1、Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 12/24/2003Published by American National Standards Institute,25 West 43rd Street, New York, New York 10036Copyright 2003 by Information Technology Industry Council
2、 (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council(ITI). Not for resale. No part of t
3、his publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United States of AmericaReference numberISO
4、/IEC 9594-8:2001(E)ISO/IEC 2001INTERNATIONAL STANDARD ISO/IEC9594-8Fourth edition2001-08-01Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks Technologies de linformation Interconnexion de systmes ouverts (OSI) Lannuaire: Cadres de cl p
5、ublique et de certificat dattribut ISO/IEC 9594-8:2001(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the c
6、omputer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to c
7、reate this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform
8、the Central Secretariat at the address given below. ISO/IEC 2001 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
9、either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii ISO/IEC 2001 All rights reserved CONTENTS Page Intr
10、oduction viii SECTION 1 GENERAL . 1 1 Scope 1 2 Normative references 2 2.1 Identical Recommendations | International Standards. 2 2.2 Paired Recommendations | International Standards equivalent in technical content. 3 3 Definitions 3 3.1 OSI Reference Model security architecture definitions. 3 3.2 D
11、irectory model definitions. 3 3.3 Definitions. 4 4 Abbreviations 6 5 Conventions 7 6 Frameworks overview 7 6.1 Digital signatures. 8 SECTION 2 PUBLIC-KEY CERTIFICATE FRAMEWORK. 10 7 Public-keys and public-key certificates 11 7.1 Generation of key pairs . 15 7.2 Public-key certificate creation. 15 7.
12、3 Certificate validity. 15 8 Public-key certificate and CRL extensions. 17 8.1 Policy handling 18 8.1.1 Certificate policy . 18 8.1.2 Cross-certification . 19 8.1.3 Policy mapping 20 8.1.4 Certification path processing. 20 8.1.5 Self-issued certificates. 20 8.2 Key and policy information extensions
13、. 21 8.2.1 Requirements. 21 8.2.2 Public-key certificate and CRL extension fields . 21 8.2.2.1 Authority key identifier extension. 22 8.2.2.2 Subject key identifier extension 22 8.2.2.3 Key usage extension 22 8.2.2.4 Extended key usage extension. 23 8.2.2.5 Private key usage period extension . 24 8.
14、2.2.6 Certificate policies extension. 24 8.2.2.7 Policy mappings extension 25 8.3 Subject and issuer information extensions 26 8.3.1 Requirements. 26 8.3.2 Certificate and CRL extension fields. 26 8.3.2.1 Subject alternative name extension . 26 8.3.2.2 Issuer alternative name extension 26 8.3.2.3 Su
15、bject directory attributes extension 27 8.4 Certification path constraint extensions. 27 8.4.1 Requirements. 27 8.4.2 Certificate extension fields 28 8.4.2.1 Basic constraints extension 28 8.4.2.2 Name constraints extension. 29 8.4.2.3 Policy constraints extension 30 8.4.2.4 Inhibit any policy exten
16、sion 30 ISO/IEC 9594-8:2001(E) ISO/IEC 2001 All rights reserved iiiPage 8.5 Basic CRL extensions 30 8.5.1 Requirements. 30 8.5.2 CRL and CRL entry extension fields. 31 8.5.2.1 CRL number extension 31 8.5.2.2 Reason code extension 32 8.5.2.3 Hold instruction code extension 32 8.5.2.4 Invalidity date
17、extension 33 8.5.2.5 CRL scope extension. 33 8.5.2.6 Status referral extension 35 8.5.2.7 CRL stream identifier extension 36 8.5.2.8 Ordered list extension 36 8.5.2.9 Delta information extension 37 8.6 CRL distribution points and delta-CRL extensions. 37 8.6.1 Requirements. 37 8.6.2 CRL distribution
18、 point and delta-CRL extension fields 38 8.6.2.1 CRL distribution points extension. 38 8.6.2.2 Issuing distribution point extension. 39 8.6.2.3 Certificate issuer extension 40 8.6.2.4 Delta CRL indicator extension 40 8.6.2.5 Base update extension . 41 8.6.2.6 Freshest CRL extension. 41 9 Delta CRL r
19、elationship to base. 41 10 Certification path processing procedure . 42 10.1 Path processing inputs . 42 10.2 Path processing outputs . 43 10.3 Path processing variables 43 10.4 Initialization step . 43 10.5 Certificate processing 44 10.5.1 Basic certificate checks . 44 10.5.2 Processing intermediat
20、e certificates 44 10.5.3 Explicit policy indicator processing 45 10.5.4 Final processing. 46 11 PKI directory schema . 46 11.1 PKI directory object classes and name forms 46 11.1.1 PKI user object class . 46 11.1.2 PKI CA object class. 46 11.1.3 CRL distribution points object class and name form. 46
21、 11.1.4 Delta CRL object class 47 11.1.5 Certificate Policy published Technical Corrigenda can be obtained via the ISO webstore or from the ISO and IEC national bodies. Corrigenda and Implementors Guides to ITU-T Recommendations can be obtained from the ITU-T website. International Standard ISO/IEC
22、9594-8 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.509. This fourth edition of ISO/IEC 9594-8 co
23、nstitutes a technical revision of the third edition (ISO/IEC 9594-8:1998), which is provisionally retained in order to support implementations based on the third edition. This edition also incorporates Corrigendum 1:2000. ISO/IEC 9594 consists of the following parts, under the general title Informat
24、ion technology Open Systems Interconnection The Directory: Part 1: Overview of concepts, models and services Part 2: Models Part 3: Abstract service definition Part 4: Procedures for distributed operation Part 5: Protocol specifications Part 6: Selected attribute types Part 7: Selected object classe
25、s Part 8: Public-key and attribute certificate frameworks Part 9: Replication Part 10: Use of systems management for administration of the Directory Annexes A, B and F form a normative part of this part of ISO/IEC 9594. Annexes C, D, E, G, H and I are for information only. Introduction This Recommen
26、dation | International Standard, together with other Recommendations | International Standards, has been produced to facilitate the interconnection of information processing systems to provide directory services. A set of such systems, together with the directory information which they hold, can be
27、viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application-entities, people, terminals and distribution lists.
