Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates
RFC 4523
Document | Type | RFC - Proposed Standard (June 2006; Errata). Was draft-zeilenga-ldap-x509 (individual in app area) |
---|---|---|
Author | Kurt Zeilenga | |
Last updated | 2020-01-21 | |
Stream | Internet Engineering Task Force (IETF) | |
Formats | plain text, html, pdf, htmlized (tools), htmlized with errata, bibtex | |
Stream | WG state | (None) |
Document shepherd | No shepherd assigned | |
IESG | IESG state | RFC 4523 (Proposed Standard) |
Action Holders | (None) | |
Consensus Boilerplate | Unknown | |
Telechat date | | |
Responsible AD | Ted Hardie | |
Send notices to | (None) | |
Network Working Group                                        K. Zeilenga
Request for Comments: 4523                           OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587                                    June 2006
Category: Standards Track

Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP). The LDAP definitions for these X.509 and X.521 schema elements replace those provided in RFCs 2252 and 2256.

1. Introduction

This document provides LDAP [RFC4510] schema definitions [RFC4512] for a subset of elements specified in X.509 [X.509] and X.521 [X.521], including attribute types for certificates, cross certificate pairs, and certificate revocation lists; matching rules to be used with these attribute types; and related object classes. LDAP syntax definitions are also provided for associated assertion and attribute values.

As the semantics of these elements are as defined in X.509 and X.521, knowledge of X.509 and X.521 is necessary to make use of the LDAP schema definitions provided herein.

This document, together with [RFC4510], obsoletes RFCs 2252 and 2256 in their entirety.
The changes (in this document) made since RFC 2252 and RFC 2256 include:

   - addition of pkiUser, pkiCA, and deltaCRL classes;

   - update of attribute types to include equality matching rules in accordance with their X.500 specifications;

   - addition of certificate, certificate pair, certificate list, and algorithm identifier matching rules; and

   - addition of LDAP syntax for assertion syntaxes for these matching rules.

This document obsoletes RFC 2587. The X.509 schema descriptions for LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].

Schema definitions are provided using LDAP description formats [RFC4512]. Definitions provided here are formatted (line wrapped) for readability.

2. Syntaxes

This section describes various syntaxes used in LDAP to transfer certificates and related data types.

2.1. Certificate

      ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )

A value of this syntax is an X.509 Certificate [X.509, clause 7].

Due to changes made to the definition of a Certificate through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using Distinguished Encoding Rules (DER) [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "userCertificate;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.

2.2. CertificateList

      ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )

A value of this syntax is an X.509 CertificateList [X.509, clause 7.3].
Due to changes made to the definition of a CertificateList through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using DER [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "certificateRevocationList;binary".

As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented.

2.3. CertificatePair

      ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'X.509 Certificate Pair' )

A value of this syntax is an X.509 CertificatePair [X.509, clause 11.2.3].

Due to changes made to the definition of an X.509 CertificatePair through time, no LDAP-specific encoding is defined for this syntax.
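An added example (not part of RFC 4523) of a client-side check for the transfer rules in Sections 2.1 and 2.2: the attribute description must carry ;binary, and the value should be DER. It inspects only the outermost TLV header; the function names are illustrative and the byte strings are constructed samples, not real certificates.

```python
# Added example; names are illustrative, samples are constructed (not real certificates).
CERT_SYNTAX_ATTRS = {"usercertificate", "certificaterevocationlist"}  # named in 2.1 / 2.2

DER_SAMPLE = b"\x30\x03\x02\x01\x05"            # SEQUENCE { INTEGER 5 }, definite length
BER_SAMPLE = b"\x30\x80\x02\x01\x05\x00\x00"    # same content, indefinite length

def has_binary_option(attr_desc):
    """True if the attribute description carries the ;binary transfer option."""
    _attr_type, *options = attr_desc.split(";")
    return any(opt.lower() == "binary" for opt in options)

def der_outer_problem(value):
    """Return None if the outermost TLV is a DER SEQUENCE spanning the whole
    value, else a reason string. Inner elements are not inspected."""
    if len(value) < 2:
        return "too short"
    if value[0] != 0x30:
        return "outer tag is not SEQUENCE"
    first = value[1]
    if first == 0x80:
        return "indefinite length (BER, not DER)"
    if first < 0x80:                      # short form
        length, header = first, 2
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n > 4 or len(value) < 2 + n:   # 4-octet cap is an assumption of this sketch
            return "bad length field"
        length = int.from_bytes(value[2:2 + n], "big")
        if value[2] == 0 or length < 0x80:
            return "non-minimal length (not DER)"
        header = 2 + n
    if header + length != len(value):
        return "length does not match value size"
    return None

def check_transfer(attr_desc, value):
    """List of findings for one attribute value as sent or received over LDAP."""
    findings = []
    base = attr_desc.split(";")[0].lower()
    if base in CERT_SYNTAX_ATTRS and not has_binary_option(attr_desc):
        findings.append("missing ;binary")          # violates the MUST
    reason = der_outer_problem(value)
    if reason:
        findings.append(reason)                     # departs from the SHOULD
    return findings

if __name__ == "__main__":
    print(check_transfer("userCertificate;binary", DER_SAMPLE))   # []
    print(check_transfer("userCertificate", BER_SAMPLE))
```

A finding is something to log or reject, not to repair by re-encoding: the value is signed data and has to be stored and forwarded byte for byte.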