The following ASN.1 macro may (but need not) be used to define an object class:

    OBJECT-CLASS MACRO ::=
    BEGIN
    TYPE NOTATION ::= SubclassOf MandatoryAttributes OptionalAttributes
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    SubclassOf ::= "SUBCLASS OF" Subclasses | empty
    Subclasses ::= Subclass | Subclass "," Subclasses
    Subclass ::= value (OBJECT-CLASS)
    MandatoryAttributes ::= "MUST CONTAIN {" Attributes "}" | empty
    OptionalAttributes ::= "MAY CONTAIN {" Attributes "}" | empty
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
    END

The correspondence between the parts of the definition, as listed in 9.4.1, and the various pieces of the notation introduced by the macro, is as follows:
a) the object identifier assigned to the object class is the value supplied in the value assignment of the macro;
b) the superclasses of which this object class is a subclass are those identified by the SubclassOf production, i.e. those following "SUBCLASS OF";
c) the mandatory attributes are those identified by the list of object identifiers produced by the MandatoryAttributes production, i.e. those following "MUST CONTAIN";
d) the optional attributes are those identified by the list of object identifiers produced by the OptionalAttributes production, i.e. those following "MAY CONTAIN".

Note 1 - The object identifiers in c) and d) identify both individual attributes and sets of attributes (see 9.4.7). The effective list in both cases is the set union of these. If an attribute appears in both the mandatory set and the optional set, it shall be considered mandatory.

Note 2 - The macro is used in defining selected object classes in Recommendation X.521.

Should all of the pieces of notation introduced by the macro and described in b), c), and d) above be empty, the resulting notation ("OBJECT-CLASS") can be used to denote any possible object class.

9.4.7 An attribute set is a set of attributes identified by an object identifier. The definition of an attribute set involves:
a) assigning an object identifier to the set;
b) listing the object identifiers of the attributes and other attribute sets whose members together form the set.

The following ASN.1 macro may (but need not) be used to define a set of attributes for use with the OBJECT-CLASS macro:

    ATTRIBUTE-SET MACRO ::=
    BEGIN
    TYPE NOTATION ::= "CONTAINS {" Attributes "}" | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
    END

The correspondence between the parts of the definition of an attribute set and the notation introduced by the macro is as follows:
a) the object identifier assigned to the attribute set is the value supplied in the value assignment of the macro;
b) the set of attributes comprising the attribute set is that formed by the set union of the attributes and sets of attributes identified by the Attributes production, i.e. those following "CONTAINS".

Should the "empty" alternative of the notation be selected, the resulting notation ("ATTRIBUTE-SET") can be used to denote any possible attribute set.

9.4.8 The object classes previously mentioned are defined in 9.4.8.1 and 9.4.8.2.

Note - These are partial definitions: the object identifiers are actually allocated for these object classes in Recommendation X.521 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.

9.4.8.1 The object class "Top" is defined as follows:

    Top ::= OBJECT-CLASS
        MUST CONTAIN {objectClass}

9.4.8.2 The object class "Alias" is defined as follows:

    Alias ::= OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {aliasedObjectName}

Note 1 - The object class "Alias" does not specify appropriate attribute types for the RDN of an alias entry. Administrative Authorities may specify subclasses of the class "Alias" which specify useful attribute types for RDNs of alias entries (see Recommendation X.521).

Note 2 - Entries of a subclass of the class "Alias" are alias entries.

9.5 Attribute type definition

9.5.1 The definition of an attribute type involves:
a) assigning an object identifier to the attribute type;
b) indicating or defining the attribute syntax for the attribute type;
c) indicating whether an attribute of this type may have only one or may have more than one value (recur).

9.5.2 The Directory ensures that the indicated attribute syntax is used for every attribute of this type. The Directory also ensures that attributes of this type will have one and only one value in entries if attributes of this type are defined to have only one value.

9.5.3 The following ASN.1 macro may (but need not) be used to define an attribute type:

    ATTRIBUTE MACRO ::=
    BEGIN
    TYPE NOTATION ::= AttributeSyntax Multivalued | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    AttributeSyntax ::= "WITH ATTRIBUTE-SYNTAX" SyntaxChoice
    Multivalued ::= "SINGLE VALUE" | "MULTI VALUE" | empty
    SyntaxChoice ::= value (ATTRIBUTE-SYNTAX) Constraint | type MatchTypes
    Constraint ::= "(" ConstraintAlternative ")" | empty
    ConstraintAlternative ::= StringConstraint | IntegerConstraint
    StringConstraint ::= "SIZE" "(" SizeConstraint ")"
    SizeConstraint ::= SingleValue | Range
    SingleValue ::= value (INTEGER)
    Range ::= value (INTEGER) ".." value (INTEGER)
    IntegerConstraint ::= Range
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
    END

The correspondence between the parts of the definition, as listed in 9.5.1, and the various pieces of the notation introduced by the macro, is as follows:
a) the object identifier assigned to the attribute type is the value supplied in the value assignment of the macro;
b) the attribute syntax for the attribute type is that identified by the AttributeSyntax production. This either points to a separately defined attribute syntax, or explicitly gives an ASN.1 type together with its matching rules (the "type MatchTypes" alternative of SyntaxChoice); a size constraint for string types or a value range for an underlying integer type may optionally be indicated;
c) the attribute is single valued if the Multivalued production is "SINGLE VALUE", and may have one or more values if it is "MULTI VALUE" or empty.

Should the "empty" alternative of the type notation be selected, the resulting notation ("ATTRIBUTE") can be used to denote any possible attribute type.

Note - The macro is used in defining selected attribute types in Recommendation X.520.

9.5.4 The attribute types identified in 7.3.3 which are known to and used by the Directory for its own purposes are defined as follows:

    ObjectClass ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax

    AliasedObjectName ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
        SINGLE VALUE

Note 1 - These are partial definitions: the object identifiers are actually allocated for these attribute types in Recommendation X.520 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.

Note 2 - The attribute syntaxes referred to in these definitions are themselves defined in 9.6.5.

9.6 Attribute syntax definition

9.6.1 The definition of an attribute syntax involves:
a) optionally, assigning an object identifier to the attribute syntax;
b) indicating the data type, in ASN.1, of the attribute syntax;
c) defining appropriate rules for matching a presented value with a target attribute value held in the DIB. None, some, or all of the following matching rules may be defined for a particular attribute syntax:
  i) equality. Applicable to any attribute syntax. The presented value must conform to the data type of the attribute syntax;
  ii) substrings. Applicable to any attribute syntax with a string data type. The presented value must be a sequence ("SEQUENCE OF"), each of whose elements conforms to the data type of the attribute syntax;
  iii) ordering. Applicable to any attribute syntax for which a rule can be defined that will allow a presented value to be described as less than, equal to, or greater than a target value. The presented value must conform to the data type of the attribute syntax.

9.6.2 If no equality matching rule is defined, the Directory:
a) treats values of attributes of this attribute syntax as having type ANY, i.e. the Directory does not check that those values conform with the data type indicated for the attribute syntax;
b) will not attempt to match presented values against target values of such an attribute.

Note - It follows that the Directory will not permit such an attribute to be used in a distinguished name, nor allow for a specific value to be modified.

9.6.3 If an equality matching rule is defined, the Directory:
a) treats values of attributes of this attribute syntax as having the data type indicated for the attribute syntax;
b) will only match according to the matching rules defined for that attribute syntax;
c) will only match a presented value of a suitable data type as specified in 9.6.1 c).

9.6.4 The following ASN.1 macro may, but need not, be used to define attribute syntaxes:

    ATTRIBUTE-SYNTAX MACRO ::=
    BEGIN
    TYPE NOTATION ::= Syntax MatchTypes | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Syntax ::= type
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
    END

The correspondence between the parts of the definition, as listed in 9.6.1, and the various pieces of the notation introduced by the macro, is as follows:
a) the object identifier assigned to the attribute syntax is the value supplied in the value assignment of the macro;
b) the data type of the attribute syntax is that identified by the Syntax production, i.e. the ASN.1 type;
c) the matching rules defined for the attribute syntax are those of "EQUALITY", "SUBSTRINGS" and "ORDERING" which appear in the MatchTypes production. If the production is empty, then no matching rules are defined.

Should the "empty" alternative of the notation be selected, the resulting notation ("ATTRIBUTE-SYNTAX") can be used to denote any possible attribute syntax.

Note 1 - No support is provided in the macro for actually defining the matching rules themselves: this must be done by natural language or by other means.

Note 2 - The macro is used in defining selected attribute syntaxes in Recommendation X.520.

9.6.5 The attribute syntaxes used in 9.5.4 are defined in 9.6.5.1 and 9.6.5.2.

Note - These are partial definitions: the object identifiers are actually allocated for these attribute syntaxes in Recommendation X.520 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.

9.6.5.1 ObjectIdentifierSyntax is defined as follows:

    ObjectIdentifierSyntax ::= ATTRIBUTE-SYNTAX
        OBJECT IDENTIFIER
        MATCHES FOR EQUALITY

The matching rule for equality is inherent in the definition of the ASN.1 type object identifier.

9.6.5.2 DistinguishedNameSyntax is defined as follows:

    DistinguishedNameSyntax ::= ATTRIBUTE-SYNTAX
        DistinguishedName
        MATCHES FOR EQUALITY

A presented distinguished name value is equal to a target distinguished name value if and only if all of the following are true:
a) the number of RDNs in each is the same;
b) corresponding RDNs have the same number of AVAs;
c) corresponding AVAs (i.e. those with identical attribute types) have attribute values which match for equality (in such a match, the attribute values take the same roles - i.e. as presented or target value - as the distinguished name which contains them does in the overall match).
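The three conditions of 9.6.5.2, together with the 9.6.2 rule that a syntax without an equality matching rule is never matched, as an added worked example (this is not text or code from X.501). The registry mapping attribute types to syntaxes, the "caseIgnoreStringSyntax" and "opaqueSyntax" syntaxes, and the sample names are constructed for the example; X.501 identifies attribute types by object identifier, and short labels are used here only for readability.

```python
"""Distinguished-name equality matching as specified in 9.6.5.2.

Added example; not text or code from X.501.  The attribute-type registry and the
string and opaque syntaxes below are constructed for the example.
"""
from typing import Callable, Dict, List, Optional, Tuple

AVA = Tuple[str, object]        # AttributeValueAssertion: (attribute type, value)
RDN = List[AVA]                 # RelativeDistinguishedName: SET OF AVA, order irrelevant
DistinguishedName = List[RDN]   # RDNSequence, root first


class NoEqualityRule(Exception):
    """9.6.2: values of a syntax with no equality rule are never matched, so such an
    attribute cannot appear in a distinguished name."""


def oid_equal(presented: str, target: str) -> bool:
    # 9.6.5.1: equality is inherent in OBJECT IDENTIFIER; compare arc by arc so that
    # "2.5.4.3" and "2.05.4.3" (same arcs, different spelling) are equal.
    def arcs(s: str):
        return tuple(int(a) for a in s.split("."))
    return arcs(presented) == arcs(target)


def case_ignore_equal(presented: str, target: str) -> bool:
    # Hypothetical string syntax for this example: case and insignificant blanks are
    # ignored.  Not defined on this page.
    def norm(s: str) -> str:
        return " ".join(s.split()).casefold()
    return norm(presented) == norm(target)


# Equality matching rule per attribute syntax; None = no equality rule defined (9.6.2).
EQUALITY_RULES: Dict[str, Optional[Callable[[object, object], bool]]] = {
    "objectIdentifierSyntax": oid_equal,
    "distinguishedNameSyntax": lambda p, t: dn_equal(p, t),  # recursive, 9.6.5.2
    "caseIgnoreStringSyntax": case_ignore_equal,              # hypothetical
    "opaqueSyntax": None,                                     # hypothetical
}

# Attribute type -> attribute syntax (constructed registry).
ATTRIBUTE_SYNTAX: Dict[str, str] = {
    "objectClass": "objectIdentifierSyntax",
    "aliasedObjectName": "distinguishedNameSyntax",
    "C": "caseIgnoreStringSyntax", "L": "caseIgnoreStringSyntax",
    "O": "caseIgnoreStringSyntax", "OU": "caseIgnoreStringSyntax",
    "CN": "caseIgnoreStringSyntax",
    "photo": "opaqueSyntax",
}


def ava_equal(presented: AVA, target: AVA) -> bool:
    """Match one AVA against another under the equality rule of the type's syntax."""
    ptype, pvalue = presented
    ttype, tvalue = target
    if ptype != ttype:
        return False
    rule = EQUALITY_RULES[ATTRIBUTE_SYNTAX[ptype]]
    if rule is None:
        raise NoEqualityRule(ptype)
    return rule(pvalue, tvalue)


def rdn_equal(presented: RDN, target: RDN) -> bool:
    """b) same number of AVAs; c) each presented AVA matches the target AVA of
    identical type.  An RDN is a SET, so AVA order is irrelevant."""
    if len(presented) != len(target):
        return False
    for pava in presented:
        candidates = [tava for tava in target if tava[0] == pava[0]]
        if len(candidates) != 1 or not ava_equal(pava, candidates[0]):
            return False
    return True


def dn_equal(presented: DistinguishedName, target: DistinguishedName) -> bool:
    """a) same number of RDNs, and b)/c) hold for every pair of corresponding RDNs."""
    if len(presented) != len(target):
        return False
    return all(rdn_equal(p, t) for p, t in zip(presented, target))


# Constructed sample: the Osaka branch name from Annex E, spelled two ways.
OSAKA = [[("C", "Japan")], [("L", "Osaka")], [("O", "ABC")], [("OU", "Osaka-branch")]]
OSAKA_VARIANT = [[("C", "JAPAN")], [("L", " osaka ")], [("O", "abc")],
                 [("OU", "OSAKA-BRANCH")]]
```

The point a practitioner should take from this: whether two names are "the same" is decided entirely by the equality rules of the attribute syntaxes involved, not by byte comparison of the encoded names, so an access-control or authorization check that compares distinguished names any other way will disagree with the Directory itself.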
SECTION 3 - Security model

10 Security

10.1 The Directory exists in an environment where various authorities provide access to their fragment of the DIB. Such access shall be in conformance to the security policy (see Recommendation X.509) of the security domain in which the fragment of the DIB exists.

10.2 Two specific components of a security policy are addressed here:
a) the definition of an authorization policy;
b) the definition of an authentication policy.

10.3 The definition of authorization in the context of the Directory includes the methods to:
a) specify access rights;
b) enforce access rights (access control);
c) maintain access rights.

10.4 The definition of authentication in the context of the Directory includes the methods to verify:
a) the identity of DSAs and directory users;
b) the identity of the origin of received information at an access point.
The integrity of received information is a local matter and shall be in conformance to the security policy in force.

10.5 This Recommendation does not define a Security Policy.

10.6 Annex F describes guidelines for specifying access rights.

10.7 Recommendation X.509 defines authentication procedures. The DAP and DSP may provide strong authentication of the initiator and data integrity of the request by the signing of the request, and strong authentication of the responder and data integrity of the result by the signing of the result. The DAP may provide simple authentication between a DUA and a DSA.
The DSP may dDO0provide simple authentication between two DSAs.0ewh c10.8Administrative authorities of applications which make use of the Directory can use their own cyOesecurity policy. The directory can support applications by holding authentication information (e.g. eyOedistinguished names, passwords, certificates) about communication entities. This is further describedeThe mathematics of trees&@ achB.This Annex is not part of the standard..tesl4H& X ynteA tree is a set of points, called wverticesw, and a set of directed lines, called warcsw; each (%!&%!uJ 3.arc a leads from a vertex V to a vertex Vw'w.) !ynedeFor example, the tree in the Figure has seven vertices,eb >labelled V1 through V7, and six arcs, labelled a1 through a6.   !e :""l4H&Two vertices V and Vw'w !!# e are said to be the winitialw and wfinalw vertices, respectively, of an 1%!%!u2$$tesarc a from V to Vw'w. !~#bFor example, V eexample, arcs a1 and a3 have the same initial vertex, V1, but no two arcs in the Figure have the same -y"R*t1final vertex.POdThe vertex that is not the final vertex of any arc is often referred to as the wrootw vertex, U%! ~xned`or even more informally as the "root" of the tree. For example, in the Figure, V1 is the root.Q  eA vertex that is not the initial vyntcvertex of arc^ak is also the initial vertex of arc ak+1 for 1^ww^k^<^n. For example, the oriented $"~pe \path from vertex V1 to vertex V6 is the set of arcs (a3,^a4,^a5). The term "path" should be  z  ial vertex of arc ak+1 for 1^ww^k^<^n. For example, the $ pe \path from vertex V1 to vertex V6 is the set of arcs (a3,^a4,^a5). The term "path" should be  )TbRe`^BLTT TTT;TATKTZTbRe`^BLTT TTT;TATKTZTbRe^BLTT TTT9T;TATKTZTbRe^BLTT TTT8T;TATKTZTbRe4P޾wNote^1w - The object identifiers in c) and d) identify both individual attributes and sets of %!W}y eattributes (see ^9dX% 2R ;T D%O[en~  yntthe X*Dbe understood to denote an oyntcvertex of arc^ak is also the initial vertex of arc ak+1 for 1^ww^k^<^n. 
For example, $ !"1yntethe oriented path from vertex V1 to vertex V6 is the set of arcs (a3,^a4,^a5). The term "path" should qX*Dbe understood to denote an oriented path from the root to a vertex.Dtorpe O(to Recommendation X.501)?GR*t133Vpe >Object identifier usage&@ e> *This Annex is part of the standard.*OvObThis Annex documents the upper reaches of the object identifier subtree in which all of the bvObobject identifiers assigned in this series of Recommendations reside. It does so by providing an bxO`ASN.1 module called "UsefulDefinitions" in which all non-leaf nodes in the subtree are assigned @: names. cabX <UsefulDefinitions{joint-iso-ccitt ds(5) modules(1)@@!H0usefulDefinitions(0)}@2torDEFINITIONS^::=@ @t:@:@=@yusefulDefinitions(0)}@'torDEFINITIONS@ d t:@:@=@$  BEGIN@ &cabEXPORTS@}  emodule, serviceElement, applicationContext, attributeType, attributeSyntax, objectClass,  @YL ach4algorithm, abstractSyntax, attributeSet, @(tesg torOusefulDefinitions, informationFramework, directoryAbstractService,  @Cs d t[directoryObjectIdentifiers, algorithmObjectIdentifiers, distributedOperations,  @On h pVprotocolObjectIdentifiers, selectedAttributeTypes, selectedObjectClasses,  @J distributedOperations, @Onk h pUprotocolObjectIdentifiers, selectedAttributeTypes, selectedObjectClasses, @JqI e.1authenticationFramework, upperBounds, @%shedNameSyntax; @0 & eIMPORTS@Q 9selectedAttributeTypes, selectedObjectClasses @-jNFROMUsefulDefinitions {joint-iso-ccitt ds(5) modules(1)@@3Hh 0usefulDefinitions(0)}@' top @Y AFROM SelectedObjectClasses selectedObjectClasses@0s cab7attributeSetOBJECT IDENTIFIER ::=^{ds 7}@ @@W 7algorithmOBJECT IDENTIFIER ::=^{ds 8}@ @@W7abstractSyntaxOBJECT IDENTIFIER ::=^{ds 9}@@@Xd t8objectOBJECT IDENTIFIER ::=^{ds 10}@@@Xach8portOBJECT IDENTIFIER ::=^{ds 11}@@@h 6PO-- wmodulesw --@%@pO\ detect A Allows the protected item to be detected. \pR*t1\ \p \ compare A Allows a presented value to be compared to the protected item. 
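The definitions of this Annex carried into working code, as an added example (not text or code from X.501). The arcs are reconstructed from the prose above: a1 and a3 leave V1, a2 runs from V2 to V3, the oriented path from V1 to V6 is (a3, a4, a5), and V3, V6 and V7 are leaves. The Figure itself is not reproduced on this page, so the initial vertex of a6 (taken here as V5) is an assumption. The code also checks the two structural constraints the Annex states, that no two arcs share a final vertex and that exactly one vertex is the final vertex of no arc, and additionally that every vertex is reachable from the root, which those two checks alone would not rule out.

```python
"""Trees as defined in Annex B: vertices, arcs, root, leaves and oriented paths.

Added example; not text or code from X.501.  FIGURE_B is reconstructed from the
Annex's prose; a6 = V5 -> V7 is an assumption.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Arcs = Dict[str, Tuple[str, str]]   # arc name -> (initial vertex, final vertex)

FIGURE_B: Arcs = {
    "a1": ("V1", "V2"), "a2": ("V2", "V3"), "a3": ("V1", "V4"),
    "a4": ("V4", "V5"), "a5": ("V5", "V6"), "a6": ("V5", "V7"),  # a6 assumed
}


def vertices(arcs: Arcs) -> Set[str]:
    return {v for pair in arcs.values() for v in pair}


def root(arcs: Arcs) -> str:
    """Validate the tree and return its root.

    Annex B requires that no two arcs share a final vertex and that exactly one
    vertex (the root) is the final vertex of no arc.  Every other vertex must also
    be reachable from the root; this rules out a detached cycle, which satisfies the
    first two conditions but is not part of a tree."""
    finals = [final for _, final in arcs.values()]
    shared = sorted({v for v in finals if finals.count(v) > 1})
    if shared:
        raise ValueError(f"two arcs end at the same vertex: {shared}")
    roots = sorted(vertices(arcs) - set(finals))
    if len(roots) != 1:
        raise ValueError(f"a tree has exactly one root, found {roots}")
    reached, queue = {roots[0]}, deque([roots[0]])
    while queue:
        v = queue.popleft()
        for initial, final in arcs.values():
            if initial == v and final not in reached:
                reached.add(final)
                queue.append(final)
    if reached != vertices(arcs):
        raise ValueError(f"not reachable from the root: {sorted(vertices(arcs) - reached)}")
    return roots[0]


def leaves(arcs: Arcs) -> List[str]:
    """Vertices that are the initial vertex of no arc."""
    initials = {initial for initial, _ in arcs.values()}
    return sorted(vertices(arcs) - initials)


def oriented_path(arcs: Arcs, start: str, end: str) -> Optional[List[str]]:
    """Arcs (a1, ..., an) from start to end with the final vertex of ak equal to the
    initial vertex of ak+1, or None if no such path exists.  Because each vertex has
    at most one incoming arc, walking back from `end` finds the unique path."""
    incoming = {final: (name, initial) for name, (initial, final) in arcs.items()}
    path: List[str] = []
    v = end
    while v != start:
        # A walk longer than the number of arcs means we are going round a cycle.
        if v not in incoming or len(path) == len(arcs):
            return None
        name, v = incoming[v]
        path.append(name)
    return path[::-1]


def path(arcs: Arcs, vertex: str) -> List[str]:
    """Unqualified "path" in Annex B: the oriented path from the root to `vertex`."""
    found = oriented_path(arcs, root(arcs), vertex)
    if found is None:
        raise ValueError(f"{vertex} is not a vertex of the tree")
    return found
```

The uniqueness of the root-to-vertex path is what makes a distinguished name unambiguous in the DIT: the name of an entry is the sequence of RDNs along that one path, so two distinct entries cannot have the same name.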
ANNEX C
(to Recommendation X.501)

Object identifier usage

This Annex is part of the standard.

This Annex documents the upper reaches of the object identifier subtree in which all of the object identifiers assigned in this series of Recommendations reside. It does so by providing an ASN.1 module called "UsefulDefinitions" in which all non-leaf nodes in the subtree are assigned names.

    UsefulDefinitions {joint-iso-ccitt ds(5) modules(1) usefulDefinitions(0)}
    DEFINITIONS ::=
    BEGIN
    EXPORTS
        module, serviceElement, applicationContext, attributeType, attributeSyntax,
        objectClass, algorithm, abstractSyntax, attributeSet,
        usefulDefinitions, informationFramework, directoryAbstractService,
        directoryObjectIdentifiers, algorithmObjectIdentifiers, distributedOperations,
        protocolObjectIdentifiers, selectedAttributeTypes, selectedObjectClasses,
        authenticationFramework, upperBounds, ...;

    ds OBJECT IDENTIFIER ::= {joint-iso-ccitt ds(5)}

    -- categories of information object --
    module OBJECT IDENTIFIER ::= {ds 1}
    serviceElement OBJECT IDENTIFIER ::= {ds 2}
    applicationContext OBJECT IDENTIFIER ::= {ds 3}
    attributeType OBJECT IDENTIFIER ::= {ds 4}
    attributeSyntax OBJECT IDENTIFIER ::= {ds 5}
    objectClass OBJECT IDENTIFIER ::= {ds 6}
    attributeSet OBJECT IDENTIFIER ::= {ds 7}
    algorithm OBJECT IDENTIFIER ::= {ds 8}
    abstractSyntax OBJECT IDENTIFIER ::= {ds 9}
    object OBJECT IDENTIFIER ::= {ds 10}
    port OBJECT IDENTIFIER ::= {ds 11}

    -- modules --
    usefulDefinitions OBJECT IDENTIFIER ::= {module 0}
    informationFramework OBJECT IDENTIFIER ::= {module 1}
    directoryAbstractService OBJECT IDENTIFIER ::= {module 2}
    distributedOperations OBJECT IDENTIFIER ::= {module 3}
    protocolObjectIdentifiers OBJECT IDENTIFIER ::= {module 4}
    selectedAttributeTypes OBJECT IDENTIFIER ::= {module 5}
    selectedObjectClasses OBJECT IDENTIFIER ::= {module 6}
    authenticationFramework OBJECT IDENTIFIER ::= {module 7}
    algorithmObjectIdentifiers OBJECT IDENTIFIER ::= {module 8}
    directoryObjectIdentifiers OBJECT IDENTIFIER ::= {module 9}
    upperBounds OBJECT IDENTIFIER ::= {module 10}
    dap OBJECT IDENTIFIER ::= {module 11}
    dsp OBJECT IDENTIFIER ::= {module 12}
    distributedDirectoryObjectIdentifiers OBJECT IDENTIFIER ::= {module 13}

    -- synonyms --
    id-ac OBJECT IDENTIFIER ::= applicationContext
    id-ase OBJECT IDENTIFIER ::= serviceElement
    id-as OBJECT IDENTIFIER ::= abstractSyntax
    id-ot OBJECT IDENTIFIER ::= object
    id-pt OBJECT IDENTIFIER ::= port

    END

Fascicle VIII.8 - Rec. X.501

The information framework of this Recommendation is collected in the following ASN.1 module:

    InformationFramework {joint-iso-ccitt ds(5) modules(1) informationFramework(1)}
    DEFINITIONS ::=
    BEGIN
    EXPORTS
        Attribute, AttributeType, AttributeValue, AttributeValueAssertion,
        DistinguishedName, Name, RelativeDistinguishedName,
        OBJECT-CLASS, ATTRIBUTE, ATTRIBUTE-SET, ATTRIBUTE-SYNTAX,
        Top, Alias,
        ObjectClass, AliasedObjectName,
        ObjectIdentifierSyntax, DistinguishedNameSyntax;

    -- attributes and names --
    Attribute ::= SEQUENCE {
        type AttributeType,
        values SET OF AttributeValue -- at least one value is required -- }
    AttributeType ::= OBJECT IDENTIFIER
    AttributeValue ::= ANY
    AttributeValueAssertion ::= SEQUENCE {AttributeType, AttributeValue}
    Name ::= CHOICE { -- only one possibility for now -- RDNSequence}
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    DistinguishedName ::= RDNSequence
    RelativeDistinguishedName ::= SET OF AttributeValueAssertion

    -- macros --
    OBJECT-CLASS MACRO ::=
    BEGIN
    TYPE NOTATION ::= SubclassOf MandatoryAttributes OptionalAttributes
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    SubclassOf ::= "SUBCLASS OF" Subclasses | empty
    Subclasses ::= Subclass | Subclass "," Subclasses
    Subclass ::= value (OBJECT-CLASS)
    MandatoryAttributes ::= "MUST CONTAIN {" Attributes "}" | empty
    OptionalAttributes ::= "MAY CONTAIN {" Attributes "}" | empty
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
    END

    ATTRIBUTE-SET MACRO ::=
    BEGIN
    TYPE NOTATION ::= "CONTAINS {" Attributes "}" | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
    END

    ATTRIBUTE MACRO ::=
    BEGIN
    TYPE NOTATION ::= AttributeSyntax Multivalued | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    AttributeSyntax ::= "WITH ATTRIBUTE-SYNTAX" SyntaxChoice
    Multivalued ::= "SINGLE VALUE" | "MULTI VALUE" | empty
    SyntaxChoice ::= value (ATTRIBUTE-SYNTAX) Constraint | type MatchTypes
    Constraint ::= "(" ConstraintAlternative ")" | empty
    ConstraintAlternative ::= StringConstraint | IntegerConstraint
    StringConstraint ::= "SIZE" "(" SizeConstraint ")"
    SizeConstraint ::= SingleValue | Range
    SingleValue ::= value (INTEGER)
    Range ::= value (INTEGER) ".." value (INTEGER)
    IntegerConstraint ::= Range
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
    END

    ATTRIBUTE-SYNTAX MACRO ::=
    BEGIN
    TYPE NOTATION ::= Syntax MatchTypes | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Syntax ::= type
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
    END

    -- object classes --
    Top ::= OBJECT-CLASS
        MUST CONTAIN {objectClass}
    Alias ::= OBJECT-CLASS
        SUBCLASS OF top
        MUST CONTAIN {aliasedObjectName}

    -- attribute types --
    ObjectClass ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax
    AliasedObjectName ::= ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
        SINGLE VALUE

    -- attribute syntaxes --
    ObjectIdentifierSyntax ::= ATTRIBUTE-SYNTAX
        OBJECT IDENTIFIER
        MATCHES FOR EQUALITY
    DistinguishedNameSyntax ::= ATTRIBUTE-SYNTAX
        DistinguishedName
        MATCHES FOR EQUALITY

    END

ANNEX D
(to Recommendation X.501)

Alphabetical index of definitions

The following terms are defined in this Recommendation (page references are not reproduced here):
alias entry
attribute
attribute type
Directory name
Directory schema
Directory System Agent (DSA)
entry
immediate(ly) subordinate
object entry
Private Directory Management Domain
purported name
superior
ANNEX E
(to Recommendation X.501)

... DIT, this means that arbitrary variety in names is possible. This section suggests criteria to be considered in the design of names. The appropriate criteria have been used in the design of the recommended name forms which are to be found in Recommendation X.521. It is suggested that the criteria also be used, where appropriate, in designing the names for objects to which the recommended name forms do not apply.

Presently, only one criterion is addressed: that of user-friendliness.

Note - Not all names need to be user-friendly.

E.1 User-friendliness

Names with which human beings must deal directly should be user-friendly. A user-friendly name is one that takes the human user's point of view, not the computer's. It is one that is easy for people to deduce, remember, and understand, rather than one that is easy for computers to interpret.

The goal of user-friendliness can be stated somewhat more precisely in terms of the following two principles:
- A human being usually should be able to correctly guess an object's user-friendly name on the basis of information about the object that he naturally possesses. For example, one should be able to guess a business person's name given only the information about her casually acquired through normal business association.
- When an object's name is ambiguously specified, the Directory should recognize the fact rather than conclude that the name identifies one particular object. For example, where two people have the same last name, the last name alone should be considered inadequate identification of either party.

The following subgoals follow from the goal of user-friendliness:
a) Names should not artificially remove natural ambiguities. For example, if two people share the last name "Jones", neither should be required to answer to "WJones" or "Jones2". Instead, the naming convention should provide a user-friendly means of discriminating between the entities. For example, it might require first name and middle initial in addition to last name.
b) Names should admit common abbreviations and common variations in spelling. For example, if one is employed by the Conway Steel Corporation and the name of one's employer figures in one's name, any of the names "Conway Steel Corporation", "Conway Steel Corp.", "Conway Steel", and "CSC" should suffice to identify the organization in question.
c) In certain cases, alias names can be used to direct the search for a particular entry, in order to be more user-friendly, or to reduce the scope of a search. The following example demonstrates the use of an alias name for such a purpose: as shown in Figure E-1/X.501, the branch office in Osaka can also be identified with the name {C = Japan, L = Osaka, O = ABC, OU = Osaka-branch}.
d) If names are multi-part, both the number of mandatory parts and the number of optional parts should be relatively small and thus easy to remember.
e) If names are multi-part, the precise order in which those parts appear should generally be immaterial.
f) User-friendly names should not involve computer addresses.

ANNEX F
(to Recommendation X.501)

Access control

This Annex is not part of the standard.

F.1 Introduction

Directory users are granted access to the information in the DIB on the basis of their access control rights in accordance with the access control policy in force protecting that information.

Access control is left as a local matter in this series of Recommendations. However, it is recognized that implementations will need to introduce means of controlling access and that future versions of this series of Recommendations are likely to define standardized means of creating, maintaining and applying access control information.
This Annex describes the principles underlying e\Haccess control, and outlines two possible approaches to access control.He l4H&/l4H&F.2wPrinciplesw% !l4H&yd teThe two principles that will guide the establishment of procedures for managing access control e 3are:p R*t1\a)there must be means of protecting information in the Directory from unauthorized \x pe ddetection, examination, and modification, including protecting the DIT from unauthorized d- 4H&modification;y  eeb)the information required to determine a user's rights to perform a given operation must beev  bavailable to the DSA(s) involved in performing the operation in order to avoid further bS O?remote operations solely to determine these rights.?Oh 4nedF.3wProtected itemsw%!  O ;These levels of protection are presently identified:; K 7a)protection of an entire subtree of the DIT;7 B.b)protection of an individual entry;. RO>c)protection of an entire attribute within an entry;>abU Ad)protection of selected instances of attribute values.Ae6d tF.4wAccess categoriesw%! d ttd t`A need for at least five categories of access is envisaged. If access is not granted to a `ype eprotected item in any category, then the directory in so far as is possible responds as though their e9pe %protected item did not exist at all.%pe vbThe categories of access are shown in Table F-1/X.501. The items column denotes whether the bbONitem that can be so protected is an entry (E), an attribute (A) or both (EA).N 5The categories of access are shown in Table F-15Oitem ] 3Ithat can be so protected is an entry (E), an attribute (A) or both (EA).I: N:TABLE F-1/X.501:GR*t133S pe ;Access categories)@l`H&w pe es tT pe @flag specifying that the entire subtree is included.@pe y pe eb)The sets give only a capability, and implicitly include all users having that capability. ex pe dThis scheme requires that such users' capability be available locally or else carried in dt  `the BIND or operation argument. 
The latter may require an extension to the currently `u pe aa)The sets are described in terms of the distinguished names of the users they identify ay pe e^either the distinguished name of the user or the distinguished name of a superior with ae v pe ba)The sets are described in terms of the distinguished names of the users they identify -by pe e^either the distinguished name of the user or the distinguished name of a superior with aepe access categories.pe pR*t1\Determining if a user is in one (or more) of the noted sets must be possible from the \yeinformation supplied with the request - either from the authenticated identity and credentials of theeed tQuser as supplied in BIND, or from information carried in the operation argument.Qpe <pe (There at least two possibilities:(pe ,3pd t\Ŀ\p\ Cadd tP Ppned\ Category Items Description \pR*t1\Ĵ\ the protected item to be read. \p \ \p e\ modify A Allows the protected item to be updated. \pO\ \ph \ add/delete EA Allows the creation and deletion of new components (atK the creation and deletion of, entries which are immediately Sp\ subordinate to the protected entry. \pO\\ h E%O naming E~entry.H, entries which are immediately subordinate to the protected entry.S9 R*t1w! R*t1w!@ @@ected entry.UhOjR*t1lR*t1>P (CP@ e'F.5wDetermination of access rightsw%!ightswhich are immediately subordinate to ei@ U e> e&F.5wDetermination of access rights%;Y DEFINED BY the O@M 9data type indicated for the attribute syntax;9 r ab^b)will only match according to the matching rules defined for that attribute syntax;^chu tesac)will only match a presented value of a suitable data type as specified in ^9.6.1^c).ape md tY9.6.4The following ASN.1 macro may, but need not, be used to define attribute sy8 or$assignment of the macro;$Pe {P  tcb)the data type of the attribute syntax is that identified by the Syntax production, i.e. 
K@:  p&that following macro name;&.v ynt\c)the defined matching rules are equality, if "EQUALITY" appears in the MatchTypes 8@@   3cproduction, substrings if "SUBSTRINGS" appears, and ordering if "Otion framework in ASN.1#@cab >d t*This Annex is part of the standard.*d tytoreThis Annex provides a summary of all of the ASN.1 type, value, and macro definitions contained eo Win this Recommendation. The definitions form the ASN.1 module "InformationFramework".@@l4H&Rl4H&PĬ-Oin Recommendation^X.509.tes X l4H&nedJ 6ANNEX A6G 33S ?(to Recommendation X.501)?G33W ?!@ s OusefulDefinitionsOBJECT IDENTIFIER^::=^{module 0}@@@@ scabOinformationFrameworkOBJECT IDENTIFIER^::=^{module 1}@@@@ s OdirectoryAbstractServiceOBJECT IDENTIFIER^::=^{module 2}@@@@ sachOdistributedOperationsOBJECT IDENTIFIER^::=^{module 3}@@@@ "O END@ OO9O#O END@ &    O,id-otOBJECT IDENTIFIER ::= objet@@GO+id-ptOBJECT IDENTIFIER ::= port@@O"O END@O d+ yntdap,dsp @ 3G/id-ac, id-ase, id-as, id-ot, id-pt; @#R*t1`pe DdsOBJECT IDENTIFIER ::= {joint-iso-ccitt ds(5)}@ @.l4H&P0-- wcategories of information objectw -- @%@ !@ eW 7module OBJECT IDENTIFIER ::=^{ds 1}@@@WO7ed@ -- wnaming data typesw --@%@!@ qOGName::=CHOICE {-- wonly one possibility for noww --@ @@ %@!@ DO,RDNSequence}@ OUned5RDNSequence::=SEQUENCE OF@ @@ ` HRelativeDistinguishedNa@ @@k KMatch::="EQUALITY" | "SUBSTRINGS" | "ORDERING" @@@&e"  END@e e= -- wobject classesw --@%@!@OG 'Top::=OBJECT-CLASS@@@ Vab:MUST CONTAIN^{objectClass}@ @ TNTAX objectIdentifierSyntax@,OFO&AliasedObjectName^::=^ATTRIBUTE@@@ iOMWITH ATTRIBUTE-SYNTAX^distinguishedNameSyntax@@D ,SINGLE VALUE@  A!-- wattribute syntaxesw --@%@!@ 9O!ObjectIdentifier BO.This Annex is not part of the standard..nedy eThis Annex alphabetically lists all of the terms defined in this Recommendation together with aeH 4cross reference to the ^in which they are defined.4bh NAaccess point  5NEerence to the ^in which they are defined.4Ocab33Sd t?(to Recommendation X.501)?G 33Gh 33G 333U=Name design 
criteria(@pe Oh O;FIGURE E-1/X.501;Gh 33S ;Aliasing example*@Ocab  e h D0FIGURE E.1/X.5010 cpe ;n argument. The latter may require an extension to the NÛ2 pe defined protocols..,e, BIND or operation argument. The latterP1pe currently defined protocols.ntly defined protocols.=pe O  R*t1pe l4H&~d thR*t1R*t1  eF.5ation of access rights%pe tD 9 e%F.5Determination of access rights%,yl4H&eOne scheme for managing access control associates with every protected item, either explicitelyeyR*t1eor implicitely, a list of access rights. Each item in such a list pairs a set of users with a set ofe'parately defined attribute syntax, or explicitly 8defines an attribute syntax by giving its ASN.1 type and matching rules (^see^9.6). If aet  `separately identified attribute syntax is em y  edefines an attribute syntax by giving its ASN.1 type and matching rules (see^^9.6). If aet  `separately identified attribute syntax is employed, a size constraint for underlying `y  NDthe Directory  5NV`@w .......................................... ?dONwDirectory entry  6!MV ` @w ......................................... ?dONwDirectory Information Base (DIB)  6!MC6V ` @Syntax ::=@4 ATTRIBUTE-SYNTAX @5cabOBJECT IDENTIFIER @8  MATCHES FOR EQUALITY @e: "DistinguishedNameSyntax ::=@4ATTRIBUTE-SYNTAX @5h DistinguishedName @8  MATCHES FOR EQUALITY @O"  END@J[objectIdentifierSyntax, distinguishedNameSyntax, objectClass, aliasedObjectName @O\ DFROM SelectedAttributeTypes selectedAttributeTypes;@3EP t#-- wattribute data typesw --@%@!@OJtor.Attribute::= SEQUENCE{@ @` Dtype^^^AttributeType)@ @ ^ eF::= "MATCHES FOR" Matches | empty@ @! R 6Matches::= Match Matches | Match@@ X <Match::= "EQUALITY" | "SUBSTRINGS" |@@|@GS"|@ atchTypes::= "MATCHES FOR" Matches |@ @ emptFS 9Match::= "EQUALITY" | "SUBSTRINGS"@ TKTZTb  more informally, as a "leaf" of the tree graph. For example, vertices V3, V6, and V7X{  are leaves. ^B e.This Annex is not part of the standard.. 
uOaThe information framework is very general, and allows for arbitrary variety of entries and awOcattributes within the DIT. Since, as defined there, names are closely related to paths througV`@w ......................................... ?dONwattribute value 7!MV` 3@w ......................................... ?d Nwattribute value assertion 7!MV` 3@w ................................. ?*t1w!b ............................ ?d NwDirectory User Agent (DUA)  5!MVn`ed@w ............................. ?d Nwdistinguished name  8!MVn`ed@w ..................................... ?d NwDIT Structure Rule V ` @w ......................... ?dONwDirectory Information Tree (DIT)  6!MV ` @w ......................... ?dnedNwDirectory Management Domain (DMD)  5!MVn`ed@w ..................... ?d NwDir................... ?d Nwimmediate(ly) superior  6!MVd` t@w .................................. ?edw!b NNname  8NVp`e @w ................................................ ?d Nwnaming authority  8!MV`O@w ....................................... ?ew!b NRrelative distinguished name  8NV ` @w .............................. ?w!bh NSsubordinate  6N:w .......................V`@w ........................................... ?dNwAdministration Directory Management Domain 5!MV`@w .............. ?dR*t1Nwalias 8!MVl`H&@w ................................................. ?dpe Nwali  8!MV`@w ....................................... ? w!bNOobject (of interest)  6NV `e@w ..................................... ?dONwobject class  6!MV`@w ..................................(n^ww^1) such that V is the initial vertex of arc^a1, Vw'w !. !|*Odis the final vertex of arc^an, and the final Syntevertex of|*Odis the final vertex of arc^an, and the final SdzyntVvertex of arc^ak is also the initial vertex of arc ak+1 for 1^ww^k^<^n. For example, $ ! S`BO,#"!& '($) +-./0123456789:;<=>?h@AC]DEFGI%KLMNPQHRSTVWa*YZ[\c^i_bdegfjklmXnopqrstuvwxyz{|}~JU