idnits 2.17.1

draft-turner-additional-new-asn-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document updates RFC5911, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

     (Using the creation date from RFC5911, updated by this document, for
     RFC5378 checks: 2007-12-21)

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008.  The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust.  If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 28, 2011) is 4772 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'RFC3851' is mentioned on line 200, but not defined

  ** Obsolete undefined reference: RFC 3851 (Obsoleted by RFC 5751)

  == Missing Reference: 'RFC5280' is mentioned on line 296, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 1222

  -- Looks like a reference, but probably isn't: '1' on line 1104

  -- Looks like a reference, but probably isn't: '2' on line 1106

  -- Looks like a reference, but probably isn't: '3' on line 1107

  -- Looks like a reference, but probably isn't: '4' on line 926

     Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2  Network Working Group                                          J. Schaad
3  Internet-Draft                                   Soaring Hawk Consulting
4  Updates: 5911 (if approved)                                    S. Turner
5  Intended status: Informational                                IECA, Inc.
6  Expires: September 29, 2011                               March 28, 2011

8   Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS)
9           and the Public Key Infrastructure Using X.509 (PKIX)
10                    draft-turner-additional-new-asn-08

12  Abstract

14     The Cryptographic Message Syntax (CMS) format, and many associated
15     formats, are expressed using ASN.1.  The current ASN.1 modules
16     conform to the 1988 version of ASN.1.  This document updates some
17     auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the
18     1988 ASN.1 modules remain the normative version.  There are no bits-
19     on-the-wire changes to any of the formats; this is simply a change to
20     the syntax.

22  Status of this Memo

24     This Internet-Draft is submitted in full conformance with the
25     provisions of BCP 78 and BCP 79.

27     Internet-Drafts are working documents of the Internet Engineering
28     Task Force (IETF).  Note that other groups may also distribute
29     working documents as Internet-Drafts.  The list of current Internet-
30     Drafts is at http://datatracker.ietf.org/drafts/current/.

32     Internet-Drafts are draft documents valid for a maximum of six months
33     and may be updated, replaced, or obsoleted by other documents at any
34     time.  It is inappropriate to use Internet-Drafts as reference
35     material or to cite them other than as "work in progress."

37     This Internet-Draft will expire on September 29, 2011.

39  Copyright Notice

41     Copyright (c) 2011 IETF Trust and the persons identified as the
42     document authors.  All rights reserved.

44     This document is subject to BCP 78 and the IETF Trust's Legal
45     Provisions Relating to IETF Documents
46     (http://trustee.ietf.org/license-info) in effect on the date of
47     publication of this document.  Please review these documents
48     carefully, as they describe your rights and restrictions with respect
49     to this document.  Code Components extracted from this document must
50     include Simplified BSD License text as described in Section 4.e of
51     the Trust Legal Provisions and are provided without warranty as
52     described in the Simplified BSD License.

54     This document may contain material from IETF Documents or IETF
55     Contributions published or made publicly available before November
56     10, 2008.  The person(s) controlling the copyright in some of this
57     material may not have granted the IETF Trust the right to allow
58     modifications of such material outside the IETF Standards Process.
59     Without obtaining an adequate license from the person(s) controlling
60     the copyright in such materials, this document may not be modified
61     outside the IETF Standards Process, and derivative works of it may
62     not be created outside the IETF Standards Process, except to format
63     it for publication as an RFC or to translate it into languages other
64     than English.

66  Table of Contents

68     1.  Introduction
69       1.1.  ASN.1 Updates (2002 to 2008)
70       1.2.  Requirements Terminology
71     2.  ASN.1 Module RFC 3274
72     3.  ASN.1 Module RFC 3779
73     4.  ASN.1 Module RFC 6019
74     5.  ASN.1 Module RFC 4073
75     6.  ASN.1 Module RFC 4231
76     7.  ASN.1 Module RFC 4334
77     8.  ASN.1 Module RFC 5083
78     9.  ASN.1 Module RFC 5652
79     10. ASN.1 Module RFC 5752
80     11. Module Identifiers in ASN.1
81     12. Security Considerations
82     13. IANA Considerations
83     14. References
84       14.1.  Normative References
85       14.2.  Informative
86     Authors' Addresses

88  1.  Introduction

90     Some developers would like the IETF to use the latest version of
91     ASN.1 in its standards.  Most of the RFCs that relate to security
92     protocols still use ASN.1 from the 1988 standard, which has been
93     deprecated.  This is particularly true for the standards that relate
94     to PKIX, CMS, and S/MIME.

96     In this document we have either changed the syntax to use the 2008
97     ASN.1 standard, or done some updates from previous conversions:

99        RFC 3274, Compressed Data Content Type for Cryptographic Message
100       Syntax (CMS) [RFC3274].

102       RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers
103       [RFC3779].

105       RFC 6019, BinaryTime: An Alternate Format for Representing Date
106       and Time in ASN.1 [RFC6019].

108       RFC 4073, Protecting Multiple Contents with the Cryptographic
109       Message Syntax (CMS) [RFC4073].

111       RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
112       256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231].

114       RFC 4334, Certificate Extensions and Attributes Supporting
115       Authentication in Point-to-Point Protocol (PPP) and Wireless Local
116       Area Networks (WLAN) [RFC4334].

118       RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
119       Enveloped-Data Content Type [RFC5083].

121       RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652].

123       RFC 5752, Multiple Signatures in Cryptographic Message Syntax
124       (CMS) [RFC5752].

126    Note that some of the modules in this document get some of their
127    definitions from places different than the modules in the original
128    RFCs.  The idea is that these modules, when combined with the modules
129    in [RFC5912] and [RFC5911], can stand on their own and do not need to
130    import definitions from anywhere else.

132    This document does not explicitly update the RFCs that the ASN.1
133    modules have been extracted from.  This is because the original 1988
134    ASN.1 syntax remains the normative version and the modules in this
135    document as well as in [RFC5911] and [RFC5912] are informative (but
136    hopefully useful) annexes.

138 1.1.  ASN.1 Updates (2002 to 2008)

140    The modules defined in this document are compatible with the most
141    current ASN.1 specification published in 2008 (see [ASN1-2008]).  The
142    changes between the 2002 specification and the 2008 specification
143    include the creation of some additional pre-defined types (DATE,
144    DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME,
145    TIME-OF-DAY) and the ability to define different encoding rules
146    (ENCODING-CONTROL, INSTRUCTIONS).  None of the newly defined tokens
147    are currently used in any of the ASN.1 specifications published here.

149    Information on the changes to ASN.1 between the 1988 and 2002
150    versions can be found in [RFC6025].

152 1.2.  Requirements Terminology

154    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
155    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
156    document are to be interpreted as described in [RFC2119].

158 2.  ASN.1 Module RFC 3274

160    We have updated the ASN.1 module associated with this document to be
161    2008 compliant and to use the set of classes previously defined in
162    [RFC5911].

164   CompressedDataContent-2010
165     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
166       smime(16) modules(0) id-mod-compressedDataContent(54) }

168   DEFINITIONS IMPLICIT TAGS ::=
169   BEGIN

171   IMPORTS
172     CMSVersion, EncapsulatedContentInfo,
173     CONTENT-TYPE
174     FROM CryptographicMessageSyntax-2009
175       { iso(1) member-body(2) us(840) rsadsi(113549)
176         pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

178     AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
179     FROM AlgorithmInformation-2009
180       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
181       mechanisms(5) pkix(7) id-mod(0)
182       id-mod-algorithmInformation-02(58)}
183     ;

185   --
186   --  ContentTypes contains the set of content types that are
187   --  defined in this module.
188   --
189   --  The contents of ContentTypes should be added to
190   --  ContentSet defined in [RFC5652]
191   --

193   ContentTypes CONTENT-TYPE ::= {ct-compressedData}

195   --
196   --  SMimeCaps contains the set of S/MIME capabilities that
197   --  are associated with the algorithms defined in this
198   --  document.
199   --
200   --  SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
201   --

203   SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps, ...}

205   --
206   --  Define the compressed data content type
207   --

209   ct-compressedData CONTENT-TYPE ::= {
210     TYPE CompressedData IDENTIFIED BY id-ct-compressedData
211   }

213   CompressedData ::= SEQUENCE {
214     version CMSVersion (v0),  -- Always set to 0
215     compressionAlgorithm CompressionAlgorithmIdentifier,
216     encapContentInfo EncapsulatedContentInfo
217   }

219   CompressionAlgorithmIdentifier ::=
220     AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}

222   CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
223     cpa-zlibCompress, ...
224   }

226   -- Algorithm Identifiers

228   id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
229     us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }

231   cpa-zlibCompress COMPRESS-ALGORITHM ::= {
232     IDENTIFIER id-alg-zlibCompress
233     PARAMS TYPE NULL ARE preferredAbsent
234     SMIME-CAPS {IDENTIFIED BY id-alg-zlibCompress}
235   }

237   -- Content Type Object Identifiers

239   id-ct-compressedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
240     us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 9 }

242   --
243   --  Class defined for compression algorithms
244   --

246   COMPRESS-ALGORITHM ::= CLASS {
247     &id                OBJECT IDENTIFIER UNIQUE,
248     &Params            OPTIONAL,
249     &paramPresence     ParamOptions DEFAULT absent,
250     &smimeCaps         SMIME-CAPS OPTIONAL
251   }
252   WITH SYNTAX {
253     IDENTIFIER &id

255     [PARAMS [TYPE &Params] ARE &paramPresence]
256     [SMIME-CAPS &smimeCaps]
257   }

259   END

261 3.  ASN.1 Module RFC 3779

263    We have updated the ASN.1 module associated with RFC 3779 to be ASN.1
264    2008 compliant and to use the set of classes previously defined in
265    [RFC5912].

267   IPAddrAndASCertExtn-2010 { iso(1) identified-organization(3) dod(6)
268     internet(1) security(5) mechanisms(5) pkix(7) mod(0)
269     id-mod-ip-addr-and-as-ident-2(72) }
270   DEFINITIONS EXPLICIT TAGS ::=
271   BEGIN
272     EXPORTS ALL;

274     IMPORTS

276     -- PKIX specific OIDs and arcs --
277     id-pe
278     FROM PKIX1Explicit-2009
279       { iso(1) identified-organization(3) dod(6) internet(1)
280         security(5) mechanisms(5) pkix(7) id-mod(0)
281         id-mod-pkix1-explicit-02(51)}

283     EXTENSION
284     FROM PKIX-CommonTypes-2009
285       { iso(1) identified-organization(3) dod(6) internet(1)
286         security(5) mechanisms(5) pkix(7) id-mod(0)
287         id-mod-pkixCommon-02(57)}
288     ;

290     --
291     --  Extensions contains the set of extensions defined in this
292     --  module
293     --
294     --  These are intended to be placed in public key certificates
295     --  and thus should be added to the CertExtensions extension
296     --  set in PKIXImplicit-2009 defined for [RFC5280]
297     --

299     Extensions EXTENSION ::= {
300       ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds
301     }

303     -- IP Address Delegation Extension OID --

305     ext-pe-ipAddrBlocks EXTENSION ::= {
306       SYNTAX IPAddrBlocks
307       IDENTIFIED BY id-pe-ipAddrBlocks
308     }
309     id-pe-ipAddrBlocks  OBJECT IDENTIFIER ::= { id-pe 7 }

311     -- IP Address Delegation Extension Syntax --

313     IPAddrBlocks ::= SEQUENCE OF IPAddressFamily

315     IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
316       addressFamily     OCTET STRING (SIZE (2..3)),
317       ipAddressChoice   IPAddressChoice }

319     IPAddressChoice ::= CHOICE {
320       inherit           NULL, -- inherit from issuer --
321       addressesOrRanges SEQUENCE OF IPAddressOrRange }

323     IPAddressOrRange ::= CHOICE {
324       addressPrefix     IPAddress,
325       addressRange      IPAddressRange }

327     IPAddressRange ::= SEQUENCE {
328       min               IPAddress,
329       max               IPAddress }

331     IPAddress ::= BIT STRING

333     -- Autonomous System Identifier Delegation Extension OID --

335     ext-pe-autonomousSysIds EXTENSION ::= {
336       SYNTAX ASIdentifiers
337       IDENTIFIED BY id-pe-autonomousSysIds
338     }

340     id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }

342     -- Autonomous System Identifier Delegation Extension Syntax --

344     ASIdentifiers ::= SEQUENCE {
345       asnum [0] ASIdentifierChoice OPTIONAL,
346       rdi   [1] ASIdentifierChoice OPTIONAL }
347       (WITH COMPONENTS {..., asnum PRESENT} |
348        WITH COMPONENTS {..., rdi PRESENT})

350     ASIdentifierChoice ::= CHOICE {
351       inherit       NULL, -- inherit from issuer --
352       asIdsOrRanges SEQUENCE OF ASIdOrRange }

354     ASIdOrRange ::= CHOICE {
355       id            ASId,
356       range         ASRange }

358     ASRange ::= SEQUENCE {
359       min           ASId,
360       max           ASId }

362     ASId ::= INTEGER

364   END

366 4.  ASN.1 Module RFC 6019

368    We have updated the ASN.1 module associated with this document to be
369    2008 compliant and to use the set of classes previously defined in
370    [RFC5911].

372   BinarySigningTimeModule-2010
373     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
374       pkcs-9(9) smime(16) modules(0)
375       id-mod-binSigningTime-2009(55) }
376   DEFINITIONS IMPLICIT TAGS ::=
377   BEGIN
378   IMPORTS

380   -- From PKIX-CommonTypes-2009 [RFC5912]

382     ATTRIBUTE
383     FROM PKIX-CommonTypes-2009
384       { iso(1) identified-organization(3) dod(6) internet(1)
385         security(5) mechanisms(5) pkix(7) id-mod(0)
386         id-mod-pkixCommon-02(57) }
387     ;

389   --
390   -- BinaryTime Definition
391   --
392   -- BinaryTime contains the number of seconds since
393   -- midnight Jan 1, 1970 UTC.
394   -- Leap seconds are EXCLUDED from the computation.
395   --

397   BinaryTime ::= INTEGER (0..MAX)

399   --
400   -- Signing Binary Time Attribute
401   --
402   -- The binary signing time should be added to
403   -- SignedAttributeSet and tAuthenticatedAttributeSet
404   -- in CMS [RFC5652] and to AuthEnvDataAttributeSet
405   -- in [RFC5083].
406   --

408   aa-binarySigningTime ATTRIBUTE ::= {
409     TYPE BinarySigningTime
410     IDENTIFIED BY id-aa-binarySigningTime }

412   id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
413     member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
414     smime(16) aa(2) 46 }

416   BinarySigningTime ::= BinaryTime

418   END

420 5.  ASN.1 Module RFC 4073

422    We have updated the ASN.1 module associated with this document to be
423    2008 compliant and to use the set of classes previously defined in
424    [RFC5911].

426   ContentCollectionModule-2010
427     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
428       pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) }
429   DEFINITIONS IMPLICIT TAGS ::=
430   BEGIN
431   IMPORTS

433   -- From CryptographicMessageSyntax-2009 [RFC5911]

435     CONTENT-TYPE, ContentInfo
436     FROM CryptographicMessageSyntax-2009
437       { iso(1) member-body(2) us(840) rsadsi(113549)
438         pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

440     AttributeSet{}, ATTRIBUTE
441     FROM PKIX-CommonTypes-2009
442       { iso(1) identified-organization(3) dod(6) internet(1)
443         security(5) mechanisms(5) pkix(7) id-mod(0)
444         id-mod-pkixCommon-02(57) }
445     ;

447   --
448   -- An object set of all content types defined by this module.
449   -- This is to be added to ContentSet in the CMS module
450   --

452   ContentSet CONTENT-TYPE ::= {
453     ct-ContentCollection | ct-ContentWithAttributes, ...
454   }

456   --
457   -- Content Collection Content Type and Object Identifier
458   --

460   ct-ContentCollection CONTENT-TYPE ::= {
461     TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection }

463   id-ct-contentCollection OBJECT IDENTIFIER ::= {
464     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
465     smime(16) ct(1) 19 }

467   ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
468   --
469   -- Content With Attributes Content Type and Object Identifier
470   --

472   ct-ContentWithAttributes CONTENT-TYPE ::= {
473     TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }

475   id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
476     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
477     smime(16) ct(1) 20 }

479   ContentWithAttributes ::= SEQUENCE {
480     content     ContentInfo,
481     attrs       SEQUENCE SIZE (1..MAX) OF AttributeSet
482                     {{ ContentAttributeSet }}
483   }

485   ContentAttributeSet ATTRIBUTE ::= { ... }
486   END

488 6.  ASN.1 Module RFC 4231

490    RFC 4231 does not contain an ASN.1 module to be updated.  We have
491    therefore created an ASN.1 module to represent the ASN.1 that is
492    present in the document.  Note that the parameters are defined as
493    expecting a parameter for the algorithm identifiers in this module;
494    this is different from most of the algorithms used in PKIX and
495    S/MIME.  There is no concept of being able to truncate the MAC
496    (Message Authentication Code) value in the ASN.1, unlike the XML
497    definitions.  This is reflected by not having a minimum MAC length
498    defined in the ASN.1.

500   HMAC-2010 { iso(1) identified-organization(3) dod(6) internet(1)
501     security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) }
502   DEFINITIONS EXPLICIT TAGS ::=
503   BEGIN
504     EXPORTS ALL;

506     IMPORTS

508     MAC-ALGORITHM, SMIME-CAPS
509     FROM AlgorithmInformation-2009
510       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
511         mechanisms(5) pkix(7) id-mod(0)
512         id-mod-algorithmInformation-02(58)};

514     --
515     -- This object set contains all of the MAC algorithms that are
516     -- defined in this module.
517     -- One would add it to a constraining set of objects such as the
518     -- MessageAuthenticationCodeAlgorithmSet in [RFC5652]
519     --

521     MessageAuthAlgs MAC-ALGORITHM ::= {
522       maca-hMAC-SHA224 |
523       maca-hMAC-SHA256 |
524       maca-hMAC-SHA384 |
525       maca-hMAC-SHA512
526     }

528     --
529     -- This object set contains all of the S/MIME capabilities that
530     -- have been defined for all the MAC algorithms in this module.
531     -- One would add this to an object set that is used to restrict
532     -- smime capabilities such as the SMimeCapsSet variable in
533     -- the S/MIME message draft
534     --
535     SMimeCaps SMIME-CAPS ::= {
536       maca-hMAC-SHA224.&smimeCaps |
537       maca-hMAC-SHA256.&smimeCaps |
538       maca-hMAC-SHA384.&smimeCaps |
539       maca-hMAC-SHA512.&smimeCaps
540     }

542     --
543     -- Define the base OID for the algorithm identifiers
544     --

546     rsadsi OBJECT IDENTIFIER ::=
547       {iso(1) member-body(2) us(840) rsadsi(113549)}

549     digestAlgorithm   OBJECT IDENTIFIER ::= {rsadsi 2}

551     --
552     -- Define the necessary algorithm identifiers
553     --

555     id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
556     id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
557     id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
558     id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}

560     --
561     -- Define each of the MAC-ALGORITHM objects to describe the
562     -- algorithms defined
563     --

565     maca-hMAC-SHA224 MAC-ALGORITHM ::= {
566       IDENTIFIER id-hmacWithSHA224
567       PARAMS TYPE NULL ARE preferredPresent
568       IS-KEYED-MAC TRUE
569       SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA224}
570     }

572     maca-hMAC-SHA256 MAC-ALGORITHM ::= {
573       IDENTIFIER id-hmacWithSHA256
574       PARAMS TYPE NULL ARE preferredPresent
575       IS-KEYED-MAC TRUE
576       SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA256}
577     }

579     maca-hMAC-SHA384 MAC-ALGORITHM ::= {
580       IDENTIFIER id-hmacWithSHA384
581       PARAMS TYPE NULL ARE preferredPresent
582       IS-KEYED-MAC TRUE
583       SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
584     }

586     maca-hMAC-SHA512 MAC-ALGORITHM ::= {
587       IDENTIFIER id-hmacWithSHA512
588       PARAMS TYPE NULL ARE preferredPresent
589       IS-KEYED-MAC TRUE
590       SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}
591     }

593   END

595 7.  ASN.1 Module RFC 4334

597    We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
598    2008 compliant and to use the set of classes previously defined in
599    [RFC5912].

601   WLANCertExtn-2010
602     { iso(1) identified-organization(3) dod(6) internet(1)
603       security(5) mechanisms(5) pkix(7) id-mod(0)
604       id-mod-wlan-extns-2(73) }

606   DEFINITIONS IMPLICIT TAGS ::=
607   BEGIN
608     EXPORTS ALL;

610     IMPORTS

612     EXTENSION, ATTRIBUTE
613     FROM PKIX-CommonTypes-2009
614       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
615       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

617     id-pe, id-kp
618     FROM PKIX1Explicit-2009
619       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
620       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

622     id-aca
623     FROM PKIXAttributeCertificate-2009
624       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
625       mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}

627     ;

629     -- Extended Key Usage Values

631     KeyUsageValues OBJECT IDENTIFIER ::= {
632       id-kp-eapOverPPP | id-kp-eapOverLAN
633     }

635     id-kp-eapOverPPP  OBJECT IDENTIFIER  ::=  { id-kp 13 }

637     id-kp-eapOverLAN  OBJECT IDENTIFIER  ::=  { id-kp 14 }

639     -- Wireless LAN SSID Extension
640     ext-pe-wlanSSID EXTENSION ::= {
641       SYNTAX SSIDList
642       IDENTIFIED BY id-pe-wlanSSID
643       CRITICALITY {FALSE}
644     }

646     id-pe-wlanSSID  OBJECT IDENTIFIER  ::=  { id-pe 13 }

648     SSIDList  ::=  SEQUENCE SIZE (1..MAX) OF SSID

650     SSID  ::=  OCTET STRING (SIZE (1..32))

652     -- Wireless LAN SSID Attribute Certificate Attribute
653     -- Uses same syntax as the certificate extension: SSIDList

655     at-aca-wlanSSID ATTRIBUTE ::= {
656       TYPE SSIDList
657       IDENTIFIED BY id-aca-wlanSSID
658     }

660     id-aca-wlanSSID  OBJECT IDENTIFIER ::= { id-aca 7 }

662   END

664 8.  ASN.1 Module RFC 5083

666    This module is updated from RFC 5911 [RFC5911] by the following
667    changes:

669    1.  Define separate attribute sets for the unprotected attributes
670        used in EnvelopedData, EncryptedData and
671        AuthenticatedEnvelopedData (RFC 5083).

673    2.  Define a parameterized type EncryptedContentInfoType so that the
674        basic type can be used with different algorithm sets (used for
675        EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
676        5083)).  The parameterized type is assigned to an unparameterized
677        type of EncryptedContentInfo to minimize the output changes from
678        previous versions.

680    Protocol designers can make use of the '08 ASN.1 constraints to
681    define different sets of attributes for EncryptedData and
682    EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
683    Previously, attributes could only be constrained based on whether
684    they were in the clear or unauthenticated, not on the encapsulating
685    content type.

687   CMS-AuthEnvelopedData-2010
688     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
689     smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) }
690   DEFINITIONS IMPLICIT TAGS ::=
691   BEGIN
692   IMPORTS

694     CMSVersion, EncryptedContentInfoType{},
695     MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
696     CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
697     AlgorithmIdentifier{},
698     aa-signingTime, aa-messageDigest, aa-contentType
699     FROM CryptographicMessageSyntax-2009
700       { iso(1) member-body(2) us(840) rsadsi(113549)
701         pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

703     ContentEncryptionAlgs
704     FROM CMS-AES-CCM-and-AES-GCM-2009
705       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
706         pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
707     ;

709   ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }

711   ct-authEnvelopedData CONTENT-TYPE ::= {
712     TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
713   }

715   id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
716     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
717     smime(16) ct(1) 23}

719   AuthEnvelopedData ::= SEQUENCE {
720     version CMSVersion,
721     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
722     recipientInfos RecipientInfos,
723     authEncryptedContentInfo EncryptedContentInfo,
724     authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
725     mac MessageAuthenticationCode,
726     unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
727   }

729   EncryptedContentInfo ::=
730     EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier }

732   AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
733     {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}}

735   AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= {
736     ContentEncryptionAlgs, ...}

738   AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}}

740   UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}}

742   AuthEnvDataAttributeSet ATTRIBUTE ::= {
743     aa-contentType | aa-messageDigest | aa-signingTime, ... }

745   UnauthEnvDataAttributeSet ATTRIBUTE ::= {...}

747   END

749 9.  ASN.1 Module RFC 5652

751    This module is updated from RFC 5911 [RFC5911] by the following
752    changes:

754    1.  Define separate attribute sets for the unprotected attributes
755        used in EnvelopedData, EncryptedData and
756        AuthenticatedEnvelopedData (RFC 5083).

758    2.  Define a parameterized type EncryptedContentInfoType so that the
759        basic type can be used with algorithm sets (used for
760        EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
761        5083)).  The parameterized type is assigned to an unparameterized
762        type of EncryptedContentInfo to minimize the output changes from
763        previous versions.

765    We are anticipating the definition of attributes that are going to be
766    restricted to the use of only EnvelopedData.  We are therefore
767    separating the different attribute sets so that protocol designers
768    that need to do this will be able to define attributes that are used
769    for EnvelopedData, but not for EncryptedData.  The same separation is
770    also being applied to AuthenticatedData and AuthEnvelopedData.

772   CryptographicMessageSyntax-2010
773     { iso(1) member-body(2) us(840) rsadsi(113549)
774       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
775   DEFINITIONS IMPLICIT TAGS ::=
776   BEGIN
777   IMPORTS

779     ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
780     PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
781     KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
782     AlgorithmIdentifier{}
783     FROM AlgorithmInformation-2009
784       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
785       mechanisms(5) pkix(7) id-mod(0)
786       id-mod-algorithmInformation-02(58)}

788     SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
789     MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
790     KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
791     FROM CryptographicMessageSyntaxAlgorithms-2009
792       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
793       smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

795     Certificate, CertificateList, CertificateSerialNumber,
796     Name, ATTRIBUTE

798     FROM PKIX1Explicit-2009
799       { iso(1) identified-organization(3) dod(6) internet(1)
800       security(5) mechanisms(5) pkix(7) id-mod(0)
801       id-mod-pkix1-explicit-02(51) }

803     AttributeCertificate
804     FROM PKIXAttributeCertificate-2009
805       { iso(1) identified-organization(3) dod(6) internet(1)
806       security(5) mechanisms(5) pkix(7) id-mod(0)
807       id-mod-attribute-cert-02(47) }

809     AttributeCertificateV1
810     FROM AttributeCertificateVersion1-2009
811       { iso(1) identified-organization(3) dod(6) internet(1)
812       security(5) mechanisms(5) pkix(7) id-mod(0)
813       id-mod-v1AttrCert-02(49) } ;

815   -- Cryptographic Message Syntax

817   -- The following are used for version numbers using the ASN.1
818   --   idiom "[[n:"
819   --   Version 1 = PKCS #7
820   --   Version 2 = S/MIME V2
821   --   Version 3 = RFC 2630
822   --   Version 4 = RFC 3369
823   --   Version 5 = RFC 3852

825   CONTENT-TYPE ::= CLASS {
826     &id        OBJECT IDENTIFIER UNIQUE,
827     &Type      OPTIONAL
828   } WITH SYNTAX {
829     [TYPE &Type] IDENTIFIED BY &id
830   }

832   ContentType ::= CONTENT-TYPE.&id

834   ContentInfo ::= SEQUENCE {
835     contentType        CONTENT-TYPE.
836                        &id({ContentSet}),
837     content            [0] EXPLICIT CONTENT-TYPE.
838                        &Type({ContentSet}{@contentType})}

840   ContentSet CONTENT-TYPE ::= {
841     --  Define the set of content types to be recognized.
842     ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
843     ct-AuthenticatedData | ct-DigestedData, ... }

845   SignedData ::= SEQUENCE {
846     version CMSVersion,
847     digestAlgorithms SET OF DigestAlgorithmIdentifier,
848     encapContentInfo EncapsulatedContentInfo,
849     certificates [0] IMPLICIT CertificateSet OPTIONAL,
850     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
851     signerInfos SignerInfos }

853   SignerInfos ::= SET OF SignerInfo

855   EncapsulatedContentInfo ::= SEQUENCE {
856     eContentType       CONTENT-TYPE.&id({ContentSet}),
857     eContent           [0] EXPLICIT OCTET STRING
858                        ( CONTAINING CONTENT-TYPE.
859                        &Type({ContentSet}{@eContentType})) OPTIONAL }

861   SignerInfo ::= SEQUENCE {
862     version CMSVersion,
863     sid SignerIdentifier,
864     digestAlgorithm DigestAlgorithmIdentifier,
865     signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
866     signatureAlgorithm SignatureAlgorithmIdentifier,
867     signature SignatureValue,
868     unsignedAttrs [1] IMPLICIT Attributes
869       {{UnsignedAttributes}} OPTIONAL }

871   SignedAttributes ::= Attributes {{ SignedAttributesSet }}

873   SignerIdentifier ::= CHOICE {
874     issuerAndSerialNumber IssuerAndSerialNumber,
875     ...,
876     [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

878   SignedAttributesSet ATTRIBUTE ::=
879     { aa-signingTime | aa-messageDigest | aa-contentType, ... }

881   UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

883   SignatureValue ::= OCTET STRING

885   EnvelopedData ::= SEQUENCE {
886     version CMSVersion,
887     originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
888     recipientInfos RecipientInfos,
889     encryptedContentInfo EncryptedContentInfo,
890     ...,
891     [[2: unprotectedAttrs [1] IMPLICIT Attributes
892       {{ UnprotectedEnvAttributes }} OPTIONAL ]] }

894   OriginatorInfo ::= SEQUENCE {
895     certs [0] IMPLICIT CertificateSet OPTIONAL,
896     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

898   RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

900   EncryptedContentInfo ::=
901     EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }

903   EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
904     contentType        CONTENT-TYPE.&id({ContentSet}),
905     contentEncryptionAlgorithm AlgorithmIdentifierType,
906     encryptedContent   [0] IMPLICIT OCTET STRING OPTIONAL }

908   -- If you want to do constraints, you might use:
909   -- EncryptedContentInfo ::= SEQUENCE {
910   --  contentType        CONTENT-TYPE.&id({ContentSet}),
911   --  contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
912   --  encryptedContent   [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
913   --      &Type({ContentSet}{@contentType}) OPTIONAL }
914   -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
915   --        { ToBeEncrypted } )

917   UnprotectedEnvAttributes ATTRIBUTE ::=  { ... }
918   UnprotectedEncAttributes ATTRIBUTE ::=  { ... }

920   RecipientInfo ::= CHOICE {
921     ktri           KeyTransRecipientInfo,
922     ...,
923     [[3: kari  [1] KeyAgreeRecipientInfo ]],
924     [[4: kekri [2] KEKRecipientInfo]],
925     [[5: pwri  [3] PasswordRecipientInfo,
926          ori   [4] OtherRecipientInfo ]] }

928   EncryptedKey ::= OCTET STRING

930   KeyTransRecipientInfo ::= SEQUENCE {
931     version CMSVersion,  -- always set to 0 or 2
932     rid RecipientIdentifier,
933     keyEncryptionAlgorithm AlgorithmIdentifier
934       {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
935     encryptedKey EncryptedKey }

937   KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

939   RecipientIdentifier ::= CHOICE {
940     issuerAndSerialNumber IssuerAndSerialNumber,
941     ...,
942     [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
943   KeyAgreeRecipientInfo ::= SEQUENCE {
944     version CMSVersion,  -- always set to 3
945     originator [0] EXPLICIT OriginatorIdentifierOrKey,
946     ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
947     keyEncryptionAlgorithm AlgorithmIdentifier
948       {KEY-AGREE, {KeyAgreementAlgorithmSet}},
949     recipientEncryptedKeys RecipientEncryptedKeys }

951   KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

953   OriginatorIdentifierOrKey ::= CHOICE {
954     issuerAndSerialNumber IssuerAndSerialNumber,
955     subjectKeyIdentifier [0] SubjectKeyIdentifier,
956     originatorKey [1] OriginatorPublicKey }

958   OriginatorPublicKey ::= SEQUENCE {
959     algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
960     publicKey BIT STRING }

962   OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

964   RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

966   RecipientEncryptedKey ::= SEQUENCE {
967     rid KeyAgreeRecipientIdentifier,
968     encryptedKey EncryptedKey }

970   KeyAgreeRecipientIdentifier ::= CHOICE {
971     issuerAndSerialNumber IssuerAndSerialNumber,
972     rKeyId [0] IMPLICIT RecipientKeyIdentifier }

974   RecipientKeyIdentifier ::= SEQUENCE {
975     subjectKeyIdentifier SubjectKeyIdentifier,
976     date GeneralizedTime OPTIONAL,
977     other OtherKeyAttribute OPTIONAL }

979   SubjectKeyIdentifier ::= OCTET STRING

981   KEKRecipientInfo ::= SEQUENCE {
982     version CMSVersion,  -- always set to 4
983     kekid KEKIdentifier,
984     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
985     encryptedKey EncryptedKey }

987   KEKIdentifier ::= SEQUENCE {
988     keyIdentifier OCTET STRING,
989     date GeneralizedTime OPTIONAL,
990     other OtherKeyAttribute OPTIONAL }
991   PasswordRecipientInfo ::= SEQUENCE {
992     version CMSVersion,   -- always set to 0
993     keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
994       OPTIONAL,
995     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
996     encryptedKey EncryptedKey }

998   OTHER-RECIPIENT ::= TYPE-IDENTIFIER

1000  OtherRecipientInfo ::= SEQUENCE {
1001    oriType    OTHER-RECIPIENT.
1002               &id({SupportedOtherRecipInfo}),
1003    oriValue   OTHER-RECIPIENT.
1004               &Type({SupportedOtherRecipInfo}{@oriType})}

1006  SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

1008  DigestedData ::= SEQUENCE {
1009    version CMSVersion,
1010    digestAlgorithm DigestAlgorithmIdentifier,
1011    encapContentInfo EncapsulatedContentInfo,
1012    digest Digest, ... }

1014  Digest ::= OCTET STRING

1016  EncryptedData ::= SEQUENCE {
1017    version CMSVersion,
1018    encryptedContentInfo EncryptedContentInfo,
1019    ...,
1020    [[2: unprotectedAttrs [1] IMPLICIT Attributes
1021      {{UnprotectedEncAttributes}} OPTIONAL ]] }

1023  AuthenticatedData ::= SEQUENCE {
1024    version CMSVersion,
1025    originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1026    recipientInfos RecipientInfos,
1027    macAlgorithm MessageAuthenticationCodeAlgorithm,
1028    digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1029    encapContentInfo EncapsulatedContentInfo,
1030    authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1031    mac MessageAuthenticationCode,
1032    unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1034  AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1035    {{AuthAttributeSet}}

1037  AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1038    | aa-signingTime, ...}
1039  MessageAuthenticationCode ::= OCTET STRING

1041  UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1042    {{UnauthAttributeSet}}

1044  UnauthAttributeSet ATTRIBUTE ::= {...}

1046  --
1047  --  General algorithm definitions
1048  --

1050  DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1051    {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1053  DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1054    CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ...
} 1056 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier 1057 {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} 1059 SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= 1060 { SignatureAlgs, ... } 1062 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1063 {KEY-WRAP, {KeyEncryptionAlgorithmSet}} 1065 KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... } 1067 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier 1068 {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}} 1070 ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= 1071 { ContentEncryptionAlgs, ... } 1073 MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier 1074 {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}} 1076 MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::= 1077 { MessageAuthAlgs, ... } 1079 KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier 1080 {KEY-DERIVATION, {KeyDerivationAlgs, ...}} 1082 RevocationInfoChoices ::= SET OF RevocationInfoChoice 1084 RevocationInfoChoice ::= CHOICE { 1085 crl CertificateList, 1086 ..., 1087 [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } 1089 OTHER-REVOK-INFO ::= TYPE-IDENTIFIER 1091 OtherRevocationInfoFormat ::= SEQUENCE { 1092 otherRevInfoFormat OTHER-REVOK-INFO. 1093 &id({SupportedOtherRevokInfo}), 1094 otherRevInfo OTHER-REVOK-INFO. 1095 &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})} 1097 SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... } 1099 CertificateChoices ::= CHOICE { 1100 certificate Certificate, 1101 extendedCertificate [0] IMPLICIT ExtendedCertificate, 1102 -- Obsolete 1103 ..., 1104 [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]], 1105 -- Obsolete 1106 [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]], 1107 [[5: other [3] IMPLICIT OtherCertificateFormat]] } 1109 AttributeCertificateV2 ::= AttributeCertificate 1111 OTHER-CERT-FMT ::= TYPE-IDENTIFIER 1113 OtherCertificateFormat ::= SEQUENCE { 1114 otherCertFormat OTHER-CERT-FMT. 
1115 &id({SupportedCertFormats}), 1116 otherCert OTHER-CERT-FMT. 1117 &Type({SupportedCertFormats}{@otherCertFormat})} 1119 SupportedCertFormats OTHER-CERT-FMT ::= { ... } 1121 CertificateSet ::= SET OF CertificateChoices 1123 IssuerAndSerialNumber ::= SEQUENCE { 1124 issuer Name, 1125 serialNumber CertificateSerialNumber } 1127 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } 1129 UserKeyingMaterial ::= OCTET STRING 1131 KEY-ATTRIBUTE ::= TYPE-IDENTIFIER 1132 OtherKeyAttribute ::= SEQUENCE { 1133 keyAttrId KEY-ATTRIBUTE. 1134 &id({SupportedKeyAttributes}), 1135 keyAttr KEY-ATTRIBUTE. 1136 &Type({SupportedKeyAttributes}{@keyAttrId})} 1138 SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... } 1140 -- Content Type Object Identifiers 1142 id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1143 us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } 1145 ct-Data CONTENT-TYPE ::= { IDENTIFIED BY id-data } 1147 id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1148 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } 1150 ct-SignedData CONTENT-TYPE ::= 1151 { TYPE SignedData IDENTIFIED BY id-signedData} 1153 id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1154 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } 1156 ct-EnvelopedData CONTENT-TYPE ::= 1157 { TYPE EnvelopedData IDENTIFIED BY id-envelopedData} 1159 id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1160 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } 1162 ct-DigestedData CONTENT-TYPE ::= 1163 { TYPE DigestedData IDENTIFIED BY id-digestedData} 1165 id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1166 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } 1168 ct-EncryptedData CONTENT-TYPE ::= 1169 { TYPE EncryptedData IDENTIFIED BY id-encryptedData} 1171 id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1172 us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } 1174 ct-AuthenticatedData CONTENT-TYPE ::= 1175 { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData} 
1177 id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1178 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } 1180 -- 1181 -- The CMS Attributes 1182 -- 1184 MessageDigest ::= OCTET STRING 1186 SigningTime ::= Time 1188 Time ::= CHOICE { 1189 utcTime UTCTime, 1190 generalTime GeneralizedTime } 1192 Countersignature ::= SignerInfo 1194 -- Attribute Object Identifiers 1196 aa-contentType ATTRIBUTE ::= 1197 { TYPE ContentType IDENTIFIED BY id-contentType } 1198 id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1199 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } 1201 aa-messageDigest ATTRIBUTE ::= 1202 { TYPE MessageDigest IDENTIFIED BY id-messageDigest} 1203 id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1204 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } 1206 aa-signingTime ATTRIBUTE ::= 1207 { TYPE SigningTime IDENTIFIED BY id-signingTime } 1208 id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1209 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } 1211 aa-countersignature ATTRIBUTE ::= 1212 { TYPE Countersignature IDENTIFIED BY id-countersignature } 1213 id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) 1214 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } 1216 -- 1217 -- Obsolete Extended Certificate syntax from PKCS#6 1218 -- 1220 ExtendedCertificateOrCertificate ::= CHOICE { 1221 certificate Certificate, 1222 extendedCertificate [0] IMPLICIT ExtendedCertificate } 1224 ExtendedCertificate ::= SEQUENCE { 1225 extendedCertificateInfo ExtendedCertificateInfo, 1226 signatureAlgorithm SignatureAlgorithmIdentifier, 1227 signature Signature } 1229 ExtendedCertificateInfo ::= SEQUENCE { 1230 version CMSVersion, 1231 certificate Certificate, 1232 attributes UnauthAttributes } 1234 Signature ::= BIT STRING 1236 Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE { 1237 attrType ATTRIBUTE. 1238 &id({AttrList}), 1239 attrValues SET OF ATTRIBUTE. 
1240 &Type({AttrList}{@attrType}) } 1242 Attributes { ATTRIBUTE:AttrList } ::= 1243 SET SIZE (1..MAX) OF Attribute {{ AttrList }} 1245 END 1247 10. ASN.1 Module RFC 5752 1249 We have updated the ASN.1 module associated with this document to be 1250 2008 compliant and to use the set of classes previously defined in 1251 [RFC5911]. 1253 MultipleSignatures-2010 1254 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 1255 smime(16) modules(0) id-mod-multipleSign-2009(59) } 1256 DEFINITIONS IMPLICIT TAGS ::= 1257 BEGIN 1258 -- EXPORTS All 1259 -- The types and values defined in this module are exported for use 1260 -- in the other ASN.1 modules. Other applications may use them for 1261 -- their own purposes. 1263 IMPORTS 1265 -- Imports from PKIX-Common-Types-2009 [RFC5912] 1267 ATTRIBUTE 1268 FROM PKIX-CommonTypes-2009 1269 { iso(1) identified-organization(3) dod(6) internet(1) 1270 security(5) mechanisms(5) pkix(7) id-mod(0) 1271 id-mod-pkixCommon-02(57)} 1273 -- Imports from CryptographicMessageSyntax-2009 [RFC5911] 1275 DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier 1276 FROM CryptographicMessageSyntax-2009 1277 { iso(1) member-body(2) us(840) rsadsi(113549) 1278 pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 1280 -- Imports from ExtendedSecurityServices-2009 [RFC5911] 1282 ESSCertIDv2 1283 FROM ExtendedSecurityServices-2009 1284 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1285 smime(16) modules(0) id-mod-ess-2006-02(42) } 1286 ; 1288 -- 1289 -- Section 3.0 1290 -- 1291 -- at-multipleSignatures should be added ONLY to the 1292 -- SignedAttributesSet defined in [RFC5652] 1293 -- 1294 at-multipleSignatures ATTRIBUTE ::= { 1295 TYPE MultipleSignatures 1296 IDENTIFIED BY id-aa-multipleSignatures 1297 } 1299 id-aa-multipleSignatures OBJECT IDENTIFIER ::= { 1300 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 1301 id-aa(2) 51 } 1303 MultipleSignatures ::= SEQUENCE { 1304 bodyHashAlg 
DigestAlgorithmIdentifier, 1305 signAlg SignatureAlgorithmIdentifier, 1306 signAttrsHash SignAttrsHash, 1307 cert ESSCertIDv2 OPTIONAL 1308 } 1310 SignAttrsHash ::= SEQUENCE { 1311 algID DigestAlgorithmIdentifier, 1312 hash OCTET STRING 1313 } 1315 END 1317 11. Module Identifiers in ASN.1 1319 One potential issue that can occur when updating modules is the fact 1320 that a large number of modules may need to be updated if they import 1321 from a newly updated module. This section addresses one method that 1322 can be used to deal with this problem, but the modules in this 1323 document don't currently implement the solution discussed here. 1325 When looking at an import statement, there are three portions: The 1326 list of items imported, a textual name for the module and an object 1327 identifier for the module. Full implementations of ASN.1 do module 1328 matching using first the object identifier, and if that is not 1329 present, the textual name of the module. Note however that some 1330 older implementations used the textual name of the module for the 1331 purposes of matching. In a full implementation the name assigned to 1332 the module is scoped to the ASN.1 module that it appears in (and thus 1333 the need to match the module it is importing from). 1335 One can create a module that contains only the module number 1336 assignments and import the module assignments from the new module. 1337 This means that when a module is replaced, one can replace the 1338 previous module, update the module number assignment module and 1339 recompile without having to modify any other modules. 
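
The lookup order and the number-assignment indirection described above, modelled in Python as an added example (it is not part of the draft and not taken from any ASN.1 compiler). The `Registry` class, the replacement module's name and the 9999 arc are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample identifiers. CMS_OLD ends in the module number 58 used for
# CMS in this document; CMS_NEW uses a made-up final arc (9999) as a placeholder.
CMS_OLD = (1, 2, 840, 113549, 1, 9, 16, 0, 58)
CMS_NEW = (1, 2, 840, 113549, 1, 9, 16, 0, 9999)

@dataclass
class Module:
    name: str
    oid: Optional[tuple] = None                  # module identifier, if any
    values: dict = field(default_factory=dict)   # value name -> OID it denotes

class Registry:
    """The set of modules handed to a (hypothetical) ASN.1 compiler."""
    def __init__(self, modules):
        self.modules = list(modules)

    def _unique(self, hits, what):
        if len(hits) != 1:                       # missing or ambiguous: refuse to guess
            raise LookupError(f"{len(hits)} modules match {what}")
        return hits[0]

    def resolve(self, name, ident=None, scope=None, name_only=False):
        """Resolve `FROM name ident`; ident is an OID tuple, a value name, or None."""
        if name_only or ident is None:           # older tools, or no OID in the import
            return self._unique([m for m in self.modules if m.name == name], name)
        if isinstance(ident, str):               # value reference such as id-mod-CMS
            ident = scope[ident]
        return self._unique([m for m in self.modules if m.oid == ident], ident)

def build_registry(cms_number):
    """Both CMS revisions are present; only ModuleNumbers says which one is current."""
    return Registry([
        Module("ModuleNumbers", None, {"id-mod-CMS": cms_number}),
        Module("CryptographicMessageSyntax-2009", CMS_OLD),
        Module("CryptographicMessageSyntax-Replacement", CMS_NEW),  # hypothetical name
    ])

def import_cms(registry, name_only=False):
    """Model an importer that writes: FROM CryptographicMessageSyntax-2009 id-mod-CMS"""
    numbers = registry.resolve("ModuleNumbers")  # no OID given, so matched by name
    return registry.resolve("CryptographicMessageSyntax-2009", "id-mod-CMS",
                            numbers.values, name_only)

if __name__ == "__main__":
    for number in (CMS_OLD, CMS_NEW):
        reg = build_registry(number)
        print(import_cms(reg).name, "|", import_cms(reg, name_only=True).name)
```

With the importer left unchanged, OID-first matching follows the number in `ModuleNumbers` to the replacement module, while a name-only matcher keeps binding to the old one; a build that mixes both kinds of tool can therefore compile against different definitions.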
1341     A sample module assignment module would be:

1343     ModuleNumbers
1344     DEFINITIONS IMPLICIT TAGS ::=
1345     BEGIN
1346         id-mod-CMS OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
1347             rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) 58 }

1349         id-mod-AlgInfo OBJECT IDENTIFIER ::=
1350             {iso(1) identified-organization(3) dod(6) internet(1)
1351             security(5) mechanisms(5) pkix(7) id-mod(0)
1352             id-mod-algorithmInformation-02(58)}
1353     END

1355     This would be used in the following import statement:

1357     IMPORTS
1358         id-mod-CMS, id-mod-AlgInfo
1359         FROM ModuleNumbers -- Note it will match on the name since no
1360                            -- OID is provided

1362         CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
1363         FROM CryptographicMessageSyntax-2009
1364             id-mod-CMS

1366         AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
1367         FROM AlgorithmInformation-2009 id-mod-AlgInfo
1368         ;

1370  12. Security Considerations

1372     This document itself does not have any security considerations. The
1373     ASN.1 modules keep the same bits-on-the-wire as the modules that they
1374     replace.

1376  13. IANA Considerations

1378     None.

1380  14. References

1382  14.1. Normative References

1384     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1385                Requirement Levels", BCP 14, RFC 2119, March 1997.

1387     [RFC3274]  Gutmann, P., "Compressed Data Content Type for
1388                Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

1390     [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
1391                Addresses and AS Identifiers", RFC 3779, June 2004.

1393     [RFC6019]  Housley, R., "BinaryTime: An Alternate Format for
1394                Representing Date and Time in ASN.1", RFC 6019,
1395                September 2010.

1397     [RFC4073]  Housley, R., "Protecting Multiple Contents with the
1398                Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

1400     [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
1401                224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
1402                RFC 4231, December 2005.

1404     [RFC4334]  Housley, R. and T. Moore, "Certificate Extensions and
1405                Attributes Supporting Authentication in Point-to-Point
1406                Protocol (PPP) and Wireless Local Area Networks (WLAN)",
1407                RFC 4334, February 2006.

1409     [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
1410                Authenticated-Enveloped-Data Content Type", RFC 5083,
1411                November 2007.

1413     [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1414                RFC 5652, September 2009.

1416     [RFC5752]  Turner, S. and J. Schaad, "Multiple Signatures in
1417                Cryptographic Message Syntax (CMS)", RFC 5752,
1418                January 2010.

1420     [RFC5911]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for
1421                Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
1422                June 2010.

1424     [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
1425                Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
1426                June 2010.

1428     [ASN1-2008]
1429                ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and
1430                X.683", 2008.

1432  14.2. Informative

1434     [RFC6025]  Wallace, C. and C. Gardiner, "ASN.1 Translation",
1435                RFC 6025, October 2010.

1437  Authors' Addresses

1439     Jim Schaad
1440     Soaring Hawk Consulting

1442     Email: jimsch@augustcellars.com

1444     Sean Turner
1445     IECA, Inc.
1446     3057 Nutley Street, Suite 106
1447     Fairfax, VA 22031

1449     Email: turners@ieca.com