ISO/IEC 9594-7:2017

INTERNATIONAL ISO/IEC
STANDARD 9594-7
Eighth edition
2017-05
Information technology — Open
Systems Interconnection — The
Directory —
Part 7:
Selected object classes
Technologies de l’information — Interconnexion de systèmes ouverts
(OSI) — L’annuaire —
Partie 7: Classes d’objets sélectionnées
Reference number
©
ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non‐governmental, in liaison with ISO and IEC, also
take part in the work. In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does
not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO's adherence to the World Trade Organization (WTO)
principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This eighth edition cancels and replaces the seventh edition (ISO/IEC 9594‐7:2014), which
has been technically revised.te
This document was prepared by ISO/IEC JTC 1, Information technology, SC 6, Telecommunications
and information exchange between systems, in collaboration with ITU‐T. The identical text is
published as ITU‐T X.521 (10/2016).
A list of all parts in the ISO/IEC 9594 series, published under the general title Information technology
— Open Systems Interconnection — The Directory, can be found on the ISO website.
© ISO/IEC 2017 – All rights reserved ii-1

CONTENTS
Page
SECTION 1 – GENERAL . 1
1 Scope . 1
2 Normative references. 1
2.1 Identical Recommendations | International Standards . 1
3 Definitions . 2
3.1 Communication Model definitions . 2
3.2 Directory Model definitions . 2
4 Conventions . 2
SECTION 2 – SELECTED OBJECT CLASSES . 4
5 Definition of useful attribute sets . 4
5.1 Telecommunication attribute set . 4
5.2 Postal attribute set . 4
5.3 Locale attribute set . 4
5.4 Organizational attribute set . 5
6 Definition of selected object classes . 5
6.1 Country . 5
6.2 Locality . 5
6.3 Organization . 5
6.4 Organizational Unit . 5
6.5 Person . 6
6.6 Organizational Person . 6
6.7 Organizational Role. 6
6.8 Group Of Names . 6
6.9 Group Of Unique Names . 7
6.10 Residential Person . 7
6.11 Application Process . 7
6.12 Application Entity . 7
6.13 DSA . 8
6.14 Device . 8
6.15 Strong Authentication User . 8
6.16 User Security Information . 8
6.17 User Password . 9
6.18 Certification Authority . 9
6.19 Certification Authority-V2 . 9
6.20 DMD . 9
6.21 OID Obj1 . 9
6.22 OID Obj2 . 10
6.23 OID ObjC . 10
6.24 OID root . 10
6.25 OID arc . 10
6.26 URN ObjC . 10
6.27 ISO Tag Information . 10
6.28 ISO Tag Type . 11
6.29 EPC Tag Information object class . 11
6.30 EPC Tag Type Object Class . 11
SECTION 3 – SELECTED NAME FORMS . 12
7 Definition of selected name forms . 12
7.1 Country name form . 12
7.2 Locality name form . 12
7.3 State Or Province name form . 12
7.4 Organization name form . 12
Rec. ITU-T X.521 (10/2016) iii

