| 4 |
- |
1 |
# OpenLDAP X.509 PMI schema
|
| 9 |
- |
2 |
# $OpenLDAP$
|
| 4 |
- |
3 |
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
4 |
##
|
| 9 |
- |
5 |
## Copyright 1998-2014 The OpenLDAP Foundation.
|
| 4 |
- |
6 |
## All rights reserved.
|
|
|
7 |
##
|
|
|
8 |
## Redistribution and use in source and binary forms, with or without
|
|
|
9 |
## modification, are permitted only as authorized by the OpenLDAP
|
|
|
10 |
## Public License.
|
|
|
11 |
##
|
|
|
12 |
## A copy of this license is available in the file LICENSE in the
|
|
|
13 |
## top-level directory of the distribution or, alternatively, at
|
|
|
14 |
## <http://www.OpenLDAP.org/license.html>.
|
|
|
15 |
#
|
|
|
16 |
## Portions Copyright (C) The Internet Society (1997-2006).
|
|
|
17 |
## All Rights Reserved.
|
|
|
18 |
##
|
|
|
19 |
## This document and translations of it may be copied and furnished to
|
|
|
20 |
## others, and derivative works that comment on or otherwise explain it
|
|
|
21 |
## or assist in its implementation may be prepared, copied, published
|
|
|
22 |
## and distributed, in whole or in part, without restriction of any
|
|
|
23 |
## kind, provided that the above copyright notice and this paragraph are
|
|
|
24 |
## included on all such copies and derivative works. However, this
|
|
|
25 |
## document itself may not be modified in any way, such as by removing
|
|
|
26 |
## the copyright notice or references to the Internet Society or other
|
|
|
27 |
## Internet organizations, except as needed for the purpose of
|
|
|
28 |
## developing Internet standards in which case the procedures for
|
|
|
29 |
## copyrights defined in the Internet Standards process must be
|
|
|
30 |
## followed, or as required to translate it into languages other than
|
|
|
31 |
## English.
|
|
|
32 |
##
|
|
|
33 |
## The limited permissions granted above are perpetual and will not be
|
|
|
34 |
## revoked by the Internet Society or its successors or assigns.
|
|
|
35 |
##
|
|
|
36 |
## This document and the information contained herein is provided on an
|
|
|
37 |
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|
|
38 |
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|
|
39 |
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|
|
40 |
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|
|
41 |
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
42 |
|
|
|
43 |
#
|
|
|
44 |
#
|
|
|
45 |
# Includes LDAPv3 schema items from:
|
|
|
46 |
# ITU X.509 (08/2005)
|
|
|
47 |
#
|
|
|
48 |
## X.509 (08/2005) pp. 120-121
|
|
|
49 |
##
|
|
|
50 |
## -- object identifier assignments --
|
|
|
51 |
## -- object classes --
|
|
|
52 |
## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}
|
|
|
53 |
## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}
|
|
|
54 |
## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}
|
|
|
55 |
## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}
|
|
|
56 |
## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}
|
|
|
57 |
## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}
|
|
|
58 |
## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}
|
|
|
59 |
## -- directory attributes --
|
|
|
60 |
## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}
|
|
|
61 |
## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
|
|
|
62 |
## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}
|
|
|
63 |
## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}
|
|
|
64 |
## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}
|
|
|
65 |
## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}
|
|
|
66 |
## id-at-role OBJECT IDENTIFIER ::= {id-at 72}
|
|
|
67 |
## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}
|
|
|
68 |
## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}
