| < draft-ietf-pkix-new-asn1-07.txt | draft-ietf-pkix-new-asn1-08.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Hoffman | Network Working Group P. Hoffman | |||
| Internet-Draft VPN Consortium | Internet-Draft VPN Consortium | |||
| Intended status: Informational J. Schaad | Intended status: Informational J. Schaad | |||
| Expires: February 14, 2010 Soaring Hawk Consulting | Expires: September 8, 2010 Soaring Hawk Consulting | |||
| August 13, 2009 | March 7, 2010 | |||
| New ASN.1 Modules for PKIX | New ASN.1 Modules for PKIX | |||
| draft-ietf-pkix-new-asn1-07.txt | draft-ietf-pkix-new-asn1-08.txt | |||
| Abstract | ||||
| The PKIX certificate format, and many associated formats, are | ||||
| expressed using ASN.1. The current ASN.1 modules conform to the 1988 | ||||
| version of ASN.1. This document updates those ASN.1 modules to | ||||
| conform to the 2002 version of ASN.1. There are no bits-on-the-wire | ||||
| changes to any of the formats; this is simply a change to the syntax. | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. This document may contain material | provisions of BCP 78 and BCP 79. | |||
| from IETF Documents or IETF Contributions published or made publicly | ||||
| available before November 10, 2008. The person(s) controlling the | ||||
| copyright in some of this material may not have granted the IETF | ||||
| Trust the right to allow modifications of such material outside the | ||||
| IETF Standards Process. Without obtaining an adequate license from | ||||
| the person(s) controlling the copyright in such materials, this | ||||
| document may not be modified outside the IETF Standards Process, and | ||||
| derivative works of it may not be created outside the IETF Standards | ||||
| Process, except to format it for publication as an RFC or to | ||||
| translate it into languages other than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on February 14, 2010. | This Internet-Draft will expire on September 8, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents | |||
| publication of this document (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | ||||
| Abstract | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | ||||
| described in the BSD License. | ||||
| The PKIX certificate format, and many associated formats, are | This document may contain material from IETF Documents or IETF | |||
| expressed using ASN.1. The current ASN.1 modules conform to the 1988 | Contributions published or made publicly available before November | |||
| version of ASN.1. This document updates those ASN.1 modules to | 10, 2008. The person(s) controlling the copyright in some of this | |||
| conform to the 2002 version of ASN.1. There are no bits-on-the-wire | material may not have granted the IETF Trust the right to allow | |||
| changes to any of the formats; this is simply a change to the syntax. | modifications of such material outside the IETF Standards Process. | |||
| Without obtaining an adequate license from the person(s) controlling | ||||
| the copyright in such materials, this document may not be modified | ||||
| outside the IETF Standards Process, and derivative works of it may | ||||
| not be created outside the IETF Standards Process, except to format | ||||
| it for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2. ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . . 4 | 2. ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . . 5 | |||
| 3. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 8 | 3. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 9 | |||
| 4. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 18 | 4. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 19 | |||
| 5. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 22 | 5. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 23 | |||
| 6. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 23 | 6. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 24 | |||
| 7. ASN.1 Module for RFC 3281 . . . . . . . . . . . . . . . . . . 34 | 7. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . 35 | |||
| 8. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . 40 | 8. ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . . 37 | |||
| 9. ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . . 41 | 9. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 43 | |||
| 10. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 48 | 10. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 54 | |||
| 11. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 58 | 11. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . . 62 | |||
| 12. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . . 67 | 12. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . . 75 | |||
| 13. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . . 80 | 13. ASN.1 Module for RFC 5755 . . . . . . . . . . . . . . . . . . 87 | |||
| 14. ASN.1 Module for RFC 5280, Explicit and Implicit . . . . . . 91 | 14. ASN.1 Module for RFC 5280, Explicit and Implicit . . . . . . 93 | |||
| 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 116 | 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 117 | |||
| 16. Security Considerations . . . . . . . . . . . . . . . . . . . 116 | 16. Security Considerations . . . . . . . . . . . . . . . . . . . 117 | |||
| 17. Normative References . . . . . . . . . . . . . . . . . . . . 116 | 17. Normative References . . . . . . . . . . . . . . . . . . . . 118 | |||
| Appendix A. Change History . . . . . . . . . . . . . . . . . . . 117 | Appendix A. Change History . . . . . . . . . . . . . . . . . . . 119 | |||
| A.1. Changes between draft-hoffman-pkix-new-asn1-00 and | A.1. Changes between draft-hoffman-pkix-new-asn1-00 and | |||
| draft-ietf-pkix-new-asn1-00 . . . . . . . . . . . . . . . 117 | draft-ietf-pkix-new-asn1-00 . . . . . . . . . . . . . . . 119 | |||
| A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01 . . . 118 | A.2. Changes between draft-ietf-pkix-new-asn1-00 and -01 . . . 120 | |||
| A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02 . . . 118 | A.3. Changes between draft-ietf-pkix-new-asn1-01 and -02 . . . 120 | |||
| A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 . . . 118 | A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 . . . 120 | |||
| A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04 . . . 118 | A.5. Changes between draft-ietf-pkix-new-asn1-03 and -04 . . . 120 | |||
| A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05 . . . 119 | A.6. Changes between draft-ietf-pkix-new-asn1-04 and -05 . . . 121 | |||
| A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06 . . . 119 | A.7. Changes between draft-ietf-pkix-new-asn1-05 and -06 . . . 121 | |||
| A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 119 | A.8. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 121 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 120 | A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07 . . . 122 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 122 | ||||
| 1. Introduction | 1. Introduction | |||
| Some developers would like the IETF to use the latest version of | Some developers would like the IETF to use the latest version of | |||
| ASN.1 in its standards. Most of the RFCs that relate to security | ASN.1 in its standards. Most of the RFCs that relate to security | |||
| protocols still use ASN.1 from the 1988 standard, which has been | protocols still use ASN.1 from the 1988 standard, which has been | |||
| deprecated. This is particularly true for the standards that relate | deprecated. This is particularly true for the standards that relate | |||
| to PKIX, CMS, and S/MIME. | to PKIX, CMS, and S/MIME. | |||
| This document updates the following RFCs to use ASN.1 modules that | This document updates the following RFCs to use ASN.1 modules that | |||
| conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all | conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all | |||
| the modules are updated; some are included to simply make the set | the modules are updated; some are included to simply make the set | |||
| complete. | complete. | |||
| o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560] | o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560] | |||
| o RFC 2986, PKCS #10 certificate request [RFC2986] | o RFC 2986, PKCS #10 certificate request [RFC2986] | |||
| o RFC 3279, PKIX algorithms and identifier [RFC3279] | o RFC 3279, PKIX algorithms and identifier [RFC3279] | |||
| o RFC 3281, PKIX attribute certificates, version 2 [RFC3281] | ||||
| o RFC 3852, contains PKIX attribute certificates, version 1 | o RFC 3852, contains PKIX attribute certificates, version 1 | |||
| [RFC3852] | [RFC3852] | |||
| o RFC 4055, Additional Algorithms and Identifiers for RSA | o RFC 4055, Additional Algorithms and Identifiers for RSA | |||
| Cryptography [RFC4055] | Cryptography [RFC4055] | |||
| o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210] | o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210] | |||
| o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211] | o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211] | |||
| o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol) | o RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol) | |||
| [RFC5055] | [RFC5055] | |||
| o RFC 5272, Certificate Management over CMS (CMC) [RFC5272] | o RFC 5272, Certificate Management over CMS (CMC) [RFC5272] | |||
| o RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the | o RFC 5280, PKIX certificate and CRL profile [RFC5280] (both the | |||
| implicit and explicit modules) | implicit and explicit modules) | |||
| o RFC 5755, PKIX attribute certificates, version 2 [RFC5755] | ||||
| Note that some of the modules in this document get some of their | Note that some of the modules in this document get some of their | |||
| definitions from places different than the modules in the original | definitions from places different than the modules in the original | |||
| RFCs. The idea is that these modules, when combined with the modules | RFCs. The idea is that these modules, when combined with the modules | |||
| in [NEW-CMS-SMIME] can stand on their own and do not need to import | in [NEW-CMS-SMIME] can stand on their own and do not need to import | |||
| definitions from anywhere else. | definitions from anywhere else. Also note that the ASN.1 modules in | |||
| this document have references in their text comments that need to be | ||||
| looked up in original RFCs, and that some of those references may | ||||
| have already been superseded by later RFCs. | ||||
| The document also includes a module of common definitions called | The document also includes a module of common definitions called | |||
| "PKIX-CommonTypes". These definitions are used here and in | "PKIX-CommonTypes". These definitions are used here and in | |||
| [NEW-CMS-SMIME]. | [NEW-CMS-SMIME]. | |||
| The document also includes a module of common defintions called | The document also includes a module of common definitions called | |||
| "AlgorithmInformation". These definitions are used here and in | "AlgorithmInformation". These definitions are used here and in | |||
| [NEW-CMS-SMIME]. | [NEW-CMS-SMIME]. | |||
| 1.1. Design Notes | 1.1. Design Notes | |||
| The modules in this document use the object model available in the | The modules in this document use the object model available in the | |||
