// =================================================================== // Title: User-Security Public Key Services and Credentials 2.7 // Filename: User27_PublicKey.mof // Version: 2.7.0 // Status: Preliminary // Date: 07/07/2002 // =================================================================== // Copyright 2000-2002 Distributed Management Task Force, Inc. (DMTF). // All rights reserved. // DMTF is a not-for-profit association of industry members dedicated // to promoting enterprise and systems management and interoperability. // DMTF specifications and documents may be reproduced for uses // consistent with this purpose by members and non-members, // provided that correct attribution is given. // As DMTF specifications may be revised from time to time, // the particular version and release date should always be noted. // // Implementation of certain elements of this standard or proposed // standard may be subject to third party patent rights, including // provisional patent rights (herein "patent rights"). DMTF makes // no representations to users of the standard as to the existence // of such rights, and is not responsible to recognize, disclose, or // identify any or all such third party patent right, owners or // claimants, nor for any incomplete or inaccurate identification or // disclosure of such rights, owners or claimants. DMTF shall have no // liability to any party, in any manner or circumstance, under any // legal theory whatsoever, for failure to recognize, disclose, or // identify any such third party patent rights, or for such party's // reliance on the standard or incorporation thereof in its product, // protocols or testing procedures. DMTF shall have no liability to // any party implementing such standard, whether such implementation // is foreseeable or not, nor to any patent owner or claimant, and shall // have no liability or responsibility for costs or losses incurred if // a standard is withdrawn or modified after publication, and shall be // indemnified and held harmless by any party implementing the // standard from any and all claims of infringement by a patent owner // for such implementations. // // For information about patents held by third-parties which have // notified the DMTF that, in their opinion, such patent may relate to // or impact implementations of DMTF standards, visit // http://www.dmtf.org/about/policies/disclosures.php. // =================================================================== // Description: The User Model extends the management concepts that // are related to users and security. // This file defines the classes modeling public key // security services, credentials and the certificate\ // authority. // // The object classes below are listed in an order that // avoids forward references. Required objects, defined // by other working groups, are omitted. // =================================================================== // Change Log for v2.7 // CR784 - Deprecate Expires property from CASignsPublicKeyCertificate // =================================================================== #pragma Locale ("en_US") // ================================================================== // CertificateAuthority // ================================================================== [Version ("2.6.0"), Description ( "A Certificate Authority (CA) is a credential " "management service that issues and cryptographically " "signs certificates thus acting as an trusted third-party " "intermediary in establishing trust relationships. The CA " "authenicates the holder of the private key related to the " "certificate's public key; the authenicated entity is " "represented by the UsersAccess class.") ] class CIM_CertificateAuthority : CIM_CredentialManagementService { [Description ( "The CAPolicyStatement describes what care is taken by the " "CertificateAuthority when signing a new certificate. " "The CAPolicyStatment may be a dot-delimited ASN.1 OID " "string which identifies to the formal policy statement.") ] string CAPolicyStatement; [Octetstring, Description ( "A CRL, or CertificateRevocationList, is a " "list of certificates which the CertificateAuthority has " "revoked and which are not yet expired. Revocation is " "necessary when the private key associated with the public " "key of a certificate is lost or compromised, or when the " "person for whom the certificate is signed no longer is " "entitled to use the certificate.") ] string CRL[]; [Description ( "Certificate Revocation Lists may be " "available from a number of distribution points. " "CRLDistributionPoint array values provide URIs for those " "distribution points.") ] string CRLDistributionPoint[]; [Description ( "Certificates refer to their issuing CA by " "its Distinguished Name (as defined in X.501)."), DN] string CADistinguishedName; [Description ( "The frequency, expressed in hours, at which " "the CA will update its Certificate Revocation List. Zero " "implies that the refresh frequency is unknown."), Units("Hours") ] uint8 CRLRefreshFrequency; [Description ( "The maximum number of certificates in a " "certificate chain permitted for credentials issued by " "this certificate authority or it's subordinate CAs. \n" "The MaxChainLength of a superior CA in the trust " "hierarchy should be greater than this value and the " "MaxChainLength of a subordinate CA in the trust hierarchy " "should be less than this value.") ] uint8 MaxChainLength; }; // ================================================================== // PublicKeyManagementService // ================================================================== [Version ("2.6.0"), Description ( "CIM_PublicKeyManagementService is a credential management " "service that provides local system management of public " "keys used by the local system.") ] class CIM_PublicKeyManagementService : CIM_LocalCredentialManagementService { }; // ================================================================== // PublicKeyCertificate // ================================================================== [Version ("2.6.0"), Description ( "A Public Key Certificate is a credential " "that is cryptographically signed by a trusted Certificate " "Authority (CA) and issued to an authenticated entity " "(e.g., human user, service,etc.) called the Subject in " "the certificate and represented by the UsersAccess class. " "The public key in the certificate is cryptographically " "related to a private key that is to be held and kept " "private by the authenticated Subject. The certificate " "and its related private key can then be used for " "establishing trust relationships and securing " "communications with the Subject. Refer to the ITU/CCITT " "X.509 standard as an example of such certificates.") ] class CIM_PublicKeyCertificate : CIM_Credential { [Propagated ("CIM_CertificateAuthority.SystemCreationClassName"), Key, MaxLen (256), Description ("The scoping System's CCN.") ] string SystemCreationClassName; [Propagated ("CIM_CertificateAuthority.SystemName"), Key, MaxLen (256),Description ("The scoping System's Name.") ] string SystemName; [Propagated ("CIM_CertificateAuthority.CreationClassName"), Key, MaxLen (256), Description ("The scoping Service's CCN.") ] string ServiceCreationClassName; [Propagated ("CIM_CertificateAuthority.Name"), Key, MaxLen (256), Description ("The scoping Service's Name.") ] string ServiceName; [Key, MaxLen (256), Description ( "Certificate subject identifier.") ] string Subject; [MaxLen (256), Description ( "Alternate subject identifier for the Certificate.") ] string AltSubject; [Octetstring, Description ("The DER-encoded raw public key.") ] uint8 PublicKey[]; }; // =================================================================== // CAHasPublicCertificate // =================================================================== [Association, Version ("2.6.0"), Description ( "A CertificateAuthority may have certificates issued by other CAs. " "This association is essentially an optimization of the CA having " "a UsersAccess instance with an association to a certificate thus " "mapping more closely to LDAP-based certificate authority " "implementations.") ] class CIM_CAHasPublicCertificate : CIM_Dependency { [Max (1), Override ("Antecedent"), Description ("The Certificate used by the CA.") ] CIM_PublicKeyCertificate REF Antecedent; [Override ("Dependent"), Description ("The CA that uses a Certificate.") ] CIM_CertificateAuthority REF Dependent; }; // =================================================================== // CASignsPublicKeyCertificate // =================================================================== [Association, Version ("2.7.0"), Description ( "This relationship associates a CertificateAuthority with " "the certificates it signs.") ] class CIM_CASignsPublicKeyCertificate : CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The CA which signed the certificate.") ] CIM_CertificateAuthority REF Antecedent; [Override ("Dependent"), Weak, Description ("The certificate issued by the CA.") ] CIM_PublicKeyCertificate REF Dependent; [Description ( "The Serial Number")] string SerialNumber; [Octetstring, Description ( "The Signature.") ] uint8 Signature[]; [Deprecated {"CIM_Credential.Expires"}, Description ( "The time it expires.") ] datetime Expires; [Description ( "The Authority's revocation list distribution points.") ] string CRLDistributionPoint[]; }; // ================================================================== // UnsignedPublicKey // ================================================================== [Version ("2.6.0"), Description ( "A CIM_UnsignedPublicKey represents an unsigned public " "key credential. The local UsersAccess (or subclass " "thereof) accepts the public key as authentic because of " "a direct trust relationship rather than via a third-party " "Certificate Authority.") ] class CIM_UnsignedPublicKey : CIM_Credential { [Propagated ( "CIM_PublicKeyManagementService.SystemCreationClassName"), Key, MaxLen (256), Description ("The scoping System's CCN.") ] string SystemCreationClassName; [Propagated ("CIM_PublicKeyManagementService.SystemName"), Key, MaxLen (256),Description ("The scoping System's Name.") ] string SystemName; [Propagated ("CIM_PublicKeyManagementService.CreationClassName"), Key, MaxLen (256), Description ("The scoping Service's CCN.") ] string ServiceCreationClassName; [Propagated ("CIM_PublicKeyManagementService.Name"), Key, MaxLen (256), Description ("The scoping Service's Name.") ] string ServiceName; [Key, MaxLen (256), Description ( "The Identity of the Peer with whom a direct trust " "relationship exists. The public key may be used for " "security functions with the Peer."), ModelCorrespondence { "CIM_PublicKeyManagementService.PeerIdentityType"} ] string PeerIdentity; [Description ( "PeerIdentityType is used to describe the " "type of the PeerIdentity. The currently defined values " "are used for IKE identities."), ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence { "CIM_PublicKeyManagementService.PeerIdentity"} ] uint16 PeerIdentityType; [Octetstring, Description ("The DER-encoded raw public key.") ] uint8 PublicKey[]; }; // ================================================================== // LocallyManagedPublicKey // ================================================================== [Association, Version ("2.6.0"), Description ( "CIM_LocallyManagedPublicKey association provides the " "relationship between a PublicKeyManagementService and an " "UnsignedPublicKey.") ] class CIM_LocallyManagedPublicKey : CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The PublicKeyManagementService that manages " "an unsigned public key.") ] CIM_PublicKeyManagementService REF Antecedent; [Override ("Dependent"), Weak, Description ( "An unsigned public key.") ] CIM_UnsignedPublicKey REF Dependent; }; // =================================================================== // end of file // ===================================================================