Page
7.5 Organizational Unit name form . 12
7.6 Person name form . 13
7.7 Organizational Person name form . 13
7.8 Organizational Role name form . 13
7.9 Group Of Names name form . 13
7.10 Residential Person name form . 13
7.11 Application Process name form . 13
7.12 Application Entity name form . 13
7.13 DSA name form . 14
7.14 Device name form . 14
7.15 DMD name form . 14
7.16 OIDC1 name form . 14
7.17 OIDC2 name form . 14
7.18 OIDC name form . 14
7.19 URNC name form . 14
7.20 OID root name form . 15
7.21 OID arc name form . 15
Annex A – Selected object classes and name forms in ASN.1 . 16
Annex B – Suggested name forms and Directory information tree (DIT) structures . 24
B.1 Country . 24
B.2 Organization . 25
B.3 Locality . 25
B.4 Organizational Unit . 25
B.5 Organizational Person . 26
B.6 Organizational Role. 26
B.7 Group of Names . 26
B.8 Residential Person . 27
B.9 Application Entity . 27
B.10 Device . 27
B.11 Application Process . 27
B.12 Alternative Structure Rule for Locality . 27
Annex C – Amendments and corrigenda . 29
iv Rec. ITU-T X.521 (10/2016)
Introduction
This Recommendation | International Standard, together with other Recommendations | International Standards, has been
produced to facilitate the interconnection of information processing systems to provide directory services. A set of such
systems, together with the directory information that they hold, can be viewed as an integrated whole, called the Directory.
The information held by the Directory, collectively known as the Directory Information Base (DIB), is typically used to
facilitate communication between, with or about objects such as application entities, people, terminals, and distribution
lists.
The Directory plays a significant role in Open Systems Interconnection, whose aim is to allow, with a minimum of
technical agreement outside of the interconnection standards themselves, the interconnection of information processing
systems:
– from different manufacturers;
– under different managements;
– of different levels of complexity; and
– of different ages.
This Recommendation | International Standard defines a number of attribute sets and object classes which may be found
useful across a range of applications of the Directory.
This Recommendation | International Standard provides the foundation frameworks upon which industry profiles can be
defined by other standards groups and industry forums. Many of the features defined as optional in these frameworks may
be mandated for use in certain environments through profiles. This eighth edition technically revises and enhances the
seventh edition of this Recommendation | International Standard.
This eight edition specifies versions 1 and 2 of the Directory protocols.
The first and second editions specified only version 1. Most of the services and protocols specified in this edition are
designed to function under version 1. However some enhanced services and protocols, e.g., signed errors, will not function
unless all Directory entities involved in the operation have negotiated version 2. Whichever version has been negotiated,
differences between the services and between the protocols defined in the eight editions, except for those specifically
assigned to version 2, are accommodated using the rules of extensibility defined in Rec. ITU-T X.519 | ISO/IEC 9594-5.
Annex A, which is an integral part of this Recommendation | International Standard, provides an ASN.1 module
containing all of the type and value definitions which appear in this Recommendation | International Standard.
Annex B, which is not an integral part of this Recommendation | International Standard, provides some common naming
and structure rules which may or may not be used by administrative authorities.
Annex C, which is not an integral part of this Recommendation | International Standard, lists the amendments and defect
reports that have been incorporated to form this edition of this Recommendation | International Standard.

