ISO/IEC 9594-11:2020

INTERNATIONAL ISO/IEC
STANDARD 9594-11
First edition
2020-12
Information technology — Open
systems interconnection directory —
Part 11:
Protocol specifications for secure
operations
Reference number
©
ISO/IEC 2020
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 9594-11
RECOMMENDATION ITU-T X.510
Information technology – Open Systems Interconnection –
The Directory: Protocol specifications for secure operations

Summary
Recommendation ITU-T X.510 | ISO/IEC 9594-11 specifies a general protocol, called the wrapper protocol, that provides
cybersecurity for protocols designed for its protection. The wrapper protocol provides authentication, integrity and
optionally confidentiality (encryption). The wrapper protocol allows cybersecurity to be provided independently of the
protected protocols, which means that security may be enhanced without affecting protected protocol specifications.
The wrapper protocol is specified without specifying specific cryptographic algorithms, but is designed for plucking-in
cryptographic algorithms as required.
The wrapper protocol is designed for easy migration of cryptographic algorithms, as stronger cryptographic algorithms
become necessary.
Recommendation ITU-T X.510 | ISO/IEC 9594-11 contains recommendations for how other Recommendations and
International Standards may include features for migration of cryptographic algorithms, and it includes ASN.1
specifications to be applied for that purpose.
Recommendation ITU-T X.510 | ISO/IEC 9594-11 also specifies three protocols that make use of the wrapper protocol
protection. This includes a protocol for maintenance of authorization and validation lists (AVLs), a protocol for subscribing
of public-key certificate status and a protocol for accessing a trust broker.

History
*
Edition Recommendation Approval Study Group Unique ID
1.0 ITU-T X.510 2020-08-22 17 11.1002/1000/14320

Keywords
Certification authority, cryptography, cryptographic algorithm, digital signature, public-key certificate, PKI, quantum-safe,
trust anchor, validation.
*
To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the
Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.510 (08/2020) i
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected
by patents, which may be required to implement this Recommendation. However, implementers are cautioned
that this may not represent the latest information and are therefore strongly urged to consult the TSB patent
database at http://www.itu.int/ITU-T/ipr/.

 ITU 2020
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
© ISO/IEC 2020 – All rights reserved
ii Rec. ITU-T X.510 (08/2020)
CONTENTS
Page
SECTION 1 – GENERAL . 1
1 Scope . 1
2 Normative references . 1
2.1 Identical Recommendations | International Standards . 1
2.2 Other references . 1
3 Definitions . 2
3.1 OSI Reference Model definitions . 2
3.2 Directory model definitions . 2
3.3 Public-key and attribute certificate definitions . 2
3.4 Terms specified by this Recommendation | International Standard . 2
4 Abbreviations . 3
5 Conventions . 4
6 Common data types and special cryptographic algorithms . 4
6.1 Introduction . 4
6.2 ASN.1 information object class specification tool . 4
6.3 Multiple-cryptographic algorithm specifications . 6
6.4 Key establishment algorithms . 7
6.5 Multiple-cryptographic algorithm-value pairs . 9
6.6 Formal specification of encipherment . 11
7 General concepts for securing protocols. 11
7.1 Introduction . 11
7.2 Protected protocol plug-in concept. 12
7.3 Communications structure. 12
7.4 Another view of the relationship between the wrapper protocol and the protected protocol . 12
7.5 Structure of application protocol data unit . 13
7.6 Exception conditions . 13
SECTION 2 – THE WRAPPER PROTOCOL . 14
8 Wrapper protocol general concepts . 14
8.1 Introduction . 14
8.2 UTC time specification . 14
8.3 Use of alternative cryptographic algorithms . 14
8.4 General on establishing shared keys . 14
8.5 Sequence numbers . 15
8.6 Use of invocation identification in the wrapper protocol . 15
8.7 Mapping to underlying services . 15
8.8 Definition of protected protocols . 15
8.9 Overview of wrapper protocol data units . 15
9 Association management . 16
9.1 Introduction to association management . 16
9.2 Association handshake request . 16
9.3 Association accept . 18
9.4 Association reject due to security issues . 19
9.5 Association reject by the protected protocol . 20
9.6 Handshake security abort . 21
9.7 Handshake abort by protected protocol . 21
9.8 Data transfer security abort . 22
9.9 Abort by protected protocol . 22
9.10 Release request WrPDU . 23
9.11 Release response WrPDU . 23
9.12 Release collision. 24
© ISO/IEC 2020 – All rights reserved
Rec. ITU-T X.510 (08/2020) iii

Page
10 Data transfer phase . 24
10.1 Symmetric keys renewal . 24
10.2 Data transfer by the client . 24
10.3 Data transfer by the server . 26
11 Information flow . 28
11.1 Purpose and general model . 28
11.2 Protected protocol SAOC . 29
11.3 Wrapper SAOC . 29
12 Wrapper error handling .
...