idnits 2.17.1 draft-hoffman-pkix-new-asn1-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 3166. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 3177. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 3184. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 3190. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 165: '... optionalSignature [0] EXPLICIT Signature OPTIONAL }...' RFC 2119 keyword, line 169: '... requestorName [1] EXPLICIT GeneralName OPTIONAL,...' RFC 2119 keyword, line 171: '... requestExtensions [2] EXPLICIT Extensions OPTIONAL }...' RFC 2119 keyword, line 176: '... certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }...' RFC 2119 keyword, line 182: '... singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }...' (222 more instances...) -- The draft header indicates that this document updates RFC3279, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2560, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC3280, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC2986, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year (Using the creation date from RFC2560, updated by this document, for RFC5378 checks: 1997-10-23) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 8, 2007) is 6013 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 2906 -- Looks like a reference, but probably isn't: '1' on line 2908 -- Looks like a reference, but probably isn't: '2' on line 2909 -- Looks like a reference, but probably isn't: '3' on line 2843 -- Looks like a reference, but probably isn't: '4' on line 2844 -- Looks like a reference, but probably isn't: '5' on line 2845 -- Looks like a reference, but probably isn't: '6' on line 2846 == Missing Reference: 'APPLICATION 1' is mentioned on line 939, but not defined == Missing Reference: 'APPLICATION 2' is mentioned on line 945, but not defined -- Looks like a reference, but probably isn't: '7' on line 2847 -- Looks like a reference, but probably isn't: '8' on line 2848 == Missing Reference: 'PKCS10' is mentioned on line 2022, but not defined == Missing Reference: 'RFC3629' is mentioned on line 2012, but not defined == Missing Reference: 'RFC3066' is mentioned on line 2013, but not defined ** Obsolete undefined reference: RFC 3066 (Obsoleted by RFC 4646, RFC 4647) == Missing Reference: 'RFC2482' is mentioned on line 2015, but not defined ** Obsolete undefined reference: RFC 2482 (Obsoleted by RFC 6082) -- Looks like a reference, but probably isn't: '9' on line 2457 -- Looks like a reference, but probably isn't: '10' on line 2028 -- Looks like a reference, but probably isn't: '11' on line 2029 -- Looks like a reference, but probably isn't: '12' on line 2030 -- Looks like a reference, but probably isn't: '13' on line 2031 -- Looks like a reference, but probably isn't: '14' on line 2032 -- Looks like a reference, but probably isn't: '15' on line 2033 -- Looks like a reference, but probably isn't: '16' on line 2034 -- Looks like a reference, but probably isn't: '17' on line 2035 -- Looks like a reference, but probably isn't: '18' on line 2036 -- Looks like a reference, but probably isn't: '19' on line 2037 -- Looks like a reference, but probably isn't: '20' on line 2038 -- Looks like a reference, but probably isn't: '21' on line 2039 -- Looks like a reference, but probably isn't: '22' on line 2040 -- Looks like a reference, but probably isn't: '23' on line 2041 -- Looks like a reference, but probably isn't: '24' on line 2042 -- Looks like a reference, but probably isn't: '25' on line 2043 -- Looks like a reference, but probably isn't: '26' on line 2044 == Missing Reference: 'PKCS11' is mentioned on line 2616, but not defined == Missing Reference: 'RFC2104' is mentioned on line 2077, but not defined == Missing Reference: 'RFC2202' is mentioned on line 2522, but not defined == Missing Reference: 'CRMF' is mentioned on line 2237, but not defined == Missing Reference: 'CMS' is mentioned on line 2417, but not defined == Missing Reference: 'HMAC' is mentioned on line 2522, but not defined == Unused Reference: 'ETH' is defined on line 3091, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2002' -- Possible downref: Non-RFC (?) normative reference: ref. 'ETH' -- Possible downref: Normative reference to a draft: ref. 'NEW-CMS-SMIME' ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960) ** Downref: Normative reference to an Informational RFC: RFC 2986 ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280) ** Obsolete normative reference: RFC 3281 (Obsoleted by RFC 5755) ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652) Summary: 10 errors (**), 0 flaws (~~), 15 warnings (==), 41 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft VPN Consortium 4 Updates: 2560, 2986, 3279, 3280, J. Schaad 5 3281, 3852, 4210, 4211, SCVP Soaring Hawk Consulting 6 (if approved) November 8, 2007 7 Expires: May 11, 2008 9 New ASN.1 Modules for PKIX 10 draft-hoffman-pkix-new-asn1-00.txt 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on May 11, 2008. 37 Copyright Notice 39 Copyright (C) The IETF Trust (2007). 41 Abstract 43 The PKIX certificate format, and many associated formats, are 44 expressed using ASN.1. The current ASN.1 modules conform to the 1988 45 version of ASN.1. This document updates those ASN.1 modules to 46 conform to the 2002 version of ASN.1. There are no bits-on-the-wire 47 changes to any of the formats; this is simply a change to the syntax. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 1.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 1.1.1. More Modules To Be Added . . . . . . . . . . . . . . . 3 54 1.1.2. Algorithm Structure . . . . . . . . . . . . . . . . . 4 55 1.1.3. Module OIDs Changing . . . . . . . . . . . . . . . . . 4 56 2. ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . . 4 57 3. ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . . 7 58 4. ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . . 8 59 5. ASN.1 Module for RFC 3280 (Explicit) . . . . . . . . . . . . . 14 60 6. ASN.1 Module for RFC 3280 (Implicit) . . . . . . . . . . . . . 26 61 7. ASN.1 Module for RFC 3281 . . . . . . . . . . . . . . . . . . 35 62 8. ASN.1 Module for RFC 3852 (Attribute Certificate v1) . . . . . 40 63 9. ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . . 41 64 10. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . . 51 65 11. ASN.1 Module for RFC-to-be, SCVP . . . . . . . . . . . . . . . 57 66 12. Security Considerations . . . . . . . . . . . . . . . . . . . 66 67 13. Normative References . . . . . . . . . . . . . . . . . . . . . 66 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 67 69 Intellectual Property and Copyright Statements . . . . . . . . . . 68 71 1. Introduction 73 Some developers would like the IETF to use the latest version of 74 ASN.1 in its standards. Most of the RFCs that relate to security 75 protocols still use ASN.1 from the 1988 standard, which has been 76 deprecated. This is particularly true for the standards that relate 77 to PKIX, CMS, and S/MIME. 79 This document updates the following RFCs to use ASN.1 modules that 80 conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all 81 the modules are updated; some are included to simply make the set 82 compete. 84 o RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560] 86 o RFC 2986, PKCS #10 certificate request [RFC2986] 88 o RFC 3279, PKIX algorithms and identifier [RFC3279] 90 o RFC 3280, PKIX certificate and CRL profile [RFC3280] (both the 91 implicit and explicit modules) 93 o RFC 3281, PKIX attribute certificates, version 2 [RFC3281] 95 o RFC 3852, contains PKIX attribute certificates, version 1 96 [RFC3852] 98 o RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210] 100 o RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211] 102 o RFC-to-be, PKIX SCVP (Server-based Certificate Validation 103 Protocol) [SCVP] 105 Note that some of the modules in this document get some of their 106 definitions from places different than the modules in the original 107 RFCs. The idea is that these modules, when combined with the modules 108 in [NEW-CMS-SMIME] can stand on their own and do not need to import 109 definitions from anywhere else. 111 1.1. Issues 113 This section will be removed before final publication. 115 1.1.1. More Modules To Be Added 117 There are many modules from standards-track RFCs that are not listed 118 in this document or the companion document on CMS and S/MIME. We 119 will discuss with the two communities which modules are appropriate 120 for the two documents. We will also consider making "super-modules", 121 individual modules which might update multiple RFCs at one time. We 122 may also add objects to some of the modules. 124 1.1.2. Algorithm Structure 126 Algorithms are currently not defined here. We need to discuss what 127 structure we want for algorithm objects. Currently, we just do 128 "parameter, OID", but we could add more. Because we don't know what 129 the final structure is, the object sets in the various modules are 130 commented out. We will fix this before finishing this project. 132 1.1.3. Module OIDs Changing 134 The OIDs given in the modules in this version of the document are the 135 same as the OIDs from the original modules, even though some of the 136 modules have changed syntax. That is clearly incorrect. In a later 137 version of this document, we will change the OIDs for every changed 138 module. 140 2. ASN.1 Module for RFC 2560 142 OCSP 143 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 144 mechanisms(5) pkix(7) id-mod(0) id-mod-ocsp(14)} 145 DEFINITIONS EXPLICIT TAGS ::= 146 BEGIN 148 IMPORTS 150 AuthorityInfoAccessSyntax, GeneralName 151 FROM PKIX1Implicit88 152 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 153 mechanisms(5) pkix(7) id-mod(0) 19} -- Change module number 155 Name, CertificateSerialNumber, Extensions, id-kp, id-ad-ocsp, 156 Certificate, AlgorithmIdentifier 157 FROM PKIX1Explicit88 158 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 159 mechanisms(5) pkix(7) id-mod(0) 18}; 161 CRLReason ::= INTEGER 163 OCSPRequest ::= SEQUENCE { 164 tbsRequest TBSRequest, 165 optionalSignature [0] EXPLICIT Signature OPTIONAL } 167 TBSRequest ::= SEQUENCE { 168 version [0] EXPLICIT Version DEFAULT v1, 169 requestorName [1] EXPLICIT GeneralName OPTIONAL, 170 requestList SEQUENCE OF Request, 171 requestExtensions [2] EXPLICIT Extensions OPTIONAL } 173 Signature ::= SEQUENCE { 174 signatureAlgorithm AlgorithmIdentifier, 175 signature BIT STRING, 176 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 178 Version ::= INTEGER { v1(0) } 180 Request ::= SEQUENCE { 181 reqCert CertID, 182 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } 184 CertID ::= SEQUENCE { 185 hashAlgorithm AlgorithmIdentifier, 186 issuerNameHash OCTET STRING, -- Hash of Issuer's DN 187 issuerKeyHash OCTET STRING, -- Hash of Issuers public key 188 serialNumber CertificateSerialNumber } 190 OCSPResponse ::= SEQUENCE { 191 responseStatus OCSPResponseStatus, 192 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 194 OCSPResponseStatus ::= ENUMERATED { 195 successful (0), --Response has valid confirmations 196 malformedRequest (1), --Illegal confirmation request 197 internalError (2), --Internal error in issuer 198 tryLater (3), --Try again later 199 -- (4) is not used 200 sigRequired (5), --Must sign the request 201 unauthorized (6) --Request unauthorized 202 } 204 ResponseBytes ::= SEQUENCE { 205 responseType OBJECT IDENTIFIER, 206 response OCTET STRING } 208 BasicOCSPResponse ::= SEQUENCE { 209 tbsResponseData ResponseData, 210 signatureAlgorithm AlgorithmIdentifier, 211 signature BIT STRING, 212 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 214 ResponseData ::= SEQUENCE { 215 version [0] EXPLICIT Version DEFAULT v1, 216 responderID ResponderID, 217 producedAt GeneralizedTime, 218 responses SEQUENCE OF SingleResponse, 219 responseExtensions [1] EXPLICIT Extensions OPTIONAL } 221 ResponderID ::= CHOICE { 222 byName [1] Name, 223 byKey [2] KeyHash } 225 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key 226 -- (excluding the tag and length fields) 228 SingleResponse ::= SEQUENCE { 229 certID CertID, 230 certStatus CertStatus, 231 thisUpdate GeneralizedTime, 232 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 233 singleExtensions [1] EXPLICIT Extensions OPTIONAL } 235 CertStatus ::= CHOICE { 236 good [0] IMPLICIT NULL, 237 revoked [1] IMPLICIT RevokedInfo, 238 unknown [2] IMPLICIT UnknownInfo } 240 RevokedInfo ::= SEQUENCE { 241 revocationTime GeneralizedTime, 242 revocationReason [0] EXPLICIT CRLReason OPTIONAL } 244 UnknownInfo ::= NULL -- this can be replaced with an enumeration 246 ArchiveCutoff ::= GeneralizedTime 248 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER 250 ServiceLocator ::= SEQUENCE { 251 issuer Name, 252 locator AuthorityInfoAccessSyntax } 254 -- Object Identifiers 256 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 257 id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } 258 id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } 259 id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } 260 id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } 261 id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } 262 id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } 263 id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } 264 id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } 266 END 268 3. ASN.1 Module for RFC 2986 270 PKCS-10 271 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10) 272 modules(1) pkcs-10(1)} 273 DEFINITIONS IMPLICIT TAGS ::= 274 BEGIN 275 IMPORTS 277 ALGORITHM, ATTRIBUTE, Name 278 FROM PKIX1Explicit88 279 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 280 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }; 282 -- Certificate requests 283 CertificationRequestInfo ::= SEQUENCE { 284 version INTEGER { v1(0) } (v1, ... ), 285 subject Name, 286 subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, 287 attributes [0] Attributes{{ CRIAttributes }} 288 } 290 SubjectPublicKeyInfo {ALGORITHM: IOSet} ::= SEQUENCE { 291 algorithm AlgorithmIdentifier {{IOSet}}, 292 subjectPublicKey BIT STRING 293 } 295 PKInfoAlgorithms ALGORITHM ::= { 296 ... -- add any locally defined algorithms here -- } 298 Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} 300 CRIAttributes ATTRIBUTE ::= { 301 ... -- add any locally defined attributes here -- } 303 Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { 304 type ATTRIBUTE.