Rec. ITU-T X.521 (10/2016) v
INTERNATIONAL STANDARD
ITU-T RECOMMENDATION
Information technology – Open Systems Interconnection –
The Directory: Selected object classes
SECTION 1 – GENERAL
1 Scope
This Recommendation | International Standard defines a number of object classes and name forms which may be found
useful across a range of applications of the Directory. The definition of an object class involves listing a number of
attribute types which are relevant to objects of that class. The definition of a name form involves naming the object class
to which it applies and listing the attributes to be used in forming names for objects of that class. These definitions are
used by the administrative authority which is responsible for the management of the directory information.
Any administrative authority can define its own object classes or subclasses and name forms for any purpose.
NOTE 1 – Those definitions may or may not use the notation specified in Rec. ITU-T X.501 | ISO/IEC 9594-2.
NOTE 2 – It is recommended that an object class defined in this Recommendation | International Standard, or a subclass derived
from one, or a name form defined in this Recommendation | International Standard, be used in preference to the generation of a
new one, whenever the semantics is appropriate for the application.
Administrative authorities may support some or all the selected object classes and name forms, and may also add
additional ones.
All administrative authorities shall support the object classes which the directory uses for its own purpose (the top, alias
and Directory system agent (DSA) object classes).
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text,
constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated
were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this
Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent editions
of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid
International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid
ITU-T Recommendations.
2.1 Identical Recommendations | International Standards
– Recommendation ITU-T X.200 (1994) | ISO/IEC 7498-1:1994, Information technology – Open Systems
Interconnection – Basic Reference Model: The Basic Model.
– Recommendation ITU-T X.500 (2016) | ISO/IEC 9594-1:2017, Information technology – Open Systems
Interconnection – The Directory: Overview of concepts, models and services.
– Recommendation ITU-T X.501 (2016) | ISO/IEC 9594-2:2017, Information technology – Open Systems
Interconnection – The Directory: Models.
– Recommendation ITU-T X.509 (2016) | ISO/IEC 9594-8:2017, Information technology – Open Systems
Interconnection – The Directory: Public-key and attribute certificate frameworks.
– Recommendation ITU-T X.511 (2016) | ISO/IEC 9594-3:2017, Information technology – Open Systems
Interconnection – The Directory: Abstract service definition.
– Recommendation ITU-T X.518 (2016) | ISO/IEC 9594-4:2017, Information technology – Open Systems
Interconnection – The Directory: Procedures for distributed operation.
– Recommendation ITU-T X.519 (2016) | ISO/IEC 9594-5:2017, Information technology – Open Systems
Interconnection – The Directory: Protocol specifications.
– Recommendation ITU-T X.520 (2016) | ISO/IEC 9594-6:2017, Information technology – Open Systems
Interconnection – The Directory: Selected attribute types.
Rec. ITU-T X.521 (10/2016) 1
– Recommendation ITU-T X.525 (2016) | ISO/IEC 9594-9:2017, Information technology – Open Systems
Interconnection – The Directory: Replication.
3 Definitions
For the purposes of this Recommendation | International Standard, the following definitions apply.
3.1 Communication Model definitions
The following terms are defined in Rec. ITU-T X.519 | ISO/IEC 9594-5:
a) application-entity;
b) application process.
3.2 Directory Model definitions
The following terms are defined in Rec. ITU-T X.501 | ISO/IEC 9594-2:
a) attribute;
b) attribute type;
c) Directory information tree (DIT);
d) Directory system agent (DSA);
e) attribute set;
f) entry;
g) name;
h) object class;
i) subclass;
j) name form;
k) structure rule.
4 Conventions
The term "Directory Specification" (as in "this Directory Specification") shall be taken to mean Rec. ITU-T X.521 |
ISO/IEC 9594-7. The term "Directory Specifications" shall be taken to mean the ITU-T X.500-series Recommendations
and all parts of ISO/IEC 9594.
This Directory Specification uses the term first edition systems to refer to systems conforming to the first edition of the
Directory Specifications, i.e., the 1988 edition of the CCITT X.500-series Recommendations and the ISO/IEC 9594:1990
edition.
This Directory Specification uses the term second edition systems to refer to systems conforming to the second edition of
the Directory Specifications, i.e., the 1993 edition of the ITU-T X.500-series Recommendations and the
ISO/IEC 9594:1995 edition.
This Directory Specification uses the term third edition systems to refer to systems conforming to the third edition of the
Directory Specifications, i.e., the 1997 edition of the ITU-T X.500-series Recommendations and the ISO/IEC 9594:1998
edition.
This Directory Specification uses the term fourth edition systems to refer to systems conforming to the fourth edition of
the Directory Specifications, i.e., the 2001 editions of Recs ITU-T X.500, ITU-T X.501, ITU-T X.511, ITU-T X.518,
ITU-T X.519, ITU-T X.520, ITU-T X.521, ITU-T X.525, and ITU-T X.530, the 2000 edition of Rec. ITU-T X.509, and
parts 1-10 of the ISO/IEC 9594:2001 edition.
This Directory Specification uses the term fifth edition systems to refer to systems conforming to the fifth edition of the
Directory Specifications, i.e., the 2005 edition of the ITU-T X.500-series Recommendations and the ISO/IEC 9594:2005
edition.
This Directory Specification uses the term sixth edition systems to refer to systems conforming to the sixth edition of the
Directory Specifications, i.e., the 2008 edition of the ITU-T X.500-series Recommendations and the ISO/IEC 9594:2008
edition.
2 Rec. ITU-T X.521 (10/2016)
This Directory Specification uses the term seventh edition systems to refer to systems conforming to the seventh edition
of the Directory Specifications, i.e., the 2012 edition of the ITU-T X.500-series Recommendations and the
ISO/IEC 9594:2014 edition.
This Directory Specification uses the term eighth edition systems to refer to systems conforming to the eighth edition of
the Directory Specifications, i.e., the 2016 edition of the ITU-T X.500-series Recommendations and the
ISO/IEC 9594:2017 edition.
This Directory Specification presents ASN.1 notation in the bold Courier New typeface. When ASN.1 types and values
are referenced in normal text, they are differentiated from normal text by presenting them in the bold Courier New
typeface. The names of procedures, typically referenced when specifying the semantics of processing, are differentiated
from normal text by displaying them in bold Times New Roman. Access control permissions are presented in italicized
Times New Roman.
Object classes and name forms are defined in this Directory Specification as values of the OBJECT-CLASS and
NAME-FORM information object classes defined in Rec. ITU-T X.501 | ISO/IEC 9594-2.

