< draft-ietf-pkix-ta-format-03.txt   draft-ietf-pkix-ta-format-04.txt >
Network Working Group R. Housley Network Working Group R. Housley
Internet-Draft Vigil Security, LLC Internet-Draft Vigil Security, LLC
Intended status: Standards Track S. Ashmore Intended status: Standards Track S. Ashmore
Expires: November 27, 2009 National Security Agency Expires: April 18, 2010 National Security Agency
C. Wallace C. Wallace
Cygnacom Solutions Cygnacom Solutions
May 26, 2009 October 15, 2009
Trust Anchor Format Trust Anchor Format
draft-ietf-pkix-ta-format-03 draft-ietf-pkix-ta-format-04
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 1, line 45 skipping to change at page 1, line 45
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 27, 2009. This Internet-Draft will expire on April 18, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 26 skipping to change at page 3, line 26
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Trust Anchor Information Syntax . . . . . . . . . . . . . . . 5 2. Trust Anchor Information Syntax . . . . . . . . . . . . . . . 5
2.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Public Key . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Public Key . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Key Identifier . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Key Identifier . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Trust Anchor Title . . . . . . . . . . . . . . . . . . . . 5 2.4. Trust Anchor Title . . . . . . . . . . . . . . . . . . . . 5
2.5. Certification Path Controls . . . . . . . . . . . . . . . 6 2.5. Certification Path Controls . . . . . . . . . . . . . . . 6
2.6. Extensions . . . . . . . . . . . . . . . . . . . . . . . . 9 2.6. Extensions . . . . . . . . . . . . . . . . . . . . . . . . 10
3. Trust Anchor List . . . . . . . . . . . . . . . . . . . . . . 10 3. Trust Anchor List . . . . . . . . . . . . . . . . . . . . . . 11
4. Security Considerations . . . . . . . . . . . . . . . . . . . 11 4. Security Considerations . . . . . . . . . . . . . . . . . . . 12
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Normative References . . . . . . . . . . . . . . . . . . . 13 6.1. Normative References . . . . . . . . . . . . . . . . . . . 14
6.2. Informative References . . . . . . . . . . . . . . . . . . 13 6.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 14 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 15
A.1. ASN.1 Module Using 1993 Syntax . . . . . . . . . . . . . . 14 A.1. ASN.1 Module Using 1993 Syntax . . . . . . . . . . . . . . 15
A.2. ASN.1 Module Using 1988 Syntax . . . . . . . . . . . . . . 15 A.2. ASN.1 Module Using 1988 Syntax . . . . . . . . . . . . . . 16
A.2.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 15 A.2.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
Trust anchors are widely used to verify digital signatures and Trust anchors are widely used to verify digital signatures and
validate certification paths [RFC5280][X.509]. They are required validate certification paths [RFC5280][X.509]. They are required
when validating certification paths. Though widely used, there is no when validating certification paths. Though widely used, there is no
standard format for representing trust anchor information. This standard format for representing trust anchor information. This
document describes the TrustAnchorInfo structure. This structure is document describes the TrustAnchorInfo structure. This structure is
intended to satisfy the format-related requirements expressed in intended to satisfy the format-related requirements expressed in
Trust Anchor Management Requirements Trust Anchor Management Requirements
[I-D.draft-ietf-pkix-ta-mgmt-reqs]. It can provide a more compact [I-D.draft-ietf-pkix-ta-mgmt-reqs] and is expressed using ASN.1
alternative to X.509 certificates for exchanging trust anchor [X.680]. It can provide a more compact alternative to X.509
information and provides a means of associating additional or certificates for exchanging trust anchor information and provides a
alternative constraints with certificates without breaking the means of associating additional or alternative constraints with
signature on the certificate. certificates without breaking the signature on the certificate.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Trust Anchor Information Syntax 2. Trust Anchor Information Syntax
This section describes the TrustAnchorInfo structure. This section describes the TrustAnchorInfo structure.