|
|
|
69 |
## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}
|
|
|
70 |
## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}
|
|
|
71 |
## -- attribute certificate extensions --
|
|
|
72 |
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
|
|
|
73 |
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
|
|
|
74 |
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
|
|
|
75 |
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
|
|
|
76 |
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
|
|
|
77 |
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
|
|
|
78 |
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
|
|
|
79 |
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
|
|
|
80 |
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
|
|
|
81 |
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
|
|
|
82 |
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
|
|
|
83 |
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
|
|
|
84 |
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
|
|
|
85 |
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
|
|
|
86 |
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
|
|
|
87 |
## -- PMI matching rules --
|
|
|
88 |
## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}
|
|
|
89 |
## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}
|
|
|
90 |
## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}
|
|
|
91 |
## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}
|
|
|
92 |
## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}
|
|
|
93 |
## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}
|
|
|
94 |
## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}
|
|
|
95 |
## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}
|
|
|
96 |
## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}
|
|
|
97 |
## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}
|
|
|
98 |
## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}
|
|
|
99 |
## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}
|
|
|
100 |
## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}
|
|
|
101 |
##
|
|
|
102 |
##
|
|
|
103 |
## X.509 (08/2005) pp. 71, 86-89
|
|
|
104 |
##
|
|
|
105 |
## 14.4.1 Role attribute
|
|
|
106 |
## role ATTRIBUTE ::= {
|
|
|
107 |
## WITH SYNTAX RoleSyntax
|
|
|
108 |
## ID id-at-role }
|
|
|
109 |
## RoleSyntax ::= SEQUENCE {
|
|
|
110 |
## roleAuthority [0] GeneralNames OPTIONAL,
|
|
|
111 |
## roleName [1] GeneralName }
|
|
|
112 |
##
|
|
|
113 |
## 14.5 XML privilege information attribute
|
|
|
114 |
## xmlPrivilegeInfo ATTRIBUTE ::= {
|
|
|
115 |
## WITH SYNTAX UTF8String -- contains XML-encoded privilege information
|
|
|
116 |
## ID id-at-xMLPrivilegeInfo }
|
|
|
117 |
##
|
|
|
118 |
## 17.1 PMI directory object classes
|
|
|
119 |
##
|
|
|
120 |
## 17.1.1 PMI user object class
|
|
|
121 |
## pmiUser OBJECT-CLASS ::= {
|
|
|
122 |
## -- a PMI user (i.e., a "holder")
|
|
|
123 |
## SUBCLASS OF {top}
|
|
|
124 |
## KIND auxiliary
|
|
|
125 |
## MAY CONTAIN {attributeCertificateAttribute}
|
|
|
126 |
## ID id-oc-pmiUser }
|
|
|
127 |
##
|
|
|
128 |
## 17.1.2 PMI AA object class
|
|
|
129 |
## pmiAA OBJECT-CLASS ::= {
|
|
|
130 |
## -- a PMI AA
|
|
|
131 |
## SUBCLASS OF {top}
|
|
|
132 |
## KIND auxiliary
|
|
|
133 |
## MAY CONTAIN {aACertificate |
|
|
|
134 |
## attributeCertificateRevocationList |
|
|
|
135 |
## attributeAuthorityRevocationList}
|
|
|
136 |
## ID id-oc-pmiAA }
|
|
|
137 |
##
|
|
|
138 |
## 17.1.3 PMI SOA object class
|
|
|
139 |
## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
|
|
|
140 |
## SUBCLASS OF {top}
|
|
|
141 |
## KIND auxiliary
|
|
|
142 |
## MAY CONTAIN {attributeCertificateRevocationList |
|
|
|
143 |