Rec. ITU-T X.521 (10/2016) 3
SECTION 2 – SELECTED OBJECT CLASSES
5 Definition of useful attribute sets
5.1 Telecommunication attribute set
This set of attributes is used to define those which are commonly used for business communications.

TelecommunicationAttributeSet ATTRIBUTE ::=
{facsimileTelephoneNumber |
internationalISDNNumber |
telephoneNumber |
-- teletexTerminalIdentifier (Attribute type has been deleted)
-- teletexTerminalIdentifier | Attribute type has been deleted
telexNumber |
preferredDeliveryMethod |
destinationIndicator |
registeredAddress |
x121Address}
5.2 Postal attribute set
This set of attributes is used to define those which are directly associated with postal delivery.

PostalAttributeSet ATTRIBUTE ::=
{physicalDeliveryOfficeName |
postalAddress |
postalCode |
postOfficeBox |
streetAddress}
5.3 Locale attribute set
This set of attributes is used to define those which are commonly used for search purposes to indicate the locale of an
object.
LocaleAttributeSet ATTRIBUTE ::=
{localityName |
stateOrProvinceName |
streetAddress}
4 Rec. ITU-T X.521 (10/2016)
5.4 Organizational attribute set
This set of attributes is used to define the attributes that an organization or organizational unit may typically possess.

OrganizationalAttributeSet ATTRIBUTE ::=
{description |
LocaleAttributeSet |
PostalAttributeSet |
TelecommunicationAttributeSet |
businessCategory |
seeAlso |
searchGuide |
userPassword}
6 Definition of selected object classes
6.1 Country
The345u country object class is used to define country entries in the DIT.

country OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {countryName}
MAY CONTAIN  {description |
searchGuide}
LDAP-NAME   {"country"}
ID      id-oc-country }
6.2 Locality
The locality object class is used to define locality in the DIT.

locality OBJECT-CLASS ::= {
SUBCLASS OF {top}
MAY CONTAIN {description |
searchGuide |
LocaleAttributeSet |
seeAlso}
LDAP-NAME  {"locality"}
ID      id-oc-locality }
At least one of Locality Name or State or Province Name shall be present.
6.3 Organization
The organization object class is used to define organization entries in the DIT.

organization OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {organizationName}
MAY CONTAIN  {OrganizationalAttributeSet}
LDAP-NAME   {"organization"}
ID      id-oc-organization }
6.4 Organizational Unit
The organizationalUnit object class is used to define entries representing subdivisions of organizations.

organizationalUnit OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {organizationalUnitName}
MAY CONTAIN  {OrganizationalAttributeSet}
LDAP-NAME   {"organizationalUnit"}
ID      id-oc-organizationalUnit }
Rec. ITU-T X.521 (10/2016) 5
6.5 Person
The person object class is used to define entries representing people generically.

person OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName |
surname}
MAY CONTAIN  {description |
telephoneNumber |
userPassword |
seeAlso}
LDAP-NAME   {"person"}
ID      id-oc-person }
6.6 Organizational Person
The organizationalPerson object class is used to define entries representing people employed by, or in some other
important way associated with, an organization.

