< draft-ietf-pkix-new-asn1-07.txt   draft-ietf-pkix-new-asn1-08.txt >
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Informational J. Schaad Intended status: Informational J. Schaad
Expires: February 14, 2010 Soaring Hawk Consulting Expires: September 8, 2010 Soaring Hawk Consulting
August 13, 2009 March 7, 2010
New ASN.1 Modules for PKIX New ASN.1 Modules for PKIX
draft-ietf-pkix-new-asn1-07.txt draft-ietf-pkix-new-asn1-08.txt
Abstract
The PKIX certificate format, and many associated formats, are
expressed using ASN.1. The current ASN.1 modules conform to the 1988
version of ASN.1. This document updates those ASN.1 modules to
conform to the 2002 version of ASN.1. There are no bits-on-the-wire
changes to any of the formats; this is simply a change to the syntax.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79.
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on February 14, 2010. This Internet-Draft will expire on September 8, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
The PKIX certificate format, and many associated formats, are This document may contain material from IETF Documents or IETF
expressed using ASN.1. The current ASN.1 modules conform to the 1988 Contributions published or made publicly available before November
version of ASN.1. This document updates those ASN.1 modules to 10, 2008. The person(s) controlling the copyright in some of this
conform to the 2002 version of ASN.1. There are no bits-on-the-wire material may not have granted the IETF Trust the right to allow
changes to any of the formats; this is simply a change to the syntax. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . 5
2. ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . . 4 2. ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . . 5
3. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 8 3. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 9
4. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 18 4. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 19
5. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 22 5. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 23
6. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 23 6. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 24
7. ASN.1 Module for RFC 3281 . . . . . . . . . . . . . . . . . . 34 7. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . 35
8. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . 40 8. ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . . 37
9. ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . . 41 9. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 43
10. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 48 10. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 54
11. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 58 11. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . . 62
12. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . . 67 12. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . . 75
13. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . . 80 13. ASN.1 Module for RFC 5755 . . . . . . . . . . . . . . . . . . 87
14. ASN.1 Module for RFC 5280, Explicit and Implicit . . . . . . 91 14. ASN.1 Module for RFC 5280, Explicit and Implicit . . . . . . 93
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 116 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 117
16. Security Considerations . . . . . . . . . . . . . . . . . . . 116 16. Security Considerations . . . . . . . . . . . . . . . . . . . 117
17. Normative References . . . . . . . . . . . . . . . . . . . . 116 17. Normative References . . . . . . . . . . . . . . . . . . . . 118
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 117 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 119
A.1. Changes between draft-hoffman-pkix-new-asn1-00 and A.1. Changes between draft-hoffman-pkix-new-asn1-00 and
draft-ietf-pkix-new-asn1-00 . . . . . . . . . . . . . . . 117 draft-ietf-pkix-new-asn1-00 . . . . . . . . . . . . . . . 119
A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01 . . . 118 A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01 . . . 120
A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02 . . . 118 A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02 . . . 120
A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 . . . 118 A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 . . . 120
A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04 . . . 118 A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04 . . . 120
A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05 . . . 119 A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05 . . . 121
A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06 . . . 119 A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06 . . . 121
A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 119 A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 121
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 120 A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 122
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 122
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that This document updates the following RFCs to use ASN.1 modules that
conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
the modules are updated; some are included to simply make the set the modules are updated; some are included to simply make the set
complete. complete.
o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560] o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560]
o RFC 2986, PKCS #10 certificate request [RFC2986] o RFC 2986, PKCS #10 certificate request [RFC2986]
o RFC 3279, PKIX algorithms and identifier [RFC3279] o RFC 3279, PKIX algorithms and identifier [RFC3279]
o RFC 3281, PKIX attribute certificates, version 2 [RFC3281]
o RFC 3852, contains PKIX attribute certificates, version 1 o RFC 3852, contains PKIX attribute certificates, version 1
[RFC3852] [RFC3852]
o RFC 4055, Additional Algorithms and Identifiers for RSA o RFC 4055, Additional Algorithms and Identifiers for RSA
Cryptography [RFC4055] Cryptography [RFC4055]
o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210] o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210]
o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211] o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211]
o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol) o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol)
[RFC5055] [RFC5055]
o RFC 5272, Certificate Management over CMS (CMC) [RFC5272] o RFC 5272, Certificate Management over CMS (CMC) [RFC5272]
o RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the o RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the
implicit and explicit modules) implicit and explicit modules)
o RFC 5755, PKIX attribute certificates, version 2 [RFC5755]
Note that some of the modules in this document get some of their Note that some of the modules in this document get some of their
definitions from places different than the modules in the original definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules RFCs. The idea is that these modules, when combined with the modules
in [NEW-CMS-SMIME] can stand on their own and do not need to import in [NEW-CMS-SMIME] can stand on their own and do not need to import
definitions from anywhere else. definitions from anywhere else. Also note that the ASN.1 modules in
this document have references in their text comments that need to be
looked up in original RFCs, and that some of those references may
have already been superseded by later RFCs.
The document also includes a module of common definitions called The document also includes a module of common definitions called
"PKIX-CommonTypes". These definitions are used here and in "PKIX-CommonTypes". These definitions are used here and in
[NEW-CMS-SMIME]. [NEW-CMS-SMIME].
The document also includes a module of common defintions called The document also includes a module of common definitions called
"AlgorithmInformation". These definitions are used here and in "AlgorithmInformation". These definitions are used here and in
[NEW-CMS-SMIME]. [NEW-CMS-SMIME].
1.1. Design Notes 1.1. Design Notes
The modules in this document use the object model available in the The modules in this document use the object model available in the
2002 ASN.1 documents to a great extent. Objects for each of the 2002 ASN.1 documents to a great extent. Objects for each of the
different algorithm types are defined. Also, all of the places where different algorithm types are defined. Also, all of the places where
in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
now have objects. now have objects.
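Review bot: In the Table of Contents, the new A.9 entry repeats the title of A.8 ("Changes between draft-ietf-pkix-new-asn1-06 and -07"). Since this revision is -08, the A.9 entry and the matching appendix heading should presumably read "Changes between draft-ietf-pkix-new-asn1-07 and -08". The change history would also do well to record the switch from RFC 3281 to RFC 5755 that shows in the Introduction list and in the renumbered module sections.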
skipping to change at page 5, line 12 skipping to change at page 6, line 16
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
-- ATTRIBUTE -- ATTRIBUTE
-- --
-- Describe the set of data associated with an attribute of some type -- Describe the set of data associated with an attribute of some type
-- --
-- &id is an OID identifying the attribute -- &id is an OID identifying the attribute
-- &Type is the ASN.1 type structure for the attribute; not all -- &Type is the ASN.1 type structure for the attribute; not all
-- attributes have a data struture, so this field is optional -- attributes have a data structure, so this field is optional
-- &minCount contains the minimum number of time the attribute can -- &minCount contains the minimum number of time the attribute can
-- occur in an AttributeSet -- occur in an AttributeSet
-- &maxCount contains the maximum number of times the attribute can -- &maxCount contains the maximum number of times the attribute can
-- appear in an AttributeSet -- appear in an AttributeSet
-- Note: this cannot be automatically enforced as the field -- Note: this cannot be automatically enforced as the field
-- cannot be defaulted to MAX. -- cannot be defaulted to MAX.
-- &equality-match contains information about how matching should be -- &equality-match contains information about how matching should be
-- done -- done
-- --
-- Currently we are using two different prefixes for attributes. -- Currently we are using two different prefixes for attributes.
-- --
-- at- for certificiate attributes -- at- for certificate attributes
-- aa- for CMS attributes -- aa- for CMS attributes
-- --
ATTRIBUTE ::= CLASS { ATTRIBUTE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL, &Type OPTIONAL,
&equality-match MATCHING-RULE OPTIONAL, &equality-match MATCHING-RULE OPTIONAL,
&minCount INTEGER DEFAULT 1, &minCount INTEGER DEFAULT 1,
&maxCount INTEGER OPTIONAL &maxCount INTEGER OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
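Review bot: The &minCount comment in the ATTRIBUTE description still reads "the minimum number of time the attribute can occur" in both revisions. While the neighbouring typos ("struture", "certificiate") are being fixed, change "time" to "times" so it matches the &maxCount wording.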
skipping to change at page 6, line 4 skipping to change at page 7, line 8
-- --
MATCHING-RULE ::= CLASS { MATCHING-RULE ::= CLASS {
&ParentMatchingRules MATCHING-RULE OPTIONAL, &ParentMatchingRules MATCHING-RULE OPTIONAL,
&AssertionType OPTIONAL, &AssertionType OPTIONAL,
&uniqueMatchIndicator ATTRIBUTE OPTIONAL, &uniqueMatchIndicator ATTRIBUTE OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE &id OBJECT IDENTIFIER UNIQUE
} }
WITH SYNTAX { WITH SYNTAX {
[PARENT &ParentMatchingRules] [PARENT &ParentMatchingRules]
[SYNTAX &AssertionType] [SYNTAX &AssertionType]
[UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator] [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
ID &id ID &id
} }
-- AttributeSet -- AttributeSet
-- --
-- Used when a set of attributes is to occur. -- Used when a set of attributes is to occur.
-- --
-- type contains the identifier of the attribute -- type contains the identifier of the attribute
-- values conains a set of values where the structure of the ASN.1 -- values contains a set of values where the structure of the ASN.1
-- is defined by the attribute -- is defined by the attribute
-- --
-- The parameter contains the set of objects describing -- The parameter contains the set of objects describing
-- those attributes than can occur in this location. -- those attributes than can occur in this location.
-- --
AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE { AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
type ATTRIBUTE.&id({AttrSet}), type ATTRIBUTE.&id({AttrSet}),
values SET SIZE (1..MAX) OF ATTRIBUTE. values SET SIZE (1..MAX) OF ATTRIBUTE.
&Type({AttrSet}{@type}) &Type({AttrSet}{@type})
} }
-- SingleAttribute -- SingleAttribute
-- --
-- Used for a single valued attribute -- Used for a single valued attribute
-- --
-- The parameter contains the set of objects describing the -- The parameter contains the set of objects describing the
-- attibutes that can occur in this location -- attributes that can occur in this location
-- --
SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE { SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
type ATTRIBUTE.&id({AttrSet}), type ATTRIBUTE.&id({AttrSet}),
value ATTRIBUTE.&Type({AttrSet}{@type}) value ATTRIBUTE.&Type({AttrSet}{@type})
} }
-- EXTENSION -- EXTENSION
-- --
-- This class definition is used to describe the association of -- This class definition is used to describe the association of
-- object identifier and ASN.1 type structure for extensions -- object identifier and ASN.1 type structure for extensions
-- --
-- All extensions are prefixed with ext- -- All extensions are prefixed with ext-
-- --
-- &id conains the object identifier for the extension -- &id contains the object identifier for the extension
-- &ExtenType specifies the ASN.1 type structure for the extension -- &ExtenType specifies the ASN.1 type structure for the extension
-- &Critical contains the set of legal values for the critical field. -- &Critical contains the set of legal values for the critical field.
-- This is normally {TRUE|FALSE} but in some instances may be -- This is normally {TRUE|FALSE} but in some instances may be
-- restricted just one of these values. -- restricted just one of these values.
-- --
EXTENSION ::= CLASS { EXTENSION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&ExtnType, &ExtnType,
&Critical BOOLEAN DEFAULT {TRUE | FALSE } &Critical BOOLEAN DEFAULT {TRUE | FALSE }
} WITH SYNTAX { } WITH SYNTAX {
SYNTAX &ExtnType IDENTIFIED BY &id SYNTAX &ExtnType IDENTIFIED BY &id
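Review bot: The EXTENSION comment documents a field named "&ExtenType", but the class definition and the WITH SYNTAX clause both use "&ExtnType"; the comment should use the real field name so that readers searching the module for it find the description. Two more wording slips survive this round of typo fixes: "those attributes than can occur in this location" (should be "that can occur") in the AttributeSet comment, and "restricted just one of these values" (missing "to") in the &Critical description.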
skipping to change at page 7, line 36 skipping to change at page 8, line 39
Extensions{EXTENSION:ExtensionSet} ::= Extensions{EXTENSION:ExtensionSet} ::=
SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}} SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}
-- Extension -- Extension
-- --
-- Used for a single extension -- Used for a single extension
-- --
-- The parameter contains the set of legal extensions that can -- The parameter contains the set of legal extensions that can
-- occur this extension. -- occur this extension.
-- --
-- The restriction on the critial field has been commented out -- The restriction on the critical field has been commented out
-- the authors are not completely sure it is correct. -- the authors are not completely sure it is correct.
-- The restriction could be done using custom code rather than -- The restriction could be done using custom code rather than
-- compiler-generated code. however. -- compiler-generated code. however.
-- --
Extension{EXTENSION:ExtensionSet} ::= SEQUENCE { Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
extnID EXTENSION.&id({ExtensionSet}), extnID EXTENSION.&id({ExtensionSet}),
critical BOOLEAN critical BOOLEAN
-- (EXTENSION.&Critical({ExtensionSet}{@extnID})) -- (EXTENSION.&Critical({ExtensionSet}{@extnID}))
DEFAULT FALSE, DEFAULT FALSE,
extnValue OCTET STRING (CONTAINING extnValue OCTET STRING (CONTAINING
EXTENSION.&ExtnType({ExtensionSet}{@extnID})) EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
-- contains the DER encding of the ASN.1 value -- contains the DER encoding of the ASN.1 value
-- corresponding to the extension type identified -- corresponding to the extension type identified
-- by extnID -- by extnID
} }
-- Security Category -- Security Category
-- --
-- Security categories are used both for specifing clearances and for -- Security categories are used both for specifying clearances and
-- labeling objects. We move this here from RFC 3281 so that they -- for labeling objects. We move this here from RFC 3281 so that
-- will use a common single object class to express this information. -- they will use a common single object class to express this
-- information.
-- --
SECURITY-CATEGORY ::= TYPE-IDENTIFIER SECURITY-CATEGORY ::= TYPE-IDENTIFIER
SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE { SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
type [0] IMPLICIT SECURITY-CATEGORY. type [0] IMPLICIT SECURITY-CATEGORY.
&id({Supported}), &id({Supported}),
value [1] EXPLICIT SECURITY-CATEGORY. value [1] EXPLICIT SECURITY-CATEGORY.
&Type({Supported}{@type}) &Type({Supported}{@type})
} }
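Review bot: The Extension comment about the commented-out constraint on the critical field is still hard to parse: "has been commented out the authors are not completely sure it is correct" is missing a conjunction, and "compiler-generated code. however." has a stray period. Because the constraint (EXTENSION.&Critical({ExtensionSet}{@extnID})) is disabled, generated decoders will accept either value of critical for every extension, so the comment should state plainly that any per-extension restriction on criticality has to be checked by custom code. In the same hunk, the Security Category comment still says the definition was moved "from RFC 3281", while this revision replaces RFC 3281 with RFC 5755 in the Introduction; consider updating the reference or noting that it is historical.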
skipping to change at page 9, line 29 skipping to change at page 10, line 35
... ...
} }
-- DIGEST-ALGORITHM -- DIGEST-ALGORITHM
-- --
-- Describes the basic information for ASN.1 and a digest -- Describes the basic information for ASN.1 and a digest
-- algorithm. -- algorithm.
-- --
-- &id - contains the OID identifying the digest algorithm -- &id - contains the OID identifying the digest algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Additional information such as the length of the hash could also -- Additional information such as the length of the hash could also
-- be encoded. -- be encoded.
-- --
-- Example: -- Example:
-- sha1 DIGEST-ALGORITHM ::= { -- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1 -- IDENTIFIER id-sha1
-- PARAMS TYPE NULL ARE preferredAbsent -- PARAMS TYPE NULL ARE preferredAbsent
-- } -- }
skipping to change at page 9, line 47 skipping to change at page 11, line 4
-- IDENTIFIER id-sha1 -- IDENTIFIER id-sha1
-- PARAMS TYPE NULL ARE preferredAbsent -- PARAMS TYPE NULL ARE preferredAbsent
-- } -- }
DIGEST-ALGORITHM ::= CLASS { DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent &paramPresence ParamOptions DEFAULT absent
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] [ARE &paramPresence] ] [PARAMS [TYPE &Params] [ARE &paramPresence] ]
} }
-- SIGNATURE-ALGORITHM -- SIGNATURE-ALGORITHM
-- --
-- Describes the basic properties of a signature algorithm -- Describes the basic properties of a signature algorithm
-- --
-- &id - contains the OID identifying the signature algorithm -- &id - contains the OID identifying the signature algorithm
-- &Value - contains a type defintion for the value structure of -- &Value - contains a type definition for the value structure of
-- the signature -- the signature
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence resquirement -- &paramPresence - parameter presence requirement
-- &HashSet - The set of hash algorithms used with this -- &HashSet - The set of hash algorithms used with this
-- signature algorithm -- signature algorithm
-- &PublicKeySet - the set of public key algorithms for this -- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm -- signature algorithm
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
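Review bot: In the DIGEST-ALGORITHM WITH SYNTAX clause the presence keyword is optional ("[PARAMS [TYPE &Params] [ARE &paramPresence] ]"), whereas the KEY-WRAP and KEY-DERIVATION clauses later in this module write it as mandatory inside PARAMS ("[PARAMS [TYPE &Params] ARE &paramPresence]"). If the difference is intentional because &paramPresence has DEFAULT absent here, a one-line comment saying so would help; otherwise the clauses should be aligned. This matters to implementers because &paramPresence is what tells a decoder whether absent, NULL or present parameters are acceptable for a given algorithm identifier.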
skipping to change at page 10, line 51 skipping to change at page 12, line 8
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- PUBLIC-KEY -- PUBLIC-KEY
-- --
-- Describes the basic properties of a public key -- Describes the basic properties of a public key
-- --
-- &id - contains the OID identifying the public key -- &id - contains the OID identifying the public key
-- &KeyValue - contains the type for the key value -- &KeyValue - contains the type for the key value
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &keyUsage - contains the set of bits that are legal for this -- &keyUsage - contains the set of bits that are legal for this
-- key type. Note that is does not make any statement -- key type. Note that is does not make any statement
-- about how bits may be paired. -- about how bits may be paired.
-- &PrivateKey - contains a type structure for encoding the private -- &PrivateKey - contains a type structure for encoding the private
-- key information. -- key information.
-- --
-- Example: -- Example:
-- pk-rsa-pss PUBLIC-KEY ::= { -- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
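Review bot: The &keyUsage description in the PUBLIC-KEY comment still reads "Note that is does not make any statement about how bits may be paired" in both revisions; "is" should be "it". Since the class only lists which key usage bits are legal and says nothing about combinations, it would also help to say where (if anywhere) the pairing rules are specified.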
skipping to change at page 11, line 40 skipping to change at page 12, line 45
[CERT-KEY-USAGE &keyUsage] [CERT-KEY-USAGE &keyUsage]
[PRIVATE-KEY &PrivateKey] [PRIVATE-KEY &PrivateKey]
} }
-- KEY-TRANSPORT -- KEY-TRANSPORT
-- --
-- Describes the basic properties of a key transport algorithm -- Describes the basic properties of a key transport algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &PublicKeySet - specify which public keys are used with -- &PublicKeySet - specify which public keys are used with
-- this algorithm -- this algorithm
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- rsaTransport KEY-TRANSPORT ::= { -- rsaTransport KEY-TRANSPORT ::= {
-- IDENTIFIER &id -- IDENTIFIER &id
-- PARAMS TYPE NULL ARE required -- PARAMS TYPE NULL ARE required
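Review bot: The rsaTransport example in the KEY-TRANSPORT comment uses "IDENTIFIER &id", which is a field reference rather than an object identifier value. Every other example in this module names a concrete OID (id-sha1, id-RSASSA-PSS, id-alg-CMS3DESwrap, id-PBKDF2), so this one should name the actual key transport OID to be a usable template.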
skipping to change at page 12, line 25 skipping to change at page 13, line 30
[PUBLIC-KEYS &PublicKeySet] [PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- KEY-AGREE -- KEY-AGREE
-- --
-- Describes the basic properties of a key agreement algorithm -- Describes the basic properties of a key agreement algorithm
-- --
-- &id - contains the OID identifying the key agreement algorithm -- &id - contains the OID identifying the key agreement algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &PublicKeySet - specify which public keys are used with -- &PublicKeySet - specify which public keys are used with
-- this algorithm -- this algorithm
-- &Ukm - type of user keying material used -- &Ukm - type of user keying material used
-- &ukmPresence - specifies the requirements to define the UKM field -- &ukmPresence - specifies the requirements to define the UKM field
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- dh-static-ephemerial KEY-AGREE ::= { -- dh-static-ephemerial KEY-AGREE ::= {
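Review bot: The example object name "dh-static-ephemerial" in the KEY-AGREE comment is misspelled in both revisions; it should be "dh-static-ephemeral". It is only a comment, but example names tend to be copied verbatim into derived modules, so it is worth fixing alongside the other spelling corrections in this revision.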
skipping to change at page 13, line 21 skipping to change at page 14, line 26
[UKM [TYPE &Ukm] ARE &ukmPresence] [UKM [TYPE &Ukm] ARE &ukmPresence]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- KEY-WRAP -- KEY-WRAP
-- --
-- Describes the basic properties of a key wrap algorithm -- Describes the basic properties of a key wrap algorithm
-- --
-- &id - contains the OID identifying the key wrap algorithm -- &id - contains the OID identifying the key wrap algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- cms3DESwrap KEY-WRAP ::= { -- cms3DESwrap KEY-WRAP ::= {
-- IDENTIFIER id-alg-CMS3DESwrap -- IDENTIFIER id-alg-CMS3DESwrap
-- PARAMS TYPE NULL ARE required -- PARAMS TYPE NULL ARE required
-- } -- }
skipping to change at page 13, line 49 skipping to change at page 15, line 6
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- KEY-DERIVATION -- KEY-DERIVATION
-- --
-- Describes the basic properties of a key derivation algorithm -- Describes the basic properties of a key derivation algorithm
-- --
-- &id - contains the OID identifying the key derivation algorithm -- &id - contains the OID identifying the key derivation algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Could add information about defaults for the derivation algorithm -- Could add information about defaults for the derivation algorithm
-- such as PRFs -- such as PRFs
-- --
-- Example: -- Example:
-- pbkdf2 KEY-DERIVATION ::= { -- pbkdf2 KEY-DERIVATION ::= {
-- IDENTIFIER id-PBKDF2 -- IDENTIFIER id-PBKDF2
skipping to change at page 14, line 32 skipping to change at page 15, line 37
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- MAC-ALGORITHM -- MAC-ALGORITHM
-- --
-- Describes the basic properties of a MAC algorithm -- Describes the basic properties of a MAC algorithm
-- --
-- &id - contains the OID identifying the MAC algorithm -- &id - contains the OID identifying the MAC algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &keyed - MAC algorithm is a keyed MAC algorithm -- &keyed - MAC algorithm is a keyed MAC algorithm
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- It would make sense to also add minimum and maximum MAC lengths -- It would make sense to also add minimum and maximum MAC lengths
-- --
-- Example: -- Example:
-- maca-hmac-sha1 MAC-ALGORITHM ::= { -- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- IDENTIFIER hMAC-SHA1 -- IDENTIFIER hMAC-SHA1
skipping to change at page 15, line 21 skipping to change at page 16, line 25
} }
-- CONTENT-ENCRYPTION -- CONTENT-ENCRYPTION
-- --
-- Describes the basic properties of a content encryption -- Describes the basic properties of a content encryption
-- algorithm -- algorithm
-- --
-- &id - contains the OID identifying the content -- &id - contains the OID identifying the content
-- encryption algorithm -- encryption algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- cea-3DES-cbc CONTENT-ENCRYPTION ::= { -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER des-ede3-cbc -- IDENTIFIER des-ede3-cbc
-- PARAMS TYPE IV ARE required -- PARAMS TYPE IV ARE required
-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } -- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
-- } -- }
skipping to change at page 15, line 50 skipping to change at page 17, line 6
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- ALGORITHM -- ALGORITHM
-- --
-- Describes a generic algorithm identifier -- Describes a generic algorithm identifier
-- --
-- &id - contains the OID identifying the algorithm -- &id - contains the OID identifying the algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters -- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- This would be used for cases where an unknown algorithm is -- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases. -- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS { ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
skipping to change at page 23, line 26 skipping to change at page 24, line 30
signature BIT STRING signature BIT STRING
} }
SignatureAlgorithms SIGNATURE-ALGORITHM ::= { SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
... -- add any locally defined algorithms here -- } ... -- add any locally defined algorithms here -- }
END END
6. ASN.1 Module for RFC 3279 6. ASN.1 Module for RFC 3279
Note that this module also contains information from RFC-to-be 5480. Note that this module also contains information from [RFC5480]RFC
5480.
PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56) } id-mod-pkix1-algorithms2008-02(56) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
-- FROM [PKI-ASN] -- FROM [PKI-ASN]
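Review bot: In the sentence under the section 6 heading, the new text reads "[RFC5480]RFC 5480", which cites the same document twice. This looks like a cross-reference tag whose display text was left in when "RFC-to-be 5480" was replaced. Suggest keeping a single form, for example "information from [RFC5480]".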
skipping to change at page 24, line 45 skipping to change at page 25, line 50
sa-ecdsaWithSHA384 | sa-ecdsaWithSHA384 |
sa-ecdsaWithSHA512 sa-ecdsaWithSHA512
} }
-- --
-- S/MIME CAPS for algorithms in this document -- S/MIME CAPS for algorithms in this document
-- --
-- For all of the algorithms laid out in this document, the -- For all of the algorithms laid out in this document, the
-- parameters for the S/MIME capabilities is defined as ABSENT -- parameters for the S/MIME capabilities is defined as ABSENT
-- as there are no specific values that need to be known by the -- as there are no specific values that need to be known by the
-- reciever for negotiation. -- receiver for negotiation.
-- --
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
sa-rsaWithMD2.&smimeCaps | sa-rsaWithMD2.&smimeCaps |
sa-rsaWithMD5.&smimeCaps | sa-rsaWithMD5.&smimeCaps |
sa-rsaWithSHA1.&smimeCaps | sa-rsaWithSHA1.&smimeCaps |
sa-dsaWithSHA1.&smimeCaps | sa-dsaWithSHA1.&smimeCaps |
sa-dsaWithSHA224.&smimeCaps | sa-dsaWithSHA224.&smimeCaps |
sa-dsaWithSHA256.&smimeCaps | sa-dsaWithSHA256.&smimeCaps |
sa-ecdsaWithSHA1.&smimeCaps | sa-ecdsaWithSHA1.&smimeCaps |
skipping to change at page 25, line 38 skipping to change at page 26, line 46
RSAPublicKey ::= SEQUENCE { RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n modulus INTEGER, -- n
publicExponent INTEGER -- e publicExponent INTEGER -- e
} }
-- DSA PK Algorithm, Parameters, and Keys -- DSA PK Algorithm, Parameters, and Keys
pk-dsa PUBLIC-KEY ::= { pk-dsa PUBLIC-KEY ::= {
IDENTIFIER id-dsa IDENTIFIER id-dsa
KEY DSAPublicKey KEY DSAPublicKey
PARAMS TYPE DSA-Parms ARE inheritable PARAMS TYPE DSA-Params ARE inheritable
-- Private key format not in this module -- -- Private key format not in this module --
CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign,
cRLSign } cRLSign }
} }
id-dsa OBJECT IDENTIFIER ::= { id-dsa OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
DSA-Parms ::= SEQUENCE { DSA-Params ::= SEQUENCE {
p INTEGER, p INTEGER,
q INTEGER, q INTEGER,
g INTEGER g INTEGER
} }
DSAPublicKey ::= INTEGER -- public key, y DSAPublicKey ::= INTEGER -- public key, y
-- Diffie-Hellman PK Algorithm, Parameters, and Keys -- Diffie-Hellman PK Algorithm, Parameters, and Keys
pk-dh PUBLIC-KEY ::= { pk-dh PUBLIC-KEY ::= {
IDENTIFIER dhpublicnumber IDENTIFIER dhpublicnumber
KEY DHPublicKey KEY DHPublicKey
PARAMS TYPE DomainParameters ARE inheritable PARAMS TYPE DomainParameters ARE inheritable
-- Private key format not in this module -- -- Private key format not in this module --
CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
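Review bot: The DSA-Parms to DSA-Params rename is applied at both the PARAMS TYPE reference in pk-dsa and the type definition, so this hunk is self-consistent, but a type reference name is what other modules and existing tooling import. Type names are not encoded, so the wire format is unaffected. Please confirm that every IMPORTS clause and textual reference elsewhere in the draft uses the new spelling, and consider a one-line comment recording the -07 spelling for readers who search for it.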
skipping to change at page 26, line 25 skipping to change at page 27, line 33
dhpublicnumber OBJECT IDENTIFIER ::= { dhpublicnumber OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-x942(10046) iso(1) member-body(2) us(840) ansi-x942(10046)
number-type(2) 1 } number-type(2) 1 }
DomainParameters ::= SEQUENCE { DomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1 p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g g INTEGER, -- generator, g
q INTEGER, -- factor of p-1 q INTEGER, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor, j>= 2 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
validationParms ValidationParms OPTIONAL validationParams ValidationParams OPTIONAL
} }
ValidationParms ::= SEQUENCE { ValidationParams ::= SEQUENCE {
seed BIT STRING, seed BIT STRING,
pgenCounter INTEGER pgenCounter INTEGER
} }
DHPublicKey ::= INTEGER -- public key, y = g^x mod p DHPublicKey ::= INTEGER -- public key, y = g^x mod p
-- KEA PK Algorithm and Parameters -- KEA PK Algorithm and Parameters
pk-kea PUBLIC-KEY ::= { pk-kea PUBLIC-KEY ::= {
IDENTIFIER id-keyExchangeAlgorithm IDENTIFIER id-keyExchangeAlgorithm
-- key is not encoded -- -- key is not encoded --
PARAMS TYPE KEA-Parms-Id ARE required PARAMS TYPE KEA-Params-Id ARE required
-- Private key format not in this module -- -- Private key format not in this module --
CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly }
} }
id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1) joint-iso-itu-t(2) country(16) us(840) organization(1)
gov(101) dod(2) infosec(1) algorithms(1) 22 } gov(101) dod(2) infosec(1) algorithms(1) 22 }
KEA-Parms-Id ::= OCTET STRING KEA-Params-Id ::= OCTET STRING
-- Elliptic Curve (EC) Signatures: Unrestricted Algorithms -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms
-- (Section 2.1.1 of RFC 5480) -- (Section 2.1.1 of RFC 5480)
-- --
-- EC Unrestricted Algorithm ID -- -- this is used for ECDSA -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA
pk-ec PUBLIC-KEY ::= { pk-ec PUBLIC-KEY ::= {
IDENTIFIER id-ecPublicKey IDENTIFIER id-ecPublicKey
KEY ECPoint KEY ECPoint
PARAMS TYPE ECParameters ARE required PARAMS TYPE ECParameters ARE required
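Review bot: In DomainParameters the component identifier validationParms becomes validationParams, which is a different kind of rename from the type names ValidationParms and KEA-Parms-Id. Component identifiers appear in value notation and in the field names that ASN.1 compilers generate, so bindings generated from -07 will not line up with bindings generated from -08, even though the DER encoding is unchanged. Suggest listing the identifier renames in the change log so implementers regenerate their bindings rather than hand-merge them.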
skipping to change at page 28, line 8 skipping to change at page 29, line 15
CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly }
} }
id-ecMQV OBJECT IDENTIFIER ::= { id-ecMQV OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) schemes(1) iso(1) identified-organization(3) certicom(132) schemes(1)
ecmqv(13) } ecmqv(13) }
-- Parameters and Keys for both Restricted and Unrestricted EC -- Parameters and Keys for both Restricted and Unrestricted EC
ECParameters ::= CHOICE { ECParameters ::= CHOICE {
namedCurve CURVE.&id({NamedCurve}) --, namedCurve CURVE.&id({NamedCurve})
-- implicitCurve NULL -- implicitCurve NULL
-- implicitCurve MUST NOT be used in PKIX -- implicitCurve MUST NOT be used in PKIX
-- specifiedCurve SpecifiedCurve -- specifiedCurve SpecifiedCurve
-- specifiedCurve MUST NOT be used in PKIX -- specifiedCurve MUST NOT be used in PKIX
-- Details for specifiedCurve can be found in [X9.62] -- Details for specifiedCurve can be found in [X9.62]
-- Any future additions to this CHOICE should be coordinated -- Any future additions to this CHOICE should be coordinated
-- with ANSI X.9. -- with ANSI X.9.
} }
-- If you need to be able to decode ANSI X.9 parameter structures, -- If you need to be able to decode ANSI X.9 parameter structures,
-- uncomment the implicitCurve and specificCurve above, and also -- uncomment the implicitCurve and specificCurve above, and also
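Review bot: Removing the "--," after namedCurve in ECParameters leaves the instruction in the trailing comment incomplete. Uncommenting implicitCurve and specifiedCurve now also requires adding a comma after the namedCurve alternative, and the comment does not say so. The same comment says "specificCurve" where the CHOICE alternative is named specifiedCurve. Suggest fixing both in the comment, and restating there that a decoder built with those alternatives enabled must still reject them when processing PKIX objects, as the MUST NOT lines require.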
skipping to change at page 34, line 30 skipping to change at page 35, line 39
IDENTIFIER id-sha1 IDENTIFIER id-sha1
PARAMS TYPE NULL ARE preferredAbsent PARAMS TYPE NULL ARE preferredAbsent
} }
id-sha1 OBJECT IDENTIFIER ::= { id-sha1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) oiw(14) secsig(3) iso(1) identified-organization(3) oiw(14) secsig(3)
algorithm(2) 26 } algorithm(2) 26 }
END END
7. ASN.1 Module for RFC 3281 7. ASN.1 Module for RFC 3852 (Attribute Certificate v1)
PKIXAttributeCertificate-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, Extensions{}, SecurityCategory{},
EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
id-ad, id-at, SIGNED{}, SignatureAlgorithms
FROM PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
ext-AuthorityInfoAccess, ext-CRLDistributionPoints
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)};
-- Define the set of extensions that can appear.
-- Some of these are imported from PKIX Cert
AttributeCertExtensions EXTENSION ::= {
ext-auditIdentity | ext-targetInformation |
ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
ext-aaControls, ... }
ext-auditIdentity EXTENSION ::= { SYNTAX
OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}
ext-targetInformation EXTENSION ::= { SYNTAX
Targets IDENTIFIED BY id-ce-targetInformation }
ext-noRevAvail EXTENSION ::= { SYNTAX
NULL IDENTIFIED BY id-ce-noRevAvail}
ext-ac-proxying EXTENSION ::= { SYNTAX
ProxyInfo IDENTIFIED BY id-pe-ac-proxying}
ext-aaControls EXTENSION ::= { SYNTAX
AAControls IDENTIFIED BY id-pe-aaControls}
-- Define the set of attributes used here
AttributesDefined ATTRIBUTE ::= { at-authenticationInfo |
at-accesIdentity | at-chargingIdentity | at-group |
at-role | at-clearance | at-encAttrs, ...}
at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-authenticationInfo}
at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-accessIdentity}
at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-chargingIdentity}
at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-group}
at-role ATTRIBUTE ::= { TYPE RoleSyntax
IDENTIFIED BY id-at-role}
at-clearance ATTRIBUTE ::= { TYPE Clearance
IDENTIFIED BY id-at-clearance}
at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
IDENTIFIED BY id-aca-encAttrs}
--
-- OIDs used by Attribute Certificate Extensions
--
id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 }
--
-- OIDs used by Attribute Certficate Attributes
--
id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
-- { id-aca 5 } is reserved
id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
id-at-role OBJECT IDENTIFIER ::= { id-at 72}
id-at-clearance OBJECT IDENTIFIER ::=
{ joint-iso-ccitt(2) ds(5) module(1)
selected-attribute-types(5) clearance (55) }
--
-- The syntax of an Attribute Certificate
--
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion, -- version is v2,
holder Holder,
issuer AttCertIssuer,
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE SIZE (1..MAX) OF
AttributeSet{{AttributesDefined}},
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions{{AttributeCertExtensions}} OPTIONAL
}
AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of
-- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL,
-- the name of the claimant or role
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- used to directly authenticate the
-- holder, for example, an executable
}
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2) },
-- otherObjectTypes MUST NOT be used in
-- this profile
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
objectDigest BIT STRING
}
AttCertIssuer ::= CHOICE {
v1Form GeneralNames, -- MUST NOT be used in this
-- profile
v2Form [0] V2Form -- v2 only
}
V2Form ::= SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
-- issuerName MUST be present in this profile
-- baseCertificateID and objectDigestInfo MUST
-- NOT be present in this profile
}
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
}
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
}
--
-- Syntax used by Attribute Certificte Extensions
--
Targets ::= SEQUENCE OF Target
Target ::= CHOICE {
targetName [0] GeneralName,
targetGroup [1] GeneralName,
targetCert [2] TargetCert
}
TargetCert ::= SEQUENCE {
targetCertificate IssuerSerial,
targetName GeneralName OPTIONAL,
certDigestInfo ObjectDigestInfo OPTIONAL
}
AAControls ::= SEQUENCE {
pathLenConstraint INTEGER (0..MAX) OPTIONAL,
permittedAttrs [0] AttrSpec OPTIONAL,
excludedAttrs [1] AttrSpec OPTIONAL,
permitUnSpecified BOOLEAN DEFAULT TRUE
}
AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
ProxyInfo ::= SEQUENCE OF Targets
--
-- Syntax used by Attribute Certificate Attributes
--
IetfAttrSyntax ::= SEQUENCE {
policyAuthority[0] GeneralNames OPTIONAL,
values SEQUENCE OF CHOICE {
octets OCTET STRING,
oid OBJECT IDENTIFIER,
string UTF8String
}
}
SvceAuthInfo ::= SEQUENCE {
service GeneralName,
ident GeneralName,
authInfo OCTET STRING OPTIONAL
}
RoleSyntax ::= SEQUENCE {
roleAuthority [0] GeneralNames OPTIONAL,
roleName [1] GeneralName
}
Clearance ::= SEQUENCE {
policyId OBJECT IDENTIFIER,
classList ClassList DEFAULT {unclassified},
securityCategories SET OF SecurityCategory
{{SupportedSecurityCategories}} OPTIONAL
}
ClassList ::= BIT STRING {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
topSecret (5)
}
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
ACClearAttrs ::= SEQUENCE {
acIssuer GeneralName,
acSerial INTEGER,
attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
}
ContentInfo ::= INTEGER
END
8. ASN.1 Module for RFC 3852 (Attribute Certificate v1)
AttributeCertificateVersion1-2009 AttributeCertificateVersion1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-v1AttrCert-02(49)} smime(16) modules(0) id-mod-v1AttrCert-02(49)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{}
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
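Review bot: Deleting the whole PKIXAttributeCertificate-2009 module (the former section 7) removes the definitions of AttCertValidityPeriod, Holder, AttCertIssuer and the other v2 attribute certificate types, while the AttributeCertificateVersion1-2009 module that follows still uses AttCertValidityPeriod for its attCertValidityPeriod field. The IMPORTS of that module are only partly visible here, so please confirm that it does not import from the removed module, or state where the RFC 3281 definitions now live. If the module is reintroduced elsewhere, do not carry over the misspellings in the deleted text: the identifier at-accesIdentity (its OID is id-aca-accessIdentity) and the comment words "Certficate" and "Certificte".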
skipping to change at page 41, line 18 skipping to change at page 37, line 4
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}},
serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber,
attCertValidityPeriod AttCertValidityPeriod, attCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF AttributeSet{{AttrList}}, attributes SEQUENCE OF AttributeSet{{AttrList}},
issuerUniqueID UniqueIdentifier OPTIONAL, issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL } extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL }
AttCertVersionV1 ::= INTEGER { v1(0) } AttCertVersionV1 ::= INTEGER { v1(0) }
AttrList ATTRIBUTE ::= {...} AttrList ATTRIBUTE ::= {...}
AttributeCertExtensionsV1 EXTENSION ::= {...} AttributeCertExtensionsV1 EXTENSION ::= {...}
END END
9. ASN.1 Module for RFC 4055 8. ASN.1 Module for RFC 4055
PKIX1-PSS-OAEP-Algorithms-2009 PKIX1-PSS-OAEP-Algorithms-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT, AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT,
SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS
skipping to change at page 43, line 4 skipping to change at page 38, line 36
-- --
sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
IDENTIFIER id-RSASSA-PSS IDENTIFIER id-RSASSA-PSS
PARAMS TYPE RSASSA-PSS-params ARE required PARAMS TYPE RSASSA-PSS-params ARE required
HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384
| mda-sha512 } | mda-sha512 }
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS }
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
} }
-- --
-- Signature algorithm defintions for PKCS v1.5 signatures -- Signature algorithm definitions for PKCS v1.5 signatures
-- --
sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= { sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= {
IDENTIFIER sha224WithRSAEncryption IDENTIFIER sha224WithRSAEncryption
PARAMS TYPE NULL ARE required PARAMS TYPE NULL ARE required
HASHES { mda-sha224 } HASHES { mda-sha224 }
PUBLIC-KEYS { pk-rsa } PUBLIC-KEYS { pk-rsa }
SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption } SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption }
} }
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
skipping to change at page 45, line 4 skipping to change at page 40, line 36
-- When id-pSpecified is used in an AlgorithmIdentifier the -- When id-pSpecified is used in an AlgorithmIdentifier the
-- parameters MUST be an OCTET STRING. -- parameters MUST be an OCTET STRING.
id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 } id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }
-- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the
-- parameters field is present, it MUST be RSASSA-PSS-params. -- parameters field is present, it MUST be RSASSA-PSS-params.
id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
-- When the following OIDs are used in an AlgorithmIdentifier the -- When the following OIDs are used in an AlgorithmIdentifier the
-- parameters SHOULD be absent, but if the parameters are present, -- parameters SHOULD be absent, but if the parameters are present,
-- they MUST be NULL. -- they MUST be NULL.
-- --
-- id-sha1 is imported from RFC 3279. Additionally, the v1.5 -- id-sha1 is imported from RFC 3279. Additionally, the v1.5
-- signature algorithms (i.e. rsaWithSHA256) are now soley placed -- signature algorithms (i.e. rsaWithSHA256) are now solely placed
-- in that module. -- in that module.
-- --
id-sha224 OBJECT IDENTIFIER ::= id-sha224 OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 4 } csor(3) nistalgorithm(4) hashalgs(2) 4 }
mda-sha224 DIGEST-ALGORITHM ::= { mda-sha224 DIGEST-ALGORITHM ::= {
IDENTIFIER id-sha224 IDENTIFIER id-sha224
PARAMS TYPE NULL ARE preferredAbsent PARAMS TYPE NULL ARE preferredAbsent
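Review bot: The comment touched by the "solely" fix says the v1.5 signature algorithms are placed only in the RFC 3279 module, yet sa-sha224WithRSAEncryption and its OID appear to be defined in this same module in the preceding hunk. The spelling fix therefore leaves a statement that contradicts the module's own contents. Suggest rewording the comment to say which v1.5 algorithms moved, and changing "i.e." to "e.g." since rsaWithSHA256 is given as an example.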
skipping to change at page 48, line 4 skipping to change at page 43, line 36
-- Note that the tags in this Sequence are explicit. -- Note that the tags in this Sequence are explicit.
-- Note: The hash algorithm in hashFunc and in -- Note: The hash algorithm in hashFunc and in
-- maskGenFunc should be the same -- maskGenFunc should be the same
RSAES-OAEP-params ::= SEQUENCE { RSAES-OAEP-params ::= SEQUENCE {
hashFunc [0] HashAlgorithm DEFAULT sha1Identifier, hashFunc [0] HashAlgorithm DEFAULT sha1Identifier,
maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1, maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1,
pSourceFunc [2] PSourceAlgorithm DEFAULT pSourceFunc [2] PSourceAlgorithm DEFAULT
pSpecifiedEmpty pSpecifiedEmpty
} }
END END
10. ASN.1 Module for RFC 4210 9. ASN.1 Module for RFC 4210
PKIXCMP-2009 PKIXCMP-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) } mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
skipping to change at page 58, line 29 skipping to change at page 54, line 13
PollReqContent ::= SEQUENCE OF SEQUENCE { PollReqContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER } certReqId INTEGER }
PollRepContent ::= SEQUENCE OF SEQUENCE { PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER, certReqId INTEGER,
checkAfter INTEGER, -- time in seconds checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL } reason PKIFreeText OPTIONAL }
END END
11. ASN.1 Module for RFC 4211 10. ASN.1 Module for RFC 4211
PKIXCRMF-2009 PKIXCRMF-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE, AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE,
SingleAttribute{} SingleAttribute{}
skipping to change at page 65, line 14 skipping to change at page 60, line 46
-- key of a key pair that the receiver generates in response to -- key of a key pair that the receiver generates in response to
-- this request; set to FALSE if no archival is desired. -- this request; set to FALSE if no archival is desired.
EncryptedKey ::= CHOICE { EncryptedKey ::= CHOICE {
encryptedValue EncryptedValue, -- Deprecated encryptedValue EncryptedValue, -- Deprecated
envelopedData [0] EnvelopedData } envelopedData [0] EnvelopedData }
-- The encrypted private key MUST be placed in the envelopedData -- The encrypted private key MUST be placed in the envelopedData
-- encryptedContentInfo encryptedContent OCTET STRING. -- encryptedContentInfo encryptedContent OCTET STRING.
-- --
-- We skipped doing the full constraints here since this struture has -- We skipped doing the full constraints here since this structure
-- be deprecated in favor of EnvelopedData -- has been deprecated in favor of EnvelopedData
-- --
EncryptedValue ::= SEQUENCE { EncryptedValue ::= SEQUENCE {
intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
-- the intended algorithm for which the value will be used -- the intended algorithm for which the value will be used
symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
-- the symmetric algorithm used to encrypt the value -- the symmetric algorithm used to encrypt the value
encSymmKey [2] BIT STRING OPTIONAL, encSymmKey [2] BIT STRING OPTIONAL,
-- the (encrypted) symmetric key used to encrypt the value -- the (encrypted) symmetric key used to encrypt the value
keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL,
skipping to change at page 67, line 11 skipping to change at page 62, line 42
regInfo-certReq ATTRIBUTE ::= regInfo-certReq ATTRIBUTE ::=
{ TYPE CertReq IDENTIFIED BY id-regInfo-certReq } { TYPE CertReq IDENTIFIED BY id-regInfo-certReq }
id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
--with syntax --with syntax
CertReq ::= CertRequest CertReq ::= CertRequest
END END
12. ASN.1 Module for RFC 5055 11. ASN.1 Module for RFC 5055
SCVP-2009 SCVP-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) } mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Extensions{}, EXTENSION, ATTRIBUTE Extensions{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
skipping to change at page 71, line 4 skipping to change at page 66, line 35
} }
ValidationPolRef ::= SEQUENCE { ValidationPolRef ::= SEQUENCE {
valPolId POLICY.&id, valPolId POLICY.&id,
valPolParams POLICY.&Type OPTIONAL valPolParams POLICY.&Type OPTIONAL
} }
ValidationAlgSet POLICY ::= { ValidationAlgSet POLICY ::= {
svp-basicValAlg, ... svp-basicValAlg, ...
} }
ValidationAlg ::= SEQUENCE { ValidationAlg ::= SEQUENCE {
valAlgId POLICY.&id, valAlgId POLICY.&id,
parameters POLICY.&Type OPTIONAL parameters POLICY.&Type OPTIONAL
} }
NameValiationAlgSet POLICY ::= { NameValiationAlgSet POLICY ::= {
svp-nameValAlg, ... svp-nameValAlg, ...
} }
NameValidationAlgParms ::= SEQUENCE { NameValidationAlgParams ::= SEQUENCE {
nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ), nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ),
validationNames GeneralNames validationNames GeneralNames
} }
TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference
KeyAgreePublicKey ::= SEQUENCE { KeyAgreePublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier{KEY-AGREE, algorithm AlgorithmIdentifier{KEY-AGREE,
{SupportedKeyAgreePublicKeys}}, {SupportedKeyAgreePublicKeys}},
publicKey BIT STRING, publicKey BIT STRING,
macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM,
{SupportedMACAlgorithms}}, {SupportedMACAlgorithms}},
kDF AlgorithmIdentifier{KEY-DERIVATION, kDF AlgorithmIdentifier{KEY-DERIVATION,
{SupportedKeyDerivationFunctions}} {SupportedKeyDerivationFunctions}}
OPTIONAL OPTIONAL
} }
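Review bot: The spelling pass renames NameValidationAlgParms to NameValidationAlgParams but leaves the object set name NameValiationAlgSet (missing "d") unchanged on the line just above it. If identifiers are being corrected in this revision, fix this one in the same pass so the module does not need a second round of renames. If the name is kept for compatibility, say so in a comment.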
skipping to change at page 72, line 35 skipping to change at page 68, line 20
requestorRef [2] GeneralNames OPTIONAL, requestorRef [2] GeneralNames OPTIONAL,
requestorName [3] GeneralNames OPTIONAL, requestorName [3] GeneralNames OPTIONAL,
replyObjects [4] ReplyObjects OPTIONAL, replyObjects [4] ReplyObjects OPTIONAL,
respNonce [5] OCTET STRING OPTIONAL, respNonce [5] OCTET STRING OPTIONAL,
serverContextInfo [6] OCTET STRING OPTIONAL, serverContextInfo [6] OCTET STRING OPTIONAL,
cvResponseExtensions [7] Extensions{{CVResponseExtensions}} cvResponseExtensions [7] Extensions{{CVResponseExtensions}}
OPTIONAL, OPTIONAL,
requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL
} }
-- This doucment defines no extensions -- This document defines no extensions
CVResponseExtensions EXTENSION ::= {...} CVResponseExtensions EXTENSION ::= {...}
ResponseStatus ::= SEQUENCE { ResponseStatus ::= SEQUENCE {
statusCode CVStatusCode DEFAULT okay, statusCode CVStatusCode DEFAULT okay,
errorMessage UTF8String OPTIONAL errorMessage UTF8String OPTIONAL
} }
CVStatusCode ::= ENUMERATED { CVStatusCode ::= ENUMERATED {
okay (0), okay (0),
skipUnrecognizedItems (1), skipUnrecognizedItems (1),
skipping to change at page 79, line 4 skipping to change at page 74, line 36
} }
id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 }
id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 }
id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 }
id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 }
id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 }
id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 }
id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 }
id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 }
-- SCVP Name Validation Algorithm Identifier -- SCVP Name Validation Algorithm Identifier
svp-nameValAlg POLICY ::= svp-nameValAlg POLICY ::=
{TYPE NameValidationAlgParms IDENTIFIED BY id-svp-nameValAlg } {TYPE NameValidationAlgParams IDENTIFIED BY id-svp-nameValAlg }
id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 }
-- SCVP Name Validation Algorithm DN comparison algorithm -- SCVP Name Validation Algorithm DN comparison algorithm
NameCompAlgSet OBJECT IDENTIFIER ::= { NameCompAlgSet OBJECT IDENTIFIER ::= {
id-nva-dnCompAlg id-nva-dnCompAlg
} }
id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 }
skipping to change at page 80, line 5 skipping to change at page 75, line 36
SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= { SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= {
id-kp-scvpServer | id-kp-scvpClient id-kp-scvpServer | id-kp-scvpClient
} }
id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 }
id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 } id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 }
END END
13. ASN.1 Module for RFC 5272 12. ASN.1 Module for RFC 5272
EnrollmentMessageSyntax-2009 EnrollmentMessageSyntax-2009
{iso(1) identified-organization(3) dod(4) internet(1) {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)} security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
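Review bot: the EnrollmentMessageSyntax-2009 module identifier still spells the arc label "mechansims(5)" on the line directly after the corrected dod(6), while the IMPORTS clause below it uses "mechanisms(5)". The label does not change the encoded OID, but this revision is already editing that value to fix dod(4), so the spelling should be corrected in the same pass.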
skipping to change at page 81, line 17 skipping to change at page 77, line 4
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
mda-sha256 mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms-2009 FROM PKIX1-PSS-OAEP-Algorithms-2009
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54) } ; id-mod-pkix1-rsa-pkalgs-02(54) } ;
-- CMS Content types defined in this document -- CMS Content types defined in this document
CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... } CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... }
-- Signaure Algorithms defined in this document -- Signature Algorithms defined in this document
SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature } SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }
-- CMS Unsigned Attibutes -- CMS Unsigned Attributes
CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData } CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }
-- --
-- --
id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls
id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types
-- This is the content type for a request message in the protocol -- This is the content type for a request message in the protocol
skipping to change at page 91, line 20 skipping to change at page 87, line 4
cmc-popLinkWitnessV2 CMC-CONTROL ::= cmc-popLinkWitnessV2 CMC-CONTROL ::=
{ PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 }
id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 }
PopLinkWitnessV2 ::= SEQUENCE { PopLinkWitnessV2 ::= SEQUENCE {
keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION,
{KeyDevAlgs}}, {KeyDevAlgs}},
macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
witness OCTET STRING witness OCTET STRING
} }
KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...}
END END
13. ASN.1 Module for RFC 5755
PKIXAttributeCertificate-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, Extensions{}, SecurityCategory{},
EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
-- IMPORTeD module OIDs MAY Change if [PKIXPROF] changes
-- PKIX Certificate Extensions
CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
id-ad, id-at, SIGNED{}, SignatureAlgorithms
FROM PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
ext-AuthorityInfoAccess, ext-CRLDistributionPoints
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
ContentInfo
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) };
-- Define the set of extensions that can appear.
-- Some of these are imported from PKIX Cert
AttributeCertExtensions EXTENSION ::= {
ext-auditIdentity | ext-targetInformation |
ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
ext-aaControls, ... }
ext-auditIdentity EXTENSION ::= { SYNTAX
OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}
ext-targetInformation EXTENSION ::= { SYNTAX
Targets IDENTIFIED BY id-ce-targetInformation }
ext-noRevAvail EXTENSION ::= { SYNTAX
NULL IDENTIFIED BY id-ce-noRevAvail}
ext-ac-proxying EXTENSION ::= { SYNTAX
ProxyInfo IDENTIFIED BY id-pe-ac-proxying}
ext-aaControls EXTENSION ::= { SYNTAX
AAControls IDENTIFIED BY id-pe-aaControls}
-- Define the set of attributes used here
AttributesDefined ATTRIBUTE ::= { at-authenticationInfo |
at-accesIdentity | at-chargingIdentity | at-group |
at-role | at-clearance | at-encAttrs, ...}
at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-authenticationInfo}
at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
IDENTIFIED BY id-aca-accessIdentity}
at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-chargingIdentity}
at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
IDENTIFIED BY id-aca-group}
at-role ATTRIBUTE ::= { TYPE RoleSyntax
IDENTIFIED BY id-at-role}
at-clearance ATTRIBUTE ::= { TYPE Clearance
IDENTIFIED BY id-at-clearance}
at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
IDENTIFIED BY id-at-clearance-rfc3281 }
at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
IDENTIFIED BY id-aca-encAttrs}
--
-- OIDs used by Attribute Certificate Extensions
--
id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 }
id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 }
id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 }
id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 }
--
-- OIDs used by Attribute Certficate Attributes
--
id-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 }
id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 }
id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 }
-- { id-aca 5 } is reserved
id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 }
id-at-role OBJECT IDENTIFIER ::= { id-at 72}
id-at-clearance OBJECT IDENTIFIER ::= {
joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }
-- Uncomment the following declaration and comment the above line if
-- using the id-at-clearance attribute as defined in [RFC3281]
-- id-at-clearance ::= id-at-clearance-3281
id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= {
joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
clearance (55) }
--
-- The syntax of an Attribute Certificate
--
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}
AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion, -- version is v2
holder Holder,
issuer AttCertIssuer,
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF
AttributeSet{{AttributesDefined}},
issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions{{AttributeCertExtensions}} OPTIONAL
}
AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of
-- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL,
-- the name of the claimant or role
objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- used to directly authenticate the
-- holder, for example, an executable
}
ObjectDigestInfo ::= SEQUENCE {
digestedObjectType ENUMERATED {
publicKey (0),
publicKeyCert (1),
otherObjectTypes (2) },
-- otherObjectTypes MUST NOT
-- MUST NOT be used in this profile
otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
objectDigest BIT STRING
}
AttCertIssuer ::= CHOICE {
v1Form GeneralNames, -- MUST NOT be used in this
-- profile
v2Form [0] V2Form -- v2 only
}
V2Form ::= SEQUENCE {
issuerName GeneralNames OPTIONAL,
baseCertificateID [0] IssuerSerial OPTIONAL,
objectDigestInfo [1] ObjectDigestInfo OPTIONAL
-- issuerName MUST be present in this profile
-- baseCertificateID and objectDigestInfo MUST
-- NOT be present in this profile
}
IssuerSerial ::= SEQUENCE {
issuer GeneralNames,
serial CertificateSerialNumber,
issuerUID UniqueIdentifier OPTIONAL
}
AttCertValidityPeriod ::= SEQUENCE {
notBeforeTime GeneralizedTime,
notAfterTime GeneralizedTime
}
--
-- Syntax used by Attribute Certificate Extensions
--
Targets ::= SEQUENCE OF Target
Target ::= CHOICE {
targetName [0] GeneralName,
targetGroup [1] GeneralName,
targetCert [2] TargetCert
}
TargetCert ::= SEQUENCE {
targetCertificate IssuerSerial,
targetName GeneralName OPTIONAL,
certDigestInfo ObjectDigestInfo OPTIONAL
}
AAControls ::= SEQUENCE {
pathLenConstraint INTEGER (0..MAX) OPTIONAL,
permittedAttrs [0] AttrSpec OPTIONAL,
excludedAttrs [1] AttrSpec OPTIONAL,
permitUnSpecified BOOLEAN DEFAULT TRUE
}
AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER
ProxyInfo ::= SEQUENCE OF Targets
--
-- Syntax used by Attribute Certificate Attributes
--
IetfAttrSyntax ::= SEQUENCE {
policyAuthority[0] GeneralNames OPTIONAL,
values SEQUENCE OF CHOICE {
octets OCTET STRING,
oid OBJECT IDENTIFIER,
string UTF8String
}
}
SvceAuthInfo ::= SEQUENCE {
service GeneralName,
ident GeneralName,
authInfo OCTET STRING OPTIONAL
}
RoleSyntax ::= SEQUENCE {
roleAuthority [0] GeneralNames OPTIONAL,
roleName [1] GeneralName
}
Clearance ::= SEQUENCE {
policyId OBJECT IDENTIFIER,
classList ClassList DEFAULT {unclassified},
securityCategories SET OF SecurityCategory
{{SupportedSecurityCategories}} OPTIONAL
}
-- Uncomment the following lines to support deprecated clearance
-- syntax and comment out previous Clearance.
-- Clearance ::= Clearance-rfc3281
Clearance-rfc3281 ::= SEQUENCE {
policyId [0] OBJECT IDENTIFIER,
classList [1] ClassList DEFAULT {unclassified},
securityCategories [2] SET OF SecurityCategory-rfc3281
{{SupportedSecurityCategories}} OPTIONAL
}
ClassList ::= BIT STRING {
unmarked (0),
unclassified (1),
restricted (2),
confidential (3),
secret (4),
topSecret (5)
}
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
type [0] IMPLICIT SECURITY-CATEGORY.
&id({Supported}),
value [1] EXPLICIT SECURITY-CATEGORY.
&Type({Supported}{@type})
}
ACClearAttrs ::= SEQUENCE {
acIssuer GeneralName,
acSerial INTEGER,
attrs SEQUENCE OF AttributeSet{{AttributesDefined}}
}
END
14. ASN.1 Module for RFC 5280, Explicit and Implicit 14. ASN.1 Module for RFC 5280, Explicit and Implicit
Note that many of the changes in this module are similar or the same Note that many of the changes in this module are similar or the same
as the changes made in more recent versions of X.509 itself. as the changes made in more recent versions of X.509 itself.
PKIX1Explicit-2009 PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51)} id-mod-pkix1-explicit-02(51)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
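Review bot: the commented-out alternative in the new RFC 5755 module, "-- id-at-clearance ::= id-at-clearance-3281", names a value the module never defines; the value declared just below it is id-at-clearance-rfc3281, and the assignment also omits the OBJECT IDENTIFIER type. Anyone who follows the "Uncomment the following declaration" instruction gets a module that does not compile, so the comment should read "id-at-clearance OBJECT IDENTIFIER ::= id-at-clearance-rfc3281". Two smaller points in the same module: the ObjectDigestInfo comment repeats "MUST NOT" across two lines, and at-accesIdentity is spelled with one "s" although its OID is id-aca-accessIdentity.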
skipping to change at page 105, line 4 skipping to change at page 106, line 44
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
AttributeSet{{SupportedAttributes}} AttributeSet{{SupportedAttributes}}
-- basic constraints extension OID and syntax -- basic constraints extension OID and syntax
ext-BasicConstraints EXTENSION ::= { SYNTAX ext-BasicConstraints EXTENSION ::= { SYNTAX
BasicConstraints IDENTIFIED BY id-ce-basicConstraints } BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE { BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE, cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL pathLenConstraint INTEGER (0..MAX) OPTIONAL
} }
-- name constraints extension OID and syntax -- name constraints extension OID and syntax
ext-NameConstraints EXTENSION ::= { SYNTAX ext-NameConstraints EXTENSION ::= { SYNTAX
NameConstraints IDENTIFIED BY id-ce-nameConstraints } NameConstraints IDENTIFIED BY id-ce-nameConstraints }
id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
NameConstraints ::= SEQUENCE { NameConstraints ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL, permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL excludedSubtrees [1] GeneralSubtrees OPTIONAL
} }
-- --
-- This is a constraint in the issued certificates by CAs, but is -- This is a constraint in the issued certificates by CAs, but is
-- not a requirement on EEs. -- not a requirement on EEs.
-- --
-- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} | -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
-- WITH COMPONENTS { ..., excludedSubtrees PRESEENT }} -- WITH COMPONENTS { ..., excludedSubtrees PRESENT }}
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE { GeneralSubtree ::= SEQUENCE {
base GeneralName, base GeneralName,
minimum [0] BaseDistance DEFAULT 0, minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL maximum [1] BaseDistance OPTIONAL
} }
BaseDistance ::= INTEGER (0..MAX) BaseDistance ::= INTEGER (0..MAX)
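Review bot: the commented constraint under NameConstraints opens with "(" but still closes with "}}" on the line where PRESEENT is corrected, so the parenthesis is unbalanced. The parallel constraint under PolicyConstraints closes with "})". Since that line is already being edited, change the final "}" to ")" so the constraint can be uncommented as written.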
skipping to change at page 106, line 4 skipping to change at page 107, line 44
PolicyConstraints ::= SEQUENCE { PolicyConstraints ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL, requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL } inhibitPolicyMapping [1] SkipCerts OPTIONAL }
-- --
-- This is a constraint in the issued certificates by CAs, -- This is a constraint in the issued certificates by CAs,
-- but is not a requirement for EEs -- but is not a requirement for EEs
-- --
-- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} | -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
-- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT}) -- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})
SkipCerts ::= INTEGER (0..MAX) SkipCerts ::= INTEGER (0..MAX)
-- CRL distribution points extension OID and syntax -- CRL distribution points extension OID and syntax
ext-CRLDistributionPoints EXTENSION ::= { SYNTAX ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints} CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE { DistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL, distributionPoint [0] DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL, reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL cRLIssuer [2] GeneralNames OPTIONAL
} }
-- --
-- This is not a requiement in the text, but is seems as if it -- This is not a requirement in the text, but is seems as if it
-- should be -- should be
-- --
--(WITH COMPONENTS {..., distributionPoint PRESENT} | --(WITH COMPONENTS {..., distributionPoint PRESENT} |
-- WITH COMPONENTS {..., cRLIssuer PRESENT}) -- WITH COMPONENTS {..., cRLIssuer PRESENT})
DistributionPointName ::= CHOICE { DistributionPointName ::= CHOICE {
fullName [0] GeneralNames, fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName nameRelativeToCRLIssuer [1] RelativeDistinguishedName
} }
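Review bot: the DistributionPoint comment line that fixes "requiement" still reads "but is seems as if it" on the new side; it should be "but it seems as if it". Worth fixing in the same edit since the line is already touched.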
skipping to change at page 116, line 40 skipping to change at page 118, line 32
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986, Request Syntax Specification Version 1.7", RFC 2986,
November 2000. November 2000.
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 3279, April 2002. (CRL) Profile", RFC 3279, April 2002.
[RFC3281] Farrell, S. and R. Housley, "An Internet Attribute
Certificate Profile for Authorization", RFC 3281,
April 2002.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004. RFC 3852, July 2004.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in Algorithms and Identifiers for RSA Cryptography for use in
the Internet X.509 Public Key Infrastructure Certificate the Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile", RFC 4055, and Certificate Revocation List (CRL) Profile", RFC 4055,
June 2005. June 2005.
[RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen,
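Review bot: removing the [RFC3281] entry here leaves a dangling citation, because the new RFC 5755 module still carries the comment "using the id-at-clearance attribute as defined in [RFC3281]" and defines Clearance-rfc3281 and id-at-clearance-rfc3281 for the deprecated syntax. Either keep [RFC3281] in the reference list as the source of the deprecated clearance definitions, or reword that module comment so it no longer uses a bracketed citation.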
skipping to change at page 117, line 26 skipping to change at page 119, line 14
(SCVP)", RFC 5055, December 2007. (SCVP)", RFC 5055, December 2007.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, June 2008. (CMC)", RFC 5272, June 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
"Elliptic Curve Cryptography Subject Public Key
Information", RFC 5480, March 2009.
[RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet
Attribute Certificate Profile for Authorization",
RFC 5755, January 2010.
Appendix A. Change History Appendix A. Change History
[[ This entire section is to be removed upon publication. ]] [[ This entire section is to be removed upon publication. ]]
A.1. Changes between draft-hoffman-pkix-new-asn1-00 and A.1. Changes between draft-hoffman-pkix-new-asn1-00 and
draft-ietf-pkix-new-asn1-00 draft-ietf-pkix-new-asn1-00
Changed the draft name. Changed the draft name.
Added the PKIX common definitions module. Added the PKIX common definitions module.
skipping to change at page 118, line 33 skipping to change at page 120, line 28
Updated all modules to use objects more deeply. Updated all modules to use objects more deeply.
Removed RFC 3280 and added RFC 5280. Removed RFC 3280 and added RFC 5280.
Added RFC 5272 (CMC). Added RFC 5272 (CMC).
A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03
Many cosmetic-only changes to the modules. Many cosmetic-only changes to the modules.
Changed some multi-word keywords to hypenated (such as "SMIME CAPS" Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
to "SMIME-CAPS"). to "SMIME-CAPS").
In section 6, added "Note that this module also contains information In section 6, added "Note that this module also contains information
from RFC-to-be 5480." Will add a real reference in future version of from RFC-to-be 5480." Will add a real reference in future version of
this draft. this draft.
In section 6, added the labels for the id-keyExchangeAlgorithm OID. In section 6, added the labels for the id-keyExchangeAlgorithm OID.
Updated the reference of X.680 to X.680, X.681, X.682, and X.683. Updated the reference of X.680 to X.680, X.681, X.682, and X.683.
skipping to change at page 120, line 6 skipping to change at page 122, line 5
-- with ANSI X.9. -- with ANSI X.9.
} }
-- If you need to be able to decode ANSI X.9 parameter structures, then -- If you need to be able to decode ANSI X.9 parameter structures, then
-- uncomment the implicitCurve and specificCurve above, and also -- uncomment the implicitCurve and specificCurve above, and also
-- uncomment the follow: -- uncomment the follow:
--(WITH COMPONENTS {namedCurve PRESENT}) --(WITH COMPONENTS {namedCurve PRESENT})
Changed "memberBody" to "member-body" in the modules for RFCs 4210 Changed "memberBody" to "member-body" in the modules for RFCs 4210
and 4211. and 4211.
A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07
Throughout, changed all instances of RFC 3281 to RFC 5755.
Throughout, fixed spelling errors in module comments and parameter
names.
In section 1, added "Also note that the ASN.1 modules in this
document have references in their text comments that need to be
looked up in original RFCs, and that some of those references may
have already been superseded by later RFCs."
In RFC 5272, fixed the OID for EnrollmentMessageSyntax.
In section 6, changed "RFC-to-be 5480" to "RFC 5480" and added a
reference for it.
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
127 Segre Place 127 Segre Place
Santa Cruz, CA 95060 Santa Cruz, CA 95060
US US
Phone: 1-831-426-9827 Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
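Review bot: the new section heading "A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07" looks off by one revision. The items it lists (RFC 3281 replaced by RFC 5755, the EnrollmentMessageSyntax OID fix, the RFC 5480 reference) all appear as changes in this -07 to -08 diff, so the heading should read "-07 and -08". The unchanged comment above it, "uncomment the follow:", could also be corrected to "following" given that this revision claims spelling fixes throughout.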
 End of changes. 82 change blocks. 
384 lines changed or deleted 454 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/