## attributeAuthorityRevocationList |
|
|
|
144 |
## attributeDescriptorCertificate}
|
|
|
145 |
## ID id-oc-pmiSOA }
|
|
|
146 |
##
|
|
|
147 |
## 17.1.4 Attribute certificate CRL distribution point object class
|
|
|
148 |
## attCertCRLDistributionPt OBJECT-CLASS ::= {
|
|
|
149 |
## SUBCLASS OF {top}
|
|
|
150 |
## KIND auxiliary
|
|
|
151 |
## MAY CONTAIN { attributeCertificateRevocationList |
|
|
|
152 |
## attributeAuthorityRevocationList }
|
|
|
153 |
## ID id-oc-attCertCRLDistributionPts }
|
|
|
154 |
##
|
|
|
155 |
## 17.1.5 PMI delegation path
|
|
|
156 |
## pmiDelegationPath OBJECT-CLASS ::= {
|
|
|
157 |
## SUBCLASS OF {top}
|
|
|
158 |
## KIND auxiliary
|
|
|
159 |
## MAY CONTAIN { delegationPath }
|
|
|
160 |
## ID id-oc-pmiDelegationPath }
|
|
|
161 |
##
|
|
|
162 |
## 17.1.6 Privilege policy object class
|
|
|
163 |
## privilegePolicy OBJECT-CLASS ::= {
|
|
|
164 |
## SUBCLASS OF {top}
|
|
|
165 |
## KIND auxiliary
|
|
|
166 |
## MAY CONTAIN {privPolicy }
|
|
|
167 |
## ID id-oc-privilegePolicy }
|
|
|
168 |
##
|
|
|
169 |
## 17.1.7 Protected privilege policy object class
|
|
|
170 |
## protectedPrivilegePolicy OBJECT-CLASS ::= {
|
|
|
171 |
## SUBCLASS OF {top}
|
|
|
172 |
## KIND auxiliary
|
|
|
173 |
## MAY CONTAIN {protPrivPolicy }
|
|
|
174 |
## ID id-oc-protectedPrivilegePolicy }
|
|
|
175 |
##
|
|
|
176 |
## 17.2 PMI Directory attributes
|
|
|
177 |
##
|
|
|
178 |
## 17.2.1 Attribute certificate attribute
|
|
|
179 |
## attributeCertificateAttribute ATTRIBUTE ::= {
|
|
|
180 |
## WITH SYNTAX AttributeCertificate
|
|
|
181 |
## EQUALITY MATCHING RULE attributeCertificateExactMatch
|
|
|
182 |
## ID id-at-attributeCertificate }
|
|
|
183 |
##
|
|
|
184 |
## 17.2.2 AA certificate attribute
|
|
|
185 |
## aACertificate ATTRIBUTE ::= {
|
|
|
186 |
## WITH SYNTAX AttributeCertificate
|
|
|
187 |
## EQUALITY MATCHING RULE attributeCertificateExactMatch
|
|
|
188 |
## ID id-at-aACertificate }
|
|
|
189 |
##
|
|
|
190 |
## 17.2.3 Attribute descriptor certificate attribute
|
|
|
191 |
## attributeDescriptorCertificate ATTRIBUTE ::= {
|
|
|
192 |
## WITH SYNTAX AttributeCertificate
|
|
|
193 |
## EQUALITY MATCHING RULE attributeCertificateExactMatch
|
|
|
194 |
## ID id-at-attributeDescriptorCertificate }
|
|
|
195 |
##
|
|
|
196 |
## 17.2.4 Attribute certificate revocation list attribute
|
|
|
197 |
## attributeCertificateRevocationList ATTRIBUTE ::= {
|
|
|
198 |
## WITH SYNTAX CertificateList
|
|
|
199 |
## EQUALITY MATCHING RULE certificateListExactMatch
|
|
|
200 |
## ID id-at-attributeCertificateRevocationList}
|
|
|
201 |
##
|
|
|
202 |
## 17.2.5 AA certificate revocation list attribute
|
|
|
203 |
## attributeAuthorityRevocationList ATTRIBUTE ::= {
|
|
|
204 |
## WITH SYNTAX CertificateList
|
|
|
205 |
## EQUALITY MATCHING RULE certificateListExactMatch
|
|
|
206 |
## ID id-at-attributeAuthorityRevocationList }
|
|
|
207 |
##
|
|
|
208 |
## 17.2.6 Delegation path attribute
|
|
|
209 |
## delegationPath ATTRIBUTE ::= {
|
|
|
210 |
## WITH SYNTAX AttCertPath
|
|
|
211 |
## ID id-at-delegationPath }
|
|
|
212 |
## AttCertPath ::= SEQUENCE OF AttributeCertificate
|
|
|
213 |
##
|
|
|
214 |
## 17.2.7 Privilege policy attribute
|
|
|
215 |
## privPolicy ATTRIBUTE ::= {
|
|
|
216 |
## WITH SYNTAX PolicySyntax
|
|
|
217 |
## ID id-at-privPolicy }
|
|
|
218 |
##
|
|
|
219 |
## 17.2.8 Protected privilege policy attribute
|
|
|
220 |
## protPrivPolicy ATTRIBUTE ::= {
|
|
|
221 |
## WITH SYNTAX AttributeCertificate
|
|
|
222 |
## EQUALITY MATCHING RULE attributeCertificateExactMatch
|
|
|
223 |
## ID id-at-protPrivPolicy }
|
|
|
224 |
##
|
|
|
225 |
## 17.2.9 XML Protected privilege policy attribute
|
|
|
226 |
## xmlPrivPolicy ATTRIBUTE ::= {
|
|
|
227 |
## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information
|
|
|
228 |
## ID id-at-xMLPprotPrivPolicy }
|
|
|
229 |
##
|
|
|
230 |
|
|
|
231 |
## -- object identifier assignments --
|
|
|
232 |
## -- object classes --
|
|
|
233 |
objectidentifier id-oc-pmiUser 2.5.6.24
|
|
|
234 |
objectidentifier id-oc-pmiAA 2.5.6.25
|
|
|
235 |
objectidentifier id-oc-pmiSOA 2.5.6.26
|
|
|
236 |
objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27
|
|
|
237 |
objectidentifier id-oc-privilegePolicy 2.5.6.32
|
|
|
238 |
objectidentifier id-oc-pmiDelegationPath 2.5.6.33
|
|
|
239 |
objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34
|
|
|
240 |
## -- directory attributes --
|
|
|
241 |
objectidentifier id-at-attributeCertificate 2.5.4.58
|
|
|
242 |
objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59
|
|
|
243 |
objectidentifier id-at-aACertificate 2.5.4.61
|
|
|
244 |
objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62
|
|
|
245 |
objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63
|
|
|
246 |
objectidentifier id-at-privPolicy 2.5.4.71
|
|
|
247 |
objectidentifier id-at-role 2.5.4.72
|
|
|
248 |
objectidentifier id-at-delegationPath 2.5.4.73
|
|
|
249 |
objectidentifier id-at-protPrivPolicy 2.5.4.74
|
|
|
250 |
objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75
|
|
|
251 |
objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76
|
|
|
252 |
## -- attribute certificate extensions --
|
|
|
253 |
## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}
|
|
|
254 |
## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}
|
|
|
255 |
## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}
|
|
|
256 |
## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}
|
|
|
257 |
## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}
|
|
|
258 |
## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}
|
|
|
259 |
## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}
|
|
|
260 |
## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}
|
|
|
261 |
## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}
|
|
|
262 |
## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}
|
|
|
263 |
## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}
|
|
|
264 |
## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}
|
|
|
265 |
## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}
|
|
|
266 |
## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}
|
|
|
267 |
## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}
|
|
|
268 |
## -- PMI matching rules --
|
|
|
269 |
objectidentifier id-mr 2.5.13
|
|
|
270 |
objectidentifier id-mr-attributeCertificateMatch id-mr:42
|
|
|
271 |
objectidentifier id-mr-attributeCertificateExactMatch id-mr:45
|
|
|
272 |
objectidentifier id-mr-holderIssuerMatch id-mr:46
|
|
|
273 |
objectidentifier id-mr-authAttIdMatch id-mr:53
|
|
|
274 |
objectidentifier id-mr-roleSpecCertIdMatch id-mr:54
|
|
|
275 |
objectidentifier id-mr-basicAttConstraintsMatch id-mr:55
|
|
|
276 |
objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56
|
|
|
277 |
objectidentifier id-mr-timeSpecMatch id-mr:57
|
|
|
278 |
objectidentifier id-mr-attDescriptorMatch id-mr:58
|
|
|
279 |
objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59
|
|
|
280 |
objectidentifier id-mr-delegationPathMatch id-mr:61
|
|
|
281 |
objectidentifier id-mr-sOAIdentifierMatch id-mr:66
|
|
|
282 |
objectidentifier id-mr-indirectIssuerMatch id-mr:67
|
|
|
283 |
## -- syntaxes --
|
|
|
284 |
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
|
|
|
285 |
## to this work in progress
|
|
|
286 |
objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
|
|
|
287 |
objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9
|
|
|
288 |
objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