organizationalPerson OBJECT-CLASS ::= {
SUBCLASS OF {person}
MAY CONTAIN {LocaleAttributeSet |
PostalAttributeSet |
TelecommunicationAttributeSet |
organizationalUnitName |
title}
LDAP-NAME  {"organizationalPerson"}
ID      id-oc-organizationalPerson }
6.7 Organizational Role
The organizationalRole object class is used to define entries representing an organizational role, i.e., a position or
role within an organization. An organizational role is normally considered to be filled by a particular organizational
person. Over its lifetime, however, an organizational role may be filled by a number of different organizational people in
succession. In general, an organizational role may be filled by a person or a non-human entity.

organizationalRole OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName}
MAY CONTAIN  {description |
LocaleAttributeSet |
organizationalUnitName |
PostalAttributeSet |
preferredDeliveryMethod |
roleOccupant |
seeAlso |
TelecommunicationAttributeSet}
LDAP-NAME   {"organizationalRole"}
ID      id-oc-organizationalRole }
6.8 Group Of Names
The groupOfNames object class is used to define entries representing an unordered set of names which represent
individual objects or other groups of names. The membership of a group is static, i.e., it is explicitly modified by
administrative action, rather than dynamically determined each time the group is referred to.
The membership of a group can be reduced to a set of individual object's names by replacing each group with its
membership. This process could be carried out recursively until all constituent group names have been eliminated, and
only the names of individual objects remain.

groupOfNames OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName | member}
MAY CONTAIN  {description |
organizationName |
organizationalUnitName |
owner |
6 Rec. ITU-T X.521 (10/2016)
seeAlso |
businessCategory}
LDAP-NAME   {"groupOfNames"}
ID      id-oc-groupOfNames }
6.9 Group Of Unique Names
The groupOfUniqueNames object class is used to define entries representing an unordered set of names whose integrity
can be assured and which represent individual objects or other groups of names. The membership of a group is static, i.e.,
it is explicitly modified by administrative action, rather than dynamically determined each time the group is referred to.

groupOfUniqueNames OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName |
uniqueMember}
MAY CONTAIN  {description |
organizationName |
organizationalUnitName |
owner |
seeAlso |
businessCategory}
LDAP-NAME   {"groupOfUniqueNames"}
ID      id-oc-groupOfUniqueNames }
6.10 Residential Person
The residentialPerson object class is used to define entries representing a person in the residential environment.

residentialPerson OBJECT-CLASS ::= {
SUBCLASS OF  {person}
MUST CONTAIN {localityName}
MAY CONTAIN  {LocaleAttributeSet |
PostalAttributeSet |
preferredDeliveryMethod |
TelecommunicationAttributeSet |
businessCategory}
LDAP-NAME   {"residentialPerson"}
ID      id-oc-residentialPerson }
6.11 Application Process
The applicationProcess object class is used to define entries representing application processes. An application
process is an element within a real open-system which performs the information processing for a particular application
(see Rec. ITU-T X.200 | ISO/IEC 7498-1).

applicationProcess OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName}
MAY CONTAIN  {description |
localityName |
organizationalUnitName |
seeAlso}
LDAP-NAME   {"applicationProcess"}
ID      id-oc-applicationProcess }
6.12 Application Entity
The applicationEntity object class is used to define entries representing application-entities. An application-entity
consists of those aspects of an application process pertinent to communications.