| 2002 ASN.1 documents to a great extent. Objects for each of the | 2002 ASN.1 documents to a great extent. Objects for each of the | |||
| different algorithm types are defined. Also, all of the places where | different algorithm types are defined. Also, all of the places where | |||
| in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax | in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax | |||
| now have objects. | now have objects. | |||
| skipping to change at page 5, line 12 ¶ | skipping to change at page 6, line 16 ¶ | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- ATTRIBUTE | -- ATTRIBUTE | |||
| -- | -- | |||
| -- Describe the set of data associated with an attribute of some type | -- Describe the set of data associated with an attribute of some type | |||
| -- | -- | |||
| -- &id is an OID identifying the attribute | -- &id is an OID identifying the attribute | |||
| -- &Type is the ASN.1 type structure for the attribute; not all | -- &Type is the ASN.1 type structure for the attribute; not all | |||
| -- attributes have a data struture, so this field is optional | -- attributes have a data structure, so this field is optional | |||
| -- &minCount contains the minimum number of time the attribute can | -- &minCount contains the minimum number of time the attribute can | |||
| -- occur in an AttributeSet | -- occur in an AttributeSet | |||
| -- &maxCount contains the maximum number of times the attribute can | -- &maxCount contains the maximum number of times the attribute can | |||
| -- appear in an AttributeSet | -- appear in an AttributeSet | |||
| -- Note: this cannot be automatically enforced as the field | -- Note: this cannot be automatically enforced as the field | |||
| -- cannot be defaulted to MAX. | -- cannot be defaulted to MAX. | |||
| -- &equality-match contains information about how matching should be | -- &equality-match contains information about how matching should be | |||
| -- done | -- done | |||
| -- | -- | |||
| -- Currently we are using two different prefixes for attributes. | -- Currently we are using two different prefixes for attributes. | |||
| -- | -- | |||
| -- at- for certificiate attributes | -- at- for certificate attributes | |||
| -- aa- for CMS attributes | -- aa- for CMS attributes | |||
| -- | -- | |||
| ATTRIBUTE ::= CLASS { | ATTRIBUTE ::= CLASS { | |||
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, | |||
| &Type OPTIONAL, | &Type OPTIONAL, | |||
| &equality-match MATCHING-RULE OPTIONAL, | &equality-match MATCHING-RULE OPTIONAL, | |||
| &minCount INTEGER DEFAULT 1, | &minCount INTEGER DEFAULT 1, | |||
| &maxCount INTEGER OPTIONAL | &maxCount INTEGER OPTIONAL | |||
| } WITH SYNTAX { | } WITH SYNTAX { | |||
| skipping to change at page 6, line 4 ¶ | skipping to change at page 7, line 8 ¶ | |||
| -- | -- | |||
| MATCHING-RULE ::= CLASS { | MATCHING-RULE ::= CLASS { | |||
| &ParentMatchingRules MATCHING-RULE OPTIONAL, | &ParentMatchingRules MATCHING-RULE OPTIONAL, | |||
| &AssertionType OPTIONAL, | &AssertionType OPTIONAL, | |||
| &uniqueMatchIndicator ATTRIBUTE OPTIONAL, | &uniqueMatchIndicator ATTRIBUTE OPTIONAL, | |||
| &id OBJECT IDENTIFIER UNIQUE | &id OBJECT IDENTIFIER UNIQUE | |||
| } | } | |||
| WITH SYNTAX { | WITH SYNTAX { | |||
| [PARENT &ParentMatchingRules] | [PARENT &ParentMatchingRules] | |||
| [SYNTAX &AssertionType] | [SYNTAX &AssertionType] | |||
| [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator] | [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator] | |||
| ID &id | ID &id | |||
| } | } | |||
| -- AttributeSet | -- AttributeSet | |||
| -- | -- | |||
| -- Used when a set of attributes is to occur. | -- Used when a set of attributes is to occur. | |||
| -- | -- | |||
| -- type contains the identifier of the attribute | -- type contains the identifier of the attribute | |||
| -- values conains a set of values where the structure of the ASN.1 | -- values contains a set of values where the structure of the ASN.1 | |||
| -- is defined by the attribute | -- is defined by the attribute | |||
| -- | -- | |||
| -- The parameter contains the set of objects describing | -- The parameter contains the set of objects describing | |||
| -- those attributes than can occur in this location. | -- those attributes than can occur in this location. | |||
| -- | -- | |||
| AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE { | AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE { | |||
| type ATTRIBUTE.&id({AttrSet}), | type ATTRIBUTE.&id({AttrSet}), | |||
| values SET SIZE (1..MAX) OF ATTRIBUTE. | values SET SIZE (1..MAX) OF ATTRIBUTE. | |||
| &Type({AttrSet}{@type}) | &Type({AttrSet}{@type}) | |||
| } | } | |||
| -- SingleAttribute | -- SingleAttribute | |||
| -- | -- | |||
| -- Used for a single valued attribute | -- Used for a single valued attribute | |||
| -- | -- | |||
| -- The parameter contains the set of objects describing the | -- The parameter contains the set of objects describing the | |||
| -- attibutes that can occur in this location | -- attributes that can occur in this location | |||
| -- | -- | |||
| SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE { | SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE { | |||
| type ATTRIBUTE.&id({AttrSet}), | type ATTRIBUTE.&id({AttrSet}), | |||
| value ATTRIBUTE.&Type({AttrSet}{@type}) | value ATTRIBUTE.&Type({AttrSet}{@type}) | |||
| } | } | |||
| -- EXTENSION | -- EXTENSION | |||
| -- | -- | |||
| -- This class definition is used to describe the association of | -- This class definition is used to describe the association of | |||
| -- object identifier and ASN.1 type structure for extensions | -- object identifier and ASN.1 type structure for extensions | |||
| -- | -- | |||
| -- All extensions are prefixed with ext- | -- All extensions are prefixed with ext- | |||
| -- | -- | |||
| -- &id conains the object identifier for the extension | -- &id contains the object identifier for the extension | |||
| -- &ExtenType specifies the ASN.1 type structure for the extension | -- &ExtenType specifies the ASN.1 type structure for the extension | |||
| -- &Critical contains the set of legal values for the critical field. | -- &Critical contains the set of legal values for the critical field. | |||
| -- This is normally {TRUE|FALSE} but in some instances may be | -- This is normally {TRUE|FALSE} but in some instances may be | |||
| -- restricted just one of these values. | -- restricted just one of these values. | |||
| -- | -- | |||
| EXTENSION ::= CLASS { | EXTENSION ::= CLASS { | |||
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, | |||
| &ExtnType, | &ExtnType, | |||
| &Critical BOOLEAN DEFAULT {TRUE | FALSE } | &Critical BOOLEAN DEFAULT {TRUE | FALSE } | |||
| } WITH SYNTAX { | } WITH SYNTAX { | |||
| SYNTAX &ExtnType IDENTIFIED BY &id | SYNTAX &ExtnType IDENTIFIED BY &id | |||
| skipping to change at page 7, line 36 ¶ | skipping to change at page 8, line 39 ¶ | |||
| Extensions{EXTENSION:ExtensionSet} ::= | Extensions{EXTENSION:ExtensionSet} ::= | |||
| SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}} | SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}} | |||
| -- Extension | -- Extension | |||
| -- | -- | |||
| -- Used for a single extension | -- Used for a single extension | |||
| -- | -- | |||
| -- The parameter contains the set of legal extensions that can | -- The parameter contains the set of legal extensions that can | |||
| -- occur this extension. | -- occur this extension. | |||
| -- | -- | |||
| -- The restriction on the critial field has been commented out | -- The restriction on the critical field has been commented out | |||
| -- the authors are not completely sure it is correct. | -- the authors are not completely sure it is correct. | |||
| -- The restriction could be done using custom code rather than | -- The restriction could be done using custom code rather than | |||
| -- compiler-generated code. however. | -- compiler-generated code. however. | |||
| -- | -- | |||
| Extension{EXTENSION:ExtensionSet} ::= SEQUENCE { | Extension{EXTENSION:ExtensionSet} ::= SEQUENCE { | |||
| extnID EXTENSION.&id({ExtensionSet}), | extnID EXTENSION.&id({ExtensionSet}), | |||
| critical BOOLEAN | critical BOOLEAN | |||
| -- (EXTENSION.&Critical({ExtensionSet}{@extnID})) | -- (EXTENSION.&Critical({ExtensionSet}{@extnID})) | |||
| DEFAULT FALSE, | DEFAULT FALSE, | |||
| extnValue OCTET STRING (CONTAINING | extnValue OCTET STRING (CONTAINING | |||
| EXTENSION.&ExtnType({ExtensionSet}{@extnID})) | EXTENSION.&ExtnType({ExtensionSet}{@extnID})) | |||
| -- contains the DER encding of the ASN.1 value | -- contains the DER encoding of the ASN.1 value | |||
| -- corresponding to the extension type identified | -- corresponding to the extension type identified | |||
| -- by extnID | -- by extnID | |||
| } | } | |||
| -- Security Category | -- Security Category | |||
| -- | -- | |||
| -- Security categories are used both for specifing clearances and for | -- Security categories are used both for specifying clearances and | |||
| -- labeling objects. We move this here from RFC 3281 so that they | -- for labeling objects. We move this here from RFC 3281 so that | |||
| -- will use a common single object class to express this information. | -- they will use a common single object class to express this | |||
| -- information. | ||||
| -- | -- | |||
| SECURITY-CATEGORY ::= TYPE-IDENTIFIER | SECURITY-CATEGORY ::= TYPE-IDENTIFIER | |||
| SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE { | SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE { | |||
| type [0] IMPLICIT SECURITY-CATEGORY. | type [0] IMPLICIT SECURITY-CATEGORY. | |||
| &id({Supported}), | &id({Supported}), | |||
| value [1] EXPLICIT SECURITY-CATEGORY. | value [1] EXPLICIT SECURITY-CATEGORY. | |||
| &Type({Supported}{@type}) | &Type({Supported}{@type}) | |||
| } | } | |||
| skipping to change at page 9, line 29 ¶ | skipping to change at page 10, line 35 ¶ | |||
| ... | ... | |||
| } | } | |||
| -- DIGEST-ALGORITHM | -- DIGEST-ALGORITHM | |||
| -- | -- | |||
| -- Describes the basic information for ASN.1 and a digest | -- Describes the basic information for ASN.1 and a digest | |||
| -- algorithm. | -- algorithm. | |||
| -- | -- | |||
| -- &id - contains the OID identifying the digest algorithm | -- &id - contains the OID identifying the digest algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- | -- | |||
| -- Additional information such as the length of the hash could also | -- Additional information such as the length of the hash could also | |||
| -- be encoded. | -- be encoded. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- sha1 DIGEST-ALGORITHM ::= { | -- sha1 DIGEST-ALGORITHM ::= { | |||
| -- IDENTIFIER id-sha1 | -- IDENTIFIER id-sha1 | |||
| -- PARAMS TYPE NULL ARE preferredAbsent | -- PARAMS TYPE NULL ARE preferredAbsent | |||
| -- } | -- } | |||
| skipping to change at page 9, line 47 ¶ | skipping to change at page 11, line 4 ¶ | |||
| -- IDENTIFIER id-sha1 | -- IDENTIFIER id-sha1 | |||
| -- PARAMS TYPE NULL ARE preferredAbsent | -- PARAMS TYPE NULL ARE preferredAbsent | |||
| -- } | -- } | |||
| DIGEST-ALGORITHM ::= CLASS { | DIGEST-ALGORITHM ::= CLASS { | |||
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, | |||
| &Params OPTIONAL, | &Params OPTIONAL, | |||
| ¶mPresence ParamOptions DEFAULT absent | ¶mPresence ParamOptions DEFAULT absent | |||
| } WITH SYNTAX { | } WITH SYNTAX { | |||