|
|
|
289 |
objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
|
|
|
290 |
objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
|
|
|
291 |
# NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
|
|
|
292 |
#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5
|
|
|
293 |
#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10
|
|
|
294 |
#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17
|
|
|
295 |
#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13
|
|
|
296 |
##
|
|
|
297 |
## Substitute syntaxes
|
|
|
298 |
##
|
|
|
299 |
## AttCertPath
|
|
|
300 |
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
|
|
|
301 |
NAME 'AttCertPath'
|
|
|
302 |
DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate'
|
|
|
303 |
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
|
|
|
304 |
##
|
|
|
305 |
## PolicySyntax
|
|
|
306 |
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
|
|
|
307 |
NAME 'PolicySyntax'
|
|
|
308 |
DESC 'X.509 PMI policy syntax'
|
|
|
309 |
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
|
|
|
310 |
##
|
|
|
311 |
## RoleSyntax
|
|
|
312 |
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
|
|
|
313 |
NAME 'RoleSyntax'
|
|
|
314 |
DESC 'X.509 PMI role syntax'
|
|
|
315 |
X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
|
|
|
316 |
##
|
|
|
317 |
## X.509 (08/2005) pp. 71, 86-89
|
|
|
318 |
##
|
|
|
319 |
## 14.4.1 Role attribute
|
|
|
320 |
attributeType ( id-at-role
|
|
|
321 |
NAME 'role'
|
|
|
322 |
DESC 'X.509 Role attribute, use ;binary'
|
|
|
323 |
SYNTAX RoleSyntax )
|
|
|
324 |
##
|
|
|
325 |
## 14.5 XML privilege information attribute
|
|
|
326 |
## -- contains XML-encoded privilege information
|
|
|
327 |
attributeType ( id-at-xMLPrivilegeInfo
|
|
|
328 |
NAME 'xmlPrivilegeInfo'
|
|
|
329 |
DESC 'X.509 XML privilege information attribute'
|
|
|
330 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
331 |
##
|
|
|
332 |
## 17.2 PMI Directory attributes
|
|
|
333 |
##
|
|
|
334 |
## 17.2.1 Attribute certificate attribute
|
|
|
335 |
attributeType ( id-at-attributeCertificate
|
|
|
336 |
NAME 'attributeCertificateAttribute'
|
|
|
337 |
DESC 'X.509 Attribute certificate attribute, use ;binary'
|
|
|
338 |
SYNTAX AttributeCertificate
|
|
|
339 |
EQUALITY attributeCertificateExactMatch )
|
|
|
340 |
##
|
|
|
341 |
## 17.2.2 AA certificate attribute
|
|
|
342 |
attributeType ( id-at-aACertificate
|
|
|
343 |
NAME 'aACertificate'
|
|
|
344 |
DESC 'X.509 AA certificate attribute, use ;binary'
|
|
|
345 |
SYNTAX AttributeCertificate
|
|
|
346 |
EQUALITY attributeCertificateExactMatch )
|
|
|
347 |
##
|
|
|
348 |
## 17.2.3 Attribute descriptor certificate attribute
|
|
|
349 |
attributeType ( id-at-attributeDescriptorCertificate
|
|
|
350 |
NAME 'attributeDescriptorCertificate'
|
|
|
351 |
DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
|
|
|
352 |
SYNTAX AttributeCertificate
|
|
|
353 |
EQUALITY attributeCertificateExactMatch )
|
|
|
354 |
##
|
|
|
355 |
## 17.2.4 Attribute certificate revocation list attribute
|
|
|
356 |
attributeType ( id-at-attributeCertificateRevocationList
|
|
|
357 |
NAME 'attributeCertificateRevocationList'
|
|
|
358 |
DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
|
|
|
359 |
SYNTAX CertificateList
|
|
|
360 |
X-EQUALITY 'certificateListExactMatch, not implemented yet' )
|
|
|
361 |
##
|
|
|
362 |
## 17.2.5 AA certificate revocation list attribute
|
|
|
363 |
attributeType ( id-at-attributeAuthorityRevocationList
|
|
|
364 |
NAME 'attributeAuthorityRevocationList'
|
|
|
365 |
DESC 'X.509 AA certificate revocation list attribute, use ;binary'
|
|
|
366 |
SYNTAX CertificateList
|
|
|
367 |
X-EQUALITY 'certificateListExactMatch, not implemented yet' )