TrustAnchorInfo ::= SEQUENCE { TrustAnchorInfo ::= SEQUENCE {
version TrustAnchorInfoVersion DEFAULT v1, version TrustAnchorInfoVersion DEFAULT v1,
pubKey SubjectPublicKeyInfo, pubKey SubjectPublicKeyInfo,
keyId KeyIdentifier, keyId KeyIdentifier,
taTitle TrustAnchorTitle OPTIONAL, taTitle TrustAnchorTitle OPTIONAL,
certPath CertPathControls OPTIONAL, certPath CertPathControls OPTIONAL,
exts [1] EXPLICIT Extensions OPTIONAL } exts [1] EXPLICIT Extensions OPTIONAL,
taTitleLangTag [2] UTF8String OPTIONAL }
TrustAnchorInfoVersion ::= INTEGER { v1(1) } TrustAnchorInfoVersion ::= INTEGER { v1(1) }
2.1. Version 2.1. Version
version identifies the version of TrustAnchorInfo. version identifies the version of TrustAnchorInfo. Future updates to
this document may include changes to the TrustAnchorInfo structure,
in which case the version number should be incremented. However, the
default value, v1, cannot be changed.
2.2. Public Key 2.2. Public Key
pubKey identifies the public key and algorithm associated with the pubKey identifies the public key and algorithm associated with the
trust anchor using the SubjectPublicKeyInfo structure. The trust anchor using the SubjectPublicKeyInfo structure [RFC5280]. The
SubjectPublicKeyInfo structure contains the algorithm identifier SubjectPublicKeyInfo structure contains the algorithm identifier
followed by the public key itself. The algorithm field is an followed by the public key itself. The algorithm field is an
AlgorithmIdentifier, which contains an object identifier and OPTIONAL AlgorithmIdentifier, which contains an object identifier and OPTIONAL
parameters. The object identifier names the public key algorithm and parameters. The object identifier names the public key algorithm and
indicates the syntax of the parameters, if present, as well as the indicates the syntax of the parameters, if present, as well as the
format of the public key. The public key is encoded as a BIT STRING. format of the public key. The public key is encoded as a BIT STRING.
2.3. Key Identifier 2.3. Key Identifier
keyId contains the public key identifier of the trust anchor public keyId contains the public key identifier of the trust anchor public
key. key. See section 4.2.1.2 of [RFC5280] for a description of common
key identifier calculation methods.
2.4. Trust Anchor Title 2.4. Trust Anchor Title
TrustAnchorTitle ::= UTF8String (SIZE (1..64)) TrustAnchorTitle ::= UTF8String (SIZE (1..64))
taTitle is OPTIONAL. When it is present, it provides a human taTitle is OPTIONAL. When it is present, it provides a human
readable name for the trust anchor. The text is encoded in UTF-8 readable name for the trust anchor. The text is encoded in UTF-8
[RFC3629], which accommodates most of the world's writing systems. [RFC3629], which accommodates most of the world's writing systems.
The taTitleLangTag field identifies the language used to express the
taTitle. When taTitleLangTag is absent, English is used. The value
of the taTitleLangTag should be a language tag as described in
[RFC5646]
2.5. Certification Path Controls 2.5. Certification Path Controls
CertPathControls ::= SEQUENCE { CertPathControls ::= SEQUENCE {
taName Name, taName Name,
certificate [0] Certificate OPTIONAL, certificate [0] Certificate OPTIONAL,
policySet [1] CertificatePolicies OPTIONAL, policySet [1] CertificatePolicies OPTIONAL,
policyFlags [2] CertPolicyFlags OPTIONAL, policyFlags [2] CertPolicyFlags OPTIONAL,
nameConstr [3] NameConstraints OPTIONAL } nameConstr [3] NameConstraints OPTIONAL,
pathLenConstraint[4] INTEGER (0..MAX) OPTIONAL}
certPath is OPTIONAL. When it is present, it provides the controls certPath is OPTIONAL. When it is present, it provides the controls
needed to initialize an X.509 certification path validation algorithm needed to initialize an X.509 certification path validation algorithm
implementation (see Section 6 in [RFC5280]). When absent, the trust implementation (see Section 6 in [RFC5280]). When absent, the trust
anchor cannot be used to validate the signature on an X.509 anchor cannot be used to validate the signature on an X.509
certificate. certificate.
