< draft-ietf-stir-certificates-09.txt   draft-ietf-stir-certificates-10.txt >
Network Working Group J. Peterson Network Working Group J. Peterson
Internet-Draft Neustar Internet-Draft Neustar
Intended status: Standards Track S. Turner Intended status: Standards Track S. Turner
Expires: April 9, 2017 sn3rd Expires: April 21, 2017 sn3rd
October 6, 2016 October 18, 2016
Secure Telephone Identity Credentials: Certificates Secure Telephone Identity Credentials: Certificates
draft-ietf-stir-certificates-09.txt draft-ietf-stir-certificates-10.txt
Abstract Abstract
In order to prevent the impersonation of telephone numbers on the In order to prevent the impersonation of telephone numbers on the
Internet, some kind of credential system needs to exist that Internet, some kind of credential system needs to exist that
cryptographically asserts authority over telephone numbers. This cryptographically asserts authority over telephone numbers. This
document describes the use of certificates in establishing authority document describes the use of certificates in establishing authority
over telephone numbers, as a component of a broader architecture for over telephone numbers, as a component of a broader architecture for
managing telephone numbers as identities in protocols like SIP. managing telephone numbers as identities in protocols like SIP.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 9, 2017. This Internet-Draft will expire on April 21, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11 9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11
10. Certificate Freshness and Revocation . . . . . . . . . . . . 12 10. Certificate Freshness and Revocation . . . . . . . . . . . . 12
10.1. Choosing a Verification Method . . . . . . . . . . . . . 13 10.1. Choosing a Verification Method . . . . . . . . . . . . . 13
10.2. Using OCSP with TN Auth List . . . . . . . . . . . . . . 14 10.2. Using OCSP with TN Auth List . . . . . . . . . . . . . . 14
10.2.1. OCSP Extension Specification . . . . . . . . . . . . 15 10.2.1. OCSP Extension Specification . . . . . . . . . . . . 15
10.3. Acquiring TN Lists By Reference . . . . . . . . . . . . 17 10.3. Acquiring TN Lists By Reference . . . . . . . . . . . . 17
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
12. Security Considerations . . . . . . . . . . . . . . . . . . . 18 12. Security Considerations . . . . . . . . . . . . . . . . . . . 18
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
14.1. Normative References . . . . . . . . . . . . . . . . . . 18
14.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 21 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
The STIR problem statement [RFC7340] identifies the primary enabler The STIR problem statement [RFC7340] identifies the primary enabler
of robocalling, vishing, swatting and related attacks as the of robocalling, vishing, swatting and related attacks as the
capability to impersonate a calling party number. The starkest capability to impersonate a calling party number. The starkest
examples of these attacks are cases where automated callees on the examples of these attacks are cases where automated callees on the
PSTN rely on the calling number as a security measure, for example to PSTN rely on the calling number as a security measure, for example to
skipping to change at page 6, line 9 skipping to change at page 6, line 9
either trust the subject entirely or have some direct means of either trust the subject entirely or have some direct means of
determining whether or not a number falls under a subject's determining whether or not a number falls under a subject's
authority; and another where an extension to the certificate as authority; and another where an extension to the certificate as
described in Section 9 identifies the scope of authority of the described in Section 9 identifies the scope of authority of the
certificate. certificate.
4. The cryptographic algorithms required to validate the 4. The cryptographic algorithms required to validate the
credentials: for this specification, that means the signature credentials: for this specification, that means the signature
algorithms used to sign certificates. This specification algorithms used to sign certificates. This specification
REQUIRES that implementations support both ECDSA with the P-256 REQUIRES that implementations support both ECDSA with the P-256
curve (see [RFC4754]) and RSA PKCS#1 v1.5 (see [RFC3447] curve (see [DSS]) and RSA PKCS#1 v1.5 (see [RFC3447] Section 8.2)
Section 8.2) for certificate signatures. Implementers are for certificate signatures. Implementers are advised that RS256
advised that RS256 is mandated only as a transitional mechanism, is mandated only as a transitional mechanism, due to its
due to its widespread use in existing PKI, but we anticipate that widespread use in existing PKI, but we anticipate that this
this mechanism will eventually be deprecated. mechanism will eventually be deprecated.
