Network Working Group S. Boeyen
Request for Comments: 2559 Entrust
Updates: 1778 T. Howes
Category: Standards Track Netscape
P. Richard
Xcert
April 1999
Network Working Group S. Boeyen
Request for Comments: 2559 Entrust
Updates: 1778 T. Howes
Category: Standards Track Netscape
P. Richard
Xcert
April 1999
Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2
Internet X.509公钥基础设施操作协议-LDAPv2
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
The protocol described in this document is designed to satisfy some of the operational requirements within the Internet X.509 Public Key Infrastructure (IPKI). Specifically, this document addresses requirements to provide access to Public Key Infrastructure (PKI) repositories for the purposes of retrieving PKI information and managing that same information. The mechanism described in this document is based on the Lightweight Directory Access Protocol (LDAP) v2, defined in RFC 1777, defining a profile of that protocol for use within the IPKI and updates encodings for certificates and revocation lists from RFC 1778. Additional mechanisms addressing PKIX operational requirements are specified in separate documents.
本文档中描述的协议旨在满足Internet X.509公钥基础设施(IPKI)中的一些操作要求。具体而言,本文档阐述了为检索PKI信息和管理相同信息而提供对公钥基础设施(PKI)存储库的访问的要求。本文档中描述的机制基于RFC 1777中定义的轻量级目录访问协议(LDAP)v2,该协议定义了IPKI中使用的协议配置文件,并从RFC 1778更新证书和吊销列表的编码。解决PKIX操作要求的其他机制在单独的文件中规定。
The key words 'MUST', 'REQUIRED', 'SHOULD', 'RECOMMENDED', and 'MAY' in this document are to be interpreted as described in RFC 2119.
本文件中的关键词“必须”、“必需”、“应该”、“建议”和“可能”应按照RFC 2119中的说明进行解释。
This specification is part of a multi-part standard for development of a Public Key Infrastructure (PKI) for the Internet. This specification addresses requirements to provide retrieval of X.509 PKI information, including certificates and CRLs from a repository. This specification also addresses requirements to add, delete and
本规范是互联网公钥基础设施(PKI)开发多部分标准的一部分。本规范解决了从存储库中检索X.509 PKI信息(包括证书和CRL)的要求。本规范还说明了添加、删除和删除的要求
modify PKI information in a repository. A profile based on the LDAP version 2 protocol is provided to satisfy these requirements.
修改存储库中的PKI信息。为了满足这些要求,提供了基于LDAP版本2协议的概要文件。
The PKI components, as defined in PKIX Part 1, which are involved in PKIX operational protocol interactions include:
PKIX第1部分中定义的参与PKIX操作协议交互的PKI组件包括:
- End Entities - Certification Authorities (CA) - Repository
- 终端实体-证书颁发机构(CA)-存储库
End entities and CAs using LDAPv2, retrieve PKI information from the repository using a subset of the LDAPv2 protocol.
使用LDAPv2的终端实体和CA使用LDAPv2协议的子集从存储库中检索PKI信息。
CAs populate the repository with PKI information using a subset of the LDAPv2 protocol.
CA使用LDAPv2协议的子集向存储库填充PKI信息。
The following sections examine the retrieval of PKI information from a repository and management of PKI information in a repository. A profile of the LDAPv2 protocol is defined for providing these services.
以下各节将研究如何从存储库中检索PKI信息以及如何管理存储库中的PKI信息。为提供这些服务,定义了LDAPv2协议的配置文件。
Section 5 satisfies the requirement to retrieve PKI information (a certificate, CRL, or other information of interest) from an entry in the repository, where the retrieving entity (either an end entity or a CA) has knowledge of the name of the entry. This is termed "repository read".
第5节满足了从存储库中的条目中检索PKI信息(证书、CRL或其他感兴趣的信息)的要求,其中检索实体(终端实体或CA)知道条目的名称。这被称为“存储库读取”。
Section 6 satisfies the same requirement as 5 for the situation where the name of the entry is not known, but some other related information which may optionally be used as a filter against candidate entries in the repository, is known. This is termed "repository search".
