1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
2.3 Recommendations
2.4 Other references
3 Definitions
3.1 OSI Reference Model security architecture definitions
3.2 Baseline identity management terms and definitions
3.3 Directory model definitions
3.4 Access control framework definitions
3.5 Public-key and attribute certificate definitions
4 Abbreviations
5 Conventions
6 Frameworks overview
6.1 Digital signatures
6.2 Public-key cryptography and cryptographic algorithms
6.3 Distinguished encoding of basic encoding rules
6.4 Applying distinguished encoding
6.5 Using repositories
7 Public keys and public-key certificates
7.1 Introduction
7.2 Public-key certificate
7.3 Public-key certificate extensions
7.4 Types of public-key certificates
7.5 Trust anchor
7.6 Entity relationship
7.7 Certification path
7.8 Generation of key pairs
7.9 Public-key certificate creation
7.10 Certificate revocation list
7.11 Uniqueness of names
7.12 Indirect CRLs
7.13 Repudiation of a digital signing
8 Trust models
8.1 Three-cornered trust model
8.2 Four cornered trust model
9 Public-key certificate and CRL extensions
9.1 Policy handling
9.2 Key and policy information extensions
9.3 Subject and issuer information extensions
9.4 Certification path constraint extensions
9.5 Basic CRL extensions
9.6 CRL distribution points and delta CRL extensions
10 Delta CRL relationship to base
11 Authorization and validation lists
11.1 Authorization and validation list concept
11.2 The authorizer
11.3 Authorization and validation list syntax
11.4 Authorization and validation restrictions
12 Certification path processing procedure
12.1 Path processing inputs
12.2 Path processing outputs
12.3 Path processing variables
12.4 Initialization step
12.5 Public-key certificate processing
13 PKI directory schema
13.1 PKI directory object classes and name forms
13.2 PKI directory attributes
13.3 PKI directory matching rules
13.4 PKI directory syntax definitions
14 Attribute certificates
14.1 Attribute certificate structure
14.2 Delegation paths
14.3 Attribute certificate revocation lists
15 Attribute authority, source of authority and certification authority relationship
15.1 Privilege in attribute certificates
15.2 Privilege in public-key certificates
16 PMI models
16.1 General model
16.2 Control model
16.3 Delegation model
16.4 Group assignment model
16.5 Roles model
16.6 Recognition of Authority Model
16.7 XML privilege information attribute
16.8 Permission attribute and matching rule
17 Attribute certificate and attribute certificate revocation list extensions
17.1 Basic privilege management extensions
17.2 Privilege revocation extensions
17.3 Source of authority extensions
17.4 Role extensions
17.5 Delegation extensions
17.6 Recognition of authority extensions
17.7 Use of basic CRL extension for ACRLs
18 Delegation path processing procedure
18.1 Basic processing procedure
18.2 Role processing procedure
18.3 Delegation processing procedure
19 PMI directory schema
19.1 PMI directory object classes
19.2 PMI directory attributes
19.3 PMI general directory matching rules
20 Protocol support for public-key and privilege management infrastructures
20.1 General syntax
20.2 Wrapping of non-encrypted protocol data units
20.3 Wrapping of encrypted protocol data unit
20.4 Check of PKI-PMI-Wrapper protocol elements
20.5 PKI-PMI-Wrapper error codes
21 Authorization and validation list management
21.1 General
21.2 Defined protocol data unit (PDU) types
21.3 Checking of received PDU
21.4 Authorization and validation management protocol
21.5 Certification authority subscription protocol
22 Trust broker protocol
Annex A – Public-key and attribute certificate frameworks
Annex B – Reference definition of cryptographic algorithms
Annex C – Certificate extension attribute types
C.1 Certificate extension attribute concept
C.2 Formal specification for certificate extension attribute types
Annex D – External ASN.1 modules
Annex E – CRL generation and processing rules
E.1 Introduction
E.2 Determine parameters for CRLs
E.3 Determine CRLs required
E.4 Obtain CRLs
E.5 Process CRLs
Annex F – Examples of delta CRL issuance
Annex G – Privilege policy and privilege attribute definition examples
G.1 Introduction
G.2 Sample syntaxes
G.3 Privilege attribute example
Annex H – An introduction to public key cryptography
Annex I – Examples of use of certification path constraints
I.1 Example 1: Use of basic constraints
I.2 Example 2: Use of policy mapping and policy constraints
I.3 Use of name constraints extension
Annex J – Guidance on determining for which policies a certification path is valid
J.1 Certification path valid for a user-specified policy required
J.2 Certification path valid for any policy required
J.3 Certification path valid regardless of policy
J.4 Certification path valid for a user-specific policy desired, but not required
Annex K – Key usage certificate extension issues
Annex L – Deprecated extensions
L.1 CRL scope extension
Annex M – Directory concepts
M.1 Scope
M.2 Basic directory concepts
M.3 Directory schema
M.4 Directory distinguished names
M.5 Subtrees
Annex N – Considerations on strong authentication
N.1 Introduction
N.2 One-way authentication
N.3 Two-way authentication
N.4 Three-way authentication
N.5 Five-way authentication (initiated by A)
N.6 Five-way authentication (initiated by B)
Annex O – Alphabetical list of information item definitions
Annex P – Amendments and corrigenda
Bibliography