5. Finally, note that all certificates compliant with this 5. Finally, note that all certificates compliant with this
specification: specification:
* MUST provide cryptographic keying material sufficient to * MUST provide cryptographic keying material sufficient to
generate the ECDSA using P-256 and SHA-256 signatures generate the ECDSA using P-256 and SHA-256 signatures
necessary to support the ES256 hashed signatures required by necessary to support the ES256 hashed signatures required by
PASSporT [I-D.ietf-stir-passport], which in turn follows JSON PASSporT [I-D.ietf-stir-passport], which in turn follows JSON
Web Token (JWT) [RFC7519]. Web Token (JWT) [RFC7519].
skipping to change at page 10, line 7 skipping to change at page 10, line 7
verify a signature is for the certificate be conveyed in a SIP verify a signature is for the certificate be conveyed in a SIP
request along with the signature itself. In SIP, for example, a request along with the signature itself. In SIP, for example, a
certificate could be carried in a multipart MIME body [RFC2046], and certificate could be carried in a multipart MIME body [RFC2046], and
the URI in the Identity header "info" parameter could specify that the URI in the Identity header "info" parameter could specify that
body with a CID URI [RFC2392]. However, in many environments this is body with a CID URI [RFC2392]. However, in many environments this is
not feasible due to message size restrictions or lack of necessary not feasible due to message size restrictions or lack of necessary
support for multipart MIME. support for multipart MIME.
The Identity header "info" parameter in a SIP request may contain a The Identity header "info" parameter in a SIP request may contain a
URI that the verifier dereferences. Implementations of this URI that the verifier dereferences. Implementations of this
specification are required to support the use of SIP for this specification are REQUIRED to support the use of SIP for this
function (via the SUBSCRIBE/NOTIFY mechanism), as well as HTTP, via function (via the SUBSCRIBE/NOTIFY mechanism), as well as HTTP, via
the Enrollment over Secure Transport mechanisms described in RFC 7030 the Enrollment over Secure Transport mechanisms described in RFC 7030
[RFC7030]. [RFC7030].
Note well that as an optimization, a verifier may have access to a Note well that as an optimization, a verifier may have access to a
service, a cache or other local store that grants access to service, a cache or other local store that grants access to
certificates for a particular telephone number. However, there may certificates for a particular telephone number. However, there may
be multiple valid certificates that can sign a call setup request for be multiple valid certificates that can sign a call setup request for
a telephone number, and as a consequence, there needs to be some a telephone number, and as a consequence, there needs to be some
discriminator that the signer uses to identify their credentials. discriminator that the signer uses to identify their credentials.
skipping to change at page 12, line 9 skipping to change at page 12, line 9
E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789")) E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789"))
The TN Authorization List certificate extension indicates the The TN Authorization List certificate extension indicates the
authorized phone numbers for the call setup signer. It indicates one authorized phone numbers for the call setup signer. It indicates one
or more blocks of telephone number entries that have been authorized or more blocks of telephone number entries that have been authorized
for use by the call setup signer. There are three ways to identify for use by the call setup signer. There are three ways to identify
the block: the block:
1. A Service Provider Identifier (SPID, also known as an Operating 1. A Service Provider Identifier (SPID, also known as an Operating
Company Number (OCN) or Carrier Identification Code (CIC), as Company Number (OCN) as specified in [ATIS-0300251]) can be used
specified in [ATIS-0300050]) can be used to indirectly name all to indirectly name all of the telephone numbers associated with
of the telephone numbers associated with that service provider, that service provider,
2. Telephone numbers can be listed in a range (in the 2. Telephone numbers can be listed in a range (in the
TelephoneNumberRange format), or TelephoneNumberRange format), or
3. A single telephone number can be listed (as an E164Number). 3. A single telephone number can be listed (as an E164Number).
Note that because large-scale service providers may want to associate Note that because large-scale service providers may want to associate
many numbers, possibly millions of numbers, with a particular many numbers, possibly millions of numbers, with a particular
certificate, optimizations are required for those cases to prevent certificate, optimizations are required for those cases to prevent
certificate size from becoming unmanageable. In these cases, the TN certificate size from becoming unmanageable. In these cases, the TN
skipping to change at page 18, line 35 skipping to change at page 18, line 35
13. Acknowledgments 13. Acknowledgments
Anders Kristensen, Russ Housley, Brian Rosen, Cullen Jennings, Dave Anders Kristensen, Russ Housley, Brian Rosen, Cullen Jennings, Dave
Crocker, Tony Rutkowski, John Braunberger, and Eric Rescorla provided Crocker, Tony Rutkowski, John Braunberger, and Eric Rescorla provided
key input to the discussions leading to this document. Russ Housley key input to the discussions leading to this document. Russ Housley
provided some direct assistance and text surrounding the ASN.1 provided some direct assistance and text surrounding the ASN.1
module. module.
14. References 14. References
[ATIS-0300050] 14.1. Normative References
ATIS Recommendation 0300050, "Carrier Identification Code
(CIC) Assignment Guidelines", 2012. [ATIS-0300251]
ATIS Recommendation 0300251, "Codes for Identification of
Service Providers for Information Exchange", 2007.
[DSS] National Institute of Standards and Technology, U.S.
Department of Commerce | NIST FIPS PUB 186-4, "Digital
Signature Standard, version 4", 2013.