第6节满足与第5节相同的要求,即条目名称未知,但某些其他相关信息已知,这些信息可以选择性地用作对存储库中候选条目的筛选。这被称为“存储库搜索”。
Section 7 satisfies the requirement of CAs to add, delete and modify PKI information information (a certificate, CRL, or other information of interest)in the repository. This is termed "repository modify".
第7节满足了CAs在存储库中添加、删除和修改PKI信息(证书、CRL或其他感兴趣的信息)的要求。这被称为“存储库修改”。
The subset of LDAPv2 needed to support each of these functions is described below. Note that the repository search service is a superset of the repository read service in terms of the LDAPv2 functionality needed.
支持这些功能所需的LDAPv2子集如下所述。请注意,就所需的LDAPv2功能而言,存储库搜索服务是存储库读取服务的超集。
Note that all tags are implicit by default in the ASN.1 definitions that follow.
请注意,在随后的ASN.1定义中,默认情况下所有标记都是隐式的。
To retrieve information from an entry corresponding to the subject or issuer name of a certificate, requires a subset of the following three LDAP operations:
要从与证书的使用者或颁发者名称对应的条目中检索信息,需要以下三个LDAP操作的子集:
BindRequest (and BindResponse) SearchRequest (and SearchResponse) UnbindRequest
BindRequest(和BindResponse)SearchRequest(和SearchResponse)取消绑定请求
The subset of each REQUIRED operation is given below.
下面给出了每个所需操作的子集。
The full LDAP v2 Bind Request is defined in RFC 1777.
RFC1777中定义了完整的LDAP v2绑定请求。
An application providing a LDAP repository read service MUST implement the following subset of this operation:
提供LDAP存储库读取服务的应用程序必须实现此操作的以下子集:
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (2),
name LDAPDN, -- MUST accept NULL LDAPDN
simpleauth [0] OCTET STRING -- MUST accept NULL simple
}
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (2),
name LDAPDN, -- MUST accept NULL LDAPDN
simpleauth [0] OCTET STRING -- MUST accept NULL simple
}
An application providing a LDAP repository read service MAY implement other aspects of the BindRequest as well.
提供LDAP存储库读取服务的应用程序也可以实现BindRequest的其他方面。
Different services may have different security requirements. Some services may allow anonymous search, others may require authentication. Those services allowing anonymous search may choose only to allow search based on certain criteria and not others.
不同的服务可能有不同的安全要求。有些服务可能允许匿名搜索,有些可能需要身份验证。那些允许匿名搜索的服务可能只允许基于某些条件而不是其他条件进行搜索。
A LDAP repository read service SHOULD implement some level of anonymous search access. A LDAP repository read service MAY implement authenticated search access.
LDAP存储库读取服务应该实现某种级别的匿名搜索访问。LDAP存储库读取服务可以实现经过身份验证的搜索访问。
The full LDAPv2 BindResponse is described in RFC 1777.
RFC 1777中描述了完整的LDAPv2 BindResponse。
An application providing a LDAP repository read service MUST implement this entire protocol element, though only the following error codes may be returned from a Bind operation:
提供LDAP存储库读取服务的应用程序必须实现整个协议元素,但绑定操作只能返回以下错误代码:
success (0), operationsError (1), protocolError (2), authMethodNotSupported (7), noSuchObject (32), invalidDNSyntax (34), inappropriateAuthentication (48), invalidCredentials (49), busy (51), unavailable (52), unwillingToPerform (53), other (80)
成功(0)、操作错误(1)、协议错误(2)、authMethodNotSupported(7)、noSuchObject(32)、invalidDNSyntax(34)、身份验证不正确(48)、invalidCredentials(49)、忙(51)、不可用(52)、不愿意操作(53)、其他(80)
The full LDAPv2 SearchRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2搜索请求。
An application providing a LDAP repository read service MUST implement the following subset of the SearchRequest.
