
ISSS Schema

The X.500 standard defines several schema elements for general purpose use. In the first edition (the 1988 edition) some very useful object classes were defined. Each of these object classes includes utilise these new attribute types auxiliary object classes have to be defined to complement the structural object classes defined within X.500. Administrators of directories may therefore feel the need to develop their own auxiliary object classes, and at times also additional attribute types. Such "home grown" directory schema definitions make future interworking problematic, so standardised schema elements should be used whenever possible. During its lifetime the CEN/ISSS Directory Workshop (CEN = European Committee for Standardization; ISSS = Information Society Standardization System) developed a set of directory schema elements. The schema elements defined here should be used in preference to defining one's own.

The object identifier subtree used for developing these schema elements was:

euroDir ::= { iso(1) identified-organisation(3) ewos(16) eg(2) dir(1) }

From this root object identifiers are allocated as described below.

The allocation of CEN/ISSS object identifiers is consistent with the object identifier structure of the base Directory Specification (see ISO/IEC 9594-2 or X.501 Annex A). The allocated values are shown below.

euroModule  OBJECT IDENTIFIER ::= {euroDir 1}   -- for ASN.1 modules
euro-at     OBJECT IDENTIFIER ::= {euroDir 4}   -- for attribute types
euro-as     OBJECT IDENTIFIER ::= {euroDir 5}   -- for attribute syntaxes
euro-oc     OBJECT IDENTIFIER ::= {euroDir 6}   -- for object classes
euro-alg    OBJECT IDENTIFIER ::= {euroDir 8}   -- for security algorithms
euro-mr     OBJECT IDENTIFIER ::= {euroDir 13}  -- for matching rules
euro-nf     OBJECT IDENTIFIER ::= {euroDir 15}  -- for name forms

The schema elements defined here refer to schema elements defined within the Internet environment.

Object identifier allocation

id-euro-oc-organization  OBJECT IDENTIFIER ::= { euro-oc 1 }
id-euro-oc-orgUnit       OBJECT IDENTIFIER ::= { euro-oc 2 }
id-euro-oc-orgPerson     OBJECT IDENTIFIER ::= { euro-oc 3 }
id-euro-oc-resPerson     OBJECT IDENTIFIER ::= { euro-oc 4 }

id-euro-at-orgID         OBJECT IDENTIFIER ::= { euro-at 1 }
id-euro-at-floor         OBJECT IDENTIFIER ::= { euro-at 2 }
id-euro-at-floorEntity   OBJECT IDENTIFIER ::= { euro-at 3 }
id-euro-at-telExten      OBJECT IDENTIFIER ::= { euro-at 4 }
id-euro-at-fax           OBJECT IDENTIFIER ::= { euro-at 5 }
id-euro-at-localEmails   OBJECT IDENTIFIER ::= { euro-at 6 }
id-euro-at-area          OBJECT IDENTIFIER ::= { euro-at 7 }

id-euro-nf-orgNF         OBJECT IDENTIFIER ::= { euro-nf 1 }
id-euro-nf-orgPersNF     OBJECT IDENTIFIER ::= { euro-nf 2 }
id-euro-nf-resPersNF     OBJECT IDENTIFIER ::= { euro-nf 3 }

Object class definitions

The telephone-related attribute types taken from RFC-1274 have the syntax TelephoneNumberSyntax, which is defined in the 1988 edition of ISO/IEC 9594-6 | CCITT X.520 but was removed in later editions. It is the same as the PrintableString syntax.

The textEncodedORAddress has been included to allow this attribute type as an alternative to the more complex attribute type mhs-or-addresses defined in X.402 | ISO/IEC 10021-2.

Some of the attribute types included in the following auxiliary object classes are taken from ISO/IEC 9594-6 | ITU-T X.520 - Selected Attribute Types. This specification is referred to below as X.520.

Auxiliary object class for organization

This auxiliary object class is intended to supplement the organization object class defined in ISO/IEC 9594-7 or ITU-T Rec. X.521.

euroOrganization OBJECT-CLASS ::= {
   SUBCLASS OF  { top }
   KIND         auxiliary
   MAY CONTAIN  { serialNumber |        -- from X.520
                secretary |             -- from RFC-1274
                mail |                  -- from RFC-1274
                textEncodedORAddress |  -- from RFC-1274
                mobile |                -- from RFC-1274
                pager |                 -- from RFC-1274
                labeledURI |            -- from RFC-2079
                area |                  -- defined here
                fax |                   -- defined here
                vATName }               -- defined here
   ID           id-euro-oc-organization }

Auxiliary object class for organizational unit

This auxiliary object class is intended to supplement the organizational unit object class defined in ISO/IEC 9594-7 or ITU-T X.521.

euroOrgUnit OBJECT-CLASS ::= {
   SUBCLASS OF  { top }
   KIND         auxiliary
   MAY CONTAIN  { serialNumber |        -- from X.520
                secretary |             -- from RFC-1274
                mail |                  -- from RFC-1274
                textEncodedORAddress |  -- from RFC-1274
                mobile |                -- from RFC-1274
                pager |                 -- from RFC-1274
                labeledURI |            -- from RFC-2079
                area |                  -- defined here
                fax }                   -- defined here
   ID           id-euro-oc-orgUnit }

Auxiliary object class for organizational person

This auxiliary object class is intended to supplement the organizationalPerson object class defined in ISO/IEC 9594-7 or ITU-T X.521.

euroOrgPerson OBJECT-CLASS ::= {
   SUBCLASS OF  { top }
   KIND         auxiliary
   MAY CONTAIN  { givenName |           -- from X.520
                initials |              -- from X.520
                generationQualifier |   -- from X.520
                uniqueIdentifier |      -- from X.520
                serialNumber |          -- from X.520
                secretary |             -- from RFC-1274
                mail |                  -- from RFC-1274
                textEncodedORAddress |  -- from RFC-1274
                uid |                   -- from RFC-1274
                mobile |                -- from RFC-1274
                homePhone |             -- from RFC-1274
                pager |                 -- from RFC-1274
                homePostalAddress |     -- from RFC-1274
                roomNumber |            -- from RFC-1274
                buildingName |          -- from RFC-1274
                labeledURI |            -- from RFC-2079
                jpegPhoto |             -- from RFC 2798
                area |                  -- defined here
                floor |                 -- defined here
                floorEntity |           -- defined here
                fax |                   -- defined here
                telExten }              -- defined here
   ID           id-euro-oc-orgPerson }

Auxiliary object class for residential person

This auxiliary object class is intended to supplement the residentialPerson object class defined in ISO/IEC 9594-7 or ITU-T X.521.

euroResPerson OBJECT-CLASS ::= {
   SUBCLASS OF  { top }
   KIND         auxiliary
   MAY CONTAIN  { givenName |           -- from X.520
                initials |              -- from X.520
                generationQualifier |   -- from X.520
                title |                 -- from X.520
                uniqueIdentifier |      -- from X.520
                serialNumber |          -- from X.520
                houseIdentifier |       -- from X.520
                mail |                  -- from RFC-1274
                textEncodedORAddress |  -- from RFC-1274
                mobile |                -- from RFC-1274
                pager |                 -- from RFC-1274
                buildingName |          -- from RFC-1274
                labeledURI |            -- from RFC-2079
                fax |                   -- defined here
                area |                  -- defined here
                floor |                 -- defined here
                floorEntity }           -- defined here
   ID           id-euro-oc-resPerson }

As seen from this object class definition, it is possible to split a postal address into several attributes. This may not always be useful. It is possible to put street name, house number, floor, etc. together as a single string in the streetAddress attribute (included in the residentialPerson object class). However, it is easier to validate a postal address when the different address items are stored in separate attributes. A telephone operator, as an example, needs to be able to validate each piece of an address. It will validate that the postal district actually exists. It will check an address database to see whether the purported street name is a real street within that postal district. It will validate that the correct, official spelling of the street name is used; otherwise, producing lists sorted on street names will not be possible. It will check that the house number (houseIdentifier) is valid for the street, and so on. This validation is essential to avoid fraud and to ensure high quality data in the directory.

Attribute type definitions

Organizational identification attribute

vATName ATTRIBUTE ::= {
   WITH SYNTAX               DirectoryString {ub-vATName}
   EQUALITY MATCHING RULE    caseIgnoreMatch
   SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
   ID                        id-euro-at-orgID }

This attribute type is intended to hold an organisation's VAT number, government institution number, or similar.

Building floor attribute type

floor ATTRIBUTE ::= {
   WITH SYNTAX               DirectoryString {ub-floor}
   EQUALITY MATCHING RULE    caseIgnoreMatch
   SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
   ID                        id-euro-at-floor }

This attribute type is intended to hold a building floor identification, such as "2nd", basement, etc.

Building floor entity attribute type

floorEntity ATTRIBUTE ::= {
   WITH SYNTAX               DirectoryString {ub-floor}
   EQUALITY MATCHING RULE    caseIgnoreMatch
   SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
   ID                        id-euro-at-floorEntity }

This attribute type is intended to hold information about the actual location within a particular building floor.

Telephone extension attribute type

telExten ATTRIBUTE ::= {
   SUBTYPE OF                telephoneNumber
   ID                        id-euro-at-telExten }

This attribute type is intended to hold the telephone extension of an organizational person.

Fax attribute type

fax ATTRIBUTE ::= {
   SUBTYPE OF                telephoneNumber  -- from X.520
   ID                        id-euro-at-fax }

This attribute type is intended to hold a fax number. It is an alternative to the facsimileTelephoneNumber attribute type defined in ISO/IEC 9594-6 and ITU-T X.520. That attribute type has no associated matching rules, which makes it less useful in searches.

Area attribute type

area ATTRIBUTE ::= {
   WITH SYNTAX               DirectoryString {ub-area}
   EQUALITY MATCHING RULE    caseIgnoreMatch
   SUBSTRINGS MATCHING RULE  caseIgnoreSubstringsMatch
   ID                        id-euro-at-area }

This attribute type is intended to hold additional addressing information, where some location information is necessary within, say, a postal district.
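The following is an added example, not code from the CEN/ISSS specification or from this page. It resolves the symbolic object identifiers from the allocation tables above to dotted-decimal form and renders the attribute types defined here, plus the euroOrganization class, as RFC 4512 schema descriptions of the kind an LDAP server loads. The translation is my own: the DirectoryString syntax OID is the RFC 4517 value, the referenced standard attributes (serialNumber, telephoneNumber, mail, and so on) are assumed to be already present in the server's schema, and since the page does not give the ub-* bounds no length qualifier is emitted.

```python
# Added example: resolve the CEN/ISSS OID arcs listed on this page and render
# the schema elements as RFC 4512 schema descriptions. Illustration code, not
# part of the CEN/ISSS specification.

# Root arc from the page: { iso(1) identified-organisation(3) ewos(16) eg(2) dir(1) }
ROOTS = {"euroDir": "1.3.16.2.1"}

# (parent arc, relative number), transcribed from the allocation tables above.
CHILDREN = {
    "euroModule": ("euroDir", 1),
    "euro-at": ("euroDir", 4),
    "euro-as": ("euroDir", 5),
    "euro-oc": ("euroDir", 6),
    "euro-alg": ("euroDir", 8),
    "euro-mr": ("euroDir", 13),
    "euro-nf": ("euroDir", 15),
    "id-euro-oc-organization": ("euro-oc", 1),
    "id-euro-oc-orgUnit": ("euro-oc", 2),
    "id-euro-oc-orgPerson": ("euro-oc", 3),
    "id-euro-oc-resPerson": ("euro-oc", 4),
    "id-euro-at-orgID": ("euro-at", 1),
    "id-euro-at-floor": ("euro-at", 2),
    "id-euro-at-floorEntity": ("euro-at", 3),
    "id-euro-at-telExten": ("euro-at", 4),
    "id-euro-at-fax": ("euro-at", 5),
    "id-euro-at-localEmails": ("euro-at", 6),
    "id-euro-at-area": ("euro-at", 7),
    "id-euro-nf-orgNF": ("euro-nf", 1),
    "id-euro-nf-orgPersNF": ("euro-nf", 2),
    "id-euro-nf-resPersNF": ("euro-nf", 3),
}


def resolve(name):
    """Dotted-decimal OID for a symbolic identifier from the tables above."""
    if name in ROOTS:
        return ROOTS[name]
    parent, arc = CHILDREN[name]
    return f"{resolve(parent)}.{arc}"


# LDAP syntax OID for DirectoryString (RFC 4517).
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"


def attribute_type_description(name, oid_name, sup=None):
    """Render an attribute type the way this page defines them.

    Types without SUP use DirectoryString with the page's two caseIgnore
    matching rules; subtypes (telExten, fax) inherit syntax and matching
    rules from SUP, which is why fax is searchable where
    facsimileTelephoneNumber is not. The page gives no ub-* values, so no
    length qualifier is emitted (assumption: unbounded).
    """
    parts = [f"( {resolve(oid_name)} NAME '{name}'"]
    if sup:
        parts.append(f"SUP {sup}")
    else:
        parts.append("EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch")
        parts.append(f"SYNTAX {DIRECTORY_STRING}")
    return " ".join(parts) + " )"


def object_class_description(name, oid_name, may):
    """Render one of the page's auxiliary classes (all are SUBCLASS OF top)."""
    return (f"( {resolve(oid_name)} NAME '{name}' SUP top AUXILIARY "
            f"MAY ( {' $ '.join(may)} ) )")


# The attribute types the page marks "defined here".
EURO_ATTRIBUTES = [
    ("vATName", "id-euro-at-orgID", None),
    ("floor", "id-euro-at-floor", None),
    ("floorEntity", "id-euro-at-floorEntity", None),
    ("telExten", "id-euro-at-telExten", "telephoneNumber"),
    ("fax", "id-euro-at-fax", "telephoneNumber"),
    ("area", "id-euro-at-area", None),
]

# MAY CONTAIN list of euroOrganization, as given above.
EURO_ORGANIZATION_MAY = ["serialNumber", "secretary", "mail", "textEncodedORAddress",
                         "mobile", "pager", "labeledURI", "area", "fax", "vATName"]


def render_schema():
    """Attribute type descriptions followed by the euroOrganization class."""
    lines = [attribute_type_description(*spec) for spec in EURO_ATTRIBUTES]
    lines.append(object_class_description("euroOrganization",
                                          "id-euro-oc-organization",
                                          EURO_ORGANIZATION_MAY))
    return lines


if __name__ == "__main__":
    for line in render_schema():
        print(line)
```

The attribute types must be loaded before the object class that refers to them, which is the order render_schema() produces. Keeping the arc table as data makes it easy to confirm that every OID stays under 1.3.16.2.1 and that no two elements share a number.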

Name form definitions

Under some circumstances it may be difficult to assign unique RDNs under, say, a locality entry. This can be the case for small companies, where company names are not controlled by any naming authority. It is in particular a problem when assigning RDNs to persons, whether they are organisational persons or residential persons. The X.500 standard has defined an attribute, the serialNumber attribute, to cope with this situation; however, the X.500 standard has not defined any name form that includes that attribute. Name forms for organisations, organisational persons and residential persons are defined below. It is assumed that an organisation will always assign unique names to its organisational units, so it is not necessary to define a special name form for that type of object.

euroOrgNF NAME-FORM ::= {
   NAMES                organization
   WITH ATTRIBUTES      { organizationName }
   AND OPTIONALLY       { serialNumber }
   ID                   id-euro-nf-orgNF }

This name form is to be used when the standard organization structural object class is supplemented with the euroOrganization auxiliary object class and when it is not always possible to ensure unique naming of organisations without some additional qualification.

euroOrgPersNF NAME-FORM ::= {
   NAMES                organizationalPerson
   WITH ATTRIBUTES      { commonName }
   AND OPTIONALLY       { serialNumber }
   ID                   id-euro-nf-orgPersNF }

This name form is to be used when the standard organizationalPerson structural object class is supplemented with the euroOrgPerson auxiliary object class and when it is not always possible to ensure unique naming of organisational persons without some additional qualification.

euroResPersNF NAME-FORM ::= {
   NAMES                residentialPerson
   WITH ATTRIBUTES      { commonName }
   AND OPTIONALLY       { serialNumber }
   ID                   id-euro-nf-resPersNF }

This name form is to be used when the standard residentialPerson structural object class is supplemented with the euroResPerson auxiliary object class and when it is not always possible to ensure unique naming of residential persons without some additional qualification.
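As an added example (not part of the CEN/ISSS specification or of this page), the check below applies the three name forms defined above to a candidate RDN: the WITH ATTRIBUTES attribute must be present, only the AND OPTIONALLY attribute may be added, and when a plain RDN collides with an existing sibling the lowest free serialNumber is appended, which is the situation the name forms were defined for. The sibling entries are constructed sample data, and the RFC 4514 string form is assumed to need no escaping for them.

```python
# Added example: validate an RDN against the CEN/ISSS name forms defined above
# and qualify a colliding RDN with serialNumber. Illustration code, not part of
# the CEN/ISSS specification; sibling entries below are constructed.

NAME_FORMS = {
    # structural class: (mandatory naming attributes, optional naming attributes)
    "organization": ({"organizationName"}, {"serialNumber"}),    # euroOrgNF
    "organizationalPerson": ({"commonName"}, {"serialNumber"}),  # euroOrgPersNF
    "residentialPerson": ({"commonName"}, {"serialNumber"}),     # euroResPersNF
}


def check_rdn(structural_class, rdn):
    """Return (True, "") if rdn (attribute -> value) satisfies the name form
    for structural_class, otherwise (False, reason)."""
    if structural_class not in NAME_FORMS:
        return False, f"no name form for {structural_class}"
    mandatory, optional = NAME_FORMS[structural_class]
    missing = mandatory - rdn.keys()
    if missing:
        return False, "missing " + ", ".join(sorted(missing))
    extra = rdn.keys() - mandatory - optional
    if extra:
        return False, "not permitted " + ", ".join(sorted(extra))
    return True, ""


def rdn_string(rdn):
    """RFC 4514 string form; a multi-valued RDN joins its AVAs with '+'.
    Values are assumed not to need escaping (constructed sample data)."""
    return "+".join(f"{attr}={rdn[attr]}" for attr in sorted(rdn))


def qualify_rdn(structural_class, rdn, siblings):
    """Return rdn unchanged if it is unique among siblings; otherwise add the
    lowest serialNumber that makes it unique, as the name forms allow.
    Raises ValueError if rdn does not satisfy the name form at all."""
    ok, reason = check_rdn(structural_class, rdn)
    if not ok:
        raise ValueError(reason)
    taken = {rdn_string(s) for s in siblings}
    if rdn_string(rdn) not in taken:
        return dict(rdn)
    n = 1
    while True:
        candidate = dict(rdn, serialNumber=str(n))
        if rdn_string(candidate) not in taken:
            return candidate
        n += 1


if __name__ == "__main__":
    # Constructed siblings under one organizationalUnit: two people share a name.
    siblings = [{"commonName": "Jane Doe"},
                {"commonName": "Jane Doe", "serialNumber": "1"}]
    new = qualify_rdn("organizationalPerson", {"commonName": "Jane Doe"}, siblings)
    print(rdn_string(new))   # commonName=Jane Doe+serialNumber=2
    print(check_rdn("organizationalPerson", {"commonName": "Jane Doe", "mail": "j@example.org"}))
```

Keeping the naming attributes restricted to those the name form permits matters beyond tidiness: an attribute such as mail in an RDN would make the distinguished name change whenever the address changes, and DNs are what access control, referential integrity and certificate subject names depend on.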