applicationEntity OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName |
presentationAddress}
MAY CONTAIN  {description |
localityName |
organizationName |
organizationalUnitName |
Rec. ITU-T X.521 (10/2016) 7
seeAlso |
supportedApplicationContext}
LDAP-NAME   {"applicationEntity"}
ID      id-oc-applicationEntity }
NOTE – If an application-entity is represented as a Directory object that is distinct from an application process, the commonName
attribute is used to carry the value of the Application Entity Qualifier.
6.13 DSA
The dSA object class is used to define entries representing DSAs. A DSA is as defined in Rec. ITU-T X.501 |
ISO/IEC 9594-2.
dSA OBJECT-CLASS ::= {
SUBCLASS OF  {applicationEntity}
MAY CONTAIN  {knowledgeInformation}
LDAP-NAME   {"dSA"}
ID      id-oc-dSA }
6.14 Device
The device object class is used to define entries representing devices. A device is a physical unit which can communicate,
such as a modem, disk drive, etc.

device OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {commonName}
MAY CONTAIN  {description |
localityName |
organizationName |
organizationalUnitName |
owner |
seeAlso |
serialNumber}
LDAP-NAME   {"device"}
ID      id-oc-device }
NOTE – At least one instance of localityName, serialNumber or owner attribute type, should be included. The choice is
dependent on device type.
6.15 Strong Authentication User
The strongAuthenticationUser object class is used to define entries for objects which participate in strong
authentication, as defined in Rec. ITU-T X.509 | ISO/IEC 9594-8.

strongAuthenticationUser OBJECT-CLASS ::= {
SUBCLASS OF  {top}
KIND     auxiliary
MUST CONTAIN {userCertificate}
LDAP-NAME   {"strongAuthenticationUser"}
LDAP-DESC   {"X.521 strong authentication user"}
ID      id-oc-strongAuthenticationUser }
NOTE – Use of this object class has been deprecated in favour of the pkiUser and pkiCA object classes defined in Rec. ITU-T
X.509 | ISO/IEC 9594-8. Implementations that use strongAuthenticationUser, certificationAuthority and
certificationAuthorityv2 object classes are still conformant to the standard, although new implementations are strongly
recommended to move to the pkiUser and pkiCA object classes.
6.16 User Security Information
The userSecurityInformation object class is used to define entries for objects which need to indicate security
information associated with them as defined in Rec. ITU-T X.509 | ISO/IEC 9594-8.

userSecurityInformation OBJECT-CLASS ::= {
SUBCLASS OF  {top}
KIND     auxiliary
MAY CONTAIN  {supportedAlgorithms}
LDAP-NAME   {"userSecurityInformation"}
LDAP-DESC   {"X.521 user security information"}
8 Rec. ITU-T X.521 (10/2016)
ID      id-oc-userSecurityInformation }
6.17 User Password
The userPwdClass object class is used to define entries for objects that maintain a user password (userPwd).

userPwdClass OBJECT-CLASS ::= {
KIND     auxiliary
MAY CONTAIN  { userPwd }
ID      id-oc-userPwdClass }
6.18 Certification Authority
The certificationAuthority object class is used to define entries for objects which act as certification authorities,
as defined in Rec. ITU-T X.509 | ISO/IEC 9594-8.

certificationAuthority OBJECT-CLASS ::= {
SUBCLASS OF  {top}
KIND     auxiliary
MUST CONTAIN {cACertificate |
certificateRevocationList |
authorityRevocationList}
MAY CONTAIN  {crossCertificatePair}
LDAP-NAME   {"certificationAuthority"}
LDAP-DESC   {"X.509 certificate authority"}
ID      id-oc-certificationAuthority }
NOTE – Use of this object class has been deprecated in favour of the pkiUser and pkiCA object classes defined in
Rec. ITU-T X.509 | ISO/IEC 9594-8. Implementations that use strongAuthenticationUser, certificationAuthority and
certificationAuthorityv2 object classes are still conformant to the standard, although new implementations are strongly
recommended to move to the pkiUser and pkiCA object classes.
6.19 Certification Authority-V2
The certificationAuthority-V2 object class is used to define entries for objects which act as certification authorities
and can support the delta revocation list as defined in Rec. ITU-T X.509 | ISO/IEC 9594-8.