提供LDAP存储库读取服务的应用程序必须实现以下SearchRequest子集。
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
},
derefAliases ENUMERATED {
neverDerefAliases (0),
},
sizeLimit INTEGER (0),
timeLimit INTEGER (0),
attrsOnly BOOLEAN, -- FALSE only
filter Filter,
attributes SEQUENCE OF AttributeType
}
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
},
derefAliases ENUMERATED {
neverDerefAliases (0),
},
sizeLimit INTEGER (0),
timeLimit INTEGER (0),
attrsOnly BOOLEAN, -- FALSE only
filter Filter,
attributes SEQUENCE OF AttributeType
}
Filter ::=
CHOICE {
present [7] AttributeType, -- "objectclass" only
}
Filter ::=
CHOICE {
present [7] AttributeType, -- "objectclass" only
}
This subset of the LDAPv2 SearchRequest allows the LDAPv2 "read" operation: a base object search with a filter testing for the existence of the objectClass attribute.
LDAPv2 SearchRequest的这个子集允许LDAPv2“读取”操作:一个带有过滤器的基本对象搜索,用于测试objectClass属性的存在性。
An application providing a LDAP repository read service MAY implement other aspects of the SearchRequest as well.
提供LDAP存储库读取服务的应用程序也可以实现SearchRequest的其他方面。
5.2.2.
5.2.2.
The full LDAPv2 SearchResponse is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2搜索响应。
An application providing a LDAP repository read service over LDAPv2 MUST implement the full SearchResponse.
通过LDAPv2提供LDAP存储库读取服务的应用程序必须实现完整的SearchResponse。
Note that in the case of multivalued attributes such as userCertificate a SearchResponse containing this attribute will include all values, assuming the requester has sufficient access permissions. The application/relying party may need to select an appropriate value to be used. Also note that retrieval of a certificate from a named entry does not guarantee that the certificate will include that same Distinguished Name (DN) and in some cases the subject DN in the certificate may be NULL.
请注意,对于userCertificate等多值属性,如果请求者具有足够的访问权限,则包含此属性的SearchResponse将包含所有值。应用程序/依赖方可能需要选择要使用的适当值。还要注意,从命名条目检索证书并不保证证书将包含相同的可分辨名称(DN),在某些情况下,证书中的主题DN可能为空。
The full LDAPv2 UnbindRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2解除绑定请求。
An application providing a LDAP repository read service MUST implement the full UnbindRequest.
提供LDAP存储库读取服务的应用程序必须实现完整的解除绑定请求。
To search, using arbitrary criteria, for an entry in a repository containing a certificate, CRL, or other information of interest, requires a subset of the following three LDAP operations:
要使用任意条件搜索存储库中包含证书、CRL或其他相关信息的条目,需要以下三种LDAP操作的子集:
BindRequest (and BindResponse) SearchRequest (and SearchResponse) UnbindRequest
BindRequest(和BindResponse)SearchRequest(和SearchResponse)取消绑定请求
The subset of each operation REQUIRED is given below.
下面给出了所需的每个操作的子集。
The BindRequest and BindResponse subsets needed are the same as those described in Section 5.1.
所需的BindRequest和BindResponse子集与第5.1节中所述的子集相同。
The full LDAP v2 Bind Request is defined in RFC 1777.
RFC1777中定义了完整的LDAP v2绑定请求。
The full LDAPv2 SearchRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2搜索请求。
An application providing a LDAP repository search service MUST implement the following subset of the SearchRequest protocol unit.
提供LDAP存储库搜索服务的应用程序必须实现以下SearchRequest协议单元的子集。
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2)
},
derefAliases ENUMERATED {
neverDerefAliases (0),
},
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
attrsOnly BOOLEAN, -- FALSE only
filter Filter,
attributes SEQUENCE OF AttributeType
}
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject LDAPDN,
scope ENUMERATED {
baseObject (0),
singleLevel (1),
wholeSubtree (2)
},
derefAliases ENUMERATED {
neverDerefAliases (0),
},
sizeLimit INTEGER (0 .. maxInt),
timeLimit INTEGER (0 .. maxInt),
attrsOnly BOOLEAN, -- FALSE only
filter Filter,
attributes SEQUENCE OF AttributeType
}
All aspects of the SearchRequest MUST be supported, except for the following:
必须支持SearchRequest的所有方面,但以下方面除外:
- Only the neverDerefAliases value of derefAliases needs to be supported
- 只需要支持DereFaliasses的NeverdereFaliasses值
- Only the FALSE value for attrsOnly needs to be supported
- 只需要支持attrsOnly的FALSE值
This subset provides a more general search capability. It is a superset of the SearchRequest subset defined in Section 5.2.1. The elements added to this service are:
该子集提供了更通用的搜索功能。它是第5.2.1节中定义的SearchRequest子集的超集。添加到此服务的元素包括:
- singleLevel and wholeSubtree scope needs to be supported
- 需要支持单级和整体子树作用域
- sizeLimit is included
- 包括sizeLimit
- timeLimit is included
- 包括时间限制
- Enhanced filter capability
- 增强的过滤能力
An application providing a LDAP repository search service MAY implement other aspects of the SearchRequest as well.
