| draft-ietf-pkix-pi-02.txt | draft-ietf-pkix-pi-03.txt | |||
|---|---|---|---|---|
| PKIX Working Group D. Pinkas (Integris. Bull) | PKIX Working Group D. Pinkas (Bull) | |||
| INTERNET-DRAFT T. Gindin (IBM) | INTERNET-DRAFT T. Gindin (IBM) | |||
| Expires: October, 2001 April, 2001 | Expires: August, 2002 February, 2002 | |||
| Target category: Standard Track | Target category: Standard Track | |||
| Internet X.509 Public Key Infrastructure | Internet X.509 Public Key Infrastructure | |||
| Permanent Identifier | Permanent Identifier | |||
| <draft-ietf-pkix-pi-02.txt> | <draft-ietf-pkix-pi-03.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of [RFC 2026]. | all provisions of Section 10 of [RFC 2026]. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| Copyright (C) The Internet Society (2000). All Rights Reserved. | Copyright (C) The Internet Society (2002). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This document define a new form of name, called permanent | This document define a new form of name, called permanent | |||
| identifier, that may be included in the subjectAltName extension | identifier, that may be included in the subjectAltName extension | |||
| of a public key certificate issued to a physical person. | of a public key certificate issued to an entity. | |||
| The permanent identifier is an optional feature that may be used | The permanent identifier is an optional feature that may be used | |||
| by a CA to indicate that the certificate relates to the same | by a CA to indicate that the certificate relates to the same | |||
| individual even if the name or the affiliation of that individual | entity even if the name or the affiliation of that entity has | |||
| has changed. | changed. | |||
| The subject name when carried in the subject field is only unique | The subject name when carried in the subject field is only unique | |||
| for each subject entity certified by the one CA as defined by the | for each subject entity certified by the one CA as defined by the | |||
| issuer name field. This new form of name also allows to carry a | issuer name field. This new form of name also can carry a | |||
| name that is unique for each subject entity certified by any CA. | name that is unique for each subject entity certified by any CA. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119. | document are to be interpreted as described in RFC 2119. | |||
| Please send comments on this document to the ietf-pkix@imc.org | Please send comments on this document to the ietf-pkix@imc.org | |||
| mailing list. | mailing list. | |||
| Permanent Identifier Document Expiration: October 2001 | Permanent Identifier Document Expiration: August 2002 | |||
| 1 Introduction | 1 Introduction | |||
| This specification is one part of a family of standards for the | This specification is one part of a family of standards for the | |||
| X.509 Public Key Infrastructure (PKI) for the Internet. It is based | X.509 Public Key Infrastructure (PKI) for the Internet. It is based | |||
| on RFC 2459, which defines underlying certificate formats and | on RFC 2459, which defines underlying certificate formats and | |||
| semantics needed for a full implementation of this standard. | semantics needed for a full implementation of this standard. | |||
| The subject field of a public key certificate identifies the entity | The subject field of a public key certificate identifies the entity | |||
| associated with the public key stored in the subject public key | associated with the public key stored in the subject public key | |||
| field. The subject name may be carried in the subject field and/or | field. Names and identities of a subject may be carried in the | |||
| the subjectAltName extension. Where it is non-empty, the subject | subject field and/or the subjectAltName extension. Where it is | |||
| field MUST contain an X.500 distinguished name (DN). The DN MUST be | non-empty, the subject field MUST contain an X.500 distinguished | |||
| unique for each subject entity certified by the one CA as defined by | name (DN). The DN MUST be unique for each subject entity certified | |||
| the issuer name field. | by a single CA as defined by the issuer name field. | |||
| The subject name changes as soon as one of the components of that | The subject name changes whenever any of the components of that | |||
| name gets changed. There are several reasons for this change to | name gets changed. There are several reasons for such a change to | |||
| happen. | happen. | |||
| For company's or organization's employees, the person may get | For employees of a company or organization, the person may get | |||
| a different position within the same company and thus will | a different position within the same company and thus will | |||
| move from an organization unit to another one. Including the | move from one organization unit to another one. Including the | |||
| organisation unit in the name may however be very useful to | organization unit in the name may however be very useful to | |||
| allow the relying parties (RPs) using that certificate to | allow the relying parties (RP's) using that certificate to | |||
| identify the right individual. | identify the right individual. | |||
| For citizens, an individual may change their name by legal | For citizens, an individual may change their name by legal | |||
| processes, especially women as a result of marriage. | processes, especially women as a result of marriage. | |||
| Any certificate subject identified by geographical location may | ||||
| relocate and change at least some of the location attributes | ||||
| (e.g. country name, state or province, locality, or street). | ||||
| A permanent identifier may be useful both in the context of access | A permanent identifier may be useful both in the context of access | |||
| control and of non repudiation. | control and of non repudiation. | |||
| For access control, the permanent identifier may be used in | For access control, the permanent identifier may be used in | |||
| an ACL (Access Control List) instead of the DN or any other | an ACL (Access Control List) instead of the DN or any other | |||
| form of name and would not need to be changed, even if the | form of name and would not need to be changed, even if the | |||
| subject name of the individual changes. | subject name of the entity changes. | |||
| For non-repudiation, the permanent identifier may be used to | For non-repudiation, the permanent identifier may be used to | |||
| link different transactions to the same individual, even when | link different transactions to the same entity, even when | |||
| the subject name of the individual changes. | the subject name of the entity changes. | |||
| When two certificates from the same CA contain the same permanent | When two certificates from the same CA contain the same permanent | |||
| identifier, then these certificates relate to the same individual. | identifier value, then these certificates relate to the same | |||
| entity, whatever the content of the DN or other subjectAltName | ||||
| components may be. | ||||
| 2. Definition | When two certificates from different CA's contain both the same | |||
| permanent identifier value and the same type of permanent | ||||
| identifier from a given Assigner Authority, then these | ||||
| A permanent identifier is a name assigned by an organization, | | |||
| unique within that organization, that singles out a particular | ||||
| individual from all other individuals. A CA which includes such | ||||
| an identifier in a certificate is certifying that any different | ||||
| public key certificate containing that identifier refers to the | ||||
| same individual. | ||||
| | certificates relate to the same entity, whatever the content of | |||
| the DN or other subjectAltName components may be. | ||||
| 2. Definition of a Permanent Identifier | ||||
| A CA which includes a permanent identifier in a certificate is | ||||
| certifying that any public key certificate containing that | ||||
| identifier refers to the same entity, whatever the content of | ||||
| the DN or other subjectAltName components may be. | ||||
| The use of a permanent identifier is optional. This name is | The use of a permanent identifier is optional. This name is | |||
| defined as a form of otherName from the GeneralName structure in | defined as a form of otherName from the GeneralName structure in | |||
| SubjectAltName. The permanent identifier is defined as follows: | SubjectAltName. The permanent identifier is defined as follows: | |||
| id-on-permanentIdentifier AttributeType ::= { id-on 2 } | id-on-permanentIdentifier AttributeType ::= { id-on 2 } | |||
| PermanentIdentifier ::= SEQUENCE { | ||||
| assignerAuthority GeneralName OPTIONAL, | ||||
| identifier Name | ||||
| } | ||||
| The assignerAuthority field of this attribute, when present, | PermanentIdentifier ::= SEQUENCE { | |||
| identifies the organization responsible for assigning the content | identifierValue IdentifierValue, | |||
| of the identifier field. When the assignerAuthority field is | identifierType IdentifierType OPTIONAL | |||
| missing, the assigner Authority is the CA itself and it is assumed | } | |||
| to be the issuer name of the certificate. | ||||
| Two forms of names are supported for the assignerAuthority. That | IdentifierValue ::= CHOICE { | |||
| field may either contain a directoryName (which is a Name) or a | iA5String IA5String, | |||
| registeredID (which is an OID). | uTF8String UTF8String | |||
| } | ||||
| If, directoryName is used, then the permanent identifier is locally | IdentifierType ::= CHOICE { | |||
| unique to the CA. The CA must locally make ensure that that, once | registeredOID OBJECT IDENTIFIER, | |||
| assigned, a name for an assignerAuthority is never re-used. | uniformResourceIdentifier IA5String, | |||
| intluniformResourceIdentifier UTF8String | ||||
| } | ||||
| If, registeredID is used, then the permanent identifier is globally | The IdentifierType field, when present, identifies both the | |||
| unique to all CAs (i.e. the same OID can never be re-used). | organization responsible for assigning the content of the | |||
| identifier field and the type of that field. | ||||
| The identifier field may contain any series of directory | When the IdentifierType field is missing, then it is assumed that | |||
| attributes. In particular, it may contain a serialNumber | the organization responsible for assigning the content of the | |||
| attribute. A serialNumber attribute may be used for two | identifier field is the CA itself and that there is only one type | |||
| different purposes in the DN of a person: | of such identifier for the CA. | |||
| 1) In a DN or a SubjectAltName to differentiate between | Two forms of values are supported for the IdentifierValue: | |||
| two names (for two different individuals) that otherwise | IA5String or UTF8String. | |||
| would not be different. | ||||
| 2) In the identifier field from a permanent identifier. | The IdentifierType field may contain a registeredOID in the form of : | |||
| This is the recommended use for national ID's and | ||||
| employee ID's, for example. | a) an Object Identifier (i.e. an OID), or | |||
| b) a permanent URI using IA5String, or | ||||
| c) a permanent URI using UTF8String. | ||||
| Characteristically, when an OID is used, the prefix of the OID | ||||
| identifies the organization, and a suffix is used to identify the | ||||
| type of permanent identifier being identified. Essentially the | ||||
| | same thing is true of URI's. | |||
| If identifierType is missing, then the permanent identifier is | ||||
| locally unique to the CA. | ||||
| If identifierType is present, then the permanent identifier is | ||||
| | globally unique among all CA's. | |||
| Note: the full arc of the object identifier is derived using: | Note: the full arc of the object identifier is derived using: | |||
| id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) } | dod(6) internet(1) security(5) mechanisms(5) pkix(7) } | |||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } -- other name forms | |||
| 3. Security considerations | 3. Security considerations | |||
| A given individual may have at an instant of time or at different | A given entity may have at an instant of time or at different | |||
| instants of time multiple forms of identities. | instants of time multiple forms of identities. | |||
| | If the permanent identifier is locally unique to the CA (i.e. | |||
| identifierType is not present), then two certificates from the | ||||
| If the permanent identifier is locally unique to the CA (i.e. in | same CA can be compared. When they contain two identical permanent | |||
| GeneralName from AssignerAuthority, directoryName is used), then | identifiers, then a relying party may determine that they refer to | |||
| two certificates from the same CA can be compared. When they | the same entity. | |||
| contain two identical permanentIdentifiers, then a relying party | ||||
| may determine that they refer to the same individual. | ||||
| If the permanent identifier is globally unique to all CAs (i.e. in | If the permanent identifier is globally unique among all CA's (i.e. | |||
| GeneralName from AssignerAuthority, registeredID is used), then | identifierType is present), then two certificates from different | |||
| two certificates from different CAs are, can be compared. When they | CA's can be compared. When they contain two identical permanent | |||
| contain two identical permanentIdentifiers, then a relying party | identifiers, then a relying party may determine that they refer to | |||
| may determine that they refer to the same individual. | the same entity. | |||
| When a permanent identifier is present in a public key certificate | The permanent identifier identifies the entity, irrespective of any | |||
| which contains attribute extensions, the permanent identifier | attribute extension. When a public key certificate contains | |||
| should not be used for access control purposes. The reason is that | attribute extensions, the permanent identifier, if present, should | |||
| since these attributes may change and the permanent identifier | not be used for access control purposes but only for audit purposes. | |||
| will not, the permanent identifier identifies the individual, | The reason is that since these attributes may change, access could | |||
| irrespective of any attribute extension. | be granted on attributes that were originally present in a | |||
| certificate issued to that entity but are no more present in the | ||||
| current certificate. | ||||
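The -03 syntax from section 2 and the comparison rule from section 3, worked through as an added example that is not the draft's or any project's code: a minimal DER encoder/decoder for PermanentIdentifier plus a same_entity check. The issuer strings, the OID 1.3.6.1.4.1.55555.7 and the pi.example URI are constructed placeholders; the IA5String-versus-UTF8String choice and the treatment of a CA-local identifier versus a global one as not comparable are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Universal DER tags of the untagged CHOICE alternatives; decoding relies on their being distinct.
TAG_OID, TAG_UTF8, TAG_IA5, TAG_SEQ = 0x06, 0x0C, 0x16, 0x30

@dataclass(frozen=True)
class PermanentIdentifier:
    value: str                      # identifierValue (IA5String or UTF8String)
    id_type: Optional[str] = None   # identifierType: dotted OID or URI; None = absent
    type_is_oid: bool = False       # True for registeredOID, False for a URI form

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")    # DER long-form length
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _string_tlv(s: str) -> bytes:
    # CHOICE rule used here (an assumption): IA5String for pure ASCII, else UTF8String.
    try:
        return _tlv(TAG_IA5, s.encode("ascii"))
    except UnicodeEncodeError:
        return _tlv(TAG_UTF8, s.encode("utf-8"))

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(TAG_OID, bytes(out))

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form; 0x80 alone (indefinite) is not DER
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length

def encode(pi: PermanentIdentifier) -> bytes:
    body = _string_tlv(pi.value)
    if pi.id_type is not None:
        body += _encode_oid(pi.id_type) if pi.type_is_oid else _string_tlv(pi.id_type)
    return _tlv(TAG_SEQ, body)

def decode(der: bytes) -> PermanentIdentifier:
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, vbody, pos = _read_tlv(seq, 0)
    if tag not in (TAG_IA5, TAG_UTF8):
        raise ValueError("identifierValue must be IA5String or UTF8String")
    value = vbody.decode("ascii" if tag == TAG_IA5 else "utf-8")
    if pos == len(seq):                 # OPTIONAL identifierType absent: CA-local identifier
        return PermanentIdentifier(value)
    tag, tbody, pos = _read_tlv(seq, pos)
    if pos != len(seq):
        raise ValueError("trailing data after identifierType")
    if tag == TAG_OID:
        return PermanentIdentifier(value, _decode_oid(tbody), True)
    if tag in (TAG_IA5, TAG_UTF8):
        return PermanentIdentifier(value, tbody.decode("ascii" if tag == TAG_IA5 else "utf-8"))
    raise ValueError("identifierType must be OID, IA5String or UTF8String")

def is_well_formed(der: bytes) -> bool:
    try:
        return decode(der) is not None
    except (ValueError, UnicodeDecodeError):
        return False

def same_entity(issuer_a: str, pi_a: PermanentIdentifier,
                issuer_b: str, pi_b: PermanentIdentifier) -> bool:
    # Section 3 rule. Issuer names are assumed normalised; a CA-local (type-less)
    # identifier and a global one are treated as not comparable (an assumption).
    if pi_a.id_type is None and pi_b.id_type is None:
        return issuer_a == issuer_b and pi_a.value == pi_b.value   # local: same CA only
    if pi_a.id_type is None or pi_b.id_type is None:
        return False
    return ((pi_a.type_is_oid, pi_a.id_type, pi_a.value)
            == (pi_b.type_is_oid, pi_b.id_type, pi_b.value))        # global: type + value
```

Per the section 3 caveat, a match from same_entity says only that two certificates name the same entity; access decisions still have to re-evaluate any attribute extensions of the current certificate.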
| 4. References | 4. References | |||
| [RFC 2026] S. Bradner, "The Internet Standards Process - | [RFC 2026] S. Bradner, "The Internet Standards Process - | |||
| Revision 3", November 1996. | Revision 3", November 1996. | |||
| [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate | [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate | |||
| Requirement Levels", March 1997. | Requirement Levels", March 1997. | |||
| [RFC 2459] R. Housley, W. Ford, W. Polk, and D. Solo, "Internet X.509 | [RFC 2459] R. Housley, W. Ford, W. Polk, and D. Solo, "Internet X.509 | |||
| Public Key Infrastructure: Certificate and CRL Profile", January | Public Key Infrastructure: Certificate and CRL Profile", January | |||
| 1999. | 1999. | |||
| [X.501] ITU-T Recommendation X.501 (1997 E): Information Technology | [X.501] ITU-T Recommendation X.501 (1997 E): Information Technology | |||
| - Open Systems Interconnection - The Directory: Models, June 1997. | - Open Systems Interconnection - The Directory: Models, June 1997. | |||
| [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology | [X.509] ITU-T Recommendation X.509 (1997 E): Information Technology | |||
| - Open Systems Interconnection - The Directory: Authentication | - Open Systems Interconnection - The Directory: Authentication | |||
| Framework, June 1997. | Framework, June 1997. | |||
| [X.520] ITU-T Recommendation X.520: Information Technology - Open | [X.520] ITU-T Recommendation X.520: Information Technology - Open | |||
| Systems Interconnection - The Directory: Selected Attribute Types, | Systems Interconnection - The Directory: Selected Attribute Types, | |||
| June 1997. | June 1997. | |||
| [X.660] ITU-T Recommendation X.660: Information Technology - | ||||
| | Open Systems Interconnection - Procedures for the Operation of | |||
| OSI Registration Authorities: General Procedures, 1992. | ||||
| [X.680] ITU-T Recommendation X.680: Information Technology - | [X.680] ITU-T Recommendation X.680: Information Technology - | |||
| Abstract Syntax Notation One, 1997. | Abstract Syntax Notation One, 1997. | |||
| 5. Author's Addresses | 5. Author's Addresses | |||
| Denis Pinkas | Denis Pinkas | |||
| Integris. Bull S.A. | Bull, | |||
| 68, Route de Versailles | 68, Route de Versailles | |||
| 78434 Louveciennes Cedex | 78434 Louveciennes Cedex | |||
| FRANCE | FRANCE | |||
| Email: Denis.Pinkas@bull.net | Email: Denis.Pinkas@bull.net | |||
| Thomas Gindin | Thomas Gindin | |||
| IBM Corporation | IBM Corporation | |||
| 6710 Rockledge Drive | 6710 Rockledge Drive | |||
| Bethesda, MD 20817 | Bethesda, MD 20817 | |||
| USA | USA | |||
| Email: tgindin@us.ibm.com | Email: tgindin@us.ibm.com | |||
| 6 Intellectual Property Rights | 6 Intellectual Property Rights | |||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| obtain a general license or permission for the use of such proprietary | obtain a general license or permission for the use of such proprietary | |||
| rights by implementors or users of this specification can be obtained | rights by implementors or users of this specification can be obtained | |||
| from the IETF Secretariat. | from the IETF Secretariat. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights which may cover technology that may be required to practice | rights which may cover technology that may be required to practice | |||
| this standard. Please address the information to the IETF Executive | this standard. Please address the information to the IETF Executive | |||
| Director. | Director. | |||
| APPENDIX | APPENDIX | |||
| ASN.1 definitions | ASN.1 definitions | |||
| A.1 1988 ASN.1 Module | A.1. 1988 ASN.1 Module | |||
| PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6) | PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-permanent-identifier-88(14) } | id-mod-permanent-identifier-88(14) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| IMPORTS | IMPORTS | |||
| id-pkix, AttributeType, Name, GeneralName | id-pkix, AttributeType, | |||
| FROM PKIX1Explicit88 {iso(1) identified-organization(3) | FROM PKIX1Explicit88 {iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-pkix1-explicit-88(1)} | id-mod(0) id-pkix1-explicit-88(1)} | |||
| GeneralName | ||||
| FROM PKIX1Implicit88 {iso(1) identified-organization(3) | ||||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-pkix1-implicit-88(2)}; | ||||
| -- Object Identifiers | -- Object Identifiers | |||
| -- Externally defined OIDs | -- Externally defined OIDs | |||
| -- Arc for other name forms | -- Arc for other name forms | |||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | |||
| -- permanent identifier | -- permanent identifier | |||
| id-on-permanentIdentifier AttributeType ::= { id-on 2 } | id-on-permanentIdentifier AttributeType ::= { id-on 2 } | |||
| PermanentIdentifier ::= SEQUENCE { | PermanentIdentifier ::= SEQUENCE { | |||
| assignerAuthority GeneralName OPTIONAL, | identifierValue IdentifierValue, | |||
| identifier Name | identifierType IdentifierType OPTIONAL | |||
| } | } | |||
| IdentifierValue ::= CHOICE { | ||||
| iA5String IA5String, | ||||
| uTF8String UTF8String | ||||
| } | ||||
| IdentifierType ::= CHOICE { | ||||
| registeredOID OBJECT IDENTIFIER, | ||||
| uniformResourceIdentifier IA5String, | ||||
| intluniformResourceIdentifier UTF8String | ||||
| } | ||||
| END | END | |||
| A.2 1993 ASN.1 Module | A.2. 1993 ASN.1 Module | |||
| PKIXpermanentidentifier93 {iso(1) identified-organization(3) dod(6) | PKIXpermanentidentifier93 {iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-permanent-identifier-93(15) } | id-mod-permanent-identifier-93(15) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| IMPORTS | IMPORTS | |||
| GeneralName | id-pkix, ATTRIBUTE | |||
| FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6) | ||||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | ||||
| id-pkix1-implicit-93(4)} | ||||
| id-pkix, ATTRIBUTE, Name | ||||
| FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) | FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-pkix1-explicit-93(3)}; | id-pkix1-explicit-93(3)}; | |||
| -- Object Identifiers | -- Object Identifiers | |||
| -- Externally defined OIDs | -- Externally defined OIDs | |||
| -- Arc for other name forms | -- Arc for other name forms | |||
| id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | id-on OBJECT IDENTIFIER ::= { id-pkix 8 } | |||
| -- Locally defined OIDs | -- Locally defined OIDs | |||
| id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 2 } | id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 2 } | |||
| -- permanent identifier | -- permanent identifier | |||
| permanentIdentifier ATTRIBUTE ::= { | permanentIdentifier ATTRIBUTE ::= { | |||
| WITH SYNTAX PermanentIdentifier, | WITH SYNTAX PermanentIdentifier, | |||
| ID id-on-permanentIdentifier } | ID id-on-permanentIdentifier } | |||
| PermanentIdentifier ::= SEQUENCE { | PermanentIdentifier ::= SEQUENCE { | |||
| assignerAuthority GeneralName OPTIONAL, | identifierValue IdentifierValue, | |||
| identifier Name | identifierType IdentifierType OPTIONAL | |||
| } | } | |||
| IdentifierValue ::= CHOICE { | ||||
| iA5String IA5String, | ||||
| uTF8String UTF8String | ||||
| } | ||||
| IdentifierType ::= CHOICE { | ||||
| registeredOID OBJECT IDENTIFIER, | ||||
| uniformResourceIdentifier IA5String, | ||||
| intluniformResourceIdentifier UTF8String | ||||
| } | ||||
| END | END | |||
| A3. OIDs for organizations | B. OID's for organizations | |||
| There are various ways for a company to obtain an OID. In some cases, | In order to obtain an OID for an identifier type, organizations need | |||
| they are provided for free. In other cases a one-time fee is required. | first to have a registered OID for themselves (or must use a permanent | |||
| The main difference lies in the nature of the information that is | URI). In some cases, OID's are provided for free. In other cases a | |||
| collected at the time of registration and how this information is | one-time fee is required. The main difference lies in the nature of | |||
| verified for its accuracy. | the information that is collected at the time of registration and how | |||
| this information is verified for its accuracy. | ||||
| A.3.1. Using IANA (Internet Assigned Numbers Authority) | B.1. Using IANA (Internet Assigned Numbers Authority) | |||
| The application form for a Private Enterprise Number in the IANA's | The application form for a Private Enterprise Number in the IANA's | |||
| OID list is: http://www.iana.org/cgi-bin/enterprise.pl. | OID list is: http://www.iana.org/cgi-bin/enterprise.pl. | |||
| Currently IANA assigns numbers for free. The IANA-registered Private | Currently IANA assigns numbers for free. The IANA-registered Private | |||
| Enterprises prefix is: iso.org.dod.internet.private.enterprise | Enterprises prefix is: iso.org.dod.internet.private.enterprise | |||
| (1.3.6.1.4.1) | (1.3.6.1.4.1) | |||
| These numbers are used, among other things, for defining private | These numbers are used, among other things, for defining private | |||
| SNMP MIBs. | SNMP MIBs. | |||
| The official assignments under this OID are stored in the IANA file | The official assignments under this OID are stored in the IANA file | |||
| "enterprise-numbers" available at: | "enterprise-numbers" available at: | |||
| ftp://ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers | ftp://ftp.isi.edu/in-notes/iana/assignments/enterprise-numbers | |||
| A.3.2. Using an ISO member body | B.2. Using an ISO member body | |||
| ISO has defined the OID structure in a such a way so that every ISO | ISO has defined the OID structure in a such a way so that every ISO | |||
| member-body has its own unique OID. Then every ISO member-body is free | member-body has its own unique OID. Then every ISO member-body is free | |||
| to allocate its own arc space below. | to allocate its own arc space below. | |||
| Organizations and enterprises may contact the ISO member-body where | Organizations and enterprises may contact the ISO member-body where | |||
| their organization or enterprise is established to obtain an | their organization or enterprise is established to obtain an | |||
| organization/enterprise OID. | organization/enterprise OID. | |||
| Currently, ISO members do not assign organization/enterprise OIDs for | Currently, ISO members do not assign organization/enterprise OID's for | |||
| free. | free. | |||
| Most of them do not publish registries of such OIDs which they have | Most of them do not publish registries of such OID's which they have | |||
| assigned, sometimes restricting the access to registered organizations | assigned, sometimes restricting the access to registered organizations | |||
| or preferring to charge inquirers for the assignee of an OID on a | or preferring to charge inquirers for the assignee of an OID on a | |||
| per-inquiry basis. The use of OIDs from an ISO member organization | per-inquiry basis. The use of OID's from an ISO member organization | |||
| which does not publish such a registry may impose extra costs on the | which does not publish such a registry may impose extra costs on the | |||
| CA that needs to make sure that the OID corresponds to the registered | CA that needs to make sure that the OID corresponds to the registered | |||
| organization. | organization. | |||
| As an example, AFNOR (Association Francaise de Normalisation - the | As an example, AFNOR (Association Francaise de Normalisation - the | |||
| French organization that is a member of ISO) has defined an arc to | French organization that is a member of ISO) has defined an arc to | |||
| allocate OIDs for companies: | allocate OID's for companies: | |||
| {iso (1) member-body (2) fr (250) type-org (1) organisation (n)} | {iso (1) member-body (2) fr (250) type-org (1) organisation (n)} | |||
| E. Full Copyright Statement | C. Full Copyright Statement | |||
| Copyright (C) The Internet Society (2000). All Rights Reserved. | Copyright (C) The Internet Society (2002). All Rights Reserved. | |||
| This document and translations of it may be copied and furnished to | This document and translations of it may be copied and furnished to | |||
| others, and derivative works that comment on or otherwise explain it | others, and derivative works that comment on or otherwise explain it | |||
| or assist in its implementation may be prepared, copied, published | or assist in its implementation may be prepared, copied, published | |||
| and distributed, in whole or in part, without restriction of any | and distributed, in whole or in part, without restriction of any | |||
| kind, provided that the above copyright notice and this paragraph are | kind, provided that the above copyright notice and this paragraph are | |||
| included on all such copies and derivative works. In addition, the | included on all such copies and derivative works. In addition, the | |||
| ASN.1 modules presented in Appendices A and B may be used in whole or | ASN.1 modules presented in Appendices A and B may be used in whole or | |||
| in part without inclusion of the copyright notice. However, this | in part without inclusion of the copyright notice. However, this | |||
| document itself may not be modified in any way, such as by removing | document itself may not be modified in any way, such as by removing | |||