taName provides the X.500 distinguished name associated with the taName provides the X.500 distinguished name associated with the
trust anchor, and this distinguished name is used to construct and trust anchor, and this distinguished name is used to construct and
validate an X.509 certification path. The name MUST NOT be an empty validate an X.509 certification path. The name MUST NOT be an empty
skipping to change at page 6, line 34 skipping to change at page 6, line 43
certificate provides an OPTIONAL X.509 certificate, which can be used certificate provides an OPTIONAL X.509 certificate, which can be used
in some environments to represent the trust anchor in certification in some environments to represent the trust anchor in certification
path development and validation. If the certificate is present, the path development and validation. If the certificate is present, the
subject name in the certificate MUST exactly match the X.500 subject name in the certificate MUST exactly match the X.500
distinguished name provided in the taName field, the public key MUST distinguished name provided in the taName field, the public key MUST
exactly match the public key in the pubKey field and the exactly match the public key in the pubKey field and the
subjectKeyIdentifier extension, if present, MUST exactly match the subjectKeyIdentifier extension, if present, MUST exactly match the
key identifier in the keyId field. The complete description of the key identifier in the keyId field. The complete description of the
syntax and semantics of the Certificate are provided in [RFC5280]. syntax and semantics of the Certificate are provided in [RFC5280].
Constraints defined in the policySet, policyFlags, nameConstr and Constraints defined in the policySet, policyFlags, nameConstr,
exts fields within TrustAnchorInfo replace values contained in a pathLenConstraint and exts fields within TrustAnchorInfo replace
certificate or provide values for extensions not present in the values contained in a certificate or provide values for extensions
certificate. Values defined in these TrustAnchorInfo fields are not present in the certificate. Values defined in these
always enforced. Extensions included in a certificate are enforced TrustAnchorInfo fields are always enforced. Extensions included in a
only if there is no corresponding value in the TrustAnchorInfo. certificate are enforced only if there is no corresponding value in
Correspondence between extensions within a certificate and the TrustAnchorInfo. Correspondence between extensions within a
TrustAnchorInfo fields is defined as follows: certificate and TrustAnchorInfo fields is defined as follows:
o an id-ce-certificatePolicies certificate extension corresponds to o an id-ce-certificatePolicies certificate extension corresponds to
the CertPathControls.policySet field. the CertPathControls.policySet field.
o an id-ce-policyConstraints certificate extension corresponds to o an id-ce-policyConstraints certificate extension corresponds to
the CertPolicyFlags.inhibitPolicyMapping and the CertPolicyFlags.inhibitPolicyMapping and
CertPolicyFlags.requireExplicitPolicy fields. CertPolicyFlags.requireExplicitPolicy fields.
o an id-ce-inhibitAnyPolicy certificate extension corresponds to the o an id-ce-inhibitAnyPolicy certificate extension corresponds to the
CertPolicyFlags.inhibitAnyPolicy field. CertPolicyFlags.inhibitAnyPolicy field.
o an id-ce-nameConstraints certificate extension corresponds to the o an id-ce-nameConstraints certificate extension corresponds to the
CertPathControls.nameConstr field. CertPathControls.nameConstr field.
o the pathLenConstraint field of an id-ce-basicConstraints
certificate extension corresponds to the
CertPathControls.pathLenConstraint field (the presence of a
CertPathControls structure corresponds to a TRUE value in the cA
field of a BasicConstraints extension).
o any other certificate extension corresponds to the same type of o any other certificate extension corresponds to the same type of
extension in the TrustAnchorInfo.exts field. extension in the TrustAnchorInfo.exts field.