| IDENTIFIER &id | IDENTIFIER &id | |||
| [PARAMS [TYPE &Params] [ARE ¶mPresence] ] | [PARAMS [TYPE &Params] [ARE ¶mPresence] ] | |||
| } | } | |||
| -- SIGNATURE-ALGORITHM | -- SIGNATURE-ALGORITHM | |||
| -- | -- | |||
| -- Describes the basic properties of a signature algorithm | -- Describes the basic properties of a signature algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the signature algorithm | -- &id - contains the OID identifying the signature algorithm | |||
| -- &Value - contains a type defintion for the value structure of | -- &Value - contains a type definition for the value structure of | |||
| -- the signature | -- the signature | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence resquirement | -- ¶mPresence - parameter presence requirement | |||
| -- &HashSet - The set of hash algorithms used with this | -- &HashSet - The set of hash algorithms used with this | |||
| -- signature algorithm | -- signature algorithm | |||
| -- &PublicKeySet - the set of public key algorithms for this | -- &PublicKeySet - the set of public key algorithms for this | |||
| -- signature algorithm | -- signature algorithm | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { | -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { | |||
| -- IDENTIFIER id-RSASSA-PSS | -- IDENTIFIER id-RSASSA-PSS | |||
| skipping to change at page 10, line 51 ¶ | skipping to change at page 12, line 8 ¶ | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- PUBLIC-KEY | -- PUBLIC-KEY | |||
| -- | -- | |||
| -- Describes the basic properties of a public key | -- Describes the basic properties of a public key | |||
| -- | -- | |||
| -- &id - contains the OID identifying the public key | -- &id - contains the OID identifying the public key | |||
| -- &KeyValue - contains the type for the key value | -- &KeyValue - contains the type for the key value | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &keyUsage - contains the set of bits that are legal for this | -- &keyUsage - contains the set of bits that are legal for this | |||
| -- key type. Note that is does not make any statement | -- key type. Note that is does not make any statement | |||
| -- about how bits may be paired. | -- about how bits may be paired. | |||
| -- &PrivateKey - contains a type structure for encoding the private | -- &PrivateKey - contains a type structure for encoding the private | |||
| -- key information. | -- key information. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- pk-rsa-pss PUBLIC-KEY ::= { | -- pk-rsa-pss PUBLIC-KEY ::= { | |||
| -- IDENTIFIER id-RSASSA-PSS | -- IDENTIFIER id-RSASSA-PSS | |||
| skipping to change at page 11, line 40 ¶ | skipping to change at page 12, line 45 ¶ | |||
| [CERT-KEY-USAGE &keyUsage] | [CERT-KEY-USAGE &keyUsage] | |||
| [PRIVATE-KEY &PrivateKey] | [PRIVATE-KEY &PrivateKey] | |||
| } | } | |||
| -- KEY-TRANSPORT | -- KEY-TRANSPORT | |||
| -- | -- | |||
| -- Describes the basic properties of a key transport algorithm | -- Describes the basic properties of a key transport algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the key transport algorithm | -- &id - contains the OID identifying the key transport algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &PublicKeySet - specify which public keys are used with | -- &PublicKeySet - specify which public keys are used with | |||
| -- this algorithm | -- this algorithm | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- rsaTransport KEY-TRANSPORT ::= { | -- rsaTransport KEY-TRANSPORT ::= { | |||
| -- IDENTIFIER &id | -- IDENTIFIER &id | |||
| -- PARAMS TYPE NULL ARE required | -- PARAMS TYPE NULL ARE required | |||
| skipping to change at page 12, line 25 ¶ | skipping to change at page 13, line 30 ¶ | |||
| [PUBLIC-KEYS &PublicKeySet] | [PUBLIC-KEYS &PublicKeySet] | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- KEY-AGREE | -- KEY-AGREE | |||
| -- | -- | |||
| -- Describes the basic properties of a key agreement algorithm | -- Describes the basic properties of a key agreement algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the key agreement algorithm | -- &id - contains the OID identifying the key agreement algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &PublicKeySet - specify which public keys are used with | -- &PublicKeySet - specify which public keys are used with | |||
| -- this algorithm | -- this algorithm | |||
| -- &Ukm - type of user keying material used | -- &Ukm - type of user keying material used | |||
| -- &ukmPresence - specifies the requirements to define the UKM field | -- &ukmPresence - specifies the requirements to define the UKM field | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- dh-static-ephemerial KEY-AGREE ::= { | -- dh-static-ephemerial KEY-AGREE ::= { | |||
| skipping to change at page 13, line 21 ¶ | skipping to change at page 14, line 26 ¶ | |||
| [UKM [TYPE &Ukm] ARE &ukmPresence] | [UKM [TYPE &Ukm] ARE &ukmPresence] | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- KEY-WRAP | -- KEY-WRAP | |||
| -- | -- | |||
| -- Describes the basic properties of a key wrap algorithm | -- Describes the basic properties of a key wrap algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the key wrap algorithm | -- &id - contains the OID identifying the key wrap algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- cms3DESwrap KEY-WRAP ::= { | -- cms3DESwrap KEY-WRAP ::= { | |||
| -- IDENTIFIER id-alg-CMS3DESwrap | -- IDENTIFIER id-alg-CMS3DESwrap | |||
| -- PARAMS TYPE NULL ARE required | -- PARAMS TYPE NULL ARE required | |||
| -- } | -- } | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at page 15, line 6 ¶ | |||
| [PARAMS [TYPE &Params] ARE ¶mPresence] | [PARAMS [TYPE &Params] ARE ¶mPresence] | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- KEY-DERIVATION | -- KEY-DERIVATION | |||
| -- | -- | |||
| -- Describes the basic properties of a key derivation algorithm | -- Describes the basic properties of a key derivation algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the key derivation algorithm | -- &id - contains the OID identifying the key derivation algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Could add information about defaults for the derivation algorithm | -- Could add information about defaults for the derivation algorithm | |||
| -- such as PRFs | -- such as PRFs | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- pbkdf2 KEY-DERIVATION ::= { | -- pbkdf2 KEY-DERIVATION ::= { | |||
| -- IDENTIFIER id-PBKDF2 | -- IDENTIFIER id-PBKDF2 | |||
| skipping to change at page 14, line 32 ¶ | skipping to change at page 15, line 37 ¶ | |||
| [PARAMS [TYPE &Params] ARE ¶mPresence] | [PARAMS [TYPE &Params] ARE ¶mPresence] | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- MAC-ALGORITHM | -- MAC-ALGORITHM | |||
| -- | -- | |||
| -- Describes the basic properties of a MAC algorithm | -- Describes the basic properties of a MAC algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the MAC algorithm | -- &id - contains the OID identifying the MAC algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &keyed - MAC algorithm is a keyed MAC algorithm | -- &keyed - MAC algorithm is a keyed MAC algorithm | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- It would make sense to also add minimum and maximum MAC lengths | -- It would make sense to also add minimum and maximum MAC lengths | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- maca-hmac-sha1 MAC-ALGORITHM ::= { | -- maca-hmac-sha1 MAC-ALGORITHM ::= { | |||
| -- IDENTIFIER hMAC-SHA1 | -- IDENTIFIER hMAC-SHA1 | |||
| skipping to change at page 15, line 21 ¶ | skipping to change at page 16, line 25 ¶ | |||
| } | } | |||
| -- CONTENT-ENCRYPTION | -- CONTENT-ENCRYPTION | |||
| -- | -- | |||
| -- Describes the basic properties of a content encryption | -- Describes the basic properties of a content encryption | |||
| -- algorithm | -- algorithm | |||
| -- | -- | |||
| -- &id - contains the OID identifying the content | -- &id - contains the OID identifying the content | |||
| -- encryption algorithm | -- encryption algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- Example: | -- Example: | |||
| -- cea-3DES-cbc CONTENT-ENCRYPTION ::= { | -- cea-3DES-cbc CONTENT-ENCRYPTION ::= { | |||
| -- IDENTIFIER des-ede3-cbc | -- IDENTIFIER des-ede3-cbc | |||
| -- PARAMS TYPE IV ARE required | -- PARAMS TYPE IV ARE required | |||
| -- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } | -- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } | |||
| -- } | -- } | |||
| skipping to change at page 15, line 50 ¶ | skipping to change at page 17, line 6 ¶ | |||
| [PARAMS [TYPE &Params] ARE ¶mPresence] | [PARAMS [TYPE &Params] ARE ¶mPresence] | |||
| [SMIME-CAPS &smimeCaps] | [SMIME-CAPS &smimeCaps] | |||
| } | } | |||
| -- ALGORITHM | -- ALGORITHM | |||
| -- | -- | |||
| -- Describes a generic algorithm identifier | -- Describes a generic algorithm identifier | |||
| -- | -- | |||
| -- &id - contains the OID identifying the algorithm | -- &id - contains the OID identifying the algorithm | |||
| -- &Params - contains the type for the algorithm parameters, | -- &Params - contains the type for the algorithm parameters, | |||
| -- if present; absent implies no paramters | -- if present; absent implies no parameters | |||
| -- ¶mPresence - parameter presence requirement | -- ¶mPresence - parameter presence requirement | |||
| -- &smimeCaps - contains the object describing how the S/MIME | -- &smimeCaps - contains the object describing how the S/MIME | |||
| -- capabilities are presented. | -- capabilities are presented. | |||
| -- | -- | |||
| -- This would be used for cases where an unknown algorithm is | -- This would be used for cases where an unknown algorithm is | |||
| -- used. One should consider using TYPE-IDENTIFIER in these cases. | -- used. One should consider using TYPE-IDENTIFIER in these cases. | |||
| ALGORITHM ::= CLASS { | ALGORITHM ::= CLASS { | |||
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, | |||
| &Params OPTIONAL, | &Params OPTIONAL, | |||
| skipping to change at page 23, line 26 ¶ | skipping to change at page 24, line 30 ¶ | |||
| signature BIT STRING | signature BIT STRING | |||
| } | } | |||
| SignatureAlgorithms SIGNATURE-ALGORITHM ::= { | SignatureAlgorithms SIGNATURE-ALGORITHM ::= { | |||
| ... -- add any locally defined algorithms here -- } | ... -- add any locally defined algorithms here -- } | |||
| END | END | |||
| 6. ASN.1 Module for RFC 3279 | 6. ASN.1 Module for RFC 3279 | |||
| Note that this module also contains information from RFC-to-be 5480. | Note that this module also contains information from [RFC5480]RFC | |||
| 5480. | ||||
| PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-algorithms2008-02(56) } | id-mod-pkix1-algorithms2008-02(56) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| -- FROM [PKI-ASN] | -- FROM [PKI-ASN] | |||
| skipping to change at page 24, line 45 ¶ | skipping to change at page 25, line 50 ¶ | |||
| sa-ecdsaWithSHA384 | | sa-ecdsaWithSHA384 | | |||
| sa-ecdsaWithSHA512 | sa-ecdsaWithSHA512 | |||
| } | } | |||
| -- | -- | |||
| -- S/MIME CAPS for algorithms in this document | -- S/MIME CAPS for algorithms in this document | |||
| -- | -- | |||
| -- For all of the algorithms laid out in this document, the | -- For all of the algorithms laid out in this document, the | |||
| -- parameters for the S/MIME capabilities is defined as ABSENT | -- parameters for the S/MIME capabilities is defined as ABSENT | |||