提供LDAP存储库搜索服务的应用程序也可以实现SearchRequest的其他方面。
The full LDAPv2 SearchResponse is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2搜索响应。
An application providing a LDAP repository search service over LDAPv2 MUST implement the full SearchResponse.
通过LDAPv2提供LDAP存储库搜索服务的应用程序必须实现完整的SearchResponse。
An application providing a LDAP repository search service MUST implement the full UnbindRequest.
提供LDAP存储库搜索服务的应用程序必须实现完整的解除绑定请求。
To add, delete and modify PKI information in a repository requires a subset of the following LDAP operations:
要在存储库中添加、删除和修改PKI信息,需要以下LDAP操作的子集:
BindRequest (and BindResponse) ModifyRequest (and ModifyResponse) AddRequest (and AddResponse) DelRequest (and DelResponse UnbindRequest
BindRequest(和BindResponse)ModifyRequest(和ModifyResponse)AddRequest(和AddResponse)DelRequest(和DelResponse UnbindRequest
The subset of each operation REQUIRED is given below.
下面给出了所需的每个操作的子集。
The full LDAP v2 Bind Request is defined in RFC 1777.
RFC1777中定义了完整的LDAP v2绑定请求。
An application providing a LDAP repository modify service MUST implement the following subset of this operation:
提供LDAP存储库修改服务的应用程序必须实现此操作的以下子集:
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (2),
name LDAPDN,
simpleauth [0] OCTET STRING
}
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version INTEGER (2),
name LDAPDN,
simpleauth [0] OCTET STRING
}
A LDAP repository modify service MUST implement authenticated access.
LDAP存储库修改服务必须实现经过身份验证的访问。
The BindResponse subsets needed are the same as those described in Section 5.1.2.
所需的BindResponse子集与第5.1.2节所述的子集相同。
The full LDAPv2 ModifyRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2修改请求。
An application providing a LDAP repository modify service MUST implement the following subset of the ModifyRequest protocol unit.
提供LDAP存储库修改服务的应用程序必须实现ModifyRequest协议单元的以下子集。
ModifyRequest ::=
[APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1)
},
modification SEQUENCE {
type AttributeType,
values SET OF
AttributeValue
}
}
}
ModifyRequest ::=
[APPLICATION 6] SEQUENCE {
object LDAPDN,
modification SEQUENCE OF SEQUENCE {
operation ENUMERATED {
add (0),
delete (1)
},
modification SEQUENCE {
type AttributeType,
values SET OF
AttributeValue
}
}
}
All aspects of the ModifyRequest MUST be supported, except for the following:
必须支持ModifyRequest的所有方面,但以下方面除外:
- Only the add and delete values of operation need to be supported
- 只需要支持操作的添加和删除值
The full LDAPv2 ModifyResponse is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2修改响应。
An application providing a LDAP repository modify service MUST implement the full ModifyResponse.
提供LDAP存储库修改服务的应用程序必须实现完整的ModifyResponse。
The full LDAPv2 AddRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2 AddRequest。
An application providing a LDAP repository modify service MUST implement the full AddRequest.
提供LDAP存储库修改服务的应用程序必须实现完整的AddRequest。
The full LDAPv2 AddResponse is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2 AddResponse。
An application providing a LDAP repository modify service MUST implement the full AddResponse.
提供LDAP存储库修改服务的应用程序必须实现完整的AddResponse。
The full LDAPv2 DelRequest is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2 DelRequest。
An application providing a LDAP repository modify service MUST implement the full DelRequest.
