
GIST v0.7 ― X
“X.400” to “XTACACS”

X

- X.400 n. 
RFC 2828 (2000)
(N) An ITU-T Recommendation [X400] that is one part of a joint ITU-T/ISO multi-part standard (X.400-X.421) that defines the Message Handling Systems. (The ISO equivalent is IS 10021, parts 1-7.) (See: Message Handling Systems.)
- X.500, - X.500 Directory n. 
RFC 2828 (2000)
(N) An ITU-T Recommendation [X500] that is one part of a joint ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500 Directory, a conceptual collection of systems that provide distributed directory capabilities for OSI entities, processes, applications, and services. (The ISO equivalent is IS 9594-1 and related standards, IS 9594-x.) (See: directory vs. Directory, X.509.)
(C) The X.500 Directory is structured as a tree (the Directory Information Tree), and information is stored in directory entries. Each entry is a collection of information about one object, and each object has a DN. A directory entry is composed of attributes, each with a type and one or more values. For example, if a PKI uses the Directory to distribute certificates, then the X.509 public-key certificate of an end user is normally stored as a value of an attribute of type userCertificate in the Directory entry that has the DN that is the subject of the certificate.
- X.509 n. 
RFC 2828 (2000)
(N) An ITU-T Recommendation [X509] that defines a framework to provide and support data origin authentication and peer entity authentication services, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs. (The ISO equivalent is IS 9498-4.) (See: X.500.)
(C) X.509 describes two levels of authentication: simple authentication based on a password, and strong authentication based on a public-key certificate.
- X.509 attribute certificate n. 
RFC 2828 (2000)
(N) An attribute certificate in the version 1 (v1) format defined by X.509. (The v1 designation for an X.509 attribute certificate is disjoint from the v1 designation for an X.509 public-key certificate, and from the v1 designation for an X.509 CRL.)
(C) An X.509 attribute certificate has a subject field, but the attribute certificate is a separate data structure from that subject’s public-key certificate. A subject may have multiple attribute certificates associated with each of its public-key certificates, and an attribute certificate may be issued by a different CA than the one that issued the associated public-key certificate.
(C) An X.509 attribute certificate contains a sequence of data items and has a digital signature that is computed from that sequence. In addition to the signature, an attribute certificate contains items 1 through 9 listed below:
1. version - Identifies v1.
2. subject - Is one of the following:
   2a. baseCertificateID - Issuer and serial number of an X.509 public-key certificate.
   2b. subjectName - DN of the subject.
3. issuer - DN of the issuer (the CA who signed).
4. signature - OID of algorithm that signed the cert.
5. serialNumber - Certificate serial number; an integer assigned by the issuer.
6. attCertValidityPeriod - Validity period; a pair of UTCTime values: "not before" and "not after".
7. attributes - Sequence of attributes describing the subject.
8. issuerUniqueId - Optional, when a DN is not sufficient.
9. extensions - Optional.
- X.509 authority revocation list n. 
RFC 2828 (2000)
(N) An ARL in one of the formats defined by X.509 – version 1 (v1) or version 2 (v2). A specialized kind of certificate revocation list.
- X.509 certificate n. 
RFC 2828 (2000)
(N) Either an X.509 public-key certificate or an X.509 attribute certificate.
(C) This Glossary uses the term with the precise meaning recommended here. However, some who use the term may not be aware that X.509 specifies attribute certificates that do not contain a public key. Even among those who are aware, this term is commonly used as an abbreviation to mean X.509 public-key certificate. ISDs MAY use the term as an abbreviation for X.509 public-key certificate, but only after using the full term at the first instance.
(D) ISDs SHOULD NOT use this term as an abbreviation to mean X.509 attribute certificate.
NIST IR 7298 (2006)
SP 800-57
The International Organization for Standardization/International Telecommunication Union – Standardization Department (ISO/ITU-T) X.509 standard defined two types of certificates – the X.509 public key certificate, and the X.509 attribute certificate. Most commonly (including this document), an X.509 certificate refers to the X.509 public key certificate.
- X.509 certificate revocation list (CRL) n. 
RFC 2828 (2000)
(N) A CRL in one of the formats defined by X.509 – version 1 (v1) or version 2 (v2). (The v1 and v2 designations for an X.509 CRL are disjoint from the v1 and v2 designations for an X.509 public-key certificate, and from the v1 designation for an X.509 attribute certificate.) (See: certificate revocation.)