&id({IOSet}), 305 values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) 306 } 307 CertificationRequest ::= SEQUENCE { 308 certificationRequestInfo CertificationRequestInfo, 309 signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }}, 310 signature BIT STRING 311 } 313 AlgorithmIdentifier {ALGORITHM:IOSet } ::= SEQUENCE { 314 algorithm ALGORITHM.&id({IOSet}), 315 parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL 316 } 318 SignatureAlgorithms ALGORITHM ::= { 319 ... -- add any locally defined algorithms here -- } 321 END 323 4. ASN.1 Module for RFC 3279 325 PKIX1Algorithms88 326 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 327 mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-algorithms(17) } 328 DEFINITIONS EXPLICIT TAGS ::= 329 BEGIN 331 -- 332 -- One-way Hash Functions 333 -- 335 md2 OBJECT IDENTIFIER ::= { 336 iso(1) member-body(2) us(840) rsadsi(113549) 337 digestAlgorithm(2) 2 } 339 md5 OBJECT IDENTIFIER ::= { 340 iso(1) member-body(2) us(840) rsadsi(113549) 341 digestAlgorithm(2) 5 } 343 id-sha1 OBJECT IDENTIFIER ::= { 344 iso(1) identified-organization(3) oiw(14) secsig(3) 345 algorithms(2) 26 } 347 -- 348 -- DSA Keys and Signatures 349 -- 351 -- OID for DSA public key 352 id-dsa OBJECT IDENTIFIER ::= { 353 iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } 355 -- encoding for DSA public key 357 DSAPublicKey ::= INTEGER -- public key, y 359 Dss-Parms ::= SEQUENCE { 360 p INTEGER, 361 q INTEGER, 362 g INTEGER } 364 -- OID for DSA signature generated with SHA-1 hash 366 id-dsa-with-sha1 OBJECT IDENTIFIER ::= { 367 iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 } 369 -- encoding for DSA signature generated with SHA-1 hash 371 Dss-Sig-Value ::= SEQUENCE { 372 r INTEGER, 373 s INTEGER } 375 -- 376 -- RSA Keys and Signatures 377 -- 379 -- arc for RSA public key and RSA signature OIDs 381 pkcs-1 OBJECT IDENTIFIER ::= { 382 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } 384 -- OID for RSA public keys 386 rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } 388 -- OID for RSA signature generated with MD2 hash 390 md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } 392 -- OID for RSA signature generated with MD5 hash 394 md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } 396 -- OID for RSA signature generated with SHA-1 hash 398 sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } 399 -- encoding for RSA public key 401 RSAPublicKey ::= SEQUENCE { 402 modulus INTEGER, -- n 403 publicExponent INTEGER } -- e 405 -- 406 -- Diffie-Hellman Keys 407 -- 409 dhpublicnumber OBJECT IDENTIFIER ::= { 410 iso(1) member-body(2) us(840) ansi-x942(10046) 411 number-type(2) 1 } 413 -- encoding for DSA public key 415 DHPublicKey ::= INTEGER -- public key, y = g^x mod p 417 DomainParameters ::= SEQUENCE { 418 p INTEGER, -- odd prime, p=jq +1 419 g INTEGER, -- generator, g 420 q INTEGER, -- factor of p-1 421 j INTEGER OPTIONAL, -- subgroup factor, j>= 2 422 validationParms ValidationParms OPTIONAL } 424 ValidationParms ::= SEQUENCE { 425 seed BIT STRING, 426 pgenCounter INTEGER } 428 -- 429 -- KEA Keys 430 -- 432 id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= 433 { 2 16 840 1 101 2 1 1 22 } 435 KEA-Parms-Id ::= OCTET STRING 437 -- 438 -- Elliptic Curve Keys, Signatures, and Curves 439 -- 441 ansi-X9-62 OBJECT IDENTIFIER ::= { 442 iso(1) member-body(2) us(840) 10045 } 444 FIELD-ID ::= TYPE-IDENTIFIER 446 FieldID ::= -- Finite field 447 SEQUENCE { 448 fieldType FIELD-ID. 449 &id({SupportedFields}), 450 parameters FIELD-ID. 451 &Type({SupportedFields}{@fieldType}) OPTIONAL 452 } 454 SupportedFields FIELD-ID ::= 455 {fid-prime-field | fid-characteristic-two-field} 457 -- Arc for ECDSA signature OIDS 459 id-ecSigType OBJECT IDENTIFIER ::= { ansi-X9-62 signatures(4) } 461 -- OID for ECDSA signatures with SHA-1 463 ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 } 465 -- OID for an elliptic curve signature 466 -- format for the value of an ECDSA signature value 468 ECDSA-Sig-Value ::= SEQUENCE { 469 r INTEGER, 470 s INTEGER } 472 -- recognized field type OIDs are defined in the following arc 474 id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) } 476 -- where fieldType is prime-field, the parameters are of type Prime-p 478 fid-prime-field FIELD-ID ::= {Prime-p IDENTIFIED BY prime-field} 480 prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } 482 Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime 484 -- where fieldType is characteristic-two-field, the parameters are 485 -- of type Characteristic-two 487 fid-characteristic-two-field FIELD-ID ::= 488 {Characteristic-two IDENTIFIED BY characteristic-two-field} 490 characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 } 492 CHARACTERISTIC-TWO ::= TYPE-IDENTIFIER 494 Characteristic-two ::= SEQUENCE { 495 m INTEGER, -- Field size 2^m 496 basis CHARACTERISTIC-TWO. 497 &id({SupportedCharacteristicTwo}), 498 parameters CHARACTERISTIC-TWO. 499 &Type({SupportedCharacteristicTwo}{@basis}) 500 } 502 SupportedCharacteristicTwo CHARACTERISTIC-TWO ::= 503 {char2-gnBasis | char2-tpBasis | char2-ppBasis } 505 -- recognized basis type OIDs are defined in the following arc 507 id-characteristic-two-basis OBJECT IDENTIFIER ::= { 508 characteristic-two-field basisType(3) } 510 -- gnbasis is identified by OID gnBasis and indicates 511 -- parameters are NULL 513 char2-gnBasis CHARACTERISTIC-TWO ::= {NULL IDENTIFIED BY gnBasis} 515 gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 } 517 -- parameters for this basis are NULL 519 -- trinomial basis is identified by OID tpBasis and indicates 520 -- parameters of type Pentanomial 522 char2-tpBasis CHARACTERISTIC-TWO ::= 523 {Trinomial IDENTIFIED BY tpBasis} 525 tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 } 527 -- Trinomial basis representation of F2^m 528 -- Integer k for reduction polynomial xm + xk + 1 530 Trinomial ::= INTEGER 532 -- for pentanomial basis is identified by OID ppBasis and indicates 533 -- parameters of type Pentanomial 535 char2-ppBasis CHARACTERISTIC-TWO ::= 536 {Pentanomial IDENTIFIED BY ppBasis} 538 ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 } 540 -- Pentanomial basis representation of F2^m 541 -- reduction polynomial integers k1, k2, k3 542 -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1 543 Pentanomial ::= SEQUENCE { 544 k1 INTEGER, 545 k2 INTEGER, 546 k3 INTEGER } 548 -- The object identifiers gnBasis, tpBasis and ppBasis name 549 -- three kinds of basis for characteristic-two finite fields 551 FieldElement ::= OCTET STRING -- Finite field element 553 ECPoint ::= OCTET STRING -- Elliptic curve point 555 -- Elliptic Curve parameters may be specified explicitly, 556 -- specified implicitly through a "named curve", or 557 -- inherited from the CA 559 EcpkParameters ::= CHOICE { 560 ecParameters ECParameters, 561 namedCurve OBJECT IDENTIFIER, 562 implicitlyCA NULL } 564 ECParameters ::= SEQUENCE { -- Elliptic curve parameters 565 version ECPVer, 566 fieldID FieldID, 567 curve Curve, 568 base ECPoint, -- Base point G 569 order INTEGER, -- Order n of the base point 570 cofactor INTEGER OPTIONAL } -- The integer h = #E(Fq)/n 572 ECPVer ::= INTEGER {ecpVer1(1)} 574 Curve ::= SEQUENCE { 575 a FieldElement, -- Elliptic curve coefficient a 576 b FieldElement, -- Elliptic curve coefficient b 577 seed BIT STRING OPTIONAL } 579 id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) } 581 id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 } 583 -- Named Elliptic Curves in ANSI X9.62. 585 ellipticCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) } 587 c-TwoCurve OBJECT IDENTIFIER ::= { 588 ellipticCurve characteristicTwo(0) } 590 c2pnb163v1 OBJECT IDENTIFIER ::= { c-TwoCurve 1 } 591 c2pnb163v2 OBJECT IDENTIFIER ::= { c-TwoCurve 2 } 592 c2pnb163v3 OBJECT IDENTIFIER ::= { c-TwoCurve 3 } 593 c2pnb176w1 OBJECT IDENTIFIER ::= { c-TwoCurve 4 } 594 c2tnb191v1 OBJECT IDENTIFIER ::= { c-TwoCurve 5 } 595 c2tnb191v2 OBJECT IDENTIFIER ::= { c-TwoCurve 6 } 596 c2tnb191v3 OBJECT IDENTIFIER ::= { c-TwoCurve 7 } 597 c2onb191v4 OBJECT IDENTIFIER ::= { c-TwoCurve 8 } 598 c2onb191v5 OBJECT IDENTIFIER ::= { c-TwoCurve 9 } 599 c2pnb208w1 OBJECT IDENTIFIER ::= { c-TwoCurve 10 } 600 c2tnb239v1 OBJECT IDENTIFIER ::= { c-TwoCurve 11 } 601 c2tnb239v2 OBJECT IDENTIFIER ::= { c-TwoCurve 12 } 602 c2tnb239v3 OBJECT IDENTIFIER ::= { c-TwoCurve 13 } 603 c2onb239v4 OBJECT IDENTIFIER ::= { c-TwoCurve 14 } 604 c2onb239v5 OBJECT IDENTIFIER ::= { c-TwoCurve 15 } 605 c2pnb272w1 OBJECT IDENTIFIER ::= { c-TwoCurve 16 } 606 c2pnb304w1 OBJECT IDENTIFIER ::= { c-TwoCurve 17 } 607 c2tnb359v1 OBJECT IDENTIFIER ::= { c-TwoCurve 18 } 608 c2pnb368w1 OBJECT IDENTIFIER ::= { c-TwoCurve 19 } 609 c2tnb431r1 OBJECT IDENTIFIER ::= { c-TwoCurve 20 } 611 primeCurve OBJECT IDENTIFIER ::= { ellipticCurve prime(1) } 613 prime192v1 OBJECT IDENTIFIER ::= { primeCurve 1 } 614 prime192v2 OBJECT IDENTIFIER ::= { primeCurve 2 } 615 prime192v3 OBJECT IDENTIFIER ::= { primeCurve 3 } 616 prime239v1 OBJECT IDENTIFIER ::= { primeCurve 4 } 617 prime239v2 OBJECT IDENTIFIER ::= { primeCurve 5 } 618 prime239v3 OBJECT IDENTIFIER ::= { primeCurve 6 } 619 prime256v1 OBJECT IDENTIFIER ::= { primeCurve 7 } 621 END 623 5. ASN.1 Module for RFC 3280 (Explicit) 625 PKIX1Explicit88 626 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 627 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } 628 DEFINITIONS EXPLICIT TAGS ::= 629 BEGIN 631 id-pkix OBJECT IDENTIFIER ::= 632 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 633 mechanisms(5) pkix(7) } 635 -- PKIX arcs 636 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } 637 -- arc for private certificate extensions 638 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } 639 -- arc for policy qualifier types 640 id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 641 -- arc for extended key purpose OIDS 642 id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } 643 -- arc for access descriptors 645 -- policyQualifierIds for Internet policy qualifiers 647 id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } 648 -- OID for CPS qualifier 649 id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } 650 -- OID for user notice qualifier 652 -- access descriptor definitions 654 id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } 655 id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } 656 id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } 657 id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } 659 -- attribute data types 661 ATTRIBUTE ::= TYPE-IDENTIFIER 663 Attribute ::= SEQUENCE { 664 type ATTRIBUTE.&id({SupportedAttributes}), 665 values SET OF ATTRIBUTE.&Type({SupportedAttributes}{@type}) 666 } 667 -- at least one value is required 669 SupportedAttributes ATTRIBUTE ::= 670 { commonName | x520name | x520LocalityName | 671 x520StateOrProvinceName | x520OrganizationName | 672 x520OrganizationalUnitName | x520Title | x520dnQualifier | 673 x520countryName | x520SerialNumber | x520Pseudonym | 674 domainComponent | emailAddress, ... } 676 AttributeType ::= OBJECT IDENTIFIER 678 AttributeTypeAndValue ::= SEQUENCE { 679 type ATTRIBUTE.&id({SupportedAttributes}), 680 value ATTRIBUTE.&Type({SupportedAttributes}{@type}) } 682 -- suggested naming attributes: Definition of the following 683 -- information object set may be augmented to meet local 684 -- requirements. Note that deleting members of the set may 685 -- prevent interoperability with conforming implementations. 686 -- presented in pairs: the AttributeType followed by the 687 -- type definition for the corresponding AttributeValue 688 --Arc for standard naming attributes 690 id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } 692 -- Naming attributes of type X520name 694 id-at-name AttributeType ::= { id-at 41 } 695 id-at-surname AttributeType ::= { id-at 4 } 696 id-at-givenName AttributeType ::= { id-at 42 } 697 id-at-initials AttributeType ::= { id-at 43 } 698 id-at-generationQualifier AttributeType ::= { id-at 44 } 700 -- Directory string type -- 702 DirectoryString{INTEGER:maxSize} ::= CHOICE { 703 teletexString TeletexString(SIZE (1..maxSize)), 704 printableString PrintableString(SIZE(1..maxSize)), 705 universalString UniversalString(SIZE(1..maxSize)), 706 utf8String UTF8String(SIZE(1..maxSize)), 707 bmpString BMPString(SIZE(1..maxSize)) 708 } 710 x520name ATTRIBUTE ::= { X520name IDENTIFIED BY id-at-name } 711 X520name ::= DirectoryString {ub-name} 713 -- Naming attributes of type X520CommonName 715 id-at-commonName AttributeType ::= { id-at 3 } 717 commonName ATTRIBUTE ::= {CommonName IDENTIFIED BY id-at-commonName } 718 CommonName ::= DirectoryString {ub-common-name} 720 -- Naming attributes of type X520LocalityName 722 id-at-localityName AttributeType ::= { id-at 7 } 724 x520LocalityName ATTRIBUTE ::= { DirectoryString {ub-locality-name} 725 IDENTIFIED BY id-at-localityName } 727 -- Naming attributes of type X520StateOrProvinceName 729 id-at-stateOrProvinceName AttributeType ::= { id-at 8 } 731 x520StateOrProvinceName ATTRIBUTE ::= 732 { DirectoryString {ub-state-name} 733 IDENTIFIED BY id-at-stateOrProvinceName } 735 -- Naming attributes of type X520OrganizationName 737 id-at-organizationName AttributeType ::= { id-at 10 } 739 x520OrganizationName ATTRIBUTE ::= 740 { DirectoryString {ub-organization-name} 741 IDENTIFIED BY id-at-organizationName } 743 -- Naming attributes of type X520OrganizationalUnitName 745 id-at-organizationalUnitName AttributeType ::= { id-at 11 } 747 x520OrganizationalUnitName ATTRIBUTE ::= 748 { DirectoryString {ub-organizational-unit-name} 749 IDENTIFIED BY id-at-organizationalUnitName } 751 -- Naming attributes of type X520Title 753 id-at-title AttributeType ::= { id-at 12 } 755 x520Title ATTRIBUTE ::= { DirectoryString { ub-title } 756 IDENTIFIED BY id-at-title } 758 -- Naming attributes of type X520dnQualifier 760 id-at-dnQualifier AttributeType ::= { id-at 46 } 762 x520dnQualifier ATTRIBUTE ::= { PrintableString 763 IDENTIFIED BY id-at-dnQualifier } 765 -- Naming attributes of type X520countryName (digraph from IS 3166) 767 id-at-countryName AttributeType ::= { id-at 6 } 769 x520countryName ATTRIBUTE ::= { PrintableString (SIZE (2)) 770 IDENTIFIED BY id-at-countryName } 772 -- Naming attributes of type X520SerialNumber 774 id-at-serialNumber AttributeType ::= { id-at 5 } 776 x520SerialNumber ATTRIBUTE ::= {PrintableString 777 (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber } 779 -- Naming attributes of type X520Pseudonym 780 id-at-pseudonym AttributeType ::= { id-at 65 } 782 x520Pseudonym ATTRIBUTE ::= { DirectoryString {ub-pseudonym} 783 IDENTIFIED BY id-at-pseudonym } 784 -- Naming attributes of type DomainComponent (from RFC 2247) 786 id-domainComponent AttributeType ::= 787 { 0 9 2342 19200300 100 1 25 } 789 domainComponent ATTRIBUTE ::= {IA5String 790 IDENTIFIED BY id-domainComponent } 792 -- Legacy attributes 794 pkcs-9 OBJECT IDENTIFIER ::= 795 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } 797 id-emailAddress AttributeType ::= { pkcs-9 1 } 799 emailAddress ATTRIBUTE ::= {IA5String 800 (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY 801 id-emailAddress } 803 -- naming data types -- 805 Name ::= CHOICE { -- only one possibility for now -- 806 rdnSequence RDNSequence } 808 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 810 DistinguishedName ::= RDNSequence 812 RelativeDistinguishedName ::= 813 SET SIZE (1 .. MAX) OF AttributeTypeAndValue 815 -- certificate and CRL specific structures begin here 817 Certificate ::= SIGNED{TBSCertificate} 819 TBSCertificate ::= SEQUENCE { 820 version [0] Version DEFAULT v1, 821 serialNumber CertificateSerialNumber, 822 signature AlgorithmIdentifier, 823 issuer Name, 824 validity Validity, 825 subject Name, 826 subjectPublicKeyInfo SubjectPublicKeyInfo, 827 ... , 829 [[2: -- If present, version MUST be v2 or v3 830 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 831 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL 832 ]], 833 [[3: -- If present, version MUST be v3 -- 834 extensions [3] Extensions OPTIONAL 835 ]], ... } 837 Version ::= INTEGER { v1(0), v2(1), v3(2) } 839 CertificateSerialNumber ::= INTEGER 841 Validity ::= SEQUENCE { 842 notBefore Time, 843 notAfter Time } 845 Time ::= CHOICE { 846 utcTime UTCTime, 847 generalTime GeneralizedTime } 849 UniqueIdentifier ::= BIT STRING 851 SubjectPublicKeyInfo ::= SEQUENCE { 852 algorithm AlgorithmIdentifier, 853 subjectPublicKey BIT STRING } 855 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 857 EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE, 858 &ExtnType 859 }WITH SYNTAX {SYNTAX &ExtnType 860 IDENTIFIED BY &id 861 } 863 Extension ::= SEQUENCE { 864 extnID EXTENSION.&id({ExtensionSet}), 865 critical BOOLEAN DEFAULT FALSE, 866 extnValue OCTET STRING (CONTAINING 867 EXTENSION.&ExtnType({ExtensionSet}{@extnID})) 868 } 870 ExtensionSet EXTENSION ::= { ... } 872 -- CRL structures 874 CertificateList ::= SIGNED{TBSCertList} 876 TBSCertList ::= SEQUENCE { 877 version Version OPTIONAL, 878 -- if present, MUST be v2 879 signature AlgorithmIdentifier, 880 issuer Name, 881 thisUpdate Time, 882 nextUpdate Time OPTIONAL, 883 revokedCertificates SEQUENCE OF SEQUENCE { 884 userCertificate CertificateSerialNumber, 885 revocationDate Time, 886 ... , 887 [[2: -- if present, MUST be v2 888 crlEntryExtensions Extensions OPTIONAL 889 ]], ... 890 } OPTIONAL, 891 ... , 892 [[2: -- if present, MUST be v2 893 crlExtensions [0] Extensions OPTIONAL 894 ]], ... } 896 -- Version, Time, CertificateSerialNumber, and Extensions were 897 -- defined earlier for use in the certificate structure 899 ALGORITHM ::= TYPE-IDENTIFIER 901 AlgorithmIdentifier ::= SEQUENCE { 902 algorithm ALGORITHM. 903 &id({SupportedAlgorithms}), 904 parameters ALGORITHM. 905 &Type({SupportedAlgorithms}{@algorithm}) OPTIONAL } 906 -- contains a value of the type 907 -- registered for use with the 908 -- algorithm object identifier value 910 SupportedAlgorithms ALGORITHM ::= { ... } 912 -- X.400 address syntax starts here 914 ORAddress ::= SEQUENCE { 915 built-in-standard-attributes BuiltInStandardAttributes, 916 built-in-domain-defined-attributes 917 BuiltInDomainDefinedAttributes OPTIONAL, 918 -- see also teletex-domain-defined-attributes 919 extension-attributes ExtensionAttributes OPTIONAL } 921 -- Built-in Standard Attributes 922 BuiltInStandardAttributes ::= SEQUENCE { 923 country-name CountryName OPTIONAL, 924 administration-domain-name AdministrationDomainName OPTIONAL, 925 network-address [0] IMPLICIT NetworkAddress OPTIONAL, 926 -- see also extended-network-address 927 terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, 928 private-domain-name [2] PrivateDomainName OPTIONAL, 929 organization-name [3] IMPLICIT OrganizationName OPTIONAL, 930 -- see also teletex-organization-name 931 numeric-user-identifier [4] IMPLICIT NumericUserIdentifier 932 OPTIONAL, 933 personal-name [5] IMPLICIT PersonalName OPTIONAL, 934 -- see also teletex-personal-name 935 organizational-unit-names [6] IMPLICIT OrganizationalUnitNames 936 OPTIONAL } 937 -- see also teletex-organizational-unit-names 939 CountryName ::= [APPLICATION 1] CHOICE { 940 x121-dcc-code NumericString 941 (SIZE (ub-country-name-numeric-length)), 942 iso-3166-alpha2-code PrintableString 943 (SIZE (ub-country-name-alpha-length)) } 945 AdministrationDomainName ::= [APPLICATION 2] CHOICE { 946 numeric NumericString (SIZE (0..ub-domain-name-length)), 947 printable PrintableString (SIZE (0..ub-domain-name-length)) } 949 NetworkAddress ::= X121Address -- see also extended-network-address 951 X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) 953 TerminalIdentifier ::= PrintableString (SIZE 954 (1..ub-terminal-id-length)) 956 PrivateDomainName ::= CHOICE { 957 numeric NumericString (SIZE (1..ub-domain-name-length)), 958 printable PrintableString (SIZE (1..ub-domain-name-length)) } 960 OrganizationName ::= PrintableString 961 (SIZE (1..ub-organization-name-length)) 962 -- see also teletex-organization-name 964 NumericUserIdentifier ::= NumericString 965 (SIZE (1..ub-numeric-user-id-length)) 967 PersonalName ::= SET { 968 surname [0] IMPLICIT PrintableString 969 (SIZE (1..ub-surname-length)), 971 given-name [1] IMPLICIT PrintableString 972 (SIZE (1..ub-given-name-length)) OPTIONAL, 973 initials [2] IMPLICIT PrintableString 974 (SIZE (1..ub-initials-length)) OPTIONAL, 975 generation-qualifier [3] IMPLICIT PrintableString 976 (SIZE (1..ub-generation-qualifier-length)) 977 OPTIONAL } 978 -- see also teletex-personal-name 980 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) 981 OF OrganizationalUnitName 982 -- see also teletex-organizational-unit-names 984 OrganizationalUnitName ::= PrintableString (SIZE 985 (1..ub-organizational-unit-name-length)) 987 -- Built-in Domain-defined Attributes 989 BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE 990 (1..ub-domain-defined-attributes) OF 991 BuiltInDomainDefinedAttribute 993 BuiltInDomainDefinedAttribute ::= SEQUENCE { 994 type PrintableString (SIZE 995 (1..ub-domain-defined-attribute-type-length)), 996 value PrintableString (SIZE 997 (1..ub-domain-defined-attribute-value-length)) } 999 -- Extension Attributes 1001 ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF 1002 ExtensionAttribute 1004 EXTENSION-ATTRIBUTE ::= CLASS { 1005 &id INTEGER (0..ub-extension-attributes) UNIQUE, 1006 &Type 1007 } WITH SYNTAX { &Type IDENTIFIED BY &id } 1009 ExtensionAttribute ::= SEQUENCE { 1010 extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE. 1011 &id({SupportedExtensionAttributes}), 1012 extension-attribute-value [1] EXTENSION-ATTRIBUTE. 1013 &Type({SupportedExtensionAttributes} 1014 {@extension-attribute-type})} 1016 SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= { ... } 1018 -- Extension types and attribute values 1019 ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString 1020 (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1} 1022 teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString 1023 (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 } 1025 teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString 1026 (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 } 1028 teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET { 1029 surname [0] IMPLICIT TeletexString 1030 (SIZE (1..ub-surname-length)), 1031 given-name [1] IMPLICIT TeletexString 1032 (SIZE (1..ub-given-name-length)) OPTIONAL, 1033 initials [2] IMPLICIT TeletexString 1034 (SIZE (1..ub-initials-length)) OPTIONAL, 1035 generation-qualifier [3] IMPLICIT TeletexString 1036 (SIZE (1..ub-generation-qualifier-length)) 1037 OPTIONAL } IDENTIFIED BY 4 } 1039 teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::= { SEQUENCE SIZE 1040 (1..ub-organizational-units) OF TeletexOrganizationalUnitName 1041 IDENTIFIED BY 5 } 1043 TeletexOrganizationalUnitName ::= TeletexString 1044 (SIZE (1..ub-organizational-unit-name-length)) 1046 pDSName EXTENSION-ATTRIBUTE ::= {PrintableString 1047 (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 } 1049 physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= {CHOICE { 1050 x121-dcc-code NumericString (SIZE 1051 (ub-country-name-numeric-length)), 1052 iso-3166-alpha2-code PrintableString 1053 (SIZE (ub-country-name-alpha-length)) } 1054 IDENTIFIED BY 8 } 1056 postalCode EXTENSION-ATTRIBUTE ::= { CHOICE { 1057 numeric-code NumericString (SIZE (1..ub-postal-code-length)), 1058 printable-code PrintableString (SIZE (1..ub-postal-code-length)) } 1059 IDENTIFIED BY 9 } 1061 physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::= 1062 { PDSParameter IDENTIFIED BY 10 } 1064 physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::= 1065 {PDSParameter IDENTIFIED BY 11 } 1067 extensionORAddressComponents EXTENSION-ATTRIBUTE ::= 1068 {PDSParameter IDENTIFIED BY 12 } 1070 physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::= 1071 {PDSParameter IDENTIFIED BY 13} 1073 physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::= 1074 {PDSParameter IDENTIFIED BY 14 } 1076 extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::= 1077 {PDSParameter IDENTIFIED BY 15 } 1079 unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET { 1080 printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) 1081 OF PrintableString (SIZE (1..ub-pds-parameter-length)) 1082 OPTIONAL, 1083 teletex-string TeletexString 1084 (SIZE (1..ub-unformatted-address-length)) OPTIONAL } 1085 IDENTIFIED BY 16 } 1087 streetAddress EXTENSION-ATTRIBUTE ::= 1088 {PDSParameter IDENTIFIED BY 17 } 1090 postOfficeBoxAddress EXTENSION-ATTRIBUTE ::= 1091 {PDSParameter IDENTIFIED BY 18 } 1093 posteRestanteAddress EXTENSION-ATTRIBUTE ::= 1094 {PDSParameter IDENTIFIED BY 19 } 1096 uniquePostalName EXTENSION-ATTRIBUTE ::= 1097 { PDSParameter IDENTIFIED BY 20 } 1099 localPostalAttributes EXTENSION-ATTRIBUTE ::= 1100 {PDSParameter IDENTIFIED BY 21 } 1102 PDSParameter ::= SET { 1103 printable-string PrintableString 1104 (SIZE(1..ub-pds-parameter-length)) OPTIONAL, 1105 teletex-string TeletexString 1106 (SIZE(1..ub-pds-parameter-length)) OPTIONAL } 1108 extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {CHOICE { 1109 e163-4-address SEQUENCE { 1110 number [0] IMPLICIT NumericString 1111 (SIZE (1..ub-e163-4-number-length)), 1112 sub-address [1] IMPLICIT NumericString 1113 (SIZE (1..ub-e163-4-sub-address-length)) 1114 OPTIONAL }, 1116 psap-address [0] IMPLICIT PresentationAddress } 1117 IDENTIFIED BY 22 } 1119 PresentationAddress ::= SEQUENCE { 1120 pSelector [0] EXPLICIT OCTET STRING OPTIONAL, 1121 sSelector [1] EXPLICIT OCTET STRING OPTIONAL, 1122 tSelector [2] EXPLICIT OCTET STRING OPTIONAL, 1123 nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } 1125 terminalType EXTENSION-ATTRIBUTE ::= {INTEGER { 1126 telex (3), 1127 teletex (4), 1128 g3-facsimile (5), 1129 g4-facsimile (6), 1130 ia5-terminal (7), 1131 videotex (8) } (0..ub-integer-options) 1132 IDENTIFIED BY 23 } 1134 -- Extension Domain-defined Attributes 1136 teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::= {SEQUENCE SIZE 1137 (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute 1138 IDENTIFIED BY 6 } 1140 TeletexDomainDefinedAttribute ::= SEQUENCE { 1141 type TeletexString 1142 (SIZE (1..ub-domain-defined-attribute-type-length)), 1143 value TeletexString 1144 (SIZE (1..ub-domain-defined-attribute-value-length)) } 1146 -- specifications of Upper Bounds MUST be regarded as mandatory 1147 -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter 1148 -- Upper Bounds 1150 -- Upper Bounds 1151 ub-name INTEGER ::= 32768 1152 ub-common-name INTEGER ::= 64 1153 ub-locality-name INTEGER ::= 128 1154 ub-state-name INTEGER ::= 128 1155 ub-organization-name INTEGER ::= 64 1156 ub-organizational-unit-name INTEGER ::= 64 1157 ub-title INTEGER ::= 64 1158 ub-serial-number INTEGER ::= 64 1159 ub-match INTEGER ::= 128 1160 ub-emailaddress-length INTEGER ::= 128 1161 ub-common-name-length INTEGER ::= 64 1162 ub-country-name-alpha-length INTEGER ::= 2 1163 ub-country-name-numeric-length INTEGER ::= 3 1164 ub-domain-defined-attributes INTEGER ::= 4 1165 ub-domain-defined-attribute-type-length INTEGER ::= 8 1166 ub-domain-defined-attribute-value-length INTEGER ::= 128 1167 ub-domain-name-length INTEGER ::= 16 1168 ub-extension-attributes INTEGER ::= 256 1169 ub-e163-4-number-length INTEGER ::= 15 1170 ub-e163-4-sub-address-length INTEGER ::= 40 1171 ub-generation-qualifier-length INTEGER ::= 3 1172 ub-given-name-length INTEGER ::= 16 1173 ub-initials-length INTEGER ::= 5 1174 ub-integer-options INTEGER ::= 256 1175 ub-numeric-user-id-length INTEGER ::= 32 1176 ub-organization-name-length INTEGER ::= 64 1177 ub-organizational-unit-name-length INTEGER ::= 32 1178 ub-organizational-units INTEGER ::= 4 1179 ub-pds-name-length INTEGER ::= 16 1180 ub-pds-parameter-length INTEGER ::= 30 1181 ub-pds-physical-address-lines INTEGER ::= 6 1182 ub-postal-code-length INTEGER ::= 16 1183 ub-pseudonym INTEGER ::= 128 1184 ub-surname-length INTEGER ::= 40 1185 ub-terminal-id-length INTEGER ::= 24 1186 ub-unformatted-address-length INTEGER ::= 180 1187 ub-x121-address-length INTEGER ::= 16 1189 -- Note - upper bounds on string types, such as TeletexString, are 1190 -- measured in characters. Excepting PrintableString or IA5String, a 1191 -- significantly greater number of octets will be required to hold 1192 -- such a value. As a minimum, 16 octets, or twice the specified 1193 -- upper bound, whichever is the larger, should be allowed for 1194 -- TeletexString. For UTF8String or UniversalString at least four 1195 -- times the upper bound should be allowed. 