Network Working Group                                         P. Hoffman
Internet-Draft                                            VPN Consortium
Intended status: Informational                                 J. Schaad
Expires: February 14, 2010                       Soaring Hawk Consulting
                                                         August 13, 2009

                  New ASN.1 Modules for CMS and S/MIME
                    draft-ietf-smime-new-asn1-07.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.  This document may contain material
   from IETF Documents or IETF Contributions published or made publicly
   available before November 10, 2008.  The person(s) controlling the
   copyright in some of this material may not have granted the IETF
   Trust the right to allow modifications of such material outside the
   IETF Standards Process.  Without obtaining an adequate license from
   the person(s) controlling the copyright in such materials, this
   document may not be modified outside the IETF Standards Process, and
   derivative works of it may not be created outside the IETF Standards
   Process, except to format it for publication as an RFC or to
   translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 14, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   The Cryptographic Message Syntax (CMS) format, and many associated
   formats, are expressed using ASN.1.  The current ASN.1 modules
   conform to the 1988 version of ASN.1.  This document updates those
   ASN.1 modules to conform to the 2002 version of ASN.1.  There are no
   bits-on-the-wire changes to any of the formats; this is simply a
   change to the syntax.

Table of Contents

   1.  Introduction
     1.1.  Design Notes
   2.  ASN.1 Module AlgorithmInformation
   3.  ASN.1 Module for RFC 3370
   4.  ASN.1 Module for RFC 3565
   5.  ASN.1 Module for RFC 3851
   6.  ASN.1 Module for RFC 3852
   7.  ASN.1 Module for RFC 4108
   8.  ASN.1 Module for RFC 4998
   9.  ASN.1 Module for RFC 5035
   10. ASN.1 Module for RFC 5083
   11. ASN.1 Module for RFC 5084
   12. ASN.1 Module for RFC 5275
   13. Security Considerations
   14. Normative References
   Appendix A.  Change History
     A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
           draft-ietf-smime-new-asn1-00
     A.2.  Changes between draft-ietf-smime-new-asn1-00 and -01
     A.3.  Changes between draft-ietf-smime-new-asn1-01 and -02
     A.4.  Changes between draft-ietf-smime-new-asn1-02 and -03
     A.5.  Changes between draft-ietf-smime-new-asn1-03 and -04
     A.6.  Changes between draft-ietf-smime-new-asn1-04 and -05
     A.7.  Changes between draft-ietf-smime-new-asn1-05 and -06
     A.8.  Changes between draft-ietf-smime-new-asn1-06 and -07
   Authors' Addresses

1.  Introduction

   Some developers would like the IETF to use the latest version of
   ASN.1 in its standards.  Most of the RFCs that relate to security
   protocols still use ASN.1 from the 1988 standard, which has been
   deprecated.  This is particularly true for the standards that relate
   to PKIX, CMS, and S/MIME.

   This document updates the following RFCs to use ASN.1 modules that
   conform to the 2002 version of ASN.1 [ASN1-2002].  Note that not all
   the modules are updated; some are included to simply make the set
   complete.

   o  RFC 3370, CMS Algorithms [RFC3370]

   o  RFC 3565, Use of AES in CMS [RFC3565]

   o  RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

   o  RFC 3852, CMS main [RFC3852]

   o  RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

   o  RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

   o  RFC 5035, Enhanced Security Services (ESS) [RFC5035]

   o  RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

   o  RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
      CMS [RFC5084]

   o  RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]

   Note that some of the modules in this document get some of their
   definitions from places different than the modules in the original
   RFCs.
   The idea is that these modules, when combined with the modules
   in [NEW-PKIX], can stand on their own and do not need to import
   definitions from anywhere else.

   The document also includes a module of common definitions called
   "AlgorithmInformation".  These definitions are used here and in
   [NEW-PKIX].

   Note that some of the modules here import definitions from the common
   definitions module, "PKIX-CommonTypes", in [NEW-PKIX].

1.1.  Design Notes

   The modules in this document use the object model available in the
   2002 ASN.1 documents to a great extent.  Objects for each of the
   different algorithm types are defined.  Also, all of the places where
   the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
   now have objects.

   Much like the way that the PKIX and S/MIME working groups use the
   prefix of id- for object identifiers, this document has also adopted
   a set of two, three, and four letter prefixes to allow for quick
   identification of the type of an object based on its name.  This
   allows, for example, the same back half of the name to be used for
   the different objects.  Thus, "id-sha1" is the object identifier,
   while "mda-sha1" is the message digest object for "sha1".

   One or more object sets for the different types of algorithms are
   defined.  A single consistent name for each of the different
   algorithm types is used.  For example, an object set named PublicKeys
   might contain the public keys defined in that module.  If no public
   keys are defined, then the object set is not created.  When
   referencing these object sets after they are imported, one needs to
   be able to disambiguate between the different modules.  This is done
   by using both the module name (as specified in the IMPORT statement)
   and the object set name.
   For example, in the module for RFC 5280:

   PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
   PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

   PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
       PKIX1-PSS-OAEP-Algorithms.PublicKeys }

2.  ASN.1 Module AlgorithmInformation

   This section contains a module that is imported by many other modules
   in this document.  Note that this module is also given in [NEW-PKIX].
   This module does not come from any existing RFC.

   AlgorithmInformation-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0)
       id-mod-algorithmInformation-02(58)}

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN
   EXPORTS ALL;
   IMPORTS
   KeyUsage
   FROM PKIX1Implicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-pkix1-implicit-02(59)} ;

   -- Suggested prefixes for algorithm objects are:
   --
   -- mda-  Message Digest Algorithms
   -- sa-   Signature Algorithms
   -- kta-  Key Transport Algorithms (Asymmetric)
   -- kaa-  Key Agreement Algorithms (Asymmetric)
   -- kwa-  Key Wrap Algorithms (Symmetric)
   -- kda-  Key Derivation Algorithms
   -- maca- Message Authentication Code Algorithms
   -- pk-   Public Key
   -- cea-  Content (symmetric) Encryption Algorithm
   -- cap-  S/MIME Capabilities

   ParamOptions ::= ENUMERATED {
       required,         -- Parameters MUST be encoded in structure
       preferredPresent, -- Parameters SHOULD be encoded in structure
       preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
       absent,           -- Parameters MUST NOT be encoded in structure
       inheritable,      -- Parameters are inherited if not present
       optional,         -- Parameters MAY be encoded in the structure
       ...
   }

   -- DIGEST-ALGORITHM
   --
   -- Describes the basic information for ASN.1 and a digest
   -- algorithm.
   --
   -- &id - contains the OID identifying the digest algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   --
   -- Additional information such as the length of the hash could also
   -- be encoded.
   --
   -- Example:
   -- sha1 DIGEST-ALGORITHM ::= {
   --     IDENTIFIER id-sha1
   --     PARAMS TYPE NULL ARE preferredAbsent
   -- }
   DIGEST-ALGORITHM ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] [ARE &paramPresence] ]
   }

   -- SIGNATURE-ALGORITHM
   --
   -- Describes the basic properties of a signature algorithm
   --
   -- &id - contains the OID identifying the signature algorithm
   -- &Value - contains a type definition for the value structure of
   --          the signature
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &HashSet - The set of hash algorithms used with this
   --            signature algorithm
   -- &PublicKeySet - the set of public key algorithms for this
   --                 signature algorithm
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Example:
   -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
   --     IDENTIFIER id-RSASSA-PSS
   --     PARAMS TYPE RSASSA-PSS-params ARE required
   --     HASHES { mda-sha1 | mda-md5, ... }
   --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
   -- }

   SIGNATURE-ALGORITHM ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Value          OPTIONAL,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &HashSet        DIGEST-ALGORITHM OPTIONAL,
       &PublicKeySet   PUBLIC-KEY OPTIONAL,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [VALUE &Value]
       [PARAMS [TYPE &Params] ARE &paramPresence ]
       [HASHES &HashSet]
       [PUBLIC-KEYS &PublicKeySet]
       [SMIME-CAPS &smimeCaps]
   }

   -- PUBLIC-KEY
   --
   -- Describes the basic properties of a public key
   --
   -- &id - contains the OID identifying the public key
   -- &KeyValue - contains the type for the key value
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &keyUsage - contains the set of bits that are legal for this
   --             key type.  Note that it does not make any statement
   --             about how bits may be paired.
   -- &PrivateKey - contains a type structure for encoding the private
   --               key information.
   --
   -- Example:
   -- pk-rsa-pss PUBLIC-KEY ::= {
   --     IDENTIFIER id-RSASSA-PSS
   --     KEY RSAPublicKey
   --     PARAMS TYPE RSASSA-PSS-params ARE optional
   --     CERT-KEY-USAGE { .... }
   -- }

   PUBLIC-KEY ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &KeyValue       OPTIONAL,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &keyUsage       KeyUsage OPTIONAL,
       &PrivateKey     OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [KEY &KeyValue]
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [CERT-KEY-USAGE &keyUsage]
       [PRIVATE-KEY &PrivateKey]
   }

   -- KEY-TRANSPORT
   --
   -- Describes the basic properties of a key transport algorithm
   --
   -- &id - contains the OID identifying the key transport algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &PublicKeySet - specify which public keys are used with
   --                 this algorithm
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Example:
   -- rsaTransport KEY-TRANSPORT ::= {
   --     IDENTIFIER &id
   --     PARAMS TYPE NULL ARE required
   --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
   -- }

   KEY-TRANSPORT ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &PublicKeySet   PUBLIC-KEY OPTIONAL,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [PUBLIC-KEYS &PublicKeySet]
       [SMIME-CAPS &smimeCaps]
   }

   -- KEY-AGREE
   --
   -- Describes the basic properties of a key agreement algorithm
   --
   -- &id - contains the OID identifying the key agreement algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &PublicKeySet - specify which public keys are used with
   --                 this algorithm
   -- &Ukm - type of user keying material used
   -- &ukmPresence - specifies the requirements to define the UKM field
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Example:
   -- dh-static-ephemerial KEY-AGREE ::= {
   --     IDENTIFIER id-alg-ESDH
   --     PARAMS TYPE KeyWrapAlgorithm ARE required
   --     - - user key material is not ASN.1-encoded.
   --     PUBLIC-KEYS {
   --         {IDENTIFIER dh-public-number KEY DHPublicKey
   --          PARAMS TYPE DHDomainParameters ARE inheritable }
   --     }
   --     - - UKM should be present but is not separately ASN.1-encoded
   --     UKM ARE preferredPresent
   -- }

   KEY-AGREE ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &PublicKeySet   PUBLIC-KEY OPTIONAL,
       &Ukm            OPTIONAL,
       &ukmPresence    ParamOptions DEFAULT absent,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [PUBLIC-KEYS &PublicKeySet]
       [UKM [TYPE &Ukm] ARE &ukmPresence]
       [SMIME-CAPS &smimeCaps]
   }

   -- KEY-WRAP
   --
   -- Describes the basic properties of a key wrap algorithm
   --
   -- &id - contains the OID identifying the key wrap algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Example:
   -- cms3DESwrap KEY-WRAP ::= {
   --     IDENTIFIER id-alg-CMS3DESwrap
   --     PARAMS TYPE NULL ARE required
   -- }

   KEY-WRAP ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [SMIME-CAPS &smimeCaps]
   }

   -- KEY-DERIVATION
   --
   -- Describes the basic properties of a key derivation algorithm
   --
   -- &id - contains the OID identifying the key derivation algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Could add information about defaults for the derivation algorithm
   -- such as PRFs
   --
   -- Example:
   -- pbkdf2 KEY-DERIVATION ::= {
   --     IDENTIFIER id-PBKDF2
   --     PARAMS TYPE PBKDF2-params ARE required
   -- }

   KEY-DERIVATION ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [SMIME-CAPS &smimeCaps]
   }

   -- MAC-ALGORITHM
   --
   -- Describes the basic properties of a MAC algorithm
   --
   -- &id - contains the OID identifying the MAC algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &keyed - MAC algorithm is a keyed MAC algorithm
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- It would make sense to also add minimum and maximum MAC lengths
   --
   -- Example:
   -- maca-hmac-sha1 MAC-ALGORITHM ::= {
   --     IDENTIFIER hMAC-SHA1
   --     PARAMS TYPE NULL ARE preferredAbsent
   --     IS-KEYED-MAC TRUE
   --     SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
   -- }

   MAC-ALGORITHM ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &keyed          BOOLEAN,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] [ARE &paramPresence]]
       IS-KEYED-MAC &keyed
       [SMIME-CAPS &smimeCaps]
   }

   -- CONTENT-ENCRYPTION
   --
   -- Describes the basic properties of a content encryption
   -- algorithm
   --
   -- &id - contains the OID identifying the content
   --       encryption algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- Example:
   -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
   --     IDENTIFIER des-ede3-cbc
   --     PARAMS TYPE IV ARE required
   --     SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
   -- }

   CONTENT-ENCRYPTION ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [SMIME-CAPS &smimeCaps]
   }

   -- ALGORITHM
   --
   -- Describes a generic algorithm identifier
   --
   -- &id - contains the OID identifying the algorithm
   -- &Params - contains the type for the algorithm parameters,
   --           if present; absent implies no parameters
   -- &paramPresence - parameter presence requirement
   -- &smimeCaps - contains the object describing how the S/MIME
   --              capabilities are presented.
   --
   -- This would be used for cases where an unknown algorithm is
   -- used.  One should consider using TYPE-IDENTIFIER in these cases.

   ALGORITHM ::= CLASS {
       &id             OBJECT IDENTIFIER UNIQUE,
       &Params         OPTIONAL,
       &paramPresence  ParamOptions DEFAULT absent,
       &smimeCaps      SMIME-CAPS OPTIONAL
   } WITH SYNTAX {
       IDENTIFIER &id
       [PARAMS [TYPE &Params] ARE &paramPresence]
       [SMIME-CAPS &smimeCaps]
   }

   -- AlgorithmIdentifier
   --
   -- Provides the generic structure that is used to encode algorithm
   -- identification and the parameters associated with the
   -- algorithm.
   --
   -- The first parameter represents the type of the algorithm being
   -- used.
   -- The second parameter represents an object set containing the
   -- algorithms that may occur in this situation.
   -- The initial list of required algorithms should occur to the
   -- left of an extension marker, all other algorithms should
   -- occur to the right of an extension marker.
   --
   -- The object class ALGORITHM can be used for generic unspecified
   -- items.
   -- If new ALGORITHM objects are defined, the fields &id and &Params
   -- need to be present as field in the object.
   --
   AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
       SEQUENCE {
           algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
           parameters  ALGORITHM-TYPE.
               &Params({AlgorithmSet}{@algorithm}) OPTIONAL
       }

   -- S/MIME Capabilities
   --
   -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
   -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
   -- Caps in certificate extension
   --
   --
   -- This class is used to represent an S/MIME capability.  S/MIME
   -- capabilities are used to represent what algorithm capabilities
   -- an individual has.  The classic example was the content encryption
   -- algorithm RC2 where the algorithm id and the RC2 key lengths
   -- supported needed to be advertised, but the IV used is not fixed.
   -- Thus for RC2 we used
   --
   -- cap-RC2CBC SMIME-CAPS ::= {
   --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
   --
   -- where 40 and 128 represent the RC2 key length in number of bits.
   --
   -- Another example where information needs to be shown is for
   -- RSA-OAEP where only specific hash functions or mask generation
   -- functions are supported, but the saltLength is specified by the
   -- sender and not the recipient.  In this case one can either
   -- generate a number of capability items,
   -- or a new S/MIME capability type could be generated where
   -- multiple hash functions could be specified.
   --
   --
   -- SMIME-CAP
   --
   -- This class is used to associate the type describing capabilities
   -- with the object identifier.
   --

   SMIME-CAPS ::= CLASS {
       &id    OBJECT IDENTIFIER UNIQUE,
       &Type  OPTIONAL
   }
   WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
   --
   -- Generic type - this is used for defining values.
   --

   -- Define a single S/MIME capability encoding

   SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
       capabilityID  SMIME-CAPS.&id({CapabilitySet}),
       parameters    SMIME-CAPS.&Type({CapabilitySet}
                         {@capabilityID}) OPTIONAL
   }

   -- Define a sequence of S/MIME capability value

   SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
       SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

   END

3.  ASN.1 Module for RFC 3370

   CryptographicMessageSyntaxAlgorithms-2009
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
   IMPORTS

   ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
       PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
       KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
       AlgorithmIdentifier{}, SMIME-CAPS
   FROM AlgorithmInformation-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0)
       id-mod-algorithmInformation-02(58)}

   pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
   FROM PKIXAlgs-2009
       {iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-pkix1-algorithms2008-02(56)}

   cap-RC2CBC
   FROM SecureMimeMessageV3dot1-2009
       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) id-mod-msg-v3dot1-02(39)};

   -- 2. Hash algorithms in this document

   MessageDigestAlgs DIGEST-ALGORITHM ::= {
       -- mda-md5 | mda-sha1,
       ... }

   -- 3. Signature algorithms in this document

   SignatureAlgs SIGNATURE-ALGORITHM ::= {
       -- See RFC 3279
       -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
       ... }

   -- 4. Key Management Algorithms
   -- 4.1 Key Agreement Algorithms

   KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
   KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}

   -- 4.2 Key Transport Algorithms

   KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }

   -- 4.3 Symmetric Key-Encryption Key Algorithms

   KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }

   -- 4.4 Key Derivation Algorithms

   KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

   -- 5. Content Encryption Algorithms

   ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
       { cea-3DES-cbc | cea-RC2-cbc, ... }

   -- 6. Message Authentication Code Algorithms

   MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }

   -- SMIME Capabilities for these items

   SMimeCaps SMIME-CAPS ::= {
       kaa-esdh.&smimeCaps       |
       kaa-ssdh.&smimeCaps       |
       kt-rsa.&smimeCaps         |
       kwa-3DESWrap.&smimeCaps   |
       kwa-RC2Wrap.&smimeCaps    |
       cea-3DES-cbc.&smimeCaps   |
       cea-RC2-cbc.&smimeCaps    |
       maca-hMAC-SHA1.&smimeCaps,
       ...}

   --
   --
   --

   -- Algorithm Identifiers

   -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   --     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
       rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

   id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
       rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

   id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

   id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

   des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

   rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
       rsadsi(113549) encryptionAlgorithm(3) 2 }

   hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
       dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

   id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
       rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

   -- Algorithm Identifier Parameter Types

   KeyWrapAlgorithm ::=
       AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}

   RC2wrapParameter ::= RC2ParameterVersion
   RC2ParameterVersion ::= INTEGER

   CBCParameter ::= IV

   IV ::= OCTET STRING  -- exactly 8 octets

   RC2CBCParameter ::= SEQUENCE {
       rc2ParameterVersion  INTEGER (1..256),
       iv                   OCTET STRING  }  -- exactly 8 octets

   maca-hMAC-SHA1 MAC-ALGORITHM ::= {
       IDENTIFIER hMAC-SHA1
       PARAMS TYPE NULL ARE preferredAbsent
       IS-KEYED-MAC TRUE
       SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
   }

   PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
       {PBKDF2-PRFs} }

   alg-hMAC-SHA1 ALGORITHM ::=
       { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }

   PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }

   PBKDF2-SaltSources ALGORITHM ::= { ... }

   PBKDF2-SaltSourcesAlgorithmIdentifier ::=
       AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}

   defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
       { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }

   PBKDF2-params ::= SEQUENCE {
       salt CHOICE {
           specified    OCTET STRING,
           otherSource  PBKDF2-SaltSourcesAlgorithmIdentifier },
       iterationCount  INTEGER (1..MAX),
       keyLength       INTEGER (1..MAX) OPTIONAL,
       prf             PBKDF2-PRFsAlgorithmIdentifier DEFAULT
                           defaultPBKDF2
   }

   --
   -- This object is included for completeness.  It should not be used
   -- for encoding of signatures, but was sometimes used in older
   -- versions of CMS for encoding of RSA signatures.
   --
   --
   -- sa-rsa SIGNATURE-ALGORITHM ::= {
   --     IDENTIFIER rsaEncryption
   --     - - value is not ASN.1 encoded
   --     PARAMS TYPE NULL ARE required
   --     HASHES {mda-sha1 | mda-md5, ...}
   --     PUBLIC-KEYS { pk-rsa}
   -- }
   --
   -- No ASN.1 encoding is applied to the signature value
   -- for these items

   kaa-esdh KEY-AGREE ::= {
       IDENTIFIER id-alg-ESDH
       PARAMS TYPE KeyWrapAlgorithm ARE required
       PUBLIC-KEYS { pk-dh }
       -- UKM is not ASN.1 encoded
       UKM ARE optional
       SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
   }

   kaa-ssdh KEY-AGREE ::= {
       IDENTIFIER id-alg-SSDH
       PARAMS TYPE KeyWrapAlgorithm ARE required
       PUBLIC-KEYS {pk-dh}
       -- UKM is not ASN.1 encoded
       UKM ARE optional
       SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
   }

   dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber

   pk-originator-dh PUBLIC-KEY ::= {
       IDENTIFIER dh-public-number
       KEY DHPublicKey
       PARAMS ARE absent
       CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
   }

   kwa-3DESWrap KEY-WRAP ::= {
       IDENTIFIER id-alg-CMS3DESwrap
       PARAMS TYPE NULL ARE required
       SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
   }

   kwa-RC2Wrap KEY-WRAP ::= {
       IDENTIFIER id-alg-CMSRC2wrap
       PARAMS TYPE RC2wrapParameter ARE required
       SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
   }

   kda-PBKDF2 KEY-DERIVATION ::= {
       IDENTIFIER id-PBKDF2
       PARAMS TYPE PBKDF2-params ARE required
       -- No s/mime caps defined
   }

   cea-3DES-cbc CONTENT-ENCRYPTION ::= {
       IDENTIFIER des-ede3-cbc
       PARAMS TYPE IV ARE required
       SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
   }

   cea-RC2-cbc CONTENT-ENCRYPTION ::= {
       IDENTIFIER rc2-cbc
       PARAMS TYPE RC2CBCParameter ARE required
       SMIME-CAPS cap-RC2CBC
   }

   kt-rsa KEY-TRANSPORT ::= {
       IDENTIFIER rsaEncryption
       PARAMS TYPE NULL ARE required
       PUBLIC-KEYS { pk-rsa }
       SMIME-CAPS {IDENTIFIED BY rsaEncryption}
   }
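
The ParamOptions value carried by each object in these modules maps directly onto a check a decoder can apply to an incoming AlgorithmIdentifier. The Python below is an added example, not part of the draft: the table is transcribed by hand from objects in the modules for RFC 3370 and RFC 3565, and the function names, the ok/warn/reject statuses and the sample encodings are constructed for illustration.

```python
from enum import Enum

# Mirrors the ParamOptions ENUMERATED in AlgorithmInformation-2009.
ParamOptions = Enum("ParamOptions", "required preferredPresent preferredAbsent "
                                    "absent inheritable optional")
P = ParamOptions
NULL, OCTET_STRING, OID, SEQUENCE = 0x05, 0x04, 0x06, 0x30

# OID -> (object name, presence rule, DER tag of PARAMS TYPE, exact length or None).
# Transcribed by hand from objects in the modules for RFC 3370 and RFC 3565.
ALGORITHM_SET = {
    "1.2.840.113549.1.1.1":   ("kt-rsa",          P.required,        NULL,         0),
    "1.2.840.113549.3.7":     ("cea-3DES-cbc",    P.required,        OCTET_STRING, 8),
    "1.3.6.1.5.5.8.1.2":      ("maca-hMAC-SHA1",  P.preferredAbsent, NULL,         0),
    "2.16.840.1.101.3.4.1.2": ("cea-aes128-cbc",  P.required,        OCTET_STRING, 16),
    "2.16.840.1.101.3.4.1.5": ("kwa-aes128-wrap", P.absent,          None,         None),
}

def read_tlv(buf, pos):
    """Decode one definite-length DER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal text."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(arc) for arc in (*head, *arcs[1:]))

def check_algorithm_identifier(der):
    """Return (object name, "ok" | "warn" | "reject", reason)."""
    try:
        tag, seq, end = read_tlv(der, 0)
        if tag != SEQUENCE or end != len(der):
            return None, "reject", "not exactly one SEQUENCE"
        tag, oid_body, pos = read_tlv(seq, 0)
        if tag != OID:
            return None, "reject", "first element is not an OID"
        oid, params = decode_oid(oid_body), None
        if pos < len(seq):
            *params, pos = read_tlv(seq, pos)   # params = [tag, value]
        if pos != len(seq):
            return None, "reject", "trailing data after parameters"
    except ValueError as exc:
        return None, "reject", str(exc)
    if oid not in ALGORITHM_SET:
        return None, "reject", "OID %s is not in the object set" % oid
    name, presence, want_tag, want_len = ALGORITHM_SET[oid]
    if params is None:
        if presence is P.required:
            return name, "reject", "parameters MUST be present"
        if presence is P.preferredPresent:
            return name, "warn", "parameters SHOULD be present"
        return name, "ok", "parameters absent"
    if presence is P.absent:
        return name, "reject", "parameters MUST NOT be present"
    if params[0] != want_tag or want_len not in (None, len(params[1])):
        return name, "reject", "parameters have the wrong type or size"
    if presence is P.preferredAbsent:
        return name, "warn", "parameters SHOULD NOT be present"
    return name, "ok", "parameters present and well-typed"

# Constructed sample encodings: OID content octets in hex, short lengths only.
RSA_ENCRYPTION, HMAC_SHA1 = "2a864886f70d010101", "2b06010505080102"
AES128_CBC, AES128_WRAP = "608648016503040102", "608648016503040105"

def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body

def sample(oid_hex, params=b""):
    return tlv(SEQUENCE, tlv(OID, bytes.fromhex(oid_hex)) + params)

if __name__ == "__main__":
    for oid_hex, params in [(RSA_ENCRYPTION, tlv(NULL)), (RSA_ENCRYPTION, b""),
                            (HMAC_SHA1, tlv(NULL)), (AES128_WRAP, tlv(NULL))]:
        print(check_algorithm_identifier(sample(oid_hex, params)))
```
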
883   -- S/MIME Capabilities - most have no label.

885   cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }

887   END

889   4. ASN.1 Module for RFC 3565

891   CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
892       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
893   DEFINITIONS IMPLICIT TAGS ::=
894   BEGIN
895   IMPORTS

897   CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
898   FROM AlgorithmInformation-2009
899       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
900       mechanisms(5) pkix(7) id-mod(0)
901       id-mod-algorithmInformation-02(58)};

903   AES-ContentEncryption CONTENT-ENCRYPTION ::= {
904       cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
905   }

907   AES-KeyWrap KEY-WRAP ::= {
908       kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
909   }

911   SMimeCaps SMIME-CAPS ::= {
912       cea-aes128-cbc.&smimeCaps |
913       cea-aes192-cbc.&smimeCaps |
914       cea-aes256-cbc.&smimeCaps |
915       kwa-aes128-wrap.&smimeCaps |
916       kwa-aes192-wrap.&smimeCaps |
917       kwa-aes256-wrap.&smimeCaps, ...
918   }

920   -- AES information object identifiers --

922   aes OBJECT IDENTIFIER ::=
923       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
924       csor(3) nistAlgorithms(4) 1 }

926   -- AES using CBC mode for key sizes of 128, 192, 256

928   cea-aes128-cbc CONTENT-ENCRYPTION ::= {
929       IDENTIFIER id-aes128-CBC
930       PARAMS TYPE AES-IV ARE required
931       SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
932   }
933   id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }

935   cea-aes192-cbc CONTENT-ENCRYPTION ::= {
936       IDENTIFIER id-aes192-CBC
937       PARAMS TYPE AES-IV ARE required
938       SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
939   }
940   id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }

942   cea-aes256-cbc CONTENT-ENCRYPTION ::= {
943       IDENTIFIER id-aes256-CBC
944       PARAMS TYPE AES-IV ARE required
945       SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }

947   }
948   id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

950   -- AES-IV is the parameter for all the above object identifiers.
952   AES-IV ::= OCTET STRING (SIZE(16))

954   -- AES Key Wrap Algorithm Identifiers - Parameter is absent

956   kwa-aes128-wrap KEY-WRAP ::= {
957       IDENTIFIER id-aes128-wrap
958       PARAMS ARE absent
959       SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
960   }
961   id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }

963   kwa-aes192-wrap KEY-WRAP ::= {
964       IDENTIFIER id-aes192-wrap
965       PARAMS ARE absent
966       SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
967   }
968   id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }

970   kwa-aes256-wrap KEY-WRAP ::= {
971       IDENTIFIER id-aes256-wrap
972       PARAMS ARE absent
973       SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
974   }
975   id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

977   END

979   5. ASN.1 Module for RFC 3851

981   SecureMimeMessageV3dot1-2009
982       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
983       smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
984   DEFINITIONS IMPLICIT TAGS ::=
985   BEGIN
986   IMPORTS

988   SMIME-CAPS, SMIMECapabilities{}
989   FROM AlgorithmInformation-2009
990       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
991       mechanisms(5) pkix(7) id-mod(0)
992       id-mod-algorithmInformation-02(58)}

994   ATTRIBUTE
995   FROM PKIX-CommonTypes-2009
996       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
997       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

999   SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
1000  FROM CryptographicMessageSyntax-2009
1001      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1002      smime(16) modules(0) id-mod-cms-2004-02(41)}

1004  rc2-cbc, SMimeCaps
1005  FROM CryptographicMessageSyntaxAlgorithms-2009
1006      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1007      smime(16) modules(0) id-mod-cmsalg-2001-02(37)}

1009  SMimeCaps
1010  FROM PKIXAlgs-2009
1011      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1012      mechanisms(5) pkix(7) id-mod(0)
1013      id-mod-pkix1-algorithms2008-02(56)}

1015  SMimeCaps
1016  FROM PKIX1-PSS-OAEP-Algorithms-2009
1017      {iso(1) identified-organization(3) dod(6) internet(1)
1018      security(5) mechanisms(5) pkix(7) id-mod(0)
1019      id-mod-pkix1-rsa-pkalgs-02(54)};

1021  SMimeAttributeSet ATTRIBUTE ::=
1022      { aa-smimeCapabilities | aa-encrypKeyPref, ... }

1024  -- id-aa is the arc with all new authenticated and unauthenticated
1025  -- attributes produced by the S/MIME Working Group

1027  id-aa OBJECT IDENTIFIER ::=
1028      { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1029      smime(16) attributes(2)}

1031  -- S/MIME Capabilities provides a method of broadcasting the symmetric
1032  -- capabilities understood. Algorithms SHOULD be ordered by
1033  -- preference and grouped by type

1035  aa-smimeCapabilities ATTRIBUTE ::=
1036      { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
1037      smimeCapabilities }

1039  smimeCapabilities OBJECT IDENTIFIER ::=
1040      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1041      15 }

1043  SMimeCapsSet SMIME-CAPS ::=
1044      { cap-preferBinaryInside | cap-RC2CBC |
1045      PKIXAlgs-2009.SMimeCaps |
1046      CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
1047      PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }

1049  -- Encryption Key Preference provides a method of broadcasting the
1050  -- preferred encryption certificate.
1052  aa-encrypKeyPref ATTRIBUTE ::=
1053      { TYPE SMIMEEncryptionKeyPreference
1054      IDENTIFIED BY id-aa-encrypKeyPref }

1056  id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

1058  SMIMEEncryptionKeyPreference ::= CHOICE {
1059      issuerAndSerialNumber [0] IssuerAndSerialNumber,
1060      receipentKeyId [1] RecipientKeyIdentifier,
1061      subjectAltKeyIdentifier [2] SubjectKeyIdentifier
1062  }

1064  id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1065      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

1067  id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

1069  -- The preferBinaryInside indicates an ability to receive messages
1070  -- with binary encoding inside the CMS wrapper

1072  cap-preferBinaryInside SMIME-CAPS ::=
1073      { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }

1075  id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

1077  -- The following list OIDs to be used with S/MIME V3

1079  -- Signature Algorithms Not Found in [CMSALG]
1080  --
1081  -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
1082  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
1083  --     2}
1084  --
1085  -- Other Signed Attributes
1086  --
1087  -- signingTime OBJECT IDENTIFIER ::=
1088  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1089  --     5}
1090  -- See [CMS] for a description of how to encode the attribute
1091  -- value.

1093  cap-RC2CBC SMIME-CAPS ::=
1094      { TYPE SMIMECapabilitiesParametersForRC2CBC
1095      IDENTIFIED BY rc2-cbc}

1097  SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
1098  -- (RC2 Key Length (number of bits))

1100  END

1102  6. ASN.1 Module for RFC 3852

1104  This module has an ASN.1 idiom for noting in which version of CMS
1105  changes were made from the original PKCS #7; that idiom is "[[v:",
1106  where "v" is an integer. For example:

1108  RevocationInfoChoice ::= CHOICE {
1109      crl CertificateList,
1110      ...,
1111      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1113  Similarly, this module adds the ASN.1 idiom for extensibility (the
1114  "...,") in all places that have been extended in the past. See the
1115  example above.

1117  CryptographicMessageSyntax-2009
1118      { iso(1) member-body(2) us(840) rsadsi(113549)
1119      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
1120  DEFINITIONS IMPLICIT TAGS ::=
1121  BEGIN
1122  IMPORTS

1124  ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
1125      PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
1126      KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
1127      AlgorithmIdentifier
1128  FROM AlgorithmInformation-2009
1129      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1130      mechanisms(5) pkix(7) id-mod(0)
1131      id-mod-algorithmInformation-02(58)}

1133  SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
1134      MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
1135      KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
1136  FROM CryptographicMessageSyntaxAlgorithms-2009
1137      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1138      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

1140  Certificate, CertificateList, CertificateSerialNumber,
1141      Name, ATTRIBUTE
1142  FROM PKIX1Explicit-2009
1143      { iso(1) identified-organization(3) dod(6) internet(1)
1144      security(5) mechanisms(5) pkix(7) id-mod(0)
1145      id-mod-pkix1-explicit-02(51) }

1147  AttributeCertificate
1148  FROM PKIXAttributeCertificate-2009
1149      { iso(1) identified-organization(3) dod(6) internet(1)
1150      security(5) mechanisms(5) pkix(7) id-mod(0)
1151      id-mod-attribute-cert-02(47) }

1153  AttributeCertificateV1
1154  FROM AttributeCertificateVersion1-2009
1155      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1156      smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

1158  -- Cryptographic Message Syntax

1160  -- The following are used for version numbers using the ASN.1
1161  -- idiom "[[n:"
1162  -- Version 1 = PKCS #7
1163  -- Version 2 = S/MIME V2
1164  -- Version 3 = RFC 2630
1165  -- Version 4 = RFC 3369
1166  -- Version 5 = RFC 3852

1168  CONTENT-TYPE ::= TYPE-IDENTIFIER
1169  ContentType ::= CONTENT-TYPE.&id

1171  ContentInfo ::= SEQUENCE {
1172      contentType CONTENT-TYPE.
1173          &id({ContentSet}),
1174      content [0] EXPLICIT CONTENT-TYPE.
1175          &Type({ContentSet}{@contentType})}

1177  ContentSet CONTENT-TYPE ::= {
1178      -- Define the set of content types to be recognized.
1179      ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
1180      ct-AuthenticatedData | ct-DigestedData, ... }

1182  SignedData ::= SEQUENCE {
1183      version CMSVersion,
1184      digestAlgorithms SET OF DigestAlgorithmIdentifier,
1185      encapContentInfo EncapsulatedContentInfo,
1186      certificates [0] IMPLICIT CertificateSet OPTIONAL,
1187      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
1188      signerInfos SignerInfos }

1190  SignerInfos ::= SET OF SignerInfo

1192  EncapsulatedContentInfo ::= SEQUENCE {
1193      eContentType CONTENT-TYPE.&id({ContentSet}),
1194      eContent [0] EXPLICIT OCTET STRING
1195          ( CONTAINING CONTENT-TYPE.
1196          &Type({ContentSet}{@eContentType})) OPTIONAL }

1198  SignerInfo ::= SEQUENCE {
1199      version CMSVersion,
1200      sid SignerIdentifier,
1201      digestAlgorithm DigestAlgorithmIdentifier,
1202      signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
1203      signatureAlgorithm SignatureAlgorithmIdentifier,
1204      signature SignatureValue,
1205      unsignedAttrs [1] IMPLICIT Attributes
1206          {{UnsignedAttributes}} OPTIONAL }

1208  SignedAttributes ::= Attributes {{ SignedAttributesSet }}

1210  SignerIdentifier ::= CHOICE {
1211      issuerAndSerialNumber IssuerAndSerialNumber,
1212      ...,
1213      [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1215  SignedAttributesSet ATTRIBUTE ::=
1216      { aa-signingTime | aa-messageDigest | aa-contentType, ... }

1218  UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

1220  SignatureValue ::= OCTET STRING

1222  EnvelopedData ::= SEQUENCE {
1223      version CMSVersion,
1224      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1225      recipientInfos RecipientInfos,
1226      encryptedContentInfo EncryptedContentInfo,
1227      ...,

1229      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1230          {{ UnprotectedAttributes }} OPTIONAL ]] }

1232  OriginatorInfo ::= SEQUENCE {
1233      certs [0] IMPLICIT CertificateSet OPTIONAL,
1234      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

1236  RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

1238  EncryptedContentInfo ::= SEQUENCE {
1239      contentType CONTENT-TYPE.&id({ContentSet}),
1240      contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1241      encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

1243  -- If you want to do constraints, you might use:
1244  -- EncryptedContentInfo ::= SEQUENCE {
1245  --     contentType CONTENT-TYPE.&id({ContentSet}),
1246  --     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1247  --     encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
1248  --         &Type({ContentSet}{@contentType}) OPTIONAL }
1249  -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
1250  --     { ToBeEncrypted } )

1252  UnprotectedAttributes ATTRIBUTE ::= { ... }

1254  RecipientInfo ::= CHOICE {
1255      ktri KeyTransRecipientInfo,
1256      ...,
1257      [[3: kari [1] KeyAgreeRecipientInfo ]],
1258      [[4: kekri [2] KEKRecipientInfo]],
1259      [[5: pwri [3] PasswordRecipientInfo,
1260          ori [4] OtherRecipientInfo ]] }

1262  EncryptedKey ::= OCTET STRING

1264  KeyTransRecipientInfo ::= SEQUENCE {
1265      version CMSVersion, -- always set to 0 or 2
1266      rid RecipientIdentifier,
1267      keyEncryptionAlgorithm AlgorithmIdentifier
1268          {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
1269      encryptedKey EncryptedKey }

1271  KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

1273  RecipientIdentifier ::= CHOICE {
1274      issuerAndSerialNumber IssuerAndSerialNumber,
1275      ...,
1276      [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1278  KeyAgreeRecipientInfo ::= SEQUENCE {
1279      version CMSVersion, -- always set to 3
1280      originator [0] EXPLICIT OriginatorIdentifierOrKey,
1281      ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
1282      keyEncryptionAlgorithm AlgorithmIdentifier
1283          {KEY-AGREE, {KeyAgreementAlgorithmSet}},
1284      recipientEncryptedKeys RecipientEncryptedKeys }

1286  KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

1288  OriginatorIdentifierOrKey ::= CHOICE {
1289      issuerAndSerialNumber IssuerAndSerialNumber,
1290      subjectKeyIdentifier [0] SubjectKeyIdentifier,
1291      originatorKey [1] OriginatorPublicKey }

1293  OriginatorPublicKey ::= SEQUENCE {
1294      algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
1295      publicKey BIT STRING }

1297  OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

1299  RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

1301  RecipientEncryptedKey ::= SEQUENCE {
1302      rid KeyAgreeRecipientIdentifier,
1303      encryptedKey EncryptedKey }

1305  KeyAgreeRecipientIdentifier ::= CHOICE {
1306      issuerAndSerialNumber IssuerAndSerialNumber,
1307      rKeyId [0] IMPLICIT RecipientKeyIdentifier }

1309  RecipientKeyIdentifier ::= SEQUENCE {
1310      subjectKeyIdentifier SubjectKeyIdentifier,
1311      date GeneralizedTime OPTIONAL,
1312      other OtherKeyAttribute OPTIONAL }

1314  SubjectKeyIdentifier ::= OCTET STRING

1316  KEKRecipientInfo ::= SEQUENCE {
1317      version CMSVersion, -- always set to 4
1318      kekid KEKIdentifier,
1319      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1320      encryptedKey EncryptedKey }

1322  KEKIdentifier ::= SEQUENCE {
1323      keyIdentifier OCTET STRING,
1324      date GeneralizedTime OPTIONAL,
1325      other OtherKeyAttribute OPTIONAL }

1327  PasswordRecipientInfo ::= SEQUENCE {
1328      version CMSVersion, -- always set to 0
1329      keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
1330          OPTIONAL,
1331      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1332      encryptedKey EncryptedKey }

1334  OTHER-RECIPIENT ::= TYPE-IDENTIFIER

1336  OtherRecipientInfo ::= SEQUENCE {
1337      oriType OTHER-RECIPIENT.
1338          &id({SupportedOtherRecipInfo}),
1339      oriValue OTHER-RECIPIENT.
1340          &Type({SupportedOtherRecipInfo}{@oriType})}

1342  SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

1344  DigestedData ::= SEQUENCE {
1345      version CMSVersion,
1346      digestAlgorithm DigestAlgorithmIdentifier,
1347      encapContentInfo EncapsulatedContentInfo,
1348      digest Digest, ... }

1350  Digest ::= OCTET STRING

1352  EncryptedData ::= SEQUENCE {
1353      version CMSVersion,
1354      encryptedContentInfo EncryptedContentInfo,
1355      ...,
1356      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1357          {{UnprotectedAttributes}} OPTIONAL ]] }

1359  AuthenticatedData ::= SEQUENCE {
1360      version CMSVersion,
1361      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1362      recipientInfos RecipientInfos,
1363      macAlgorithm MessageAuthenticationCodeAlgorithm,
1364      digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1365      encapContentInfo EncapsulatedContentInfo,
1366      authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1367      mac MessageAuthenticationCode,
1368      unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1370  AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1371      {{AuthAttributeSet}}

1373  AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1374      | aa-signingTime, ...}

1376  MessageAuthenticationCode ::= OCTET STRING

1378  UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1379      {{UnauthAttributeSet}}

1381  UnauthAttributeSet ATTRIBUTE ::= {...}

1383  --
1384  -- General algorithm definitions
1385  --

1387  DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1388      {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1390  DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1391      CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1393  SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1394      {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1396  SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1397      { SignatureAlgs, ... }

1399  KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1400      {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1402  KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1404  ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1405      {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1407  ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1408      { ContentEncryptionAlgs, ... }

1410  MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1411      {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1413  MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1414      { MessageAuthAlgs, ... }

1416  KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1417      {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1419  RevocationInfoChoices ::= SET OF RevocationInfoChoice

1421  RevocationInfoChoice ::= CHOICE {
1422      crl CertificateList,
1423      ...,

1425      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1427  OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1429  OtherRevocationInfoFormat ::= SEQUENCE {
1430      otherRevInfoFormat OTHER-REVOK-INFO.
1431          &id({SupportedOtherRevokInfo}),
1432      otherRevInfo OTHER-REVOK-INFO.
1433          &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1435  SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1437  CertificateChoices ::= CHOICE {
1438      certificate Certificate,
1439      extendedCertificate [0] IMPLICIT ExtendedCertificate,
1440      -- Obsolete
1441      ...,
1442      [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1443      -- Obsolete
1444      [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1445      [[5: other [3] IMPLICIT OtherCertificateFormat]] }

1447  AttributeCertificateV2 ::= AttributeCertificate

1449  OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1451  OtherCertificateFormat ::= SEQUENCE {
1452      otherCertFormat OTHER-CERT-FMT.
1453          &id({SupportedCertFormats}),
1454      otherCert OTHER-CERT-FMT.
1455          &Type({SupportedCertFormats}{@otherCertFormat})}

1457  SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1459  CertificateSet ::= SET OF CertificateChoices

1461  IssuerAndSerialNumber ::= SEQUENCE {
1462      issuer Name,
1463      serialNumber CertificateSerialNumber }

1465  CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1467  UserKeyingMaterial ::= OCTET STRING

1469  KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

1471  OtherKeyAttribute ::= SEQUENCE {
1472      keyAttrId KEY-ATTRIBUTE.

1474          &id({SupportedKeyAttributes}),
1475      keyAttr KEY-ATTRIBUTE.
1476          &Type({SupportedKeyAttributes}{@keyAttrId})}

1478  SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1480  -- Content Type Object Identifiers

1482  id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1483      us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1485  ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

1487  id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1488      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1490  ct-SignedData CONTENT-TYPE ::=
1491      { SignedData IDENTIFIED BY id-signedData}

1493  id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1494      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1496  ct-EnvelopedData CONTENT-TYPE ::=
1497      { EnvelopedData IDENTIFIED BY id-envelopedData}

1499  id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1500      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1502  ct-DigestedData CONTENT-TYPE ::=
1503      { DigestedData IDENTIFIED BY id-digestedData}

1505  id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1506      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1508  ct-EncryptedData CONTENT-TYPE ::=
1509      { EncryptedData IDENTIFIED BY id-encryptedData}

1511  id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1512      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1514  ct-AuthenticatedData CONTENT-TYPE ::=
1515      { AuthenticatedData IDENTIFIED BY id-ct-authData}

1517  id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1518      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1520  --
1521  -- The CMS Attributes
1522  --

1524  MessageDigest ::= OCTET STRING

1526  SigningTime ::= Time

1528  Time ::= CHOICE {
1529      utcTime UTCTime,
1530      generalTime GeneralizedTime }

1532  Countersignature ::= SignerInfo

1534  -- Attribute Object Identifiers

1536  aa-contentType ATTRIBUTE ::=
1537      { TYPE ContentType IDENTIFIED BY id-contentType }
1538  id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1539      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1541  aa-messageDigest ATTRIBUTE ::=
1542      { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1543  id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1544      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1546  aa-signingTime ATTRIBUTE ::=
1547      { TYPE SigningTime IDENTIFIED BY id-signingTime }
1548  id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1549      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1551  aa-countersignature ATTRIBUTE ::=
1552      { TYPE Countersignature IDENTIFIED BY id-countersignature }
1553  id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1554      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1556  --
1557  -- Obsolete Extended Certificate syntax from PKCS#6
1558  --

1560  ExtendedCertificateOrCertificate ::= CHOICE {
1561      certificate Certificate,
1562      extendedCertificate [0] IMPLICIT ExtendedCertificate }

1564  ExtendedCertificate ::= SEQUENCE {
1565      extendedCertificateInfo ExtendedCertificateInfo,
1566      signatureAlgorithm SignatureAlgorithmIdentifier,
1567      signature Signature }

1569  ExtendedCertificateInfo ::= SEQUENCE {
1570      version CMSVersion,
1571      certificate Certificate,
1572      attributes UnauthAttributes }

1574  Signature ::= BIT STRING

1576  Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1577      attrType ATTRIBUTE.
1578          &id({AttrList}),
1579      attrValues SET OF ATTRIBUTE.
1580          &Type({AttrList}{@attrType}) }

1582  Attributes { ATTRIBUTE:AttrList } ::=
1583      SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1585  END

1587  7. ASN.1 Module for RFC 4108

1589  CMSFirmwareWrapper-2009
1590      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1591      smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
1592  DEFINITIONS IMPLICIT TAGS ::=
1593  BEGIN
1594  IMPORTS

1596  OTHER-NAME
1597  FROM PKIX1Implicit-2009
1598      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1599      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

1601  EnvelopedData, CONTENT-TYPE, ATTRIBUTE
1602  FROM CryptographicMessageSyntax-2009
1603      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1604      smime(16) modules(0) id-mod-cms-2004-02(41) };

1606  FirmwareContentTypes CONTENT-TYPE ::= {
1607      ct-firmwarePackage | ct-firmwareLoadReceipt |
1608      ct-firmwareLoadError,... }

1610  FirmwareSignedAttrs ATTRIBUTE ::= {
1611      aa-firmwarePackageID | aa-targetHardwareIDs |
1612      aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
1613      aa-communityIdentifiers | aa-firmwarePackageInfo,... }

1615  FirmwareUnsignedAttrs ATTRIBUTE ::= {
1616      aa-wrappedFirmwareKey, ... }

1618  FirmwareOtherNames OTHER-NAME ::= {
1619      on-hardwareModuleName, ... }

1621  -- Firmware Package Content Type and Object Identifier

1623  ct-firmwarePackage CONTENT-TYPE ::=
1624      { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

1626  id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
1627      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1628      smime(16) ct(1) 16 }

1630  FirmwarePkgData ::= OCTET STRING

1632  -- Firmware Package Signed Attributes and Object Identifiers

1634  aa-firmwarePackageID ATTRIBUTE ::=
1635      { TYPE FirmwarePackageIdentifier IDENTIFIED BY
1636      id-aa-firmwarePackageID }

1638  id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
1639      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1640      smime(16) aa(2) 35 }

1642  FirmwarePackageIdentifier ::= SEQUENCE {
1643      name PreferredOrLegacyPackageIdentifier,
1644      stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }

1646  PreferredOrLegacyPackageIdentifier ::= CHOICE {
1647      preferred PreferredPackageIdentifier,
1648      legacy OCTET STRING }

1650  PreferredPackageIdentifier ::= SEQUENCE {
1651      fwPkgID OBJECT IDENTIFIER,
1652      verNum INTEGER (0..MAX) }

1654  PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
1655      preferredStaleVerNum INTEGER (0..MAX),
1656      legacyStaleVersion OCTET STRING }

1658  aa-targetHardwareIDs ATTRIBUTE ::=
1659      { TYPE TargetHardwareIdentifiers IDENTIFIED BY
1660      id-aa-targetHardwareIDs }

1662  id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
1663      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1664      smime(16) aa(2) 36 }

1666  TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

1668  aa-decryptKeyID ATTRIBUTE ::=
1669      { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

1671  id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
1672      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1673      smime(16) aa(2) 37 }

1675  DecryptKeyIdentifier ::= OCTET STRING

1677  aa-implCryptoAlgs ATTRIBUTE ::=
1678      { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
1679      id-aa-implCryptoAlgs }

1681  id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
1682      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1683      smime(16) aa(2) 38 }

1685  ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1687  aa-implCompressAlgs ATTRIBUTE ::=
1688      { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
1689      id-aa-implCompressAlgs }

1691  id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
1692      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1693      smime(16) aa(2) 43 }

1695  ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1697  aa-communityIdentifiers ATTRIBUTE ::=
1698      { TYPE CommunityIdentifiers IDENTIFIED BY
1699      id-aa-communityIdentifiers }

1701  id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
1702      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1703      smime(16) aa(2) 40 }

1705  CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

1707  CommunityIdentifier ::= CHOICE {
1708      communityOID OBJECT IDENTIFIER,
1709      hwModuleList HardwareModules }

1711  HardwareModules ::= SEQUENCE {
1712      hwType OBJECT IDENTIFIER,
1713      hwSerialEntries SEQUENCE OF HardwareSerialEntry }

1715  HardwareSerialEntry ::= CHOICE {
1716      all NULL,
1717      single OCTET STRING,
1718      block SEQUENCE {
1719          low OCTET STRING,
1720          high OCTET STRING
1721      }
1722  }

1724  aa-firmwarePackageInfo ATTRIBUTE ::=
1725      { TYPE FirmwarePackageInfo IDENTIFIED BY
1726      id-aa-firmwarePackageInfo }
1727  id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
1728      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1729      smime(16) aa(2) 42 }

1731  FirmwarePackageInfo ::= SEQUENCE {
1732      fwPkgType INTEGER OPTIONAL,
1733      dependencies SEQUENCE OF
1734          PreferredOrLegacyPackageIdentifier OPTIONAL }

1736  -- Firmware Package Unsigned Attributes and Object Identifiers

1738  aa-wrappedFirmwareKey ATTRIBUTE ::=
1739      { TYPE WrappedFirmwareKey IDENTIFIED BY
1740      id-aa-wrappedFirmwareKey }
1741  id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
1742      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1743      smime(16) aa(2) 39 }

1745  WrappedFirmwareKey ::= EnvelopedData

1747  -- Firmware Package Load Receipt Content Type and Object Identifier

1749  ct-firmwareLoadReceipt CONTENT-TYPE ::=
1750      { FirmwarePackageLoadReceipt IDENTIFIED BY
1751      id-ct-firmwareLoadReceipt }
1752  id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
1753      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1754      smime(16) ct(1) 17 }

1756  FirmwarePackageLoadReceipt ::= SEQUENCE {
1757      version FWReceiptVersion DEFAULT v1,
1758      hwType OBJECT IDENTIFIER,
1759      hwSerialNum OCTET STRING,
1760      fwPkgName PreferredOrLegacyPackageIdentifier,
1761      trustAnchorKeyID OCTET STRING OPTIONAL,
1762      decryptKeyID [1] OCTET STRING OPTIONAL }

1764  FWReceiptVersion ::= INTEGER { v1(1) }

1766  -- Firmware Package Load Error Report Content Type
1767  -- and Object Identifier

1769  ct-firmwareLoadError CONTENT-TYPE ::=
1770      { FirmwarePackageLoadError
1771      IDENTIFIED BY id-ct-firmwareLoadError }
1772  id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
1773      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1774      smime(16) ct(1) 18 }

1776  FirmwarePackageLoadError ::= SEQUENCE {
1777      version FWErrorVersion DEFAULT v1,
1778      hwType OBJECT IDENTIFIER,
1779      hwSerialNum OCTET STRING,
1780      errorCode FirmwarePackageLoadErrorCode,
1781      vendorErrorCode VendorLoadErrorCode OPTIONAL,
1782      fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
1783      config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

1785  FWErrorVersion ::= INTEGER { v1(1) }

1787  CurrentFWConfig ::= SEQUENCE {
1788      fwPkgType INTEGER OPTIONAL,
1789      fwPkgName PreferredOrLegacyPackageIdentifier }

1791  FirmwarePackageLoadErrorCode ::= ENUMERATED {
1792      decodeFailure (1),
1793      badContentInfo (2),
1794      badSignedData (3),
1795      badEncapContent (4),
1796      badCertificate (5),
1797      badSignerInfo (6),
1798      badSignedAttrs (7),
1799      badUnsignedAttrs (8),
1800      missingContent (9),
1801      noTrustAnchor (10),
1802      notAuthorized (11),
1803      badDigestAlgorithm (12),
1804      badSignatureAlgorithm (13),
1805      unsupportedKeySize (14),
1806      signatureFailure (15),
1807      contentTypeMismatch (16),
1808      badEncryptedData (17),
1809      unprotectedAttrsPresent (18),
1810      badEncryptContent (19),
1811      badEncryptAlgorithm (20),
1812      missingCiphertext (21),
1813      noDecryptKey (22),
1814      decryptFailure (23),
1815      badCompressAlgorithm (24),
1816      missingCompressedContent (25),
1817      decompressFailure (26),
1818      wrongHardware (27),
1819      stalePackage (28),
1820      notInCommunity (29),
1821      unsupportedPackageType (30),
1822      missingDependency (31),
1823      wrongDependencyVersion (32),
1824      insufficientMemory (33),
1825      badFirmware (34),
1826      unsupportedParameters (35),
1827      breaksDependency (36),
1828      otherError (99) }

1830  VendorLoadErrorCode ::= INTEGER

1832  -- Other Name syntax for Hardware Module Name

1834  on-hardwareModuleName OTHER-NAME ::=
1835      { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
1836  id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
1837      iso(1) identified-organization(3) dod(6) internet(1) security(5)
1838      mechanisms(5) pkix(7) on(8) 4 }

1840  HardwareModuleName ::= SEQUENCE {
1841      hwType OBJECT IDENTIFIER,
1842      hwSerialNum OCTET STRING }

1844  END

1846  8. ASN.1 Module for RFC 4998

1848  ERS {iso(1) identified-organization(3) dod(6) internet(1)
1849      security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
1850      id-mod-ers-v1(1) }
1851  DEFINITIONS IMPLICIT TAGS ::=
1852  BEGIN
1853  IMPORTS

1855  AttributeSet{}, ATTRIBUTE
1856  FROM PKIX-CommonTypes
1857      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1858      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1860  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1861  FROM AlgorithmInformation-2009
1862      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1863      mechanisms(5) pkix(7) id-mod(0)
1864      id-mod-algorithmInformation-02(58)}

1866  ContentInfo
1867  FROM CryptographicMessageSyntax2004
1868      { iso(1) member-body(2) us(840) rsadsi(113549)
1869      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;

1871  aa-er-Internal ATTRIBUTE ::=
1872      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
1873  id-aa-er-internal OBJECT IDENTIFIER ::=
1874      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1875      smime(16) id-aa(2) 49 }

1877  aa-er-External ATTRIBUTE ::=
1878      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
1879  id-aa-er-external OBJECT IDENTIFIER ::=
1880      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1881      smime(16) id-aa(2) 50 }

1883  ltans OBJECT IDENTIFIER ::=
1884      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1885      mechanisms(5) ltans(11) }

1887  EvidenceRecord ::= SEQUENCE {
1888      version INTEGER { v1(1) } ,
1889      digestAlgorithms SEQUENCE OF AlgorithmIdentifier
1890          {DIGEST-ALGORITHM, {...}},
1891      cryptoInfos [0] CryptoInfos OPTIONAL,
1892      encryptionInfo [1] EncryptionInfo OPTIONAL,
1893      archiveTimeStampSequence ArchiveTimeStampSequence
1894  }

1896  CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}

1898  ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
1899  ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

1901  ArchiveTimeStamp ::= SEQUENCE {
1902      digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
1903          OPTIONAL,
1904      attributes [1] Attributes OPTIONAL,
1905      reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
1906      timeStamp ContentInfo
1907  }

1909  PartialHashtree ::= SEQUENCE OF OCTET STRING

1911  Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}

1913  EncryptionInfo ::= SEQUENCE {
1914      encryptionInfoType ENCINFO-TYPE.
1915          &id({SupportedEncryptionAlgorithms}),
1916      encryptionInfoValue ENCINFO-TYPE.
1917          &Type({SupportedEncryptionAlgorithms}
1918          {@encryptionInfoType})
1919  }

1921  ENCINFO-TYPE ::= TYPE-IDENTIFIER

1923  SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}

1925  END

1927  9. ASN.1 Module for RFC 5035

1929  ExtendedSecurityServices-2009
1930      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1931      smime(16) modules(0) id-mod-ess-2006-02(42) }
1932  DEFINITIONS IMPLICIT TAGS ::=
1933  BEGIN
1934  IMPORTS

1936  AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
1937  FROM PKIX-CommonTypes-2009
1938      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1939      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1941  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1942  FROM AlgorithmInformation-2009
1943      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1944      mechanisms(5) pkix(7) id-mod(0)
1945      id-mod-algorithmInformation-02(58)}

1947  ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
1948      CONTENT-TYPE
1949  FROM CryptographicMessageSyntax-2009
1950      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1951      smime(16) modules(0) id-mod-cms-2004-02(41) }

1953  CertificateSerialNumber
1954  FROM PKIX1Explicit-2009
1955      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1956      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

1958  PolicyInformation, GeneralNames
1959  FROM PKIX1Implicit-2009
1960      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1961      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

1963  mda-sha256
1964  FROM PKIX1-PSS-OAEP-Algorithms-2009
1965      { iso(1) identified-organization(3) dod(6)
1966      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
1967      id-mod-pkix1-rsa-pkalgs-02(54) } ;

1969  EssSignedAttributes ATTRIBUTE ::= {
1970      aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
1971      aa-msgSigDigest | aa-contentReference | aa-securityLabel |
1972      aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
1973      aa-signingCertificateV2, ... }

1975  EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }

1977  -- Extended Security Services
1978  -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
1979  -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
1980  -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
1981  -- to have at least one entry. MAX indicates the upper bound is
1982  -- unspecified. Implementations are free to choose an upper bound
1983  -- that suits their environment.
1985    -- Section 2.7

1987    aa-receiptRequest ATTRIBUTE ::=
1988        { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}

1990    ReceiptRequest ::= SEQUENCE {
1991        signedContentIdentifier ContentIdentifier,
1992        receiptsFrom ReceiptsFrom,
1993        receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
1994    }

1996    ub-receiptsTo INTEGER ::= 16

1998    aa-contentIdentifier ATTRIBUTE ::=
1999        { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
2000    id-aa-receiptRequest OBJECT IDENTIFIER ::=
2001        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2002        smime(16) id-aa(2) 1}

2004    ContentIdentifier ::= OCTET STRING

2006    id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2007        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

2009    ct-receipt CONTENT-TYPE ::=
2010        { Receipt IDENTIFIED BY id-ct-receipt }
2011    id-ct-receipt OBJECT IDENTIFIER ::=
2012        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2013        smime(16) id-ct(1) 1}

2015    ReceiptsFrom ::= CHOICE {
2016        allOrFirstTier [0] AllOrFirstTier,
2017            -- formerly "allOrNone [0]AllOrNone"
2018        receiptList [1] SEQUENCE OF GeneralNames }

2020    AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
2021        allReceipts (0),
2022        firstTierRecipients (1) }

2024    -- Section 2.8

2026    Receipt ::= SEQUENCE {
2027        version ESSVersion,
2028        contentType ContentType,
2029        signedContentIdentifier ContentIdentifier,
2030        originatorSignatureValue OCTET STRING
2031    }

2033    ESSVersion ::= INTEGER { v1(1) }

2035    -- Section 2.9

2037    aa-contentHint ATTRIBUTE ::=
2038        { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
2039    id-aa-contentHint OBJECT IDENTIFIER ::=
2040        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2041        smime(16) id-aa(2) 4}

2043    ContentHints ::= SEQUENCE {
2044        contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
2045        contentType ContentType }

2047    -- Section 2.10

2049    aa-msgSigDigest ATTRIBUTE ::=
2050        { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
2051    id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2052        us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

2054    MsgSigDigest ::= OCTET STRING

2056    -- Section 2.11

2058    aa-contentReference ATTRIBUTE ::=
2059        { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
2060    id-aa-contentReference OBJECT IDENTIFIER ::=
2061        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2062        smime(16) id-aa(2) 10 }

2064    ContentReference ::= SEQUENCE {
2065        contentType ContentType,
2066        signedContentIdentifier ContentIdentifier,
2067        originatorSignatureValue OCTET STRING }

2069    -- Section 3.2

2071    aa-securityLabel ATTRIBUTE ::=
2072        { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
2073    id-aa-securityLabel OBJECT IDENTIFIER ::=
2074        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2075        smime(16) id-aa(2) 2}

2077    ESSSecurityLabel ::= SET {
2078        security-policy-identifier SecurityPolicyIdentifier,
2079        security-classification SecurityClassification OPTIONAL,
2080        privacy-mark ESSPrivacyMark OPTIONAL,
2081        security-categories SecurityCategories OPTIONAL }

2083    SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

2085    SecurityClassification ::= INTEGER {
2086        unmarked (0),
2087        unclassified (1),
2088        restricted (2),
2089        confidential (3),
2090        secret (4),
2091        top-secret (5)
2092    } (0..ub-integer-options)

2094    ub-integer-options INTEGER ::= 256

2096    ESSPrivacyMark ::= CHOICE {
2097        pString PrintableString (SIZE (1..ub-privacy-mark-length)),
2098        utf8String UTF8String (SIZE (1..MAX))
2099    }

2101    ub-privacy-mark-length INTEGER ::= 128

2103    SecurityCategories ::=
2104        SET SIZE (1..ub-security-categories) OF SecurityCategory
2105            {{SupportedSecurityCategories}}

2107    ub-security-categories INTEGER ::= 64

2109    SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

2111    -- Section 3.4

2113    aa-equivalentLabels ATTRIBUTE ::=
2114        { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
2115    id-aa-equivalentLabels OBJECT IDENTIFIER ::=
2116        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2117        smime(16) id-aa(2) 9}

2119    EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

2121    -- Section 4.4

2123    aa-mlExpandHistory ATTRIBUTE ::=
2124        { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
2125    id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
2126        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2127        smime(16) id-aa(2) 3 }

2129    MLExpansionHistory ::= SEQUENCE
2130        SIZE (1..ub-ml-expansion-history) OF MLData

2132    ub-ml-expansion-history INTEGER ::= 64

2134    MLData ::= SEQUENCE {
2135        mailListIdentifier EntityIdentifier,
2136        expansionTime GeneralizedTime,
2137        mlReceiptPolicy MLReceiptPolicy OPTIONAL }

2139    EntityIdentifier ::= CHOICE {
2140        issuerAndSerialNumber IssuerAndSerialNumber,
2141        subjectKeyIdentifier SubjectKeyIdentifier }

2143    MLReceiptPolicy ::= CHOICE {
2144        none [0] NULL,
2145        insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
2146        inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

2148    -- Section 5.4

2150    aa-signingCertificate ATTRIBUTE ::=
2151        { TYPE SigningCertificate IDENTIFIED BY
2152        id-aa-signingCertificate }
2153    id-aa-signingCertificate OBJECT IDENTIFIER ::=
2154        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2155        smime(16) id-aa(2) 12 }

2157    SigningCertificate ::= SEQUENCE {
2158        certs SEQUENCE OF ESSCertID,
2159        policies SEQUENCE OF PolicyInformation OPTIONAL
2160    }

2162    aa-signingCertificateV2 ATTRIBUTE ::=
2163        { TYPE SigningCertificateV2 IDENTIFIED BY
2164        id-aa-signingCertificateV2 }
2165    id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
2166        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2167        smime(16) id-aa(2) 47 }

2169    SigningCertificateV2 ::= SEQUENCE {
2170        certs SEQUENCE OF ESSCertIDv2,
2171        policies SEQUENCE OF PolicyInformation OPTIONAL
2172    }

2174    HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
2175        {mda-sha256, ...}}

2177    ESSCertIDv2 ::= SEQUENCE {
2178        hashAlgorithm HashAlgorithm
2179            DEFAULT { algorithm mda-sha256.&id },
2180        certHash Hash,
2181        issuerSerial IssuerSerial OPTIONAL
2182    }
2183    ESSCertID ::= SEQUENCE {
2184        certHash Hash,
2185        issuerSerial IssuerSerial OPTIONAL
2186    }

2188    Hash ::= OCTET STRING

2190    IssuerSerial ::= SEQUENCE {
2191        issuer GeneralNames,
2192        serialNumber CertificateSerialNumber
2193    }

2195    END

2197  10. ASN.1 Module for RFC 5083

2199    CMS-AuthEnvelopedData-2009
2200        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2201        smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
2202    DEFINITIONS IMPLICIT TAGS ::=
2203    BEGIN
2204    IMPORTS

2206    AuthAttributes, CMSVersion, EncryptedContentInfo,
2207        MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
2208        UnauthAttributes, CONTENT-TYPE
2209    FROM CryptographicMessageSyntax-2009
2210        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2211        smime(16) modules(0) id-mod-cms-2004-02(41)} ;

2213    ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }

2215    ct-authEnvelopedData CONTENT-TYPE ::= {
2216        AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
2217    }

2219    id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
2220        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2221        smime(16) ct(1) 23}

2223    AuthEnvelopedData ::= SEQUENCE {
2224        version CMSVersion,
2225        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
2226        recipientInfos RecipientInfos,
2227        authEncryptedContentInfo EncryptedContentInfo,
2228        authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
2229        mac MessageAuthenticationCode,
2230        unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
2231    }

2233    END

2235  11. ASN.1 Module for RFC 5084

2237    CMS-AES-CCM-and-AES-GCM-2009
2238        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
2239        pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
2240    DEFINITIONS IMPLICIT TAGS ::=
2241    BEGIN
2242    EXPORTS ALL;
2243    IMPORTS

2245    CONTENT-ENCRYPTION, SMIME-CAPS
2246    FROM AlgorithmInformation-2009
2247        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2248        mechanisms(5) pkix(7) id-mod(0)
2249        id-mod-algorithmInformation-02(58)};

2251    -- Add this algorithm set to include all of the algorithms defined in
2252    -- this document

2254    ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
2255        cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
2256        cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }

2258    SMimeCaps SMIME-CAPS ::= {
2259        cea-aes128-CCM.&smimeCaps |
2260        cea-aes192-CCM.&smimeCaps |
2261        cea-aes256-CCM.&smimeCaps |
2262        cea-aes128-GCM.&smimeCaps |
2263        cea-aes192-GCM.&smimeCaps |
2264        cea-aes256-GCM.&smimeCaps,
2265        ...
2266    }

2268    -- Defining objects

2270    aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
2271        organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

2273    cea-aes128-CCM CONTENT-ENCRYPTION ::= {
2274        IDENTIFIER id-aes128-CCM
2275        PARAMS TYPE CCMParameters ARE required
2276        SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
2277    }
2278    id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }

2280    cea-aes192-CCM CONTENT-ENCRYPTION ::= {
2281        IDENTIFIER id-aes192-CCM
2282        PARAMS TYPE CCMParameters ARE required
2283        SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
2284    }
2285    id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }

2287    cea-aes256-CCM CONTENT-ENCRYPTION ::= {
2288        IDENTIFIER id-aes256-CCM
2289        PARAMS TYPE CCMParameters ARE required
2290        SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }

2292    }
2293    id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

2295    cea-aes128-GCM CONTENT-ENCRYPTION ::= {
2296        IDENTIFIER id-aes128-GCM
2297        PARAMS TYPE GCMParameters ARE required
2298        SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
2299    }
2300    id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }

2302    cea-aes192-GCM CONTENT-ENCRYPTION ::= {
2303        IDENTIFIER id-aes192-GCM
2304        PARAMS TYPE GCMParameters ARE required
2305        SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
2306    }
2307    id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }

2309    cea-aes256-GCM CONTENT-ENCRYPTION ::= {
2310        IDENTIFIER id-aes256-GCM
2311        PARAMS TYPE GCMParameters ARE required
2312        SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
2313    }
2314    id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

2316    -- Parameters for AlgorithmIdentifier

2318    CCMParameters ::= SEQUENCE {
2319        aes-nonce OCTET STRING (SIZE(7..13)),
2320        aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }

2322    AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

2324    GCMParameters ::= SEQUENCE {
2325        aes-nonce OCTET STRING, -- recommended size is 12 octets
2326        aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }

2328    AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

2330    END

2332  12. ASN.1 Module for RFC 5275

2334    SMIMESymmetricKeyDistribution-2009
2335        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2336        smime(16) modules(0) id-mod-symkeydist-02(36)}
2337    DEFINITIONS IMPLICIT TAGS ::=
2338    BEGIN
2339    EXPORTS ALL;
2340    IMPORTS

2342    AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
2343        SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
2344    FROM AlgorithmInformation-2009
2345        {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2346        mechanisms(5) pkix(7) id-mod(0)
2347        id-mod-algorithmInformation-02(58)}

2349    GeneralName
2350    FROM PKIX1Implicit-2009
2351        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2352        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

2354    Certificate
2355    FROM PKIX1Explicit-2009
2356        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2357        mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

2359    RecipientInfos, KEKIdentifier,CertificateSet
2360    FROM CryptographicMessageSyntax-2009
2361        {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2362        smime(16) modules(0) id-mod-cms-2004-02(41) }

2364    cap-3DESwrap
2365    FROM CryptographicMessageSyntaxAlgorithms
2366        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2367        smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

2369    AttributeCertificate
2370    FROM PKIXAttributeCertificate-2009
2371        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2372        mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }

2374    CMC-CONTROL, EXTENDED-FAILURE-INFO
2375    FROM EnrollmentMessageSyntax
2376        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2377        mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }

2379    kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
2380    FROM CMSAesRsaesOaep-2009
2381        { iso(1) member-body(2) us(840) rsadsi(113549)
2382        pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;

2384    -- This defines the group list (GL) symmetric key distribution OID arc
2385    id-skd OBJECT IDENTIFIER ::=
2386        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2387        smime(16) skd(8) }

2389    SKD-ControlSet CMC-CONTROL ::= {
2390        skd-glUseKEK | skd-glDelete | skd-glAddMember |
2391        skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
2392        skd-glRemoveOwner | skd-glKeyCompromise |
2393        skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
2394        skd-glManageCert | skd-glKey, ... }

2396    -- This defines the GL Use KEK control attribute

2398    skd-glUseKEK CMC-CONTROL ::=
2399        { GLUseKEK IDENTIFIED BY id-skd-glUseKEK }

2401    id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}

2403    GLUseKEK ::= SEQUENCE {
2404        glInfo GLInfo,
2405        glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
2406        glAdministration GLAdministration DEFAULT managed,
2407        glKeyAttributes GLKeyAttributes OPTIONAL
2408    }

2410    GLInfo ::= SEQUENCE {
2411        glName GeneralName,
2412        glAddress GeneralName
2413    }

2415    GLOwnerInfo ::= SEQUENCE {
2416        glOwnerName GeneralName,
2417        glOwnerAddress GeneralName,
2418        certificates Certificates OPTIONAL
2419    }

2421    GLAdministration ::= INTEGER {
2422        unmanaged (0),
2423        managed (1),
2424        closed (2)
2425    }

2427    --
2428    -- The advertised set of algorithm capabilities for the document
2429    --

2431    SKD-Caps SMIME-CAPS ::= {
2432        cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
2433        kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
2434    }

2436    cap-aes128-cbc KeyWrapAlgorithm ::=
2437        { capabilityID kwa-aes128-wrap.&smimeCaps.&id }

2439    --
2440    -- The set of key wrap algorithms supported by this specification
2441    --

2443    KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}

2445    GLKeyAttributes ::= SEQUENCE {
2446        rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
2447        recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
2448        duration [2] INTEGER DEFAULT 0,
2449        generationCounter [3] INTEGER DEFAULT 2,
2450        requestedAlgorithm [4] KeyWrapAlgorithm
2451            DEFAULT cap-aes128-cbc
2452    }

2454    -- This defines the Delete GL control attribute.
2455    -- It has the simple type GeneralName.
2457    skd-glDelete CMC-CONTROL ::=
2458        { DeleteGL IDENTIFIED BY id-skd-glDelete }

2460    id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
2461    DeleteGL ::= GeneralName

2463    -- This defines the Add GL Member control attribute

2465    skd-glAddMember CMC-CONTROL ::=
2466        { GLAddMember IDENTIFIED BY id-skd-glAddMember }

2468    id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
2469    GLAddMember ::= SEQUENCE {
2470        glName GeneralName,
2471        glMember GLMember
2472    }

2474    GLMember ::= SEQUENCE {
2475        glMemberName GeneralName,
2476        glMemberAddress GeneralName OPTIONAL,
2477        certificates Certificates OPTIONAL
2478    }

2480    Certificates ::= SEQUENCE {
2481        pKC [0] Certificate OPTIONAL,
2482            -- See RFC 5280
2483        aC [1] SEQUENCE SIZE (1..MAX) OF
2484            AttributeCertificate OPTIONAL,
2485            -- See RFC 3281
2486        certPath [2] CertificateSet OPTIONAL
2487            -- From RFC 3852
2488    }

2490    -- This defines the Delete GL Member control attribute

2492    skd-glDeleteMember CMC-CONTROL ::=
2493        { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }

2495    id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}

2497    GLDeleteMember ::= SEQUENCE {
2498        glName GeneralName,
2499        glMemberToDelete GeneralName
2500    }

2502    -- This defines the GL Rekey control attribute

2504    skd-glRekey CMC-CONTROL ::=
2505        { GLRekey IDENTIFIED BY id-skd-glRekey }

2507    id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}

2509    GLRekey ::= SEQUENCE {
2510        glName GeneralName,
2511        glAdministration GLAdministration OPTIONAL,
2512        glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
2513        glRekeyAllGLKeys BOOLEAN OPTIONAL
2514    }

2516    GLNewKeyAttributes ::= SEQUENCE {
2517        rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
2518        recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
2519        duration [2] INTEGER OPTIONAL,
2520        generationCounter [3] INTEGER OPTIONAL,
2521        requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL
2522    }

2524    -- This defines the Add and Delete GL Owner control attributes

2526    skd-glAddOwner CMC-CONTROL ::=
2527        { GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }

2529    id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}

2531    skd-glRemoveOwner CMC-CONTROL ::=
2532        { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }

2534    id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}

2536    GLOwnerAdministration ::= SEQUENCE {
2537        glName GeneralName,
2538        glOwnerInfo GLOwnerInfo
2539    }

2541    -- This defines the GL Key Compromise control attribute.
2542    -- It has the simple type GeneralName.

2544    skd-glKeyCompromise CMC-CONTROL ::=
2545        { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }

2547    id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
2548    GLKCompromise ::= GeneralName

2550    -- This defines the GL Key Refresh control attribute.

2552    skd-glkRefresh CMC-CONTROL ::=
2553        { GLKRefresh IDENTIFIED BY id-skd-glkRefresh }

2555    id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}

2557    GLKRefresh ::= SEQUENCE {
2558        glName GeneralName,
2559        dates SEQUENCE SIZE (1..MAX) OF Date
2560    }

2562    Date ::= SEQUENCE {
2563        start GeneralizedTime,
2564        end GeneralizedTime OPTIONAL
2565    }

2567    -- This defines the GLA Query Request control attribute.

2569    skd-glaQueryRequest CMC-CONTROL ::=
2570        { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }

2572    id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}

2574    SKD-QUERY ::= TYPE-IDENTIFIER

2576    SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
2577    GLAQueryRequest ::= SEQUENCE {
2578        glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
2579        glaRequestValue SKD-QUERY.
2580            &Type ({SkdQuerySet}{@glaRequestType})
2581    }

2583    -- This defines the GLA Query Response control attribute.

2585    skd-glaQueryResponse CMC-CONTROL ::=
2586        { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }

2588    id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}

2590    SKD-RESPONSE ::= TYPE-IDENTIFIER

2592    SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}

2594    GLAQueryResponse ::= SEQUENCE {
2595        glaResponseType SKD-RESPONSE.
2596            &id({SkdResponseSet}),
2597        glaResponseValue SKD-RESPONSE.
2598            &Type({SkdResponseSet}{@glaResponseType})}

2600    -- This defines the GLA Request/Response (glaRR) arc for
2601    -- glaRequestType/glaResponseType.

2603    id-cmc-glaRR OBJECT IDENTIFIER ::=
2604        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2605        mechanisms(5) pkix(7) cmc(7) glaRR(99) }

2607    -- This defines the Algorithm Request

2609    skd-AlgRequest SKD-QUERY ::= {
2610        SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
2611    }

2613    id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
2614    SKDAlgRequest ::= NULL

2616    -- This defines the Algorithm Response

2618    skd-AlgResponse SKD-RESPONSE ::= {
2619        SMIMECapability{{SKD-Caps}} IDENTIFIED BY
2620        id-cmc-gla-skdAlgResponse
2621    }

2623    id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
2624    -- Note that the response for algorithmSupported request is the
2625    -- smimeCapabilities attribute as defined in RFC 3851.

2627    -- This defines the control attribute to request an updated
2628    -- certificate to the GLA.

2630    skd-glProvideCert CMC-CONTROL ::=
2631        { GLManageCert IDENTIFIED BY id-skd-glProvideCert }

2633    id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}

2635    GLManageCert ::= SEQUENCE {
2636        glName GeneralName,
2637        glMember GLMember
2638    }

2640    -- This defines the control attribute to return an updated
2641    -- certificate to the GLA. It has the type GLManageCert.

2643    skd-glManageCert CMC-CONTROL ::=
2644        { GLManageCert IDENTIFIED BY id-skd-glManageCert }

2646    id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}

2648    -- This defines the control attribute to distribute the GL shared
2649    -- KEK.
2651    skd-glKey CMC-CONTROL ::=
2652        { GLKey IDENTIFIED BY id-skd-glKey }

2654    id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}

2656    GLKey ::= SEQUENCE {
2657        glName GeneralName,
2658        glIdentifier KEKIdentifier, -- See RFC 3852
2659        glkWrapped RecipientInfos, -- See RFC 3852
2660        glkAlgorithm KeyWrapAlgorithm,
2661        glkNotBefore GeneralizedTime,
2662        glkNotAfter GeneralizedTime
2663    }

2665    -- This defines the CMC error types

2667    skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
2668        SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
2669    }

2671    id-cet-skdFailInfo OBJECT IDENTIFIER ::=
2672        { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2673        mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }

2675    SKDFailInfo ::= INTEGER {
2676        unspecified (0),
2677        closedGL (1),
2678        unsupportedDuration (2),
2679        noGLACertificate (3),
2680        invalidCert (4),
2681        unsupportedAlgorithm (5),
2682        noGLONameMatch (6),
2683        invalidGLName (7),
2684        nameAlreadyInUse (8),
2685        noSpam (9),
2686        deniedAccess (10),
2687        alreadyAMember (11),
2688        notAMember (12),
2689        alreadyAnOwner (13),
2690        notAnOwner (14) }

2692    END

2694  13. Security Considerations

2696    Even though all the RFCs in this document are security-related, the
2697    document itself does not have any security considerations. The ASN.1
2698    modules keep the same bits-on-the-wire as the modules that they
2699    replace.

2701  14. Normative References

2703    [ASN1-2002]
2704               ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
2705               X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.

2707    [NEW-PKIX]
2708               Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
2709               draft-ietf-pkix-new-asn1 (work in progress),
2710               December 2007.

2712    [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
2713               Algorithms", RFC 3370, August 2002.

2715    [RFC3565]  Schaad, J., "Use of the Advanced Encryption Standard (AES)
2716               Encryption Algorithm in Cryptographic Message Syntax
2717               (CMS)", RFC 3565, July 2003.
2719    [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
2720               Extensions (S/MIME) Version 3.1 Message Specification",
2721               RFC 3851, July 2004.

2723    [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
2724               RFC 3852, July 2004.

2726    [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
2727               Protect Firmware Packages", RFC 4108, August 2005.

2729    [RFC4998]  Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
2730               Record Syntax (ERS)", RFC 4998, August 2007.

2732    [RFC5035]  Schaad, J., "Enhanced Security Services (ESS) Update:
2733               Adding CertID Algorithm Agility", RFC 5035, August 2007.

2735    [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
2736               Authenticated-Enveloped-Data Content Type", RFC 5083,
2737               November 2007.

2739    [RFC5084]  Housley, R., "Using AES-CCM and AES-GCM Authenticated
2740               Encryption in the Cryptographic Message Syntax (CMS)",
2741               RFC 5084, November 2007.

2743    [RFC5275]  Turner, S., "CMS Symmetric Key Management and
2744               Distribution", RFC 5275, June 2008.

2746  Appendix A. Change History

2748    [[ This entire section is to be removed upon publication. ]]

2750  A.1. Changes between draft-hoffman-cms-new-asn1-00 and
2751       draft-ietf-smime-new-asn1-00

2753    Changed the draft name.

2755    Added RFC 3565.

2757    Added RFC 4998.

2759    Made RFCs-to-be 5083 and 5084 into RFCs.

2761    In RFC 3370, a line in the comment starting with "Another way to
2762    do..." was not commented out when it should have been.

2764    In RFC 3851, the name of the module from which we are importing was
2765    wrong, although the OID was right.

2767    In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
2768    which version of CMS added the various extensions.

2770  A.2. Changes between draft-ietf-smime-new-asn1-00 and -01

2772    Added RFC 5275.

2774    Added module for algorithm classes, and modified RFC 3370 and RFC
2775    3852 to use the classes defined.

2777  A.3. Changes between draft-ietf-smime-new-asn1-01 and -02

2779    Added design notes.
2781    Removed issue on "Algorithm Structure" and issue on "More Modules To
2782    Be Added".

2784    Updated all modules to use objects more deeply.

2786    In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
2787    module where the changes were made.

2789  A.4. Changes between draft-ietf-smime-new-asn1-02 and -03

2791    Many cosmetic-only changes to the modules.

2793    Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
2794    to "SMIME-CAPS").

2796    Updated the reference of X.680 to X.680, X.681, X.682, and X.683.

2798  A.5. Changes between draft-ietf-smime-new-asn1-03 and -04

2800    Changed the status of the document.

2802  A.6. Changes between draft-ietf-smime-new-asn1-04 and -05

2804    Removed the "Issues" section from section 1, which should have been
2805    done in the last draft.

2807  A.7. Changes between draft-ietf-smime-new-asn1-05 and -06

2809    Minor nits to keep the nits checker happy.

2811  A.8. Changes between draft-ietf-smime-new-asn1-06 and -07

2813    In the AlgorithmInformation module, there was an error in a
2814    commented-out example. Changed "-- HASHES {sha1 | md5, ... }" to "--
2815    HASHES { mda-sha1 | mda-md5, ... }".

2817  Authors' Addresses

2819    Paul Hoffman
2820    VPN Consortium
2821    127 Segre Place
2822    Santa Cruz, CA 95060
2823    US

2825    Phone: 1-831-426-9827
2826    Email: paul.hoffman@vpnc.org

2828    Jim Schaad
2829    Soaring Hawk Consulting

2831    Email: jimsch@exmsft.com