| X.500 Directory Interoperability | |||||||||
| No. | Section Reference | Requirement Description | Test Description | Completed | Not
Completed |
Comments | |||
| 1 | RFC 2587 3.2 | cACertificate attribute shall be used to store self-issued certificates (if any) and certificates issued to this CA by CAs in the same realm as this CA | Verify that more than one value can be stored in the attribute | ||||||
| 2 | RFC 2587 3.2 | Forward elements of the crossCertificatePair attribute of a CA's directory shall be used to store all, except self-issued certificates issued to this CA. | Verify that more than one value can be stored in the attribute | ||||||
| 3 | RFC 2587 3.2 | The reverse elements of the crossCertificatePair attribute of a CA's directory entry must contain a subset of certificates issued by this CA to other CAs | Verify that more than one value can be stored in the attribute | ||||||
| 4 | RFC 2587 3.2 | When both the forward and reverse elements are present in a single attribute value, issue name in one certificate shall match subject name in the other and vice versa, and the subject public key in one certificate shall be capable of verifying the digital signature on the other certificate and vice versa | |||||||
| 5 | RFC 2587 3.2 | CA certificates shall NOT include a basicContraints extension with the cA value set to FALSE | |||||||
| 6 | RFC 2587 3.2 | CA
entries shall be made up of the following object classes: - pkiCA OR entrustCA |
entrustCA is used to to support Entrust implementations | ||||||
| 7 | FPKI PA | An
entity's directory service must conform to the following requirements: - Information must conform to the X.500 information model and X.509 - Must support X.500 chained operations or X.500 referrals |
|||||||
| 8 | FPKI PA | Any X.500 directory shall provide all CA certificates and CRLs within its domain or provide references to these | |||||||
| 9 | FPKI PA | Directories are required to support authentication for LDAP and DSP communications [this document proposes that for DSP no authentication be used] | |||||||
| 10 | FPKI PA | FPKI directory clients that read the FPKI directory (read, list, search directory operations) require no authentication (i.e.., anonymous bind to the directory is acceptable) | |||||||
| [DoD GDS] | The directory service shall provide an average three second response time (or less) from the time the directory receives the request until it delivers the response to the network | Request a certificate that is contained in the directory to check response time | |||||||
| RFC 2587 3.2 | authorityRevocationList Shall include all CRLs issued by the provider’s CA containing the Issuing Distribution Point (IDP) extension with onlyContainsCACert set to TRUE | ||||||||
| RFC 2587 3.2 | certificateRevocationList shall include all CRLs issued by the provider’s CA that are not required to be in the authorityRevocationList attribute | ||||||||