1197 -- information object classes used in the defintion 1198 -- of certificates and CRLs 1199 -- Parameterized Type SIGNED 1201 SIGNED{ToBeSigned} ::= SEQUENCE { 1202 toBeSigned ToBeSigned, 1203 algorithm AlgorithmIdentifier, 1204 signature BIT STRING 1205 } 1207 END 1209 6. ASN.1 Module for RFC 3280 (Implicit) 1210 PKIX1Implicit88 1211 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1212 mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } 1213 DEFINITIONS IMPLICIT TAGS ::= 1214 BEGIN 1216 IMPORTS 1218 id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name, 1219 RelativeDistinguishedName, CertificateSerialNumber, Attribute, 1220 DirectoryString, EXTENSION 1221 FROM PKIX1Explicit88 1222 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1223 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }; 1225 -- ISO arc for standard certificate and CRL extensions 1227 id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} 1229 -- authority key identifier OID and syntax 1231 xt-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX 1232 AuthorityKeyIdentifier IDENTIFIED BY 1233 id-ce-authorityKeyIdentifier } 1235 id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } 1237 AuthorityKeyIdentifier ::= SEQUENCE { 1238 keyIdentifier [0] KeyIdentifier OPTIONAL, 1239 authorityCertIssuer [1] GeneralNames OPTIONAL, 1240 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } 1241 -- authorityCertIssuer and authorityCertSerialNumber MUST both 1242 -- be present or both be absent 1244 KeyIdentifier ::= OCTET STRING 1246 -- subject key identifier OID and syntax 1248 id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } 1250 ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX 1251 KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier } 1253 -- key usage extension OID and syntax 1255 ext-KeyUsage EXTENSION ::= { SYNTAX 1256 KeyUsage IDENTIFIED BY id-ce-keyUsage } 1258 id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } 1260 KeyUsage ::= BIT STRING { 1261 digitalSignature (0), 1262 nonRepudiation (1), 1263 keyEncipherment (2), 1264 dataEncipherment (3), 1265 keyAgreement (4), 1266 keyCertSign (5), 1267 cRLSign (6), 1268 encipherOnly (7), 1269 decipherOnly (8) } 1271 -- private key usage period extension OID and syntax 1273 ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX 1274 PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod } 1276 id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } 1278 PrivateKeyUsagePeriod ::= SEQUENCE { 1279 notBefore [0] GeneralizedTime OPTIONAL, 1280 notAfter [1] GeneralizedTime OPTIONAL } 1281 -- either notBefore or notAfter MUST be present 1283 -- certificate policies extension OID and syntax 1285 ext-CertificatePolicies EXTENSION ::= { SYNTAX 1286 CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies} 1288 id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } 1290 anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } 1292 CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation 1294 PolicyInformation ::= SEQUENCE { 1295 policyIdentifier CertPolicyId, 1296 policyQualifiers SEQUENCE SIZE (1..MAX) OF 1297 PolicyQualifierInfo OPTIONAL } 1299 CertPolicyId ::= OBJECT IDENTIFIER 1301 POLICY-QUALIFIER-INFO ::= TYPE-IDENTIFIER 1303 PolicyQualifierInfo ::= SEQUENCE { 1304 policyQualifierId POLICY-QUALIFIER-INFO. 1305 &id({PolicyQualifierId}), 1307 qualifier POLICY-QUALIFIER-INFO. 1308 &Type({PolicyQualifierId}{@policyQualifierId})} 1310 -- Implementations that recognize additional policy qualifiers MUST 1311 -- augment the following definition for PolicyQualifierId 1313 PolicyQualifierId POLICY-QUALIFIER-INFO ::= 1314 { pqid-cps | pqid-unotice } 1316 pqid-cps POLICY-QUALIFIER-INFO ::= { CPSuri IDENTIFIED BY id-qt-cps } 1318 pqid-unotice POLICY-QUALIFIER-INFO ::= { UserNotice 1319 IDENTIFIED BY id-qt-unotice } 1321 -- CPS pointer qualifier 1323 CPSuri ::= IA5String 1325 -- user notice qualifier 1327 UserNotice ::= SEQUENCE { 1328 noticeRef NoticeReference OPTIONAL, 1329 explicitText DisplayText OPTIONAL} 1331 NoticeReference ::= SEQUENCE { 1332 organization DisplayText, 1333 noticeNumbers SEQUENCE OF INTEGER } 1335 DisplayText ::= CHOICE { 1336 ia5String IA5String (SIZE (1..200)), 1337 visibleString VisibleString (SIZE (1..200)), 1338 bmpString BMPString (SIZE (1..200)), 1339 utf8String UTF8String (SIZE (1..200)) } 1341 -- policy mapping extension OID and syntax 1343 ext-PolicyMappings EXTENSION ::= { SYNTAX 1344 PolicyMappings IDENTIFIED BY id-ce-policyMappings } 1346 id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } 1348 PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { 1349 issuerDomainPolicy CertPolicyId, 1350 subjectDomainPolicy CertPolicyId } 1352 -- subject alternative name extension OID and syntax 1354 ext-SubjectAltName EXTENSION ::= { SYNTAX 1355 GeneralNames IDENTIFIED BY id-ce-subjectAltName } 1357 id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } 1359 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 1361 GeneralName ::= CHOICE { 1362 otherName [0] INSTANCE OF OTHER-NAME, 1363 rfc822Name [1] IA5String, 1364 dNSName [2] IA5String, 1365 x400Address [3] ORAddress, 1366 directoryName [4] Name, 1367 ediPartyName [5] EDIPartyName, 1368 uniformResourceIdentifier [6] IA5String, 1369 iPAddress [7] OCTET STRING, 1370 registeredID [8] OBJECT IDENTIFIER } 1372 -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as 1373 -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax 1375 OTHER-NAME ::= TYPE-IDENTIFIER 1377 EDIPartyName ::= SEQUENCE { 1378 nameAssigner [0] DirectoryString {ubMax} OPTIONAL, 1379 partyName [1] DirectoryString {ubMax} } 1381 -- issuer alternative name extension OID and syntax 1383 ext-IssuerAltName EXTENSION ::= { SYNTAX 1384 GeneralNames IDENTIFIED BY id-ce-issuerAltName } 1386 id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } 1388 ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX 1389 SubjectDirectoryAttributes IDENTIFIED BY 1390 id-ce-subjectDirectoryAttributes } 1392 id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } 1394 SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute 1396 -- basic constraints extension OID and syntax 1398 ext-BasicConstraints EXTENSION ::= { SYNTAX 1399 BasicConstraints IDENTIFIED BY id-ce-basicConstraints } 1401 id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 1402 BasicConstraints ::= SEQUENCE { 1403 cA BOOLEAN DEFAULT FALSE, 1404 pathLenConstraint INTEGER (0..MAX) OPTIONAL } 1406 -- name constraints extension OID and syntax 1408 ext-NameConstraints EXTENSION ::= { SYNTAX 1409 NameConstraints IDENTIFIED BY id-ce-nameConstraints } 1411 id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } 1413 NameConstraints ::= SEQUENCE { 1414 permittedSubtrees [0] GeneralSubtrees OPTIONAL, 1415 excludedSubtrees [1] GeneralSubtrees OPTIONAL } 1417 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree 1419 GeneralSubtree ::= SEQUENCE { 1420 base GeneralName, 1421 minimum [0] BaseDistance DEFAULT 0, 1422 maximum [1] BaseDistance OPTIONAL } 1424 BaseDistance ::= INTEGER (0..MAX) 1426 -- policy constraints extension OID and syntax 1428 ext-PolicyConstraints EXTENSION ::= { SYNTAX 1429 PolicyConstraints IDENTIFIED BY id-ce-policyConstraints } 1431 id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } 1433 PolicyConstraints ::= SEQUENCE { 1434 requireExplicitPolicy [0] SkipCerts OPTIONAL, 1435 inhibitPolicyMapping [1] SkipCerts OPTIONAL } 1437 SkipCerts ::= INTEGER (0..MAX) 1439 -- CRL distribution points extension OID and syntax 1441 ext-CRLDistributionPoints EXTENSION ::= { SYNTAX 1442 CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints} 1444 id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} 1446 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 1448 DistributionPoint ::= SEQUENCE { 1449 distributionPoint [0] DistributionPointName OPTIONAL, 1450 reasons [1] ReasonFlags OPTIONAL, 1451 cRLIssuer [2] GeneralNames OPTIONAL } 1453 DistributionPointName ::= CHOICE { 1454 fullName [0] GeneralNames, 1455 nameRelativeToCRLIssuer [1] RelativeDistinguishedName } 1457 ReasonFlags ::= BIT STRING { 1458 unused (0), 1459 keyCompromise (1), 1460 cACompromise (2), 1461 affiliationChanged (3), 1462 superseded (4), 1463 cessationOfOperation (5), 1464 certificateHold (6), 1465 privilegeWithdrawn (7), 1466 aACompromise (8) } 1468 -- extended key usage extension OID and syntax 1470 ext-ExtKeyUsageSyntax EXTENSION ::= { SYNTAX 1471 ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage } 1473 id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} 1475 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 1477 KeyPurposeId ::= OBJECT IDENTIFIER 1479 -- permit unspecified key uses 1481 anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } 1483 -- extended key purpose OIDs 1485 id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } 1486 id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } 1487 id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } 1488 id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } 1489 id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } 1490 id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 1492 -- inhibit any policy OID and syntax 1494 ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX 1495 SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy } 1497 id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } 1498 -- freshest (delta)CRL extension OID and syntax 1500 ext-FreshestCRL EXTENSION ::= {SYNTAX 1501 CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL } 1503 id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } 1505 -- authority info access 1507 ext-AuthorityInfoAccessSyntax EXTENSION ::= { SYNTAX 1508 AuthorityInfoAccessSyntax IDENTIFIED BY 1509 id-pe-authorityInfoAccess } 1511 id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } 1513 AuthorityInfoAccessSyntax ::= 1514 SEQUENCE SIZE (1..MAX) OF AccessDescription 1516 AccessDescription ::= SEQUENCE { 1517 accessMethod OBJECT IDENTIFIER, 1518 accessLocation GeneralName } 1520 -- subject info access 1522 ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX 1523 SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess } 1525 id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } 1527 SubjectInfoAccessSyntax ::= 1528 SEQUENCE SIZE (1..MAX) OF AccessDescription 1530 -- CRL number extension OID and syntax 1532 ext-CRLNumber EXTENSION ::= {SYNTAX 1533 INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber } 1535 id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } 1537 CRLNumber ::= INTEGER (0..MAX) 1539 -- issuing distribution point extension OID and syntax 1541 ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX 1542 IssuingDistributionPoint IDENTIFIED BY 1543 id-ce-issuingDistributionPoint } 1545 id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } 1546 IssuingDistributionPoint ::= SEQUENCE { 1547 distributionPoint [0] DistributionPointName OPTIONAL, 1548 onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, 1549 onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, 1550 onlySomeReasons [3] ReasonFlags OPTIONAL, 1551 indirectCRL [4] BOOLEAN DEFAULT FALSE, 1552 onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE } 1554 ext-BaseCRLNumber EXTENSION ::= { SYNTAX 1555 CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator } 1557 id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } 1559 -- CRL reasons extension OID and syntax 1561 ext-CRLReason EXTENSION ::= { SYNTAX 1562 CRLReason IDENTIFIED BY id-ce-cRLReasons } 1564 id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } 1566 CRLReason ::= ENUMERATED { 1567 unspecified (0), 1568 keyCompromise (1), 1569 cACompromise (2), 1570 affiliationChanged (3), 1571 superseded (4), 1572 cessationOfOperation (5), 1573 certificateHold (6), 1574 removeFromCRL (8), 1575 privilegeWithdrawn (9), 1576 aACompromise (10) } 1578 -- certificate issuer CRL entry extension OID and syntax 1580 ext-CertificateIssuer EXTENSION ::= { SYNTAX 1581 GeneralNames IDENTIFIED BY id-ce-certificateIssuer } 1583 id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } 1585 -- hold instruction extension OID and syntax 1587 ext-HoldInstructionCode EXTENSION ::= { SYNTAX 1588 OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode } 1590 id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } 1592 -- ANSI x9 holdinstructions 1593 -- ANSI x9 arc holdinstruction arc 1595 holdInstruction OBJECT IDENTIFIER ::= 1596 {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} 1598 -- ANSI X9 holdinstructions referenced by this standard 1600 id-holdinstruction-none OBJECT IDENTIFIER ::= 1601 {holdInstruction 1} -- deprecated 1603 id-holdinstruction-callissuer OBJECT IDENTIFIER ::= 1604 {holdInstruction 2} 1606 id-holdinstruction-reject OBJECT IDENTIFIER ::= 1607 {holdInstruction 3} 1609 -- invalidity date CRL entry extension OID and syntax 1611 ext-InvalidityDate EXTENSION ::= { SYNTAX 1612 GeneralizedTime IDENTIFIED BY id-ce-invalidityDate } 1614 id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 } 1616 ubMax INTEGER ::= 32768 1618 END 1620 7. ASN.1 Module for RFC 3281 1622 PKIXAttributeCertificate 1623 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1624 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12)} 1625 DEFINITIONS IMPLICIT TAGS ::= 1626 BEGIN 1628 IMPORTS 1630 Attribute, AlgorithmIdentifier, CertificateSerialNumber, Extensions, 1631 UniqueIdentifier, id-pkix, id-pe, id-kp, id-ad, id-at, SIGNED, 