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE { PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId, policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF policyQualifiers SEQUENCE SIZE (1..MAX) OF
PolicyQualifierInfo OPTIONAL } PolicyQualifierInfo OPTIONAL }
skipping to change at page 9, line 5 skipping to change at page 9, line 17
list of permitted names and a list of excluded names. The definition list of permitted names and a list of excluded names. The definition
of GeneralName can be found in [RFC5280]. When it is present, of GeneralName can be found in [RFC5280]. When it is present,
constraints are provided on names (including alternative names) that constraints are provided on names (including alternative names) that
might appear in subsequent X.509 certificates in a certification might appear in subsequent X.509 certificates in a certification
path. This field is used to set the initial-permitted-subtrees and path. This field is used to set the initial-permitted-subtrees and
initial-excluded-subtrees input values to the certification path initial-excluded-subtrees input values to the certification path
validation algorithm described in section 6.1.1 of [RFC5280]. When validation algorithm described in section 6.1.1 of [RFC5280]. When
this field is absent, the initial-permitted-subtrees variable is this field is absent, the initial-permitted-subtrees variable is
unbounded and the initial-excluded-subtrees variable is empty. unbounded and the initial-excluded-subtrees variable is empty.
The pathLenConstraint field gives the maximum number of non-self-
issued intermediate certificates that may follow this certificate in
a valid certification path. (Note: The last certificate in the
certification path is not an intermediate certificate, and is not
included in this limit. Usually, the last certificate is an end
entity certificate, but it can be a CA certificate.) A
pathLenConstraint of zero indicates that no non- self-issued
intermediate certification authority (CA) certificates may follow in
a valid certification path. Where it appears, the pathLenConstraint
field MUST be greater than or equal to zero. Where pathLenConstraint
does not appear, no limit is imposed.
When the trust anchor is used to validate a certification path, When the trust anchor is used to validate a certification path,
CertPathControls provides limitations on certification paths that CertPathControls provides limitations on certification paths that
will successfully validate. An application that is validating a will successfully validate. An application that is validating a
certification path SHOULD NOT ignore these limitations, but the certification path SHOULD NOT ignore these limitations, but the
application can impose additional limitations to ensure that the application can impose additional limitations to ensure that the
validated certification path is appropriate for the intended validated certification path is appropriate for the intended
application context. As input to the certification path validation application context. As input to the certification path validation
algorithm, an application MAY: algorithm, an application MAY:
o Provide a subset of the certification policies provided in the o Provide a subset of the certification policies provided in the
policySet; policySet;
o Provide a TRUE value, if appropriate, for any of the flags in the o Provide a TRUE value, if appropriate, for any of the flags in the
policyFlags; policyFlags;
o Provide a subset of the permitted names provided in the o Provide a subset of the permitted names provided in the
nameConstr; nameConstr;
o Provide additional excluded names to the ones that are provided in o Provide additional excluded names to the ones that are provided in
the nameConstr the nameConstr;
o Provide a smaller value for pathLenConstraint
2.6. Extensions 2.6. Extensions
exts is OPTIONAL. When it is present, it can be used to associate exts is OPTIONAL. When it is present, it can be used to associate
additional information with the trust anchor using the standard additional information with the trust anchor using the standard
Extensions structure. Extensions that are anticipated to be widely Extensions structure. Extensions that are anticipated to be widely
used have been included in the CertPathControls structure to avoid used have been included in the CertPathControls structure to avoid
overhead associated with use of the Extensions structure. To avoid overhead associated with use of the Extensions structure. To avoid
duplication with the CertPathControls field, the following types of duplication with the CertPathControls field, the following types of
extensions MUST NOT appear in the exts field and are ignored if they extensions MUST NOT appear in the exts field and are ignored if they
skipping to change at page 11, line 8 skipping to change at page 12, line 8
{ TrustAnchorList IDENTIFIED BY id-ct-trustAnchorList } { TrustAnchorList IDENTIFIED BY id-ct-trustAnchorList }
The TrustAnchorList structure can be protected using the SignedData The TrustAnchorList structure can be protected using the SignedData
structured defined in the Cryptographic Message Syntax(CMS) structured defined in the Cryptographic Message Syntax(CMS)
[RFC3852]. The id-ct-trustAnchorList object identifier has been [RFC3852]. The id-ct-trustAnchorList object identifier has been
defined to represent TrustAnchorList payloads with CMS structures. defined to represent TrustAnchorList payloads with CMS structures.