(C) ISDs SHOULD NOT refer to an X.509 CRL as a digital certificate, but note that an X.509 CRL does meet this Glossary’s definition of digital certificate. Like a digital certificate, an X.509 CRL makes an assertion and is signed by a CA. But instead of binding a key or other attributes to a subject, an X.509 CRL asserts that certain previously-issued X.509 certificates have been revoked.
(C) An X.509 CRL contains a sequence of data items and has a digital signature computed on that sequence. In addition to the signature, both v1 and v2 contain items 2 through 6b listed below. Version 2 contains item 1 and may optionally contain 6c and 7.
1. version - Optional. If present, identifies v2.
2. signature - OID of the algorithm that signed CRL.
3. issuer - DN of the issuer (the CA who signed).
4. thisUpdate - A UTCTime value.
5. nextUpdate - A UTCTime value.
6. revokedCertificates - 3-tuples of 6a, 6b, and (optional) 6c:
   6a. userCertificate - A certificate’s serial number.
   6b. revocationDate - UTCTime value for the revocation date.
   6c. crlEntryExtensions - Optional.
7. crlExtensions - Optional.
- X.509 public-key certificate n. 
RFC 2828 (2000)
(N) A public-key certificate in one of the formats defined by X.509 – version 1 (v1), version 2 (v2), or version 3 (v3). (The v1 and v2 designations for an X.509 public-key certificate are disjoint from the v1 and v2 designations for an X.509 CRL, and from the v1 designation for an X.509 attribute certificate.)
(C) An X.509 public-key certificate contains a sequence of data items and has a digital signature computed on that sequence. In addition to the signature, all three versions contain items 1 through 7 listed below. Only v2 and v3 certificates may also contain items 8 and 9, and only v3 may contain item 10.
1. version - Identifies v1, v2, or v3.
2. serialNumber - Certificate serial number; an integer assigned by the issuer.
3. signature - OID of algorithm that was used to sign the certificate.
4. issuer - DN of the issuer (the CA who signed).
5. validity - Validity period; a pair of UTCTime values: not before and not after.
6. subject - DN of entity who owns the public key.
7. subjectPublicKeyInfo - Public key value and algorithm OID.
8. issuerUniqueIdentifier - Defined for v2, v3; optional.
9. subjectUniqueIdentifier - Defined for v2, v3; optional.
10. extensions - Defined only for v3; optional.
NIST IR 7298 (2006)
SP 800-57
The public key for a user (or device) and a name for the user (or device), together with some other information, rendered unforgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
- XACML n. 
See: eXtensible Access Control Markup Language.
- XML n. 
See: eXtensible Markup Language.
- XML attribute n. 
OASIS SAML 2.0 (2005)
An XML data structure that is embedded in the start-tag of an XML element and that has a name and a value. For example, the highlighted portion below is an instance of an XML attribute:
    <Address AddressID="A12345">…</Address>
See also attribute.
- XML element n. 
OASIS SAML 2.0 (2005)
An XML data structure that is hierarchically arranged among other such structures in an XML document and is indicated by either a start-tag and end-tag or an empty tag. For example:
    <Address AddressID="A12345">
        <Street>105 Main Street</Street>
        <City>Springfield</City>
        <StateOrProvince>
            <Full>Massachusetts</Full>
            <Abbrev>MA</Abbrev>
        </StateOrProvince>
        <Post Code="56789"/>
    </Address>
- XML namespace n. 
OASIS SAML 2.0 (2005)
A collection of names, identified by a URI reference, which are used in XML documents as element types and attribute names. An XML namespace is often associated with an XML schema. For example, SAML defines two schemas, and each has a unique XML namespace.
- XML Schema n., - XML schema n. 
OASIS SAML 2.0 (2005)
The format developed by the World Wide Web Consortium (W3C) for describing rules for a markup language to be used in a set of XML documents.
In the lowercase, a “schema” or “XML schema” is an individual instance of this format. For example, SAML defines two schemas, one containing the rules for XML documents that encode security assertions and one containing the rules for XML documents that encode request/response protocol messages. Schemas define not only XML elements and XML attributes, but also datatypes that apply to these constructs.
- XTACACS n. 
See: (secondary definition under) Terminal Access Controller (TAC) Access Control System.
The original sources of these definitions may be protected by copyright. The definitions are republished here for review and commentary.
Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding and antnotations are dual-licensed under both the GNU Free Documentation License and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
URL: http://homepage.mac.com/antallan/gistx.html
History: Last updated Wednesday 10 December 2008
