Information technology - Open systems interconnection - Part 8: The Directory: Public-key and attribute certificate frameworks - Technical Corrigendum 2

Information technology — Open Systems Interconnection (OSI) — Part 8: Title missing — Technical Corrigendum 2 (French title as listed in the catalogue)

General Information

Status
Published
Publication Date
21-Feb-2024
Current Stage
6060 - International Standard published
Start Date
22-Feb-2024
Completion Date
22-Feb-2024

Relations

Effective Date
27-May-2023

Overview

ISO/IEC 9594-8:2020/Cor 2:2024 is the second technical corrigendum to ISO/IEC 9594-8:2020, the ninth edition of "The Directory: Public-key and attribute certificate frameworks", which is common text with ITU-T Recommendation X.509 (2019). It was prepared by ITU-T as X.509 (2019) Cor. 2 (10/2023) and resolves defect reports 434 and 435. Defect report 434 concerns the LDAP-facing definitions of privilege management attributes, matching rules and object classes in clauses 16 and 19; the corrigendum replaces those definitions with corrected attribute types, LDAP syntax mappings and object classes.

The base standard defines the framework used worldwide for public-key infrastructure (PKI) and privilege management infrastructure (PMI): public-key certificates, attribute certificates, revocation lists, the policies that govern them and the directory schema that stores them. Keeping these definitions consistent across implementations is what makes certificates used for authentication, access control and privilege management interoperable. The text is maintained jointly by ITU-T Study Group 17 and ISO/IEC JTC 1/SC 6, and a corrigendum of this kind is how the two bodies publish corrections between editions.

Key Topics

  • Role and XML Privilege Attributes
    The role attribute is redefined with an explicit LDAP syntax (ldapRoleSyntax) and LDAP name, and xmlPrivilegeInfo is defined as a UTF8String carrying XML-encoded privilege information, mapped to the LDAP directoryString syntax. Both can therefore be stored in and retrieved from an LDAP directory without ambiguity about their encoding.

  • Permission Attribute and Matching Rules
    The permission attribute is redefined with DualStringSyntax, an equality matching rule (dualStringMatch) and an LDAP syntax of its own (ldapDualStringSyntax). The matching rules for exact and flexible attribute-certificate matching are also updated so that directory searches over attribute certificates behave consistently across servers.

  • Auxiliary Object Classes for Privilege Management
    The PMI user, PMI AA (attribute authority), PMI SOA (source of authority), attribute-certificate CRL distribution point, delegation path and privilege policy auxiliary object classes are restated with their LDAP names and descriptions, so that privilege holders, authorities and their revocation lists can be represented in LDAP entries.

  • Directory Syntax Definitions
    LDAP syntaxes are defined for role, dual string, attribute certificate, delegation path and policy values. These values are transferred in binary encoding (DER), using the binary encoding option of IETF RFC 4522.

  • No Revocation Information Extension
    An extension indicates that the issuer supplies no revocation information for a certificate whose validity period is short; in X.509 terms this is the noRevAvail extension. Relying parties and privilege verifiers can skip the CRL or OCSP lookup for such certificates, which removes a network round trip from validation. The trade-off is that a compromised key stays usable until the certificate expires, so issuers should keep these lifetimes short and verifiers should bound the lifetime they are willing to accept without a revocation check.

  • Compliance and Interoperability
    The Generic String Encoding Rules (RFC 3641) are referenced for the string form of ASN.1 values in attribute-certificate assertions, so that certificates and policies are interpreted the same way on every platform.

Applications

ISO/IEC 9594-8:2020/Cor 2:2024 plays a vital role in numerous fields related to cybersecurity, identity management, and secure communications:

  • Public-Key Infrastructure (PKI) Enhancement
    Enables organizations to efficiently manage digital certificates and attribute certificates, crucial for authentication and encryption.

  • Access Control and Privilege Management
    Supports fine-grained control over user privileges through attribute certificates, improving security posture in enterprise IT environments.

  • Directory Services and LDAP
    Provides enhanced LDAP schema definitions and syntaxes used by directory services to store and manage certificates and their attributes securely and interoperably.

  • Telecommunications and Network Security
    Assists telecommunication providers and network operators in maintaining secure, standardized directories for public-key and attribute certificates.

  • Short-Lived Certificates
    Where certificates are issued with very short lifetimes (hours or days), the 'no revocation information available' extension lets a verifier skip the revocation lookup that would otherwise dominate validation cost, provided its local policy accepts the certificate's lifetime as short enough to go unchecked.

Related Standards

  • ITU-T X.509
    ISO/IEC 9594-8 and ITU-T X.509 are common text; this corrigendum is the ISO/IEC publication of ITU-T X.509 (2019) Cor. 2 (10/2023).

  • RFC 4522 - LDAP: The Binary Encoding Option
    Defines the ";binary" transfer option referenced by several of the corrigendum's LDAP syntax definitions.

  • RFC 3641 - Generic String Encoding Rules (GSER)
    Defines string encoding rules for ASN.1 types used in attribute certificate assertions.

  • ISO/IEC 9594 Series
    Covers the comprehensive set of standards for Open Systems Interconnection (OSI) directory services, including authentication and access control.

Summary

ISO/IEC 9594-8:2020/Cor 2:2024 updates are essential for entities employing X.509-based PKI and privilege management infrastructures. By addressing defect reports and refining directory schema, attribute definitions, and certificate extensions, this corrigendum promotes stronger security, enhanced interoperability, and optimized certificate lifecycle management in interconnected systems. The standard continues to be foundational for secure information technology and telecommunications systems worldwide.

Standard

ISO/IEC 9594-8:2020/Cor 2:2024 - Information technology — Open systems interconnection — Part 8: The Directory: Public-key and attribute certificate frameworks — Technical Corrigendum 2. Released: 2024-02-22

English language
5 pages

Frequently Asked Questions

ISO/IEC 9594-8:2020/Cor 2:2024 is a technical corrigendum published jointly by ISO and IEC. Its full title is "Information technology - Open systems interconnection - Part 8: The Directory: Public-key and attribute certificate frameworks - Technical Corrigendum 2". It corrects the 2020 (ninth) edition of ISO/IEC 9594-8 rather than replacing it.

ISO/IEC 9594-8:2020/Cor 2:2024 is classified under the following ICS (International Classification for Standards) categories: 35.100.70 - Application layer. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 9594-8:2020/Cor 2:2024 is a corrigendum to ISO/IEC 9594-8:2020: it applies only together with that base document and does not replace it. Understanding this relationship helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC 9594-8:2020/Cor 2:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


International Standard
ISO/IEC 9594-8
Ninth edition
2020-11

Information technology — Open systems interconnection —
Part 8: The Directory: Public-key and attribute certificate frameworks

TECHNICAL CORRIGENDUM 2

Reference number
ISO/IEC 9594-8:2020/Cor.2:2024(en)
© ISO/IEC 2024

ISO/IEC 9594-8:2020/Cor.2:2024(en)
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
This document was prepared by ITU-T as ITU-T X.509 (2019) Cor. 2 (10/2023) and drafted in
accordance with its editorial rules, in collaboration with Joint Technical Committee ISO/IEC JTC
1, Information technology, Subcommittee SC 6, Telecommunications and information exchange
between systems.
INTERNATIONAL STANDARD ISO/IEC 9594-8
RECOMMENDATION ITU-T X.509
Information technology – Open Systems Interconnection – The Directory: Public-key and
attribute certificate frameworks
Technical Corrigendum 2
Summary
Corrigendum 2 to ITU-T X.509 (2019) | ISO/IEC 9594-8:2020 covers resolution to defect reports 434 and 435.

History

Edition  Recommendation                         Approval    Study Group  Unique ID*
1.0      ITU-T X.509                            1988-11-25               11.1002/1000/2999
2.0      ITU-T X.509                            1993-11-16       7       11.1002/1000/3000
3.0      ITU-T X.509                            1997-08-09       7       11.1002/1000/4123
3.1      ITU-T X.509 (1997) Technical Cor. 1    2000-03-31       7       11.1002/1000/5033
3.2      ITU-T X.509 (1997) Technical Cor. 2    2001-02-02       7       11.1002/1000/5311
3.3      ITU-T X.509 (1997) Technical Cor. 3    2001-10-29       7       11.1002/1000/5559
3.4      ITU-T X.509 (1997) Technical Cor. 4    2002-04-13      17       11.1002/1000/6025
3.5      ITU-T X.509 (1997) Technical Cor. 5    2003-02-13      17       11.1002/1000/6236
3.6      ITU-T X.509 (1997) Technical Cor. 6    2004-04-29      17       11.1002/1000/7285
4.0      ITU-T X.509                            2000-03-31       7       11.1002/1000/5034
4.1      ITU-T X.509 (2000) Technical Cor. 1    2001-10-29       7       11.1002/1000/5560
4.2      ITU-T X.509 (2000) Technical Cor. 2    2002-04-13      17       11.1002/1000/6026
4.3      ITU-T X.509 (2000) Technical Cor. 3    2003-02-13      17       11.1002/1000/15258
4.3      ITU-T X.509 (2000) Technical Cor. 3    2004-04-29      17       11.1002/1000/7284
4.4      ITU-T X.509 (2000) Technical Cor. 4    2007-01-13      17       11.1002/1000/8637
5.0      ITU-T X.509                            2005-08-29      17       11.1002/1000/8501
5.1      ITU-T X.509 (2005) Cor. 1              2007-01-13      17       11.1002/1000/9051
5.2      ITU-T X.509 (2005) Cor. 2              2008-11-13      17       11.1002/1000/9591
5.3      ITU-T X.509 (2005) Cor. 3              2011-02-13      17       11.1002/1000/11042
5.4      ITU-T X.509 (2005) Cor. 4              2012-04-13      17       11.1002/1000/11577
6.0      ITU-T X.509                            2008-11-13      17       11.1002/1000/9590
6.1      ITU-T X.509 (2008) Cor. 1              2011-02-13      17       11.1002/1000/11043
6.2      ITU-T X.509 (2008) Cor. 2              2012-04-13      17       11.1002/1000/11578
6.3      ITU-T X.509 (2008) Cor. 3              2012-10-14      17       11.1002/1000/11736
7.0      ITU-T X.509                            2012-10-14      17       11.1002/1000/11735
7.1      ITU-T X.509 (2012) Cor. 1              2015-05-29      17       11.1002/1000/12474
7.2      ITU-T X.509 (2012) Cor. 2              2016-04-29      17       11.1002/1000/12844
7.3      ITU-T X.509 (2012) Cor. 3              2016-10-14      17       11.1002/1000/13032
8.0      ITU-T X.509                            2016-10-14      17       11.1002/1000/13031
9.0      ITU-T X.509                            2019-10-14      17       11.1002/1000/14033
9.1      ITU-T X.509 (2019) Cor. 1              2021-10-14      17       11.1002/1000/14791
9.2      ITU-T X.509 (2019) Cor. 2              2023-10-29      17       11.1002/1000/15705

* To access the Recommendation, type the URL https://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID.
FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
telecommunications, information and communication technologies (ICTs). The ITU Telecommunication
Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical,
operating and tariff questions and issuing Recommendations on them with a view to standardizing
telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes
the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are
prepared on a collaborative basis with ISO and IEC.
NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a
telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain
mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the
Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other
obligatory language such as "must" and the negative equivalents are used to express requirements. The use of
such words does not suggest that compliance with the Recommendation is required of any party.
INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve
the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or
applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of
the Recommendation development process.
As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected
by patents/software copyrights, which may be required to implement this Recommendation. However,
implementers are cautioned that this may not represent the latest information and are therefore strongly urged
to consult the appropriate ITU-T databases available via the ITU-T website at http://www.itu.int/ITU-T/ipr/.
© ITU 2023
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior
written permission of ITU.
INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology – Open Systems Interconnection – The Directory: Public-key and
attribute certificate frameworks
Technical Corrigendum 2
(Covering resolution to defect reports 434 and 435)
1) Correction of the defects reported in defect report 434

Replace the definition of the role attribute type in 16.5.1 with:

    role ATTRIBUTE ::= {
      WITH SYNTAX  RoleSyntax
      LDAP-SYNTAX  ldapRoleSyntax.&id
      LDAP-NAME    {"role"}
      LDAP-DESC    "LDAP role"
      ID           id-at-role }

Replace the definition of xmlPrivilegeInfo in 16.7 with:

    xmlPrivilegeInfo ATTRIBUTE ::= {
      WITH SYNTAX  UTF8String -- contains XML-encoded privilege information
      LDAP-SYNTAX  directoryString.&id
      LDAP-NAME    {"xmlPrivInfo"}
      LDAP-DESC    "XML Privilege Info"
      ID           id-at-xMLPrivilegeInfo }

Replace the definition of permission attribute in 16.8.1 with:

    permission ATTRIBUTE ::= {
      WITH SYNTAX             DualStringSyntax
      EQUALITY MATCHING RULE  dualStringMatch
      LDAP-SYNTAX             ldapDualStringSyntax.&id
      LDAP-NAME               {"permission"}
      LDAP-DESC               "LDAP permission"
      ID                      id-at-permission }

Replace the definition of dualStringMatch matching rule in 16.8.2 with:

    dualStringMatch MATCHING-RULE ::= {
      SYNTAX       DualStringSyntax
      LDAP-SYNTAX  ldapDualStringSyntax.&id
      LDAP-NAME    {"permission"}
      LDAP-DESC    "LDAP permission match"
      ID           id-mr-dualStringMatch }

Replace the definition of the PMI user object class in 19.1.1 with:

    pmiUser OBJECT-CLASS ::= {
      SUBCLASS OF  {top}
      KIND         auxiliary
      MAY CONTAIN  {attributeCertificateAttribute}
      LDAP-NAME    {"pmiUser"}
      LDAP-DESC    "Privilege holder"
      ID           id-oc-pmiUser }

Replace the definition of the PMI AA object class in 19.1.2 with:

    pmiAA OBJECT-CLASS ::= { -- a PMI AA
      SUBCLASS OF  {top}
      KIND         auxiliary
      MAY CONTAIN  {aACertificate |
                    attributeCertificateRevocationList |
                    eeAttrCertificateRevocationList |
                    attributeAuthorityRevocationList}
      LDAP-NAME    {"pmiAA"}
      LDAP-DESC    "Privilege authority"
      ID           id-oc-pmiAA }

Replace the definition of the PMI SOA object class in 19.1.3 with:

    pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
      SUBCLASS OF  {top}
      KIND         auxiliary
      MAY CONTAIN  {attributeCertificateRevocationList |
                    eeAttrCertificateRevocationList |
                    attributeAuthorityRevocationList |
                    attributeDescriptorCertificate}
      LDAP-NAME    {"pmiSOA"}
      LDAP-DESC    "Source of authority"
      ID           id-oc-pmiSOA }

Replace the definition of the Attribute certificate CRL distribution point object class in 19.1.4 with:

    attCertCRLDistributionPt OBJECT-CLASS ::= {
      SUBCLASS OF
    ...
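The definitions above are written in the ASN.1 information-object notation X.509 uses for its schema. To load them into an LDAP server an administrator needs the equivalent RFC 4512 attribute-type, matching-rule and object-class descriptions. The Python below is an added example, not text from the corrigendum: it parses three of the definitions quoted above (copied inline as constructed input) and emits their RFC 4512 form. Symbolic identifiers such as id-oc-pmiAA and ldapDualStringSyntax are emitted unchanged unless the caller supplies a mapping to numeric OIDs; the numeric arcs are assigned in Annex A of X.509 and are not reproduced here, so the output becomes loadable only after that substitution.

```python
"""Added example: translate the ATTRIBUTE / OBJECT-CLASS / MATCHING-RULE
information objects quoted above into RFC 4512 LDAP schema descriptions.
Symbolic ids (id-oc-pmiAA, ldapDualStringSyntax, ...) pass through unchanged
unless a numeric OID map is supplied; the numeric arcs live in Annex A of X.509."""
import re

# Constructed input: three definitions copied from the corrigendum text above.
SAMPLE_ASN1 = """
permission ATTRIBUTE ::= {
  WITH SYNTAX DualStringSyntax
  EQUALITY MATCHING RULE dualStringMatch
  LDAP-SYNTAX ldapDualStringSyntax.&id
  LDAP-NAME {"permission"}
  LDAP-DESC "LDAP permission"
  ID id-at-permission }
dualStringMatch MATCHING-RULE ::= {
  SYNTAX DualStringSyntax
  LDAP-SYNTAX ldapDualStringSyntax.&id
  LDAP-NAME {"permission"}
  LDAP-DESC "LDAP permission match"
  ID id-mr-dualStringMatch }
pmiAA OBJECT-CLASS ::= { -- a PMI AA
  SUBCLASS OF {top}
  KIND auxiliary
  MAY CONTAIN {aACertificate |
    attributeCertificateRevocationList |
    eeAttrCertificateRevocationList |
    attributeAuthorityRevocationList}
  LDAP-NAME {"pmiAA"}
  LDAP-DESC "Privilege authority"
  ID id-oc-pmiAA }
"""

_OBJECT = re.compile(
    r"([\w-]+)\s+(ATTRIBUTE|OBJECT-CLASS|MATCHING-RULE)\s*::=\s*\{(.*?)\bID\s+([\w-]+)\s*\}",
    re.S)

def _field(body, pattern):
    m = re.search(pattern, body, re.S)
    return m.group(1).strip() if m else ""

def _names(group):
    return [x.strip() for x in group.split("|") if x.strip()]   # "{a | b}" -> ["a", "b"]

def parse_information_objects(text):
    """Parse X.509 information-object definitions into plain dicts."""
    text = re.sub(r"--[^\n]*", "", text)       # drop '--' comments (to end of line)
    objs = []
    for name, kind, body, ident in _OBJECT.findall(text):
        objs.append({
            "name": name, "kind": kind, "id": ident,
            "ldap_names": re.findall(r'"([^"]+)"', _field(body, r"LDAP-NAME\s*\{([^}]*)\}")),
            "ldap_desc": _field(body, r'LDAP-DESC\s*"([^"]*)"'),
            "ldap_syntax": _field(body, r"LDAP-SYNTAX\s+([\w-]+)\.&id"),
            "equality": _field(body, r"EQUALITY\s+MATCHING\s+RULE\s+([\w-]+)"),
            "sup": _names(_field(body, r"SUBCLASS\s+OF\s*\{([^}]*)\}")),
            "class_kind": _field(body, r"\bKIND\s+(\w+)") or "structural",
            "must": _names(_field(body, r"MUST\s+CONTAIN\s*\{([^}]*)\}")),
            "may": _names(_field(body, r"MAY\s+CONTAIN\s*\{([^}]*)\}")),
        })
    return objs

def _qdstring(s):                                  # RFC 4512 quoted-string escaping
    return "'" + s.replace("\\", "\\5c").replace("'", "\\27") + "'"

def _oids(items):                                  # oid / ( oid $ oid ... )
    return items[0] if len(items) == 1 else "( " + " $ ".join(items) + " )"

def to_rfc4512(obj, oids=None):
    """Render one parsed object as an RFC 4512 schema description string."""
    r = lambda sym: (oids or {}).get(sym, sym)     # resolve a symbolic id if mapped
    parts = ["(", r(obj["id"])]
    if obj["ldap_names"]:
        q = [_qdstring(n) for n in obj["ldap_names"]]
        parts += ["NAME", q[0] if len(q) == 1 else "( " + " ".join(q) + " )"]
    if obj["ldap_desc"]:
        parts += ["DESC", _qdstring(obj["ldap_desc"])]
    if obj["kind"] == "OBJECT-CLASS":
        if obj["sup"]:
            parts += ["SUP", _oids([r(s) for s in obj["sup"]])]
        parts.append(obj["class_kind"].upper())    # ABSTRACT / STRUCTURAL / AUXILIARY
        for key in ("must", "may"):
            if obj[key]:
                parts += [key.upper(), _oids([r(a) for a in obj[key]])]
    else:                                          # ATTRIBUTE or MATCHING-RULE
        if obj["equality"]:
            parts += ["EQUALITY", r(obj["equality"])]
        if obj["ldap_syntax"]:
            parts += ["SYNTAX", r(obj["ldap_syntax"])]
    parts.append(")")
    return " ".join(parts)

def convert(text, oids=None):
    """All definitions in `text` as RFC 4512 description strings, in source order."""
    return [to_rfc4512(o, oids) for o in parse_information_objects(text)]

if __name__ == "__main__":
    for line in convert(SAMPLE_ASN1):
        print(line)
```

Note that the corrigendum gives the dualStringMatch matching rule the LDAP-NAME "permission", the same short name as the attribute; the converter reproduces it as written, and whether a given server accepts one descriptor for both an attribute type and a matching rule is worth testing before the schema is deployed.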
