# OpenLDAP X.509 PMI schema # $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 1998-2019 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . # ## Portions Copyright (C) The Internet Society (1997-2006). ## All Rights Reserved. ## ## This document and translations of it may be copied and furnished to ## others, and derivative works that comment on or otherwise explain it ## or assist in its implementation may be prepared, copied, published ## and distributed, in whole or in part, without restriction of any ## kind, provided that the above copyright notice and this paragraph are ## included on all such copies and derivative works. However, this ## document itself may not be modified in any way, such as by removing ## the copyright notice or references to the Internet Society or other ## Internet organizations, except as needed for the purpose of ## developing Internet standards in which case the procedures for ## copyrights defined in the Internet Standards process must be ## followed, or as required to translate it into languages other than ## English. ## ## The limited permissions granted above are perpetual and will not be ## revoked by the Internet Society or its successors or assigns. ## ## This document and the information contained herein is provided on an ## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING ## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION ## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF ## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. # # # Includes LDAPv3 schema items from: # ITU X.509 (08/2005) # ## X.509 (08/2005) pp. 120-121 ## ## -- object identifier assignments -- ## -- object classes -- ## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24} ## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25} ## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26} ## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27} ## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32} ## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33} ## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34} ## -- directory attributes -- ## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58} ## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59} ## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61} ## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62} ## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63} ## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71} ## id-at-role OBJECT IDENTIFIER ::= {id-at 72} ## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73} ## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74} ## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75} ## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76} ## -- attribute certificate extensions -- ## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38} ## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39} ## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41} ## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42} ## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43} ## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48} ## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49} ## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50} ## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52} ## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55} ## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56} ## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57} ## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61} ## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62} ## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64} ## -- PMI matching rules -- ## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42} ## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45} ## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46} ## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53} ## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54} ## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55} ## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56} ## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57} ## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58} ## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59} ## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61} ## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66} ## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67} ## ## ## X.509 (08/2005) pp. 71, 86-89 ## ## 14.4.1 Role attribute ## role ATTRIBUTE ::= { ## WITH SYNTAX RoleSyntax ## ID id-at-role } ## RoleSyntax ::= SEQUENCE { ## roleAuthority [0] GeneralNames OPTIONAL, ## roleName [1] GeneralName } ## ## 14.5 XML privilege information attribute ## xmlPrivilegeInfo ATTRIBUTE ::= { ## WITH SYNTAX UTF8String -- contains XML-encoded privilege information ## ID id-at-xMLPrivilegeInfo } ## ## 17.1 PMI directory object classes ## ## 17.1.1 PMI user object class ## pmiUser OBJECT-CLASS ::= { ## -- a PMI user (i.e., a "holder") ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN {attributeCertificateAttribute} ## ID id-oc-pmiUser } ## ## 17.1.2 PMI AA object class ## pmiAA OBJECT-CLASS ::= { ## -- a PMI AA ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN {aACertificate | ## attributeCertificateRevocationList | ## attributeAuthorityRevocationList} ## ID id-oc-pmiAA } ## ## 17.1.3 PMI SOA object class ## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN {attributeCertificateRevocationList | ## attributeAuthorityRevocationList | ## attributeDescriptorCertificate} ## ID id-oc-pmiSOA } ## ## 17.1.4 Attribute certificate CRL distribution point object class ## attCertCRLDistributionPt OBJECT-CLASS ::= { ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN { attributeCertificateRevocationList | ## attributeAuthorityRevocationList } ## ID id-oc-attCertCRLDistributionPts } ## ## 17.1.5 PMI delegation path ## pmiDelegationPath OBJECT-CLASS ::= { ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN { delegationPath } ## ID id-oc-pmiDelegationPath } ## ## 17.1.6 Privilege policy object class ## privilegePolicy OBJECT-CLASS ::= { ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN {privPolicy } ## ID id-oc-privilegePolicy } ## ## 17.1.7 Protected privilege policy object class ## protectedPrivilegePolicy OBJECT-CLASS ::= { ## SUBCLASS OF {top} ## KIND auxiliary ## MAY CONTAIN {protPrivPolicy } ## ID id-oc-protectedPrivilegePolicy } ## ## 17.2 PMI Directory attributes ## ## 17.2.1 Attribute certificate attribute ## attributeCertificateAttribute ATTRIBUTE ::= { ## WITH SYNTAX AttributeCertificate ## EQUALITY MATCHING RULE attributeCertificateExactMatch ## ID id-at-attributeCertificate } ## ## 17.2.2 AA certificate attribute ## aACertificate ATTRIBUTE ::= { ## WITH SYNTAX AttributeCertificate ## EQUALITY MATCHING RULE attributeCertificateExactMatch ## ID id-at-aACertificate } ## ## 17.2.3 Attribute descriptor certificate attribute ## attributeDescriptorCertificate ATTRIBUTE ::= { ## WITH SYNTAX AttributeCertificate ## EQUALITY MATCHING RULE attributeCertificateExactMatch ## ID id-at-attributeDescriptorCertificate } ## ## 17.2.4 Attribute certificate revocation list attribute ## attributeCertificateRevocationList ATTRIBUTE ::= { ## WITH SYNTAX CertificateList ## EQUALITY MATCHING RULE certificateListExactMatch ## ID id-at-attributeCertificateRevocationList} ## ## 17.2.5 AA certificate revocation list attribute ## attributeAuthorityRevocationList ATTRIBUTE ::= { ## WITH SYNTAX CertificateList ## EQUALITY MATCHING RULE certificateListExactMatch ## ID id-at-attributeAuthorityRevocationList } ## ## 17.2.6 Delegation path attribute ## delegationPath ATTRIBUTE ::= { ## WITH SYNTAX AttCertPath ## ID id-at-delegationPath } ## AttCertPath ::= SEQUENCE OF AttributeCertificate ## ## 17.2.7 Privilege policy attribute ## privPolicy ATTRIBUTE ::= { ## WITH SYNTAX PolicySyntax ## ID id-at-privPolicy } ## ## 17.2.8 Protected privilege policy attribute ## protPrivPolicy ATTRIBUTE ::= { ## WITH SYNTAX AttributeCertificate ## EQUALITY MATCHING RULE attributeCertificateExactMatch ## ID id-at-protPrivPolicy } ## ## 17.2.9 XML Protected privilege policy attribute ## xmlPrivPolicy ATTRIBUTE ::= { ## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information ## ID id-at-xMLPprotPrivPolicy } ## ## -- object identifier assignments -- ## -- object classes -- objectidentifier id-oc-pmiUser 2.5.6.24 objectidentifier id-oc-pmiAA 2.5.6.25 objectidentifier id-oc-pmiSOA 2.5.6.26 objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27 objectidentifier id-oc-privilegePolicy 2.5.6.32 objectidentifier id-oc-pmiDelegationPath 2.5.6.33 objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34 ## -- directory attributes -- objectidentifier id-at-attributeCertificate 2.5.4.58 objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59 objectidentifier id-at-aACertificate 2.5.4.61 objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62 objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63 objectidentifier id-at-privPolicy 2.5.4.71 objectidentifier id-at-role 2.5.4.72 objectidentifier id-at-delegationPath 2.5.4.73 objectidentifier id-at-protPrivPolicy 2.5.4.74 objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75 objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76 ## -- attribute certificate extensions -- ## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38} ## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39} ## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41} ## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42} ## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43} ## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48} ## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49} ## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50} ## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52} ## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55} ## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56} ## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57} ## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61} ## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62} ## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64} ## -- PMI matching rules -- objectidentifier id-mr 2.5.13 objectidentifier id-mr-attributeCertificateMatch id-mr:42 objectidentifier id-mr-attributeCertificateExactMatch id-mr:45 objectidentifier id-mr-holderIssuerMatch id-mr:46 objectidentifier id-mr-authAttIdMatch id-mr:53 objectidentifier id-mr-roleSpecCertIdMatch id-mr:54 objectidentifier id-mr-basicAttConstraintsMatch id-mr:55 objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56 objectidentifier id-mr-timeSpecMatch id-mr:57 objectidentifier id-mr-attDescriptorMatch id-mr:58 objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59 objectidentifier id-mr-delegationPathMatch id-mr:61 objectidentifier id-mr-sOAIdentifierMatch id-mr:66 objectidentifier id-mr-indirectIssuerMatch id-mr:67 ## -- syntaxes -- ## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP ## to this work in progress objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1 objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9 objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4 objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5 objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6 # NOTE: OIDs from (expired) #objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5 #objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10 #objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17 #objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13 ## ## Substitute syntaxes ## ## AttCertPath ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4 NAME 'AttCertPath' DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate' X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' ) ## ## PolicySyntax ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5 NAME 'PolicySyntax' DESC 'X.509 PMI policy syntax' X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' ) ## ## RoleSyntax ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6 NAME 'RoleSyntax' DESC 'X.509 PMI role syntax' X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' ) ## ## X.509 (08/2005) pp. 71, 86-89 ## ## 14.4.1 Role attribute attributeType ( id-at-role NAME 'role' DESC 'X.509 Role attribute, use ;binary' SYNTAX RoleSyntax ) ## ## 14.5 XML privilege information attribute ## -- contains XML-encoded privilege information attributeType ( id-at-xMLPrivilegeInfo NAME 'xmlPrivilegeInfo' DESC 'X.509 XML privilege information attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ## ## 17.2 PMI Directory attributes ## ## 17.2.1 Attribute certificate attribute attributeType ( id-at-attributeCertificate NAME 'attributeCertificateAttribute' DESC 'X.509 Attribute certificate attribute, use ;binary' SYNTAX AttributeCertificate EQUALITY attributeCertificateExactMatch ) ## ## 17.2.2 AA certificate attribute attributeType ( id-at-aACertificate NAME 'aACertificate' DESC 'X.509 AA certificate attribute, use ;binary' SYNTAX AttributeCertificate EQUALITY attributeCertificateExactMatch ) ## ## 17.2.3 Attribute descriptor certificate attribute attributeType ( id-at-attributeDescriptorCertificate NAME 'attributeDescriptorCertificate' DESC 'X.509 Attribute descriptor certificate attribute, use ;binary' SYNTAX AttributeCertificate EQUALITY attributeCertificateExactMatch ) ## ## 17.2.4 Attribute certificate revocation list attribute attributeType ( id-at-attributeCertificateRevocationList NAME 'attributeCertificateRevocationList' DESC 'X.509 Attribute certificate revocation list attribute, use ;binary' SYNTAX CertificateList X-EQUALITY 'certificateListExactMatch, not implemented yet' ) ## ## 17.2.5 AA certificate revocation list attribute attributeType ( id-at-attributeAuthorityRevocationList NAME 'attributeAuthorityRevocationList' DESC 'X.509 AA certificate revocation list attribute, use ;binary' SYNTAX CertificateList X-EQUALITY 'certificateListExactMatch, not implemented yet' ) ## ## 17.2.6 Delegation path attribute attributeType ( id-at-delegationPath NAME 'delegationPath' DESC 'X.509 Delegation path attribute, use ;binary' SYNTAX AttCertPath ) ## AttCertPath ::= SEQUENCE OF AttributeCertificate ## ## 17.2.7 Privilege policy attribute attributeType ( id-at-privPolicy NAME 'privPolicy' DESC 'X.509 Privilege policy attribute, use ;binary' SYNTAX PolicySyntax ) ## ## 17.2.8 Protected privilege policy attribute attributeType ( id-at-protPrivPolicy NAME 'protPrivPolicy' DESC 'X.509 Protected privilege policy attribute, use ;binary' SYNTAX AttributeCertificate EQUALITY attributeCertificateExactMatch ) ## ## 17.2.9 XML Protected privilege policy attribute ## -- contains XML-encoded privilege policy information attributeType ( id-at-xMLPprotPrivPolicy NAME 'xmlPrivPolicy' DESC 'X.509 XML Protected privilege policy attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ## ## 17.1 PMI directory object classes ## ## 17.1.1 PMI user object class ## -- a PMI user (i.e., a "holder") objectClass ( id-oc-pmiUser NAME 'pmiUser' DESC 'X.509 PMI user object class' SUP top AUXILIARY MAY ( attributeCertificateAttribute ) ) ## ## 17.1.2 PMI AA object class ## -- a PMI AA objectClass ( id-oc-pmiAA NAME 'pmiAA' DESC 'X.509 PMI AA object class' SUP top AUXILIARY MAY ( aACertificate $ attributeCertificateRevocationList $ attributeAuthorityRevocationList ) ) ## ## 17.1.3 PMI SOA object class ## -- a PMI Source of Authority objectClass ( id-oc-pmiSOA NAME 'pmiSOA' DESC 'X.509 PMI SOA object class' SUP top AUXILIARY MAY ( attributeCertificateRevocationList $ attributeAuthorityRevocationList $ attributeDescriptorCertificate ) ) ## ## 17.1.4 Attribute certificate CRL distribution point object class objectClass ( id-oc-attCertCRLDistributionPts NAME 'attCertCRLDistributionPt' DESC 'X.509 Attribute certificate CRL distribution point object class' SUP top AUXILIARY MAY ( attributeCertificateRevocationList $ attributeAuthorityRevocationList ) ) ## ## 17.1.5 PMI delegation path objectClass ( id-oc-pmiDelegationPath NAME 'pmiDelegationPath' DESC 'X.509 PMI delegation path' SUP top AUXILIARY MAY ( delegationPath ) ) ## ## 17.1.6 Privilege policy object class objectClass ( id-oc-privilegePolicy NAME 'privilegePolicy' DESC 'X.509 Privilege policy object class' SUP top AUXILIARY MAY ( privPolicy ) ) ## ## 17.1.7 Protected privilege policy object class objectClass ( id-oc-protectedPrivilegePolicy NAME 'protectedPrivilegePolicy' DESC 'X.509 Protected privilege policy object class' SUP top AUXILIARY MAY ( protPrivPolicy ) )