1632 EXTENSION, ATTRIBUTE 1633 FROM PKIX1Explicit88 1634 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1635 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)} 1637 GeneralName, GeneralNames, id-ce, AuthorityKeyIdentifier, 1638 AuthorityInfoAccessSyntax, CRLDistributionPoints 1639 FROM PKIX1Implicit88 1640 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 1641 mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)} ; 1643 ExtensionsDefined EXTENSION ::= { auditIdentity | targetInformation | 1644 ce-authorityKeyIdentifier | ce-authorityInfoAccess | 1645 ce-cRLDistributionPoints | ce-noRevAvail | pe-ac-proxying | 1646 pe-aaControls } 1648 auditIdentity EXTENSION ::= { SYNTAX 1649 OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity} 1650 targetInformation EXTENSION ::= { SYNTAX 1651 Targets IDENTIFIED BY id-ce-targetInformation } 1652 ce-authorityKeyIdentifier EXTENSION ::= { SYNTAX 1653 AuthorityKeyIdentifier IDENTIFIED BY 1654 id-ce-authorityKeyIdentifier } 1655 ce-authorityInfoAccess EXTENSION ::= { SYNTAX 1656 AuthorityInfoAccessSyntax 1657 IDENTIFIED BY id-ce-authorityInfoAccess} 1658 ce-cRLDistributionPoints EXTENSION ::= { SYNTAX 1659 CRLDistPointsSyntax IDENTIFIED BY id-ce-cRLDistributionPoints } 1660 ce-noRevAvail EXTENSION ::= { SYNTAX 1661 NULL IDENTIFIED BY id-ce-noRevAvail} 1662 pe-ac-proxying EXTENSION ::= { SYNTAX 1663 ProxyInfo IDENTIFIED BY id-pe-ac-proxying} 1664 pe-aaControls EXTENSION ::= { SYNTAX 1665 AAControls IDENTIFIED BY id-pe-aaControls} 1667 -- Another way to do the following might be: 1668 -- AttributesDefined ATTRIBUTE ::= { ... , aca-authenticationInfo | 1669 -- aca-accesIdentity | aca-chargingIdentity | aca-group | 1670 -- at-role | at-clearance | aca-encAttrs } 1672 aca-authenticationInfo ATTRIBUTE ::= { SvceAuthInfo 1673 IDENTIFIED BY id-aca-authenticationInfo} 1674 aca-accesIdentity ATTRIBUTE ::= { SvceAuthInfo 1675 IDENTIFIED BY id-aca-accessIdentity} 1676 aca-chargingIdentity ATTRIBUTE ::= { IetfAttrSyntax 1677 IDENTIFIED BY id-aca-chargingIdentity} 1678 aca-group ATTRIBUTE ::= { IetfAttrSyntax 1679 IDENTIFIED BY id-aca-group} 1680 at-role ATTRIBUTE ::= { RoleSyntax 1681 IDENTIFIED BY id-at-role} 1682 at-clearance ATTRIBUTE ::= { Clearance 1683 IDENTIFIED BY id-at-clearance} 1684 aca-encAttrs ATTRIBUTE ::= { ContentInfo 1685 IDENTIFIED BY id-aca-encAttrs} 1687 id-ce-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } 1688 id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } 1689 id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } 1690 id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } 1691 id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } 1692 id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } 1693 id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } 1694 id-ce-noRevAvail OBJECT IDENTIFIER ::= { id-ce 56 } 1696 id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } 1698 id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } 1699 id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } 1700 id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } 1701 id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } 1702 -- { id-aca 5 } is reserved 1703 id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } 1705 id-at-role OBJECT IDENTIFIER ::= { id-at 72} 1706 id-at-clearance OBJECT IDENTIFIER ::= 1707 { joint-iso-ccitt(2) ds(5) module(1) 1708 selected-attribute-types(5) clearance (55) } 1710 AttributeCertificate ::= SIGNED{AttributeCertificateInfo} 1712 AttributeCertificateInfo ::= SEQUENCE { 1713 version AttCertVersion, -- version is v2, 1714 holder Holder, 1715 issuer AttCertIssuer, 1716 signature AlgorithmIdentifier, 1717 serialNumber CertificateSerialNumber, 1718 attrCertValidityPeriod AttCertValidityPeriod, 1719 attributes SEQUENCE OF Attribute, 1720 issuerUniqueID UniqueIdentifier OPTIONAL, 1721 extensions Extensions OPTIONAL 1722 } 1724 AttCertVersion ::= INTEGER { v2(1) } 1726 Holder ::= SEQUENCE { 1727 baseCertificateID [0] IssuerSerial OPTIONAL, 1728 -- the issuer and serial number of 1729 -- the holder's Public Key Certificate 1730 entityName [1] GeneralNames OPTIONAL, 1731 -- the name of the claimant or role 1732 objectDigestInfo [2] ObjectDigestInfo OPTIONAL 1733 -- used to directly authenticate the 1734 -- holder, for example, an executable 1736 } 1738 ObjectDigestInfo ::= SEQUENCE { 1739 digestedObjectType ENUMERATED { 1740 publicKey (0), 1741 publicKeyCert (1), 1742 otherObjectTypes (2) }, 1743 -- otherObjectTypes MUST NOT 1744 -- MUST NOT be used in this profile 1745 otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, 1746 digestAlgorithm AlgorithmIdentifier, 1747 objectDigest BIT STRING 1748 } 1750 AttCertIssuer ::= CHOICE { 1751 v1Form GeneralNames, -- MUST NOT be used in this 1752 -- profile 1753 v2Form [0] V2Form -- v2 only 1754 } 1756 V2Form ::= SEQUENCE { 1757 issuerName GeneralNames OPTIONAL, 1758 baseCertificateID [0] IssuerSerial OPTIONAL, 1759 objectDigestInfo [1] ObjectDigestInfo OPTIONAL 1760 -- issuerName MUST be present in this profile 1761 -- baseCertificateID and objectDigestInfo MUST 1762 -- NOT be present in this profile 1763 } 1765 IssuerSerial ::= SEQUENCE { 1766 issuer GeneralNames, 1767 serial CertificateSerialNumber, 1768 issuerUID UniqueIdentifier OPTIONAL 1769 } 1771 AttCertValidityPeriod ::= SEQUENCE { 1772 notBeforeTime GeneralizedTime, 1773 notAfterTime GeneralizedTime 1774 } 1776 Targets ::= SEQUENCE OF Target 1778 Target ::= CHOICE { 1779 targetName [0] GeneralName, 1780 targetGroup [1] GeneralName, 1781 targetCert [2] TargetCert 1782 } 1783 TargetCert ::= SEQUENCE { 1784 targetCertificate IssuerSerial, 1785 targetName GeneralName OPTIONAL, 1786 certDigestInfo ObjectDigestInfo OPTIONAL 1787 } 1789 IetfAttrSyntax ::= SEQUENCE { 1790 policyAuthority[0] GeneralNames OPTIONAL, 1791 values SEQUENCE OF CHOICE { 1792 octets OCTET STRING, 1793 oid OBJECT IDENTIFIER, 1794 string UTF8String 1795 } 1796 } 1798 SvceAuthInfo ::= SEQUENCE { 1799 service GeneralName, 1800 ident GeneralName, 1801 authInfo OCTET STRING OPTIONAL 1802 } 1804 RoleSyntax ::= SEQUENCE { 1805 roleAuthority [0] GeneralNames OPTIONAL, 1806 roleName [1] GeneralName 1807 } 1809 Clearance ::= SEQUENCE { 1810 policyId [0] OBJECT IDENTIFIER, 1811 classList [1] ClassList DEFAULT {unclassified}, 1812 securityCategories 1813 [2] SET OF SecurityCategory OPTIONAL 1814 } 1816 ClassList ::= BIT STRING { 1817 unmarked (0), 1818 unclassified (1), 1819 restricted (2), 1820 confidential (3), 1821 secret (4), 1822 topSecret (5) 1823 } 1825 SECURITY-CATEGORY ::= TYPE-IDENTIFIER 1827 SecurityCategory ::= SEQUENCE { 1828 type [0] IMPLICIT TYPE-IDENTIFIER. 1829 &id({SupportedSecurityCategories}), 1830 value [1] TYPE-IDENTIFIER. 1832 &Type({SupportedSecurityCategories}{@type}) 1833 } 1835 SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } 1837 AAControls ::= SEQUENCE { 1838 pathLenConstraint INTEGER (0..MAX) OPTIONAL, 1839 permittedAttrs [0] AttrSpec OPTIONAL, 1840 excludedAttrs [1] AttrSpec OPTIONAL, 1841 permitUnSpecified BOOLEAN DEFAULT TRUE 1842 } 1844 AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER 1846 ACClearAttrs ::= SEQUENCE { 1847 acIssuer GeneralName, 1848 acSerial INTEGER, 1849 attrs SEQUENCE OF Attribute 1850 } 1852 ProxyInfo ::= SEQUENCE OF Targets 1854 CRLDistPointsSyntax ::= CRLDistributionPoints 1856 ContentInfo ::= INTEGER 1858 END 1860 8. ASN.1 Module for RFC 3852 (Attribute Certificate v1) 1862 AttributeCertificateVersion1 1863 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1864 smime(16) modules(0) v1AttrCert(15) } 1865 DEFINITIONS EXPLICIT TAGS ::= 1866 BEGIN 1868 IMPORTS 1870 AlgorithmIdentifier, Attribute, CertificateSerialNumber, Extensions, 1871 UniqueIdentifier 1872 FROM PKIX1Explicit88 1873 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1874 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } 1876 GeneralNames 1877 FROM PKIX1Implicit88 1878 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1879 mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } 1881 AttCertValidityPeriod, IssuerSerial 1882 FROM PKIXAttributeCertificate 1883 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1884 mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) } ; 1886 -- Definition extracted from X.509-1997 [X.509-97], but 1887 -- different type names are used to avoid collisions. 1889 AttributeCertificateV1 ::= SEQUENCE { 1890 acInfo AttributeCertificateInfoV1, 1891 signatureAlgorithm AlgorithmIdentifier, 1892 signature BIT STRING } 1894 AttributeCertificateInfoV1 ::= SEQUENCE { 1895 version AttCertVersionV1 DEFAULT v1, 1896 subject CHOICE { 1897 baseCertificateID [0] IssuerSerial, 1898 -- associated with a Public Key Certificate 1899 subjectName [1] GeneralNames }, 1900 -- associated with a name 1901 issuer GeneralNames, 1902 signature AlgorithmIdentifier, 1903 serialNumber CertificateSerialNumber, 1904 attCertValidityPeriod AttCertValidityPeriod, 1905 attributes SEQUENCE OF Attribute, 1906 issuerUniqueID UniqueIdentifier OPTIONAL, 1907 extensions Extensions OPTIONAL } 1909 AttCertVersionV1 ::= INTEGER { v1(0) } 1911 END 1913 9. ASN.1 Module for RFC 4210 1915 PKIXCMP 1916 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1917 mechanisms(5) pkix(7) id-mod(0) id-mod-cmp2000(16) } 1918 DEFINITIONS EXPLICIT TAGS ::= 1919 BEGIN 1921 IMPORTS 1923 Certificate, CertificateList, Extensions, AlgorithmIdentifier 1924 FROM PKIX1Explicit88 1925 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1926 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } 1928 GeneralName, KeyIdentifier 1929 FROM PKIX1Implicit88 1930 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1931 mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } 1933 CertTemplate, PKIPublicationInfo, EncryptedValue, CertId, 1934 CertReqMessages 1935 FROM PKIXCRMF-2005 1936 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 1937 mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36) } 1938 -- see also the behavioral clarifications to CRMF codified in 1939 -- Appendix C of this specification 1941 CertificationRequest 1942 FROM PKCS-10 1943 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10) 1944 modules(1) pkcs-10(1) }; 1945 -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT 1946 -- tags). Alternatively, implementers may directly include 1947 -- the [PKCS10] syntax in this module 1949 -- the rest of the module contains locally-defined OIDs and 1950 -- constructs 1952 CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... } 1953 -- This syntax, while bits-on-the-wire compatible with the 1954 -- standard X.509 definition of "Certificate", allows the 1955 -- possibility of future certificate types (such as X.509 1956 -- attribute certificates, WAP WTLS certificates, or other kinds 1957 -- of certificates) within this certificate management protocol, 1958 -- should a need ever arise to support such generality. Those 1959 -- implementations that do not foresee a need to ever support 1960 -- other certificate types MAY, if they wish, comment out the 1961 -- above structure and "un-comment" the following one prior to 1962 -- compiling this ASN.1 module. (Note that interoperability 1963 -- with implementations that don't do this will be unaffected by 1964 -- this change.) 1966 -- CMPCertificate ::= Certificate 1968 PKIMessage ::= SEQUENCE { 1969 header PKIHeader, 1970 body PKIBody, 1971 protection [0] PKIProtection OPTIONAL, 1972 extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate 1973 OPTIONAL } 1975 PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage 1977 PKIHeader ::= SEQUENCE { 1978 pvno INTEGER { cmp1999(1), cmp2000(2) }, 1979 sender GeneralName, 1980 -- identifies the sender 1981 recipient GeneralName, 1982 -- identifies the intended recipient 1983 messageTime [0] GeneralizedTime OPTIONAL, 1984 -- time of production of this message (used when sender 1985 -- believes that the transport will be "suitable"; i.e., 1986 -- that the time will still be meaningful upon receipt) 1987 protectionAlg [1] AlgorithmIdentifier OPTIONAL, 1988 -- algorithm used for calculation of protection bits 1989 senderKID [2] KeyIdentifier OPTIONAL, 1990 recipKID [3] KeyIdentifier OPTIONAL, 1991 -- to identify specific keys used for protection 1992 transactionID [4] OCTET STRING OPTIONAL, 1993 -- identifies the transaction; i.e., this will be the same in 1994 -- corresponding request, response, certConf, and PKIConf 1995 -- messages 1996 senderNonce [5] OCTET STRING OPTIONAL, 1997 recipNonce [6] OCTET STRING OPTIONAL, 1998 -- nonces used to provide replay protection, senderNonce 1999 -- is inserted by the creator of this message; recipNonce 2000 -- is a nonce previously inserted in a related message by 2001 -- the intended recipient of this message 2002 freeText [7] PKIFreeText OPTIONAL, 2003 -- this may be used to indicate context-specific instructions 2004 -- (this field is intended for human consumption) 2005 generalInfo [8] SEQUENCE SIZE (1..MAX) OF 2006 InfoTypeAndValue OPTIONAL 2007 -- this may be used to convey context-specific information 2008 -- (this field not primarily intended for human consumption) 2009 } 2011 PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String 2012 -- text encoded as UTF-8 String [RFC3629] (note: each 2013 -- UTF8String MAY include an [RFC3066] language tag 2014 -- to indicate the language of the contained text 2015 -- see [RFC2482] for details) 2017 PKIBody ::= CHOICE { -- message-specific body elements 2018 ir [0] CertReqMessages, --Initialization Request 2019 ip [1] CertRepMessage, --Initialization Response 2020 cr [2] CertReqMessages, --Certification Request 2021 cp [3] CertRepMessage, --Certification Response 2022 p10cr [4] CertificationRequest, --imported from [PKCS10] 2023 popdecc [5] POPODecKeyChallContent, --pop Challenge 2024 popdecr [6] POPODecKeyRespContent, --pop Response 2025 kur [7] CertReqMessages, --Key Update Request 2026 kup [8] CertRepMessage, --Key Update Response 2027 krr [9] CertReqMessages, --Key Recovery Request 2028 krp [10] KeyRecRepContent, --Key Recovery Response 2029 rr [11] RevReqContent, --Revocation Request 2030 rp [12] RevRepContent, --Revocation Response 2031 ccr [13] CertReqMessages, --Cross-Cert. Request 2032 ccp [14] CertRepMessage, --Cross-Cert. Response 2033 ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. 