This chapter describes the Strong Authentication Package (SAP). In addition to the attribute types, attribute syntaxes, and object classes defined in the Basic Directory Contents Package, the standards also contain definitions to support authentication mechanisms. They include such objects as Strong-Authentication-User.
These definitions are chiefly in The Directory: Selected Attribute Types (ISO 9594-6, CCITT X.520) and The Directory: Selected Object Classes (ISO 9594-7, CCITT X.521) with additional material in The Directory: Overview of Concepts, Models, and Services (ISO 9594-1, CCITT X.500) and The Directory: Authentication Framework (ISO 9594-8, CCITT X.509).
This chapter outlines names for each of these items, and it defines OM classes to represent those that are not represented directly by OM syntaxes. The values of attributes in the directory are not restricted to those discussed in this chapter, and new attribute types and syntaxes can be created at any time. (For further information on how the values of other syntaxes are represented in the interface, see Section 10.6.1.)
The constants and OM classes in this chapter are defined in addition to those in Chapter 11, since they are not essential to the working of the interface, but instead allow directory entries to be utilized. The definitions belong to the Strong Authentication Package (SAP), which is supported by the DCE XDS API following negotiation of its use with ds_version().
The object identifier associated with the SA Package is
{iso(1) identified-organization(3) icd-ecma(0012) member-company(2) dec(1011) xopen(28) sap(2)}

with the following encoding:

\x2B\x0C\x02\x87\x73\x1C\x02

This identifier is represented by the constant DS_STRONG_AUTHENT_PKG. The C constants associated with this package are in the xdssap.h header file. The concepts and notation used are introduced in Section 11.1. They are also fully explained in Chapters 17 through 19.
The selected attribute types are presented first, followed by the selected object classes. Next, the OM class hierarchy and OM class definitions required to support the selected attribute types are presented.
13.1. SAP Attribute Types
This section presents the additional attribute types defined in the standards that are to be used with the Strong Authentication Package. Each attribute type has an object identifier, which is the value of the OM attribute DS_ATTRIBUTE_TYPE. These object identifiers are represented in the interface by constants with the same name as the directory attribute, and they are prefixed with DS_A_ so that they can be easily identified.

This section contains two tables that are used to indicate the object identifiers for Strong Authentication Package attribute types (see Table 13-1), and the values for Strong Authentication Package attribute types (see Table 13-2), respectively. Following these two tables is a brief description of each attribute. (See Section 12.1 for information on general matching rules.)
Note: The third and fourth columns of Table 13-1 contain the contents octets of the BER encoding of the object identifier. All these object identifiers stem from the root {joint-iso-ccitt(2) ds(5) attributeType(4)}.
Table 13-1: Object Identifiers for SAP Attribute Types

                                          Object Identifier BER
Package  Attribute Type               Decimal     Hexadecimal
SAP      DS_A_AUTHORITY_REVOC_LIST    85, 4, 38   \x55\x04\x26
SAP      DS_A_CA_CERT                 85, 4, 37   \x55\x04\x25
SAP      DS_A_CERT_REVOC_LIST         85, 4, 39   \x55\x04\x27
SAP      DS_A_CROSS_CERT_PAIR         85, 4, 40   \x55\x04\x28
SAP      DS_A_USER_CERT               85, 4, 36   \x55\x04\x24
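The package identifier at the start of this chapter and the attribute-type identifiers in Table 13-1 are both given as BER contents octets of an OBJECT IDENTIFIER. The following C program is an added illustration, not code from this manual or from the XDS API, that derives those octets from the dotted arcs so the table values can be checked offline. The function names oid_contents_octets and oid_encodes_to are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OID_MAX_ARCS 32

/* Parse a dotted identifier such as "1.3.12.2.1011.28.2" into its arcs.
   Returns the arc count, or 0 on a malformed string. */
static size_t parse_dotted(const char *s, uint32_t *arcs)
{
    size_t n = 0;
    while (*s) {
        char *end;
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || n == OID_MAX_ARCS) return 0;
        arcs[n++] = (uint32_t)v;
        if (*end == '\0') break;
        if (*end != '.') return 0;
        s = end + 1;
    }
    return n;
}

/* Base-128 encoding of one subidentifier, most significant group first,
   bit 8 set on every octet except the last. Returns octets written. */
static size_t encode_subid(uint32_t v, unsigned char *out)
{
    unsigned char tmp[5];
    size_t n = 0, i;
    do { tmp[n++] = (unsigned char)(v & 0x7F); v >>= 7; } while (v != 0);
    for (i = 0; i < n; i++) {
        unsigned char b = tmp[n - 1 - i];
        out[i] = (i + 1 < n) ? (unsigned char)(b | 0x80) : b;
    }
    return n;
}

/* BER contents octets of an OBJECT IDENTIFIER (tag and length omitted, as
   in the tables of this chapter): the first two arcs collapse into the
   single subidentifier 40*arc1 + arc2, the rest are encoded one by one.
   Returns the number of octets written, or 0 on error. */
size_t oid_contents_octets(const char *dotted, unsigned char *out, size_t cap)
{
    uint32_t arcs[OID_MAX_ARCS];
    size_t n = parse_dotted(dotted, arcs), len = 0, i;
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    for (i = 1; i < n; i++) {
        unsigned char buf[5];
        uint32_t sub = (i == 1) ? 40 * arcs[0] + arcs[1] : arcs[i];
        size_t k = encode_subid(sub, buf);
        if (len + k > cap) return 0;
        memcpy(out + len, buf, k);
        len += k;
    }
    return len;
}

/* Check an encoding against an expected hex string such as "550426".
   Returns 1 on an exact match, 0 otherwise. */
int oid_encodes_to(const char *dotted, const char *hex)
{
    unsigned char got[64];
    size_t n = oid_contents_octets(dotted, got, sizeof got), i;
    if (n == 0 || strlen(hex) != 2 * n) return 0;
    for (i = 0; i < n; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1 || v != got[i]) return 0;
    }
    return 1;
}

int main(void)
{
    /* The SAP package identifier from this chapter, plus one attribute type
       from Table 13-1 and one object class from Table 13-3. */
    const char *ids[] = { "1.3.12.2.1011.28.2", "2.5.4.38", "2.5.6.16" };
    size_t k, i;
    for (k = 0; k < 3; k++) {
        unsigned char buf[32];
        size_t n = oid_contents_octets(ids[k], buf, sizeof buf);
        printf("%-20s ", ids[k]);
        for (i = 0; i < n; i++) printf("\\x%02X", buf[i]);
        printf("\n");
    }
    return 0;
}
```

The two-digit hexadecimal form printed here matches the notation used in the tables, so the program can be pointed at any identifier in this chapter to confirm its BER column.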
Table 13-2: Representation of Values for SAP Attribute Types

Attribute Type               OM Value Syntax          Value Length  Multi-valued  Matching Rules
DS_A_AUTHORITY_REVOC_LIST    Object(DS_C_CERT_LIST)   --            yes
DS_A_CA_CERT                 Object(DS_C_CERT)        --            yes
DS_A_CERT_REVOC_LIST         Object(DS_C_CERT_LIST)   --            yes
DS_A_CROSS_CERT_PAIR         Object(DS_C_CERT_PAIR)   --            yes
DS_A_USER_CERT               Object(DS_C_CERT)        --            yes

Throughout the descriptions that follow, the term object indicates the directory object whose directory entry contains the corresponding directory attributes.
- DS_A_AUTHORITY_REVOC_LIST
This attribute occurs only in entries that describe a Certification Authority (CA). It lists all the certificates issued to any of the CAs known to this CA, and later revoked. Each value of this OM attribute is signed by the CA.
- DS_A_CA_CERT
This attribute specifies the certificates assigned to the object, which is a Certification Authority.
- DS_A_CERT_REVOC_LIST
This attribute occurs only in entries that describe a CA. It lists the certificates issued by this CA and later revoked. Each value of this OM attribute is signed by the CA.
- DS_A_CROSS_CERT_PAIR
This attribute specifies one or two certificates, held in the entry of a CA. The first certificate is that of one CA, guaranteed by a second CA; the second certificate is that of the second CA, guaranteed by the first CA.
- DS_A_USER_CERT
This attribute specifies the user certificates assigned to the object, which may be any user certificate including a CA certificate.
13.2. Strong Authentication Package Object Classes
This section presents the Strong Authentication Package object classes that are defined in the standards (see Table 13-3).

Note: The third and fourth columns of Table 13-3 contain the contents octets of the BER encoding of the object identifier. All these object identifiers stem from the root {joint-iso-ccitt(2) ds(5) objectClass(6)}.
Table 13-3: Object Identifiers for SAP Object Classes

                                          Object Identifier BER
Package  Object Class                 Decimal     Hexadecimal
SAP      DS_O_CERT_AUTHORITY          85, 6, 16   \x55\x06\x10
SAP      DS_O_STRONG_AUTHENT_USER     85, 6, 15   \x55\x06\x0F

13.3. OM Class Hierarchy
The remainder of this chapter defines the additional OM classes used by SAP. This section shows the hierarchical organization of the OM classes that are defined in the following sections, and it shows which OM classes inherit additional OM attributes from their OM superclasses. In the following list, subclassification is indicated by indentation, and abstract OM classes are marked as such.

- OM_C_OBJECT
  - DS_C_ALGORITHM_IDENT
  - DS_C_CERT_PAIR
  - DS_C_SIGNATURE (abstract)
    - DS_C_CERT
    - DS_C_CERT_LIST
    - DS_C_CERT_SUBLIST
None of the OM classes in the preceding list are encodable by using om_encode and om_decode.
13.4. DS_C_ALGORITHM_IDENT
An instance of OM class DS_C_ALGORITHM_IDENT records the encryption algorithm that an object uses to digitally sign messages, together with the parameters of the algorithm.

An instance of this OM class has the OM attributes of its superclass, OM_C_OBJECT, in addition to the OM attributes listed in Table 13-4.
Table 13-4: OM Attributes of DS_C_ALGORITHM_IDENT

OM Attribute              Value Syntax                              Value Length  Value Number  Value Initially
DS_ALGORITHM              String(OM_S_OBJECT_IDENTIFIER_STRING)     --            1             --
DS_ALGORITHM_PARAMETERS   any                                       --            0 or 1        --
- DS_ALGORITHM
This attribute specifies an object identifier that uniquely identifies the algorithm used by some object.
- DS_ALGORITHM_PARAMETERS
This attribute specifies the values of the algorithm's parameters that are used by the object. The syntax of the parameters is determined by each individual algorithm.
13.5. DS_C_CERT
An instance of OM class DS_C_CERT comprises a user's DN, public key, and additional information, all of which is digitally signed by the issuing CA in order to make the certificate unforgeable. The OM attributes associated with DS_C_SIGNATURE (a superclass of DS_C_CERT) are present.

An instance of this OM class has the OM attributes of its superclasses, OM_C_OBJECT and DS_C_SIGNATURE, in addition to the OM attributes listed in Table 13-5.
Table 13-5: OM Attributes of DS_C_CERT

OM Attribute             Value Syntax                     Value Length  Value Number  Value Initially
DS_SERIAL_NUMBER         OM_S_INTEGER                     --            1             --
DS_SUBJECT               Object(DS_C_NAME)                --            1             --
DS_SUBJECT_ALGORITHM     Object(DS_C_ALGORITHM_IDENT)     --            1             --
DS_SUBJECT_PUBLIC_KEY    String(OM_S_BIT_STRING)          --            1             --
DS_VALIDITY_NOT_AFTER    String(OM_S_UTC_TIME_STRING)     0-17          1             --
DS_VALIDITY_NOT_BEFORE   String(OM_S_UTC_TIME_STRING)     0-17          1             --
DS_VERSION               Enum(DS_Version)                 --            1             DS_V1988
- DS_SERIAL_NUMBER
This attribute distinguishes the certificate from all other certificates that were ever or will be issued by the CA which issued this certificate.
- DS_SUBJECT
This attribute specifies the subject's name.
- DS_SUBJECT_ALGORITHM
This attribute specifies the algorithm that is used by the subject for encryption, and which is associated with the public key.
- DS_SUBJECT_PUBLIC_KEY
This attribute specifies the subject's public key, associated with the algorithm.
- DS_VALIDITY_NOT_AFTER
This attribute specifies the last day on which the certificate is valid.
- DS_VALIDITY_NOT_BEFORE
This attribute specifies the first day on which the certificate is valid.
- DS_VERSION
This attribute identifies the certificate's design. Its value is as follows:
- DS_V1988, meaning the design specified in the 1988 version of the standards.
13.6. DS_C_CERT_LIST
An instance of OM class DS_C_CERT_LIST documents the revocation of zero or more certificates. The documentation is provided by the object, which is a CA whose signature is affixed to the instance.

An instance of this OM class has the OM attributes of its superclasses, OM_C_OBJECT and DS_C_SIGNATURE, in addition to the OM attributes listed in Table 13-6.
Table 13-6: OM Attributes of DS_C_CERT_LIST

OM Attribute        Value Syntax                     Value Length  Value Number  Value Initially
DS_LAST_UPDATE      String(OM_S_UTC_TIME_STRING)     0-17          1             --
DS_REVOKED_CERTS    Object(DS_C_CERT_SUBLIST)        --            0 or more     --
- DS_LAST_UPDATE
This attribute indicates the time at which the revocation list was updated to its current state.
- DS_REVOKED_CERTS
This attribute identifies the revoked certificates.
13.7. DS_C_CERT_PAIR
An instance of OM class DS_C_CERT_PAIR contains one or both of a forward and a reverse certificate, which assist users in building a certification path.

An instance of this OM class has the OM attributes of its superclass, OM_C_OBJECT, in addition to the OM attributes listed in Table 13-7.
Table 13-7: OM Attributes of DS_C_CERT_PAIR

OM Attribute   Value Syntax         Value Length  Value Number  Value Initially
DS_FORWARD     Object(DS_C_CERT)    --            0 or 1 (1)    --
DS_REVERSE     Object(DS_C_CERT)    --            0 or 1 (1)    --

(1) At least one of these OM attributes must be present.
- DS_FORWARD
This attribute specifies the certificate of a first CA issued by a second CA.
- DS_REVERSE
This attribute specifies the certificate of the second CA issued by the first CA.
13.8. DS_C_CERT_SUBLIST
An instance of OM class DS_C_CERT_SUBLIST documents the revocation of zero or more certificates issued by the CA whose signature is affixed to the instance.

An instance of this OM class has the OM attributes of its superclasses, OM_C_OBJECT and DS_C_SIGNATURE, in addition to the OM attributes listed in Table 13-8.
Table 13-8: OM Attributes of DS_C_CERT_SUBLIST

OM Attribute          Value Syntax                     Value Length  Value Number      Value Initially
DS_REVOCATION_DATE    String(OM_S_UTC_TIME_STRING)     0-17          0 or more (1)     --
DS_SERIAL_NUMBERS     OM_S_INTEGER                     --            0 or more (1)     --

(1) The values of these two OM attributes parallel one another and shall be equal in number.
- DS_REVOCATION_DATE
This attribute specifies the time at which each of the certificates was revoked. The serial numbers of the certificates are the corresponding values of the OM attribute DS_SERIAL_NUMBERS.
- DS_SERIAL_NUMBERS
This attribute specifies the serial numbers assigned to the revoked certificates.
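The following C program is an added illustration, not code from this manual or from the XDS API (which represents these as OM objects rather than C structs). It models DS_C_CERT, DS_C_CERT_LIST, DS_C_CERT_SUBLIST and DS_C_CERT_PAIR as plain structures and applies the checks that Sections 13.5 through 13.8 imply: the validity window, the issuer match between a certificate and the list that may revoke it, the revocation lookup that pairs DS_SERIAL_NUMBERS with DS_REVOCATION_DATE by position (so a sublist with unequal counts is reported as malformed rather than silently trusted), and the at-least-one rule of Table 13-7. The struct and function names, the century pivot used to compare two-digit UTCTime years, and all sample certificates and lists are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REVOKED 8
#define MAX_SUBLISTS 4
/* Plain-C models of the OM classes (illustration only, not XDS OM objects).
   Names are DN strings; times are X.509(1988) UTCTime "YYMMDDHHMMSSZ". */
typedef struct {
    long serial_number;       /* DS_SERIAL_NUMBER */
    const char *subject;      /* DS_SUBJECT */
    const char *issuer;       /* DS_ISSUER (inherited from DS_C_SIGNATURE) */
    const char *not_before;   /* DS_VALIDITY_NOT_BEFORE */
    const char *not_after;    /* DS_VALIDITY_NOT_AFTER */
} ds_cert;                    /* DS_C_CERT */
typedef struct {
    const char *revocation_date[MAX_REVOKED]; /* DS_REVOCATION_DATE */
    long serial_numbers[MAX_REVOKED];         /* DS_SERIAL_NUMBERS */
    size_t n_dates, n_serials;                /* counted separately on purpose */
} ds_cert_sublist;                            /* DS_C_CERT_SUBLIST */
typedef struct {
    const char *issuer;                       /* DS_ISSUER of the signing CA */
    const char *last_update;                  /* DS_LAST_UPDATE */
    size_t n_sublists;
    ds_cert_sublist revoked[MAX_SUBLISTS];    /* DS_REVOKED_CERTS */
} ds_cert_list;                               /* DS_C_CERT_LIST */

enum cert_status { CERT_GOOD, CERT_NOT_YET_VALID, CERT_EXPIRED, CERT_REVOKED, CERT_ISSUER_MISMATCH, CERT_CRL_MALFORMED };

/* UTCTime has a two-digit year; a pivot (50..99 -> 19xx, else 20xx) is
   assumed so values compare as YYYYMMDDHHMMSS strings. */
static int utc_cmp(const char *a, const char *b)
{
    char ka[16], kb[16];
    snprintf(ka, sizeof ka, "%s%.12s", a[0] >= '5' ? "19" : "20", a);
    snprintf(kb, sizeof kb, "%s%.12s", b[0] >= '5' ? "19" : "20", b);
    return strcmp(ka, kb);
}

/* Table 13-8 footnote: the two attributes are matched by position, so their counts must be equal. */
int sublist_consistent(const ds_cert_sublist *s)
{
    return s->n_dates == s->n_serials && s->n_dates <= MAX_REVOKED;
}

/* Revocation date of 'serial' if listed, else NULL; a sublist breaking the invariant is flagged. */
const char *crl_lookup(const ds_cert_list *crl, long serial, int *malformed)
{
    size_t i, j;
    *malformed = 0;
    for (i = 0; i < crl->n_sublists; i++) {
        const ds_cert_sublist *s = &crl->revoked[i];
        if (!sublist_consistent(s)) { *malformed = 1; return NULL; }
        for (j = 0; j < s->n_serials; j++)
            if (s->serial_numbers[j] == serial) return s->revocation_date[j];
    }
    return NULL;
}

/* Validity window (13.5) and revocation lookup (13.6, 13.8) at time 'now'.
   Verifying the CA's signature over both objects is outside this model. */
enum cert_status check_cert(const ds_cert *c, const ds_cert_list *crl, const char *now)
{
    int malformed;
    if (utc_cmp(now, c->not_before) < 0) return CERT_NOT_YET_VALID;
    if (utc_cmp(now, c->not_after) > 0) return CERT_EXPIRED;
    if (strcmp(crl->issuer, c->issuer) != 0) return CERT_ISSUER_MISMATCH;
    if (crl_lookup(crl, c->serial_number, &malformed)) return CERT_REVOKED;
    return malformed ? CERT_CRL_MALFORMED : CERT_GOOD;
}

/* Table 13-7 footnote: at least one of DS_FORWARD / DS_REVERSE is present;
   when both are, they name the same two CAs with the roles swapped. */
int cert_pair_consistent(const ds_cert *forward, const ds_cert *reverse)
{
    if (!forward && !reverse) return 0;
    if (forward && reverse)
        return strcmp(forward->subject, reverse->issuer) == 0 &&
               strcmp(forward->issuer, reverse->subject) == 0;
    return 1;
}

/* Constructed sample data (not taken from the manual). */
#define CA1 "CN=CA1,O=Example,C=US"
#define CA2 "CN=CA2,O=Example,C=US"
const ds_cert sample_user_cert = { 1001, "CN=Alice,O=Example,C=US", CA1, "920101000000Z", "951231235959Z" };
const ds_cert sample_revoked_cert = { 1002, "CN=Bob,O=Example,C=US", CA1, "920101000000Z", "951231235959Z" };
const ds_cert sample_ca1_by_ca2 = { 7, CA1, CA2, "910101000000Z", "991231235959Z" };
const ds_cert sample_ca2_by_ca1 = { 9, CA2, CA1, "910101000000Z", "991231235959Z" };
const ds_cert_list sample_crl = { CA1, "930601120000Z", 1,
    { { { "930315090000Z", "930501000000Z" }, { 1002, 1005 }, 2, 2 } } };
const ds_cert_list sample_bad_crl = { CA1, "930601120000Z", 1,
    { { { "930315090000Z" }, { 1002, 1005 }, 1, 2 } } };  /* unequal counts */
int main(void)
{
    printf("alice %d bob %d\n", check_cert(&sample_user_cert, &sample_crl, "930701120000Z"),
           check_cert(&sample_revoked_cert, &sample_crl, "930701120000Z"));
    return 0;
}
```

The order of checks is deliberate: a list is consulted only when its DS_ISSUER equals the certificate's DS_ISSUER, because a CA's DS_C_CERT_LIST speaks only for the certificates that CA issued, and a malformed sublist yields CERT_CRL_MALFORMED rather than CERT_GOOD so that a damaged list never passes a certificate it might have revoked.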
13.9. DS_C_SIGNATURE
An instance of the abstract OM class DS_C_SIGNATURE contains the algorithm identifier used to produce a digital signature and the name of the object that produced it. The scope of the signature is any instance of any subclass of this OM class.

An instance of this OM class has the OM attributes of its superclass, OM_C_OBJECT, in addition to the OM attributes listed in Table 13-9.
Table 13-9: OM Attributes of DS_C_SIGNATURE

OM Attribute          Value Syntax                     Value Length  Value Number  Value Initially
DS_ISSUER             Object(DS_C_NAME)                --            1             --
DS_SIGNATURE          Object(DS_C_ALGORITHM_IDENT)     --            1             --
DS_SIGNATURE_VALUE    String(OM_S_OCTET_STRING)        --            1             --
- DS_ISSUER
This attribute indicates the name of the object that produced the digital signature.
- DS_SIGNATURE
This attribute identifies the algorithm that was used to produce the digital signature, and any parameters of the algorithm.
- DS_SIGNATURE_VALUE
This attribute contains an enciphered summary of the information to which the signature is appended. The summary is produced by means of a one-way hash function, while the enciphering is carried out by using the secret key of the signer.
© 1990-1996, Transarc Corporation