W <- 4. Definitions -> Y
X
$ X.400
(N) An ITU-T Recommendation [X400] that is one part of a joint
ITU-T/ISO multi-part standard (X.400-X.421) that defines the
Message Handling Systems. (The ISO equivalent is IS 10021, parts
1-7.) (See: Message Handling Systems.)
$ X.500
(N) An ITU-T Recommendation [X500] that is one part of a joint
ITU-T/ISO multi-part standard (X.500-X.525) that defines the X.500
Directory, a conceptual collection of systems that provide
distributed directory capabilities for OSI entities, processes,
applications, and services. (The ISO equivalent is IS 9594-1 and
related standards, IS 9594-x.) (See: directory vs. Directory,
X.509.)
Tutorial: The X.500 Directory is structured as a tree (the
Directory Information Tree), and information is stored in
directory entries. Each entry is a collection of information about
one object, and each object has a DN. A directory entry is
composed of attributes, each with a type and one or more values.
For example, if a PKI uses the Directory to distribute
Shirey Informational [Page 338]
RFC 4949 Internet Security Glossary, Version 2 August 2007
certificates, then the X.509 public-key certificate of an end user
is normally stored as a value of an attribute of type
"userCertificate" in the Directory entry that has the DN that is
the subject of the certificate.
$ X.509
(N) An ITU-T Recommendation [X509] that defines a framework to
provide and support data origin authentication and peer entity
authentication, including formats for X.509 public-key
certificates, X.509 attribute certificates, and X.509 CRLs. (The
ISO equivalent is IS 9498-4.) (See: X.500.)
Tutorial: X.509 describes two "levels" of authentication: "simple
authentication" and "strong authentication". It recommends, "While
simple authentication offers some limited protection against
unauthorized access, only strong authentication should be used as
the basis for providing secure services."
$ X.509 attribute certificate
(N) An attribute certificate in the version 1 (v1) format defined
by X.509. (The v1 designation for an X.509 attribute certificate
is disjoint from the v1 designation for an X.509 public-key
certificate, and from the v1 designation for an X.509 CRL.)
Tutorial: An X.509 attribute certificate has a "subject" field,
but the attribute certificate is a separate data structure from
that subject's public-key certificate. A subject may have multiple
attribute certificates associated with each of its public-key
certificates, and an attribute certificate may be issued by a
different CA than the one that issued the associated public-key
certificate.
An X.509 attribute certificate contains a sequence of data items
and has a digital signature that is computed from that sequence.
Besides the signature, an attribute certificate contains items 1
through 9 listed below:
1. version Identifies v1.
2. subject Is one of the following:
2a. baseCertificateID Issuer and serial number of an
X.509 public-key certificate.
2b. subjectName DN of the subject.
3. issuer DN of the issuer (the CA who signed).
4. signature OID of algorithm that signed the cert.
5. serialNumber Certificate serial number;
an integer assigned by the issuer.
6. attCertValidityPeriod Validity period; a pair of UTCTime
values: "not before" and "not after".
Shirey Informational [Page 339]
RFC 4949 Internet Security Glossary, Version 2 August 2007
7. attributes Sequence of attributes describing the
subject.
8. issuerUniqueId Optional, when a DN is not sufficient.
9. extensions Optional.
$ X.509 certificate
(N) Synonym for "X.509 public-key certificate".
Usage: IDOCs MAY use this term as an abbreviation of "X.509
public-key certificate", but only after using the full term at the
first instance. Otherwise, the term is ambiguous, because X.509
specifies both public-key certificates and attribute certificates.
(See: X.509 attribute certificate, X.509 public-key certificate.)
Deprecated Usage: IDOCs SHOULD NOT use this term as an
abbreviation of "X.509 attribute certificate", because the term is
much more commonly used to mean "X.509 public-key certificate"
and, therefore, is likely to be misunderstood.
$ X.509 certificate revocation list (CRL)
(N) A CRL in one of the formats defined by X.509 -- version 1 (v1)
or version 2 (v2). (The v1 and v2 designations for an X.509 CRL
are disjoint from the v1 and v2 designations for an X.509 public-
key certificate, and from the v1 designation for an X.509
attribute certificate.) (See: certificate revocation.)
Usage: IDOCs SHOULD NOT refer to an X.509 CRL as a digital
certificate; however, note that an X.509 CRL does meet this
Glossary's definition of "digital certificate". That is, like a
digital certificate, an X.509 CRL makes an assertion and is signed
by a CA. But instead of binding a key or other attributes to a
subject, an X.509 CRL asserts that certain previously issued,
X.509 certificates have been revoked.
Tutorial: An X.509 CRL contains a sequence of data items and has a
digital signature computed on that sequence. Besides the
signature, both v1 and v2 contain items 2 through 6b listed below.
Version 2 contains item 1 and may optionally contain 6c and 7.
1. version Optional. If present, identifies v2.
2. signature OID of the algorithm that signed CRL.
3. issuer DN of the issuer (the CA who signed).
4. thisUpdate A UTCTime value.
5. nextUpdate A UTCTime value.
6. revokedCertificates 3-tuples of 6a, 6b, and (optional) 6c:
6a. userCertificate A certificate's serial number.
6b. revocationDate UTCTime value for the revocation date.
6c. crlEntryExtensions Optional.
Shirey Informational [Page 340]
RFC 4949 Internet Security Glossary, Version 2 August 2007
7. crlExtensions Optional.
$ X.509 public-key certificate
(N) A public-key certificate in one of the formats defined by
X.509 -- version 1 (v1), version 2 (v2), or version 3 (v3). (The
v1 and v2 designations for an X.509 public-key certificate are
disjoint from the v1 and v2 designations for an X.509 CRL, and
from the v1 designation for an X.509 attribute certificate.)
Tutorial: An X.509 public-key certificate contains a sequence of
data items and has a digital signature computed on that sequence.
Besides the signature, all three versions contain items 1 through
7 listed below. Only v2 and v3 certificates may also contain items
8 and 9, and only v3 may contain item 10.
1. version Identifies v1, v2, or v3.
2. serialNumber Certificate serial number;
an integer assigned by the issuer.
3. signature OID of algorithm that was used to
sign the certificate.
4. issuer DN of the issuer (the CA who signed).
5. validity Validity period; a pair of UTCTime
values: "not before" and "not after".
6. subject DN of entity who owns the public key.
7. subjectPublicKeyInfo Public key value and algorithm OID.
8. issuerUniqueIdentifier Defined for v2, v3; optional.
9. subjectUniqueIdentifier Defined for v2, v2; optional.
10. extensions Defined only for v3; optional.
$ X9
(N) See: "Accredited Standards Committee X9" under "ANSI".
$ XML
(N) See: Extensible Markup Language.
$ XML-Signature.
(N) A W3C Recommendation (i.e., approved standard) that specifies
XML syntax and processing rules for creating and representing
digital signatures (based on asymmetric cryptography) that can be
applied to any digital content (i.e., any data object) including
other XML material.
W <- 4. Definitions -> Y