Fascicle VIII.8 Rec. X.501

The drawings contained in this Recommendation have been done in AUTOCAD.

    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    SubclassOf ::= "SUBCLASS OF" Subclasses | empty
    Subclasses ::= Subclass | Subclass "," Subclasses
    Subclass ::= value (OBJECT-CLASS)
    MandatoryAttributes ::= "MUST CONTAIN {" Attributes "}" | empty
    OptionalAttributes ::= "MAY CONTAIN {" Attributes "}" | empty
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
END

The correspondence between the parts of the definition, as listed in 9.4.1, and the various pieces of the notation introduced by the macro, is as follows:

a) the object identifier of the object class is the value supplied in the value assignment of the macro;
b) the superclasses of which this object class is a subclass are those identified by the SubclassOf production, i.e. those following "SUBCLASS OF";
c) the mandatory attributes are those identified by the list of object identifiers produced by the MandatoryAttributes production, i.e. those following "MUST CONTAIN";
d) the optional attributes are those identified by the list of object identifiers produced by the OptionalAttributes production, i.e. those following "MAY CONTAIN".

Note 1 – The object identifiers in c) and d) identify both individual attributes and sets of attributes (see 9.4.7). The effective list in both cases is the set union of these. If an attribute appears in both the mandatory set and the optional set, it shall be considered mandatory.

Note 2 – The macro is used in defining selected object classes in Recommendation X.521.
Should all of the pieces of notation introduced by the macro and described in b), c) and d) above be empty, the resulting notation ("OBJECT-CLASS") can be used to denote any possible object class.

9.4.7 An attribute set is a set of attributes identified by an object identifier. The definition of an attribute set involves:

a) assigning an object identifier to the set;
b) listing the object identifiers of the attributes and other attribute sets whose members together form the set.

The following ASN.1 macro may (but need not) be used to define a set of attributes for use with the OBJECT-CLASS macro:

ATTRIBUTE-SET MACRO ::=
BEGIN
    TYPE NOTATION ::= "CONTAINS {" Attributes "}" | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Attributes ::= AttributeTerm | AttributeTerm "," Attributes
    AttributeTerm ::= Attribute | AttributeSet
    Attribute ::= value (ATTRIBUTE)
    AttributeSet ::= value (ATTRIBUTE-SET)
END

The correspondence between the parts of the definition of an attribute set and the notation introduced by the macro is as follows:

a) the object identifier assigned to the attribute set is the value supplied in the value assignment of the macro;
b) the set of attributes comprising the attribute set is that formed by the set union of the attributes and sets of attributes identified by the Attributes production, i.e. those following "CONTAINS".

Should the "empty" alternative of the notation be selected, the resulting notation ("ATTRIBUTE-SET") can be used to denote any possible attribute set.

9.4.8 The object classes previously mentioned are defined in 9.4.8.1 and 9.4.8.2.

Note – These are partial definitions: the object identifiers are actually allocated for these object classes in Recommendation X.521 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.
9.4.8.1 The object class "Top" is defined as follows:

Top ::= OBJECT-CLASS
    MUST CONTAIN {ObjectClass}

9.4.8.2 The object class "Alias" is defined as follows:

Alias ::= OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN {aliasedObjectName}

Note 1 – The object class "Alias" does not specify appropriate attribute types for the RDN of an alias entry. Administrative Authorities may specify subclasses of the class "Alias" which specify useful attribute types for RDNs of alias entries (see Recommendation X.521).

Note 2 – Entries of a subclass of the class "Alias" are alias entries.

9.5 Attribute type definition

9.5.1 The definition of an attribute type involves:

a) assigning an object identifier to the attribute type;
b) indicating or defining the attribute syntax for the attribute type;
c) indicating whether an attribute of this type may have only one value or may have more than one value (recur).

9.5.2 The Directory ensures that the indicated attribute syntax is used for every attribute of this type. The Directory also ensures that attributes of this type will have one and only one value in entries if attributes of this type are defined to have only one value.

9.5.3 The following ASN.1 macro may (but need not) be used to define an attribute type:

ATTRIBUTE MACRO ::=
BEGIN
    TYPE NOTATION ::= AttributeSyntax Multivalued | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    AttributeSyntax ::= "WITH ATTRIBUTE-SYNTAX" SyntaxChoice
    Multivalued ::= "SINGLE VALUE" | "MULTI VALUE" | empty
    SyntaxChoice ::= value (ATTRIBUTE-SYNTAX) Constraint | type MatchTypes
    Constraint ::= "(" ConstraintAlternative ")" | empty
    ConstraintAlternative ::= StringConstraint | IntegerConstraint
    StringConstraint ::= "SIZE" "(" SizeConstraint ")"
    SizeConstraint ::= SingleValue | Range
    SingleValue ::= value (INTEGER)
    Range ::= value (INTEGER) ".." value (INTEGER)
    IntegerConstraint ::= Range
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
END

The correspondence between the parts of the definition, as listed in 9.5.1, and the various pieces of the notation introduced by the macro, is as follows:

a) the object identifier assigned to the attribute type is the value supplied in the value assignment of the macro;
b) the attribute syntax for the attribute type is that identified by the AttributeSyntax production. This either points to a separately defined attribute syntax, or explicitly defines an attribute syntax by giving its ASN.1 type and matching rules (see 9.6). If a separately identified attribute syntax is employed, a size constraint for underlying string types or a value range for an underlying integer type may optionally be indicated;
c) the attribute is single valued if the Multivalued production is "SINGLE VALUE", and may have one or more values if it is "MULTI VALUE" or empty.

Note – The macro is used in defining selected attribute types in Recommendation X.520.

Should the "empty" alternative of the type notation be selected, the resulting notation ("ATTRIBUTE") can be used to denote any possible attribute type.

9.5.4 The attribute types identified in 7.3.3 which are known to and used by the Directory for its own purposes are defined as follows:

ObjectClass ::= ATTRIBUTE
    WITH ATTRIBUTE-SYNTAX objectIdentifierSyntax

AliasedObjectName ::= ATTRIBUTE
    WITH ATTRIBUTE-SYNTAX distinguishedNameSyntax
    SINGLE VALUE

Note 1 – These are partial definitions: the object identifiers are actually allocated for these attribute types in Recommendation X.520 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.

Note 2 – The attribute syntaxes referred to in these definitions are themselves defined in 9.6.5.
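The effective-attribute rules of 9.4.6 and 9.4.7 (set union through attribute sets, with a mandatory listing overriding an optional one), the Top and Alias classes of 9.4.8, the SINGLE VALUE guarantee of 9.5.2 and the SIZE constraint of 9.5.3, as one added worked example in Python. It is not text or code of the Recommendation: plain attribute names stand in for the object identifiers that X.520 and X.521 allocate, the namedAlias class and the SIZE bound of 64 on commonName are this example's own assumptions, and the entries checked are constructed.

```python
"""Schema checks drawn from 9.4 (object classes, attribute sets) and 9.5
(attribute types). Added illustration, not text of the Recommendation: the
registry and the entries below are constructed; real object identifiers are
allocated in X.520/X.521, so plain names stand in for them here."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AttributeType:
    name: str
    syntax: str                              # name of an attribute syntax (9.6)
    single_valued: bool = False              # "SINGLE VALUE" in the ATTRIBUTE macro
    size: Optional[Tuple[int, int]] = None   # optional SIZE (lo..hi) constraint


@dataclass(frozen=True)
class AttributeSet:
    name: str
    members: Tuple[str, ...]          # attribute types or other attribute sets (9.4.7)


@dataclass(frozen=True)
class ObjectClass:
    name: str
    superclasses: Tuple[str, ...] = ()   # "SUBCLASS OF"
    must: Tuple[str, ...] = ()           # "MUST CONTAIN"
    may: Tuple[str, ...] = ()            # "MAY CONTAIN"


class Schema:
    def __init__(self, types, sets, classes):
        self.types = {t.name: t for t in types}
        self.sets = {s.name: s for s in sets}
        self.classes = {c.name: c for c in classes}

    def expand(self, names, seen=frozenset()):
        """Set union of the attributes named directly or through attribute sets."""
        out = set()
        for name in names:
            if name in self.sets:
                if name in seen:   # a set that (transitively) contains itself
                    raise ValueError(f"attribute set {name} contains itself")
                out |= self.expand(self.sets[name].members, seen | {name})
            elif name in self.types:
                out.add(name)
            else:
                raise KeyError(f"unknown attribute or attribute set {name}")
        return out

    def effective(self, class_name):
        """(mandatory, optional) attributes of a class and all its superclasses.
        An attribute listed as both mandatory and optional is mandatory (9.4.6 Note 1)."""
        must, may, todo, done = set(), set(), [class_name], set()
        while todo:
            name = todo.pop()
            if name in done:
                continue
            done.add(name)
            oc = self.classes[name]
            must |= self.expand(oc.must)
            may |= self.expand(oc.may)
            todo.extend(oc.superclasses)
        return must, may - must

    def check_entry(self, class_name, entry):
        """Violations for entry = {attribute name: [values]} claiming class_name."""
        must, may = self.effective(class_name)
        problems = [f"missing mandatory attribute {n}" for n in sorted(must - set(entry))]
        for name, values in entry.items():
            if name not in must and name not in may:
                problems.append(f"attribute {name} not permitted by {class_name}")
                continue
            t = self.types[name]
            if t.single_valued and len(values) > 1:        # 9.5.2
                problems.append(f"{name} is SINGLE VALUE but has {len(values)} values")
            if t.size is not None:
                lo, hi = t.size
                problems.extend(f"value of {name} violates SIZE ({lo}..{hi})"
                                for v in values if not lo <= len(v) <= hi)
        return problems


# Constructed registry. top and alias follow 9.4.8; namedAlias is a hypothetical
# subclass of alias of the kind 9.4.8.2 Note 1 leaves to administrative authorities.
SCHEMA = Schema(
    types=[AttributeType("objectClass", "objectIdentifierSyntax"),
           AttributeType("aliasedObjectName", "distinguishedNameSyntax", single_valued=True),
           AttributeType("commonName", "caseIgnoreStringSyntax", size=(1, 64))],
    sets=[AttributeSet("namingAttributes", ("commonName",))],
    classes=[ObjectClass("top", must=("objectClass",)),
             ObjectClass("alias", superclasses=("top",), must=("aliasedObjectName",)),
             ObjectClass("namedAlias", superclasses=("alias",),
                         must=("namingAttributes",), may=("commonName",))])


def check_alias_entry(entry):
    """Check a constructed entry against the hypothetical namedAlias class."""
    return SCHEMA.check_entry("namedAlias", entry)


if __name__ == "__main__":
    bad = {"objectClass": ["namedAlias"], "aliasedObjectName": ["cn=A,o=X", "cn=B,o=X"]}
    for problem in check_alias_entry(bad):
        print(problem)
```

Two points the code makes that the prose only implies: commonName ends up mandatory for namedAlias even though the class itself lists it under MAY CONTAIN, because the attribute set it names under MUST CONTAIN wins; and a second aliasedObjectName value is reported as a violation rather than silently ignored, which is the 9.5.2 guarantee that alias dereferencing depends on. The cycle check in expand is there because a malformed attribute set listing itself would otherwise recurse without end.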
9.6 Attribute syntax definition

9.6.1 The definition of an attribute syntax involves:

a) optionally, assigning an object identifier to the attribute syntax;
b) indicating the data type, in ASN.1, of the attribute syntax;
c) defining appropriate rules for matching a presented value with a target attribute value held in the DIB. None, some, or all of the following matching rules may be defined for a particular attribute syntax:
   i) equality. Applicable to any attribute syntax. The presented value must conform to the data type of the attribute syntax;
   ii) substrings. Applicable to any attribute syntax with a string data type. The presented value must be a sequence ("SEQUENCE OF"), each of whose elements conforms to the data type;
   iii) ordering. Applicable to any attribute syntax for which a rule can be defined that will allow a presented value to be described as less than, equal to, or greater than a target value. The presented value must conform to the data type of the attribute syntax.

9.6.2 If no equality matching rule is defined, the Directory:

a) treats values of attributes of this attribute syntax as having type ANY, i.e. the Directory does not check that those values conform with the data type indicated for the attribute syntax;
b) will not attempt to match presented values against target values of such an attribute type.

Note – It follows that the Directory will not permit such an attribute to be used in a distinguished name, nor allow for a specific value to be modified.

9.6.3 If an equality matching rule is defined, the Directory:

a) treats values of attributes of this attribute syntax as having type ANY DEFINED BY the data type indicated for the attribute syntax;
b) will only match according to the matching rules defined for that attribute syntax;
c) will only match a presented value of a suitable data type as specified in 9.6.1 c).
9.6.4 The following ASN.1 macro may, but need not, be used to define attribute syntaxes:

ATTRIBUTE-SYNTAX MACRO ::=
BEGIN
    TYPE NOTATION ::= Syntax MatchTypes | empty
    VALUE NOTATION ::= value (VALUE OBJECT IDENTIFIER)
    Syntax ::= type
    MatchTypes ::= "MATCHES FOR" Matches | empty
    Matches ::= Match Matches | Match
    Match ::= "EQUALITY" | "SUBSTRINGS" | "ORDERING"
END

The correspondence between the parts of the definition, as listed in 9.6.1, and the various pieces of the notation introduced by the macro, is as follows:

a) the object identifier assigned to the attribute syntax is the value supplied in the value assignment of the macro;
b) the data type of the attribute syntax is that identified by the Syntax production, i.e. that following the macro name;
c) the defined matching rules are equality, if "EQUALITY" appears in the MatchTypes production, substrings if "SUBSTRINGS" appears, and ordering if "ORDERING" appears. If the production is empty, then no matching rules are defined.

Should the "empty" alternative of the notation be selected, the resulting notation ("ATTRIBUTE-SYNTAX") can be used to denote any possible attribute syntax.

Note 1 – No support is provided in the macro for actually defining the matching rules themselves: this must be done by natural language or by other means.

Note 2 – The macro is used in defining selected attribute syntaxes in Recommendation X.520.

9.6.5 The attribute syntaxes used in 9.5.4 are defined in 9.6.5.1 and 9.6.5.2.

Note – These are partial definitions: the object identifiers are actually allocated for these attribute syntaxes in Recommendation X.520 so as to provide a single point of allocation of these object identifiers in this series of Recommendations.
9.6.5.1 ObjectIdentifierSyntax is defined as follows:

ObjectIdentifierSyntax ::= ATTRIBUTE-SYNTAX
    OBJECT IDENTIFIER
    MATCHES FOR EQUALITY

The matching rule for equality is inherent in the definition of the ASN.1 type OBJECT IDENTIFIER.

9.6.5.2 DistinguishedNameSyntax is defined as follows:

DistinguishedNameSyntax ::= ATTRIBUTE-SYNTAX
    DistinguishedName
    MATCHES FOR EQUALITY

A presented distinguished name value is equal to a target distinguished name value if and only if all of the following are true:

a) the number of RDNs in each is the same;
b) corresponding RDNs have the same number of AVAs;
c) corresponding AVAs (i.e. those with identical attribute types) have attribute values which match for equality (in such a match, the attribute values take the same roles, i.e. as presented or target value, as the distinguished name which contains them does in the overall match).

SECTION 3 – Security model

10 Security

10.1 The Directory exists in an environment where various authorities provide access to their fragment of the DIB. Such access shall be in conformance with the security policy (see Recommendation X.509) of the security domain in which the fragment of the DIB exists.

10.2 Two specific components of a security policy are addressed here:

a) the definition of an authorization policy;
b) the definition of an authentication policy.

10.3 The definition of authorization in the context of the Directory includes the methods to:

a) specify access rights;
b) enforce access rights (access control);
c) maintain access rights.

10.4 The definition of authentication in the context of the Directory includes the methods to verify:

a) the identity of DSAs and directory users;
b) the identity of the origin of received information at an access point.

The integrity of received information is a local matter and shall be in conformance with the security policy in force.
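The matching behaviour of 9.6.2 and 9.6.3 and the distinguished-name equality rule of 9.6.5.2 above, applied to the kind of access-rights enforcement and identity check that 10.3 and 10.4 call for, as an added worked example in Python. It is not text or code of the Recommendation: the macro leaves the matching rules themselves to natural language (9.6.4 Note 1), so the caseIgnore-style rule, the sample syntaxes, the attribute registry (names in place of the object identifiers X.520 allocates) and the access-rights list are all this example's own constructions.

```python
"""Equality matching (9.6.2, 9.6.3) and the distinguished-name equality rule
(9.6.5.2) driving an access-rights lookup. Added example, not text of the
Recommendation: the syntaxes, their matching rules, the attribute registry
and the ACL below are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeSyntax:
    """An attribute syntax (9.6.1): data-type check plus the rules defined for it."""
    conforms: Callable[[Any], bool]
    equality: Optional[Callable[[Any, Any], bool]] = None   # None: no equality rule


def _ci_key(s: str) -> str:
    # Example caseIgnore-style rule: case folded, runs of spaces collapsed.
    return " ".join(s.split()).casefold()


SYNTAXES = {
    "caseIgnoreString": AttributeSyntax(
        conforms=lambda v: isinstance(v, str),
        equality=lambda p, t: _ci_key(p) == _ci_key(t)),
    "integer": AttributeSyntax(
        conforms=lambda v: isinstance(v, int) and not isinstance(v, bool),
        equality=lambda p, t: p == t),
    "opaque": AttributeSyntax(conforms=lambda v: True),   # no equality rule (9.6.2)
}

# attribute type -> syntax; names stand in for the object identifiers of X.520
ATTRIBUTE_SYNTAX = {"cn": "caseIgnoreString", "o": "caseIgnoreString",
                    "serialNumber": "integer", "photo": "opaque"}

AVA = Tuple[str, Any]        # (attribute type, value)
RDN = List[AVA]              # one or more AVAs, unordered
DN = List[RDN]               # RDNs listed root first


class NoMatchingRule(Exception):
    """Raised where 9.6.2 b) says the Directory will not attempt to match."""


def has_equality_rule(attr_type: str) -> bool:
    return SYNTAXES[ATTRIBUTE_SYNTAX[attr_type]].equality is not None


def match_equality(attr_type: str, presented: Any, target: Any) -> bool:
    syn = SYNTAXES[ATTRIBUTE_SYNTAX[attr_type]]
    if syn.equality is None:
        raise NoMatchingRule(attr_type)
    if not syn.conforms(presented):   # 9.6.3 c): presented value must be of a suitable type
        return False
    return syn.equality(presented, target)


def dn_equal(presented: DN, target: DN) -> bool:
    """9.6.5.2 a)-c): same number of RDNs, corresponding RDNs with the same
    number of AVAs, and corresponding AVAs (same type) matching for equality."""
    if len(presented) != len(target):                       # a)
        return False
    for p_rdn, t_rdn in zip(presented, target):
        if len(p_rdn) != len(t_rdn):                        # b)
            return False
        t_by_type = dict(t_rdn)
        if len(t_by_type) != len(t_rdn):                    # an RDN has one AVA per type
            return False
        for attr_type, p_val in p_rdn:                      # c)
            if attr_type not in t_by_type:
                return False
            if not match_equality(attr_type, p_val, t_by_type[attr_type]):
                return False
    return True


def rights_for(authenticated: DN, acl: List[Tuple[DN, set]]) -> set:
    """Union of the rights granted to the authenticated name. The comparison is
    the DN equality rule, not a string comparison, so names that differ only in
    a way the attribute syntax ignores (here: case) are the same principal."""
    granted = set()
    for name, rights in acl:
        if dn_equal(authenticated, name):
            granted |= rights
    return granted


# Constructed access rights: one for Alice, one for a different name whose
# last RDN carries a second AVA.
ACL = [
    ([[("o", "example org")], [("cn", "ALICE")]], {"read"}),
    ([[("o", "Example Org")], [("cn", "Alice"), ("serialNumber", 7)]], {"modify"}),
]

if __name__ == "__main__":
    alice = [[("o", "Example Org")], [("cn", "Alice")]]
    print(rights_for(alice, ACL))
    print(rights_for([[("o", "Example Org")], [("cn", "Alice"), ("serialNumber", 7)]], ACL))
```

The two failure modes worth noticing are both handled explicitly: a name whose RDN carries an extra AVA is a different name under b), so it does not inherit Alice's rights however its cn compares; and an attribute type without an equality rule raises NoMatchingRule instead of falling back to a byte comparison, which is the behaviour 9.6.2 requires and the reason the Note there excludes such attributes from distinguished names.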
10.5 This Recommendation does not define a security policy.

10.6 Annex F describes guidelines for specifying access rights.

10.7 Recommendation X.509 defines authentication procedures. The DAP and DSP may provide strong authentication of the initiator and data integrity of the request by signing of the request, and strong authentication of the responder and data integrity of the result by signing of the result. The DAP may provide simple authentication between a DUA and a DSA. The DSP may provide simple authentication between two DSAs.

10.8 Administrative authorities of applications which make use of the Directory can use their own security policy. The Directory can support such applications by holding authentication information (e.g. distinguished names, passwords, certificates) about communicating entities. This is further described in Recommendation X.509.

ANNEX A
(to Recommendation X.501)

The mathematics of trees

This Annex is not part of the standard.

FIGURE T070436088

A tree is a set of points, called vertices, and a set of directed lines, called arcs; each arc a leads from a vertex V to a vertex V'. For example, the tree in the Figure has seven vertices, labelled V1 through V7, and six arcs, labelled a1 through a6.

Two vertices V and V' are said to be the initial and final vertices, respectively, of an arc a from V to V'. For example, V2 and V3 are the initial and final vertices, respectively, of arc a2. Several different arcs may have the same initial vertex, but not the same final vertex. For example, arcs a1 and a3 have the same initial vertex, V1, but no two arcs in the Figure have the same final vertex.

The vertex that is not the final vertex of any arc is often referred to as the root vertex, or even more informally as the "root" of the tree. For example, in the Figure, V1 is the root.
A vertex that is not the initial vertex of any arc is often referred to informally as a leaf vertex, or even more informally as a "leaf" of the tree graph. For example, vertices V3, V6, and V7 are leaves.

An oriented path from a vertex V to a vertex V' is a set of arcs (a1, a2, ..., an) (n ≥ 1) such that V is the initial vertex of arc a1, V' is the final vertex of arc an, and the final vertex of arc ak is also the initial vertex of arc ak+1 for 1 ≤ k