| -- as there are no specific values that need to be known by the | -- as there are no specific values that need to be known by the | |||
| -- reciever for negotiation. | -- receiver for negotiation. | |||
| -- | -- | |||
| SMimeCaps SMIME-CAPS ::= { | SMimeCaps SMIME-CAPS ::= { | |||
| sa-rsaWithMD2.&smimeCaps | | sa-rsaWithMD2.&smimeCaps | | |||
| sa-rsaWithMD5.&smimeCaps | | sa-rsaWithMD5.&smimeCaps | | |||
| sa-rsaWithSHA1.&smimeCaps | | sa-rsaWithSHA1.&smimeCaps | | |||
| sa-dsaWithSHA1.&smimeCaps | | sa-dsaWithSHA1.&smimeCaps | | |||
| sa-dsaWithSHA224.&smimeCaps | | sa-dsaWithSHA224.&smimeCaps | | |||
| sa-dsaWithSHA256.&smimeCaps | | sa-dsaWithSHA256.&smimeCaps | | |||
| sa-ecdsaWithSHA1.&smimeCaps | | sa-ecdsaWithSHA1.&smimeCaps | | |||
| skipping to change at page 25, line 38 ¶ | skipping to change at page 26, line 46 ¶ | |||
| RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
| modulus INTEGER, -- n | modulus INTEGER, -- n | |||
| publicExponent INTEGER -- e | publicExponent INTEGER -- e | |||
| } | } | |||
| -- DSA PK Algorithm, Parameters, and Keys | -- DSA PK Algorithm, Parameters, and Keys | |||
| pk-dsa PUBLIC-KEY ::= { | pk-dsa PUBLIC-KEY ::= { | |||
| IDENTIFIER id-dsa | IDENTIFIER id-dsa | |||
| KEY DSAPublicKey | KEY DSAPublicKey | |||
| PARAMS TYPE DSA-Parms ARE inheritable | PARAMS TYPE DSA-Params ARE inheritable | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, | CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, | |||
| cRLSign } | cRLSign } | |||
| } | } | |||
| id-dsa OBJECT IDENTIFIER ::= { | id-dsa OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } | iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } | |||
| DSA-Parms ::= SEQUENCE { | DSA-Params ::= SEQUENCE { | |||
| p INTEGER, | p INTEGER, | |||
| q INTEGER, | q INTEGER, | |||
| g INTEGER | g INTEGER | |||
| } | } | |||
| DSAPublicKey ::= INTEGER -- public key, y | DSAPublicKey ::= INTEGER -- public key, y | |||
| -- Diffie-Hellman PK Algorithm, Parameters, and Keys | -- Diffie-Hellman PK Algorithm, Parameters, and Keys | |||
| pk-dh PUBLIC-KEY ::= { | pk-dh PUBLIC-KEY ::= { | |||
| IDENTIFIER dhpublicnumber | IDENTIFIER dhpublicnumber | |||
| KEY DHPublicKey | KEY DHPublicKey | |||
| PARAMS TYPE DomainParameters ARE inheritable | PARAMS TYPE DomainParameters ARE inheritable | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } | CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } | |||
| skipping to change at page 26, line 25 ¶ | skipping to change at page 27, line 33 ¶ | |||
| dhpublicnumber OBJECT IDENTIFIER ::= { | dhpublicnumber OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) ansi-x942(10046) | iso(1) member-body(2) us(840) ansi-x942(10046) | |||
| number-type(2) 1 } | number-type(2) 1 } | |||
| DomainParameters ::= SEQUENCE { | DomainParameters ::= SEQUENCE { | |||
| p INTEGER, -- odd prime, p=jq +1 | p INTEGER, -- odd prime, p=jq +1 | |||
| g INTEGER, -- generator, g | g INTEGER, -- generator, g | |||
| q INTEGER, -- factor of p-1 | q INTEGER, -- factor of p-1 | |||
| j INTEGER OPTIONAL, -- subgroup factor, j>= 2 | j INTEGER OPTIONAL, -- subgroup factor, j>= 2 | |||
| validationParms ValidationParms OPTIONAL | validationParams ValidationParams OPTIONAL | |||
| } | } | |||
| ValidationParms ::= SEQUENCE { | ValidationParams ::= SEQUENCE { | |||
| seed BIT STRING, | seed BIT STRING, | |||
| pgenCounter INTEGER | pgenCounter INTEGER | |||
| } | } | |||
| DHPublicKey ::= INTEGER -- public key, y = g^x mod p | DHPublicKey ::= INTEGER -- public key, y = g^x mod p | |||
| -- KEA PK Algorithm and Parameters | -- KEA PK Algorithm and Parameters | |||
| pk-kea PUBLIC-KEY ::= { | pk-kea PUBLIC-KEY ::= { | |||
| IDENTIFIER id-keyExchangeAlgorithm | IDENTIFIER id-keyExchangeAlgorithm | |||
| -- key is not encoded -- | -- key is not encoded -- | |||
| PARAMS TYPE KEA-Parms-Id ARE required | PARAMS TYPE KEA-Params-Id ARE required | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } | CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly } | |||
| } | } | |||
| id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { | id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= { | |||
| joint-iso-itu-t(2) country(16) us(840) organization(1) | joint-iso-itu-t(2) country(16) us(840) organization(1) | |||
| gov(101) dod(2) infosec(1) algorithms(1) 22 } | gov(101) dod(2) infosec(1) algorithms(1) 22 } | |||
| KEA-Parms-Id ::= OCTET STRING | KEA-Params-Id ::= OCTET STRING | |||
| -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms | -- Elliptic Curve (EC) Signatures: Unrestricted Algorithms | |||
| -- (Section 2.1.1 of RFC 5480) | -- (Section 2.1.1 of RFC 5480) | |||
| -- | -- | |||
| -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA | -- EC Unrestricted Algorithm ID -- -- this is used for ECDSA | |||
| pk-ec PUBLIC-KEY ::= { | pk-ec PUBLIC-KEY ::= { | |||
| IDENTIFIER id-ecPublicKey | IDENTIFIER id-ecPublicKey | |||
| KEY ECPoint | KEY ECPoint | |||
| PARAMS TYPE ECParameters ARE required | PARAMS TYPE ECParameters ARE required | |||
| skipping to change at page 28, line 8 ¶ | skipping to change at page 29, line 15 ¶ | |||
| CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } | CERT-KEY-USAGE { keyAgreement, encipherOnly, decipherOnly } | |||
| } | } | |||
| id-ecMQV OBJECT IDENTIFIER ::= { | id-ecMQV OBJECT IDENTIFIER ::= { | |||
| iso(1) identified-organization(3) certicom(132) schemes(1) | iso(1) identified-organization(3) certicom(132) schemes(1) | |||
| ecmqv(13) } | ecmqv(13) } | |||
| -- Parameters and Keys for both Restricted and Unrestricted EC | -- Parameters and Keys for both Restricted and Unrestricted EC | |||
| ECParameters ::= CHOICE { | ECParameters ::= CHOICE { | |||
| namedCurve CURVE.&id({NamedCurve}) --, | namedCurve CURVE.&id({NamedCurve}) | |||
| -- implicitCurve NULL | -- implicitCurve NULL | |||
| -- implicitCurve MUST NOT be used in PKIX | -- implicitCurve MUST NOT be used in PKIX | |||
| -- specifiedCurve SpecifiedCurve | -- specifiedCurve SpecifiedCurve | |||
| -- specifiedCurve MUST NOT be used in PKIX | -- specifiedCurve MUST NOT be used in PKIX | |||
| -- Details for specifiedCurve can be found in [X9.62] | -- Details for specifiedCurve can be found in [X9.62] | |||
| -- Any future additions to this CHOICE should be coordinated | -- Any future additions to this CHOICE should be coordinated | |||
| -- with ANSI X.9. | -- with ANSI X.9. | |||
| } | } | |||
| -- If you need to be able to decode ANSI X.9 parameter structures, | -- If you need to be able to decode ANSI X.9 parameter structures, | |||
| -- uncomment the implicitCurve and specificCurve above, and also | -- uncomment the implicitCurve and specificCurve above, and also | |||
| skipping to change at page 34, line 30 ¶ | skipping to change at page 35, line 39 ¶ | |||
| IDENTIFIER id-sha1 | IDENTIFIER id-sha1 | |||
| PARAMS TYPE NULL ARE preferredAbsent | PARAMS TYPE NULL ARE preferredAbsent | |||
| } | } | |||
| id-sha1 OBJECT IDENTIFIER ::= { | id-sha1 OBJECT IDENTIFIER ::= { | |||
| iso(1) identified-organization(3) oiw(14) secsig(3) | iso(1) identified-organization(3) oiw(14) secsig(3) | |||
| algorithm(2) 26 } | algorithm(2) 26 } | |||
| END | END | |||
| 7. ASN.1 Module for RFC 3281 | 7. ASN.1 Module for RFC 3852 (Attribute Certificate v1) | |||
| PKIXAttributeCertificate-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} | ||||
| DEFINITIONS IMPLICIT TAGS ::= | ||||
| BEGIN | ||||
| IMPORTS | ||||
| AttributeSet{}, Extensions{}, SecurityCategory{}, | ||||
| EXTENSION, ATTRIBUTE, SECURITY-CATEGORY | ||||
| FROM PKIX-CommonTypes-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } | ||||
| AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM | ||||
| FROM AlgorithmInformation-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-algorithmInformation-02(58)} | ||||
| CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, | ||||
| id-ad, id-at, SIGNED{}, SignatureAlgorithms | ||||
| FROM PKIX1Explicit-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} | ||||
| GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, | ||||
| ext-AuthorityInfoAccess, ext-CRLDistributionPoints | ||||
| FROM PKIX1Implicit-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}; | ||||
| -- Define the set of extensions that can appear. | ||||
| -- Some of these are imported from PKIX Cert | ||||
| AttributeCertExtensions EXTENSION ::= { | ||||
| ext-auditIdentity | ext-targetInformation | | ||||
| ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | | ||||
| ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | | ||||
| ext-aaControls, ... } | ||||
| ext-auditIdentity EXTENSION ::= { SYNTAX | ||||
| OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} | ||||
| ext-targetInformation EXTENSION ::= { SYNTAX | ||||
| Targets IDENTIFIED BY id-ce-targetInformation } | ||||
| ext-noRevAvail EXTENSION ::= { SYNTAX | ||||
| NULL IDENTIFIED BY id-ce-noRevAvail} | ||||
| ext-ac-proxying EXTENSION ::= { SYNTAX | ||||
| ProxyInfo IDENTIFIED BY id-pe-ac-proxying} | ||||
| ext-aaControls EXTENSION ::= { SYNTAX | ||||
| AAControls IDENTIFIED BY id-pe-aaControls} | ||||
| -- Define the set of attributes used here | ||||
| AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | | ||||
| at-accesIdentity | at-chargingIdentity | at-group | | ||||
| at-role | at-clearance | at-encAttrs, ...} | ||||
| at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo | ||||
| IDENTIFIED BY id-aca-authenticationInfo} | ||||
| at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo | ||||
| IDENTIFIED BY id-aca-accessIdentity} | ||||
| at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax | ||||
| IDENTIFIED BY id-aca-chargingIdentity} | ||||
| at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax | ||||
| IDENTIFIED BY id-aca-group} | ||||
| at-role ATTRIBUTE ::= { TYPE RoleSyntax | ||||
| IDENTIFIED BY id-at-role} | ||||
| at-clearance ATTRIBUTE ::= { TYPE Clearance | ||||
| IDENTIFIED BY id-at-clearance} | ||||
| at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo | ||||
| IDENTIFIED BY id-aca-encAttrs} | ||||
| -- | ||||
| -- OIDs used by Attribute Certificate Extensions | ||||
| -- | ||||
| id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } | ||||
| id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } | ||||
| id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } | ||||
| id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } | ||||
| id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } | ||||
| -- | ||||
| -- OIDs used by Attribute Certficate Attributes | ||||
| -- | ||||
| id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } | ||||
| id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } | ||||
| id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } | ||||
| id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } | ||||
| id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } | ||||
| -- { id-aca 5 } is reserved | ||||
| id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } | ||||
| id-at-role OBJECT IDENTIFIER ::= { id-at 72} | ||||
| id-at-clearance OBJECT IDENTIFIER ::= | ||||
| { joint-iso-ccitt(2) ds(5) module(1) | ||||
| selected-attribute-types(5) clearance (55) } | ||||
| -- | ||||
| -- The syntax of an Attribute Certificate | ||||
| -- | ||||
| AttributeCertificate ::= SIGNED{AttributeCertificateInfo} | ||||
| AttributeCertificateInfo ::= SEQUENCE { | ||||
| version AttCertVersion, -- version is v2, | ||||