4. Security Considerations 4. Security Considerations
Compromise of a trust anchor private key permits unauthorized parties Compromise of a trust anchor private key permits unauthorized parties
to masquerade as the trust anchor. Where TA-based constraints are to masquerade as the trust anchor, with potentially severe
enforced, the unauthorized holder of the trust anchor private key consequences. Where TA-based constraints are enforced, the
will be limited by the certification path controls associated with unauthorized holder of the trust anchor private key will be limited
the trust anchor, as expressed in the certPath and exts fields. For by the certification path controls associated with the trust anchor,
example, name constraints in the trust anchor will determine the name as expressed in the certPath and exts fields. For example, name
space that will be accepted in certificates that are validated using constraints in the trust anchor will determine the name space that
the compromised trust anchor. will be accepted in certificates that are validated using the
compromised trust anchor. Reliance on an inappropriate or incorrrect
trust anchor public key has similar potentially severe consequences.
The compromise of a Certification Authority's (CA's) private key The compromise of a CA's private key leads to the same type of
leads to the same type of problems as the compromise of a trust problems as the compromise of a trust anchor private key. The
anchor private key. The unauthorized holder of the CA private key unauthorized holder of the CA private key will be limited by the
will be limited by the certification path controls associated with certification path controls associated with the trust anchor, as
the trust anchor, as expressed in the certPath field or as an expressed in the certPath field or as an extension.
extension.
Usage of a certificate independent of the TrustAnchorInfo structure Usage of a certificate independent of the TrustAnchorInfo structure
that envelopes it must be carefully managed to avoid violating that envelopes it must be carefully managed to avoid violating
constraints expressed in the TrustAnchorInfo. When enveloping a constraints expressed in the TrustAnchorInfo. When enveloping a
certificate in a TrustAnchorInfo structure, values included in the certificate in a TrustAnchorInfo structure, values included in the
certificate should be evaluated to ensure there is no confusion or certificate should be evaluated to ensure there is no confusion or
conflict with values in the TrustAnchorInfo structure. conflict with values in the TrustAnchorInfo structure.
5. IANA Considerations 5. IANA Considerations
skipping to change at page 13, line 28 skipping to change at page 14, line 28
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004. RFC 3852, July 2004.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
Languages", BCP 47, RFC 5646, September 2009.
[X.680] "ITU-T Recommendation X.680: Information Technology - [X.680] "ITU-T Recommendation X.680: Information Technology -
Abstract Syntax Notation One", 1997. Abstract Syntax Notation One", 1997.
6.2. Informative References 6.2. Informative References
[I-D.draft-ietf-pkix-ta-mgmt-reqs] [I-D.draft-ietf-pkix-ta-mgmt-reqs]
Reddy, R. and C. Wallace, "Trust Anchor Management Reddy, R. and C. Wallace, "Trust Anchor Management
Requirements", draft-ietf-pkix-ta-mgmt-reqs-03 (work in Requirements", draft-ietf-pkix-ta-mgmt-reqs-04 (work in
progress). progress).
[X.509] "ITU-T Recommendation X.509 - The Directory - [X.509] "ITU-T Recommendation X.509 - The Directory -
Authentication Framework", 2000. Authentication Framework", 2000.
Appendix A. ASN.1 Modules Appendix A. ASN.1 Modules
Appendix A.1 provides the normative ASN.1 definitions for the Appendix A.1 provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
[X.680]. It includes definitions imported from [RFC5280] and [X.680]. It includes definitions imported from [RFC5280] and
[I-D.ietf-pkix-new-asn1]. [I-D.ietf-pkix-new-asn1].
