datatracker.ietf.org
Sign in
Version 5.6.2.p1, 2014-07-22
Report a bug

Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates
RFC 4523

Document type: RFC - Proposed Standard (June 2006; No errata)
Was draft-zeilenga-ldap-x509 (individual in app area)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4523 (Proposed Standard)
Responsible AD: Ted Hardie
Send notices to: kurt@openLDAP.org

Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track

             Lightweight Directory Access Protocol (LDAP)
               Schema Definitions for X.509 Certificates

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

   Abstract

   This document describes schema for representing X.509 certificates,
   X.521 security information, and related elements in directories
   accessible using the Lightweight Directory Access Protocol (LDAP).
   The LDAP definitions for these X.509 and X.521 schema elements
   replace those provided in RFCs 2252 and 2256.

1.  Introduction

   This document provides LDAP [RFC4510] schema definitions [RFC4512]
   for a subset of elements specified in X.509 [X.509] and X.521
   [X.521], including attribute types for certificates, cross
   certificate pairs, and certificate revocation lists; matching rules
   to be used with these attribute types; and related object classes.
   LDAP syntax definitions are also provided for associated assertion
   and attribute values.

   As the semantics of these elements are as defined in X.509 and X.521,
   knowledge of X.509 and X.521 is necessary to make use of the LDAP
   schema definitions provided herein.

   This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
   in their entirety.  The changes (in this document) made since RFC
   2252 and RFC 2256 include:

      -  addition of pkiUser, pkiCA, and deltaCRL classes;

Zeilenga                    Standards Track                     [Page 1]
RFC 4523                   LDAP X.509 Schema                   June 2006

      -  update of attribute types to include equality matching rules in
         accordance with their X.500 specifications;

      -  addition of certificate, certificate pair, certificate list,
         and algorithm identifier matching rules; and

      -  addition of LDAP syntax for assertion syntaxes for these
         matching rules.

   This document obsoletes RFC 2587.  The X.509 schema descriptions for
   LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC4512].  Definitions provided here are formatted (line wrapped)
   for readability.

2.  Syntaxes

   This section describes various syntaxes used in LDAP to transfer
   certificates and related data types.

2.1.  Certificate

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

   A value of this syntax is an X.509 Certificate [X.509, clause 7].

   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.

2.2.  CertificateList

      ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

   A value of this syntax is an X.509 CertificateList [X.509, clause
   7.3].

Zeilenga                    Standards Track                     [Page 2]
RFC 4523                   LDAP X.509 Schema                   June 2006

   Due to changes made to the definition of a CertificateList through
   time, no LDAP-specific encoding is defined for this syntax.  Values
   of this syntax SHOULD be encoded using DER [X.690] and MUST only be
   transferred using the ;binary transfer option [RFC4522]; that is, by
   requesting and returning values using attribute descriptions such as
   "certificateRevocationList;binary".

   As values of this syntax contain digitally signed data, values of

[include full document text]