Network Working Group K. Zeilenga
Request for Comments: 4523 OpenLDAP Foundation
Obsoletes: 2252, 2256, 2587 June 2006
Category: Standards Track
Lightweight Directory Access Protocol (LDAP)
Schema Definitions for X.509 Certificates
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes schema for representing X.509 certificates,
X.521 security information, and related elements in directories
accessible using the Lightweight Directory Access Protocol (LDAP).
The LDAP definitions for these X.509 and X.521 schema elements
replace those provided in RFCs 2252 and 2256.
1. Introduction
This document provides LDAP [RFC4510] schema definitions [RFC4512]
for a subset of elements specified in X.509 [X.509] and X.521
[X.521], including attribute types for certificates, cross
certificate pairs, and certificate revocation lists; matching rules
to be used with these attribute types; and related object classes.
LDAP syntax definitions are also provided for associated assertion
and attribute values.
As the semantics of these elements are as defined in X.509 and X.521,
knowledge of X.509 and X.521 is necessary to make use of the LDAP
schema definitions provided herein.
This document, together with [RFC4510], obsoletes RFCs 2252 and 2256
in their entirety. The changes (in this document) made since RFC
2252 and RFC 2256 include:
- addition of pkiUser, pkiCA, and deltaCRL classes;
Zeilenga Standards Track [Page 1]RFC 4523 LDAP X.509 Schema June 2006
- update of attribute types to include equality matching rules in
accordance with their X.500 specifications;
- addition of certificate, certificate pair, certificate list,
and algorithm identifier matching rules; and
- addition of LDAP syntax for assertion syntaxes for these
matching rules.
This document obsoletes RFC 2587. The X.509 schema descriptions for
LDAPv2 [RFC1777] are Historic, as is LDAPv2 [RFC3494].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119].
Schema definitions are provided using LDAP description formats
[RFC4512]. Definitions provided here are formatted (line wrapped)
for readability.
2. Syntaxes
This section describes various syntaxes used in LDAP to transfer
certificates and related data types.
2.1. Certificate
( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'X.509 Certificate' )
A value of this syntax is an X.509 Certificate [X.509, clause 7].
Due to changes made to the definition of a Certificate through time,
no LDAP-specific encoding is defined for this syntax. Values of this
syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
[X.690] and MUST only be transferred using the ;binary transfer
option [RFC4522]; that is, by requesting and returning values using
attribute descriptions such as "userCertificate;binary".
As values of this syntax contain digitally signed data, values of
this syntax and the form of each value MUST be preserved as
presented.
2.2. CertificateList
( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'X.509 Certificate List' )
A value of this syntax is an X.509 CertificateList [X.509, clause
7.3].
Zeilenga Standards Track [Page 2]RFC 4523 LDAP X.509 Schema June 2006
Due to changes made to the definition of a CertificateList through
time, no LDAP-specific encoding is defined for this syntax. Values
of this syntax SHOULD be encoded using DER [X.690] and MUST only be
transferred using the ;binary transfer option [RFC4522]; that is, by
requesting and returning values using attribute descriptions such as
"certificateRevocationList;binary".
As values of this syntax contain digitally signed data, values of
datatracker.ietf.org