| holder Holder, | ||||
| issuer AttCertIssuer, | ||||
| signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, | ||||
| {SignatureAlgorithms}}, | ||||
| serialNumber CertificateSerialNumber, | ||||
| attrCertValidityPeriod AttCertValidityPeriod, | ||||
| attributes SEQUENCE SIZE (1..MAX) OF | ||||
| AttributeSet{{AttributesDefined}}, | ||||
| issuerUniqueID UniqueIdentifier OPTIONAL, | ||||
| extensions Extensions{{AttributeCertExtensions}} OPTIONAL | ||||
| } | ||||
| AttCertVersion ::= INTEGER { v2(1) } | ||||
| Holder ::= SEQUENCE { | ||||
| baseCertificateID [0] IssuerSerial OPTIONAL, | ||||
| -- the issuer and serial number of | ||||
| -- the holder's Public Key Certificate | ||||
| entityName [1] GeneralNames OPTIONAL, | ||||
| -- the name of the claimant or role | ||||
| objectDigestInfo [2] ObjectDigestInfo OPTIONAL | ||||
| -- used to directly authenticate the | ||||
| -- holder, for example, an executable | ||||
| } | ||||
| ObjectDigestInfo ::= SEQUENCE { | ||||
| digestedObjectType ENUMERATED { | ||||
| publicKey (0), | ||||
| publicKeyCert (1), | ||||
| otherObjectTypes (2) }, | ||||
| -- otherObjectTypes MUST NOT be used in | ||||
| -- this profile | ||||
| otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, | ||||
| digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, | ||||
| objectDigest BIT STRING | ||||
| } | ||||
| AttCertIssuer ::= CHOICE { | ||||
| v1Form GeneralNames, -- MUST NOT be used in this | ||||
| -- profile | ||||
| v2Form [0] V2Form -- v2 only | ||||
| } | ||||
| V2Form ::= SEQUENCE { | ||||
| issuerName GeneralNames OPTIONAL, | ||||
| baseCertificateID [0] IssuerSerial OPTIONAL, | ||||
| objectDigestInfo [1] ObjectDigestInfo OPTIONAL | ||||
| -- issuerName MUST be present in this profile | ||||
| -- baseCertificateID and objectDigestInfo MUST | ||||
| -- NOT be present in this profile | ||||
| } | ||||
| IssuerSerial ::= SEQUENCE { | ||||
| issuer GeneralNames, | ||||
| serial CertificateSerialNumber, | ||||
| issuerUID UniqueIdentifier OPTIONAL | ||||
| } | ||||
| AttCertValidityPeriod ::= SEQUENCE { | ||||
| notBeforeTime GeneralizedTime, | ||||
| notAfterTime GeneralizedTime | ||||
| } | ||||
| -- | ||||
| -- Syntax used by Attribute Certificte Extensions | ||||
| -- | ||||
| Targets ::= SEQUENCE OF Target | ||||
| Target ::= CHOICE { | ||||
| targetName [0] GeneralName, | ||||
| targetGroup [1] GeneralName, | ||||
| targetCert [2] TargetCert | ||||
| } | ||||
| TargetCert ::= SEQUENCE { | ||||
| targetCertificate IssuerSerial, | ||||
| targetName GeneralName OPTIONAL, | ||||
| certDigestInfo ObjectDigestInfo OPTIONAL | ||||
| } | ||||
| AAControls ::= SEQUENCE { | ||||
| pathLenConstraint INTEGER (0..MAX) OPTIONAL, | ||||
| permittedAttrs [0] AttrSpec OPTIONAL, | ||||
| excludedAttrs [1] AttrSpec OPTIONAL, | ||||
| permitUnSpecified BOOLEAN DEFAULT TRUE | ||||
| } | ||||
| AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER | ||||
| ProxyInfo ::= SEQUENCE OF Targets | ||||
| -- | ||||
| -- Syntax used by Attribute Certificate Attributes | ||||
| -- | ||||
| IetfAttrSyntax ::= SEQUENCE { | ||||
| policyAuthority[0] GeneralNames OPTIONAL, | ||||
| values SEQUENCE OF CHOICE { | ||||
| octets OCTET STRING, | ||||
| oid OBJECT IDENTIFIER, | ||||
| string UTF8String | ||||
| } | ||||
| } | ||||
| SvceAuthInfo ::= SEQUENCE { | ||||
| service GeneralName, | ||||
| ident GeneralName, | ||||
| authInfo OCTET STRING OPTIONAL | ||||
| } | ||||
| RoleSyntax ::= SEQUENCE { | ||||
| roleAuthority [0] GeneralNames OPTIONAL, | ||||
| roleName [1] GeneralName | ||||
| } | ||||
| Clearance ::= SEQUENCE { | ||||
| policyId OBJECT IDENTIFIER, | ||||
| classList ClassList DEFAULT {unclassified}, | ||||
| securityCategories SET OF SecurityCategory | ||||
| {{SupportedSecurityCategories}} OPTIONAL | ||||
| } | ||||
| ClassList ::= BIT STRING { | ||||
| unmarked (0), | ||||
| unclassified (1), | ||||
| restricted (2), | ||||
| confidential (3), | ||||
| secret (4), | ||||
| topSecret (5) | ||||
| } | ||||
| SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } | ||||
| ACClearAttrs ::= SEQUENCE { | ||||
| acIssuer GeneralName, | ||||
| acSerial INTEGER, | ||||
| attrs SEQUENCE OF AttributeSet{{AttributesDefined}} | ||||
| } | ||||
| ContentInfo ::= INTEGER | ||||
| END | ||||
| 8. ASN.1 Module for RFC 3852 (Attribute Certificate v1) | ||||
| AttributeCertificateVersion1-2009 | AttributeCertificateVersion1-2009 | |||
| {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||
| smime(16) modules(0) id-mod-v1AttrCert-02(49)} | smime(16) modules(0) id-mod-v1AttrCert-02(49)} | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} | SIGNATURE-ALGORITHM, ALGORITHM, AlgorithmIdentifier{} | |||
| FROM AlgorithmInformation-2009 | FROM AlgorithmInformation-2009 | |||
| skipping to change at page 41, line 18 ¶ | skipping to change at page 37, line 4 ¶ | |||
| signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, | signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, | |||
| serialNumber CertificateSerialNumber, | serialNumber CertificateSerialNumber, | |||
| attCertValidityPeriod AttCertValidityPeriod, | attCertValidityPeriod AttCertValidityPeriod, | |||
| attributes SEQUENCE OF AttributeSet{{AttrList}}, | attributes SEQUENCE OF AttributeSet{{AttrList}}, | |||
| issuerUniqueID UniqueIdentifier OPTIONAL, | issuerUniqueID UniqueIdentifier OPTIONAL, | |||
| extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL } | extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL } | |||
| AttCertVersionV1 ::= INTEGER { v1(0) } | AttCertVersionV1 ::= INTEGER { v1(0) } | |||
| AttrList ATTRIBUTE ::= {...} | AttrList ATTRIBUTE ::= {...} | |||
| AttributeCertExtensionsV1 EXTENSION ::= {...} | AttributeCertExtensionsV1 EXTENSION ::= {...} | |||
| END | END | |||
| 9. ASN.1 Module for RFC 4055 | 8. ASN.1 Module for RFC 4055 | |||
| PKIX1-PSS-OAEP-Algorithms-2009 | PKIX1-PSS-OAEP-Algorithms-2009 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} | mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT, | AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-TRANSPORT, | |||
| SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS | SIGNATURE-ALGORITHM, PUBLIC-KEY, SMIME-CAPS | |||
| skipping to change at page 43, line 4 ¶ | skipping to change at page 38, line 36 ¶ | |||
| -- | -- | |||
| sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { | sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-RSASSA-PSS | IDENTIFIER id-RSASSA-PSS | |||
| PARAMS TYPE RSASSA-PSS-params ARE required | PARAMS TYPE RSASSA-PSS-params ARE required | |||
| HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 | HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 | |||
| | mda-sha512 } | | mda-sha512 } | |||
| PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } | PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } | |||
| SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } | SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } | |||
| } | } | |||
| -- | -- | |||
| -- Signature algorithm defintions for PKCS v1.5 signatures | -- Signature algorithm definitions for PKCS v1.5 signatures | |||
| -- | -- | |||
| sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= { | sa-sha224WithRSAEncryption SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER sha224WithRSAEncryption | IDENTIFIER sha224WithRSAEncryption | |||
| PARAMS TYPE NULL ARE required | PARAMS TYPE NULL ARE required | |||
| HASHES { mda-sha224 } | HASHES { mda-sha224 } | |||
| PUBLIC-KEYS { pk-rsa } | PUBLIC-KEYS { pk-rsa } | |||
| SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption } | SMIME-CAPS { IDENTIFIED BY sha224WithRSAEncryption } | |||
| } | } | |||
| sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } | sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } | |||
| skipping to change at page 45, line 4 ¶ | skipping to change at page 40, line 36 ¶ | |||
| -- When id-pSpecified is used in an AlgorithmIdentifier the | -- When id-pSpecified is used in an AlgorithmIdentifier the | |||
| -- parameters MUST be an OCTET STRING. | -- parameters MUST be an OCTET STRING. | |||
| id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 } | id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 } | |||
| -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the | -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the | |||
| -- parameters field is present, it MUST be RSASSA-PSS-params. | -- parameters field is present, it MUST be RSASSA-PSS-params. | |||
| id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } | id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } | |||
| -- When the following OIDs are used in an AlgorithmIdentifier the | -- When the following OIDs are used in an AlgorithmIdentifier the | |||
| -- parameters SHOULD be absent, but if the parameters are present, | -- parameters SHOULD be absent, but if the parameters are present, | |||
| -- they MUST be NULL. | -- they MUST be NULL. | |||
| -- | -- | |||
| -- id-sha1 is imported from RFC 3279. Additionally, the v1.5 | -- id-sha1 is imported from RFC 3279. Additionally, the v1.5 | |||
| -- signature algorithms (i.e. rsaWithSHA256) are now soley placed | -- signature algorithms (i.e. rsaWithSHA256) are now solely placed | |||
| -- in that module. | -- in that module. | |||
| -- | -- | |||
| id-sha224 OBJECT IDENTIFIER ::= | id-sha224 OBJECT IDENTIFIER ::= | |||
| { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | |||
| csor(3) nistalgorithm(4) hashalgs(2) 4 } | csor(3) nistalgorithm(4) hashalgs(2) 4 } | |||
| mda-sha224 DIGEST-ALGORITHM ::= { | mda-sha224 DIGEST-ALGORITHM ::= { | |||
| IDENTIFIER id-sha224 | IDENTIFIER id-sha224 | |||
| PARAMS TYPE NULL ARE preferredAbsent | PARAMS TYPE NULL ARE preferredAbsent | |||
| skipping to change at page 48, line 4 ¶ | skipping to change at page 43, line 36 ¶ | |||
| -- Note that the tags in this Sequence are explicit. | -- Note that the tags in this Sequence are explicit. | |||
| -- Note: The hash algorithm in hashFunc and in | -- Note: The hash algorithm in hashFunc and in | |||
| -- maskGenFunc should be the same | -- maskGenFunc should be the same | |||
| RSAES-OAEP-params ::= SEQUENCE { | RSAES-OAEP-params ::= SEQUENCE { | |||
| hashFunc [0] HashAlgorithm DEFAULT sha1Identifier, | hashFunc [0] HashAlgorithm DEFAULT sha1Identifier, | |||
| maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1, | maskGenFunc [1] MaskGenAlgorithm DEFAULT mgf1SHA1, | |||
| pSourceFunc [2] PSourceAlgorithm DEFAULT | pSourceFunc [2] PSourceAlgorithm DEFAULT | |||
| pSpecifiedEmpty | pSpecifiedEmpty | |||
| } | } | |||
| END | END | |||
| 10. ASN.1 Module for RFC 4210 | 9. ASN.1 Module for RFC 4210 | |||
| PKIXCMP-2009 | PKIXCMP-2009 | |||
| { iso(1) identified-organization(3) dod(6) internet(1) security(5) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) } | mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000-02(50) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE | AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE | |||
| FROM PKIX-CommonTypes-2009 | FROM PKIX-CommonTypes-2009 | |||
| skipping to change at page 58, line 29 ¶ | skipping to change at page 54, line 13 ¶ | |||
| PollReqContent ::= SEQUENCE OF SEQUENCE { | PollReqContent ::= SEQUENCE OF SEQUENCE { | |||
| certReqId INTEGER } | certReqId INTEGER } | |||
| PollRepContent ::= SEQUENCE OF SEQUENCE { | PollRepContent ::= SEQUENCE OF SEQUENCE { | |||