[I-D.ietf-stir-passport] [I-D.ietf-stir-passport]
Wendt, C. and J. Peterson, "Personal Assertion Token Wendt, C. and J. Peterson, "Personal Assertion Token
(PASSporT)", draft-ietf-stir-passport-08 (work in (PASSporT)", draft-ietf-stir-passport-08 (work in
progress), September 2016. progress), September 2016.
[I-D.ietf-stir-rfc4474bis] [I-D.ietf-stir-rfc4474bis]
Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
"Authenticated Identity Management in the Session "Authenticated Identity Management in the Session
Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-13 Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-13
(work in progress), September 2016. (work in progress), September 2016.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
DOI 10.17487/RFC2046, November 1996,
<http://www.rfc-editor.org/info/rfc2046>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2392] Levinson, E., "Content-ID and Message-ID Uniform Resource [RFC2392] Levinson, E., "Content-ID and Message-ID Uniform Resource
Locators", RFC 2392, DOI 10.17487/RFC2392, August 1998, Locators", RFC 2392, DOI 10.17487/RFC2392, August 1998,
<http://www.rfc-editor.org/info/rfc2392>. <http://www.rfc-editor.org/info/rfc2392>.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
2003, <http://www.rfc-editor.org/info/rfc3447>. 2003, <http://www.rfc-editor.org/info/rfc3447>.
[RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
Wu, "Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework", RFC 3647,
DOI 10.17487/RFC3647, November 2003,
<http://www.rfc-editor.org/info/rfc3647>.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in Algorithms and Identifiers for RSA Cryptography for use in
the Internet X.509 Public Key Infrastructure Certificate the Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile", RFC 4055, and Certificate Revocation List (CRL) Profile", RFC 4055,
DOI 10.17487/RFC4055, June 2005, DOI 10.17487/RFC4055, June 2005,
<http://www.rfc-editor.org/info/rfc4055>. <http://www.rfc-editor.org/info/rfc4055>.
[RFC4754] Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using
the Elliptic Curve Digital Signature Algorithm (ECDSA)",
RFC 4754, DOI 10.17487/RFC4754, January 2007,
<http://www.rfc-editor.org/info/rfc4754>.
[RFC5019] Deacon, A. and R. Hurst, "The Lightweight Online [RFC5019] Deacon, A. and R. Hurst, "The Lightweight Online
Certificate Status Protocol (OCSP) Profile for High-Volume Certificate Status Protocol (OCSP) Profile for High-Volume
Environments", RFC 5019, DOI 10.17487/RFC5019, September Environments", RFC 5019, DOI 10.17487/RFC5019, September
2007, <http://www.rfc-editor.org/info/rfc5019>. 2007, <http://www.rfc-editor.org/info/rfc5019>.
[RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
Polk, "Server-Based Certificate Validation Protocol
(SCVP)", RFC 5055, DOI 10.17487/RFC5055, December 2007,
<http://www.rfc-editor.org/info/rfc5055>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>. <http://www.rfc-editor.org/info/rfc5280>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<http://www.rfc-editor.org/info/rfc5912>. <http://www.rfc-editor.org/info/rfc5912>.
skipping to change at page 20, line 26 skipping to change at page 20, line 11
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
DOI 10.17487/RFC5958, August 2010, DOI 10.17487/RFC5958, August 2010,
<http://www.rfc-editor.org/info/rfc5958>. <http://www.rfc-editor.org/info/rfc5958>.
[RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
Galperin, S., and C. Adams, "X.509 Internet Public Key Galperin, S., and C. Adams, "X.509 Internet Public Key
Infrastructure Online Certificate Status Protocol - OCSP", Infrastructure Online Certificate Status Protocol - OCSP",
RFC 6960, DOI 10.17487/RFC6960, June 2013, RFC 6960, DOI 10.17487/RFC6960, June 2013,
<http://www.rfc-editor.org/info/rfc6960>. <http://www.rfc-editor.org/info/rfc6960>.
[RFC6961] Pettersen, Y., "The Transport Layer Security (TLS)
Multiple Certificate Status Request Extension", RFC 6961,
DOI 10.17487/RFC6961, June 2013,
<http://www.rfc-editor.org/info/rfc6961>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, "Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013, DOI 10.17487/RFC7030, October 2013,
<http://www.rfc-editor.org/info/rfc7030>. <http://www.rfc-editor.org/info/rfc7030>.
[RFC7093] Turner, S., Kent, S., and J. Manger, "Additional Methods [RFC7093] Turner, S., Kent, S., and J. Manger, "Additional Methods
for Generating Key Identifiers Values", RFC 7093, for Generating Key Identifiers Values", RFC 7093,
DOI 10.17487/RFC7093, December 2013, DOI 10.17487/RFC7093, December 2013,
<http://www.rfc-editor.org/info/rfc7093>. <http://www.rfc-editor.org/info/rfc7093>.