2034 cann [16] CertAnnContent, --Certificate Ann. 2035 rann [17] RevAnnContent, --Revocation Ann. 2036 crlann [18] CRLAnnContent, --CRL Announcement 2037 pkiconf [19] PKIConfirmContent, --Confirmation 2038 nested [20] NestedMessageContent, --Nested Message 2039 genm [21] GenMsgContent, --General Message 2040 genp [22] GenRepContent, --General Response 2041 error [23] ErrorMsgContent, --Error Message 2042 certConf [24] CertConfirmContent, --Certificate confirm 2043 pollReq [25] PollReqContent, --Polling request 2044 pollRep [26] PollRepContent --Polling response 2045 } 2047 PKIProtection ::= BIT STRING 2049 ProtectedPart ::= SEQUENCE { 2050 header PKIHeader, 2051 body PKIBody } 2053 id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13} 2054 PBMParameter ::= SEQUENCE { 2055 salt OCTET STRING, 2056 -- note: implementations MAY wish to limit acceptable sizes 2057 -- of this string to values appropriate for their environment 2058 -- in order to reduce the risk of denial-of-service attacks 2059 owf AlgorithmIdentifier, 2060 -- AlgId for a One-Way Function (SHA-1 recommended) 2061 iterationCount INTEGER, 2062 -- number of times the OWF is applied 2063 -- note: implementations MAY wish to limit acceptable sizes 2064 -- of this integer to values appropriate for their environment 2065 -- in order to reduce the risk of denial-of-service attacks 2066 mac AlgorithmIdentifier 2067 -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], 2068 -- or HMAC [RFC2104, RFC2202]) 2069 } 2071 id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30} 2072 DHBMParameter ::= SEQUENCE { 2073 owf AlgorithmIdentifier, 2074 -- AlgId for a One-Way Function (SHA-1 recommended) 2075 mac AlgorithmIdentifier 2076 -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], 2077 -- or HMAC [RFC2104, RFC2202]) 2078 } 2080 NestedMessageContent ::= PKIMessages 2082 PKIStatus ::= INTEGER { 2083 accepted (0), 2084 -- you got exactly what you asked for 2085 grantedWithMods (1), 2086 -- you got something like what you asked for; the 2087 -- requester is responsible for ascertaining the differences 2088 rejection (2), 2089 -- you don't get it, more information elsewhere in the message 2090 waiting (3), 2091 -- the request body part has not yet been processed; expect to 2092 -- hear more later (note: proper handling of this status 2093 -- response MAY use the polling req/rep PKIMessages specified 2094 -- in Section 5.3.22; alternatively, polling in the underlying 2095 -- transport layer MAY have some utility in this regard) 2096 revocationWarning (4), 2097 -- this message contains a warning that a revocation is 2098 -- imminent 2099 revocationNotification (5), 2100 -- notification that a revocation has occurred 2101 keyUpdateWarning (6) 2102 -- update already done for the oldCertId specified in 2103 -- CertReqMsg 2104 } 2106 PKIFailureInfo ::= BIT STRING { 2107 -- since we can fail in more than one way! 2108 -- More codes may be added in the future if/when required. 2109 badAlg (0), 2110 -- unrecognized or unsupported Algorithm Identifier 2111 badMessageCheck (1), 2112 -- integrity check failed (e.g., signature did not verify) 2113 badRequest (2), 2114 -- transaction not permitted or supported 2115 badTime (3), 2116 -- messageTime was not sufficiently close to the system time, 2117 -- as defined by local policy 2118 badCertId (4), 2119 -- no certificate could be found matching the provided criteria 2120 badDataFormat (5), 2121 -- the data submitted has the wrong format 2122 wrongAuthority (6), 2123 -- the authority indicated in the request is different from the 2124 -- one creating the response token 2125 incorrectData (7), 2126 -- the requester's data is incorrect (for notary services) 2127 missingTimeStamp (8), 2128 -- when the timestamp is missing but should be there 2129 -- (by policy) 2130 badPOP (9), 2131 -- the proof-of-possession failed 2132 certRevoked (10), 2133 -- the certificate has already been revoked 2134 certConfirmed (11), 2135 -- the certificate has already been confirmed 2136 wrongIntegrity (12), 2137 -- invalid integrity, password based instead of signature or 2138 -- vice versa 2139 badRecipientNonce (13), 2140 -- invalid recipient nonce, either missing or wrong value 2141 timeNotAvailable (14), 2142 -- the TSA's time source is not available 2143 unacceptedPolicy (15), 2144 -- the requested TSA policy is not supported by the TSA. 2145 unacceptedExtension (16), 2146 -- the requested extension is not supported by the TSA. 2147 addInfoNotAvailable (17), 2148 -- the additional information requested could not be 2149 -- understood or is not available 2150 badSenderNonce (18), 2151 -- invalid sender nonce, either missing or wrong size 2152 badCertTemplate (19), 2153 -- invalid cert. template or missing mandatory information 2154 signerNotTrusted (20), 2155 -- signer of the message unknown or not trusted 2156 transactionIdInUse (21), 2157 -- the transaction identifier is already in use 2158 unsupportedVersion (22), 2159 -- the version of the message is not supported 2160 notAuthorized (23), 2161 -- the sender was not authorized to make the preceding 2162 -- request or perform the preceding action 2163 systemUnavail (24), 2164 -- the request cannot be handled due to system unavailability 2165 systemFailure (25), 2166 -- the request cannot be handled due to system failure 2167 duplicateCertReq (26) 2168 -- certificate cannot be issued because a duplicate 2169 -- certificate already exists 2170 } 2172 PKIStatusInfo ::= SEQUENCE { 2173 status PKIStatus, 2174 statusString PKIFreeText OPTIONAL, 2175 failInfo PKIFailureInfo OPTIONAL } 2177 OOBCert ::= CMPCertificate 2179 OOBCertHash ::= SEQUENCE { 2180 hashAlg [0] AlgorithmIdentifier OPTIONAL, 2181 certId [1] CertId OPTIONAL, 2182 hashVal BIT STRING 2183 -- hashVal is calculated over the DER encoding of the 2184 -- self-signed certificate with the identifier certID. 2185 } 2187 POPODecKeyChallContent ::= SEQUENCE OF Challenge 2188 -- One Challenge per encryption key certification request (in the 2189 -- same order as these requests appear in CertReqMessages). 2191 Challenge ::= SEQUENCE { 2192 owf AlgorithmIdentifier OPTIONAL, 2193 -- MUST be present in the first Challenge; MAY be omitted in 2194 -- any subsequent Challenge in POPODecKeyChallContent (if 2195 -- omitted, then the owf used in the immediately preceding 2196 -- Challenge is to be used). 2197 witness OCTET STRING, 2198 -- the result of applying the one-way function (owf) to a 2199 -- randomly-generated INTEGER, A. [Note that a different 2200 -- INTEGER MUST be used for each Challenge.] 2201 challenge OCTET STRING 2202 -- the encryption (under the public key for which the cert. 2203 -- request is being made) of Rand, where Rand is specified as 2204 -- Rand ::= SEQUENCE { 2205 -- int INTEGER, 2206 -- - the randomly-generated INTEGER A (above) 2207 -- sender GeneralName 2208 -- - the sender's name (as included in PKIHeader) 2209 -- } 2210 } 2211 POPODecKeyRespContent ::= SEQUENCE OF INTEGER 2212 -- One INTEGER per encryption key certification request (in the 2213 -- same order as these requests appear in CertReqMessages). The 2214 -- retrieved INTEGER A (above) is returned to the sender of the 2215 -- corresponding Challenge. 2217 CertRepMessage ::= SEQUENCE { 2218 caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate 2219 OPTIONAL, 2220 response SEQUENCE OF CertResponse } 2222 CertResponse ::= SEQUENCE { 2223 certReqId INTEGER, 2224 -- to match this response with corresponding request (a value 2225 -- of -1 is to be used if certReqId is not specified in the 2226 -- corresponding request) 2227 status PKIStatusInfo, 2228 certifiedKeyPair CertifiedKeyPair OPTIONAL, 2229 rspInfo OCTET STRING OPTIONAL 2230 -- analogous to the id-regInfo-utf8Pairs string defined 2231 -- for regInfo in CertReqMsg [CRMF] 2232 } 2234 CertifiedKeyPair ::= SEQUENCE { 2235 certOrEncCert CertOrEncCert, 2236 privateKey [0] EncryptedValue OPTIONAL, 2237 -- see [CRMF] for comment on encoding 2238 publicationInfo [1] PKIPublicationInfo OPTIONAL } 2240 CertOrEncCert ::= CHOICE { 2241 certificate [0] CMPCertificate, 2242 encryptedCert [1] EncryptedValue } 2244 KeyRecRepContent ::= SEQUENCE { 2245 status PKIStatusInfo, 2246 newSigCert [0] CMPCertificate OPTIONAL, 2247 caCerts [1] SEQUENCE SIZE (1..MAX) OF 2248 CMPCertificate OPTIONAL, 2249 keyPairHist [2] SEQUENCE SIZE (1..MAX) OF 2250 CertifiedKeyPair OPTIONAL } 2252 RevReqContent ::= SEQUENCE OF RevDetails 2254 RevDetails ::= SEQUENCE { 2255 certDetails CertTemplate, 2256 -- allows requester to specify as much as they can about 2257 -- the cert. for which revocation is requested 2258 -- (e.g., for cases in which serialNumber is not available) 2259 crlEntryDetails Extensions OPTIONAL 2260 -- requested crlEntryExtensions 2261 } 2263 RevRepContent ::= SEQUENCE { 2264 status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, 2265 -- in same order as was sent in RevReqContent 2266 revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId 2267 OPTIONAL, 2268 -- IDs for which revocation was requested 2269 -- (same order as status) 2270 crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList 2271 OPTIONAL 2272 -- the resulting CRLs (there may be more than one) 2273 } 2275 CAKeyUpdAnnContent ::= SEQUENCE { 2276 oldWithNew CMPCertificate, -- old pub signed with new priv 2277 newWithOld CMPCertificate, -- new pub signed with old priv 2278 newWithNew CMPCertificate -- new pub signed with new priv 2279 } 2281 CertAnnContent ::= CMPCertificate 2283 RevAnnContent ::= SEQUENCE { 2284 status PKIStatus, 2285 certId CertId, 2286 willBeRevokedAt GeneralizedTime, 2287 badSinceDate GeneralizedTime, 2288 crlDetails Extensions OPTIONAL 2289 -- extra CRL details (e.g., crl number, reason, location, etc.) 2290 } 2292 CRLAnnContent ::= SEQUENCE OF CertificateList 2294 CertConfirmContent ::= SEQUENCE OF CertStatus 2296 CertStatus ::= SEQUENCE { 2297 certHash OCTET STRING, 2298 -- the hash of the certificate, using the same hash algorithm 2299 -- as is used to create and verify the certificate signature 2300 certReqId INTEGER, 2301 -- to match this confirmation with the corresponding req/rep 2302 statusInfo PKIStatusInfo OPTIONAL } 2304 PKIConfirmContent ::= NULL 2306 INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER 2307 InfoTypeAndValue ::= SEQUENCE { 2308 infoType INFO-TYPE-AND-VALUE. 2309 &id({SupportedInfoSet}), 2310 infoValue INFO-TYPE-AND-VALUE. 2311 &Type({SupportedInfoSet}{@infoType}) } 2313 SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... } 2315 -- Example InfoTypeAndValue contents include, but are not limited 2316 -- to, the following (un-comment in this ASN.1 module and use as 2317 -- appropriate for a given environment): 2318 -- 2319 -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} 2320 -- CAProtEncCertValue ::= CMPCertificate 2321 -- id-it-signKeyPairTypes OBJECT IDENTIFIER ::= {id-it 2} 2322 -- SignKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier 2323 -- id-it-encKeyPairTypes OBJECT IDENTIFIER ::= {id-it 3} 2324 -- EncKeyPairTypesValue ::= SEQUENCE OF AlgorithmIdentifier 2325 -- id-it-preferredSymmAlg OBJECT IDENTIFIER ::= {id-it 4} 2326 -- PreferredSymmAlgValue ::= AlgorithmIdentifier 2327 -- id-it-caKeyUpdateInfo OBJECT IDENTIFIER ::= {id-it 5} 2328 -- CAKeyUpdateInfoValue ::= CAKeyUpdAnnContent 2329 -- id-it-currentCRL OBJECT IDENTIFIER ::= {id-it 6} 2330 -- CurrentCRLValue ::= CertificateList 2331 -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} 2332 -- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER 2333 -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} 2334 -- KeyPairParamReqValue ::= OBJECT IDENTIFIER 2335 -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} 2336 -- KeyPairParamRepValue ::= AlgorithmIdentifer 2337 -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} 2338 -- RevPassphraseValue ::= EncryptedValue 2339 -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} 2340 -- ImplicitConfirmValue ::= NULL 2341 -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} 2342 -- ConfirmWaitTimeValue ::= GeneralizedTime 2343 -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} 2344 -- OrigPKIMessageValue ::= PKIMessages 2345 -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} 2346 -- SuppLangTagsValue ::= SEQUENCE OF UTF8String 2347 -- 2348 -- where 2349 -- 2350 -- id-pkix OBJECT IDENTIFIER ::= { 2351 -- iso(1) identified-organization(3) 2352 -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} 2353 -- and 2354 -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} 2355 -- 2356 -- 2357 -- This construct MAY also be used to define new PKIX Certificate 2358 -- Management Protocol request and response messages, or general- 2359 -- purpose (e.g., announcement) messages for future needs or for 2360 -- specific environments. 2362 GenMsgContent ::= SEQUENCE OF InfoTypeAndValue 2364 -- May be sent by EE, RA, or CA (depending on message content). 2365 -- The OPTIONAL infoValue parameter of InfoTypeAndValue will 2366 -- typically be omitted for some of the examples given above. 2367 -- The receiver is free to ignore any contained OBJ. IDs that it 2368 -- does not recognize. If sent from EE to CA, the empty set 2369 -- indicates that the CA may send 2370 -- any/all information that it wishes. 2372 GenRepContent ::= SEQUENCE OF InfoTypeAndValue 2373 -- Receiver MAY ignore any contained OIDs that it does not 2374 -- recognize. 