提供LDAP存储库修改服务的应用程序必须实现完整的请求。
The full LDAPv2 DelResponse is defined in RFC 1777.
RFC 1777中定义了完整的LDAPv2 DelResponse。
An application providing a LDAP repository modify service MUST implement the full DelResponse.
提供LDAP存储库修改服务的应用程序必须实现完整的响应。
An application providing a LDAP repository modify service MUST implement the full UnbindRequest.
提供LDAP存储库修改服务的应用程序必须实现完整的解除绑定请求。
When conveyed in LDAP requests and results, attributes defined in X.500 are to be encoded using string representations defined in RFC 1778, The String Representation of Standard Attribute Syntaxes. These string encodings were based on the attribute definitions from X.500(1988). Thus, the string representations of the PKI information elements are for version 1 certificates and version 1 revocation lists. Since this specification uses version 3 certificates and version 2 revocation lists, as defined in X.509(1997), the RFC 1778 string encoding of these attributes is inappropriate.
在LDAP请求和结果中传输时,X.500中定义的属性将使用RFC 1778(标准属性语法的字符串表示)中定义的字符串表示进行编码。这些字符串编码基于X.500(1988)中的属性定义。因此,PKI信息元素的字符串表示用于版本1证书和版本1撤销列表。由于本规范使用X.509(1997)中定义的版本3证书和版本2撤销列表,因此这些属性的RFC 1778字符串编码是不合适的。
For this reason, these attributes MUST be encoded using a syntax similar to the syntax "Undefined" from section 2.1 of RFC 1778: values of these attributes are encoded as if they were values of type "OCTET STRING", with the string value of the encoding being the DER-encoding of the value itself. For example, when writing a userCertificate to the repository, the CA generates a DER-encoding of the certificate and uses that encoding as the value of the userCertificate attribute in the LDAP Modify request.This encoding
因此,必须使用类似于RFC 1778第2.1节“未定义”语法的语法对这些属性进行编码:这些属性的值被编码为“八位字符串”类型的值,编码的字符串值是值本身的DER编码。例如,在将userCertificate写入存储库时,CA生成证书的DER编码,并将该编码用作LDAP修改请求中userCertificate属性的值
style is consistent with the encoding scheme proposed for LDAPv3, which is now being defined within the IETF.
样式与为LDAPv3提出的编码方案一致,该方案目前正在IETF中定义。
Note that certificates and revocation lists will be transferred using this mechanism rather than the string encodings in RFC 1778 and client systems which do not understand this encoding may experience problems with these attributes.
请注意,证书和吊销列表将使用此机制传输,而不是RFC 1778中的字符串编码,不理解此编码的客户端系统可能会遇到这些属性的问题。
An application providing a LDAP repository read service, LDAP repository search service, or LDAP repository modify service MUST support LDAPv2 transport over TCP, as defined in Section 3.1 of RFC 1777.
提供LDAP存储库读取服务、LDAP存储库搜索服务或LDAP存储库修改服务的应用程序必须支持通过TCP的LDAPv2传输,如RFC 1777第3.1节所定义。
An application providing a LDAP repository read service, LDAP repository search service, or LDAP repository modify service MAY support LDAPv2 transport over other reliable transports as well.
提供LDAP存储库读取服务、LDAP存储库搜索服务或LDAP存储库修改服务的应用程序也可以支持LDAPv2传输而不是其他可靠传输。
Since the elements of information which are key to the PKI service (certificates and CRLs) are both digitally signed pieces of information, additional integrity service is NOT REQUIRED. As neither information element need be kept secret and anonymous access to such information, for retrieval purposes is generally acceptable, privacy service is NOT REQUIRED for information retrieval requests.
由于PKI服务的关键信息元素(证书和CRL)都是经过数字签名的信息,因此不需要额外的完整性服务。由于这两个信息元素都不需要保密,而且出于检索目的匿名访问此类信息通常是可以接受的,因此信息检索请求不需要隐私服务。
CAs have additional requirements, including modification of PKI information. Simple authentication alone is not sufficient for these purposes. It is RECOMMENDED that some stronger means of authentication and/or (if simple authentication is used) some means of protecting the privacy of the password is used, (e.g. accept modifications only via physically secure networks, use IPsec, use SSH or TLS or SSL tunnel). Without such authentication, it is possible that a denial-of-service attack could occur where the attacker replaces valid certificates with bogus ones.
