< draft-turner-additional-new-asn-01.txt   draft-turner-additional-new-asn-02.txt >
Network Working Group J. Schaad Network Working Group J. Schaad
Internet-Draft Soaring Hawk Consulting Internet-Draft Soaring Hawk Consulting
Intended status: Standards Track S. Turner Intended status: Standards Track S. Turner
Expires: January 12, 2011 IECA, Inc. Expires: May 12, 2011 IECA, Inc.
July 11, 2010 November 8, 2010
Additional New ASN.1 Modules Additional New ASN.1 Modules
draft-turner-additional-new-asn-01 draft-turner-additional-new-asn-02
Abstract Abstract
The Cryptographic Message Syntax (CMS) format, and many associated The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates some conform to the 1988 version of ASN.1. This document updates some
auxiliary ASN.1 modules to conform to the 2008 version of ASN.1. auxiliary ASN.1 modules to conform to the 2008 version of ASN.1.
There are no bits-on-the-wire changes to any of the formats; this is There are no bits-on-the-wire changes to any of the formats; this is
simply a change to the syntax. simply a change to the syntax.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 12, 2011. This Internet-Draft will expire on May 12, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Terminology . . . . . . . . . . . . . . . . . 3 1.1. ASN.1 Updates (2002 to 2008) . . . . . . . . . . . . . . . 3
1.2. Requirements Terminology . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module RFC 3274 . . . . . . . . . . . . . . . . . . . . 5 2. ASN.1 Module RFC 3274 . . . . . . . . . . . . . . . . . . . . 5
3. ASN.1 Module RFC 3379 . . . . . . . . . . . . . . . . . . . . 7 3. ASN.1 Module RFC 3779 . . . . . . . . . . . . . . . . . . . . 8
4. ASN.1 Module RFC 4049 . . . . . . . . . . . . . . . . . . . . 9 4. ASN.1 Module RFC 4049 . . . . . . . . . . . . . . . . . . . . 11
5. ASN.1 Module RFC 4073 . . . . . . . . . . . . . . . . . . . . 10 5. ASN.1 Module RFC 4073 . . . . . . . . . . . . . . . . . . . . 13
6. ASN.1 Module RFC 4231 . . . . . . . . . . . . . . . . . . . . 12 6. ASN.1 Module RFC 4231 . . . . . . . . . . . . . . . . . . . . 15
7. ASN.1 Module RFC 4334 . . . . . . . . . . . . . . . . . . . . 15 7. ASN.1 Module RFC 4334 . . . . . . . . . . . . . . . . . . . . 18
8. ASN.1 Module RFC 5752 . . . . . . . . . . . . . . . . . . . . 17 8. ASN.1 Module RFC 5083 . . . . . . . . . . . . . . . . . . . . 20
9. ASN.1 Module RFC 5652 . . . . . . . . . . . . . . . . . . . . 19 9. ASN.1 Module RFC 5652 . . . . . . . . . . . . . . . . . . . . 22
10. ASN.1 Module RFC 5083 . . . . . . . . . . . . . . . . . . . . 29 10. ASN.1 Module RFC 5752 . . . . . . . . . . . . . . . . . . . . 33
11. Module Identifiers in ASN.1 . . . . . . . . . . . . . . . . . 31 11. Module Identifiers in ASN.1 . . . . . . . . . . . . . . . . . 35
12. Security Considerations . . . . . . . . . . . . . . . . . . . 33 12. Security Considerations . . . . . . . . . . . . . . . . . . . 37
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
14. Normative References . . . . . . . . . . . . . . . . . . . . . 35 14. Normative References . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
In this document we have either change the syntax to use the 2008 In this document we have either change the syntax to use the 2008
ASN.1 standard, or done some updates from previous conversions: ASN.1 standard, or done some updates from previous conversions:
RFC 3274, Compressed Data Content Type for Cryptographic Message RFC 3274, Compressed Data Content Type for Cryptographic Message
Syntax (CMS) [RFC3274] Syntax (CMS) [RFC3274].
RFC 3379, Delegated Path Validation and Delegated Path Discovery RFC 3779, X.509 Extensions for IP Addresses and AS Identifiers
Protocol Requirements [RFC3379] [RFC3779].
RFC 4049, BinaryTime: An Alternate Format for Representing Date RFC 4049, BinaryTime: An Alternate Format for Representing Date
and Time in ASN.1 [RFC4049] and Time in ASN.1 [RFC4049].
RFC 4073, Protecting Multiple Contents with the Cryptographic RFC 4073, Protecting Multiple Contents with the Cryptographic
Message Syntax (CMS) [RFC4073] Message Syntax (CMS) [RFC4073].
RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA- RFC 4231, Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-
256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231] 256, HMAC-SHA-384, and HMAC-SHA-512 [RFC4231].
RFC 4334, Certificate Extensions and Attributes Supporting RFC 4334, Certificate Extensions and Attributes Supporting
Authentication in Point-to-Point Protocol (PPP) and Wireless Local Authentication in Point-to-Point Protocol (PPP) and Wireless Local
Area Networks (WLAN) [RFC4334] Area Networks (WLAN) [RFC4334].
RFC 5752, Multiple Signatures in Cryptographic Message Syntax
(CMS) [RFC5752]
RFC 5652, Cryptogrphic Message Syntax (CMS) [RFC5652]
RFC 5083, Cryptographic Message Syntax (CMS) Authenticated- RFC 5083, Cryptographic Message Syntax (CMS) Authenticated-
Enveloped-Data Content Type [RFC5083]. Enveloped-Data Content Type [RFC5083].
RFC 5652, Cryptographic Message Syntax (CMS) [RFC5652].
RFC 5752, Multiple Signatures in Cryptographic Message Syntax
(CMS) [RFC5752].
Note that some of the modules in this document get some of their Note that some of the modules in this document get some of their
definitions from places different than the modules in the original definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules RFCs. The idea is that these modules, when combined with the modules
in [RFC5912] and [RFC5911] can stand on their own and do not need to in [RFC5912] and [RFC5911] can stand on their own and do not need to
import definitions from anywhere else. import definitions from anywhere else.
1.1. Requirements Terminology 1.1. ASN.1 Updates (2002 to 2008)
The modules defined in this document are compatible with the most
current ASN.1 specification published in 2008 (see [ASN1-2008]). The
changes between the 2002 specification and the 2008 specification
include the creation of some additional pre-defined types (DATE,
DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-OID-IRI, TIME,
TIME-OF-DAY). The ability to define different encoding rules
(ENCODING-CONTROL, INSTRUCTIONS). None of the newly defined tokens
are currently used in any of the ASN.1 specifications published here.
1.2. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. ASN.1 Module RFC 3274 2. ASN.1 Module RFC 3274
We have updated the ASN.1 module associated with this document to be
2008 compliant and to use the set of classes previously defined in
[RFC5911].
CompressedDataContent CompressedDataContent
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) TBD } smime(16) modules(0) TBD4 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CMSVersion, EncapsulatedContentInfo, CMSVersion, EncapsulatedContentInfo,
CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax-2009 FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) TBD } pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }
AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)} id-mod-algorithmInformation-02(58)}
; ;
-- --
-- ContentTypes contains the set of content types that are
-- defined in this module.
-- --
-- The contents of ContentTypes should be added to
-- ContentSet defined in [RFC5652]
-- --
ContentTypes CONTENT-TYPE ::= {ct-compressedData} ContentTypes CONTENT-TYPE ::= {ct-compressedData}
--
-- SMimeCaps contains the set of S/MIME capabilities that
-- are associated with the algorithms defined in this
-- document.
--
-- SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
--
SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps} SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps}
--
-- Define the compressed data content type
--
ct-compressedData CONTENT-TYPE ::= { ct-compressedData CONTENT-TYPE ::= {
CompressedData IDENTIFIED BY id-ct-compressedData TYPE CompressedData IDENTIFIED BY id-ct-compressedData
} }
CompressedData ::= SEQUENCE { CompressedData ::= SEQUENCE {
version CMSVersion, -- Always set to 0 version CMSVersion (v0), -- Always set to 0
compressionAlgorithm CompressionAlgorithmIdentifier, compressionAlgorithm CompressionAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo encapContentInfo EncapsulatedContentInfo
} }
CompressionAlgorithmIdentifier ::= CompressionAlgorithmIdentifier ::=
AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}} AlgorithmIdentifier{COMPRESS-ALGORITHM, {CompressAlgorithmSet}}
CompressAlgorithmSet COMPRESS-ALGORITHM ::= { CompressAlgorithmSet COMPRESS-ALGORITHM ::= {
cpa-zlibCompress, ... cpa-zlibCompress, ...
} }
-- Algorithm Identifiers -- Algorithm Identifiers
id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-alg-zlibCompress OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 8 }
cpa-zlibCompress COMPRESS-ALGORITHM ::= { cpa-zlibCompress COMPRESS-ALGORITHM ::= {
IDENTIFIER id-alg-zlibCompress IDENTIFIER id-alg-zlibCompress
PARAMS TYPE NULL ARE preferredAbsent PARAMS TYPE NULL ARE preferredAbsent
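Review bot: The new Section 1.1 leaves "The ability to define different encoding rules (ENCODING-CONTROL, INSTRUCTIONS)." as a sentence fragment. It reads as a second item in the list of 2002-to-2008 changes, so join it to the preceding sentence, for example "... TIME-OF-DAY) and the ability to define different encoding rules (ENCODING-CONTROL, INSTRUCTIONS)". In the same region, the introduction still says "we have either change the syntax" in both versions (should be "changed"). The new Section 2 lead-in says the module is "associated with this document", whereas the Section 3 and Section 7 lead-ins name the RFC ("associated with RFC 3779", "associated with RFC 4334"); naming RFC 3274 here would remove the ambiguity about which document is meant.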
skipping to change at page 6, line 35 skipping to change at page 7, line 4
-- --
COMPRESS-ALGORITHM ::= CLASS { COMPRESS-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} }
WITH SYNTAX { WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
END END
3. ASN.1 Module RFC 3379 3. ASN.1 Module RFC 3779
IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6) We have updated the ASN.1 module associated with RFC 3779 to be ASN.1
internet(1) security(5) mechanisms(5) pkix(7) mod(0) 2008 compliant and to use the set of classes previously defined in
TBD } [RFC5912].
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) mod(0)
TBD6 }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
-- PKIX specific OIDs and arcs -- IMPORTS
id-pe
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51)}
EXTENSION -- PKIX specific OIDs and arcs --
FROM PKIX-CommonTypes-2009 id-pe
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) FROM PKIX1Explicit-2009
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} { iso(1) identified-organization(3) dod(6) internet(1)
; security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51)}
-- IP Address Delegation Extension OID -- EXTENSION
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57)}
;
ext-pe-ipAddrBlocks EXTENSION ::= { --
SYNTAX IPAddrBlocks -- Extensions contains the set of extensions defined in this
IDENTIFIED BY id-pe-ipAddrBlocks -- module
} --
-- These are intended to be placed in public key certificates
-- and thus should be added to the CertExtensions extension
-- set in PKIXImplicit-2009 defined for [RFC5280]
--
id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 } Extensions EXTENSION ::= {
ext-pe-ipAddrBlocks | ext-pe-autonomousSysIds
}
-- IP Address Delegation Extension Syntax -- -- IP Address Delegation Extension OID --
IPAddrBlocks ::= SEQUENCE OF IPAddressFamily ext-pe-ipAddrBlocks EXTENSION ::= {
SYNTAX IPAddrBlocks
IDENTIFIED BY id-pe-ipAddrBlocks
}
id-pe-ipAddrBlocks OBJECT IDENTIFIER ::= { id-pe 7 }
IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI -- -- IP Address Delegation Extension Syntax --
addressFamily OCTET STRING (SIZE (2..3)),
ipAddressChoice IPAddressChoice }
IPAddressChoice ::= CHOICE { IPAddrBlocks ::= SEQUENCE OF IPAddressFamily
inherit NULL, -- inherit from issuer --
addressesOrRanges SEQUENCE OF IPAddressOrRange }
IPAddressOrRange ::= CHOICE { IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
addressPrefix IPAddress, addressFamily OCTET STRING (SIZE (2..3)),
addressRange IPAddressRange } ipAddressChoice IPAddressChoice }
IPAddressRange ::= SEQUENCE { IPAddressChoice ::= CHOICE {
min IPAddress, inherit NULL, -- inherit from issuer --
max IPAddress } addressesOrRanges SEQUENCE OF IPAddressOrRange }
IPAddress ::= BIT STRING IPAddressOrRange ::= CHOICE {
addressPrefix IPAddress,
addressRange IPAddressRange }
-- Autonomous System Identifier Delegation Extension OID -- IPAddressRange ::= SEQUENCE {
min IPAddress,
max IPAddress }
ext-pe-autonomousSysIds EXTENSION ::= { IPAddress ::= BIT STRING
SYNTAX ASIdentifiers
IDENTIFIED BY id-pe-autonomousSysIds
}
id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 } -- Autonomous System Identifier Delegation Extension OID --
-- Autonomous System Identifier Delegation Extension Syntax -- ext-pe-autonomousSysIds EXTENSION ::= {
SYNTAX ASIdentifiers
IDENTIFIED BY id-pe-autonomousSysIds
}
ASIdentifiers ::= SEQUENCE { id-pe-autonomousSysIds OBJECT IDENTIFIER ::= { id-pe 8 }
asnum [0] ASIdentifierChoice OPTIONAL,
rdi [1] ASIdentifierChoice OPTIONAL }
(WITH COMPONENTS {..., asnum PRESENT} |
WITH COMPONENTS {..., rdi PRESENT})
ASIdentifierChoice ::= CHOICE { -- Autonomous System Identifier Delegation Extension Syntax --
inherit NULL, -- inherit from issuer --
asIdsOrRanges SEQUENCE OF ASIdOrRange }
ASIdOrRange ::= CHOICE { ASIdentifiers ::= SEQUENCE {
id ASId, asnum [0] ASIdentifierChoice OPTIONAL,
range ASRange } rdi [1] ASIdentifierChoice OPTIONAL }
(WITH COMPONENTS {..., asnum PRESENT} |
WITH COMPONENTS {..., rdi PRESENT})
ASRange ::= SEQUENCE { ASIdentifierChoice ::= CHOICE {
min ASId, inherit NULL, -- inherit from issuer --
max ASId } asIdsOrRanges SEQUENCE OF ASIdOrRange }
ASId ::= INTEGER ASIdOrRange ::= CHOICE {
id ASId,
range ASRange }
END ASRange ::= SEQUENCE {
min ASId,
max ASId }
ASId ::= INTEGER
END
4. ASN.1 Module RFC 4049 4. ASN.1 Module RFC 4049
BinarySigningTimeModule-2009 We have updated the ASN.1 module associated with this document to be
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 2008 compliant and to use the set of classes previously defined in
pkcs-9(9) smime(16) modules(0) TBD0 } [RFC5911].
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
-- From PKIX-CommonTypes-2009 [RFC5912] BinarySigningTimeModule-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) TBD6 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
ATTRIBUTE -- From PKIX-CommonTypes-2009 [RFC5912]
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) ATTRIBUTE
security(5) mechanisms(5) pkix(7) id-mod(0) FROM PKIX-CommonTypes-2009
id-mod-pkixCommon-02(57) } { iso(1) identified-organization(3) dod(6) internet(1)
; security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
;
-- --
-- BinaryTime Definition -- BinaryTime Definition
-- --
-- BinaryTime contains the number seconds since -- BinaryTime contains the number seconds since
-- midnight Jan 1, 1970 UTC. -- midnight Jan 1, 1970 UTC.
-- Leap seconds are EXCLUDED from the computation. -- Leap seconds are EXCLUDED from the computation.
-- --
BinaryTime ::= INTEGER (0..MAX) BinaryTime ::= INTEGER (0..MAX)
-- --
-- Signing Binary Time Attribute -- Signing Binary Time Attribute
-- --
-- The binary signing time should be added to the -- The binary signing time should be added to
-- SignedAttributeSet and the AuthenticatedAttributeSet -- SignedAttributeSet and tAuthenticatedAttributeSet
-- in the CMS modules. -- in CMS [RFC5652] and to AuthEnvDataAttributeSet
-- in [RFC5083].
-- --
aa-binarySigningTime ATTRIBUTE ::= { aa-binarySigningTime ATTRIBUTE ::= {
TYPE BinarySigningTime TYPE BinarySigningTime
IDENTIFIED BY id-aa-binarySigningTime } IDENTIFIED BY id-aa-binarySigningTime }
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1) id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 } smime(16) aa(2) 46 }
BinarySigningTime ::= BinaryTime BinarySigningTime ::= BinaryTime
END END
5. ASN.1 Module RFC 4073 5. ASN.1 Module RFC 4073
ContentCollectionModule-2009 We have updated the ASN.1 module associated with this document to be
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 2008 compliant and to use the set of classes previously defined in
pkcs-9(9) smime(16) modules(0) TBD1 } [RFC5911].
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
-- From CryptographicMessageSyntax-2009 [RFC5911] ContentCollectionModule-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) TBD7 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CONTENT-TYPE, ContentInfo -- From CryptographicMessageSyntax-2009 [RFC5911]
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) TBD }
AttributeSet{} CONTENT-TYPE, ContentInfo
FROM PKIX-CommonTypes-2009 FROM CryptographicMessageSyntax-2009
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
security(5) mechanisms(5) pkix(7) id-mod(0) pkcs-9(9) smime(16) modules(0) TBD1 }
id-mod-pkixCommon-02(57) }
;
-- AttributeSet{}, ATTRIBUTE
-- An object set of all content types defined by this module. FROM PKIX-CommonTypes-2009
-- This is to be added to ContentSet in the CMS module { iso(1) identified-organization(3) dod(6) internet(1)
-- security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
;
ContentSet CONTENT-TYPE ::= { --
ct-ContentCollection | ct-ContentWithAttributes, ... -- An object set of all content types defined by this module.
} -- This is to be added to ContentSet in the CMS module
--
-- ContentSet CONTENT-TYPE ::= {
-- Content Collection Content Type and Object Identifier ct-ContentCollection | ct-ContentWithAttributes, ...
-- }
ct-ContentCollection CONTENT TYPE ::= { --
ContentCollection IDENTIFIED BY id-ct-contentCollection } -- Content Collection Content Type and Object Identifier
--
id-ct-contentCollection OBJECT IDENTIFIER ::= { ct-ContentCollection CONTENT-TYPE ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) TYPE ContentCollection IDENTIFIED BY id-ct-contentCollection }
smime(16) ct(1) 19 }
ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo id-ct-contentCollection OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 19 }
-- ContentCollection ::= SEQUENCE SIZE (1..MAX) OF ContentInfo
-- Content With Attributes Content Type and Object Identifier --
-- -- Content With Attributes Content Type and Object Identifier
ct-ContentWithAttributes CONTENT TYPE ::= { --
{ ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }
id-ct-contentWithAttrs OBJECT IDENTIFIER ::= { ct-ContentWithAttributes CONTENT-TYPE ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) TYPE ContentWithAttributes IDENTIFIED BY id-ct-contentWithAttrs }
smime(16) ct(1) 20 }
ContentWithAttributes ::= SEQUENCE { id-ct-contentWithAttrs OBJECT IDENTIFIER ::= {
content ContentInfo, iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
attrs SEQUENCE SIZE (1..MAX) OF AttributeSet smime(16) ct(1) 20 }
{ ContentAttributeSet }
ContentAttributeSet ATTRIBUTE ::= { ... } ContentWithAttributes ::= SEQUENCE {
END content ContentInfo,
attrs SEQUENCE SIZE (1..MAX) OF AttributeSet
{{ ContentAttributeSet }}
}
ContentAttributeSet ATTRIBUTE ::= { ... }
END
6. ASN.1 Module RFC 4231 6. ASN.1 Module RFC 4231
HMAC { TBD } RFC 4231 does not contain an ASN.1 module to be updated. We have
therefore created an ASN.1 module to represent the ASN.1 that is
present in the document. Note that the parameters are defined as
expecting a parameter for the algorithm identifiers in this module,
this is different from most of the algorithms used in PKIX and
S/MIME. There is no concept of being able to truncate the MAC value
in the ASN.1 unlike the XML definitions. This is reflected by not
having a minimum MAC length defined in the ASN.1.
HMAC -- { TBD } --
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
MAC-ALGORITHM, SMIME-CAPS MAC-ALGORITHM, SMIME-CAPS
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0)
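Review bot: The -02 text introduces a typo in the Section 4 comment above aa-binarySigningTime: "tAuthenticatedAttributeSet" should read "AuthenticatedAttributeSet" (the -01 wording was "the AuthenticatedAttributeSet"). Three smaller points in this region. The placeholder TBD6 now labels both IPAddrAndASCertExtn (Section 3) and BinarySigningTimeModule-2009 (Section 4), while the other modules carry distinct labels (TBD4, TBD7, TBD8); the two sit under different arcs, so the assigned values need not collide, but the labels do, and one of them probably wants its own number before the IANA request is written. The new Section 3 comment refers to "PKIXImplicit-2009" although the import a few lines earlier is from "PKIX1Explicit-2009", so the module name in the comment should be checked. The Section 6 header "HMAC -- { TBD } --" comments the module identifier out entirely, unlike every other module shown here; state whether that module is meant to go without an assigned identifier.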
skipping to change at page 14, line 4 skipping to change at page 17, line 12
PARAMS TYPE NULL ARE preferredPresent PARAMS TYPE NULL ARE preferredPresent
IS-KEYED-MAC TRUE IS-KEYED-MAC TRUE
SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384} SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA384}
} }
maca-hMAC-SHA512 MAC-ALGORITHM ::= { maca-hMAC-SHA512 MAC-ALGORITHM ::= {
IDENTIFIER id-hmacWithSHA512 IDENTIFIER id-hmacWithSHA512
PARAMS TYPE NULL ARE preferredPresent PARAMS TYPE NULL ARE preferredPresent
IS-KEYED-MAC TRUE IS-KEYED-MAC TRUE
SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512} SMIME-CAPS {IDENTIFIED BY id-hmacWithSHA512}
} }
END END
7. ASN.1 Module RFC 4334 7. ASN.1 Module RFC 4334
We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
2008 compliant and to use the set of classes previously defined in
[RFC5912].
WLANCertExtn WLANCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
TBD } TBD8 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
EXTENSION, ATTRIBUTE EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
skipping to change at page 17, line 5 skipping to change at page 20, line 5
at-aca-wlanSSID ATTRIBUTE ::= { at-aca-wlanSSID ATTRIBUTE ::= {
TYPE SSIDList TYPE SSIDList
IDENTIFIED BY id-aca-wlanSSID IDENTIFIED BY id-aca-wlanSSID
} }
id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 } id-aca-wlanSSID OBJECT IDENTIFIER ::= { id-aca 7 }
END END
8. ASN.1 Module RFC 5752 8. ASN.1 Module RFC 5083
MultipleSignatures-2009 This module is updated from RFC 5911 [RFC5911] by the following
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) changes:
smime(16) modules(0) TBD2 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS All
-- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for
-- their own purposes.
IMPORTS 1. Define separate attribute sets for the unprotected attributes
used in EnvelopedData, EncryptedData and
AuthenticatedEnvelopedData (RFC 5083).
-- Imports from PKIX-Common-Types-2009 [RFC5912] 2. Define a parameterized type EncryptedContentInfoType so that the
basic type can be used with different algorithm sets (used for
EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
5083)). The parameterized type is assigned to an unparameterized
type of EncryptedContentInfo to minimize the output changes from
previous versions.
ATTRIBUTE The use of different attribute sets for EncryptedData and
FROM PKIX-CommonTypes-2009 EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
{ iso(1) identified-organization(3) dod(6) internet(1) protocol designers can make use of the '08 ASN.1 constraints to
security(5) mechanisms(5) pkix(7) id-mod(0) define different sets of attributes for EncryptedData and
id-mod-pkixCommon-02(57) } EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
Previously, attributes could only be constrained based on whether
they were in the clear or unauthenticated not on the encapsulating
content type.
-- Imports from CryptographicMessageSyntax-2009 [RFC5911] CMS-AuthEnvelopedData-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) TBD2}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier CMSVersion, EncryptedContentInfoType{},
FROM CryptographicMessageSyntax-2009 MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
{ iso(1) member-body(2) us(840) rsadsi(113549) CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
pkcs(1) pkcs-9(9) smime(16) modules(0) TBD } AlgorithmIdentifier{},
aa-signingTime, aa-messageDigest, aa-contentType
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(TBD1)}
-- Imports from ExtendedSecurityServices-2009 [RFC5911] ContentEncryptionAlgs
FROM CMS-AES-CCM-and-AES-GCM-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
;
ESSCertIDv2 ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
FROM ExtendedSecurityServices-2009 ct-authEnvelopedData CONTENT-TYPE ::= {
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) TYPE AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
smime(16) modules(0) id-mod-ess-2006-02(42) } }
;
-- id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
-- Section 3.0 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- smime(16) ct(1) 23}
-- at-multipleSignatures should be added ONLY to the
-- SignedAttributesSet defined in [RFC5652]
--
at-multipleSignatures ATTRIBUTE ::= { AuthEnvelopedData ::= SEQUENCE {
TYPE MultipleSignatures version CMSVersion,
IDENTIFIED BY id-aa-multipleSignatures originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
} recipientInfos RecipientInfos,
id-aa-multipleSignatures OBJECT IDENTIFIER ::= { authEncryptedContentInfo EncryptedContentInfo,
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
id-aa(2) 51 } mac MessageAuthenticationCode,
unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
}
MultipleSignatures ::= SEQUENCE { EncryptedContentInfo ::=
bodyHashAlg DigestAlgorithmIdentifier, EncryptedContentInfoType { AuthContentEncryptionAlgorithmIdentifier }
signAlg SignatureAlgorithmIdentifier,
signAttrsHash SignAttrsHash,
cert ESSCertIDv2 OPTIONAL
}
SignAttrsHash ::= SEQUENCE { AuthContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
algID DigestAlgorithmIdentifier, {CONTENT-ENCRYPTION, {AuthContentEncryptionAlgorithmSet}}
hash OCTET STRING
}
END AuthContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::= {
ContentEncryptionAlgs, ...}
AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}}
UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}}
AuthEnvDataAttributeSet ATTRIBUTE ::= {
aa-contentType | aa-messageDigest | aa-signingTime, ... }
UnauthEnvDataAttributeSet ATTRIBUTE ::= {...}
END
9. ASN.1 Module RFC 5652 9. ASN.1 Module RFC 5652
This module is updated from RFC 5911 [RFC5911] by defining seperate This module is updated from RFC 5911 [RFC5911] by the following
attribute sets for the protected and unprotected attribute sets. By changes:
using different attribute sets for EncryptedData and EnvelopedData as
well as for AuthenticatedData and AuthEnvelopedData, protocol 1. Define separate attribute sets for the unprotected attributes
designers can make use of the '02 ASN.1 constraints to define used in EnvelopedData, EncryptedData and
different sets of attributes for EncryptedData and EnvelopedData and AuthenticatedEnvelopedData (RFC 5083).
for AuthenticatedData and AuthEnvelopedData. Previously, attributes
could only be constrained based on whether they were in the clear or 2. Define a parameterized type EncryptedContentInfoType so that the
unauthenticated not on the encapsulating content type. basic type can be used with algorithm sets (used for
EnvelopedData, EncryptedData and AuthenticatedEnvelopedData (RFC
5083)). The parameterized type is assigned to an unparameterized
type of EncryptedContentInfo to minimize the output changes from
previous versions.
The use of different attribute sets for EncryptedData and
EnvelopedData as well as for AuthenticatedData and AuthEnvelopedData,
protocol designers can make use of the '08 ASN.1 constraints to
define different sets of attributes for EncryptedData and
EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
Previously, attributes could only be constrained based on whether
they were in the clear or unauthenticated not on the encapsulating
content type.
CryptographicMessageSyntax-2009 CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) TBD } pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier AlgorithmIdentifier{}
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)} id-mod-algorithmInformation-02(58)}
SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs, SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs, MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
FROM CryptographicMessageSyntaxAlgorithms-2009 FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
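Review bot: In the AuthEnvelopedData module text added at the top of this hunk, AuthContentEncryptionAlgorithmSet is seeded with ContentEncryptionAlgs, the same set the Section 9 module imports for ordinary content encryption, so the new AuthContentEncryptionAlgorithmIdentifier constraint admits everything in the general content-encryption set rather than only algorithms suitable for authenticated-enveloped data. Suggest starting the set as "{ ... }" or listing only the authenticated-encryption algorithm objects, with a comment stating the intent. Also in this hunk, the rewritten Section 9 paragraph "The use of different attribute sets ... protocol designers can make use of ..." no longer parses (the -01 opening "By using different attribute sets" did), and change item 1 says AuthenticatedEnvelopedData where the module's type is named AuthEnvelopedData.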
skipping to change at page 20, line 20 skipping to change at page 23, line 33
-- Cryptographic Message Syntax -- Cryptographic Message Syntax
-- The following are used for version numbers using the ASN.1 -- The following are used for version numbers using the ASN.1
-- idiom "[[n:" -- idiom "[[n:"
-- Version 1 = PKCS #7 -- Version 1 = PKCS #7
-- Version 2 = S/MIME V2 -- Version 2 = S/MIME V2
-- Version 3 = RFC 2630 -- Version 3 = RFC 2630
-- Version 4 = RFC 3369 -- Version 4 = RFC 3369
-- Version 5 = RFC 3852 -- Version 5 = RFC 3852
CONTENT-TYPE ::= TYPE-IDENTIFIER CONTENT-TYPE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
} WITH SYNTAX {
[TYPE &Type] IDENTIFIED BY &id
}
ContentType ::= CONTENT-TYPE.&id ContentType ::= CONTENT-TYPE.&id
ContentInfo ::= SEQUENCE { ContentInfo ::= SEQUENCE {
contentType CONTENT-TYPE. contentType CONTENT-TYPE.
&id({ContentSet}), &id({ContentSet}),
content [0] EXPLICIT CONTENT-TYPE. content [0] EXPLICIT CONTENT-TYPE.
&Type({ContentSet}{@contentType})} &Type({ContentSet}{@contentType})}
ContentSet CONTENT-TYPE ::= { ContentSet CONTENT-TYPE ::= {
-- Define the set of content types to be recognized. -- Define the set of content types to be recognized.
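Review bot: The replacement of "CONTENT-TYPE ::= TYPE-IDENTIFIER" with a local CLASS is not listed among the changes from RFC 5911 in the Section 9 introduction, which names only the attribute sets and EncryptedContentInfoType. It deserves its own item: the new WITH SYNTAX requires the TYPE keyword, so any module that defines CONTENT-TYPE objects in the old "Foo IDENTIFIED BY id-foo" form has to be edited, and the text should say why &Type is now OPTIONAL given that ContentInfo still declares content as a mandatory field constrained by &Type({ContentSet}{@contentType}).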
skipping to change at page 21, line 40 skipping to change at page 25, line 11
..., ...,
[[2: unprotectedAttrs [1] IMPLICIT Attributes [[2: unprotectedAttrs [1] IMPLICIT Attributes
{{ UnprotectedEnvAttributes }} OPTIONAL ]] } {{ UnprotectedEnvAttributes }} OPTIONAL ]] }
OriginatorInfo ::= SEQUENCE { OriginatorInfo ::= SEQUENCE {
certs [0] IMPLICIT CertificateSet OPTIONAL, certs [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL } crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }
RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo
EncryptedContentInfo ::= SEQUENCE { EncryptedContentInfo ::=
EncryptedContentInfoType { ContentEncryptionAlgorithmIdentifier }
EncryptedContentInfoType { AlgorithmIdentifierType } ::= SEQUENCE {
contentType CONTENT-TYPE.&id({ContentSet}), contentType CONTENT-TYPE.&id({ContentSet}),
contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, contentEncryptionAlgorithm AlgorithmIdentifierType,
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL } encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
-- If you want to do constraints, you might use: -- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE { -- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}), -- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE. -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL } -- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } ) -- { ToBeEncrypted } )
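Review bot: The commented-out "If you want to do constraints" alternative at the end of this hunk was not updated with the parameterization: it still defines EncryptedContentInfo directly with ContentEncryptionAlgorithmIdentifier, so anyone who uncomments it loses EncryptedContentInfoType and the ability to plug in a different algorithm set. Suggest rewriting it against EncryptedContentInfoType { AlgorithmIdentifierType } and, while there, balancing the braces in "ENCRYPTED {CONTENT-TYPE. &Type({ContentSet}{@contentType}) OPTIONAL }", where the ENCRYPTED parameter list is never closed before OPTIONAL.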
skipping to change at page 26, line 28 skipping to change at page 30, line 4
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber CertificateSerialNumber } serialNumber CertificateSerialNumber }
CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) } CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
UserKeyingMaterial ::= OCTET STRING UserKeyingMaterial ::= OCTET STRING
KEY-ATTRIBUTE ::= TYPE-IDENTIFIER KEY-ATTRIBUTE ::= TYPE-IDENTIFIER
OtherKeyAttribute ::= SEQUENCE { OtherKeyAttribute ::= SEQUENCE {
keyAttrId KEY-ATTRIBUTE. keyAttrId KEY-ATTRIBUTE.
&id({SupportedKeyAttributes}), &id({SupportedKeyAttributes}),
keyAttr KEY-ATTRIBUTE. keyAttr KEY-ATTRIBUTE.
&Type({SupportedKeyAttributes}{@keyAttrId})} &Type({SupportedKeyAttributes}{@keyAttrId})}
SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... } SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }
-- Content Type Object Identifiers -- Content Type Object Identifiers
id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }
ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data} ct-Data CONTENT-TYPE ::= {IDENTIFIED BY id-data }
id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }
ct-SignedData CONTENT-TYPE ::= ct-SignedData CONTENT-TYPE ::=
{ SignedData IDENTIFIED BY id-signedData} { TYPE SignedData IDENTIFIED BY id-signedData}
id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
ct-EnvelopedData CONTENT-TYPE ::= ct-EnvelopedData CONTENT-TYPE ::=
{ EnvelopedData IDENTIFIED BY id-envelopedData} { TYPE EnvelopedData IDENTIFIED BY id-envelopedData}
id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }
ct-DigestedData CONTENT-TYPE ::= ct-DigestedData CONTENT-TYPE ::=
{ DigestedData IDENTIFIED BY id-digestedData} { TYPE DigestedData IDENTIFIED BY id-digestedData}
id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }
ct-EncryptedData CONTENT-TYPE ::= ct-EncryptedData CONTENT-TYPE ::=
{ EncryptedData IDENTIFIED BY id-encryptedData} { TYPE EncryptedData IDENTIFIED BY id-encryptedData}
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
ct-AuthenticatedData CONTENT-TYPE ::= ct-AuthenticatedData CONTENT-TYPE ::=
{ AuthenticatedData IDENTIFIED BY id-ct-authData} { TYPE AuthenticatedData IDENTIFIED BY id-ct-authData}
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
-- --
-- The CMS Attributes -- The CMS Attributes
-- --
MessageDigest ::= OCTET STRING MessageDigest ::= OCTET STRING
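Review bot: ct-Data changes from "{OCTET STRING IDENTIFIED BY id-data}" to "{IDENTIFIED BY id-data }", so it is now the only content-type object in this list with no &Type, and nothing here explains the omission. Please add a comment beside ct-Data stating what a decoder should expect in ContentInfo.content when contentType is id-data, since that field is not OPTIONAL and the abstract promises no bits-on-the-wire changes. KEY-ATTRIBUTE at the top of the hunk is still "TYPE-IDENTIFIER"; if CONTENT-TYPE needed its own class, say whether KEY-ATTRIBUTE was left alone on purpose.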
skipping to change at page 29, line 5 skipping to change at page 33, line 5
attrType ATTRIBUTE. attrType ATTRIBUTE.
&id({AttrList}), &id({AttrList}),
attrValues SET OF ATTRIBUTE. attrValues SET OF ATTRIBUTE.
&Type({AttrList}{@attrType}) } &Type({AttrList}{@attrType}) }
Attributes { ATTRIBUTE:AttrList } ::= Attributes { ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }} SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END END
10. ASN.1 Module RFC 5083 10. ASN.1 Module RFC 5752
This module is updated from RFC 5911 [RFC5911] by defining seperate We have updated the ASN.1 module associated with this document to be
attribute sets for the protected and unprotected attribute sets. By 2008 compliant and to use the set of classes previously defined in
using different attribute sets for AuthenticatedData and [RFC5911].
AuthEnvelopedData, protocol designers can make use of the '02 ASN.1
constraints to define different sets of attributes for
AuthenticatedData and AuthEnvelopedData. Previously, attributes
could only be constrained based on whether they were unauthenticated
not on the content type.
CMS-AuthEnvelopedData-2009 MultipleSignatures-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) modules(0) TBD} smime(16) modules(0) TBD9 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS -- EXPORTS All
-- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for
-- their own purposes.
CMSVersion, EncryptedContentInfo, IMPORTS
MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
CONTENT-TYPE, Attributes{}
FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)} ;
ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } -- Imports from PKIX-Common-Types-2009 [RFC5912]
ct-authEnvelopedData CONTENT-TYPE ::= { ATTRIBUTE
AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData FROM PKIX-CommonTypes-2009
} { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
id-ct-authEnvelopedData OBJECT IDENTIFIER ::= -- Imports from CryptographicMessageSyntax-2009 [RFC5911]
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23}
AuthEnvelopedData ::= SEQUENCE { DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
version CMSVersion, FROM CryptographicMessageSyntax-2009
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, { iso(1) member-body(2) us(840) rsadsi(113549)
recipientInfos RecipientInfos, pkcs(1) pkcs-9(9) smime(16) modules(0) TBD1 }
authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode,
unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
}
AuthAttributes ::= Attributes{{AuthEnvDataAttributeSet}} -- Imports from ExtendedSecurityServices-2009 [RFC5911]
UnauthAttributes ::= Attributes{{UnauthEnvDataAttributeSet}} ESSCertIDv2
FROM ExtendedSecurityServices-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006-02(42) }
;
AuthEnvDataAttributeSet ::= {aa-contentType | aa-messageDigest | --
aa-signedTime, ... } -- Section 3.0
--
-- at-multipleSignatures should be added ONLY to the
-- SignedAttributesSet defined in [RFC5652]
--
at-multipleSignatures ATTRIBUTE ::= {
TYPE MultipleSignatures
IDENTIFIED BY id-aa-multipleSignatures
}
UnauthEnvDataAttributeSet ::= {...} id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
id-aa(2) 51 }
MultipleSignatures ::= SEQUENCE {
bodyHashAlg DigestAlgorithmIdentifier,
signAlg SignatureAlgorithmIdentifier,
signAttrsHash SignAttrsHash,
cert ESSCertIDv2 OPTIONAL
}
SignAttrsHash ::= SEQUENCE {
algID DigestAlgorithmIdentifier,
hash OCTET STRING
}
END END
11. Module Identifiers in ASN.1 11. Module Identifiers in ASN.1
One potential issue that can occur when updating modules is the fact One potential issue that can occur when updating modules is the fact
that a large number of modules may need to be updated if they import that a large number of modules may need to be updated if they import
from a newly updated module. This section addresses one method that from a newly updated module. This section addresses one method that
can be used to deal with this problem, but the modules in this can be used to deal with this problem, but the modules in this
document don't currently implement the solution discussed here. document don't currently implement the solution discussed here.
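Review bot: In the MultipleSignatures-2009 module, id-aa-multipleSignatures is written "pkcs(1) pkcs9(9) id-aa(2) 51" with no smime(16) arc, while the module identifier a few lines above and every content-type OID on this page run through "smime(16)"; the value is the same in -01 and -02, so please check it against the assignment, because a wrong arc here changes the encoded attribute type. Smaller points in the same module: the import comment says PKIX-Common-Types-2009 but the FROM clause says PKIX-CommonTypes-2009, the module header spells the arc "pkcs9(9)" where its own imports use "pkcs-9(9)", and the new Section 10 sentence "the ASN.1 module associated with this document" should name RFC 5752.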
skipping to change at page 31, line 26 skipping to change at page 35, line 26
matching using first the object identifier and if that is not present matching using first the object identifier and if that is not present
the textual name of the module. Note however that some older the textual name of the module. Note however that some older
implementations used the textual name of the module for the purposes implementations used the textual name of the module for the purposes
of matching. In a full implementation the name assigned to the of matching. In a full implementation the name assigned to the
module is scoped to the ASN.1 module that it appears in (and thus module is scoped to the ASN.1 module that it appears in (and thus
need to match the module it is importing from). need to match the module it is importing from).
One can create a module that contains only the module number One can create a module that contains only the module number
assignments and import the module assignments from the new module. assignments and import the module assignments from the new module.
This means that when a module is replaced, one can replace the This means that when a module is replaced, one can replace the
previous module, update the module number assigment module and previous module, update the module number assignment module and
recompile without having to modify any other modules. recompile without having to modify any other modules.
A sample module assigment module would be: A sample module assignment module would be:
ModuleNumbers ModuleNumbersxs
DEFINITIONS TAGS ::= DEFINITIONS TAGS ::=
BEGIN BEGIN
id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549) id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) TBD } pkcs(1) pkcs-9(9) smime(16) modules(0) TBD }
id-mod-AlgInfo ::= id-mod-AlgInfo ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1)
mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)} id-mod-algorithmInformation-02(58)}
END END
This would be used in the following import statement: This would be used in the following import statement:
IMPORTS IMPORTS
id-mod-CMS, id-mod-AlgInfo id-mod-CMS, id-mod-AlgInfo
FROM ModuleNumber -- Note it will match on the name since no FROM ModuleNumber -- Note it will match on the name since no
-- OID is provided -- OID is provided
CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE CMSVersion, EncapsulatedContentInfo, CONTENT-TYPE
FROM CryptographicMessageSyntax-2009 FROM CryptographicMessageSyntax-2009
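Review bot: The sample module is renamed from "ModuleNumbers" to "ModuleNumbersxs" in -02, which looks like stray keystrokes, and the import example below it still says "FROM ModuleNumber"; neither spelling matches the other, and the example's own comment says the import is matched on the name because no OID is given. Use one name in both places. The sample also would not compile as written: "DEFINITIONS TAGS ::=" lacks a tagging keyword, and the two assignments omit "OBJECT IDENTIFIER" before "::=".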
skipping to change at page 35, line 13 skipping to change at page 39, line 13
None. None.
14. Normative References 14. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3274] Gutmann, P., "Compressed Data Content Type for [RFC3274] Gutmann, P., "Compressed Data Content Type for
Cryptographic Message Syntax (CMS)", RFC 3274, June 2002. Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.
[RFC3379] Pinkas, D. and R. Housley, "Delegated Path Validation and [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Delegated Path Discovery Protocol Requirements", RFC 3379, Addresses and AS Identifiers", RFC 3779, June 2004.
September 2002.
[RFC4049] Housley, R., "BinaryTime: An Alternate Format for [RFC4049] Housley, R., "BinaryTime: An Alternate Format for
Representing Date and Time in ASN.1", RFC 4049, Representing Date and Time in ASN.1", RFC 4049,
April 2005. April 2005.
[RFC4073] Housley, R., "Protecting Multiple Contents with the [RFC4073] Housley, R., "Protecting Multiple Contents with the
Cryptographic Message Syntax (CMS)", RFC 4073, May 2005. Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
skipping to change at page 35, line 37 skipping to change at page 39, line 36
[RFC4334] Housley, R. and T. Moore, "Certificate Extensions and [RFC4334] Housley, R. and T. Moore, "Certificate Extensions and
Attributes Supporting Authentication in Point-to-Point Attributes Supporting Authentication in Point-to-Point
Protocol (PPP) and Wireless Local Area Networks (WLAN)", Protocol (PPP) and Wireless Local Area Networks (WLAN)",
RFC 4334, February 2006. RFC 4334, February 2006.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083, Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007. November 2007.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, September 2009. RFC 5652, September 2009.
[RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in [RFC5752] Turner, S. and J. Schaad, "Multiple Signatures in
Cryptographic Message Syntax (CMS)", RFC 5752, Cryptographic Message Syntax (CMS)", RFC 5752,
January 2010. January 2010.
[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
June 2010. June 2010.
 End of changes. 123 change blocks. 
301 lines changed or deleted 424 lines changed or added