| certReqId INTEGER, | certReqId INTEGER, | |||
| checkAfter INTEGER, -- time in seconds | checkAfter INTEGER, -- time in seconds | |||
| reason PKIFreeText OPTIONAL } | reason PKIFreeText OPTIONAL } | |||
| END | END | |||
| 11. ASN.1 Module for RFC 4211 | 10. ASN.1 Module for RFC 4211 | |||
| PKIXCRMF-2009 | PKIXCRMF-2009 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} | mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)} | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE, | AttributeSet{}, Extensions{}, EXTENSION, ATTRIBUTE, | |||
| SingleAttribute{} | SingleAttribute{} | |||
| skipping to change at page 65, line 14 ¶ | skipping to change at page 60, line 46 ¶ | |||
| -- key of a key pair that the receiver generates in response to | -- key of a key pair that the receiver generates in response to | |||
| -- this request; set to FALSE if no archival is desired. | -- this request; set to FALSE if no archival is desired. | |||
| EncryptedKey ::= CHOICE { | EncryptedKey ::= CHOICE { | |||
| encryptedValue EncryptedValue, -- Deprecated | encryptedValue EncryptedValue, -- Deprecated | |||
| envelopedData [0] EnvelopedData } | envelopedData [0] EnvelopedData } | |||
| -- The encrypted private key MUST be placed in the envelopedData | -- The encrypted private key MUST be placed in the envelopedData | |||
| -- encryptedContentInfo encryptedContent OCTET STRING. | -- encryptedContentInfo encryptedContent OCTET STRING. | |||
| -- | -- | |||
| -- We skipped doing the full constraints here since this struture has | -- We skipped doing the full constraints here since this structure | |||
| -- be deprecated in favor of EnvelopedData | -- has been deprecated in favor of EnvelopedData | |||
| -- | -- | |||
| EncryptedValue ::= SEQUENCE { | EncryptedValue ::= SEQUENCE { | |||
| intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | intendedAlg [0] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | |||
| -- the intended algorithm for which the value will be used | -- the intended algorithm for which the value will be used | |||
| symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | symmAlg [1] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | |||
| -- the symmetric algorithm used to encrypt the value | -- the symmetric algorithm used to encrypt the value | |||
| encSymmKey [2] BIT STRING OPTIONAL, | encSymmKey [2] BIT STRING OPTIONAL, | |||
| -- the (encrypted) symmetric key used to encrypt the value | -- the (encrypted) symmetric key used to encrypt the value | |||
| keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | keyAlg [3] AlgorithmIdentifier{ALGORITHM, {...}} OPTIONAL, | |||
| skipping to change at page 67, line 11 ¶ | skipping to change at page 62, line 42 ¶ | |||
| regInfo-certReq ATTRIBUTE ::= | regInfo-certReq ATTRIBUTE ::= | |||
| { TYPE CertReq IDENTIFIED BY id-regInfo-certReq } | { TYPE CertReq IDENTIFIED BY id-regInfo-certReq } | |||
| id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } | id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } | |||
| --with syntax | --with syntax | |||
| CertReq ::= CertRequest | CertReq ::= CertRequest | |||
| END | END | |||
| 12. ASN.1 Module for RFC 5055 | 11. ASN.1 Module for RFC 5055 | |||
| SCVP-2009 | SCVP-2009 | |||
| { iso(1) identified-organization(3) dod(6) internet(1) security(5) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) } | mechanisms(5) pkix(7) id-mod(0) id-mod-scvp-02(52) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| Extensions{}, EXTENSION, ATTRIBUTE | Extensions{}, EXTENSION, ATTRIBUTE | |||
| FROM PKIX-CommonTypes-2009 | FROM PKIX-CommonTypes-2009 | |||
| skipping to change at page 71, line 4 ¶ | skipping to change at page 66, line 35 ¶ | |||
| } | } | |||
| ValidationPolRef ::= SEQUENCE { | ValidationPolRef ::= SEQUENCE { | |||
| valPolId POLICY.&id, | valPolId POLICY.&id, | |||
| valPolParams POLICY.&Type OPTIONAL | valPolParams POLICY.&Type OPTIONAL | |||
| } | } | |||
| ValidationAlgSet POLICY ::= { | ValidationAlgSet POLICY ::= { | |||
| svp-basicValAlg, ... | svp-basicValAlg, ... | |||
| } | } | |||
| ValidationAlg ::= SEQUENCE { | ValidationAlg ::= SEQUENCE { | |||
| valAlgId POLICY.&id, | valAlgId POLICY.&id, | |||
| parameters POLICY.&Type OPTIONAL | parameters POLICY.&Type OPTIONAL | |||
| } | } | |||
| NameValiationAlgSet POLICY ::= { | NameValiationAlgSet POLICY ::= { | |||
| svp-nameValAlg, ... | svp-nameValAlg, ... | |||
| } | } | |||
| NameValidationAlgParms ::= SEQUENCE { | NameValidationAlgParams ::= SEQUENCE { | |||
| nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ), | nameCompAlgId OBJECT IDENTIFIER (NameCompAlgSet, ... ), | |||
| validationNames GeneralNames | validationNames GeneralNames | |||
| } | } | |||
| TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference | TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference | |||
| KeyAgreePublicKey ::= SEQUENCE { | KeyAgreePublicKey ::= SEQUENCE { | |||
| algorithm AlgorithmIdentifier{KEY-AGREE, | algorithm AlgorithmIdentifier{KEY-AGREE, | |||
| {SupportedKeyAgreePublicKeys}}, | {SupportedKeyAgreePublicKeys}}, | |||
| publicKey BIT STRING, | publicKey BIT STRING, | |||
| macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, | macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, | |||
| {SupportedMACAlgorithms}}, | {SupportedMACAlgorithms}}, | |||
| kDF AlgorithmIdentifier{KEY-DERIVATION, | kDF AlgorithmIdentifier{KEY-DERIVATION, | |||
| {SupportedKeyDerivationFunctions}} | {SupportedKeyDerivationFunctions}} | |||
| OPTIONAL | OPTIONAL | |||
| } | } | |||
| skipping to change at page 72, line 35 ¶ | skipping to change at page 68, line 20 ¶ | |||
| requestorRef [2] GeneralNames OPTIONAL, | requestorRef [2] GeneralNames OPTIONAL, | |||
| requestorName [3] GeneralNames OPTIONAL, | requestorName [3] GeneralNames OPTIONAL, | |||
| replyObjects [4] ReplyObjects OPTIONAL, | replyObjects [4] ReplyObjects OPTIONAL, | |||
| respNonce [5] OCTET STRING OPTIONAL, | respNonce [5] OCTET STRING OPTIONAL, | |||
| serverContextInfo [6] OCTET STRING OPTIONAL, | serverContextInfo [6] OCTET STRING OPTIONAL, | |||
| cvResponseExtensions [7] Extensions{{CVResponseExtensions}} | cvResponseExtensions [7] Extensions{{CVResponseExtensions}} | |||
| OPTIONAL, | OPTIONAL, | |||
| requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL | requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL | |||
| } | } | |||
| -- This doucment defines no extensions | -- This document defines no extensions | |||
| CVResponseExtensions EXTENSION ::= {...} | CVResponseExtensions EXTENSION ::= {...} | |||
| ResponseStatus ::= SEQUENCE { | ResponseStatus ::= SEQUENCE { | |||
| statusCode CVStatusCode DEFAULT okay, | statusCode CVStatusCode DEFAULT okay, | |||
| errorMessage UTF8String OPTIONAL | errorMessage UTF8String OPTIONAL | |||
| } | } | |||
| CVStatusCode ::= ENUMERATED { | CVStatusCode ::= ENUMERATED { | |||
| okay (0), | okay (0), | |||
| skipUnrecognizedItems (1), | skipUnrecognizedItems (1), | |||
| skipping to change at page 79, line 4 ¶ | skipping to change at page 74, line 36 ¶ | |||
| } | } | |||
| id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } | id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } | |||
| id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } | id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } | |||
| id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } | id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } | |||
| id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } | id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } | |||
| id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } | id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } | |||
| id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } | id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } | |||
| id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } | id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } | |||
| id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } | id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } | |||
| -- SCVP Name Validation Algorithm Identifier | -- SCVP Name Validation Algorithm Identifier | |||
| svp-nameValAlg POLICY ::= | svp-nameValAlg POLICY ::= | |||
| {TYPE NameValidationAlgParms IDENTIFIED BY id-svp-nameValAlg } | {TYPE NameValidationAlgParams IDENTIFIED BY id-svp-nameValAlg } | |||
| id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } | id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } | |||
| -- SCVP Name Validation Algorithm DN comparison algorithm | -- SCVP Name Validation Algorithm DN comparison algorithm | |||
| NameCompAlgSet OBJECT IDENTIFIER ::= { | NameCompAlgSet OBJECT IDENTIFIER ::= { | |||
| id-nva-dnCompAlg | id-nva-dnCompAlg | |||
| } | } | |||
| id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } | id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } | |||
| skipping to change at page 80, line 5 ¶ | skipping to change at page 75, line 36 ¶ | |||
| SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= { | SvcpExtKeyUsageSet OBJECT IDENTIFIER ::= { | |||
| id-kp-scvpServer | id-kp-scvpClient | id-kp-scvpServer | id-kp-scvpClient | |||
| } | } | |||
| id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } | id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } | |||
| id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 } | id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 } | |||
| END | END | |||
| 13. ASN.1 Module for RFC 5272 | 12. ASN.1 Module for RFC 5272 | |||
| EnrollmentMessageSyntax-2009 | EnrollmentMessageSyntax-2009 | |||
| {iso(1) identified-organization(3) dod(4) internet(1) | {iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)} | security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)} | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE | AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE | |||
| FROM PKIX-CommonTypes-2009 | FROM PKIX-CommonTypes-2009 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} | mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} | |||
| skipping to change at page 81, line 17 ¶ | skipping to change at page 77, line 4 ¶ | |||
| { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||
| smime(16) modules(0) id-mod-cmsalg-2001-02(37) } | smime(16) modules(0) id-mod-cmsalg-2001-02(37) } | |||
| mda-sha256 | mda-sha256 | |||
| FROM PKIX1-PSS-OAEP-Algorithms-2009 | FROM PKIX1-PSS-OAEP-Algorithms-2009 | |||
| { iso(1) identified-organization(3) dod(6) | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-rsa-pkalgs-02(54) } ; | id-mod-pkix1-rsa-pkalgs-02(54) } ; | |||
| -- CMS Content types defined in this document | -- CMS Content types defined in this document | |||
| CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... } | CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... } | |||
| -- Signaure Algorithms defined in this document | -- Signature Algorithms defined in this document | |||
| SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature } | SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature } | |||
| -- CMS Unsigned Attibutes | -- CMS Unsigned Attributes | |||
| CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData } | CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData } | |||
| -- | -- | |||
| -- | -- | |||
| id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls | id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls | |||