2376 ErrorMsgContent ::= SEQUENCE { 2377 pKIStatusInfo PKIStatusInfo, 2378 errorCode INTEGER OPTIONAL, 2379 -- implementation-specific error codes 2380 errorDetails PKIFreeText OPTIONAL 2381 -- implementation-specific error details 2382 } 2384 PollReqContent ::= SEQUENCE OF SEQUENCE { 2385 certReqId INTEGER } 2387 PollRepContent ::= SEQUENCE OF SEQUENCE { 2388 certReqId INTEGER, 2389 checkAfter INTEGER, -- time in seconds 2390 reason PKIFreeText OPTIONAL } 2392 END 2394 10. ASN.1 Module for RFC 4211 2396 PKIXCRMF-2005 2397 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 2398 mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)} 2399 DEFINITIONS IMPLICIT TAGS ::= 2400 BEGIN 2401 IMPORTS 2403 Version, AlgorithmIdentifier, Name, Time, SubjectPublicKeyInfo, 2404 Extensions, UniqueIdentifier, Attribute 2405 FROM PKIX1Explicit88 2406 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 2407 mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18)} 2409 GeneralName 2410 FROM PKIX1Implicit88 2411 {iso(1) identified-organization(3) dod(6) internet(1) security(5) 2412 mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)} 2414 EnvelopedData 2415 FROM CryptographicMessageSyntax2004 2416 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2417 smime(16) modules(0) cms-2004(24) }; -- found in [CMS] 2419 id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 2420 dod(6) internet(1) security(5) mechanisms(5) 7 } 2422 -- arc for Internet X.509 PKI protocols and their components 2424 id-pkip OBJECT IDENTIFIER ::= { id-pkix 5 } 2426 id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) 2427 us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } 2429 id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types 2431 -- Core definitions for this module 2433 CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg 2435 CertReqMsg ::= SEQUENCE { 2436 certReq CertRequest, 2437 popo ProofOfPossession OPTIONAL, 2438 -- content depends upon key type 2439 regInfo SEQUENCE SIZE(1..MAX) OF 2440 AttributeTypeAndValue OPTIONAL } 2442 CertRequest ::= SEQUENCE { 2443 certReqId INTEGER, -- ID for matching request and reply 2444 certTemplate CertTemplate, -- Selected fields of cert to be issued 2445 controls Controls OPTIONAL } -- Attributes affecting issuance 2447 CertTemplate ::= SEQUENCE { 2448 version [0] Version OPTIONAL, 2449 serialNumber [1] INTEGER OPTIONAL, 2450 signingAlg [2] AlgorithmIdentifier OPTIONAL, 2451 issuer [3] Name OPTIONAL, 2452 validity [4] OptionalValidity OPTIONAL, 2453 subject [5] Name OPTIONAL, 2454 publicKey [6] SubjectPublicKeyInfo OPTIONAL, 2455 issuerUID [7] UniqueIdentifier OPTIONAL, 2456 subjectUID [8] UniqueIdentifier OPTIONAL, 2457 extensions [9] Extensions OPTIONAL } 2459 OptionalValidity ::= SEQUENCE { 2460 notBefore [0] Time OPTIONAL, 2461 notAfter [1] Time OPTIONAL } -- at least one MUST be present 2463 ATTRIBUTE ::= TYPE-IDENTIFIER 2465 Controls ::= SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue 2467 AttributeTypeAndValue ::= SEQUENCE { 2468 type ATTRIBUTE.&id({SupportedAttributes}), 2469 value ATTRIBUTE.&Type({SupportedAttributes})} 2471 SupportedAttributes ATTRIBUTE ::= { ... } 2473 ProofOfPossession ::= CHOICE { 2474 raVerified [0] NULL, 2475 -- used if the RA has already verified that the requester is in 2476 -- possession of the private key 2477 signature [1] POPOSigningKey, 2478 keyEncipherment [2] POPOPrivKey, 2479 keyAgreement [3] POPOPrivKey } 2481 POPOSigningKey ::= SEQUENCE { 2482 poposkInput [0] POPOSigningKeyInput OPTIONAL, 2483 algorithmIdentifier AlgorithmIdentifier, 2484 signature BIT STRING } 2485 -- The signature (using "algorithmIdentifier") is on the 2486 -- DER-encoded value of poposkInput. NOTE: If the CertReqMsg 2487 -- certReq CertTemplate contains the subject and publicKey values, 2488 -- then poposkInput MUST be omitted and the signature MUST be 2489 -- computed over the DER-encoded value of CertReqMsg certReq. If 2490 -- the CertReqMsg certReq CertTemplate does not contain both the 2491 -- public key and subject values (i.e., if it contains only one 2492 -- of these, or neither), then poposkInput MUST be present and 2493 -- MUST be signed. 2495 POPOSigningKeyInput ::= SEQUENCE { 2496 authInfo CHOICE { 2497 sender [0] GeneralName, 2498 -- used only if an authenticated identity has been 2499 -- established for the sender (e.g., a DN from a 2500 -- previously-issued and currently-valid certificate) 2501 publicKeyMAC PKMACValue }, 2502 -- used if no authenticated GeneralName currently exists for 2503 -- the sender; publicKeyMAC contains a password-based MAC 2504 -- on the DER-encoded value of publicKey 2505 publicKey SubjectPublicKeyInfo } -- from CertTemplate 2507 PKMACValue ::= SEQUENCE { 2508 algId AlgorithmIdentifier, 2509 -- algorithm value shall be PasswordBasedMac 2510 -- {1 2 840 113533 7 66 13} 2511 -- parameter value is PBMParameter 2512 value BIT STRING } 2514 PBMParameter ::= SEQUENCE { 2515 salt OCTET STRING, 2516 owf AlgorithmIdentifier, 2517 -- AlgId for a One-Way Function (SHA-1 recommended) 2518 iterationCount INTEGER, 2519 -- number of times the OWF is applied 2520 mac AlgorithmIdentifier 2521 -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11], 2522 } -- or HMAC [HMAC, RFC2202]) 2524 POPOPrivKey ::= CHOICE { 2525 thisMessage [0] BIT STRING, -- Deprecated 2526 -- possession is proven in this message (which contains 2527 -- the private key itself (encrypted for the CA)) 2528 subsequentMessage [1] SubsequentMessage, 2529 -- possession will be proven in a subsequent message 2530 dhMAC [2] BIT STRING, -- Deprecated 2531 agreeMAC [3] PKMACValue, 2532 encryptedKey [4] EnvelopedData } 2533 -- for keyAgreement (only), possession is proven in this message 2534 -- (which contains a MAC (over the DER-encoded value of the 2535 -- certReq parameter in CertReqMsg, which MUST include both 2536 -- subject and publicKey) based on a key derived from the end 2537 -- entity's private DH key and the CA's public DH key); 2539 SubsequentMessage ::= INTEGER { 2540 encrCert (0), 2541 -- requests that resulting certificate be encrypted for the 2542 -- end entity (following which, POP will be proven in a 2543 -- confirmation message) 2544 challengeResp (1) } 2545 -- requests that CA engage in challenge-response exchange with 2546 -- end entity in order to prove private key possession 2548 -- Object identifier assignments -- 2550 -- Registration Controls in CRMF 2551 id-regCtrl OBJECT IDENTIFIER ::= { id-pkip 1 } 2553 id-regCtrl-regToken OBJECT IDENTIFIER ::= { id-regCtrl 1 } 2554 --with syntax: 2555 RegToken ::= UTF8String 2557 id-regCtrl-authenticator OBJECT IDENTIFIER ::= { id-regCtrl 2 } 2558 --with syntax: 2559 Authenticator ::= UTF8String 2561 id-regCtrl-pkiPublicationInfo OBJECT IDENTIFIER ::= { id-regCtrl 3 } 2562 --with syntax: 2563 PKIPublicationInfo ::= SEQUENCE { 2564 action INTEGER { 2565 dontPublish (0), 2566 pleasePublish (1) }, 2567 pubInfos SEQUENCE SIZE (1..MAX) OF SinglePubInfo OPTIONAL } 2568 -- pubInfos MUST NOT be present if action is "dontPublish" 2569 -- (if action is "pleasePublish" and pubInfos is omitted, 2570 -- "dontCare" is assumed) 2572 SinglePubInfo ::= SEQUENCE { 2573 pubMethod INTEGER { 2574 dontCare (0), 2575 x500 (1), 2576 web (2), 2577 ldap (3) }, 2578 pubLocation GeneralName OPTIONAL } 2580 id-regCtrl-pkiArchiveOptions OBJECT IDENTIFIER ::= { id-regCtrl 4 } 2581 --with syntax: 2582 PKIArchiveOptions ::= CHOICE { 2583 encryptedPrivKey [0] EncryptedKey, 2584 -- the actual value of the private key 2585 keyGenParameters [1] KeyGenParameters, 2586 -- parameters that allow the private key to be re-generated 2587 archiveRemGenPrivKey [2] BOOLEAN } 2588 -- set to TRUE if sender wishes receiver to archive the private 2589 -- key of a key pair that the receiver generates in response to 2590 -- this request; set to FALSE if no archival is desired. 2592 EncryptedKey ::= CHOICE { 2593 encryptedValue EncryptedValue, -- Deprecated 2594 envelopedData [0] EnvelopedData } 2595 -- The encrypted private key MUST be placed in the envelopedData 2596 -- encryptedContentInfo encryptedContent OCTET STRING. 2598 EncryptedValue ::= SEQUENCE { 2599 intendedAlg [0] AlgorithmIdentifier OPTIONAL, 2600 -- the intended algorithm for which the value will be used 2601 symmAlg [1] AlgorithmIdentifier OPTIONAL, 2602 -- the symmetric algorithm used to encrypt the value 2603 encSymmKey [2] BIT STRING OPTIONAL, 2604 -- the (encrypted) symmetric key used to encrypt the value 2605 keyAlg [3] AlgorithmIdentifier OPTIONAL, 2606 -- algorithm used to encrypt the symmetric key 2607 valueHint [4] OCTET STRING OPTIONAL, 2608 -- a brief description or identifier of the encValue content 2609 -- (may be meaningful only to the sending entity, and used only 2610 -- if EncryptedValue might be re-examined by the sending entity 2611 -- in the future) 2612 encValue BIT STRING } 2613 -- the encrypted value itself 2614 -- When EncryptedValue is used to carry a private key (as opposed to 2615 -- a certificate), implementations MUST support the encValue field 2616 -- containing an encrypted PrivateKeyInfo as defined in [PKCS11], 2617 -- section 12.11. If encValue contains some other format/encoding 2618 -- for the private key, the first octet of valueHint MAY be used 2619 -- to indicate the format/encoding (but note that the possible values 2620 -- of this octet are not specified at this time). In all cases, the 2621 -- intendedAlg field MUST be used to indicate at least the OID of 2622 -- the intended algorithm of the private key, unless this information 2623 -- is known a priori to both sender and receiver by some other means. 2625 KeyGenParameters ::= OCTET STRING 2627 id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 } 2628 --with syntax: 2629 OldCertId ::= CertId 2631 CertId ::= SEQUENCE { 2632 issuer GeneralName, 2633 serialNumber INTEGER } 2635 id-regCtrl-protocolEncrKey OBJECT IDENTIFIER ::= { id-regCtrl 6 } 2636 --with syntax: 2637 ProtocolEncrKey ::= SubjectPublicKeyInfo 2639 -- Registration Info in CRMF 2640 id-regInfo OBJECT IDENTIFIER ::= { id-pkip 2 } 2642 id-regInfo-utf8Pairs OBJECT IDENTIFIER ::= { id-regInfo 1 } 2643 --with syntax 2644 UTF8Pairs ::= UTF8String 2646 id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 } 2647 --with syntax 2648 CertReq ::= CertRequest 2650 -- id-ct-encKeyWithID is a new content type used for CMS objects. 2651 -- it contains both a private key and an identifier for key escrow 2652 -- agents to check against recovery requestors. 2654 id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} 2656 EncKeyWithID ::= SEQUENCE { 2657 privateKey PrivateKeyInfo, 2658 identifier CHOICE { 2659 string UTF8String, 2660 generalName GeneralName 2661 } OPTIONAL 2662 } 2664 PrivateKeyInfo ::= SEQUENCE { 2665 version INTEGER, 2666 privateKeyAlgorithm AlgorithmIdentifier, 2667 privateKey OCTET STRING, 2668 attributes [0] IMPLICIT Attributes OPTIONAL 2669 } 2671 Attributes ::= SET OF Attribute 2673 END 2675 11. ASN.1 Module for RFC-to-be, SCVP 2677 SCVP 2678 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2679 mechanisms(5) pkix(7) id-mod(0) 21 } 2681 DEFINITIONS IMPLICIT TAGS ::= 2682 BEGIN 2684 IMPORTS 2686 AlgorithmIdentifier, Attribute, Certificate, Extensions, 2687 CertificateList, CertificateSerialNumber 2688 FROM PKIX1Explicit88 2689 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2690 mechanisms(5) pkix(7) id-mod(0) 18 } 2692 GeneralNames, GeneralName, KeyUsage, KeyPurposeId 2693 FROM PKIX1Implicit88 2694 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2695 mechanisms(5) pkix(7) id-mod(0) 19 } 2697 AttributeCertificate 2698 FROM PKIXAttributeCertificate 2699 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2700 mechanisms(5) pkix(7) id-mod(0) 12 } 2702 OCSPResponse 2703 FROM OCSP 2704 { iso(1) identified-organization(3) dod(6) internet(1) security(5) 2705 mechanisms(5) pkix(7) id-mod(0) 14 } 2707 ContentInfo 2708 FROM CryptographicMessageSyntax2004 2709 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 2710 smime(16) modules(0) cms-2004(24) } ; 2712 -- SCVP Certificate Validation Request 2714 id-ct OBJECT IDENTIFIER ::= { iso(1) member-body(2) 2715 us(840) rsadsi(113549) pkcs(1) pkcs9(9) id-smime(16) 1 } 2717 id-ct-scvp-certValRequest OBJECT IDENTIFIER ::= { id-ct 10 } 2719 CVRequest ::= SEQUENCE { 2720 cvRequestVersion INTEGER DEFAULT 1, 2721 query Query, 2722 requestorRef [0] GeneralNames OPTIONAL, 2723 requestNonce [1] OCTET STRING OPTIONAL, 2724 requestorName [2] GeneralName OPTIONAL, 2725 responderName [3] GeneralName OPTIONAL, 2726 requestExtensions [4] Extensions OPTIONAL, 2727 signatureAlg [5] AlgorithmIdentifier OPTIONAL, 2728 hashAlg [6] OBJECT IDENTIFIER OPTIONAL, 2729 requestorText [7] UTF8String (SIZE (1..256)) OPTIONAL } 2731 Query ::= SEQUENCE { 2732 queriedCerts CertReferences, 2733 checks CertChecks, 2734 wantBack [1] WantBack OPTIONAL, 2735 validationPolicy ValidationPolicy, 2736 responseFlags ResponseFlags OPTIONAL, 2737 serverContextInfo [2] OCTET STRING OPTIONAL, 2738 validationTime [3] GeneralizedTime OPTIONAL, 2739 intermediateCerts [4] CertBundle OPTIONAL, 2740 revInfos [5] RevocationInfos OPTIONAL, 2741 producedAt [6] GeneralizedTime OPTIONAL, 2742 queryExtensions [7] Extensions OPTIONAL } 2744 CertReferences ::= CHOICE { 2745 pkcRefs [0] SEQUENCE SIZE (1..MAX) OF PKCReference, 2746 acRefs [1] SEQUENCE SIZE (1..MAX) OF ACReference } 2748 CertReference::= CHOICE { 2749 pkc PKCReference, 2750 ac ACReference } 2752 PKCReference ::= CHOICE { 2753 cert [0] Certificate, 2754 pkcRef [1] SCVPCertID } 2756 ACReference ::= CHOICE { 2757 attrCert [2] AttributeCertificate, 2758 acRef [3] SCVPCertID } 2760 SCVPCertID ::= SEQUENCE { 2761 certHash OCTET STRING, 2762 issuerSerial SCVPIssuerSerial, 2763 hashAlgorithm AlgorithmIdentifier DEFAULT { algorithm sha-1 } } 2765 SCVPIssuerSerial ::= SEQUENCE { 2766 issuer GeneralNames, 2767 serialNumber CertificateSerialNumber 2768 } 2770 ValidationPolicy ::= SEQUENCE { 2771 validationPolRef ValidationPolRef, 2772 validationAlg [0] ValidationAlg OPTIONAL, 2773 userPolicySet [1] SEQUENCE SIZE (1..MAX) OF OBJECT 2774 IDENTIFIER OPTIONAL, 2775 inhibitPolicyMapping [2] BOOLEAN OPTIONAL, 2776 requireExplicitPolicy [3] BOOLEAN OPTIONAL, 2777 inhibitAnyPolicy [4] BOOLEAN OPTIONAL, 2778 trustAnchors [5] TrustAnchors OPTIONAL, 2779 keyUsages [6] SEQUENCE OF KeyUsage OPTIONAL, 2780 extendedKeyUsages [7] SEQUENCE OF KeyPurposeId OPTIONAL, 2781 specifiedKeyUsages [8] SEQUENCE OF KeyPurposeId OPTIONAL } 2783 CertChecks ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER 2785 WantBack ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER 2787 POLICY ::= TYPE-IDENTIFIER 2789 ValidationPolRef ::= SEQUENCE { 2790 valPolId POLICY.