ITU-T X.509 (10/2012) Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks (Study Group 17)

International Telecommunication Union

ITU-T X.509
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2012)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Directory

Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks

Recommendation ITU-T X.509

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS
    Services and facilities                            X.1–X.19
    Interfaces                                         X.20–X.49
    Transmission, signalling and switching             X.50–X.89
    Network aspects                                    X.90–X.149
    Maintenance                                        X.150–X.179
    Administrative arrangements                        X.180–X.199
OPEN SYSTEMS INTERCONNECTION
    Model and notation                                 X.200–X.209
    Service definitions                                X.210–X.219
    Connection-mode protocol specifications            X.220–X.229
    Connectionless-mode protocol specifications        X.230–X.239
    PICS proformas                                     X.240–X.259
    Protocol Identification                            X.260–X.269
    Security Protocols                                 X.270–X.279
    Layer Managed Objects                              X.280–X.289
    Conformance testing                                X.290–X.299
INTERWORKING BETWEEN NETWORKS
    General                                            X.300–X.349
    Satellite data transmission systems                X.350–X.369
    IP-based networks                                  X.370–X.379
MESSAGE HANDLING SYSTEMS                               X.400–X.499
DIRECTORY                                              X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS
    Networking                                         X.600–X.629
    Efficiency                                         X.630–X.639
    Quality of service                                 X.640–X.649
    Naming, Addressing and Registration                X.650–X.679
    Abstract Syntax Notation One (ASN.1)               X.680–X.699
OSI MANAGEMENT
    Systems management framework and architecture      X.700–X.709
    Management communication service and protocol      X.710–X.719
    Structure of management information                X.720–X.729
    Management functions and ODMA functions            X.730–X.799
SECURITY                                               X.800–X.849
OSI APPLICATIONS
    Commitment, concurrency and recovery               X.850–X.859
    Transaction processing                             X.860–X.879
    Remote operations                                  X.880–X.889
    Generic applications of ASN.1                      X.890–X.899
OPEN DISTRIBUTED PROCESSING                            X.900–X.999
INFORMATION AND NETWORK SECURITY                       X.1000–X.1099
SECURE APPLICATIONS AND SERVICES                       X.1100–X.1199
CYBERSPACE SECURITY                                    X.1200–X.1299
SECURE APPLICATIONS AND SERVICES                       X.1300–X.1399
CYBERSECURITY INFORMATION EXCHANGE                     X.1500–X.1599

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.509 (10/2012)

INTERNATIONAL STANDARD ISO/IEC 9594-8
RECOMMENDATION ITU-T X.509

Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks

Summary

Recommendation ITU-T X.509 | ISO/IEC 9594-8 defines frameworks for public-key certificates and attribute certificates. The public-key certificate framework is the base specification for public-key certificates, for the different components going into a public-key infrastructure (PKI), for validation procedures and for public-key certificate revocation, etc. The attribute certificate framework is the base specification for attribute certificates and the different components going into the Privilege Management Infrastructure (PMI). These frameworks may be used by standards bodies to profile their application to PKIs and PMIs.

History

Edition  Recommendation                           Approval     Study Group
1.0      ITU-T X.509                              1988-11-25
2.0      ITU-T X.509                              1993-11-16   7
3.0      ITU-T X.509                              1997-08-09   7
3.1      ITU-T X.509 (1997) Technical Cor. 1      2000-03-31   7
3.2      ITU-T X.509 (1997) Technical Cor. 2      2001-02-02   7
3.3      ITU-T X.509 (1997) Technical Cor. 3      2001-10-29   7
3.4      ITU-T X.509 (1997) Technical Cor. 4      2002-04-13   17
3.5      ITU-T X.509 (1997) Technical Cor. 5      2003-02-13   17
3.6      ITU-T X.509 (1997) Technical Cor. 6      2004-04-29   17
4.0      ITU-T X.509                              2000-03-31   7
4.1      ITU-T X.509 (2000) Technical Cor. 1      2001-10-29   7
4.2      ITU-T X.509 (2000) Technical Cor. 2      2002-04-13   17
4.3      ITU-T X.509 (2000) Technical Cor. 3      2004-04-29   17
4.4      ITU-T X.509 (2000) Technical Cor. 4      2007-01-13   17
5.0      ITU-T X.509                              2005-08-29   17
5.1      ITU-T X.509 (2005) Cor. 1                2007-01-13   17
5.2      ITU-T X.509 (2005) Cor. 2                2008-11-13   17
5.3      ITU-T X.509 (2005) Cor. 3                2011-02-13   17
5.4      ITU-T X.509 (2005) Cor. 4                2012-04-13   17
6.0      ITU-T X.509                              2008-11-13   17
6.1      ITU-T X.509 (2008) Cor. 1                2011-02-13   17
6.2      ITU-T X.509 (2008) Cor. 2                2012-04-13   17
6.3      ITU-T X.509 (2008) Cor. 3                2012-10-14   17
7.0      ITU-T X.509                              2012-10-14   17

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE – In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2014
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS

1 Scope ... 1
2 Normative references ... 2
2.1 Identical Recommendations | International Standards ... 2
2.2 Paired Recommendations | International Standards equivalent in technical content ... 3
2.3 Recommendations ... 3
2.4 Other references ... 3
3 Definitions ... 3
3.1 OSI Reference Model security architecture definitions ... 3
3.2 Baseline identity management terms and definitions ... 3
3.3 Directory model definitions ... 4
3.4 Access control framework definitions ... 4
3.5 Public-key and attribute certificate definitions ... 4
4 Abbreviations ... 7
5 Conventions ... 8
6 Frameworks overview ... 8
6.1 Digital signatures ... 9
6.2 Formal definitions for public-key cryptography ... 10
6.3 Distinguished encoding of Basic Encoding Rules ... 10
6.4 Applying distinguished encoding ... 11
7 Public-keys and public-key certificates ... 11
7.1 Introduction ... 11
7.2 Public-key certificate ... 12
7.3 Public-key certificate extensions ... 14
7.4 Types of public-key certificates ... 15
7.5 Trust anchor ... 15
7.6 Entity relationship ... 16
7.7 Certification path ... 16
7.8 Generation of key pairs ... 18
7.9 Public-key certificate creation ... 18
7.10 Certificate revocation list ... 18
7.11 Repudiation of a digital signing ... 21
8 Public-key certificate and CRL extensions ... 22
8.1 Policy handling ... 22
8.2 Key and policy information extensions ... 25
8.3 Subject and issuer information extensions ... 31
8.4 Certification path constraint extensions ... 33
8.5 Basic CRL extensions ... 37
8.6 CRL distribution points and delta-CRL extensions ... 46
9 Delta CRL relationship to base ... 52
10 Certification path processing procedure ... 53
10.1 Path processing inputs ... 53
10.2 Path processing outputs ... 54
10.3 Path processing variables ... 54
10.4 Initialization step ... 55
10.5 Certificate processing ... 55
11 PKI directory schema ... 57
11.1 PKI directory object classes and name forms ... 57
11.2 PKI directory attributes ... 59
11.3 PKI directory matching rules ... 61
11.4 PKI directory syntax definitions ... 66
12 Attribute Certificates ... 68
12.1 Attribute certificate structure ... 69
12.2 Attribute certification paths ... 71
13 Attribute Authority, SOA and Certification Authority relationship ... 71
13.1 Privilege in attribute certificates ... 73
13.2 Privilege in public-key certificates ... 73
14 PMI models ... 73
14.1 General model ... 73
14.2 Control model ... 75
14.3 Delegation model ... 76
14.4 Group assignment model ... 76
14.5 Roles model ... 77
14.6 Recognition of Authority Model ... 78
14.7 XML privilege information attribute ... 82
14.8 Permission attribute and matching rule ... 83
15 Privilege management certificate extensions ... 83
15.1 Basic privilege management extensions ... 84
15.2 Privilege revocation extensions ... 87
15.3 Source of Authority extensions ... 87
15.4 Role extensions ... 90
15.5 Delegation extensions ... 91
15.6 Recognition of Authority Extensions ... 95
16 Privilege path processing procedure ... 98
16.1 Basic processing procedure ... 98
16.2 Role processing procedure ... 99
16.3 Delegation processing procedure ... 99
17 PMI directory schema ... 102
17.1 PMI directory object classes ... 102
17.2 PMI Directory attributes ... 103
17.3 PMI general directory matching rules ... 105
18 Directory authentication ... 107
18.1 Simple authentication procedure ... 107
18.2 Password policy ... 109
18.3 Strong Authentication ... 119
19 Access control ... 122
20 Protection of Directory operations ... 122
Annex A Public-Key and Attribute Certificate Frameworks ... 123
Annex B Reference definition of algorithm object identifiers ... 153
Annex C CRL generation and processing rules ... 154
C.1 Introduction ... 154
C.2 Determine parameters for CRLs ... 155
C.3 Determine CRLs required ... 156
C.4 Obtain CRLs ... 157
C.5 Process CRLs ... 157
Annex D Examples of delta CRL issuance ... 161
Annex E Privilege policy and privilege attribute definition examples ... 163
E.1 Introduction ... 163
E.2 Sample syntaxes ... 163
E.3 Privilege attribute example ... 167
Annex F An introduction to public key cryptography ... 168
Annex G Examples of use of certification path constraints ... 170
G.1 Example 1: Use of basic constraints ... 170
G.2 Example 2: Use of policy mapping and policy constraints ... 170
G.3 Use of Name Constraints Extension ... 170
Annex H Guidance on determining for which policies a certification path is valid ... 179
H.1 Certification path valid for a user-specified policy required ... 179
H.2 Certification path valid for any policy required ... 180
H.3 Certification path valid regardless of policy ... 180
H.4 Certification path valid for a user-specific policy desired, but not required ... 180
Annex I Key usage certificate extension issues ... 181
Annex J External ASN.1 modules ... 182
Annex K Use of Protected Passwords for Bind operations ... 190
Annex L Examples of password hashing algorithms ... 191
L.1 Null Hashing method ... 191
L.2 MD5 method ... 191
L.3 SHA-1 method ... 191
Annex M Alphabetical list of information item definitions ... 192
Annex N Amendments and corrigenda ... 195

Introduction

This Recommendation | International Standard, together with other Recommendations | International Standards, has been produced to facilitate the interconnection of information processing systems to provide directory services. A set of such systems, together with the directory information which they hold, can be viewed as an integrated whole, called the Directory. The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to facilitate communication between, with or about objects such as application-entities, people, terminals and distribution lists.

The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of technical agreement outside of the interconnection standards themselves, the interconnection of information processing systems: from different manufacturers; under different managements; of different levels of complexity; and of different ages.

Many applications have requirements for security to protect against threats to the communication of information. Virtually all security services are dependent upon the identities of the communicating parties being reliably known, i.e., authentication.

This Recommendation | International Standard defines a framework for public-key certificates. This framework includes the specification of data objects used to represent the certificates themselves, as well as revocation notices for issued certificates that should no longer be trusted. The public-key certificate framework defined in this Recommendation | International Standard defines some critical components of a public-key infrastructure (PKI), but it does not define a PKI in its entirety. However, this Recommendation | International Standard provides the foundation upon which full PKIs and their specifications would be built.

Similarly, this Recommendation | International Standard defines a framework for attribute certificates. That framework includes the specification of data objects used to represent the certificates themselves, as well as revocation notices for issued certificates that should no longer be trusted. The attribute certificate framework defined in this Recommendation | International Standard defines some critical components of a Privilege Management Infrastructure (PMI), but it does not define a PMI in its entirety. However, this Recommendation | International Standard provides the foundation upon which full PMIs and their specifications would be built.

Information objects for holding PKI and PMI objects in the Directory and for comparing presented values with stored values are also defined.

This Recommendation | International Standard also defines a framework for the provision of authentication services by the Directory to its users.

This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks may be mandated for use in certain environments through profiles.

This seventh edition technically revises and enhances the sixth edition of this Recommendation | International Standard. This seventh edition specifies versions 1, 2 and 3 of public-key certificates and versions 1 and 2 of certificate revocation lists. This ed
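The introduction says the seventh edition covers versions 1, 2 and 3 of public-key certificates and versions 1 and 2 of certificate revocation lists, and that the frameworks define the data objects that carry certificates and revocation notices. The script below is an added example written for this page, not code from the Recommendation or from ITU. It walks the DER encoding of a certificate (clause 7.2 in the contents) and of a CRL (clause 7.10) just far enough to read the version: in a TBSCertificate the version is a [0] EXPLICIT INTEGER that DER omits entirely when it has the default value v1, whereas in a TBSCertList the version is an untagged INTEGER that is present only in v2 lists. The sample certificate and CRL are constructed inside the script as unsigned shells with the right field layout (the sha256WithRSAEncryption object identifier stands in as a placeholder algorithm, names are empty, the signature bits are zero); they are not real credentials, and all function names are the author's own.

```python
"""Added example (not part of ITU-T X.509 | ISO/IEC 9594-8): read the version of a
DER-encoded public-key certificate (v1/v2/v3) or CRL (v1/v2) with a minimal DER
walker.  The sample objects built below are unsigned, constructed placeholders."""

SEQUENCE, INTEGER, OID, BIT_STRING, UTC_TIME, CONTEXT_0 = 0x30, 0x02, 0x06, 0x03, 0x17, 0xA0

# ---- tiny DER encoder, used only to construct the sample inputs ----------------
def der_len(n: int) -> bytes:
    """Definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value: int) -> bytes:
    """INTEGER with minimal two's-complement contents (a 0x00 lead byte only when the high bit is set)."""
    nbytes = (value.bit_length() + 8) // 8
    return tlv(INTEGER, value.to_bytes(nbytes, "big", signed=True))

# ---- DER reader ----------------------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, end) for the element at buf[pos:]; rejects BER indefinite lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("element length runs past the end of the buffer")
    return tag, buf[start:end], end

def _to_be_signed(obj: bytes) -> bytes:
    """Certificate and CertificateList are both SEQUENCE { tbs, signatureAlgorithm, signatureValue }."""
    tag, outer, _ = read_tlv(obj)
    if tag != SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs, _ = read_tlv(outer)
    if tag != SEQUENCE:
        raise ValueError("to-be-signed part is not a SEQUENCE")
    return tbs

def _version(contents: bytes, allowed: range) -> int:
    value = int.from_bytes(contents, "big")      # Version ::= INTEGER { v1(0), v2(1), v3(2) }
    if value not in allowed:
        raise ValueError(f"version value {value} is not allowed here")
    return value + 1

def certificate_version(cert: bytes) -> int:
    """TBSCertificate.version is [0] EXPLICIT Version DEFAULT v1; DER omits defaults, so absent means v1."""
    tag, first, _ = read_tlv(_to_be_signed(cert))
    if tag != CONTEXT_0:
        return 1
    inner_tag, contents, _ = read_tlv(first)
    if inner_tag != INTEGER:
        raise ValueError("[0] does not wrap an INTEGER")
    return _version(contents, range(0, 3))

def crl_version(crl: bytes) -> int:
    """TBSCertList.version is an untagged INTEGER, OPTIONAL, and present only for v2 CRLs."""
    tag, first, _ = read_tlv(_to_be_signed(crl))
    if tag != INTEGER:           # otherwise the first element is the signature AlgorithmIdentifier
        return 1
    return _version(first, range(1, 2))

# ---- constructed sample objects (shape only; unsigned, not usable as credentials) ---
ALG = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
EMPTY_NAME = tlv(SEQUENCE, b"")
TIME = tlv(UTC_TIME, b"240101000000Z")
SPKI = tlv(SEQUENCE, ALG + tlv(BIT_STRING, b"\x00" + bytes(8)))
SIGNATURE = tlv(BIT_STRING, b"\x00" + bytes(8))

def build_certificate(version: int) -> bytes:
    """Certificate shell with the requested version; v1 is encoded by omitting the field, as DER requires."""
    version_field = tlv(CONTEXT_0, der_int(version - 1)) if version > 1 else b""
    tbs = version_field + der_int(0x0102) + ALG + EMPTY_NAME + tlv(SEQUENCE, TIME + TIME) + EMPTY_NAME + SPKI
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + ALG + SIGNATURE)

def build_crl(version: int) -> bytes:
    """CertificateList shell; only a v2 CRL carries the version INTEGER."""
    version_field = der_int(1) if version == 2 else b""
    tbs = version_field + ALG + EMPTY_NAME + TIME
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + ALG + SIGNATURE)

if __name__ == "__main__":
    for v in (1, 2, 3):
        print("certificate built as v%d parses as v%d" % (v, certificate_version(build_certificate(v))))
    for v in (1, 2):
        print("CRL built as v%d parses as v%d" % (v, crl_version(build_crl(v))))
```

Running the script parses each constructed object back to the version it was built with. Two details matter for a real validator: a parser that treated an absent [0] as an error would reject every v1 certificate, and one that accepted a BER indefinite length would accept a non-canonical encoding of a signed object, so read_tlv refuses the latter and certificate_version treats absence as v1.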