| id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types | id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types | |||
| -- This is the content type for a request message in the protocol | -- This is the content type for a request message in the protocol | |||
| skipping to change at page 91, line 20 ¶ | skipping to change at page 87, line 4 ¶ | |||
| cmc-popLinkWitnessV2 CMC-CONTROL ::= | cmc-popLinkWitnessV2 CMC-CONTROL ::= | |||
| { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } | { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 } | |||
| id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } | id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 } | |||
| PopLinkWitnessV2 ::= SEQUENCE { | PopLinkWitnessV2 ::= SEQUENCE { | |||
| keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, | keyGenAlgorithm AlgorithmIdentifier{KEY-DERIVATION, | |||
| {KeyDevAlgs}}, | {KeyDevAlgs}}, | |||
| macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, | macAlgorithm AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}}, | |||
| witness OCTET STRING | witness OCTET STRING | |||
| } | } | |||
| KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} | KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...} | |||
| END | END | |||
| 13. ASN.1 Module for RFC 5755 | ||||
| PKIXAttributeCertificate-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)} | ||||
| DEFINITIONS IMPLICIT TAGS ::= | ||||
| BEGIN | ||||
| IMPORTS | ||||
| AttributeSet{}, Extensions{}, SecurityCategory{}, | ||||
| EXTENSION, ATTRIBUTE, SECURITY-CATEGORY | ||||
| FROM PKIX-CommonTypes-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } | ||||
| AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM | ||||
| FROM AlgorithmInformation-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-algorithmInformation-02(58)} | ||||
| -- IMPORTeD module OIDs MAY Change if [PKIXPROF] changes | ||||
| -- PKIX Certificate Extensions | ||||
| CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp, | ||||
| id-ad, id-at, SIGNED{}, SignatureAlgorithms | ||||
| FROM PKIX1Explicit-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} | ||||
| GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier, | ||||
| ext-AuthorityInfoAccess, ext-CRLDistributionPoints | ||||
| FROM PKIX1Implicit-2009 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} | ||||
| ContentInfo | ||||
| FROM CryptographicMessageSyntax-2009 | ||||
| { iso(1) member-body(2) us(840) rsadsi(113549) | ||||
| pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }; | ||||
| -- Define the set of extensions that can appear. | ||||
| -- Some of these are imported from PKIX Cert | ||||
| AttributeCertExtensions EXTENSION ::= { | ||||
| ext-auditIdentity | ext-targetInformation | | ||||
| ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess | | ||||
| ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying | | ||||
| ext-aaControls, ... } | ||||
| ext-auditIdentity EXTENSION ::= { SYNTAX | ||||
| OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} | ||||
| ext-targetInformation EXTENSION ::= { SYNTAX | ||||
| Targets IDENTIFIED BY id-ce-targetInformation } | ||||
| ext-noRevAvail EXTENSION ::= { SYNTAX | ||||
| NULL IDENTIFIED BY id-ce-noRevAvail} | ||||
| ext-ac-proxying EXTENSION ::= { SYNTAX | ||||
| ProxyInfo IDENTIFIED BY id-pe-ac-proxying} | ||||
| ext-aaControls EXTENSION ::= { SYNTAX | ||||
| AAControls IDENTIFIED BY id-pe-aaControls} | ||||
| -- Define the set of attributes used here | ||||
| AttributesDefined ATTRIBUTE ::= { at-authenticationInfo | | ||||
| at-accesIdentity | at-chargingIdentity | at-group | | ||||
| at-role | at-clearance | at-encAttrs, ...} | ||||
| at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo | ||||
| IDENTIFIED BY id-aca-authenticationInfo} | ||||
| at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo | ||||
| IDENTIFIED BY id-aca-accessIdentity} | ||||
| at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax | ||||
| IDENTIFIED BY id-aca-chargingIdentity} | ||||
| at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax | ||||
| IDENTIFIED BY id-aca-group} | ||||
| at-role ATTRIBUTE ::= { TYPE RoleSyntax | ||||
| IDENTIFIED BY id-at-role} | ||||
| at-clearance ATTRIBUTE ::= { TYPE Clearance | ||||
| IDENTIFIED BY id-at-clearance} | ||||
| at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281 | ||||
| IDENTIFIED BY id-at-clearance-rfc3281 } | ||||
| at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo | ||||
| IDENTIFIED BY id-aca-encAttrs} | ||||
| -- | ||||
| -- OIDs used by Attribute Certificate Extensions | ||||
| -- | ||||
| id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } | ||||
| id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } | ||||
| id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } | ||||
| id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } | ||||
| id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } | ||||
| -- | ||||
| -- OIDs used by Attribute Certficate Attributes | ||||
| -- | ||||
| id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } | ||||
| id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } | ||||
| id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } | ||||
| id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } | ||||
| id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } | ||||
| -- { id-aca 5 } is reserved | ||||
| id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } | ||||
| id-at-role OBJECT IDENTIFIER ::= { id-at 72} | ||||
| id-at-clearance OBJECT IDENTIFIER ::= { | ||||
| joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) } | ||||
| -- Uncomment the following declaration and comment the above line if | ||||
| -- using the id-at-clearance attribute as defined in [RFC3281] | ||||
| -- id-at-clearance ::= id-at-clearance-3281 | ||||
| id-at-clearance-rfc3281 OBJECT IDENTIFIER ::= { | ||||
| joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) | ||||
| clearance (55) } | ||||
| -- | ||||
| -- The syntax of an Attribute Certificate | ||||
| -- | ||||
| AttributeCertificate ::= SIGNED{AttributeCertificateInfo} | ||||
| AttributeCertificateInfo ::= SEQUENCE { | ||||
| version AttCertVersion, -- version is v2 | ||||
| holder Holder, | ||||
| issuer AttCertIssuer, | ||||
| signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, | ||||
| {SignatureAlgorithms}}, | ||||
| serialNumber CertificateSerialNumber, | ||||
| attrCertValidityPeriod AttCertValidityPeriod, | ||||
| attributes SEQUENCE OF | ||||
| AttributeSet{{AttributesDefined}}, | ||||
| issuerUniqueID UniqueIdentifier OPTIONAL, | ||||
| extensions Extensions{{AttributeCertExtensions}} OPTIONAL | ||||
| } | ||||
| AttCertVersion ::= INTEGER { v2(1) } | ||||
| Holder ::= SEQUENCE { | ||||
| baseCertificateID [0] IssuerSerial OPTIONAL, | ||||
| -- the issuer and serial number of | ||||
| -- the holder's Public Key Certificate | ||||
| entityName [1] GeneralNames OPTIONAL, | ||||
| -- the name of the claimant or role | ||||
| objectDigestInfo [2] ObjectDigestInfo OPTIONAL | ||||
| -- used to directly authenticate the | ||||
| -- holder, for example, an executable | ||||
| } | ||||
| ObjectDigestInfo ::= SEQUENCE { | ||||
| digestedObjectType ENUMERATED { | ||||
| publicKey (0), | ||||
| publicKeyCert (1), | ||||
| otherObjectTypes (2) }, | ||||
| -- otherObjectTypes MUST NOT | ||||
| -- MUST NOT be used in this profile | ||||
| otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, | ||||
| digestAlgorithm AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}, | ||||
| objectDigest BIT STRING | ||||
| } | ||||
| AttCertIssuer ::= CHOICE { | ||||
| v1Form GeneralNames, -- MUST NOT be used in this | ||||
| -- profile | ||||
| v2Form [0] V2Form -- v2 only | ||||
| } | ||||
| V2Form ::= SEQUENCE { | ||||
| issuerName GeneralNames OPTIONAL, | ||||
| baseCertificateID [0] IssuerSerial OPTIONAL, | ||||
| objectDigestInfo [1] ObjectDigestInfo OPTIONAL | ||||
| -- issuerName MUST be present in this profile | ||||
| -- baseCertificateID and objectDigestInfo MUST | ||||
| -- NOT be present in this profile | ||||
| } | ||||
| IssuerSerial ::= SEQUENCE { | ||||
| issuer GeneralNames, | ||||
| serial CertificateSerialNumber, | ||||
| issuerUID UniqueIdentifier OPTIONAL | ||||
| } | ||||
| AttCertValidityPeriod ::= SEQUENCE { | ||||
| notBeforeTime GeneralizedTime, | ||||
| notAfterTime GeneralizedTime | ||||
| } | ||||
| -- | ||||
| -- Syntax used by Attribute Certificate Extensions | ||||
| -- | ||||
| Targets ::= SEQUENCE OF Target | ||||
| Target ::= CHOICE { | ||||
| targetName [0] GeneralName, | ||||
| targetGroup [1] GeneralName, | ||||
| targetCert [2] TargetCert | ||||
| } | ||||
| TargetCert ::= SEQUENCE { | ||||
| targetCertificate IssuerSerial, | ||||
| targetName GeneralName OPTIONAL, | ||||
| certDigestInfo ObjectDigestInfo OPTIONAL | ||||
| } | ||||
| AAControls ::= SEQUENCE { | ||||
| pathLenConstraint INTEGER (0..MAX) OPTIONAL, | ||||
| permittedAttrs [0] AttrSpec OPTIONAL, | ||||
| excludedAttrs [1] AttrSpec OPTIONAL, | ||||
| permitUnSpecified BOOLEAN DEFAULT TRUE | ||||
| } | ||||
| AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER | ||||
| ProxyInfo ::= SEQUENCE OF Targets | ||||
| -- | ||||
| -- Syntax used by Attribute Certificate Attributes | ||||
| -- | ||||
| IetfAttrSyntax ::= SEQUENCE { | ||||
| policyAuthority[0] GeneralNames OPTIONAL, | ||||
| values SEQUENCE OF CHOICE { | ||||
| octets OCTET STRING, | ||||
| oid OBJECT IDENTIFIER, | ||||
| string UTF8String | ||||
| } | ||||
| } | ||||
| SvceAuthInfo ::= SEQUENCE { | ||||
| service GeneralName, | ||||
| ident GeneralName, | ||||
| authInfo OCTET STRING OPTIONAL | ||||
| } | ||||
| RoleSyntax ::= SEQUENCE { | ||||
| roleAuthority [0] GeneralNames OPTIONAL, | ||||
| roleName [1] GeneralName | ||||
| } | ||||
| Clearance ::= SEQUENCE { | ||||
| policyId OBJECT IDENTIFIER, | ||||
| classList ClassList DEFAULT {unclassified}, | ||||
| securityCategories SET OF SecurityCategory | ||||
| {{SupportedSecurityCategories}} OPTIONAL | ||||
| } | ||||
| -- Uncomment the following lines to support deprecated clearance | ||||
| -- syntax and comment out previous Clearance. | ||||
| -- Clearance ::= Clearance-rfc3281 | ||||
| Clearance-rfc3281 ::= SEQUENCE { | ||||
| policyId [0] OBJECT IDENTIFIER, | ||||
| classList [1] ClassList DEFAULT {unclassified}, | ||||
| securityCategories [2] SET OF SecurityCategory-rfc3281 | ||||
| {{SupportedSecurityCategories}} OPTIONAL | ||||
| } | ||||
| ClassList ::= BIT STRING { | ||||
| unmarked (0), | ||||
| unclassified (1), | ||||
| restricted (2), | ||||
| confidential (3), | ||||
| secret (4), | ||||
| topSecret (5) | ||||
| } | ||||
| SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } | ||||
| SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE { | ||||
| type [0] IMPLICIT SECURITY-CATEGORY. | ||||
| &id({Supported}), | ||||
| value [1] EXPLICIT SECURITY-CATEGORY. | ||||
| &Type({Supported}{@type}) | ||||
| } | ||||
| ACClearAttrs ::= SEQUENCE { | ||||
| acIssuer GeneralName, | ||||
| acSerial INTEGER, | ||||
| attrs SEQUENCE OF AttributeSet{{AttributesDefined}} | ||||
| } | ||||
| END | ||||
| 14. ASN.1 Module for RFC 5280, Explicit and Implicit | 14. ASN.1 Module for RFC 5280, Explicit and Implicit | |||
| Note that many of the changes in this module are similar or the same | Note that many of the changes in this module are similar or the same | |||
| as the changes made in more recent versions of X.509 itself. | as the changes made in more recent versions of X.509 itself. | |||
