https://DevOpsCloud.io -- Cloud Monk Losang Jinpa

Return to RFC 4949 Internet Security Glossary Definitions, RFC 4949 Internet Security Glossary, RFC 4949 Internet Security Glossary Bibliography, Cybersecurity, Awesome Security

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.400

( N) An ITU-T Recommendation X400 that is one part of a joint ITU-T/ISO multi-part standard (X.400-X.421) that defines the Message Handling Systems. (The ISO equivalent is IS 10021, parts 1-7.) (See: Message Handling Systems.)

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.500

( N) An ITU-T Recommendation [X500] that is one part of a joint ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500 Directory, a conceptual collection of systems that provide distributed directory capabilities for OSI entities, processes, applications, and services. (The ISO equivalent is IS 9594-1 and related standards, IS 9594-x.) (See: directory vs. Directory, X.509.)

Tutorial: The X.500 Directory is structured as a tree (the Directory Information Tree), and information is stored in directory entries. Each entry is a collection of information about one object, and each object has a DN. A directory entry is composed of attributes, each with a type and one or more values. For example, if a PKI uses the Directory to distribute

Shirey Informational Page 338]

RFC 4949 Internet Security Glossary, Version 2 August 2007

certificates, then the X.509 public-key certificate of an end user is normally stored as a value of an attribute of type “userCertificate” in the Directory entry that has the DN that is the subject of the certificate.

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.509

( N) An ITU-T Recommendation [X509] that defines a framework to provide and support data origin authentication and peer entity authentication, including formats for X.509 public-key certificates, X.509 attribute certificates, and X.509 CRLs. (The ISO equivalent is IS 9498-4.) (See: X.500.)

Tutorial: X.509 describes two “levels” of authentication: “simple authentication” and “strong authentication”. It recommends, “While simple authentication offers some limited protection against unauthorized access, only strong authentication should be used as the basis for providing secure services.”

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.509 attribute certificate

( N) An attribute certificate in the version 1 (v1) format defined by X.509. (The v1 designation for an X.509 attribute certificate is disjoint from the v1 designation for an X.509 public-key certificate, and from the v1 designation for an X.509 CRL.)

Tutorial: An X.509 attribute certificate has a “subject” field, but the attribute certificate is a separate data structure from that subject's public-key certificate. A subject may have multiple attribute certificates associated with each of its public-key certificates, and an attribute certificate may be issued by a different CA than the one that issued the associated public-key certificate.

An X.509 attribute certificate contains a sequence of data items and has a digital signature that is computed from that sequence. Besides the signature, an attribute certificate contains items 1 through 9 listed below:

1. version Identifies v1. 2. subject Is one of the following: 2a. baseCertificateIDIssuer and serial number of an X.509 public-key certificate. 2b. subjectNameDN of the subject. 3. issuerDN of the issuer (the CA who signed). 4. signatureOID of algorithm that signed the cert. 5. serialNumberCertificate serial number; an integer assigned by the issuer. 6. attCertValidityPeriodValidity period; a pair of UTCTime values: “not before” and “not after”.

Shirey Informational Page 339]

RFC 4949 Internet Security Glossary, Version 2 August 2007

7. attributes Sequence of attributes describing the subject. 8. issuerUniqueId Optional, when a DN is not sufficient. 9. extensions Optional.

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.509 certificate

( N) Synonym for “X.509 public-key certificate”.

Usage: IDOCs MAY use this term as an abbreviation of “X.509 public-key certificate”, but only after using the full term at the first instance. Otherwise, the term is ambiguous, because X.509 specifies both public-key certificates and attribute certificates. (See: X.509 attribute certificate, X.509 public-key certificate.)

Deprecated Usage: IDOCs SHOULD NOT use this term as an abbreviation of “X.509 attribute certificate”, because the term is much more commonly used to mean “X.509 public-key certificate” and, therefore, is likely to be misunderstood. (Fair Use Source: RFC 4949]) ---- * [[X.509 certificate revocation list (CRL) ( N) A CRL in one of the formats defined by X.509 – version 1 (v1) or version 2 (v2). (The v1 and v2 designations for an X.509 CRL are disjoint from the v1 and v2 designations for an X.509 public- key certificate, and from the v1 designation for an X.509 attribute certificate.) (See: certificate revocation.)

Usage: IDOCs SHOULD NOT refer to an X.509 CRL as a digital certificate; however, note that an X.509 CRL does meet this Glossary's definition of “digital certificate”. That is, like a digital certificate, an X.509 CRL makes an assertion and is signed by a CA. But instead of binding a key or other attributes to a subject, an X.509 CRL asserts that certain previously issued, X.509 certificates have been revoked.

Tutorial: An X.509 CRL contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, both v1 and v2 contain items 2 through 6b listed below. Version 2 contains item 1 and may optionally contain 6c and 7.

1. version Optional. If present, identifies v2. 2. signatureOID of the algorithm that signed CRL. 3. issuerDN of the issuer (the CA who signed). 4. thisUpdate A UTCTime value. 5. nextUpdate A UTCTime value. 6. revokedCertificates 3-tuples of 6a, 6b, and (optional) 6c: 6a. userCertificate A certificate's serial number. 6b. revocationDateUTCTime value for the revocation date. 6c. crlEntryExtensions Optional.

Shirey Informational Page 340]

RFC 4949 Internet Security Glossary, Version 2 August 2007

7. crlExtensions Optional.

([[Fair Use]] [[Source]]: [[RFC 4949])

• X.509 public-key certificate - ( N) A public-key certificate in one of the formats defined by

X.509 – version 1 (v1), version 2 (v2), or version 3 (v3). (The v1 and v2 designations for an X.509 public-key certificate are disjoint from the v1 and v2 designations for an X.509 CRL, and from the v1 designation for an X.509 attribute certificate.)

Tutorial: An X.509 public-key certificate contains a sequence of data items and has a digital signature computed on that sequence. Besides the signature, all three versions contain items 1 through 7 listed below. Only v2 and v3 certificates may also contain items 8 and 9, and only v3 may contain item 10.

• 1. version Identifies v1, v2, or v3.
• 2. serialNumberCertificate serial number;

an integer assigned by the issuer.

• 3. signatureOID of algorithm that was used to

sign the certificate.

• 4. issuerDN of the issuer (the CA who signed).
• 5. validity Validity period; a pair of UTCTime values: “not before” and “not after”.
• 6. subject DN of entity who owns the public key.
• 7. subjectPublicKeyInfo Public key value and algorithm OID.
• 8. issuerUniqueIdentifier Defined for v2, v3; optional.
• 9. subjectUniqueIdentifier Defined for v2, v2; optional.
• 10. extensions Defined only for v3; optional.

([[Fair Use]] [[Source]]: [[RFC 4949])

• X9 - ( N) See: “Accredited Standards Committee X9” under “ANSI”. (Fair Use Source: RFC 4949]) ---- * [[XML - ( N) See: Extensible Markup Language. (Fair Use Source: RFC 4949]) ---- * [[XML-Signature - ( N) A W3C Recommendation (i.e., approved standard) that specifies

XML syntax and processing rules for creating and representing digital signatures (based on asymmetric cryptography) that can be applied to any digital content (i.e., any data object) including other XML material. (Fair Use Source: RFC 4949]) ---- ---- {{navbar_rfc4949}} ==Fair Use Sources== [[Fair Use Sources:

• RFC 4949 Internet Security Glossary