GB/T 16264.8-2005
Information technology - Open Systems Interconnection - The Directory - Part 8: Public-key and attribute certificate frameworks (English Version)

Chinese Standard
Standard No.: GB/T 16264.8-2005
Language: Chinese, available in English version
Release Date: 2005
Published By: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Latest: GB/T 16264.8-2005
Replaces: GB/T 16264.8-1996
Scope
This standard describes a framework that is the basis for all security services and specifies security requirements for authentication and other services. This part specifies the following three frameworks:
  • Public-key certificate framework;
  • Attribute certificate framework;
  • Authentication service framework.
The public-key certificate framework in this part defines public key infrastructure (PKI) information objects, such as public-key certificates and certificate revocation lists (CRLs). The attribute certificate framework defines Privilege Management Infrastructure (PMI) information objects, such as attribute certificates and attribute certificate revocation lists (ACRLs). This part also provides the framework for issuing, managing, using and revoking certificates. Extension mechanisms are included in both the specified certificate formats and the revocation list schema formats, and this part defines a set of standard extensions for both formats that are generally applicable in PKI and PMI applications. This part includes schema components (object classes, attribute types and matching rules) for storing PKI and PMI objects in the Directory. Other PKI and PMI elements beyond these frameworks (such as key and certificate management protocols, operational protocols, and additional certificate and CRL extensions) are to be developed by other standards bodies (such as ISO TC68 and the IETF). The authentication scheme defined in this part is general and can be applied to different kinds of applications and environments. Public-key certificates and attribute certificates are used by the Directory itself, and this part also specifies the framework for using both kinds of certificate with the Directory.
The Directory uses public-key techniques (such as certificates) to implement strong authentication, signature operations and/or encryption operations, and signed and/or encrypted data are stored in the Directory. The Directory supports rule-based access control through the use of attribute certificates. This part specifies only the frameworks themselves; the complete provisions for the Directory's use of these frameworks, and for the related services provided by the Directory and its components, are given in the Directory series of standards. Within the authentication service framework, this part also:
  • specifies the form of the authentication information held by the Directory;
  • describes how authentication information can be obtained from the Directory;
  • states the assumptions made about how authentication information is formed and placed in the Directory;
  • defines three ways in which applications may use this authentication information to perform authentication, and describes how authentication can be used to support other security services.
This part describes two levels of authentication: weak authentication, which uses a password as the verification of a claimed identity; and strong authentication, which involves credentials formed using cryptographic techniques. Weak authentication offers only limited protection against unauthorized access; only strong authentication can serve as the basis for providing security services. This standard is not intended to establish a general framework for authentication, but it may be generally applicable to those applications for which these techniques are considered adequate. Authentication (and other security services) can only be provided within the context of a defined security policy. The users of an application define their own security policy, which is constrained by the services provided by the standard.
Application standards that use this authentication framework specify the protocol exchanges that must be performed to achieve authentication on the basis of authentication information obtained from the Directory. The protocol by which applications obtain credentials from the Directory is the Directory Access Protocol (DAP), specified in ITU-T X.519 | ISO/IEC 9594-5.

GB/T 16264.8-2005 Referenced Documents

  • GB/T 9387.2-1995 Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security architecture
  • ITU-T X.411-1999 Information technology - Message Handling Systems (MHS): Message Transfer System: Abstract Service Definition and Procedures (Series X: Data Networks and Open System Communications, Message Handling Systems)
  • ITU-T X.500-2001 Information technology - Open Systems Interconnection - The Directory: Overview of Concepts, Models and Services (Series X: Data Networks and Open System Communications, Directory; Study Group 7)
  • ITU-T X.518-2001 Information technology - Open Systems Interconnection - The Directory: Procedures for Distributed Operation (Series X: Data Networks and Open System Communications, Directory; Study Group 7)

GB/T 16264.8-2005 History

  • 2005 GB/T 16264.8-2005 Information technology - Open Systems Interconnection - The Directory - Part 8: Public-key and attribute certificate frameworks
  • 1996 GB/T 16264.8-1996 Information technology - Open Systems Interconnection - The Directory - Part 8: Authentication framework