| PKIX1Explicit-2009 | PKIX1Explicit-2009 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) | {iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-explicit-02(51)} | id-mod-pkix1-explicit-02(51)} | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| skipping to change at page 105, line 4 ¶ | skipping to change at page 106, line 44 ¶ | |||
| id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } | id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } | |||
| SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF | SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF | |||
| AttributeSet{{SupportedAttributes}} | AttributeSet{{SupportedAttributes}} | |||
| -- basic constraints extension OID and syntax | -- basic constraints extension OID and syntax | |||
| ext-BasicConstraints EXTENSION ::= { SYNTAX | ext-BasicConstraints EXTENSION ::= { SYNTAX | |||
| BasicConstraints IDENTIFIED BY id-ce-basicConstraints } | BasicConstraints IDENTIFIED BY id-ce-basicConstraints } | |||
| id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } | id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } | |||
| BasicConstraints ::= SEQUENCE { | BasicConstraints ::= SEQUENCE { | |||
| cA BOOLEAN DEFAULT FALSE, | cA BOOLEAN DEFAULT FALSE, | |||
| pathLenConstraint INTEGER (0..MAX) OPTIONAL | pathLenConstraint INTEGER (0..MAX) OPTIONAL | |||
| } | } | |||
| -- name constraints extension OID and syntax | -- name constraints extension OID and syntax | |||
| ext-NameConstraints EXTENSION ::= { SYNTAX | ext-NameConstraints EXTENSION ::= { SYNTAX | |||
| NameConstraints IDENTIFIED BY id-ce-nameConstraints } | NameConstraints IDENTIFIED BY id-ce-nameConstraints } | |||
| id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } | id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } | |||
| NameConstraints ::= SEQUENCE { | NameConstraints ::= SEQUENCE { | |||
| permittedSubtrees [0] GeneralSubtrees OPTIONAL, | permittedSubtrees [0] GeneralSubtrees OPTIONAL, | |||
| excludedSubtrees [1] GeneralSubtrees OPTIONAL | excludedSubtrees [1] GeneralSubtrees OPTIONAL | |||
| } | } | |||
| -- | -- | |||
| -- This is a constraint in the issued certificates by CAs, but is | -- This is a constraint in the issued certificates by CAs, but is | |||
| -- not a requirement on EEs. | -- not a requirement on EEs. | |||
| -- | -- | |||
| -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} | | -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} | | |||
| -- WITH COMPONENTS { ..., excludedSubtrees PRESEENT }} | -- WITH COMPONENTS { ..., excludedSubtrees PRESENT }} | |||
| GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree | GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree | |||
| GeneralSubtree ::= SEQUENCE { | GeneralSubtree ::= SEQUENCE { | |||
| base GeneralName, | base GeneralName, | |||
| minimum [0] BaseDistance DEFAULT 0, | minimum [0] BaseDistance DEFAULT 0, | |||
| maximum [1] BaseDistance OPTIONAL | maximum [1] BaseDistance OPTIONAL | |||
| } | } | |||
| BaseDistance ::= INTEGER (0..MAX) | BaseDistance ::= INTEGER (0..MAX) | |||
| skipping to change at page 106, line 4 ¶ | skipping to change at page 107, line 44 ¶ | |||
| PolicyConstraints ::= SEQUENCE { | PolicyConstraints ::= SEQUENCE { | |||
| requireExplicitPolicy [0] SkipCerts OPTIONAL, | requireExplicitPolicy [0] SkipCerts OPTIONAL, | |||
| inhibitPolicyMapping [1] SkipCerts OPTIONAL } | inhibitPolicyMapping [1] SkipCerts OPTIONAL } | |||
| -- | -- | |||
| -- This is a constraint in the issued certificates by CAs, | -- This is a constraint in the issued certificates by CAs, | |||
| -- but is not a requirement for EEs | -- but is not a requirement for EEs | |||
| -- | -- | |||
| -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} | | -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} | | |||
| -- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT}) | -- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT}) | |||
| SkipCerts ::= INTEGER (0..MAX) | SkipCerts ::= INTEGER (0..MAX) | |||
| -- CRL distribution points extension OID and syntax | -- CRL distribution points extension OID and syntax | |||
| ext-CRLDistributionPoints EXTENSION ::= { SYNTAX | ext-CRLDistributionPoints EXTENSION ::= { SYNTAX | |||
| CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints} | CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints} | |||
| id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} | id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} | |||
| CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint | CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint | |||
| DistributionPoint ::= SEQUENCE { | DistributionPoint ::= SEQUENCE { | |||
| distributionPoint [0] DistributionPointName OPTIONAL, | distributionPoint [0] DistributionPointName OPTIONAL, | |||
| reasons [1] ReasonFlags OPTIONAL, | reasons [1] ReasonFlags OPTIONAL, | |||
| cRLIssuer [2] GeneralNames OPTIONAL | cRLIssuer [2] GeneralNames OPTIONAL | |||
| } | } | |||
| -- | -- | |||
| -- This is not a requiement in the text, but is seems as if it | -- This is not a requirement in the text, but is seems as if it | |||
| -- should be | -- should be | |||
| -- | -- | |||
| --(WITH COMPONENTS {..., distributionPoint PRESENT} | | --(WITH COMPONENTS {..., distributionPoint PRESENT} | | |||
| -- WITH COMPONENTS {..., cRLIssuer PRESENT}) | -- WITH COMPONENTS {..., cRLIssuer PRESENT}) | |||
| DistributionPointName ::= CHOICE { | DistributionPointName ::= CHOICE { | |||
| fullName [0] GeneralNames, | fullName [0] GeneralNames, | |||
| nameRelativeToCRLIssuer [1] RelativeDistinguishedName | nameRelativeToCRLIssuer [1] RelativeDistinguishedName | |||
| } | } | |||
| skipping to change at page 116, line 40 ¶ | skipping to change at page 118, line 32 ¶ | |||
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | |||
| Request Syntax Specification Version 1.7", RFC 2986, | Request Syntax Specification Version 1.7", RFC 2986, | |||
| November 2000. | November 2000. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, April 2002. | (CRL) Profile", RFC 3279, April 2002. | |||
| [RFC3281] Farrell, S. and R. Housley, "An Internet Attribute | ||||
| Certificate Profile for Authorization", RFC 3281, | ||||
| April 2002. | ||||
| [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | |||
| RFC 3852, July 2004. | RFC 3852, July 2004. | |||
| [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | |||
| Algorithms and Identifiers for RSA Cryptography for use in | Algorithms and Identifiers for RSA Cryptography for use in | |||
| the Internet X.509 Public Key Infrastructure Certificate | the Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile", RFC 4055, | and Certificate Revocation List (CRL) Profile", RFC 4055, | |||
| June 2005. | June 2005. | |||
| [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, | [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, | |||
| skipping to change at page 117, line 26 ¶ | skipping to change at page 119, line 14 ¶ | |||
| (SCVP)", RFC 5055, December 2007. | (SCVP)", RFC 5055, December 2007. | |||
| [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS | [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS | |||
| (CMC)", RFC 5272, June 2008. | (CMC)", RFC 5272, June 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | ||||
| "Elliptic Curve Cryptography Subject Public Key | ||||
| Information", RFC 5480, March 2009. | ||||
| [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet | ||||
| Attribute Certificate Profile for Authorization", | ||||
| RFC 5755, January 2010. | ||||
| Appendix A. Change History | Appendix A. Change History | |||
| [[ This entire section is to be removed upon publication. ]] | [[ This entire section is to be removed upon publication. ]] | |||
| A.1. Changes between draft-hoffman-pkix-new-asn1-00 and | A.1. Changes between draft-hoffman-pkix-new-asn1-00 and | |||
| draft-ietf-pkix-new-asn1-00 | draft-ietf-pkix-new-asn1-00 | |||
| Changed the draft name. | Changed the draft name. | |||
| Added the PKIX common definitions module. | Added the PKIX common definitions module. | |||
| skipping to change at page 118, line 33 ¶ | skipping to change at page 120, line 28 ¶ | |||
| Updated all modules to use objects more deeply. | Updated all modules to use objects more deeply. | |||
| Removed RFC 3280 and added RFC 5280. | Removed RFC 3280 and added RFC 5280. | |||
| Added RFC 5272 (CMC). | Added RFC 5272 (CMC). | |||
| A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 | A.4. Changes between draft-ietf-pkix-new-asn1-02 and -03 | |||
| Many cosmetic-only changes to the modules. | Many cosmetic-only changes to the modules. | |||
| Changed some multi-word keywords to hypenated (such as "SMIME CAPS" | Changed some multi-word keywords to hyphenated (such as "SMIME CAPS" | |||
| to "SMIME-CAPS"). | to "SMIME-CAPS"). | |||
| In section 6, added "Note that this module also contains information | In section 6, added "Note that this module also contains information | |||
| from RFC-to-be 5480." Will add a real reference in future version of | from RFC-to-be 5480." Will add a real reference in future version of | |||
| this draft. | this draft. | |||
| In section 6, added the labels for the id-keyExchangeAlgorithm OID. | In section 6, added the labels for the id-keyExchangeAlgorithm OID. | |||
| Updated the reference of X.680 to X.680, X.681, X.682, and X.683. | Updated the reference of X.680 to X.680, X.681, X.682, and X.683. | |||
| skipping to change at page 120, line 6 ¶ | skipping to change at page 122, line 5 ¶ | |||
| -- with ANSI X.9. | -- with ANSI X.9. | |||
| } | } | |||
| -- If you need to be able to decode ANSI X.9 parameter structures, then | -- If you need to be able to decode ANSI X.9 parameter structures, then | |||
| -- uncomment the implicitCurve and specificCurve above, and also | -- uncomment the implicitCurve and specificCurve above, and also | |||
| -- uncomment the follow: | -- uncomment the follow: | |||
| --(WITH COMPONENTS {namedCurve PRESENT}) | --(WITH COMPONENTS {namedCurve PRESENT}) | |||
| Changed "memberBody" to "member-body" in the modules for RFCs 4210 | Changed "memberBody" to "member-body" in the modules for RFCs 4210 | |||
| and 4211. | and 4211. | |||
| A.9. Changes between draft-ietf-pkix-new-asn1-06 and -07 | ||||
| Throughout, changed all instances of RFC 3281 to RFC 5755. | ||||
| Throughout, fixed spelling errors in module comments and parameter | ||||
| names. | ||||
| In section 1, added "Also note that the ASN.1 modules in this | ||||
| document have references in their text comments that need to be | ||||
| looked up in original RFCs, and that some of those references may | ||||
| have already been superseded by later RFCs." | ||||
| In RFC 5272, fixed the OID for EnrollmentMessageSyntax. | ||||
| In section 6, changed "RFC-to-be 5480" to "RFC 5480" and added a | ||||
| reference for it. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Paul Hoffman | Paul Hoffman | |||
| VPN Consortium | VPN Consortium | |||
| 127 Segre Place | 127 Segre Place | |||
| Santa Cruz, CA 95060 | Santa Cruz, CA 95060 | |||
| US | US | |||
| Phone: 1-831-426-9827 | Phone: 1-831-426-9827 | |||
| Email: paul.hoffman@vpnc.org | Email: paul.hoffman@vpnc.org | |||
| End of changes. 82 change blocks. | ||||
| 384 lines changed or deleted | 454 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||