&id, 2791 valPolParams POLICY.&Type OPTIONAL } 2793 ValidationAlg ::= SEQUENCE { 2794 valAlgId POLICY.&id, 2795 parameters POLICY.&Type OPTIONAL } 2797 NameValidationAlgParms ::= SEQUENCE { 2798 nameCompAlgId OBJECT IDENTIFIER, 2799 validationNames GeneralNames } 2801 TrustAnchors ::= SEQUENCE SIZE (1..MAX) OF PKCReference 2803 KeyAgreePublicKey ::= SEQUENCE { 2804 algorithm AlgorithmIdentifier, 2805 publicKey BIT STRING, 2806 macAlgorithm AlgorithmIdentifier, 2807 kDF AlgorithmIdentifier OPTIONAL } 2809 ResponseFlags ::= SEQUENCE { 2810 fullRequestInResponse [0] BOOLEAN DEFAULT FALSE, 2811 responseValidationPolByRef [1] BOOLEAN DEFAULT TRUE, 2812 protectResponse [2] BOOLEAN DEFAULT TRUE, 2813 cachedResponse [3] BOOLEAN DEFAULT TRUE } 2815 CertBundle ::= SEQUENCE SIZE (1..MAX) OF Certificate 2817 RevocationInfos ::= SEQUENCE SIZE (1..MAX) OF RevocationInfo 2819 RevocationInfo ::= CHOICE { 2820 crl [0] CertificateList, 2821 delta-crl [1] CertificateList, 2822 ocsp [2] OCSPResponse, 2823 other [3] OtherRevInfo } 2825 REV-INFO ::= TYPE-IDENTIFIER 2827 OtherRevInfo ::= SEQUENCE { 2828 riType REV-INFO.&id, 2829 riValue REV-INFO.&Type } 2831 -- SCVP Certificate Validation Response 2833 id-ct-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ct 11 } 2835 CVResponse ::= SEQUENCE { 2836 cvResponseVersion INTEGER, 2837 serverConfigurationID INTEGER, 2838 producedAt GeneralizedTime, 2839 responseStatus ResponseStatus, 2840 respValidationPolicy [0] RespValidationPolicy OPTIONAL, 2841 requestRef [1] RequestReference OPTIONAL, 2842 requestorRef [2] GeneralNames OPTIONAL, 2843 requestorName [3] GeneralNames OPTIONAL, 2844 replyObjects [4] ReplyObjects OPTIONAL, 2845 respNonce [5] OCTET STRING OPTIONAL, 2846 serverContextInfo [6] OCTET STRING OPTIONAL, 2847 cvResponseExtensions [7] Extensions OPTIONAL, 2848 requestorText [8] UTF8String (SIZE (1..256)) OPTIONAL } 2850 ResponseStatus ::= SEQUENCE { 2851 statusCode CVStatusCode DEFAULT okay, 2852 errorMessage UTF8String OPTIONAL } 2854 CVStatusCode ::= ENUMERATED { 2855 okay (0), 2856 skipUnrecognizedItems (1), 2857 tooBusy (10), 2858 invalidRequest (11), 2859 internalError (12), 2860 badStructure (20), 2861 unsupportedVersion (21), 2862 abortUnrecognizedItems (22), 2863 unrecognizedSigKey (23), 2864 badSignatureOrMAC (24), 2865 unableToDecode (25), 2866 notAuthorized (26), 2867 unsupportedChecks (27), 2868 unsupportedWantBacks (28), 2869 unsupportedSignatureOrMAC (29), 2870 invalidSignatureOrMAC (30), 2871 protectedResponseUnsupported (31), 2872 unrecognizedResponderName (32), 2873 relayingLoop (40), 2874 unrecognizedValPol (50), 2875 unrecognizedValAlg (51), 2876 fullRequestInResponseUnsupported (52), 2877 fullPolResponseUnsupported (53), 2878 inhibitPolicyMappingUnsupported (54), 2879 requireExplicitPolicyUnsupported (55), 2880 inhibitAnyPolicyUnsupported (56), 2881 validationTimeUnsupported (57), 2882 unrecognizedCritQueryExt (63), 2883 unrecognizedCritRequestExt (64) } 2885 RespValidationPolicy ::= ValidationPolicy 2887 RequestReference ::= CHOICE { 2888 requestHash [0] HashValue, -- hash of CVRequest 2889 fullRequest [1] CVRequest } 2891 HashValue ::= SEQUENCE { 2892 algorithm AlgorithmIdentifier DEFAULT { algorithm sha-1 }, 2893 value OCTET STRING } 2895 sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 2896 oiw(14) secsig(3) algorithm(2) 26 } 2898 ReplyObjects ::= SEQUENCE SIZE (1..MAX) OF CertReply 2900 CertReply ::= SEQUENCE { 2901 cert CertReference, 2902 replyStatus ReplyStatus DEFAULT success, 2903 replyValTime GeneralizedTime, 2904 replyChecks ReplyChecks, 2905 replyWantBacks ReplyWantBacks, 2906 validationErrors [0] SEQUENCE SIZE (1..MAX) OF 2907 OBJECT IDENTIFIER OPTIONAL, 2908 nextUpdate [1] GeneralizedTime OPTIONAL, 2909 certReplyExtensions [2] Extensions OPTIONAL } 2911 ReplyStatus ::= ENUMERATED { 2912 success (0), 2913 malformedPKC (1), 2914 malformedAC (2), 2915 unavailableValidationTime (3), 2916 referenceCertHashFail (4), 2917 certPathConstructFail (5), 2918 certPathNotValid (6), 2919 certPathNotValidNow (7), 2920 wantBackUnsatisfied (8) } 2922 ReplyChecks ::= SEQUENCE OF ReplyCheck 2924 ReplyCheck ::= SEQUENCE { 2925 check OBJECT IDENTIFIER, 2926 status INTEGER DEFAULT 0 } 2928 ReplyWantBacks ::= SEQUENCE OF ReplyWantBack 2930 ReplyWantBack::= SEQUENCE { 2931 wb OBJECT IDENTIFIER, 2932 value OCTET STRING } 2934 CertBundles ::= SEQUENCE SIZE (1..MAX) OF CertBundle 2936 RevInfoWantBack ::= SEQUENCE { 2937 revocationInfo RevocationInfos, 2938 extraCerts CertBundle OPTIONAL } 2940 SCVPResponses ::= SEQUENCE OF ContentInfo 2942 -- SCVP Validation Policies Request 2944 id-ct-scvp-valPolRequest OBJECT IDENTIFIER ::= { id-ct 12 } 2946 ValPolRequest ::= SEQUENCE { 2947 vpRequestVersion INTEGER DEFAULT 1, 2948 requestNonce OCTET STRING } 2950 -- SCVP Validation Policies Response 2952 id-ct-scvp-valPolResponse OBJECT IDENTIFIER ::= { id-ct 13 } 2954 ValPolResponse ::= SEQUENCE { 2955 vpResponseVersion INTEGER, 2956 maxCVRequestVersion INTEGER, 2957 maxVPRequestVersion INTEGER, 2958 serverConfigurationID INTEGER, 2959 thisUpdate GeneralizedTime, 2960 nextUpdate GeneralizedTime OPTIONAL, 2961 supportedChecks CertChecks, 2962 supportedWantBacks WantBack, 2963 validationPolicies SEQUENCE OF OBJECT IDENTIFIER, 2964 validationAlgs SEQUENCE OF OBJECT IDENTIFIER, 2965 authPolicies SEQUENCE OF AuthPolicy, 2966 responseTypes ResponseTypes, 2967 defaultPolicyValues RespValidationPolicy, 2968 revocationInfoTypes RevocationInfoTypes, 2969 signatureGeneration SEQUENCE OF AlgorithmIdentifier, 2970 signatureVerification SEQUENCE OF AlgorithmIdentifier, 2971 hashAlgorithms SEQUENCE SIZE (1..MAX) OF 2972 OBJECT IDENTIFIER, 2973 serverPublicKeys SEQUENCE OF KeyAgreePublicKey 2974 OPTIONAL, 2975 clockSkew INTEGER DEFAULT 10, 2976 requestNonce OCTET STRING OPTIONAL } 2978 ResponseTypes ::= ENUMERATED { 2979 cached-only (0), 2980 non-cached-only (1), 2981 cached-and-non-cached (2) } 2983 RevocationInfoTypes ::= BIT STRING { 2984 fullCRLs (0), 2985 deltaCRLs (1), 2986 indirectCRLs (2), 2987 oCSPResponses (3) } 2989 AuthPolicy ::= OBJECT IDENTIFIER 2991 -- SCVP Check Identifiers 2993 id-stc OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 2994 dod(6) internet(1) security(5) mechanisms(5) pkix(7) 17 } 2996 id-stc-build-pkc-path OBJECT IDENTIFIER ::= { id-stc 1 } 2997 id-stc-build-valid-pkc-path OBJECT IDENTIFIER ::= { id-stc 2 } 2998 id-stc-build-status-checked-pkc-path 2999 OBJECT IDENTIFIER ::= { id-stc 3 } 3001 id-stc-build-aa-path OBJECT IDENTIFIER ::= { id-stc 4 } 3002 id-stc-build-valid-aa-path OBJECT IDENTIFIER ::= { id-stc 5 } 3003 id-stc-build-status-checked-aa-path 3004 OBJECT IDENTIFIER ::= { id-stc 6 } 3005 id-stc-status-check-ac-and-build-status-checked-aa-path 3006 OBJECT IDENTIFIER ::= { id-stc 7 } 3008 -- SCVP WantBack Identifiers 3010 id-swb OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 3011 dod(6) internet(1) security(5) mechanisms(5) pkix(7) 18 } 3013 id-swb-pkc-best-cert-path OBJECT IDENTIFIER ::= { id-swb 1 } 3014 id-swb-pkc-revocation-info OBJECT IDENTIFIER ::= { id-swb 2 } 3015 id-swb-pkc-public-key-info OBJECT IDENTIFIER ::= { id-swb 4 } 3016 id-swb-aa-cert-path OBJECT IDENTIFIER ::= { id-swb 5 } 3017 id-swb-aa-revocation-info OBJECT IDENTIFIER ::= { id-swb 6 } 3018 id-swb-ac-revocation-info OBJECT IDENTIFIER ::= { id-swb 7 } 3019 id-swb-relayed-responses OBJECT IDENTIFIER ::= { id-swb 9 } 3020 id-swb-pkc-cert OBJECT IDENTIFIER ::= { id-swb 10} 3021 id-swb-ac-cert OBJECT IDENTIFIER ::= { id-swb 11} 3022 id-swb-pkc-all-cert-paths OBJECT IDENTIFIER ::= { id-swb 12} 3023 id-swb-pkc-ee-revocation-info OBJECT IDENTIFIER ::= { id-swb 13} 3024 id-swb-pkc-CAs-revocation-info OBJECT IDENTIFIER ::= { id-swb 14} 3026 -- SCVP Validation Policy and Algorithm Identifiers 3028 id-svp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 3029 dod(6) internet(1) security(5) mechanisms(5) pkix(7) 19 } 3031 id-svp-defaultValPolicy OBJECT IDENTIFIER ::= { id-svp 1 } 3033 -- SCVP Basic Validation Algorithm Identifier 3035 id-svp-basicValAlg OBJECT IDENTIFIER ::= { id-svp 3 } 3037 -- SCVP Basic Validation Algorithm Errors 3039 id-bvae OBJECT IDENTIFIER ::= id-svp-basicValAlg 3041 id-bvae-expired OBJECT IDENTIFIER ::= { id-bvae 1 } 3042 id-bvae-not-yet-valid OBJECT IDENTIFIER ::= { id-bvae 2 } 3043 id-bvae-wrongTrustAnchor OBJECT IDENTIFIER ::= { id-bvae 3 } 3044 id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 } 3045 id-bvae-revoked OBJECT IDENTIFIER ::= { id-bvae 5 } 3046 id-bvae-invalidKeyPurpose OBJECT IDENTIFIER ::= { id-bvae 9 } 3047 id-bvae-invalidKeyUsage OBJECT IDENTIFIER ::= { id-bvae 10 } 3048 id-bvae-invalidCertPolicy OBJECT IDENTIFIER ::= { id-bvae 11 } 3050 -- SCVP Name Validation Algorithm Identifier 3052 id-svp-nameValAlg OBJECT IDENTIFIER ::= { id-svp 2 } 3054 -- SCVP Name Validation Algorithm DN comparison algorithm 3056 id-nva-dnCompAlg OBJECT IDENTIFIER ::= { id-svp 4 } 3058 -- SCVP Name Validation Algorithm Errors 3060 id-nvae OBJECT IDENTIFIER ::= id-svp-nameValAlg 3062 id-nvae-name-mismatch OBJECT IDENTIFIER ::= { id-nvae 1 } 3063 id-nvae-no-name OBJECT IDENTIFIER ::= { id-nvae 2 } 3064 id-nvae-unknown-alg OBJECT IDENTIFIER ::= { id-nvae 3 } 3065 id-nvae-bad-name OBJECT IDENTIFIER ::= { id-nvae 4 } 3066 id-nvae-bad-name-type OBJECT IDENTIFIER ::= { id-nvae 5 } 3067 id-nvae-mixed-names OBJECT IDENTIFIER ::= { id-nvae 6 } 3069 -- SCVP Extended Key Usage Key Purpose Identifiers 3071 id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 3072 dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 } 3074 id-kp-scvpServer OBJECT IDENTIFIER ::= { id-kp 15 } 3076 id-kp-scvpClient OBJECT IDENTIFIER ::= { id-kp 16 } 3078 END 3080 12. Security Considerations 3082 Even though all the RFCs in this document are security-related, the 3083 document itself does not have any security considerations. The ASN.1 3084 modules keep the same bits-on-the-wire as the modules that they 3085 replace. 3087 13. Normative References 3089 [ASN1-2002] 3090 ITU-T, "ITU-T Recommendation X.680 Information technology 3091 [ETH] Abstract Syntax Notation One (ASN.1): Specification 3092 of basic notation", ITU-T X.680, 2002. 3094 [NEW-CMS-SMIME] 3095 Hoffman, P. and J. Schaad, "New ASN.1 Modules for CMS and 3096 S/MIME", draft-hoffman-cms-new-asn1 (work in progress), 3097 November 2007. 3099 [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. 3100 Adams, "X.509 Internet Public Key Infrastructure Online 3101 Certificate Status Protocol - OCSP", RFC 2560, June 1999. 3103 [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification 3104 Request Syntax Specification Version 1.7", RFC 2986, 3105 November 2000. 3107 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 3108 Identifiers for the Internet X.509 Public Key 3109 Infrastructure Certificate and Certificate Revocation List 3110 (CRL) Profile", RFC 3279, April 2002. 3112 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet 3113 X.509 Public Key Infrastructure Certificate and 3114 Certificate Revocation List (CRL) Profile", RFC 3280, 3115 April 2002. 3117 [RFC3281] Farrell, S. and R. Housley, "An Internet Attribute 3118 Certificate Profile for Authorization", RFC 3281, 3119 April 2002. 3121 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 3122 RFC 3852, July 2004. 3124 [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, 3125 "Internet X.509 Public Key Infrastructure Certificate 3126 Management Protocol (CMP)", RFC 4210, September 2005. 3128 [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure 3129 Certificate Request Message Format (CRMF)", RFC 4211, 3130 September 2005. 3132 [SCVP] Freeman, T., "Server-based Certificate Validation Protocol 3133 (SCVP)", draft-ietf-pkix-scvp-33.txt (work in progress), 3134 September 2007. 3136 Authors' Addresses 3138 Paul Hoffman 3139 VPN Consortium 3140 127 Segre Place 3141 Santa Cruz, CA 95060 3142 US 3144 Phone: 1-831-426-9827 3145 Email: paul.hoffman@vpnc.org 3147 Jim Schaad 3148 Soaring Hawk Consulting 3150 Email: jimsch@exmsft.com 3152 Full Copyright Statement 3154 Copyright (C) The IETF Trust (2007). 3156 This document is subject to the rights, licenses and restrictions 3157 contained in BCP 78, and except as set forth therein, the authors 3158 retain all their rights. 3160 This document and the information contained herein are provided on an 3161 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 3162 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 3163 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 3164 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 3165 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 3166 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 3168 Intellectual Property 3170 The IETF takes no position regarding the validity or scope of any 3171 Intellectual Property Rights or other rights that might be claimed to 3172 pertain to the implementation or use of the technology described in 3173 this document or the extent to which any license under such rights 3174 might or might not be available; nor does it represent that it has 3175 made any independent effort to identify any such rights. Information 3176 on the procedures with respect to rights in RFC documents can be 3177 found in BCP 78 and BCP 79. 3179 Copies of IPR disclosures made to the IETF Secretariat and any 3180 assurances of licenses to be made available, or the result of an 3181 attempt made to obtain a general license or permission for the use of 3182 such proprietary rights by implementers or users of this 3183 specification can be obtained from the IETF on-line IPR repository at 3184 http://www.ietf.org/ipr. 3186 The IETF invites any interested party to bring to its attention any 3187 copyrights, patents or patent applications, or other proprietary 3188 rights that may cover technology that may be required to implement 3189 this standard. Please address the information to the IETF at 3190 ietf-ipr@ietf.org. 3192 Acknowledgment 3194 Funding for the RFC Editor function is provided by the IETF 3195 Administrative Support Activity (IASA).