|
|
|
368 |
##
|
|
|
369 |
## 17.2.6 Delegation path attribute
|
|
|
370 |
attributeType ( id-at-delegationPath
|
|
|
371 |
NAME 'delegationPath'
|
|
|
372 |
DESC 'X.509 Delegation path attribute, use ;binary'
|
|
|
373 |
SYNTAX AttCertPath )
|
|
|
374 |
## AttCertPath ::= SEQUENCE OF AttributeCertificate
|
|
|
375 |
##
|
|
|
376 |
## 17.2.7 Privilege policy attribute
|
|
|
377 |
attributeType ( id-at-privPolicy
|
|
|
378 |
NAME 'privPolicy'
|
|
|
379 |
DESC 'X.509 Privilege policy attribute, use ;binary'
|
|
|
380 |
SYNTAX PolicySyntax )
|
|
|
381 |
##
|
|
|
382 |
## 17.2.8 Protected privilege policy attribute
|
|
|
383 |
attributeType ( id-at-protPrivPolicy
|
|
|
384 |
NAME 'protPrivPolicy'
|
|
|
385 |
DESC 'X.509 Protected privilege policy attribute, use ;binary'
|
|
|
386 |
SYNTAX AttributeCertificate
|
|
|
387 |
EQUALITY attributeCertificateExactMatch )
|
|
|
388 |
##
|
|
|
389 |
## 17.2.9 XML Protected privilege policy attribute
|
|
|
390 |
## -- contains XML-encoded privilege policy information
|
|
|
391 |
attributeType ( id-at-xMLPprotPrivPolicy
|
|
|
392 |
NAME 'xmlPrivPolicy'
|
|
|
393 |
DESC 'X.509 XML Protected privilege policy attribute'
|
|
|
394 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
|
|
395 |
##
|
|
|
396 |
## 17.1 PMI directory object classes
|
|
|
397 |
##
|
|
|
398 |
## 17.1.1 PMI user object class
|
|
|
399 |
## -- a PMI user (i.e., a "holder")
|
|
|
400 |
objectClass ( id-oc-pmiUser
|
|
|
401 |
NAME 'pmiUser'
|
|
|
402 |
DESC 'X.509 PMI user object class'
|
|
|
403 |
SUP top
|
|
|
404 |
AUXILIARY
|
|
|
405 |
MAY ( attributeCertificateAttribute ) )
|
|
|
406 |
##
|
|
|
407 |
## 17.1.2 PMI AA object class
|
|
|
408 |
## -- a PMI AA
|
|
|
409 |
objectClass ( id-oc-pmiAA
|
|
|
410 |
NAME 'pmiAA'
|
|
|
411 |
DESC 'X.509 PMI AA object class'
|
|
|
412 |
SUP top
|
|
|
413 |
AUXILIARY
|
|
|
414 |
MAY ( aACertificate $
|
|
|
415 |
attributeCertificateRevocationList $
|
|
|
416 |
attributeAuthorityRevocationList
|
|
|
417 |
) )
|
|
|
418 |
##
|
|
|
419 |
## 17.1.3 PMI SOA object class
|
|
|
420 |
## -- a PMI Source of Authority
|
|
|
421 |
objectClass ( id-oc-pmiSOA
|
|
|
422 |
NAME 'pmiSOA'
|
|
|
423 |
DESC 'X.509 PMI SOA object class'
|
|
|
424 |
SUP top
|
|
|
425 |
AUXILIARY
|
|
|
426 |
MAY ( attributeCertificateRevocationList $
|
|
|
427 |
attributeAuthorityRevocationList $
|
|
|
428 |
attributeDescriptorCertificate
|
|
|
429 |
) )
|
|
|
430 |
##
|
|
|
431 |
## 17.1.4 Attribute certificate CRL distribution point object class
|
|
|
432 |
objectClass ( id-oc-attCertCRLDistributionPts
|
|
|
433 |
NAME 'attCertCRLDistributionPt'
|
|
|
434 |
DESC 'X.509 Attribute certificate CRL distribution point object class'
|
|
|
435 |
SUP top
|
|
|
436 |
AUXILIARY
|
|
|
437 |
MAY ( attributeCertificateRevocationList $
|
|
|
438 |
attributeAuthorityRevocationList
|
|
|
439 |
) )
|
|
|
440 |
##
|
|
|
441 |
## 17.1.5 PMI delegation path
|
|
|
442 |
objectClass ( id-oc-pmiDelegationPath
|
|
|
443 |
NAME 'pmiDelegationPath'
|
|
|
444 |
DESC 'X.509 PMI delegation path'
|
|
|
445 |
SUP top
|
|
|
446 |
AUXILIARY
|
|
|
447 |
MAY ( delegationPath ) )
|
|
|
448 |
##
|
|
|
449 |
## 17.1.6 Privilege policy object class
|
|
|
450 |
objectClass ( id-oc-privilegePolicy
|
|
|
451 |
NAME 'privilegePolicy'
|
|
|
452 |
DESC 'X.509 Privilege policy object class'
|
|
|
453 |
SUP top
|
|
|
454 |
AUXILIARY
|
|
|
455 |
MAY ( privPolicy ) )
|
|
|
456 |
##
|
|
|
457 |
## 17.1.7 Protected privilege policy object class
|
|
|
458 |
objectClass ( id-oc-protectedPrivilegePolicy
|
|
|
459 |
NAME 'protectedPrivilegePolicy'
|
|
|
460 |
DESC 'X.509 Protected privilege policy object class'
|
|
|
461 |
SUP top
|
|
|
462 |
AUXILIARY
|
|
|
463 |
MAY ( protPrivPolicy ) )
|
|
|
464 |
|