Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 5917                                          IECA
Category: Informational                                        June 2010
ISSN: 2070-1721

Clearance Sponsor Attribute

Abstract

This document defines the clearance sponsor attribute. It indicates the entity that sponsored (i.e., granted) the clearance. This attribute is intended for use in public key certificates and attribute certificates that also include the clearance attribute.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5917.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

This document specifies the clearance sponsor attribute. It is included in public key certificates [RFC5280] and attribute certificates [RFC5755]. This attribute is only meaningful as a companion of the clearance attribute [RFC5755] [RFC5912]. The clearance sponsor is the entity (e.g., agency, department, or organization) that granted the clearance to the subject named in the certificate. For example, the clearance sponsor for a subject asserting the Amoco clearance values [RFC3114] could be "Engineering".

This attribute may be used in automated authorization decisions. For example, a web server deciding whether to allow a user access could check that the clearance sponsor present in the user's certificate is on an "approved" list. This check is performed in addition to certification path validation [RFC5280]. The mechanism for managing the "approved" list is beyond the scope of this document.

NOTE: This document does not provide an equivalent Lightweight Directory Access Protocol (LDAP) schema specification as this attribute is initially targeted at public key certificates [RFC5280] and attribute certificates [RFC5755]. Definition of an equivalent LDAP schema is left to a future specification.

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.2. ASN.1 Syntax Notation

The attribute is defined using ASN.1 [X.680], [X.681], [X.682], and [X.683].

2. Clearance Sponsor

The clearance sponsor attribute, which is only meaningful if the clearance attribute [RFC5755] [RFC5912] is also present, indicates the sponsor of the clearance of the subject with which this attribute is associated. The clearance sponsor attribute is a DirectoryString [RFC5280], which MUST use the UTF8String CHOICE, with a minimum size of 1 character and a maximum of 64 characters.

The following object identifier identifies the sponsor attribute:

   id-clearanceSponsor OBJECT IDENTIFIER ::= {
     joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
     dod(2) infosec(1) attributes(5) 68
   }

The ASN.1 syntax for the clearance sponsor attribute is as follows:

   at-clearanceSponsor ATTRIBUTE ::= {
     TYPE                   DirectoryString { ub-clearance-sponsor }
                            ( WITH COMPONENTS { utf8String PRESENT } )
     EQUALITY MATCHING RULE caseIgnoreMatch
     IDENTIFIED BY          id-clearanceSponsor
   }

   ub-clearance-sponsor INTEGER ::= 64

There MUST only be one value of clearanceSponsor associated with a particular certificate. Distinct sponsors MUST be represented in separate certificates.

When an environment uses the Clearance Sponsor attribute, it is important that the same representation of the sponsor be used throughout the environment (e.g., using the same acronym). Further, the value in this attribute is not meant to be globally unique. When included in certificates, it is unique within the scope of the issuer.
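The encoding that the syntax above produces, as an added example that is not part of RFC 5917 (Python standard library only; the helper names are this example's own): it builds the DER Attribute for one clearanceSponsor value and parses one back while enforcing the UTF8String CHOICE, the 1 to 64 character bound, and the rule that a certificate carries only one value.

```python
"""DER encoding and validation of the clearance sponsor Attribute.

Added example, not code from RFC 5917; standard library only.  DER per
X.690; Attribute layout and constraints per Section 2 of the RFC.
"""

# id-clearanceSponsor = 2.16.840.1.101.2.1.5.68 (Section 2)
ID_CLEARANCE_SPONSOR = (2, 16, 840, 1, 101, 2, 1, 5, 68)
UB_CLEARANCE_SPONSOR = 64       # ub-clearance-sponsor INTEGER ::= 64

TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE, TAG_SET = 0x06, 0x0C, 0x30, 0x31


def _der_len(n):
    """DER definite length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(arcs):
    """X.690 OID content octets: first two arcs combined, base-128 after."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def check_sponsor(value):
    """Section 2 constraints: UTF8String CHOICE, 1 to 64 characters."""
    if not isinstance(value, str):
        raise ValueError("clearance sponsor must be text (UTF8String CHOICE)")
    n = len(value)                  # characters, not encoded bytes
    if not 1 <= n <= UB_CLEARANCE_SPONSOR:
        raise ValueError("clearance sponsor must be 1..64 characters, got %d" % n)
    return value


def encode_clearance_sponsor(value):
    """Encode one Attribute carrying exactly one clearanceSponsor value."""
    check_sponsor(value)
    attr_type = _tlv(TAG_OID, _encode_oid(ID_CLEARANCE_SPONSOR))
    attr_values = _tlv(TAG_SET, _tlv(TAG_UTF8STRING, value.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, attr_type + attr_values)


def _read_tlv(buf, pos):
    """Return (tag, content, end) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf) or buf[pos] == 0:
            raise ValueError("length is not DER (indefinite or non-minimal)")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past the end of the input")
    return tag, buf[pos:end], end


def decode_clearance_sponsor(der):
    """Parse an Attribute and return its single sponsor string, rejecting a
    wrong OID, a non-UTF8String CHOICE, a size outside 1..64, and a second
    value (Section 2: distinct sponsors go in separate certificates)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one Attribute SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != TAG_OID or oid != _encode_oid(ID_CLEARANCE_SPONSOR):
        raise ValueError("attribute type is not id-clearanceSponsor")
    tag, values, pos = _read_tlv(body, pos)
    if tag != TAG_SET or pos != len(body):
        raise ValueError("expected a SET OF AttributeValue closing the Attribute")
    tag, raw, vend = _read_tlv(values, 0)
    if tag != TAG_UTF8STRING:
        raise ValueError("clearance sponsor MUST use the UTF8String CHOICE")
    if vend != len(values):
        raise ValueError("more than one clearanceSponsor value in one certificate")
    return check_sponsor(raw.decode("utf-8"))


if __name__ == "__main__":
    der = encode_clearance_sponsor("Engineering")   # Section 1's example sponsor
    print(der.hex(), decode_clearance_sponsor(der))
```

The size bound is checked on characters rather than encoded bytes, because the SIZE constraint on DirectoryString counts characters; a 64-character sponsor made of two-byte UTF-8 characters is therefore valid even though its UTF8String content is 128 bytes and needs the long-form length.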

3. Security Considerations

If this attribute is used as part of an authorization process, the procedures employed by the entity that assigns each clearance sponsor value must ensure that the correct value is applied. Including this attribute in a public key certificate or attribute certificate ensures that the value for the clearance sponsor is integrity protected.

The certificate issuer and clearance sponsor are not necessarily the same entity. If they are separate entities, then the mechanism used by the clearance sponsor to convey to the certificate issuer that the clearance sponsor did in fact grant the clearance to the subject needs to be protected from unauthorized modification.

If two entities are verifying each other's certificates, they do not share the same issuer, and they use the same clearance sponsor value (e.g., a United Kingdom PKI includes "MoD" and a New Zealand PKI also includes "MoD"), then the relying party has two choices: 1) accept the two strings as equivalent, or 2) indicate the sponsor as well as the trust anchor. To solve this problem, a mechanism, which is outside the scope of this specification, could be developed to allow a relying party to group together issuers that share the same context within which sponsor names have a unique significance.

While values of DirectoryString can include the NUL (U+0000) code point, values used to represent clearance sponsors typically would not. Implementations of the caseIgnoreMatch rule must, per X.501, consider all of the assertion value and all of the attribute value in matching, and hence protect against truncation attacks, in which a comparison that stops at an embedded NUL would treat a longer, attacker-chosen value as equal to an approved sponsor name.
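The relying-party side of the "approved list" check described in Section 1, with the two Section 3 concerns built in, as an added example that is not part of RFC 5917: approval is looked up per context (a group of issuers sharing one sponsor namespace) rather than on the bare string, and matching compares every code point so an embedded NUL cannot truncate the comparison. The issuer names, context names and approved values are constructed for the example, and case_ignore_match is an approximation of X.501 caseIgnoreMatch, not a full implementation of X.520 string preparation.

```python
"""Relying-party use of the clearance sponsor, scoped to the issuer.

Added example, not code from RFC 5917.  Issuer names, contexts and
approved sponsor values are constructed for illustration.  This check
runs after RFC 5280 certification path validation, never instead of it.
"""


def case_ignore_match(assertion, stored):
    """Approximation of X.501 caseIgnoreMatch: case is ignored, leading,
    trailing and repeated internal spaces are insignificant, and every
    code point of both values takes part in the comparison.  str.split()
    does not treat NUL as whitespace, so "MoD\x00x" stays distinct from
    "MoD".  Full X.520 string preparation is broader than this."""
    def prepare(s):
        return " ".join(s.split()).casefold()
    return prepare(assertion) == prepare(stored)


class SponsorPolicy:
    """Approved sponsors per context.  A context names a set of issuers
    (e.g. one PKI's trust anchor and its subordinate CAs) within which
    sponsor names have unique significance (Section 3)."""

    def __init__(self):
        self._context_of = {}    # issuer name -> context name
        self._approved = {}      # context name -> approved sponsor values

    def add_context(self, name, issuers, approved):
        self._approved[name] = list(approved)
        for issuer in issuers:
            if issuer in self._context_of:
                raise ValueError("issuer %r already belongs to a context" % issuer)
            self._context_of[issuer] = name

    def sponsor_is_approved(self, issuer, sponsor):
        """Decide on a certificate's (issuer, clearanceSponsor) pair and
        return (decision, reason)."""
        context = self._context_of.get(issuer)
        if context is None:
            return False, "issuer %r is not in any sponsor context" % issuer
        for value in self._approved[context]:
            if case_ignore_match(sponsor, value):
                return True, "sponsor %r approved within context %r" % (sponsor, context)
        return False, "sponsor %r not approved within context %r" % (sponsor, context)


def build_demo_policy():
    """Constructed policy for Section 3's example: the UK and NZ PKIs both
    issue the sponsor "MoD", but this relying party approves it only from
    the UK context; "NZDF" is a made-up value for the NZ context."""
    policy = SponsorPolicy()
    policy.add_context("uk", ["CN=UK Root CA", "CN=UK Issuing CA 1"], ["MoD"])
    policy.add_context("nz", ["CN=NZ Root CA"], ["NZDF"])
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    for issuer, sponsor in [
        ("CN=UK Issuing CA 1", "mod"),            # same sponsor, case differs: approved
        ("CN=NZ Root CA", "MoD"),                 # same string, other context: denied
        ("CN=UK Root CA", "MoD\x00Engineering"),  # NUL-padded value: denied, not truncated
        ("CN=Other CA", "MoD"),                   # issuer outside every context: denied
    ]:
        print(policy.sponsor_is_approved(issuer, sponsor))
```

Keying the approved list by context is the "group together issuers" mechanism the section leaves out of scope: a sponsor string is only consulted after the issuer (already authenticated by path validation) has been mapped to the namespace in which that string has meaning, so two PKIs that both use "MoD" cannot be confused with each other.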

4. References
4.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet Attribute Certificate Profile for Authorization", RFC 5755, January 2010.

[RFC5912] Schaad, J. and P. Hoffman, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, June 2010.

[X.520] ITU-T Recommendation X.520 (2002) | ISO/IEC 9594-6:2002, Information technology - The Directory: Selected Attribute Types.

[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation.

[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002, Information Technology - Abstract Syntax Notation One: Information Object Specification.

[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002, Information Technology - Abstract Syntax Notation One: Constraint Specification.

[X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002, Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications.

4.2. Informative References

[RFC3114] Nicolls, W., "Implementing Company Classification Policy with the S/MIME Security Label", RFC 3114, May 2002.

Appendix A. ASN.1 Module

This appendix provides the normative ASN.1 [X.680] definitions for the structures described in this specification using ASN.1 as defined in [X.680], [X.681], [X.682], and [X.683].

   ClearanceSponsorAttribute-2008
     { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
       dod(2) infosec(1) modules(0)
       id-clearanceSponsorAttribute-2008(35) }

   DEFINITIONS IMPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   -- Imports from New PKIX ASN.1 [RFC5912]

     DirectoryString
       FROM PKIX1Explicit-2009
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) id-mod(0)
           id-pkix1-explicit-02(51) }

   -- Imports from New PKIX ASN.1 [RFC5912]

     ATTRIBUTE
       FROM PKIX-CommonTypes-2009
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) id-mod(0)
           id-mod-pkixCommon-02(57) }

   -- Imports from ITU-T X.520 [X.520]

     caseIgnoreMatch
       FROM SelectedAttributeTypes
         { joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4 }

   ;

   -- sponsor attribute OID and syntax

   id-clearanceSponsor OBJECT IDENTIFIER ::= {
     joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
     dod(2) infosec(1) attributes(5) 68
   }

   at-clearanceSponsor ATTRIBUTE ::= {
     TYPE                   DirectoryString { ub-clearance-sponsor }
                            ( WITH COMPONENTS { utf8String PRESENT } )
     EQUALITY MATCHING RULE caseIgnoreMatch
     IDENTIFIED BY          id-clearanceSponsor
   }

   ub-clearance-sponsor INTEGER ::= 64

   END

Author's Address

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com