Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track
        

Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP). The LDAP definitions for these X.509 and X.521 schema elements replace those provided in RFCs 2252 and 2256.

1. Introduction

This document provides LDAP [RFC4510] schema definitions [RFC4512] for a subset of elements specified in X.509 [X.509] and X.521 [X.521], including attribute types for certificates, cross certificate pairs, and certificate revocation lists; matching rules to be used with these attribute types; and related object classes. LDAP syntax definitions are also provided for associated assertion and attribute values.

As the semantics of these elements are as defined in X.509 and X.521, knowledge of X.509 and X.521 is necessary to make use of the LDAP schema definitions provided herein.

This document, together with [RFC4510], obsoletes RFCs 2252 and 2256 in their entirety. The changes (in this document) made since RFC 2252 and RFC 2256 include:

- addition of pkiUser, pkiCA, and deltaCRL classes;

- update of attribute types to include equality matching rules in accordance with their X.500 specifications;

- addition of certificate, certificate pair, certificate list, and algorithm identifier matching rules; and

- addition of LDAP syntax for assertion syntaxes for these matching rules.

This document obsoletes RFC 2587. The X.509 schema descriptions for LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].

Schema definitions are provided using LDAP description formats [RFC4512]. Definitions provided here are formatted (line wrapped) for readability.

2. Syntaxes

This section describes various syntaxes used in LDAP to transfer certificates and related data types.

2.1. Certificate

( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

A value of this syntax is an X.509 Certificate [X.509, clause 7].

Due to changes made to the definition of a Certificate through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using Distinguished Encoding Rules (DER) [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "userCertificate;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.

2.2. CertificateList

( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

A value of this syntax is an X.509 CertificateList [X.509, clause 7.3].

Due to changes made to the definition of a CertificateList through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "certificateRevocationList;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.

2.3. CertificatePair

( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

A value of this syntax is an X.509 CertificatePair [X.509, clause 11.2.3].

Due to changes made to the definition of an X.509 CertificatePair through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "crossCertificatePair;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.

2.4. SupportedAlgorithm

( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'X.509 Supported Algorithm' )

A value of this syntax is an X.509 SupportedAlgorithm [X.509, clause 11.2.7].

Due to changes made to the definition of an X.509 SupportedAlgorithm through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "supportedAlgorithms;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of the value MUST be preserved as presented.

2.5. CertificateExactAssertion

( 1.3.6.1.1.15.1 DESC 'X.509 Certificate Exact Assertion' )

A value of this syntax is an X.509 CertificateExactAssertion [X.509, clause 11.3.1]. Values of this syntax MUST be encoded using the Generic String Encoding Rules (GSER) [RFC3641]. Appendix A.1 provides an equivalent Augmented Backus-Naur Form (ABNF) [RFC4234] grammar for this syntax.

2.6. CertificateAssertion

( 1.3.6.1.1.15.2 DESC 'X.509 Certificate Assertion' )

A value of this syntax is an X.509 CertificateAssertion [X.509, clause 11.3.2]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.2 provides an equivalent ABNF [RFC4234] grammar for this syntax.

2.7. CertificatePairExactAssertion

( 1.3.6.1.1.15.3 DESC 'X.509 Certificate Pair Exact Assertion' )

A value of this syntax is an X.509 CertificatePairExactAssertion [X.509, clause 11.3.3]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.3 provides an equivalent ABNF [RFC4234] grammar for this syntax.

2.8. CertificatePairAssertion

( 1.3.6.1.1.15.4 DESC 'X.509 Certificate Pair Assertion' )

A value of this syntax is an X.509 CertificatePairAssertion [X.509, clause 11.3.4]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.4 provides an equivalent ABNF [RFC4234] grammar for this syntax.

2.9. CertificateListExactAssertion

( 1.3.6.1.1.15.5 DESC 'X.509 Certificate List Exact Assertion' )

A value of this syntax is an X.509 CertificateListExactAssertion [X.509, clause 11.3.5]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.5 provides an equivalent ABNF grammar for this syntax.

2.10. CertificateListAssertion

( 1.3.6.1.1.15.6 DESC 'X.509 Certificate List Assertion' )

A value of this syntax is an X.509 CertificateListAssertion [X.509, clause 11.3.6]. Values of this syntax MUST be encoded using GSER [RFC3641]. Appendix A.6 provides an equivalent ABNF [RFC4234] grammar for this syntax.

2.11. AlgorithmIdentifier

( 1.3.6.1.1.15.7 DESC 'X.509 Algorithm Identifier' )

A value of this syntax is an X.509 AlgorithmIdentifier [X.509, Clause 7]. Values of this syntax MUST be encoded using GSER [RFC3641].

Appendix A.7 provides an equivalent ABNF [RFC4234] grammar for this syntax.

3. Matching Rules

This section introduces a set of certificate and related matching rules for use in LDAP. These rules are intended to act in accordance with their X.500 counterparts.

3.1. certificateExactMatch

The certificateExactMatch matching rule compares the presented certificate exact assertion value with an attribute value of the certificate syntax as described in clause 11.3.1 of [X.509].

( 2.5.13.34 NAME 'certificateExactMatch' DESC 'X.509 Certificate Exact Match' SYNTAX 1.3.6.1.1.15.1 )

3.2. certificateMatch

The certificateMatch matching rule compares the presented certificate assertion value with an attribute value of the certificate syntax as described in clause 11.3.2 of [X.509].

( 2.5.13.35 NAME 'certificateMatch' DESC 'X.509 Certificate Match' SYNTAX 1.3.6.1.1.15.2 )

3.3. certificatePairExactMatch

The certificatePairExactMatch matching rule compares the presented certificate pair exact assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.3 of [X.509].

( 2.5.13.36 NAME 'certificatePairExactMatch' DESC 'X.509 Certificate Pair Exact Match' SYNTAX 1.3.6.1.1.15.3 )

3.4. certificatePairMatch

The certificatePairMatch matching rule compares the presented certificate pair assertion value with an attribute value of the certificate pair syntax as described in clause 11.3.4 of [X.509].

( 2.5.13.37 NAME 'certificatePairMatch' DESC 'X.509 Certificate Pair Match' SYNTAX 1.3.6.1.1.15.4 )

3.5. certificateListExactMatch

The certificateListExactMatch matching rule compares the presented certificate list exact assertion value with an attribute value of the certificate list syntax as described in clause 11.3.5 of [X.509].

( 2.5.13.38 NAME 'certificateListExactMatch' DESC 'X.509 Certificate List Exact Match' SYNTAX 1.3.6.1.1.15.5 )

3.6. certificateListMatch

The certificateListMatch matching rule compares the presented certificate list assertion value with an attribute value of the certificate list syntax as described in clause 11.3.6 of [X.509].

( 2.5.13.39 NAME 'certificateListMatch' DESC 'X.509 Certificate List Match' SYNTAX 1.3.6.1.1.15.6 )

3.7. algorithmIdentifierMatch

The algorithmIdentifierMatch matching rule compares a presented algorithm identifier with an attribute value of the supported algorithm syntax as described in clause 11.3.7 of [X.509].

( 2.5.13.40 NAME 'algorithmIdentifierMatch' DESC 'X.509 Algorithm Identifier Match' SYNTAX 1.3.6.1.1.15.7 )

4. Attribute Types

This section details a set of certificate and related attribute types for use in LDAP.

4.1. userCertificate

The userCertificate attribute holds the X.509 certificates issued to the user by one or more certificate authorities, as discussed in clause 11.2.1 of [X.509].

( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "userCertificate;binary".

4.2. cACertificate

The cACertificate attribute holds the X.509 certificates issued to the certificate authority (CA), as discussed in clause 11.2.2 of [X.509].

( 2.5.4.37 NAME 'cACertificate' DESC 'X.509 CA certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "cACertificate;binary".

4.3. crossCertificatePair

The crossCertificatePair attribute holds an X.509 certificate pair, as discussed in clause 11.2.3 of [X.509].

( 2.5.4.40 NAME 'crossCertificatePair' DESC 'X.509 cross certificate pair' EQUALITY certificatePairExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )

As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "crossCertificatePair;binary".

4.4. certificateRevocationList

The certificateRevocationList attribute holds certificate lists, as discussed in 11.2.4 of [X.509].

( 2.5.4.39 NAME 'certificateRevocationList' DESC 'X.509 certificate revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "certificateRevocationList;binary".

4.5. authorityRevocationList

The authorityRevocationList attribute holds certificate lists, as discussed in 11.2.5 of [X.509].

( 2.5.4.38 NAME 'authorityRevocationList' DESC 'X.509 authority revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute are requested and transferred using the attribute description "authorityRevocationList;binary".

4.6. deltaRevocationList

The deltaRevocationList attribute holds certificate lists, as discussed in 11.2.6 of [X.509].

( 2.5.4.53 NAME 'deltaRevocationList' DESC 'X.509 delta revocation list' EQUALITY certificateListExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )

As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "deltaRevocationList;binary".

4.7. supportedAlgorithms

The supportedAlgorithms attribute holds supported algorithms, as discussed in 11.2.7 of [X.509].

( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'X.509 supported algorithms' EQUALITY algorithmIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )

As required by this attribute type's syntax, values of this attribute MUST be requested and transferred using the attribute description "supportedAlgorithms;binary".

5. Object Classes

This section details a set of certificate-related object classes for use in LDAP.

5.1. pkiUser

This object class is used to augment entries for objects that may be subject to certificates, as defined in clause 11.1.1 of [X.509].

( 2.5.6.21 NAME 'pkiUser' DESC 'X.509 PKI User' SUP top AUXILIARY MAY userCertificate )

5.2. pkiCA

This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 11.1.2 of [X.509].

( 2.5.6.22 NAME 'pkiCA' DESC 'X.509 PKI Certificate Authority' SUP top AUXILIARY MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair ) )

5.3. cRLDistributionPoint

This class is used to represent objects that act as CRL distribution points, as discussed in clause 11.1.3 of [X.509].

( 2.5.6.19 NAME 'cRLDistributionPoint' DESC 'X.509 CRL distribution point' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) )

5.4. deltaCRL

The deltaCRL object class is used to augment entries to hold delta revocation lists, as discussed in clause 11.1.4 of [X.509].

( 2.5.6.23 NAME 'deltaCRL' DESC 'X.509 delta CRL' SUP top AUXILIARY MAY deltaRevocationList )

5.5. strongAuthenticationUser

This object class is used to augment entries for objects participating in certificate-based authentication, as defined in clause 6.15 of [X.521]. This object class is deprecated in favor of pkiUser.

( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'X.521 strong authentication user' SUP top AUXILIARY MUST userCertificate )

5.6. userSecurityInformation

This object class is used to augment entries with needed additional associated security information, as defined in clause 6.16 of [X.521].

( 2.5.6.18 NAME 'userSecurityInformation' DESC 'X.521 user security information' SUP top AUXILIARY MAY ( supportedAlgorithms ) )

5.7. certificationAuthority

This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.17 of [X.521]. This object class is deprecated in favor of pkiCA.

( 2.5.6.16 NAME 'certificationAuthority' DESC 'X.509 certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )

5.8. certificationAuthority-V2

This object class is used to augment entries for objects that act as certificate authorities, as defined in clause 6.18 of [X.521]. This object class is deprecated in favor of pkiCA.

( 2.5.6.16.2 NAME 'certificationAuthority-V2' DESC 'X.509 certificate authority, version 2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList )

</gr_replreplace>
<gr_insert after="536" cat="add_content" lang="python" orig="(2.5.6.16.2名称">

As an added example (not part of RFC 4523, and not the schema checker of any directory server), the following Python program validates entries against the object classes in this section. OBJECT_CLASSES is transcribed from the definitions above (kind, MUST, MAY; certificationAuthority-V2 is subordinate to certificationAuthority and every other class to top), and BINARY_REQUIRED lists the attribute types whose syntax, per Section 4, requires the ;binary transfer option. Both entries are constructed sample data and PLACEHOLDER stands in for DER values. Only the classes on this page are known to the checker, so the samples use cRLDistributionPoint as their structural class; pkiUser and the other auxiliary classes would in practice be attached to a structural class from another schema document.

```python
"""Check LDAP entries against the RFC 4523 object classes (added example).

The OBJECT_CLASSES table is transcribed from Section 5 and BINARY_REQUIRED
from Section 4 of the RFC; the entries at the bottom are constructed samples."""

# name -> (kind, MUST, MAY); every class is SUP top except where SUPERIOR says otherwise
OBJECT_CLASSES = {
    "top": ("ABSTRACT", (), ()),
    "pkiUser": ("AUXILIARY", (), ("userCertificate",)),
    "pkiCA": ("AUXILIARY", (), ("cACertificate", "certificateRevocationList",
                                "authorityRevocationList", "crossCertificatePair")),
    "cRLDistributionPoint": ("STRUCTURAL", ("cn",),
                             ("certificateRevocationList", "authorityRevocationList",
                              "deltaRevocationList")),
    "deltaCRL": ("AUXILIARY", (), ("deltaRevocationList",)),
    "strongAuthenticationUser": ("AUXILIARY", ("userCertificate",), ()),
    "userSecurityInformation": ("AUXILIARY", (), ("supportedAlgorithms",)),
    "certificationAuthority": ("AUXILIARY",
                               ("authorityRevocationList", "certificateRevocationList",
                                "cACertificate"), ("crossCertificatePair",)),
    "certificationAuthority-V2": ("AUXILIARY", (), ("deltaRevocationList",)),
}
SUPERIOR = {"certificationAuthority-V2": "certificationAuthority"}
DEPRECATED = {"strongAuthenticationUser": "pkiUser", "certificationAuthority": "pkiCA",
              "certificationAuthority-V2": "pkiCA"}
# attribute types whose syntax requires the ;binary transfer option (Section 4)
BINARY_REQUIRED = {"userCertificate", "cACertificate", "crossCertificatePair",
                   "certificateRevocationList", "authorityRevocationList",
                   "deltaRevocationList", "supportedAlgorithms"}

# descriptors are case-insensitive, so everything is indexed by lower case
OC_INDEX = {name.lower(): name for name in OBJECT_CLASSES}
BINARY_INDEX = {name.lower() for name in BINARY_REQUIRED}

def split_description(desc: str):
    """'userCertificate;binary' -> ('userCertificate', {'binary'})."""
    name, *options = desc.split(";")
    return name, {o.lower() for o in options}

def superclass_chain(oc: str):
    """The class and its superiors up to top."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = None if oc == "top" else SUPERIOR.get(oc, "top")
    return chain

def validate_entry(entry: dict) -> list:
    """entry maps attribute descriptions to value lists; returns problems ([] means valid)."""
    problems, classes = [], set()
    for oc in entry.get("objectClass", []):
        name = OC_INDEX.get(oc.lower())
        if name is None:
            problems.append(f"unknown object class {oc}")
        else:
            classes.update(superclass_chain(name))
    if not any(OBJECT_CLASSES[c][0] == "STRUCTURAL" for c in classes):
        problems.append("no STRUCTURAL object class")
    must = {a.lower(): a for c in classes for a in OBJECT_CLASSES[c][1]}
    allowed = set(must) | {a.lower() for c in classes for a in OBJECT_CLASSES[c][2]} | {"objectclass"}
    present = {}
    for desc in entry:
        name, options = split_description(desc)
        present[name.lower()] = (name, options)
    for key in sorted(set(must) - set(present)):
        problems.append(f"missing MUST attribute {must[key]}")
    for key, (name, options) in present.items():
        if key not in allowed:
            problems.append(f"attribute {name} not permitted by the entry's object classes")
        if key in BINARY_INDEX and "binary" not in options:
            problems.append(f"attribute {name} must be transferred as {name};binary")
    return problems

def deprecated_classes(entry: dict) -> dict:
    """Deprecated classes in the entry, mapped to the replacement this RFC names."""
    found = {}
    for oc in entry.get("objectClass", []):
        name = OC_INDEX.get(oc.lower())
        if name in DEPRECATED:
            found[oc] = DEPRECATED[name]
    return found

# constructed sample entries; the byte string stands in for real DER values
PLACEHOLDER = b"\x30\x03\x02\x01\x00"
CRL_POINT_OK = {
    "objectClass": ["top", "cRLDistributionPoint", "deltaCRL"],
    "cn": ["crl-2006-06"],
    "certificateRevocationList;binary": [PLACEHOLDER],
    "deltaRevocationList;binary": [PLACEHOLDER],
}
CA_ENTRY_BAD = {
    "objectClass": ["top", "cRLDistributionPoint", "certificationAuthority-V2"],
    "cn": ["legacy-ca"],
    "cACertificate": [PLACEHOLDER],                      # ;binary option missing
    "certificateRevocationList;binary": [PLACEHOLDER],   # authorityRevocationList (MUST) absent
    "userCertificate;binary": [PLACEHOLDER],             # permitted by none of the classes
}

if __name__ == "__main__":
    for label, entry in (("ok", CRL_POINT_OK), ("bad", CA_ENTRY_BAD)):
        print(label, validate_entry(entry), deprecated_classes(entry))
```

Run as a script it prints the problem list for each entry. The bad entry shows three kinds of problem: a MUST attribute that the deprecated certificationAuthority class requires but the entry lacks, a certificate value written without ;binary, which Section 4 does not permit, and an attribute that none of the entry's classes allows. deprecated_classes reports the pkiCA replacement named in 5.8.
<test>
assert validate_entry(CRL_POINT_OK) == []
assert deprecated_classes(CRL_POINT_OK) == {}
assert validate_entry(CA_ENTRY_BAD) == [
    "missing MUST attribute authorityRevocationList",
    "attribute cACertificate must be transferred as cACertificate;binary",
    "attribute userCertificate not permitted by the entry's object classes",
]
assert deprecated_classes(CA_ENTRY_BAD) == {"certificationAuthority-V2": "pkiCA"}
assert superclass_chain("certificationAuthority-V2") == ["certificationAuthority-V2", "certificationAuthority", "top"]
assert validate_entry({"objectClass": ["pkiUser"], "userCertificate;binary": [PLACEHOLDER]}) == ["no STRUCTURAL object class"]
assert split_description("cACertificate;Binary") == ("cACertificate", {"binary"})
</test>
</gr_insert>
<gr_replace lines="539" cat="remove_boilerplate" orig="6. 安全考虑">
6. Security Considerations
6. 安全考虑

General certificate considerations [RFC3280] apply to LDAP-aware certificate applications. General LDAP security considerations [RFC4510] apply as well.

While elements of certificate information are commonly signed, these signatures only protect the integrity of the signed information. In the absence of data integrity protections in LDAP (or at a lower layer, e.g., IPsec), a server is not assured that a client's certificate request (or other request) was unaltered in transit. Likewise, a client cannot be assured that the results of the query were unaltered in transit. Hence, it is generally recommended that implementations make use of authentication and data integrity services in LDAP [RFC4513][RFC4511].

7. IANA Considerations
7.1. Object Identifier Registration

The IANA has registered an LDAP Object Identifier [RFC4520] for use in this technical specification.

      Subject: Request for LDAP OID Registration
      Person & email address to contact for further information:
          Kurt Zeilenga <kurt@OpenLDAP.org>
      Specification: RFC 4523
      Author/Change Controller: IESG
      Comments:
          Identifies the LDAP X.509 Certificate schema elements
          introduced in this document.

7.2. Descriptor Registration

The IANA has updated the LDAP Descriptor registry [RFC4520] as indicated below.

      Subject: Request for LDAP Descriptor Registration
      Descriptor (short name): see table
      Object Identifier: see table
      Person & email address to contact for further information:
          Kurt Zeilenga <kurt@OpenLDAP.org>
      Usage: see table
      Specification: RFC 4523
      Author/Change Controller: IESG
        
      algorithmIdentifierMatch     M 2.5.13.40
      authorityRevocationList      A 2.5.4.38 *
      cACertificate                A 2.5.4.37 *
      cRLDistributionPoint         O 2.5.6.19 *
      certificateExactMatch        M 2.5.13.34
      certificateListExactMatch    M 2.5.13.38
      certificateListMatch         M 2.5.13.39
      certificateMatch             M 2.5.13.35
      certificatePairExactMatch    M 2.5.13.36
      certificatePairMatch         M 2.5.13.37
      certificateRevocationList    A 2.5.4.39 *
      certificationAuthority       O 2.5.6.16 *
      certificationAuthority-V2    O 2.5.6.16.2 *
      crossCertificatePair         A 2.5.4.40 *
        
      deltaCRL                     O 2.5.6.23 *
      deltaRevocationList          A 2.5.4.53 *
      pkiCA                        O 2.5.6.22 *
      pkiUser                      O 2.5.6.21 *
      strongAuthenticationUser     O 2.5.6.15 *
      supportedAlgorithms          A 2.5.4.52 *
      userCertificate              A 2.5.4.36 *
      userSecurityInformation      O 2.5.6.18 *
        

* Updates previous registration

8. Acknowledgements

This document is based on X.509, a product of the ITU-T. A number of LDAP schema definitions were based on those found in RFCs 2252 and 2256, both products of the IETF ASID WG. The ABNF productions in Appendix A were provided by Steven Legg. Additional material was borrowed from prior works by David Chadwick and Steven Legg to refine the LDAP X.509 schema.

9. References
9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3641] Legg, S., "Generic String Encoding Rules (GSER) for ASN.1 Types", RFC 3641, October 2003.

[RFC4510] Zeilenga, K., Ed., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.

[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.

[RFC4522] Legg, S., "Lightweight Directory Access Protocol (LDAP): The Binary Encoding Option", RFC 4522, June 2006.

[X.509] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Authentication Framework", X.509(2000).

[X.521] International Telecommunication Union - Telecommunication Standardization Sector, "The Directory: Selected Object Classes", X.521(2000).

[X.690] International Telecommunication Union - Telecommunication Standardization Sector, "Specification of ASN.1 encoding rules: Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER)", X.690(2002) (also ISO/IEC 8825-1:2002).

9.2. Informative References

[RFC1777] Yeong, W., Howes, T., and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.

[RFC2156] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay): Mapping between X.400 and RFC 822/MIME", RFC 2156, January 1998.

[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[RFC3494] Zeilenga, K., "Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status", RFC 3494, March 2003.

[RFC3642] Legg, S., "Common Elements of Generic String Encoding Rules (GSER) Encodings", RFC 3642, October 2003.

[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 4234, October 2005.

[RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access Protocol (LDAP): The Protocol", RFC 4511, June 2006.

[RFC4513] Harrison, R. Ed., "Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms", RFC 4513, June 2006.

[RFC4513]Harrison,R.Ed.,“轻量级目录访问协议(LDAP):认证方法和安全机制”,RFC4513,2006年6月。

[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 4520, June 2006.

[RFC4520]Zeilenga,K.,“轻量级目录访问协议(LDAP)的互联网分配号码管理局(IANA)注意事项”,BCP 64,RFC 4520,2006年6月。

Appendix A.

This appendix is informative.

This appendix provides ABNF [RFC4234] grammars for the GSER-based [RFC3641] LDAP-specific encodings specified in this document. These grammars were produced using, and rely on, the Common Elements for GSER Encodings [RFC3642].

A.1. CertificateExactAssertion

   CertificateExactAssertion = "{" sp cea-serialNumber ","
        sp cea-issuer sp "}"

   cea-serialNumber = id-serialNumber msp CertificateSerialNumber
   cea-issuer = id-issuer msp Name

   id-serialNumber =
        %x73.65.72.69.61.6C.4E.75.6D.62.65.72 ; 'serialNumber'
   id-issuer = %x69.73.73.75.65.72 ; 'issuer'

   Name = id-rdnSequence ":" RDNSequence
   id-rdnSequence = %x72.64.6E.53.65.71.75.65.6E.63.65 ; 'rdnSequence'

   CertificateSerialNumber = INTEGER
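The A.1 grammar is small enough to implement directly. The following encoder and parser for the CertificateExactAssertion text form is an added example, not code from the RFC or from the OpenLDAP project. It assumes the GSER building blocks the grammar refers to as defined in RFC 3641 and RFC 3642: <sp> is zero or more spaces, <msp> one or more, <INTEGER> is a decimal with no leading zeros, and <RDNSequence> is the LDAP string form of the DN between double quotes with embedded double quotes doubled. The sample issuer DNs are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertificateExactAssertion:
    """The two components named by the A.1 grammar."""
    serial_number: int   # CertificateSerialNumber: ASN.1 INTEGER, may exceed 64 bits
    issuer: str          # issuer Name as an LDAP string DN, unescaped


def _quote_rdn_sequence(dn: str) -> str:
    # GSER <RDNSequence> (RFC 3642): LDAP DN string between double quotes,
    # with every embedded double quote escaped by doubling it.
    return '"' + dn.replace('"', '""') + '"'


def encode_cea(cea: CertificateExactAssertion) -> str:
    """Produce the A.1 form with one space for <sp> and <msp>."""
    return '{ serialNumber %d, issuer rdnSequence:%s }' % (
        cea.serial_number, _quote_rdn_sequence(cea.issuer))


# One regular expression that follows A.1 literally: <sp> = ' *', <msp> = ' +',
# a GSER INTEGER is "0", or a non-zero digit followed by digits, optionally
# preceded by "-"; the issuer is "rdnSequence:" directly followed by the
# quoted RDNSequence.
_CEA_RE = re.compile(
    r'^\{ *'
    r'serialNumber +(?P<serial>-?(?:0|[1-9][0-9]*))'
    r', *'
    r'issuer +rdnSequence:"(?P<issuer>(?:[^"]|"")*)"'
    r' *\}$'
)


def parse_cea(text: str) -> CertificateExactAssertion:
    """Parse the A.1 form; raise ValueError on anything the grammar rejects."""
    m = _CEA_RE.match(text)
    if m is None:
        raise ValueError("not a CertificateExactAssertion: %r" % (text,))
    return CertificateExactAssertion(
        serial_number=int(m.group("serial")),
        issuer=m.group("issuer").replace('""', '"'),
    )


def is_valid_cea(text: str) -> bool:
    """True if the text is a syntactically valid CertificateExactAssertion."""
    try:
        parse_cea(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample value; the DN is not a real CA.
    sample = CertificateExactAssertion(1234567, "CN=Example CA,O=Example Corp,C=US")
    print(encode_cea(sample))
    print(parse_cea(encode_cea(sample)) == sample)
```

Two points worth noting: the serial number is kept as an unbounded integer, because X.509 serial numbers are commonly longer than 64 bits; and the parser rejects leading zeros and stray whitespace, so an assertion that passes it has exactly one canonical spelling. Equality on the dataclass compares the issuer DN strings byte for byte, which is only an approximation of the DN matching an LDAP server applies.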
        
A.2. CertificateAssertion

   CertificateAssertion = "{" [ sp ca-serialNumber ]
        [ sep sp ca-issuer ]
        [ sep sp ca-subjectKeyIdentifier ]
        [ sep sp ca-authorityKeyIdentifier ]
        [ sep sp ca-certificateValid ]
        [ sep sp ca-privateKeyValid ]
        [ sep sp ca-subjectPublicKeyAlgID ]
        [ sep sp ca-keyUsage ]
        [ sep sp ca-subjectAltName ]
        [ sep sp ca-policy ]
        [ sep sp ca-pathToName ]
        [ sep sp ca-subject ]
        [ sep sp ca-nameConstraints ] sp "}"

   ca-serialNumber = id-serialNumber msp CertificateSerialNumber
   ca-issuer = id-issuer msp Name
   ca-subjectKeyIdentifier = id-subjectKeyIdentifier msp
        SubjectKeyIdentifier
   ca-authorityKeyIdentifier = id-authorityKeyIdentifier msp
        AuthorityKeyIdentifier

   ca-certificateValid = id-certificateValid msp Time
   ca-privateKeyValid = id-privateKeyValid msp GeneralizedTime
   ca-subjectPublicKeyAlgID = id-subjectPublicKeyAlgID msp
        OBJECT-IDENTIFIER
   ca-keyUsage = id-keyUsage msp KeyUsage
   ca-subjectAltName = id-subjectAltName msp AltNameType
   ca-policy = id-policy msp CertPolicySet
   ca-pathToName = id-pathToName msp Name
   ca-subject = id-subject msp Name
   ca-nameConstraints = id-nameConstraints msp NameConstraintsSyntax

   id-subjectKeyIdentifier =
        %x73.75.62.6A.65.63.74.4B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'subjectKeyIdentifier'
   id-authorityKeyIdentifier =
        %x61.75.74.68.6F.72.69.74.79.4B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'authorityKeyIdentifier'
   id-certificateValid = %x63.65.72.74.69.66.69.63.61.74.65.56.61.6C.69.64
        ; 'certificateValid'
   id-privateKeyValid = %x70.72.69.76.61.74.65.4B.65.79.56.61.6C.69.64
        ; 'privateKeyValid'
   id-subjectPublicKeyAlgID  =
        %x73.75.62.6A.65.63.74.50.75.62.6C.69.63.4B.65.79.41.6C.67.49.44
        ; 'subjectPublicKeyAlgID'
   id-keyUsage = %x6B.65.79.55.73.61.67.65 ; 'keyUsage'
   id-subjectAltName = %x73.75.62.6A.65.63.74.41.6C.74.4E.61.6D.65
        ; 'subjectAltName'
   id-policy = %x70.6F.6C.69.63.79 ; 'policy'
   id-pathToName = %x70.61.74.68.54.6F.4E.61.6D.65 ; 'pathToName'
   id-subject = %x73.75.62.6A.65.63.74 ; 'subject'
   id-nameConstraints = %x6E.61.6D.65.43.6F.6E.73.74.72.61.69.6E.74.73
        ; 'nameConstraints'

   SubjectKeyIdentifier = KeyIdentifier

   KeyIdentifier = OCTET-STRING

   AuthorityKeyIdentifier = "{" [ sp aki-keyIdentifier ]
        [ sep sp aki-authorityCertIssuer ]
        [ sep sp aki-authorityCertSerialNumber ] sp "}"

   aki-keyIdentifier = id-keyIdentifier msp KeyIdentifier
   aki-authorityCertIssuer = id-authorityCertIssuer msp GeneralNames

   GeneralNames = "{" sp GeneralName *( "," sp GeneralName ) sp "}"
   GeneralName  = gn-otherName
        / gn-rfc822Name
        / gn-dNSName
        / gn-x400Address
        / gn-directoryName
        / gn-ediPartyName
        / gn-uniformResourceIdentifier
        / gn-iPAddress
        / gn-registeredID

   gn-otherName = id-otherName ":" OtherName
   gn-rfc822Name = id-rfc822Name ":" IA5String
   gn-dNSName = id-dNSName ":" IA5String
   gn-x400Address = id-x400Address ":" ORAddress
   gn-directoryName = id-directoryName ":" Name
   gn-ediPartyName = id-ediPartyName ":" EDIPartyName
   gn-iPAddress = id-iPAddress ":" OCTET-STRING
   gn-registeredID = gn-id-registeredID ":" OBJECT-IDENTIFIER

   gn-uniformResourceIdentifier = id-uniformResourceIdentifier ":"
        IA5String

   id-otherName = %x6F.74.68.65.72.4E.61.6D.65 ; 'otherName'
   gn-id-registeredID = %x72.65.67.69.73.74.65.72.65.64.49.44
        ; 'registeredID'

   OtherName = "{" sp on-type-id "," sp on-value sp "}"
   on-type-id = id-type-id msp OBJECT-IDENTIFIER
   on-value = id-value msp Value
        ;; <Value> as defined in Section 3 of [RFC3641]

   id-type-id = %x74.79.70.65.2D.69.64 ; 'type-id'
   id-value = %x76.61.6C.75.65 ; 'value'
        
   ORAddress = dquote *SafeIA5Character dquote
   SafeIA5Character = %x01-21 / %x23-7F / ; ASCII minus dquote
        dquote dquote ; escaped double quote
   dquote = %x22 ; '"' (double quote)

   ;; Note: The <ORAddress> rule encodes the x400Address component
   ;; of a GeneralName as a character string between double quotes.
   ;; The character string is first derived according to Section 4.1
   ;; of [RFC2156], and then any embedded double quotes are escaped
   ;; by being repeated. This resulting string is output between
   ;; double quotes.
        
   EDIPartyName = "{" [ sp nameAssigner "," ] sp partyName sp "}"
   nameAssigner = id-nameAssigner msp DirectoryString
   partyName = id-partyName msp DirectoryString
   id-nameAssigner = %x6E.61.6D.65.41.73.73.69.67.6E.65.72
        ; 'nameAssigner'

   id-partyName    = %x70.61.72.74.79.4E.61.6D.65 ; 'partyName'

   aki-authorityCertSerialNumber = id-authorityCertSerialNumber msp
        CertificateSerialNumber

   id-keyIdentifier = %x6B.65.79.49.64.65.6E.74.69.66.69.65.72
        ; 'keyIdentifier'
   id-authorityCertIssuer =
        %x61.75.74.68.6F.72.69.74.79.43.65.72.74.49.73.73.75.65.72
        ; 'authorityCertIssuer'

   id-authorityCertSerialNumber = %x61.75.74.68.6F.72.69.74.79.43
        %x65.72.74.53.65.72.69.61.6C.4E.75.6D.62.65.72
        ; 'authorityCertSerialNumber'
        
   Time = time-utcTime / time-generalizedTime
   time-utcTime = id-utcTime ":" UTCTime
   time-generalizedTime = id-generalizedTime ":" GeneralizedTime
   id-utcTime = %x75.74.63.54.69.6D.65 ; 'utcTime'
   id-generalizedTime = %x67.65.6E.65.72.61.6C.69.7A.65.64.54.69.6D.65
        ; 'generalizedTime'

   KeyUsage = BIT-STRING / key-usage-bit-list
   key-usage-bit-list = "{" [ sp key-usage *( "," sp key-usage ) ] sp "}"

   ;; Note: The <key-usage-bit-list> rule encodes the one bits in
   ;; a KeyUsage value as a comma separated list of identifiers.

   key-usage = id-digitalSignature
        / id-nonRepudiation
        / id-keyEncipherment
        / id-dataEncipherment
        / id-keyAgreement
        / id-keyCertSign
        / id-cRLSign
        / id-encipherOnly
        / id-decipherOnly

   id-digitalSignature = %x64.69.67.69.74.61.6C.53.69.67.6E.61.74
        %x75.72.65 ; 'digitalSignature'
   id-nonRepudiation   = %x6E.6F.6E.52.65.70.75.64.69.61.74.69.6F.6E
        ; 'nonRepudiation'
   id-keyEncipherment  = %x6B.65.79.45.6E.63.69.70.68.65.72.6D.65.6E.74
        ; 'keyEncipherment'
   id-dataEncipherment = %x64.61.74.61.45.6E.63.69.70.68.65.72.6D.65.6E
        %x74 ; 'dataEncipherment'
   id-keyAgreement     = %x6B.65.79.41.67.72.65.65.6D.65.6E.74
        ; 'keyAgreement'

   id-keyCertSign      = %x6B.65.79.43.65.72.74.53.69.67.6E
        ; 'keyCertSign'
   id-cRLSign          = %x63.52.4C.53.69.67.6E ; 'cRLSign'
   id-encipherOnly     = %x65.6E.63.69.70.68.65.72.4F.6E.6C.79
        ; 'encipherOnly'
   id-decipherOnly     = %x64.65.63.69.70.68.65.72.4F.6E.6C.79
        ; 'decipherOnly'
        
   AltNameType = ant-builtinNameForm / ant-otherNameForm

   ant-builtinNameForm = id-builtinNameForm ":" BuiltinNameForm
   ant-otherNameForm = id-otherNameForm ":" OBJECT-IDENTIFIER

   id-builtinNameForm = %x62.75.69.6C.74.69.6E.4E.61.6D.65.46.6F.72.6D
        ; 'builtinNameForm'
   id-otherNameForm   = %x6F.74.68.65.72.4E.61.6D.65.46.6F.72.6D
        ; 'otherNameForm'

   BuiltinNameForm  = id-rfc822Name
        / id-dNSName
        / id-x400Address
        / id-directoryName
        / id-ediPartyName
        / id-uniformResourceIdentifier
        / id-iPAddress
        / id-registeredId

   id-rfc822Name = %x72.66.63.38.32.32.4E.61.6D.65 ; 'rfc822Name'
   id-dNSName = %x64.4E.53.4E.61.6D.65 ; 'dNSName'
   id-x400Address  = %x78.34.30.30.41.64.64.72.65.73.73 ; 'x400Address'
   id-directoryName = %x64.69.72.65.63.74.6F.72.79.4E.61.6D.65
        ; 'directoryName'
   id-ediPartyName  = %x65.64.69.50.61.72.74.79.4E.61.6D.65
        ; 'ediPartyName'
   id-iPAddress = %x69.50.41.64.64.72.65.73.73 ; 'iPAddress'
   id-registeredId = %x72.65.67.69.73.74.65.72.65.64.49.64
        ; 'registeredId'

   id-uniformResourceIdentifier = %x75.6E.69.66.6F.72.6D.52.65.73.6F.75
        %x72.63.65.49.64.65.6E.74.69.66.69.65.72
        ; 'uniformResourceIdentifier'
        
   CertPolicySet = "{" sp CertPolicyId *( "," sp CertPolicyId ) sp "}"
   CertPolicyId = OBJECT-IDENTIFIER

   NameConstraintsSyntax = "{" [ sp ncs-permittedSubtrees ]
        [ sep sp ncs-excludedSubtrees ] sp "}"

   ncs-permittedSubtrees = id-permittedSubtrees msp GeneralSubtrees
   ncs-excludedSubtrees = id-excludedSubtrees msp GeneralSubtrees

   id-permittedSubtrees =
        %x70.65.72.6D.69.74.74.65.64.53.75.62.74.72.65.65.73
        ; 'permittedSubtrees'
   id-excludedSubtrees =
        %x65.78.63.6C.75.64.65.64.53.75.62.74.72.65.65.73
        ; 'excludedSubtrees'

   GeneralSubtrees = "{" sp GeneralSubtree
        *( "," sp GeneralSubtree ) sp "}"
   GeneralSubtree  = "{" sp gs-base
        [ "," sp gs-minimum ]
        [ "," sp gs-maximum ] sp "}"

   gs-base = id-base msp GeneralName
   gs-minimum = id-minimum msp BaseDistance
   gs-maximum = id-maximum msp BaseDistance

   id-base = %x62.61.73.65 ; 'base'
   id-minimum = %x6D.69.6E.69.6D.75.6D ; 'minimum'
   id-maximum = %x6D.61.78.69.6D.75.6D ; 'maximum'

   BaseDistance = INTEGER-0-MAX
        
A.3. CertificatePairExactAssertion

   CertificatePairExactAssertion = "{" [ sp cpea-issuedTo ]
        [ sep sp cpea-issuedBy ] sp "}"
        ;; At least one of <cpea-issuedTo> or <cpea-issuedBy> MUST be present.

   cpea-issuedTo = id-issuedToThisCAAssertion msp
        CertificateExactAssertion
   cpea-issuedBy = id-issuedByThisCAAssertion msp
        CertificateExactAssertion

   id-issuedToThisCAAssertion = %x69.73.73.75.65.64.54.6F.54.68.69.73
        %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedToThisCAAssertion'
   id-issuedByThisCAAssertion = %x69.73.73.75.65.64.42.79.54.68.69.73
        %x43.41.41.73.73.65.72.74.69.6F.6E ; 'issuedByThisCAAssertion'
        
A.4. CertificatePairAssertion

   CertificatePairAssertion = "{" [ sp cpa-issuedTo ]
        [ sep sp cpa-issuedBy ] sp "}"
        ;; At least one of <cpa-issuedTo> and <cpa-issuedBy> MUST be present.

   cpa-issuedTo = id-issuedToThisCAAssertion msp CertificateAssertion
   cpa-issuedBy = id-issuedByThisCAAssertion msp CertificateAssertion

A.5. CertificateListExactAssertion

   CertificateListExactAssertion = "{" sp clea-issuer ","
        sp clea-thisUpdate [ "," sp clea-distributionPoint ] sp "}"

   clea-issuer = id-issuer msp Name
   clea-thisUpdate = id-thisUpdate msp Time
   clea-distributionPoint = id-distributionPoint msp
        DistributionPointName

   id-thisUpdate = %x74.68.69.73.55.70.64.61.74.65 ; 'thisUpdate'
   id-distributionPoint =
        %x64.69.73.74.72.69.62.75.74.69.6F.6E.50.6F.69.6E.74
        ; 'distributionPoint'

   DistributionPointName = dpn-fullName / dpn-nameRelativeToCRLIssuer

   dpn-fullName = id-fullName ":" GeneralNames
   dpn-nameRelativeToCRLIssuer = id-nameRelativeToCRLIssuer ":"
        RelativeDistinguishedName

   id-fullName = %x66.75.6C.6C.4E.61.6D.65 ; 'fullName'
   id-nameRelativeToCRLIssuer = %x6E.61.6D.65.52.65.6C.61.74.69.76.65
        %x54.6F.43.52.4C.49.73.73.75.65.72 ; 'nameRelativeToCRLIssuer'
        
A.6. CertificateListAssertion

   CertificateListAssertion = "{" [ sp cla-issuer ]
        [ sep sp cla-minCRLNumber ]
        [ sep sp cla-maxCRLNumber ]
        [ sep sp cla-reasonFlags ]
        [ sep sp cla-dateAndTime ]
        [ sep sp cla-distributionPoint ]
        [ sep sp cla-authorityKeyIdentifier ] sp "}"

   cla-issuer = id-issuer msp Name
   cla-minCRLNumber = id-minCRLNumber msp CRLNumber
   cla-maxCRLNumber = id-maxCRLNumber msp CRLNumber
   cla-reasonFlags = id-reasonFlags msp ReasonFlags
   cla-dateAndTime = id-dateAndTime msp Time
   cla-distributionPoint = id-distributionPoint msp
        DistributionPointName
   cla-authorityKeyIdentifier = id-authorityKeyIdentifier msp
        AuthorityKeyIdentifier

   id-minCRLNumber = %x6D.69.6E.43.52.4C.4E.75.6D.62.65.72
        ; 'minCRLNumber'
   id-maxCRLNumber = %x6D.61.78.43.52.4C.4E.75.6D.62.65.72
        ; 'maxCRLNumber'
   id-reasonFlags = %x72.65.61.73.6F.6E.46.6C.61.67.73 ; 'reasonFlags'
   id-dateAndTime = %x64.61.74.65.41.6E.64.54.69.6D.65 ; 'dateAndTime'

   CRLNumber = INTEGER-0-MAX

   ReasonFlags = BIT-STRING
        / "{" [ sp reason-flag *( "," sp reason-flag ) ] sp "}"

   reason-flag = id-unused
        / id-keyCompromise
        / id-cACompromise
        / id-affiliationChanged
        / id-superseded
        / id-cessationOfOperation
        / id-certificateHold
        / id-privilegeWithdrawn
        / id-aACompromise

   id-unused = %x75.6E.75.73.65.64 ; 'unused'
   id-keyCompromise = %x6B.65.79.43.6F.6D.70.72.6F.6D.69.73.65
        ; 'keyCompromise'
   id-cACompromise = %x63.41.43.6F.6D.70.72.6F.6D.69.73.65
        ; 'cACompromise'
   id-affiliationChanged =
        %x61.66.66.69.6C.69.61.74.69.6F.6E.43.68.61.6E.67.65.64
        ; 'affiliationChanged'
   id-superseded = %x73.75.70.65.72.73.65.64.65.64 ; 'superseded'
   id-cessationOfOperation =
        %x63.65.73.73.61.74.69.6F.6E.4F.66.4F.70.65.72.61.74.69.6F.6E
        ; 'cessationOfOperation'
   id-certificateHold = %x63.65.72.74.69.66.69.63.61.74.65.48.6F.6C.64
        ; 'certificateHold'
   id-privilegeWithdrawn =
        %x70.72.69.76.69.6C.65.67.65.57.69.74.68.64.72.61.77.6E
        ; 'privilegeWithdrawn'

   id-aACompromise = %x61.41.43.6F.6D.70.72.6F.6D.69.73.65
        ; 'aACompromise'
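Both <KeyUsage> in A.2 and <ReasonFlags> in A.6 follow the same pattern: a value may be written either as a GSER <BIT-STRING> or as a braced, comma-separated list of the identifiers whose bits are set. The following encoder and decoder handle both spellings for both types. It is an added example, not code from the RFC or from OpenLDAP. The bit positions behind each identifier are taken from the X.509 / RFC 5280 ASN.1 definitions (digitalSignature is bit 0 of KeyUsage, unused is bit 0 of ReasonFlags, and so on), which this appendix does not restate, and the two <BIT-STRING> spellings assumed, '0101'B and 'A0'H, are the bstring and hstring forms of RFC 3641.

```python
import re

# Named bits in ASN.1 position order (bit 0 first). The positions come from
# X.509 / RFC 5280, not from this appendix, which lists only the identifiers.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)
REASON_FLAGS_BITS = (
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise",
)

# GSER <BIT-STRING> spellings assumed from RFC 3641: '0101'B or 'A0'H.
_BSTRING_RE = re.compile(r"^'([01]*)'B$")
_HSTRING_RE = re.compile(r"^'([0-9A-Fa-f]*)'H$")


def _check_names(names, set_bits):
    unknown = set(set_bits) - set(names)
    if unknown:
        raise ValueError("unknown bit name(s): %s" % sorted(unknown))


def encode_bit_list(names, set_bits):
    """Identifier-list form: "{" [ sp id *( "," sp id ) ] sp "}", in bit order."""
    _check_names(names, set_bits)
    chosen = [n for n in names if n in set_bits]
    return "{ " + ", ".join(chosen) + " }" if chosen else "{ }"


def encode_bit_string(names, set_bits):
    """Equivalent <BIT-STRING> bstring form, trailing zero bits trimmed."""
    _check_names(names, set_bits)
    bits = "".join("1" if n in set_bits else "0" for n in names).rstrip("0")
    return "'%s'B" % bits


def decode_bits(names, text):
    """Accept either spelling and return the frozenset of set bit names."""
    text = text.strip(" ")
    m = _BSTRING_RE.match(text) or _HSTRING_RE.match(text)
    if m:
        raw = m.group(1)
        # An hstring expands to four bits per hex digit, most significant first.
        bits = raw if text.endswith("B") else "".join(
            format(int(h, 16), "04b") for h in raw)
        # Padding beyond the last named bit is fine only if it is all zero.
        if "1" in bits[len(names):]:
            raise ValueError("bit set beyond the last named bit: %r" % (text,))
        return frozenset(n for n, b in zip(names, bits) if b == "1")
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("neither a bit list nor a BIT-STRING: %r" % (text,))
    body = text[1:-1].strip(" ")
    if not body:
        return frozenset()
    seen = set()
    for item in body.split(","):
        item = item.strip(" ")
        if item not in names:
            raise ValueError("unknown identifier %r" % (item,))
        if item in seen:
            raise ValueError("duplicate identifier %r" % (item,))
        seen.add(item)
    return frozenset(seen)


def is_valid_bits(names, text):
    """True if the text is a valid value for the given named-bit type."""
    try:
        decode_bits(names, text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ca_usage = {"keyCertSign", "cRLSign"}            # constructed sample
    print(encode_bit_list(KEY_USAGE_BITS, ca_usage))  # { keyCertSign, cRLSign }
    print(encode_bit_string(KEY_USAGE_BITS, ca_usage))
    print(sorted(decode_bits(REASON_FLAGS_BITS, "{ keyCompromise, cACompromise }")))
```

The decoder is deliberately strict: an identifier from the wrong type (a KeyUsage name inside a ReasonFlags value), a repeated identifier, or a one bit past the last named position is rejected rather than silently dropped, so a filter that asks for CRLs covering keyCompromise cannot be widened by a malformed assertion.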
        
A.7. AlgorithmIdentifier

   AlgorithmIdentifier = "{" sp ai-algorithm [ "," sp ai-parameters ]
        sp "}"

   ai-algorithm = id-algorithm msp OBJECT-IDENTIFIER
   ai-parameters = id-parameters msp Value
   id-algorithm = %x61.6C.67.6F.72.69.74.68.6D ; 'algorithm'
   id-parameters = %x70.61.72.61.6D.65.74.65.72.73 ; 'parameters'
        

Author's Address

Kurt D. Zeilenga
OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org
        

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).