A.1. ASN.1 Module Using 1993 Syntax A.1. ASN.1 Module Using 1993 Syntax
TrustAnchorInfoModule TrustAnchorInfoModule
{ joint-iso-ccitt(2) country(16) us(840) organization(1) { joint-iso-ccitt(2) country(16) us(840) organization(1)
gov(101) dod(2) infosec(1) modules(0) 33 } gov(101) dod(2) infosec(1) modules(0) 33 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Certificate, Name, SubjectPublicKeyInfo, TBSCertificate Certificate, Name, SubjectPublicKeyInfo, TBSCertificate
FROM PKIX1Explicit88 -- from [RFC5280] FROM PKIX1Explicit-2009 -- from [I-D.ietf-pkix-new-asn1]
{ iso(1) identified-organization(3) dod(6) internet(1) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
security(5) mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}
id-pkix1-explicit(18) } CertificatePolicies, KeyIdentifier, NameConstraints
CertificatePolicies, KeyIdentifier, NameConstraints FROM PKIX1Implicit-2009 -- from [I-D.ietf-pkix-new-asn1]
FROM PKIX1Implicit88 -- [RFC5280] {iso(1) identified-organization(3) dod(6) internet(1) security(5)
{ iso(1) identified-organization(3) dod(6) internet(1) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
security(5) mechanisms(5) pkix(7) id-mod(0) Extensions
id-pkix1-implicit(19) } FROM PKIX-CommonTypes-2009 -- from [I-D.ietf-pkix-new-asn1]
Extensions { iso(1) identified-organization(3) dod(6) internet(1)
FROM PKIX-CommonTypes -- from [I-D.ietf-pkix-new-asn1] security(5) mechanisms(5) pkix(7) id-mod(0)
{ iso(1) identified-organization(3) dod(6) internet(1) id-mod-pkixCommon-02(57) } ;
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon(43) } ;
TrustAnchorInfo ::= SEQUENCE { TrustAnchorInfo ::= SEQUENCE {
version TrustAnchorInfoVersion DEFAULT v1, version TrustAnchorInfoVersion DEFAULT v1,
pubKey SubjectPublicKeyInfo, pubKey SubjectPublicKeyInfo,
keyId KeyIdentifier, keyId KeyIdentifier,
taTitle TrustAnchorTitle OPTIONAL, taTitle TrustAnchorTitle OPTIONAL,
certPath CertPathControls OPTIONAL, certPath CertPathControls OPTIONAL,
exts [1] EXPLICIT Extensions OPTIONAL } exts [1] EXPLICIT Extensions OPTIONAL,
taTitleLangTag [2] UTF8String OPTIONAL }
TrustAnchorInfoVersion ::= INTEGER { v1(1) } TrustAnchorInfoVersion ::= INTEGER { v1(1) }
TrustAnchorTitle ::= UTF8String (SIZE (1..64)) TrustAnchorTitle ::= UTF8String (SIZE (1..64))
CertPathControls ::= SEQUENCE { CertPathControls ::= SEQUENCE {
taName Name, taName Name,
certificate [0] Certificate OPTIONAL, certificate [0] Certificate OPTIONAL,
policySet [1] CertificatePolicies OPTIONAL, policySet [1] CertificatePolicies OPTIONAL,
policyFlags [2] CertPolicyFlags OPTIONAL, policyFlags [2] CertPolicyFlags OPTIONAL,
nameConstr [3] NameConstraints OPTIONAL } nameConstr [3] NameConstraints OPTIONAL,
pathLenConstraint[4] INTEGER (0..MAX) OPTIONAL}
CertPolicyFlags ::= BIT STRING { CertPolicyFlags ::= BIT STRING {
inhibitPolicyMapping (0), inhibitPolicyMapping (0),
requireExplicitPolicy (1), requireExplicitPolicy (1),
inhibitAnyPolicy (2) } inhibitAnyPolicy (2) }
TrustAnchorList ::= SEQUENCE SIZE (1..MAX) OF TrustAnchorChoice TrustAnchorList ::= SEQUENCE SIZE (1..MAX) OF TrustAnchorChoice
TrustAnchorChoice ::= CHOICE { TrustAnchorChoice ::= CHOICE {
certificate Certificate, certificate Certificate,
skipping to change at page 15, line 42 skipping to change at page 16, line 42
A.2. ASN.1 Module Using 1988 Syntax A.2. ASN.1 Module Using 1988 Syntax
Appendix A.1 provides the normative ASN.1 definitions for the Appendix A.1 provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
[X.680]. [X.680].