CA有其他要求,包括修改PKI信息。仅凭简单的身份验证不足以达到这些目的。建议使用更强的身份验证和/或(如果使用简单身份验证)保护密码隐私的方法(例如,仅通过物理安全网络接受修改、使用IPsec、使用SSH或TLS或SSL隧道)。如果没有这种身份验证,攻击者可能会用伪造证书替换有效证书,从而发生拒绝服务攻击。
For the LDAP repository modify service, profiled in section 7, there are some specific security considerations with respect to access control. These controls apply to a repository which is under the same management control as the CA. Organizations operating directories are NOT REQUIRED to provide external CAs access permission to their directories.
对于第7节介绍的LDAP repository modify服务,在访问控制方面有一些特定的安全注意事项。这些控制适用于与CA处于相同管理控制下的存储库。运行目录的组织无需向其目录提供外部CAs访问权限。
The CA MUST have access control permissions allowing it to:
CA必须具有访问控制权限,才能:
For CA entries: - add, modify and delete all PKI attributes for its own directory entry; - add, modify and delete all values of these attributes.
对于CA条目:-为其自己的目录条目添加、修改和删除所有PKI属性;-添加、修改和删除这些属性的所有值。
For CRL distribution point entries (if used): - create, modify and delete entries of object class cRLDistributionPoint immediately subordinate to its own entry; - add, modify and delete all attributes, and all values of these attributes for these entries.
对于CRL分发点条目(如果使用):-创建、修改和删除直接从属于其自身条目的对象类cRLDistributionPoint的条目;-为这些条目添加、修改和删除所有属性以及这些属性的所有值。
For subscriber (end-entity) entries: - add, modify and delete the attribute userCertificate and all values of that attribute, issued by this CA to/from these entries.
对于订户(终端实体)条目:-添加、修改和删除属性userCertificate以及该CA向这些条目颁发的该属性的所有值。
The CA is the ONLY entity with these permissions.
CA是唯一具有这些权限的实体。
An application providing LDAP repository read, LDAP repository search, or LDAP repository modify service as defined in this specification is NOT REQUIRED to implement any additional security features other than those described herein, however an implementation SHOULD do so.
提供本规范中定义的LDAP存储库读取、LDAP存储库搜索或LDAP存储库修改服务的应用程序不需要实现除本文所述之外的任何其他安全功能,但是实现应该这样做。
[1] Yeong, Y., Howes, T. and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.
[1] Yeong,Y.,Howes,T.和S.Kille,“轻量级目录访问协议”,RFC 17771995年3月。
[2] Howes, T., Kille, S., Yeong, W. and C. Robbins, "The String Representation of Standard Attribute Syntaxes", RFC 1778, March 1995.
[2] Howes,T.,Kille,S.,Yeong,W.和C.Robbins,“标准属性语法的字符串表示”,RFC 17781995年3月。
[3] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
Sharon Boeyen Entrust Technologies Limited 750 Heron Road Ottawa, Ontario Canada K1V 1A7
加拿大安大略省渥太华Heron路750号Sharon Boeyn信托科技有限公司K1V 1A7
EMail: sharon.boeyen@entrust.com
EMail: sharon.boeyen@entrust.com
Tim Howes Netscape Communications Corp. 501 E. Middlefield Rd. Mountain View, CA 94043 USA
Tim Howes Netscape Communications Corp.美国加利福尼亚州山景城米德菲尔德东路501号,邮编94043
EMail: howes@netscape.com
EMail: howes@netscape.com
Patrick Richard Xcert Software Inc. Suite 1001, 701 W. Georgia Street P.O. Box 10145 Pacific Centre Vancouver, B.C. Canada V7Y 1C6
Patrick Richard Xcert Software Inc.加拿大不列颠哥伦比亚省温哥华太平洋中心10145号邮政信箱乔治亚街西701号1001室V7Y 1C6
EMail: patr@xcert.com
EMail: patr@xcert.com
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。