certificationAuthority-V2 OBJECT-CLASS ::= {
SUBCLASS OF  {certificationAuthority}
KIND     auxiliary
MAY CONTAIN  {deltaRevocationList}
LDAP-NAME   {"certificationAuthority-V2"}
LDAP-DESC   {"X.509 certificate authority, version 2"}
ID      id-oc-certificationAuthority-V2 }
NOTE – Use of this object class has been deprecated in favour of the pkiUser and pkiCA object classes defined in
Rec. ITU-T X.509 | ISO/IEC 9594-8. Implementations that use strongAuthenticationUser, certificationAuthority and
certificationAuthorityv2 object classes are still conformant to the standard, although new implementations are strongly
recommended to move to the pkiUser and pkiCA object classes.
6.20 DMD
The dMD object class is used to define DMD entries in the DIT.

dMD OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {dmdName}
MAY CONTAIN  {OrganizationalAttributeSet}
LDAP-NAME   {"dmd"}
ID      id-oc-dmd }
6.21 OID Obj1
The oidC1obj object class is used to define a top level object identifier component entry in the DIT.

oidC1obj OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {oidC}
LDAP-NAME   {"oidC1obj"}
Rec. ITU-T X.521 (10/2016) 9
ID      id-oc-oidC1obj }
6.22 OID Obj2
The oidC2obj object class is used to define second level object identifier component entries in the DIT.

oidC2obj OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {oidC}
LDAP-NAME   {"oidC2obj"}
ID      id-oc-oidC2obj }
6.23 OID ObjC
The oidCobj object class is used to define the third- or lower-level object identifier component entries in the DIT.
NOTE – A tag-based object identifier typically has only three levels, where the first two values are { 2 27 }.

oidCobj OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN {oidC}
LDAP-NAME   {"oidCobj"}
ID      id-oc-oidCobj }
6.24 OID root
The oidRoot object class is moved to here from Rec. ITU-T X.660 | ISO/IEC 9834-1.

oidRoot OBJECT-CLASS ::= {
SUBCLASS OF  {alias}
MUST CONTAIN { oidC1 | oidC2 | oidC}
LDAP-NAME   {"oidRoot"}
ID      id-oidRoot }
6.25 OID arc
The oidArc object class is moved to here from Rec. ITU-T X.660 | ISO/IEC 9834-1.

oidArc OBJECT-CLASS ::= {
SUBCLASS OF  {alias}
MUST CONTAIN {oidC}
LDAP-NAME   {"oidArc"}
ID      id-oidArc }
6.26 URN ObjC
The urnCobj object class is used to define the entries of an URN subtree as determined

urnCobj OBJECT-CLASS ::= {
SUBCLASS OF  {top}
MUST CONTAIN { urnC }
LDAP-NAME   {"urnCobj"}
ID      id-oc-urnCobj }
6.27 ISO Tag Information
The isoTagInfo auxiliary object class may be used to add tag-based attribute types to an entry holding information
associated with a specific ISO tag.

isoTagInfo OBJECT-CLASS ::= {
SUBCLASS OF { top }
KIND     auxiliary
MAY CONTAIN { tagOid |
tagAfi |
uii |
uiiInUrn |
contentUrl |
tagLocation }
10 Rec. ITU-T X.521 (10/2016)
LDAP-NAME  {"isoTagInfo"}
ID      id-oc-isoTagInfo }
6.28 ISO Tag Type
The isoTagType auxiliary object class may be used to add tag-based attribute types to an entry holding information
about a specific type of tag (see Annex G of Rec. ITU-T X.520 | ISO/IEC 9594-6).

isoTagType OBJECT-CLASS ::= {
SUBCLASS OF { top }
KIND     auxiliary
MAY CONTAIN { tagOid |
tagAfi |
uiiFormat }
LDAP-NAME  {"isoTagType"}
ID      id-oc-isoTagType }
6.29 EPC Tag Information object class
The epcTagInfoObj auxiliary object class may be used to add tag-based attribute types to an entry holding information
associated with a specific EPC tag.

epcTagInfoObj OBJECT-CLASS ::= {
SUBCLASS OF { top }
KIND     auxiliary
MAY CONTAIN { epcHead
...