[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
Telephone Identity Problem Statement and Requirements",
RFC 7340, DOI 10.17487/RFC7340, September 2014,
<http://www.rfc-editor.org/info/rfc7340>.
[RFC7375] Peterson, J., "Secure Telephone Identity Threat Model",
RFC 7375, DOI 10.17487/RFC7375, October 2014,
<http://www.rfc-editor.org/info/rfc7375>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>. <http://www.rfc-editor.org/info/rfc7519>.
[X.509] ITU-T Recommendation X.520 (10/2012) | ISO/IEC 9594-8, [X.509] ITU-T Recommendation X.509 (10/2012) | ISO/IEC 9594-8,
"Information technology - Open Systems Interconnection - "Information technology - Open Systems Interconnection -
The Directory: Public-key and attribute certificate The Directory: Public-key and attribute certificate
frameworks", 2012. frameworks", 2012.
[X.520] ITU-T Recommendation X.520 (10/2012) | ISO/IEC 9594-6,
"Information technology - Open Systems Interconnection -
The Directory: Selected Attribute Types", 2012.
[X.680] ITU-T Recommendation X.680 (08/2015) | ISO/IEC 8824-1, [X.680] ITU-T Recommendation X.680 (08/2015) | ISO/IEC 8824-1,
"Information Technology - Abstract Syntax Notation One: "Information Technology - Abstract Syntax Notation One:
Specification of basic notation". Specification of basic notation".
[X.681] ITU-T Recommendation X.681 (08/2015) | ISO/IEC 8824-2, [X.681] ITU-T Recommendation X.681 (08/2015) | ISO/IEC 8824-2,
"Information Technology - Abstract Syntax Notation One: "Information Technology - Abstract Syntax Notation One:
Information Object Specification". Information Object Specification".
[X.682] ITU-T Recommendation X.682 (08/2015) | ISO/IEC 8824-2, [X.682] ITU-T Recommendation X.682 (08/2015) | ISO/IEC 8824-2,
"Information Technology - Abstract Syntax Notation One: "Information Technology - Abstract Syntax Notation One:
Constraint Specification". Constraint Specification".
[X.683] ITU-T Recommendation X.683 (08/2015) | ISO/IEC 8824-3, [X.683] ITU-T Recommendation X.683 (08/2015) | ISO/IEC 8824-3,
"Information Technology - Abstract Syntax Notation One: "Information Technology - Abstract Syntax Notation One:
Parameterization of ASN.1 Specifications". Parameterization of ASN.1 Specifications".
14.2. Informative References
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
DOI 10.17487/RFC2046, November 1996,
<http://www.rfc-editor.org/info/rfc2046>.
[RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
Wu, "Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework", RFC 3647,
DOI 10.17487/RFC3647, November 2003,
<http://www.rfc-editor.org/info/rfc3647>.
[RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
Polk, "Server-Based Certificate Validation Protocol
(SCVP)", RFC 5055, DOI 10.17487/RFC5055, December 2007,
<http://www.rfc-editor.org/info/rfc5055>.
[RFC6961] Pettersen, Y., "The Transport Layer Security (TLS)
Multiple Certificate Status Request Extension", RFC 6961,
DOI 10.17487/RFC6961, June 2013,
<http://www.rfc-editor.org/info/rfc6961>.
[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
Telephone Identity Problem Statement and Requirements",
RFC 7340, DOI 10.17487/RFC7340, September 2014,
<http://www.rfc-editor.org/info/rfc7340>.
[RFC7375] Peterson, J., "Secure Telephone Identity Threat Model",
RFC 7375, DOI 10.17487/RFC7375, October 2014,
<http://www.rfc-editor.org/info/rfc7375>.
[X.520] ITU-T Recommendation X.520 (10/2012) | ISO/IEC 9594-6,
"Information technology - Open Systems Interconnection -
The Directory: Selected Attribute Types", 2012.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
This appendix provides the normative ASN.1 [X.680] definitions for This appendix provides the normative ASN.1 [X.680] definitions for
the structures described in this specification using ASN.1, as the structures described in this specification using ASN.1, as
defined in [X.680] through [X.683]. defined in [X.680] through [X.683].
The modules defined in this document are compatible with the most The modules defined in this document are compatible with the most
current ASN.1 specification published in 2015 (see [X.680], [X.681], current ASN.1 specification published in 2015 (see [X.680], [X.681],
[X.682], [X.683]). None of the newly defined tokens in the 2008 [X.682], [X.683]). None of the newly defined tokens in the 2008
ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE- ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-
 End of changes. 17 change blocks. 
56 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/