A.2.1. ASN.1 Module A.2.1. ASN.1 Module
TrustAnchorInfoModule-88 TrustAnchorInfoModule-88
{ joint-iso-ccitt(2) country(16) us(840) organization(1) { joint-iso-ccitt(2) country(16) us(840) organization(1)
gov(101) dod(2) infosec(1) modules(0) 33 } gov(101) dod(2) infosec(1) modules(0) 37 }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Certificate, Name, Extensions, Certificate, Name, Extensions,
SubjectPublicKeyInfo, TBSCertificate SubjectPublicKeyInfo, TBSCertificate
FROM PKIX1Explicit88 -- from [RFC5280] FROM PKIX1Explicit88 -- from [RFC5280]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) } id-pkix1-explicit(18) }
CertificatePolicies, KeyIdentifier, NameConstraints CertificatePolicies, KeyIdentifier, NameConstraints
FROM PKIX1Implicit88 -- [RFC5280] FROM PKIX1Implicit88 -- [RFC5280]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19) } id-pkix1-implicit(19) }
; ;
TrustAnchorInfo ::= SEQUENCE { TrustAnchorInfo ::= SEQUENCE {
version TrustAnchorInfoVersion DEFAULT v1, version TrustAnchorInfoVersion DEFAULT v1,
pubKey SubjectPublicKeyInfo, pubKey SubjectPublicKeyInfo,
keyId KeyIdentifier, keyId KeyIdentifier,
taTitle TrustAnchorTitle OPTIONAL, taTitle TrustAnchorTitle OPTIONAL,
certPath CertPathControls OPTIONAL, certPath CertPathControls OPTIONAL,
exts [1] EXPLICIT Extensions OPTIONAL } exts [1] EXPLICIT Extensions OPTIONAL,
taTitleLangTag [2] UTF8String OPTIONAL }
TrustAnchorInfoVersion ::= INTEGER { v1(1) } TrustAnchorInfoVersion ::= INTEGER { v1(1) }
TrustAnchorTitle ::= UTF8String (SIZE (1..64)) TrustAnchorTitle ::= UTF8String (SIZE (1..64))
CertPathControls ::= SEQUENCE { CertPathControls ::= SEQUENCE {
taName Name, taName Name,
certificate [0] Certificate OPTIONAL, certificate [0] Certificate OPTIONAL,
policySet [1] CertificatePolicies OPTIONAL, policySet [1] CertificatePolicies OPTIONAL,
policyFlags [2] CertPolicyFlags OPTIONAL, policyFlags [2] CertPolicyFlags OPTIONAL,
nameConstr [3] NameConstraints OPTIONAL } nameConstr [3] NameConstraints OPTIONAL,
pathLenConstraint[4] INTEGER (0..MAX) OPTIONAL}
CertPolicyFlags ::= BIT STRING { CertPolicyFlags ::= BIT STRING {
inhibitPolicyMapping (0), inhibitPolicyMapping (0),
requireExplicitPolicy (1), requireExplicitPolicy (1),
inhibitAnyPolicy (2) } inhibitAnyPolicy (2) }
TrustAnchorList ::= SEQUENCE SIZE (1..MAX) OF TrustAnchorChoice TrustAnchorList ::= SEQUENCE SIZE (1..MAX) OF TrustAnchorChoice
TrustAnchorChoice ::= CHOICE { TrustAnchorChoice ::= CHOICE {
certificate Certificate, certificate Certificate,
 End of changes. 29 change blocks. 
84 lines changed or deleted 120 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/