE ::= {
         WITH SYNTAX             CertificateList
         EQUALITY MATCHING RULE  certificateListExactMatch
         ID joint-iso-ccitt(2) ds(5) attributeType(4)
            deltaRevocationList(53) }
        
3.2.2. Delta CRLs
3.2.2. 增量CRLs

Delta CRLs are an optional mechanism, specified in RFC 2459, which MAY be used to enhance the distribution of revocation information.

Delta CRL是RFC 2459中指定的可选机制,可用于增强吊销信息的分发。

If a CA elects to use delta CRLs, the following object class is used to represent these.

如果CA选择使用增量CRL,则使用以下对象类来表示这些。

      deltaCRL   OBJECT-CLASS::= {
         SUBCLASS OF     { top }
         KIND            auxiliary
         MAY CONTAIN     { deltaRevocationList }
         ID joint-iso-ccitt(2) ds(5) objectClass(6) deltaCRL(23) }
        
      deltaCRL   OBJECT-CLASS::= {
         SUBCLASS OF     { top }
         KIND            auxiliary
         MAY CONTAIN     { deltaRevocationList }
         ID joint-iso-ccitt(2) ds(5) objectClass(6) deltaCRL(23) }
        
4. Security Considerations
4. 安全考虑

Since the elements of information which are key to the PKI service (certificates and CRLs) are both digitally signed pieces of information, no additional integrity service is REQUIRED.

由于PKI服务的关键信息元素(证书和CRL)都是经过数字签名的信息,因此不需要额外的完整性服务。

Security considerations with respect to retrieval, addition, deletion, and modification of the information supported by this schema definition are addressed in RFC 2559.

关于检索、添加、删除和修改此模式定义支持的信息的安全注意事项,请参见RFC2559。

5. References
5. 工具书类

[1] Yeong, Y., Howes, T. and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.

[1] Yeong,Y.,Howes,T.和S.Kille,“轻量级目录访问协议”,RFC 17771995年3月。

[2] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

6 Intellectual Property Rights

6知识产权

The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights.

IETF已收到关于本文件所含部分或全部规范的知识产权声明。有关更多信息,请查阅在线权利主张列表。

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

7. Authors' Addresses
7. 作者地址

Sharon Boeyen Entrust Technologies Limited 750 Heron Road Ottawa, Ontario Canada K1V 1A7

加拿大安大略省渥太华Heron路750号Sharon Boeyn信托科技有限公司K1V 1A7

   EMail: sharon.boeyen@entrust.com
        
   EMail: sharon.boeyen@entrust.com
        

Tim Howes Netscape Communications Corp. 501 E. Middlefield Rd. Mountain View, CA 94043 USA

Tim Howes Netscape Communications Corp.美国加利福尼亚州山景城米德菲尔德东路501号,邮编94043

   EMail: howes@netscape.com
        
   EMail: howes@netscape.com
        

Patrick Richard Xcert Software Inc. Suite 1001, 701 W. Georgia Street P.O. Box 10145 Pacific Centre Vancouver, B.C. Canada V7Y 1C6

Patrick Richard Xcert Software Inc.加拿大不列颠哥伦比亚省温哥华太平洋中心10145号邮政信箱乔治亚街西701号1001室V7Y 1C6

   EMail: patr@xcert.com
        
   EMail: patr@xcert.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。