28、 The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems: from different manufacturers; under different managements;
29、 of different levels of complexity; and of different ages. Many applications have requirements for security to protect against threats to the communication of information. Virtually all security services are dependent upon the identities of the communicating parties being reliably known, i.e. authen
30、tication. This Recommendation | International Standard defines a framework for public-key certificates. That framework includes specification of data objects used to represent the certificates themselves as well as revocation notices for issued certificates that should no longer be trusted. The publ
31、ic-key certificate framework defined in this Specification, while it defines some critical components of a Public-key Infrastructure (PKI), it does not define a PKI in its entirety. However, this Specification provides the foundation upon which full PKIs and their specifications would be built. Simi
32、larly, this Recommendation | International Standard defines a framework for attribute certificates. That framework includes specification of data objects used to represent the certificates themselves as well as revocation notices for issued certificates that should no longer be trusted. The attribut
33、e certificate framework defined in this Specification, while it defines some critical components of a Privilege Management Infrastructure (PMI), it does not define a PMI it its entirety. However, this Specification provides the foundation upon which full PMIs and their specifications would be built.
34、 Information objects for holding PKI and PMI objects in the Directory and for comparing presented values with stored values are also defined. This Recommendation | International Standard also defines a framework for the provision of authentication services by the Directory to its users. This Recomme
35、ndation | International Standard provides the foundation frameworks upon which industry profiles can be defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks, may be mandated for use in certain environments through profiles. This fourth e
36、dition technically revises and enhances, but does not replace, the third edition of this Recommendation | International Standard. Implementations may still claim conformance to the third edition. However, at some point, the third edition will not be supported (i.e. reported defects will no longer be
37、 resolved). It is recommended that implementations conform to this fourth edition as soon as possible. This fourth edition specifies version 1 and 2 of the Directory protocols. The first and second editions specified only version 1. Most of the services and protocols specified in this edition are de
38、signed to function under version 1. However some enhanced services and protocols, e.g. signed errors, will not function unless all Directory entities involved in the operation have negotiated version 2. Whichever version has been negotiated, differences between the services and between the protocols
39、 defined in the four editions, except for those specifically assigned to version 2, are accommodated using the rules of extensibility defined in this edition of ITU-T Rec. X.519 | ISO/IEC 9594-5. Annex A, which is an integral part of this Recommendation | International Standard, provides the ASN.1 m
40、odule which contains all of the definitions associated with the frameworks. Annex B, which is an integral part of this Recommendation | International Standard, provides rules for generating and processing Certificate Revocation Lists. Annex C, which is not an integral part of this Recommendation | I
41、nternational Standard, provides examples of delta-CRL issuance. ISO/IEC 9594-8:2001(E) ISO/IEC 2001 All rights reserved ixAnnex D, which is not an integral part of this Recommendation | International Standard, provides examples of privilege policy syntaxes and privilege attributes. Annex E, which is
42、 not an integral part of this Recommendation | International Standard, is an introduction to public-key cryptography. Annex F, which is an integral part of this Recommendation | International Standard, defines object identifiers assigned to authentication and encryption algorithms, in the absence of
43、 a formal register. Annex G, which is not an integral part of this Recommendation | International Standard, contains examples of the use of certification path constraints. Annex H, which is not an integral part of this Recommendation | International Standard, contains an alphabetical list of informa
44、tion item definitions in this Specification. Annex I, which is not an integral part of this Recommendation | International Standard, lists the amendments and defect reports that have been incorporated to form this edition of this Recommendation | International Standard. ISO/IEC 9594-8:2001(E) x ISO/
45、IEC 2001 All rights reserved The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 9594 may involve the use of a patent concerning the CRL distribution p
46、oint facility. ISO and IEC take no position concerning the evidence, validity and scope of this patent right. The holder of this patent right has assured ISO and IEC that he is willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the w
47、orld. In this respect, the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained from: Entrust Technologies Mr. Mike Morgan, Senior Legal Counsel 750 Heron Road, Suite E08 Ottawa, Ontario K1V 1A7 Canada Attention is drawn to the possibility that som
48、e of the elements of this part of ISO/IEC 9594 may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 9594-8 : 2001 (E) ITU-T Rec. X.509 (2000 E) 1 INTERNATIONAL STANDARD ISO/IEC 9594-8 :
49、 2001 (E) ITU-T Rec. X.509 (2000 E) ITU-T RECOMMENDATION INFORMATION TECHNOLOGY OPEN SYSTEMS INTERCONNECTION THE DIRECTORY: PUBLIC-KEY AND ATTRIBUTE CERTIFICATE FRAMEWORKS SECTION 1 GENERAL 1 Scope This Recommendation | International Standard addresses some of the security requirements in the areas of authentication and other security services through the provision of a set of frameworks upon which full services can be based. Specifically, this Recommendation | International Standard defines frameworks for: Pu
