idnits 2.17.1

draft-ietf-smime-new-asn1-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

  -- It seems you're using the 'non-IETF stream' Licence Notice instead

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 212: '... -- Parameters MUST be encoded in st...'
     RFC 2119 keyword, line 213: '...t, -- Parameters SHOULD be encoded in ...'
     RFC 2119 keyword, line 214: '..., -- Parameters SHOULD NOT be encoded...'
     RFC 2119 keyword, line 215: '... -- Parameters MUST NOT be encoded i...'
     RFC 2119 keyword, line 217: '... -- Parameters MAY be encoded in the...'
     (96 more instances...)

  -- The draft header indicates that this document updates RFC3370, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3565, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3851, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC3852, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 584 has weird spacing: '...e could be ge...'

     (Using the creation date from RFC3370, updated by this document, for
     RFC5378 checks: 2001-04-25)

     (Using the creation date from RFC3565, updated by this document, for
     RFC5378 checks: 2000-11-22)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 9, 2009) is 5584 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 2535

  -- Looks like a reference, but probably isn't: '1' on line 2536

  -- Looks like a reference, but probably isn't: '2' on line 2537

  == Missing Reference: 'CMSALG' is mentioned on line 1074, but not defined

  == Missing Reference: 'CMS' is mentioned on line 2677, but not defined

  -- Looks like a reference, but probably isn't: '3' on line 2538

  -- Looks like a reference, but probably isn't: '4' on line 2539

  == Missing Reference: 'PROFILE' is mentioned on line 2500, but not defined

  == Missing Reference: 'ACPROF' is mentioned on line 2503, but not defined

  == Missing Reference: 'MSG' is mentioned on line 2644, but not defined

  == Unused Reference: 'ETH' is defined on line 2722, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ASN1-2002'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ETH'

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-pkix-new-asn1 (ref. 'NEW-PKIX')

  ** Obsolete normative reference: RFC 3851 (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 6 errors (**), 0 flaws (~~), 8 warnings (==), 14 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                         P. Hoffman
3     Internet-Draft                                            VPN Consortium
4     Updates: 3370, 3565, 3851, 3852,                               J. Schaad
5     4108, 4998, 5035, 5083, 5084                    Soaring Hawk Consulting
6     (if approved)                                           January 9, 2009
7     Intended status: Standards Track
8     Expires: July 13, 2009

10                    New ASN.1 Modules for CMS and S/MIME
11                      draft-ietf-smime-new-asn1-02.txt

13    Status of this Memo

15       This Internet-Draft is submitted to IETF in full conformance with the
16       provisions of BCP 78 and BCP 79.

18       Internet-Drafts are working documents of the Internet Engineering
19       Task Force (IETF), its areas, and its working groups.  Note that
20       other groups may also distribute working documents as Internet-
21       Drafts.

23       Internet-Drafts are draft documents valid for a maximum of six months
24       and may be updated, replaced, or obsoleted by other documents at any
25       time.  It is inappropriate to use Internet-Drafts as reference
26       material or to cite them other than as "work in progress."

28       The list of current Internet-Drafts can be accessed at
29       http://www.ietf.org/ietf/1id-abstracts.txt.

31       The list of Internet-Draft Shadow Directories can be accessed at
32       http://www.ietf.org/shadow.html.

34       This Internet-Draft will expire on July 13, 2009.

36    Copyright Notice

38       Copyright (c) 2009 IETF Trust and the persons identified as the
39       document authors.  All rights reserved.

41       This document is subject to BCP 78 and the IETF Trust's Legal
42       Provisions Relating to IETF Documents
43       (http://trustee.ietf.org/license-info) in effect on the date of
44       publication of this document.  Please review these documents
45       carefully, as they describe your rights and restrictions with respect
46       to this document.

48    Abstract

50       The Cryptographic Message Syntax (CMS) format, and many associated
51       formats, are expressed using ASN.1.  The current ASN.1 modules
52       conform to the 1988 version of ASN.1.  This document updates those
53       ASN.1 modules to conform to the 2002 version of ASN.1.  There are no
54       bits-on-the-wire changes to any of the formats; this is simply a
55       change to the syntax.

57    Table of Contents

59       1.  Introduction
60         1.1.  Design Notes
61         1.2.  Issues
62           1.2.1.  Module OIDs Changing
63       2.  ASN.1 Module AlgorithmInformation
64       3.  ASN.1 Module for RFC 3370
65       4.  ASN.1 Module for RFC 3565
66       5.  ASN.1 Module for RFC 3851
67       6.  ASN.1 Module for RFC 3852
68       7.  ASN.1 Module for RFC 4108
69       8.  ASN.1 Module for RFC 4998
70       9.  ASN.1 Module for RFC 5035
71       10. ASN.1 Module for RFC 5083
72       11. ASN.1 Module for RFC 5084
73       12. ASN.1 Module for RFC 5275
74       13. Security Considerations
75       14. Normative References
76       Appendix A.  Change History
77         A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
78               draft-ietf-smime-new-asn1-00
79         A.2.  Changes between draft-ietf-smime-new-asn1-00 and -01
80         A.3.  Changes between draft-ietf-smime-new-asn1-01 and -02
81       Authors' Addresses

83    1.  Introduction

85       Some developers would like the IETF to use the latest version of
86       ASN.1 in its standards.  Most of the RFCs that relate to security
87       protocols still use ASN.1 from the 1988 standard, which has been
88       deprecated.  This is particularly true for the standards that relate
89       to PKIX, CMS, and S/MIME.

91       This document updates the following RFCs to use ASN.1 modules that
92       conform to the 2002 version of ASN.1 [ASN1-2002].  Note that not all
93       the modules are updated; some are included to simply make the set
94       complete.

96       o  RFC 3370, CMS Algorithms [RFC3370]

98       o  RFC 3565, Use of AES in CMS [RFC3565]

100      o  RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

102      o  RFC 3852, CMS main [RFC3852]

104      o  RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

106      o  RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

108      o  RFC 5035, Enhanced Security Services (ESS) [RFC5035]

110      o  RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

112      o  RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
113         CMS [RFC5084]

115      o  RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]

117      Note that some of the modules in this document get some of their
118      definitions from places different than the modules in the original
119      RFCs.  The idea is that these modules, when combined with the modules
120      in [NEW-PKIX] can stand on their own and do not need to import
121      definitions from anywhere else.

123      The document also includes a module of common definitions called
124      "AlgorithmInformation".  These definitions are used here and in
125      [NEW-PKIX].

127      Note that some of the modules here import definitions from the common
128      definitions module, "PKIX-CommonTypes", in [NEW-PKIX].

130   1.1.  Design Notes

132      The modules in this document use the object model available in the
133      2002 ASN.1 documents to a great extent.  Objects for each of the
134      different algorithm types are defined.  Also, all of the places where
135      the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
136      now have objects.
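
The ANY hole met most often in practice is the parameters field of AlgorithmIdentifier. The Python below is an added example, not part of the draft: it hand-transcribes four algorithm objects from the modules later in this document (cea-aes128-cbc, kwa-aes128-wrap, kt-rsa, maca-hMAC-SHA1) into a table keyed by OID and checks a DER-encoded AlgorithmIdentifier against each object's parameter type and ParamOptions presence rule. The table layout, the function names and the sample encodings are assumptions constructed for illustration.

```python
# Added example, not from the draft: the AlgorithmIdentifier "parameters" hole
# resolved through an OID-keyed table, the way an information object set does.
(REQUIRED, PREFERRED_PRESENT, PREFERRED_ABSENT,
 ABSENT, INHERITABLE, OPTIONAL) = range(6)   # ParamOptions, in module order
TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x04, 0x05, 0x06, 0x30

def octets(size):
    """Checker for OCTET STRING (SIZE(size))."""
    return lambda tag, body: tag == TAG_OCTET_STRING and len(body) == size

def null(tag, body):
    """Checker for NULL."""
    return tag == TAG_NULL and body == b""

# Hand-transcribed from objects in this document (the table layout is an
# assumption): dotted OID -> (object name, parameter checker, presence rule).
ALGORITHMS = {
    "2.16.840.1.101.3.4.1.2": ("cea-aes128-cbc", octets(16), REQUIRED),
    "2.16.840.1.101.3.4.1.5": ("kwa-aes128-wrap", None, ABSENT),
    "1.2.840.113549.1.1.1": ("kt-rsa", null, REQUIRED),
    "1.3.6.1.5.5.8.1.2": ("maca-hMAC-SHA1", null, PREFERRED_ABSENT),
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_algorithm_identifier(der):
    """Return (object name, warnings); raise ValueError on a MUST violation."""
    tag, seq, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(seq, 0)
    if tag != TAG_OID:
        raise ValueError("algorithm field is not an OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    if oid not in ALGORITHMS:
        raise ValueError("OID %s is not in the object set" % oid)
    name, checker, presence = ALGORITHMS[oid]
    if pos == len(seq):                       # parameters field omitted
        if presence == REQUIRED:
            raise ValueError(name + ": parameters MUST be present")
        return name, (["parameters SHOULD be present"]
                      if presence == PREFERRED_PRESENT else [])
    ptag, pbody, pos = read_tlv(seq, pos)
    if pos != len(seq):
        raise ValueError("trailing data after parameters")
    if presence == ABSENT:
        raise ValueError(name + ": parameters MUST NOT be present")
    if checker is None or not checker(ptag, pbody):
        raise ValueError(name + ": parameters do not match the declared type")
    return name, (["parameters SHOULD NOT be present"]
                  if presence == PREFERRED_ABSENT else [])

# Constructed sample encodings (not captured from real messages):
# SEQUENCE { OID, optional parameters }.
SAMPLES = {
    "aes-cbc-iv16": bytes.fromhex("301d06096086480165030401020410" + "00" * 16),
    "aes-cbc-iv8": bytes.fromhex("301506096086480165030401020408" + "00" * 8),
    "aes-wrap-null": bytes.fromhex("300d06096086480165030401050500"),
    "hmac-null": bytes.fromhex("300c06082b060105050801020500"),
    "rsa-noparams": bytes.fromhex("300b06092a864886f70d010101"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        try:
            print(label, "->", check_algorithm_identifier(der))
        except ValueError as err:
            print(label, "-> REJECT:", err)
```

A decoder generated from the 2002 modules gets the same table from the object sets; with the 1988 modules the parameters field is an untyped ANY and each caller has to remember these checks itself.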

138      Much like the way that the PKIX and S/MIME working groups use the
139      prefix of id- for object identifiers, this document has also adopted
140      a set of two, three, and four letter prefixes to allow for quick
141      identification of the type of an object based on its name.  This
142      allows, for example, the same back half of the name to be used for
143      the different objects.  Thus, "id-sha1" is the object identifier,
144      while "mda-sha1" is the message digest object for "sha1".

146      One or more object sets for the different types of algorithms are
147      defined.  A single consistent name for each of the different
148      algorithm types is used.  For example, an object set named PublicKeys
149      might contain the public keys defined in that module.  If no public
150      keys are defined, then the object set is not created.  When
151      referencing these object sets after import, one needs to be able to
152      disambiguate between the different modules.  This is done by using
153      both the module name (as specified in the IMPORT statement) and the
154      object set name.  For example, in the module for RFC 5280:

156      PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
157      PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

159      PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
160          PKIX1-PSS-OAEP-Algorithms.PublicKeys }

162   1.2.  Issues

164      This section will be removed before final publication.

166   1.2.1.  Module OIDs Changing

168      The OIDs given in the modules in this version of the document are the
169      same as the OIDs from the original modules, even though some of the
170      modules have changed syntax.  That is clearly incorrect.  In a later
171      version of this document, we will change the OIDs for every changed
172      module.  The WG (hopefully in coordination with the PKIX WG) needs to
173      determine how to do this and what the result will be.

175   2.  ASN.1 Module AlgorithmInformation

177      This section contains a module that is imported by many other modules
178      in this document and in [NEW-PKIX].  This module does not come from
179      any existing RFC.

181      AlgorithmInformation
182          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
183          mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

185      DEFINITIONS EXPLICIT TAGS ::=
186      BEGIN

188      EXPORTS ALL;
189      IMPORTS

191      KeyUsage
192      FROM PKIX1Implicit88
193          { iso(1) identified-organization(3) dod(6) internet(1)
194          security(5) mechanisms(5) pkix(7) id-mod(0)
195          id-pkix1-implicit(19) }
196      ;

198      --  Suggested prefixes for algorithm objects are:
199      --
200      --  mda-   Message Digest Algorithms
201      --  sa-    Signature Algorithms
202      --  kta-   Key Transport Algorithms (Asymmetric)
203      --  kaa-   Key Agreement Algorithms  (Asymmetric)
204      --  kwa-   Key Wrap Algorithms (Symmetric)
205      --  kda-   Key Derivation Algorithms
206      --  maca-  Message Authentication Code Algorithms
207      --  pk-    Public Key
208      --  cea-   Content (symmetric) Encryption Algorithm
209      --  cap-   S/MIME Capabilities

211      ParamOptions ::= ENUMERATED {
212         required,         -- Parameters MUST be encoded in structure
213         preferredPresent, -- Parameters SHOULD be encoded in structure
214         preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
215         absent,           -- Parameters MUST NOT be encoded in structure
216         inheritable,      -- Parameters are inherited if not present
217         optional,         -- Parameters MAY be encoded in the structure
218         ...
219      }

221      --  DIGEST-ALGORITHM
222      --
223      --  Describes the basic information for ASN.1 and a digest
224      --      algorithm.
225      --
226      --  &id - contains the OID identifying the digest algorithm
227      --  &Params - contains the type for the algorithm parameters,
228      --            if present; absent implies no parameters
229      --  &paramPresence - parameter presence requirement
230      --
231      --  Additional information such as the length of the hash could also
232      --      be encoded.
233      --
234      --  Example:
235      --  sha1 DIGEST-ALGORITHM ::= {
236      --      IDENTIFIER id-sha1
237      --      PARAM TYPE NULL ARE preferredAbsent
238      --  }

240      DIGEST-ALGORITHM ::= CLASS {
241          &id             OBJECT IDENTIFIER,
242          &Params         OPTIONAL,
243          &paramPresence  ParamOptions DEFAULT absent
244      } WITH SYNTAX {
245          IDENTIFIER &id
246          [PARAMS [TYPE &Params] [ARE &paramPresence] ]
247      }

249      --  SIGNATURE-ALGORITHM
250      --
251      --  Describes the basic properties of a signature algorithm
252      --
253      --  &id - contains the OID identifying the signature algorithm
254      --  &Params - contains the type for the algorithm parameters,
255      --            if present; absent implies no parameters
256      --  &paramPresence - parameter presence requirement
257      --  &HashSet - The set of hash algorithms used with this
258      --             signature algorithm
259      --  &PublicKeySet - the set of public key algorithms for this
260      --                  signature algorithm
261      --  Example:
262      --  sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
263      --     IDENTIFIER id-RSASSA-PSS
264      --     PARAMS TYPE RSASSA-PSS-params ARE required
265      --     HASHES {sha1 | md5, ... }
266      --     PUBLIC KEYS { pk-rsa | pk-rsa-pss }
267      -- }

269      SIGNATURE-ALGORITHM ::= CLASS {
270          &id             OBJECT IDENTIFIER,
271          &Params         OPTIONAL,
272          &Value          OPTIONAL,
273          &paramPresence  ParamOptions DEFAULT absent,
274          &HashSet        DIGEST-ALGORITHM OPTIONAL,
275          &PublicKeySet   PUBLIC-KEY OPTIONAL,
276          &smimeCaps      SMIME-CAPS OPTIONAL
277      } WITH SYNTAX {
278          IDENTIFIER &id
279          [VALUE &Value]
280          [PARAMS [TYPE &Params] ARE &paramPresence ]
281          [HASHES &HashSet]
282          [PUBLIC KEYS &PublicKeySet]
283          [SMIME CAPS &smimeCaps]
284      }

286      --  PUBLIC-KEY
287      --
288      --  Describes the basic properties of a public key
289      --
290      --  &id - contains the OID identifying the public key
291      --  &Params - contains the type for the algorithm parameters,
292      --            if present; absent implies no parameters
293      --  &paramPresence - parameter presence requirement
294      --  &KeyValue - contains the type for the key value
295      --
296      --  Could add information about the keyUsage bits
297      --
298      --  Example:
299      --  pk-rsa-pss PUBLIC-KEY ::= {
300      --      IDENTIFIER id-RSASSA-PSS
301      --      KEY RSAPublicKey
302      --      PARAMS TYPE RSASSA-PSS-params ARE optional
303      --      KEY USAGE BITS { .... }
304      --  }

306      PUBLIC-KEY ::= CLASS {
307          &id             OBJECT IDENTIFIER,
308          &Params         OPTIONAL,
309          &paramPresence  ParamOptions DEFAULT absent,
310          &KeyValue       OPTIONAL,
311          &PrivateKey     OPTIONAL,
312          &keyUsage       KeyUsage OPTIONAL
313      } WITH SYNTAX {
314          IDENTIFIER &id
315          [KEY &KeyValue]
316          [PARAMS [TYPE &Params] ARE &paramPresence]
317          [CERT KEY USAGE &keyUsage]
318          [PRIVATE KEY &PrivateKey]

320      }

322      --  KEY-TRANSPORT
323      --
324      --  Describes the basic properties of a key transport algorithm
325      --
326      --  &id - contains the OID identifying the key transport algorithm
327      --  &Params - contains the type for the algorithm parameters,
328      --            if present; absent implies no parameters
329      --  &paramPresence - parameter presence requirement
330      --  &PublicKeySet - specify which public keys are used with
331      --                  this algorithm
332      --
333      --  Example:
334      --  rsaTransport KEY-TRANSPORT ::= {
335      --      &id rsaEncryption
336      --      &Params NULL
337      --      &paramPresence required
338      --      &PublicKeySet { pk-rsa | pk-rsa-pss }
339      --  }

341      KEY-TRANSPORT ::= CLASS {
342          &id             OBJECT IDENTIFIER UNIQUE,
343          &Params         OPTIONAL,
344          &paramPresence  ParamOptions DEFAULT absent,
345          &PublicKeySet   PUBLIC-KEY OPTIONAL,
346          &smimeCaps      SMIME-CAPS OPTIONAL
347      } WITH SYNTAX {
348          IDENTIFIER &id
349          [PARAMS [TYPE &Params] ARE &paramPresence]
350          [PUBLIC KEYS &PublicKeySet]
351          [SMIME CAPS &smimeCaps]
352      }

354      --  KEY-AGREE
355      --
356      --  Describes the basic properties of a key agreement algorithm
357      --
358      --  &id - contains the OID identifying the key transport algorithm
359      --  &Params - contains the type for the algorithm parameters,
360      --            if present; absent implies no parameters
361      --  &paramPresence - parameter presence requirement
362      --  &Ukm - type of user keying material used
363      --  &PublicKeySet - specify which public keys are used with
364      --                  this algorithm
365      --
366      --  Additional items could be a restricted set of key wrap algorithms
367      --
368      --  Example:
369      --  dh-static-ephemerial KEY-AGREE ::= {
370      --      IDENTIFIER id-alg-ESDH
371      --      PARAMS TYPE KeyWrapAlgorithm ARE required
372      --      - - user key material is not ASN.1 encoded.
373      --      PUBLIC KEYS {
374      --         {IDENTIFIER dh-public-number KEY DHPublicKey
375      --            HASH PARAMS DHDomainParamters PARAMS ARE inheritable }
376      --      }
377      --      - - UKM should be present, but is not separately
378      --      - -   ASN.1 encoded
379      --      UKM ARE preferredPresent
380      --  }

382      KEY-AGREE ::= CLASS {
383          &id             OBJECT IDENTIFIER UNIQUE,
384          &Params         OPTIONAL,
385          &paramPresence  ParamOptions DEFAULT absent,
386          &Ukm            OPTIONAL,
387          &ukmPresence    ParamOptions DEFAULT absent,
388          &PublicKeySet   PUBLIC-KEY OPTIONAL,
389          &smimeCaps      SMIME-CAPS OPTIONAL
390      } WITH SYNTAX {
391          IDENTIFIER &id
392          [PARAMS [TYPE &Params] ARE &paramPresence]
393          [PUBLIC KEYS &PublicKeySet]
394          [UKM [TYPE &Ukm] ARE &ukmPresence]
395          [SMIME CAPS &smimeCaps]
396      }

398      --  KEY-WRAP
399      --
400      --  Describes the basic properties of a key wrap algorithm
401      --
402      --  &id - contains the OID identifying the key transport algorithm
403      --  &Params - contains the type for the algorithm parameters,
404      --            if present; absent implies no parameters
405      --  &paramPresence - parameter presence requirement
406      --
407      --  Example:
408      --  cms3DESwrap KEY-WRAP ::= {
409      --      IDENTIFIER id-alg-CMS3DESwrap
410      --      PARAMS TYPE NULL ARE required
411      --  }

413      KEY-WRAP ::= CLASS {
414          &id             OBJECT IDENTIFIER UNIQUE,
415          &Params         OPTIONAL,
416          &paramPresence  ParamOptions DEFAULT absent,
417          &smimeCaps      SMIME-CAPS OPTIONAL
418      } WITH SYNTAX {
419          IDENTIFIER &id
420          [PARAMS [TYPE &Params] ARE &paramPresence]
421          [SMIME CAPS &smimeCaps]
422      }

424      --  KEY-DERIVATION
425      --
426      --  Describes the basic properties of a key transport algorithm
427      --
428      --  &id - contains the OID identifying the key transport algorithm
429      --  &Params - contains the type for the algorithm parameters,
430      --            if present; absent implies no parameters
431      --  &paramPresence - parameter presence requirement
432      --
433      --  Could add information about defaults for the derivation algorithm
434      --      such as PRFs
435      --
436      --  Example:
437      --  pbkdf2 KEY-DERIVATION ::= {
438      --      IDENTIFIER id-PBKDF2
439      --      PARAMS TYPE PBKDF2-params ARE required
440      --  }

442      KEY-DERIVATION ::= CLASS {
443          &id             OBJECT IDENTIFIER UNIQUE,
444          &Params         OPTIONAL,
445          &paramPresence  ParamOptions DEFAULT absent,
446          &smimeCaps      SMIME-CAPS OPTIONAL
447      } WITH SYNTAX {
448          IDENTIFIER &id
449          [PARAMS [TYPE &Params] ARE &paramPresence]
450          [SMIME CAPS &smimeCaps]
451      }

453      -- MAC-ALGORITHM
454      --
455      --  Describes the basic properties of a key transport algorithm
456      --
457      --  &id - contains the OID identifying the key transport algorithm
458      --  &Params - contains the type for the algorithm parameters,
459      --            if present; absent implies no parameters
460      --  &paramPresence - parameter presence requirement
461      --  &keyed - MAC algorithm is a keyed MAC algorithm
462      --
463      --  It would make sense to also add minimum and maximum MAC lengths
464      --
465      --  Example:
466      --  maca-hmac-sha1 MAC-ALGORITHM ::= {
467      --      IDENTIFIER hMAC-SHA1
468      --      PARAMS TYPE NULL ARE preferredAbsent
469      --  }

471      MAC-ALGORITHM ::= CLASS {
472          &id             OBJECT IDENTIFIER UNIQUE,
473          &Params         OPTIONAL,
474          &paramPresence  ParamOptions DEFAULT absent,
475          &keyed          BOOLEAN,
476          &smimeCaps      SMIME-CAPS OPTIONAL
477      } WITH SYNTAX {
478          IDENTIFIER &id
479          [PARAMS [TYPE &Params] [ARE &paramPresence]]
480          IS KEYED MAC &keyed
481          [SMIME CAPS &smimeCaps]
482      }

484      --  CONTENT-ENCRYPTION
485      --
486      --  Describes the basic properties of a symmetric encryption
487      --      algorithm
488      --
489      --  &id - contains the OID identifying the key transport algorithm
490      --  &Params - contains the type for the algorithm parameters,
491      --            if present; absent implies no parameters
492      --  &paramPresence - parameter presence requirement
493      --
494      --  Example:
495      --  cms3DESwrap KEY-WRAP ::= {
496      --      IDENTIFIER id-alg-CMS3DESwrap
497      --      PARAMS TYPE NULL ARE required
498      --  }

500      CONTENT-ENCRYPTION ::= CLASS {
501          &id             OBJECT IDENTIFIER UNIQUE,
502          &Params         OPTIONAL,
503          &paramPresence  ParamOptions DEFAULT absent,
504          &smimeCaps      SMIME-CAPS OPTIONAL
505      } WITH SYNTAX {
506          IDENTIFIER &id
507          [PARAMS [TYPE &Params] ARE &paramPresence]
508          [SMIME CAPS &smimeCaps]
509      }

511      -- ALGORITHM
512      --
513      -- Describes a generic algorithm identifier
514      --
515      --  &id - contains the OID identifying the key transport algorithm
516      --  &Params - contains the type for the algorithm parameters,
517      --            if present; absent implies no parameters
518      --
519      --  This would be used for cases where an unknown algorithm is
520      --  used.  One should consider using TYPE-IDENTIFIER in these cases.

522      ALGORITHM ::= CLASS {
523          &id             OBJECT IDENTIFIER UNIQUE,
524          &Params         OPTIONAL,
525          &paramPresence  ParamOptions DEFAULT absent,
526          &smimeCaps      SMIME-CAPS OPTIONAL
527      } WITH SYNTAX {
528          IDENTIFIER &id
529          [PARAMS [TYPE &Params] ARE &paramPresence]
530          [SMIME CAPS &smimeCaps]
531      }

533      -- AlgorithmIdentifier
534      --
535      -- Provides the generic structure that is used to encode algorithm
536      --    identification and the parameters associated with the
537      --    algorithm.
538      --
539      -- The first parameter represents the type of the algorithm being
540      --    used.
541      -- The second parameter represents an object set containing the set of
542      --    algorithms that may occur in this situation.
543      --    The first set of required algorithms should occur to the left
544      --       of an extension marker, all other algorithms should occur to
545      --       the right of an extension marker.
546      --
547      -- The object class ALGORITHM can be used for generic unspecified
548      --     items.
549      -- If new ALGORITHM objects are defined, the fields &id and &Params
550      --    need to be present as fields in the object.
551      --

553      AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
554          SEQUENCE {
555              algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
556              parameters  ALGORITHM-TYPE.
557                     &Params({AlgorithmSet}{@algorithm}) OPTIONAL
558          }

560      -- S/MIME Capabilities
561      --
562      -- We have moved the SMIME-CAPS out of rfc3851.asn to here since it
563      --   is used in the PKIX document RFC 4262 - Use of S/MIME Caps in
564      --   certificate extension
565      --
566      --
567      -- This class is used to represent an S/MIME capability.  S/MIME
568      -- capabilities are used to represent what algorithm capabilities
569      -- an individual has.  The classic example was the content encryption
570      -- algorithm RC2 where the algorithm id and the RC2 key lengths
571      -- supported needed to be advertised, but the IV used is not fixed.
572      -- Thus for RC2 we used
573      --
574      -- cap-RC2CBC SMIME-CAPS ::= {
575      --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
576      --
577      -- where 40 and 128 represent the RC2 key length in number of bits.
578      --
579      -- Another example where information needs to be shown is for
580      -- RSA-OAEP where only specific hash functions or mask generation
581      -- functions are supported, but the saltLength is specified by the
582      -- sender and not the recipient.  In this case one can either
583      -- generate a number of different capability items,
584      -- or a new S/MIME capability type could be generated where
585      -- multiple hash functions could be specified.
586      --
587      --
588      -- SMIME-CAP
589      --
590      -- This class is used to associate the type describing capabilities
591      -- with the object identifier.
592      --

594      SMIME-CAPS ::= CLASS {
595          &id         OBJECT IDENTIFIER UNIQUE,
596          &Type       OPTIONAL
597      }
598      WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

600      --
601      -- Generic type - this is used for defining values.
602      --

604      -- Parameterized Type - this is used in structures to allow for
605      --   automatic decoding to occur on capability parameters for a
606      --   specific set of values.

608      SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
609          capabilityID        SMIME-CAPS.&id({CapabilitySet}),
610          parameters          SMIME-CAPS.&Type({CapabilitySet}
611                                  {@capabilityID}) OPTIONAL
612      }

614      -- Parameterized Type - this is used in structures to allow for
615      --   automatic decoding to occur on capability parameters for a
616      --   specific set of values.

618      SMIMECapabilities { SMIME-CAPS : CapabilitySet } ::=
619          SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

621      END

623   3.  ASN.1 Module for RFC 3370

625      CryptographicMessageSyntaxAlgorithms
626          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
627            smime(16) modules(0) cmsalg-2001(16) }
628      DEFINITIONS IMPLICIT TAGS ::=
629      BEGIN

631      IMPORTS

633      ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
634          PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
635          KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
636          AlgorithmIdentifier{}, SMIME-CAPS
637      FROM AlgorithmInformation
638          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
639          mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

641      pk-rsa, pk-dh, pk-dsa,
642      rsaEncryption, DHPublicKey, dhpublicnumber
643      FROM
644          PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
645          internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 }

647      cap-RC2CBC
648      FROM SecureMimeMessageV3dot1
649          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
650            smime(16) modules(0) msg-v3dot1(21) }

652      ;

654      -- 2. Hash algorithms in this document

656      MessageDigestAlgs DIGEST-ALGORITHM ::= {
657      --   mda-md5 |
658      --   mda-sha1,
659           ... }

661      -- 3. Signature algorithms in this document

663      SignatureAlgs SIGNATURE-ALGORITHM ::= {
664      --  See rfc3279.asn
665      --   sa-dsaWithSHA1 |
666      --   sa-rsaWithMD5 |
667      --   sa-rsaWithSHA1,
668           ... }

670      -- 4.  Key Management Algorithms
671      -- 4.1 Key Agreement Algorithms

673      KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
674      KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}

676      -- 4.2 Key Transport Algorithms

678      KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }

680      -- 4.3 Symmetric Key-Encryption Key Algorithms

682      KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }

684      -- 4.4 Key Derivation Algorithms

686      KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

688      -- 5.  Content Encryption Algorithms

690      ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
691          { cea-3DES-cbc | cea-RC2-cbc, ... }

693      -- 6. Message Authentication Code Algorithms

695      MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }

697      -- SMIME Capabilities for these items

699      SMimeCaps SMIME-CAPS ::= {
700          kaa-esdh.&smimeCaps         |
701          kaa-ssdh.&smimeCaps         |
702          kt-rsa.&smimeCaps           |
703          kwa-3DESWrap.&smimeCaps     |
704          kwa-RC2Wrap.&smimeCaps      |
705          cea-3DES-cbc.&smimeCaps     |
706          cea-RC2-cbc.&smimeCaps      |
707          maca-hMAC-SHA1.&smimeCaps,
708          ...}

710      --
711      --
712      --

714      -- Algorithm Identifiers

716      -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
717      --    us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

719      id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
720         rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

722      id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
723         rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

725      id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
726         us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

728      id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
729         us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

731      des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
732         us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

734      rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
735         rsadsi(113549) encryptionAlgorithm(3) 2 }

737      hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
738         dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

740      id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
741         rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

743      -- Algorithm Identifier Parameter Types

745      KeyWrapAlgorithm ::=
746          AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}

748      RC2wrapParameter ::= RC2ParameterVersion
749      RC2ParameterVersion ::= INTEGER

751      CBCParameter ::= IV

753      IV ::= OCTET STRING  -- exactly 8 octets

755      RC2CBCParameter ::= SEQUENCE {
756          rc2ParameterVersion INTEGER (1..256),
757          iv OCTET STRING  }  -- exactly 8 octets

759      maca-hMAC-SHA1 MAC-ALGORITHM ::= {
760          IDENTIFIER hMAC-SHA1
761          PARAMS TYPE NULL ARE preferredAbsent
762          IS KEYED MAC TRUE
763          SMIME CAPS {IDENTIFIED BY hMAC-SHA1}
764      }

766      --  Another way to do the following would be:
767      --  alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
768      --      { algorithm hMAC-SHA1, parameters NULL:NULL }

770      PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
771          {PBKDF2-PRFs} }

773      alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::=
774          ALGORITHM ::=
775          { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }

777      PBKDF2-SaltSources ALGORITHM ::= { ... }

779      PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }

781      PBKDF2-SaltSourcesAlgorithmIdentifier ::=
782          AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}

784      defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
785          { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }

787      PBKDF2-params ::= SEQUENCE {
788          salt CHOICE {
789              specified OCTET STRING,
790              otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
791          iterationCount INTEGER (1..MAX),
792          keyLength INTEGER (1..MAX) OPTIONAL,
793          prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
794              defaultPBKDF2
795      }

797      --
798      --  This object is included for completeness.  It should not be used
799      --      for encoding of signatures, but was sometimes used in older
800      --      versions of CMS for encoding of RSA signatures.
801      --
802      --
803      -- sa-rsa SIGNATURE-ALGORITHM ::= {
804      --     IDENTIFIER rsaEncryption
805      --     - - value is not ASN.1 encoded
806      --     PARAMS TYPE NULL ARE required
807      --     HASHES {mda-sha1 | mda-md5, ...}
808      --     PUBLIC KEYS { pk-rsa}
809      -- }
810      --
811      -- No ASN.1 encoding is applied to the signature value
812      --    for these items

814      kaa-esdh KEY-AGREE ::= {
815          IDENTIFIER id-alg-ESDH
816          PARAMS TYPE KeyWrapAlgorithm ARE required
817          PUBLIC KEYS { pk-dh }
818          -- UKM is not ASN.1 encoded
819          UKM ARE optional
820          SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
821      }

823      kaa-ssdh KEY-AGREE ::= {
824          IDENTIFIER id-alg-SSDH
825          PARAMS TYPE KeyWrapAlgorithm ARE required
826          PUBLIC KEYS {pk-dh}
827          -- UKM is not ASN.1 encoded
828          UKM ARE optional
829          SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
830      }

832      dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber

834      pk-originator-dh PUBLIC-KEY ::= {
835          IDENTIFIER dh-public-number
836          KEY DHPublicKey
837          PARAMS ARE absent
838          CERT KEY USAGE {keyAgreement, encipherOnly, decipherOnly}
839      }

841      kwa-3DESWrap KEY-WRAP ::= {
842          IDENTIFIER id-alg-CMS3DESwrap
843          PARAMS TYPE NULL ARE required
844          SMIME CAPS {IDENTIFIED BY id-alg-CMSRC2wrap}
845      }

847      kwa-RC2Wrap KEY-WRAP ::= {
848          IDENTIFIER id-alg-CMSRC2wrap
849          PARAMS TYPE RC2wrapParameter ARE required
850          SMIME CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
851      }

853      kda-PBKDF2 KEY-DERIVATION ::= {
854          IDENTIFIER id-PBKDF2
855          PARAMS TYPE PBKDF2-params ARE required
856          -- No s/mime caps defined
857      }

859      cea-3DES-cbc CONTENT-ENCRYPTION ::= {
860          IDENTIFIER des-ede3-cbc
861          PARAMS TYPE IV ARE required
862          SMIME CAPS { IDENTIFIED BY des-ede3-cbc }
863      }

865      cea-RC2-cbc CONTENT-ENCRYPTION ::= {
866          IDENTIFIER rc2-cbc
867          PARAMS TYPE RC2CBCParameter ARE required
868          SMIME CAPS cap-RC2CBC
869      }

871      kt-rsa KEY-TRANSPORT ::= {
872          IDENTIFIER rsaEncryption
873          PARAMS TYPE NULL ARE required
874          PUBLIC KEYS { pk-rsa }
875          SMIME CAPS {IDENTIFIED BY rsaEncryption}
876      }

   -- S/MIME Capabilities - most have no label.

   cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }

   END

4.  ASN.1 Module for RFC 3565

   CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
   IMPORTS

   CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
   FROM AlgorithmInformation
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
   ;

   AES-ContentEncryption CONTENT-ENCRYPTION ::= {
       cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
   }

   AES-KeyWrap KEY-WRAP ::= {
       kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
   }

   SMimeCaps SMIME-CAPS ::= {
       cea-aes128-cbc.&smimeCaps |
       cea-aes192-cbc.&smimeCaps |
       cea-aes256-cbc.&smimeCaps |
       kwa-aes128-wrap.&smimeCaps |
       kwa-aes192-wrap.&smimeCaps |
       kwa-aes256-wrap.&smimeCaps, ...
   }

   -- AES information object identifiers --

   aes OBJECT IDENTIFIER ::=
       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithms(4) 1 }

   -- AES using CBC-chaining mode for key sizes of 128, 192, 256

   id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
   id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
   id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

   cea-aes128-cbc CONTENT-ENCRYPTION ::= {
       IDENTIFIER id-aes128-CBC
       PARAMS TYPE AES-IV ARE required
       SMIME CAPS { IDENTIFIED BY id-aes128-CBC }
   }

   cea-aes192-cbc CONTENT-ENCRYPTION ::= {
       IDENTIFIER id-aes192-CBC
       PARAMS TYPE AES-IV ARE required
       SMIME CAPS { IDENTIFIED BY id-aes192-CBC }
   }

   cea-aes256-cbc CONTENT-ENCRYPTION ::= {
       IDENTIFIER id-aes256-CBC
       PARAMS TYPE AES-IV ARE required
       SMIME CAPS { IDENTIFIED BY id-aes256-CBC }
   }

   -- AES-IV is the parameter for all the above object identifiers.

   AES-IV ::= OCTET STRING (SIZE(16))

   -- AES Key Wrap Algorithm Identifiers - Parameter is absent

   id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
   id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
   id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

   kwa-aes128-wrap KEY-WRAP ::= {
       IDENTIFIER id-aes128-wrap
       PARAMS ARE absent
       SMIME CAPS { IDENTIFIED BY id-aes128-wrap }
   }

   kwa-aes192-wrap KEY-WRAP ::= {
       IDENTIFIER id-aes192-wrap
       PARAMS ARE absent
       SMIME CAPS { IDENTIFIED BY id-aes192-wrap }
   }

   kwa-aes256-wrap KEY-WRAP ::= {
       IDENTIFIER id-aes256-wrap
       PARAMS ARE absent
       SMIME CAPS { IDENTIFIED BY id-aes256-wrap }
   }

   END

5.  ASN.1 Module for RFC 3851

   SecureMimeMessageV3dot1
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) msg-v3dot1(21) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS

   SMIME-CAPS, SMIMECapabilities{}
   FROM AlgorithmInformation
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

   ATTRIBUTE
   FROM PKIX-CommonTypes
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }

   SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
   FROM CryptographicMessageSyntax2004
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) cms-2004(24) }

   rc2-cbc, SMimeCaps
   FROM CryptographicMessageSyntaxAlgorithms
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) cmsalg-2001(16) }

   SMimeCaps
   FROM PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 }

   SMimeCaps
   FROM PKIX1-PSS-OAEP-Algorithms
       { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7)
       id-mod(0) id-mod-pkix1-rsa-pkalgs(33) }
   ;

   SMimeAttributeSet ATTRIBUTE ::=
       { aa-smimeCapabilities | aa-encrypKeyPref, ... }

   -- id-aa is the arc with all new authenticated and unauthenticated
   -- attributes produced by the S/MIME Working Group

   id-aa OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) attributes(2)}

   -- S/MIME Capabilities provides a method of broadcasting the symmetric
   -- capabilities understood.  Algorithms SHOULD be ordered by
   -- preference and grouped by type

   aa-smimeCapabilities ATTRIBUTE ::=
       { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
       smimeCapabilities }

   smimeCapabilities OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       15 }

   SMimeCapsSet SMIME-CAPS ::=
       { cap-preferBinaryInside | cap-RC2CBC |
       PKIXAlgs-2008.SMimeCaps |
       CryptographicMessageSyntaxAlgorithms.SMimeCaps |
       PKIX1-PSS-OAEP-Algorithms.SMimeCaps, ... }

   -- Encryption Key Preference provides a method of broadcasting the
   -- preferred encryption certificate.

   aa-encrypKeyPref ATTRIBUTE ::=
       { TYPE SMIMEEncryptionKeyPreference
       IDENTIFIED BY id-aa-encrypKeyPref }

   id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

   SMIMEEncryptionKeyPreference ::= CHOICE {
       issuerAndSerialNumber    [0] IssuerAndSerialNumber,
       receipentKeyId           [1] RecipientKeyIdentifier,
       subjectAltKeyIdentifier  [2] SubjectKeyIdentifier
   }

   id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

   id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

   -- The preferBinaryInside indicates an ability to receive messages
   -- with binary encoding inside the CMS wrapper

   cap-preferBinaryInside SMIME-CAPS ::=
       { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }

   id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

   -- The following lists the OIDs to be used with S/MIME V3

   -- Signature Algorithms Not Found in [CMSALG]
   --
   -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
   --    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
   --     2}
   --
   -- Other Signed Attributes
   --
   -- signingTime OBJECT IDENTIFIER ::=
   --    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
   --     5}
   --    See [CMS] for a description of how to encode the attribute
   --    value.

   cap-RC2CBC SMIME-CAPS ::=
       { TYPE SMIMECapabilitiesParametersForRC2CBC
       IDENTIFIED BY rc2-cbc}

   SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
   --    (RC2 Key Length (number of bits))

   END

6.  ASN.1 Module for RFC 3852

   This module has an ASN.1 idiom for noting in which version of CMS
   changes were made from the original PKCS #7; that idiom is "[[v:",
   where "v" is an integer.
   For example:

   RevocationInfoChoice ::= CHOICE {
       crl CertificateList,
       ...,
       [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

   Similarly, this module adds the ASN.1 idiom for extensibility (the
   "...,") in all places that have been extended in the past.  See the
   example above.

   CryptographicMessageSyntax2004
       { iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- Set MAX and MIN for attributes

   IMPORTS
   ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
       PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
       KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
       AlgorithmIdentifier
   FROM AlgorithmInformation
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

   SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
       MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
       KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
   FROM CryptographicMessageSyntaxAlgorithms
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) cmsalg-2001(16) }

   Certificate, CertificateList, CertificateSerialNumber,
       Name, ATTRIBUTE
   FROM PKIX1Explicit88
       { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-pkix1-explicit(18) }

   AttributeCertificate
   FROM PKIXAttributeCertificate
       { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-attribute-cert(12) }

   AttributeCertificateV1
   FROM AttributeCertificateVersion1
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) v1AttrCert(15) } ;

   -- Cryptographic Message Syntax

   -- The following are used for version numbers using the ASN.1
   --   idiom "[[n:"
   --   Version 1 = PKCS #7
   --   Version 2 = S/MIME V2
   --   Version 3 = RFC 2630
   --   Version 4 = RFC 3369
   --   Version 5 = RFC 3852

   CONTENT-TYPE ::= TYPE-IDENTIFIER
   ContentType ::= CONTENT-TYPE.&id

   ContentInfo ::= SEQUENCE {
       contentType  CONTENT-TYPE.
                        &id({ContentSet}),
       content      [0] EXPLICIT CONTENT-TYPE.
                        &Type({ContentSet}{@contentType})}

   ContentSet CONTENT-TYPE ::= {
       -- Define the set of content types to be recognized.
       ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
       ct-AuthenticatedData | ct-DigestedData, ... }

   SignedData ::= SEQUENCE {
       version           CMSVersion,
       digestAlgorithms  SET OF DigestAlgorithmIdentifier,
       encapContentInfo  EncapsulatedContentInfo,
       certificates      [0] IMPLICIT CertificateSet OPTIONAL,
       crls              [1] IMPLICIT RevocationInfoChoices OPTIONAL,
       signerInfos       SignerInfos }

   SignerInfos ::= SET OF SignerInfo

   EncapsulatedContentInfo ::= SEQUENCE {
       eContentType  CONTENT-TYPE.&id({ContentSet}),
       eContent      [0] EXPLICIT OCTET STRING
                         ( CONTAINING CONTENT-TYPE.
                         &Type({ContentSet}{@eContentType})) OPTIONAL }

   SignerInfo ::= SEQUENCE {
       version             CMSVersion,
       sid                 SignerIdentifier,
       digestAlgorithm     DigestAlgorithmIdentifier,
       signedAttrs         [0] IMPLICIT SignedAttributes OPTIONAL,
       signatureAlgorithm  SignatureAlgorithmIdentifier,
       signature           SignatureValue,
       unsignedAttrs       [1] IMPLICIT Attributes
                               {{UnsignedAttributes}} OPTIONAL }

   SignedAttributes ::= Attributes {{ SignedAttributesSet }}

   SignerIdentifier ::= CHOICE {
       issuerAndSerialNumber IssuerAndSerialNumber,
       ...,
       [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

   -- M00QUEST - should we add in the ESS & S/MIME attributes or
   --   leave them out

   SignedAttributesSet ATTRIBUTE ::=
       { aa-signingTime | aa-messageDigest | aa-contentType, ...
       }

   UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

   SignatureValue ::= OCTET STRING

   EnvelopedData ::= SEQUENCE {
       version               CMSVersion,
       originatorInfo        [0] IMPLICIT OriginatorInfo OPTIONAL,
       recipientInfos        RecipientInfos,
       encryptedContentInfo  EncryptedContentInfo,
       ...,
       [[2: unprotectedAttrs [1] IMPLICIT Attributes
           {{ UnprotectedAttributes }} OPTIONAL ]] }

   OriginatorInfo ::= SEQUENCE {
       certs  [0] IMPLICIT CertificateSet OPTIONAL,
       crls   [1] IMPLICIT RevocationInfoChoices OPTIONAL }

   RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

   EncryptedContentInfo ::= SEQUENCE {
       contentType                 CONTENT-TYPE.&id({ContentSet}),
       contentEncryptionAlgorithm  ContentEncryptionAlgorithmIdentifier,
       encryptedContent            [0] IMPLICIT OCTET STRING OPTIONAL }

   -- If you want to do constraints, you might use:
   -- EncryptedContentInfo ::= SEQUENCE {
   --   contentType CONTENT-TYPE.&id({ContentSet}),
   --   contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
   --   encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
   --       &Type({ContentSet}{@contentType}) OPTIONAL }
   -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
   --         { ToBeEncrypted } )

   UnprotectedAttributes ATTRIBUTE ::= { ... }

   RecipientInfo ::= CHOICE {
       ktri KeyTransRecipientInfo,
       ...,
       [[3: kari [1] KeyAgreeRecipientInfo ]],
       [[4: kekri [2] KEKRecipientInfo]],
       [[5: pwri [3] PasswordRecipientInfo,
            ori [4] OtherRecipientInfo ]] }

   EncryptedKey ::= OCTET STRING

   KeyTransRecipientInfo ::= SEQUENCE {
       version                 CMSVersion,  -- always set to 0 or 2
       rid                     RecipientIdentifier,
       keyEncryptionAlgorithm  AlgorithmIdentifier
                                   {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
       encryptedKey            EncryptedKey }

   KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ...
       }

   RecipientIdentifier ::= CHOICE {
       issuerAndSerialNumber IssuerAndSerialNumber,
       ...,
       [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

   KeyAgreeRecipientInfo ::= SEQUENCE {
       version                 CMSVersion,  -- always set to 3
       originator              [0] EXPLICIT OriginatorIdentifierOrKey,
       ukm                     [1] EXPLICIT UserKeyingMaterial OPTIONAL,
       keyEncryptionAlgorithm  AlgorithmIdentifier
                                   {KEY-AGREE, {KeyAgreementAlgorithmSet}},
       recipientEncryptedKeys  RecipientEncryptedKeys }

   KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

   OriginatorIdentifierOrKey ::= CHOICE {
       issuerAndSerialNumber  IssuerAndSerialNumber,
       subjectKeyIdentifier   [0] SubjectKeyIdentifier,
       originatorKey          [1] OriginatorPublicKey }

   OriginatorPublicKey ::= SEQUENCE {
       algorithm  AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
       publicKey  BIT STRING }

   OriginatorKeySet PUBLIC-KEY ::= {
       KeyAgreePublicKeys, ...
   }

   RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

   RecipientEncryptedKey ::= SEQUENCE {
       rid           KeyAgreeRecipientIdentifier,
       encryptedKey  EncryptedKey }

   KeyAgreeRecipientIdentifier ::= CHOICE {
       issuerAndSerialNumber  IssuerAndSerialNumber,
       rKeyId                 [0] IMPLICIT RecipientKeyIdentifier }

   RecipientKeyIdentifier ::= SEQUENCE {
       subjectKeyIdentifier  SubjectKeyIdentifier,
       date                  GeneralizedTime OPTIONAL,
       other                 OtherKeyAttribute OPTIONAL }

   SubjectKeyIdentifier ::= OCTET STRING

   KEKRecipientInfo ::= SEQUENCE {
       version                 CMSVersion,  -- always set to 4
       kekid                   KEKIdentifier,
       keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
       encryptedKey            EncryptedKey }

   KEKIdentifier ::= SEQUENCE {
       keyIdentifier  OCTET STRING,
       date           GeneralizedTime OPTIONAL,
       other          OtherKeyAttribute OPTIONAL }

   PasswordRecipientInfo ::= SEQUENCE {
       version                 CMSVersion,  -- always set to 0
       keyDerivationAlgorithm  [0]
                                   KeyDerivationAlgorithmIdentifier
                                   OPTIONAL,
       keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
       encryptedKey            EncryptedKey }

   OTHER-RECIPIENT ::= TYPE-IDENTIFIER

   OtherRecipientInfo ::= SEQUENCE {
       oriType   OTHER-RECIPIENT.
                     &id({SupportedOtherRecipInfo}),
       oriValue  OTHER-RECIPIENT.
                     &Type({SupportedOtherRecipInfo}{@oriType})}

   SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

   DigestedData ::= SEQUENCE {
       version           CMSVersion,
       digestAlgorithm   DigestAlgorithmIdentifier,
       encapContentInfo  EncapsulatedContentInfo,
       digest            Digest, ... }

   Digest ::= OCTET STRING

   EncryptedData ::= SEQUENCE {
       version               CMSVersion,
       encryptedContentInfo  EncryptedContentInfo,
       ...,
       [[2: unprotectedAttrs [1] IMPLICIT Attributes
           {{UnprotectedAttributes}} OPTIONAL ]] }

   AuthenticatedData ::= SEQUENCE {
       version           CMSVersion,
       originatorInfo    [0] IMPLICIT OriginatorInfo OPTIONAL,
       recipientInfos    RecipientInfos,
       macAlgorithm      MessageAuthenticationCodeAlgorithm,
       digestAlgorithm   [1] DigestAlgorithmIdentifier OPTIONAL,
       encapContentInfo  EncapsulatedContentInfo,
       authAttrs         [2] IMPLICIT AuthAttributes OPTIONAL,
       mac               MessageAuthenticationCode,
       unauthAttrs       [3] IMPLICIT UnauthAttributes OPTIONAL }

   AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
       {{AuthAttributeSet}}

   UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
       {{UnauthAttributeSet}}

   AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
       | aa-signingTime, ...}

   UnauthAttributeSet ATTRIBUTE ::= {...}

   MessageAuthenticationCode ::= OCTET STRING

   DigestAlgorithmIdentifier ::= AlgorithmIdentifier
       {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

   DigestAlgorithmSet DIGEST-ALGORITHM ::= {
       CryptographicMessageSyntaxAlgorithms.MessageDigestAlgs, ...
       }

   SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
       {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

   SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
       { SignatureAlgs, ... }

   KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
       {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

   KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

   ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
       {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

   ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
       { ContentEncryptionAlgs, ... }

   MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
       {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

   MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
       { MessageAuthAlgs, ... }

   KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
       {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

   RevocationInfoChoices ::= SET OF RevocationInfoChoice

   RevocationInfoChoice ::= CHOICE {
       crl CertificateList,
       ...,
       [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

   OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

   OtherRevocationInfoFormat ::= SEQUENCE {
       otherRevInfoFormat  OTHER-REVOK-INFO.
                               &id({SupportedOtherRevokInfo}),
       otherRevInfo        OTHER-REVOK-INFO.
                               &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

   SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

   CertificateChoices ::= CHOICE {
       certificate Certificate,
       extendedCertificate [0] IMPLICIT ExtendedCertificate,
           -- Obsolete
       ...,
       [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
           -- Obsolete
       [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
       [[5: other [3] IMPLICIT OtherCertificateFormat]] }

   AttributeCertificateV2 ::= AttributeCertificate

   OTHER-CERT-FMT ::= TYPE-IDENTIFIER

   OtherCertificateFormat ::= SEQUENCE {
       otherCertFormat  OTHER-CERT-FMT.
                            &id({SupportedCertFormats}),
       otherCert        OTHER-CERT-FMT.
                            &Type({SupportedCertFormats}{@otherCertFormat})}

   SupportedCertFormats OTHER-CERT-FMT ::= { ... }

   CertificateSet ::= SET OF CertificateChoices

   IssuerAndSerialNumber ::= SEQUENCE {
       issuer        Name,
       serialNumber  CertificateSerialNumber }

   CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

   UserKeyingMaterial ::= OCTET STRING

   KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

   OtherKeyAttribute ::= SEQUENCE {
       keyAttrId  KEY-ATTRIBUTE.
                      &id({SupportedKeyAttributes}),
       keyAttr    KEY-ATTRIBUTE.
                      &Type({SupportedKeyAttributes}{@keyAttrId})}

   SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

   -- Content Type Object Identifiers

   id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

   ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

   id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

   ct-SignedData CONTENT-TYPE ::=
       { SignedData IDENTIFIED BY id-signedData}

   id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

   ct-EnvelopedData CONTENT-TYPE ::=
       { EnvelopedData IDENTIFIED BY id-envelopedData}

   id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

   ct-DigestedData CONTENT-TYPE ::=
       { DigestedData IDENTIFIED BY id-digestedData}

   id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

   ct-EncryptedData CONTENT-TYPE ::=
       { EncryptedData IDENTIFIED BY id-encryptedData}

   id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

   ct-AuthenticatedData CONTENT-TYPE ::=
       { AuthenticatedData IDENTIFIED BY id-ct-authData}

   id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

   -- The CMS Attributes

   MessageDigest ::= OCTET STRING

   SigningTime ::= Time

   Time ::= CHOICE {
       utcTime      UTCTime,
       generalTime  GeneralizedTime }

   Countersignature ::= SignerInfo

   -- Attribute Object Identifiers

   aa-contentType ATTRIBUTE ::=
       { TYPE ContentType IDENTIFIED BY id-contentType }

   id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

   aa-messageDigest ATTRIBUTE ::=
       { TYPE MessageDigest IDENTIFIED BY id-messageDigest}

   id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

   aa-signingTime ATTRIBUTE ::=
       { TYPE SigningTime IDENTIFIED BY id-signingTime }

   id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

   aa-countersignature ATTRIBUTE ::=
       { TYPE Countersignature IDENTIFIED BY id-countersignature }

   id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

   -- Obsolete Extended Certificate syntax from PKCS#6
   ExtendedCertificateOrCertificate ::= CHOICE {
       certificate          Certificate,
       extendedCertificate  [0] IMPLICIT ExtendedCertificate }

   ExtendedCertificate ::= SEQUENCE {
       extendedCertificateInfo  ExtendedCertificateInfo,
       signatureAlgorithm       SignatureAlgorithmIdentifier,
       signature                Signature }

   ExtendedCertificateInfo ::= SEQUENCE {
       version      CMSVersion,
       certificate  Certificate,
       attributes   UnauthAttributes }

   Signature ::= BIT STRING

   Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
       attrType    ATTRIBUTE.
                       &id({AttrList}),
       attrValues  SET OF ATTRIBUTE.
                       &Type({AttrList}{@attrType}) }

   Attributes { ATTRIBUTE:AttrList } ::=
       SET SIZE (1..MAX) OF Attribute {{ AttrList }}

   END

7.  ASN.1 Module for RFC 4108

   CMSFirmwareWrapper
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) cms-firmware-wrap(22) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS

   OTHER-NAME
   FROM PKIX1Implicit88
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }

   EnvelopedData, CONTENT-TYPE, ATTRIBUTE
   FROM CryptographicMessageSyntax
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) cms-2004(24) };

   FirmwareContentTypes CONTENT-TYPE ::= {
       ct-firmwarePackage | ct-firmwareLoadReceipt |
       ct-firmwareLoadError,... }

   FirmwareSignedAttrs ATTRIBUTE ::= {
       aa-firmwarePackageID | aa-targetHardwareIDs |
       aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
       aa-communityIdentifiers | aa-firmwarePackageInfo,... }

   FirmwareUnsignedAttrs ATTRIBUTE ::= {
       aa-wrappedFirmwareKey, ... }

   FirmwareOtherNames OTHER-NAME ::= {
       on-hardwareModuleName, ...
       }

   -- Firmware Package Content Type and Object Identifier

   ct-firmwarePackage CONTENT-TYPE ::=
       { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

   id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) ct(1) 16 }

   FirmwarePkgData ::= OCTET STRING

   -- Firmware Package Signed Attributes and Object Identifiers

   aa-firmwarePackageID ATTRIBUTE ::=
       { TYPE FirmwarePackageIdentifier IDENTIFIED BY
       id-aa-firmwarePackageID }

   id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 35 }

   FirmwarePackageIdentifier ::= SEQUENCE {
       name   PreferredOrLegacyPackageIdentifier,
       stale  PreferredOrLegacyStalePackageIdentifier OPTIONAL }

   PreferredOrLegacyPackageIdentifier ::= CHOICE {
       preferred  PreferredPackageIdentifier,
       legacy     OCTET STRING }

   PreferredPackageIdentifier ::= SEQUENCE {
       fwPkgID  OBJECT IDENTIFIER,
       verNum   INTEGER (0..MAX) }

   PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
       preferredStaleVerNum  INTEGER (0..MAX),
       legacyStaleVersion    OCTET STRING }

   aa-targetHardwareIDs ATTRIBUTE ::=
       { TYPE TargetHardwareIdentifiers IDENTIFIED BY
       id-aa-targetHardwareIDs }

   id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 36 }

   TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

   aa-decryptKeyID ATTRIBUTE ::=
       { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

   id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 37 }

   DecryptKeyIdentifier ::= OCTET STRING

   aa-implCryptoAlgs ATTRIBUTE ::=
       { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
       id-aa-implCryptoAlgs }

   id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 38 }

   ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

   aa-implCompressAlgs ATTRIBUTE ::=
       { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
       id-aa-implCompressAlgs }

   id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 43 }

   ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

   aa-communityIdentifiers ATTRIBUTE ::=
       { TYPE CommunityIdentifiers IDENTIFIED BY
       id-aa-communityIdentifiers }

   id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 40 }

   CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

   CommunityIdentifier ::= CHOICE {
       communityOID  OBJECT IDENTIFIER,
       hwModuleList  HardwareModules }

   HardwareModules ::= SEQUENCE {
       hwType           OBJECT IDENTIFIER,
       hwSerialEntries  SEQUENCE OF HardwareSerialEntry }

   HardwareSerialEntry ::= CHOICE {
       all     NULL,
       single  OCTET STRING,
       block   SEQUENCE {
           low   OCTET STRING,
           high  OCTET STRING } }

   aa-firmwarePackageInfo ATTRIBUTE ::=
       { TYPE FirmwarePackageInfo IDENTIFIED BY
       id-aa-firmwarePackageInfo }

   id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 42 }

   FirmwarePackageInfo ::= SEQUENCE {
       fwPkgType     INTEGER OPTIONAL,
       dependencies  SEQUENCE OF
                         PreferredOrLegacyPackageIdentifier OPTIONAL }

   -- Firmware Package Unsigned Attributes and Object Identifiers

   aa-wrappedFirmwareKey ATTRIBUTE ::=
       { TYPE WrappedFirmwareKey IDENTIFIED BY
       id-aa-wrappedFirmwareKey }

   id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) aa(2) 39 }

   WrappedFirmwareKey ::= EnvelopedData

   -- Firmware Package Load Receipt Content Type and Object Identifier
   ct-firmwareLoadReceipt CONTENT-TYPE ::=
       { FirmwarePackageLoadReceipt IDENTIFIED BY
       id-ct-firmwareLoadReceipt }

   id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) ct(1) 17 }

   FirmwarePackageLoadReceipt ::= SEQUENCE {
       version           FWReceiptVersion DEFAULT v1,
       hwType            OBJECT IDENTIFIER,
       hwSerialNum       OCTET STRING,
       fwPkgName         PreferredOrLegacyPackageIdentifier,
       trustAnchorKeyID  OCTET STRING OPTIONAL,
       decryptKeyID      [1] OCTET STRING OPTIONAL }

   FWReceiptVersion ::= INTEGER { v1(1) }

   -- Firmware Package Load Error Report Content Type
   -- and Object Identifier

   ct-firmwareLoadError CONTENT-TYPE ::=
       { FirmwarePackageLoadError
       IDENTIFIED BY id-ct-firmwareLoadError }

   id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
       iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) ct(1) 18 }

   FirmwarePackageLoadError ::= SEQUENCE {
       version          FWErrorVersion DEFAULT v1,
       hwType           OBJECT IDENTIFIER,
       hwSerialNum      OCTET STRING,
       errorCode        FirmwarePackageLoadErrorCode,
       vendorErrorCode  VendorLoadErrorCode OPTIONAL,
       fwPkgName        PreferredOrLegacyPackageIdentifier OPTIONAL,
       config           [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

   FWErrorVersion ::= INTEGER { v1(1) }

   CurrentFWConfig ::= SEQUENCE {
       fwPkgType  INTEGER OPTIONAL,
       fwPkgName  PreferredOrLegacyPackageIdentifier }

   FirmwarePackageLoadErrorCode ::= ENUMERATED {
       decodeFailure                (1),
       badContentInfo               (2),
       badSignedData                (3),
       badEncapContent              (4),
       badCertificate               (5),
       badSignerInfo                (6),
       badSignedAttrs               (7),
       badUnsignedAttrs             (8),
       missingContent               (9),
       noTrustAnchor               (10),
       notAuthorized               (11),
       badDigestAlgorithm          (12),
       badSignatureAlgorithm       (13),
       unsupportedKeySize          (14),
       signatureFailure            (15),
       contentTypeMismatch         (16),
       badEncryptedData            (17),
       unprotectedAttrsPresent     (18),
       badEncryptContent           (19),
       badEncryptAlgorithm         (20),
       missingCiphertext           (21),
       noDecryptKey                (22),
       decryptFailure              (23),
       badCompressAlgorithm        (24),
       missingCompressedContent    (25),
       decompressFailure           (26),
       wrongHardware               (27),
       stalePackage                (28),
       notInCommunity              (29),
       unsupportedPackageType      (30),
       missingDependency           (31),
       wrongDependencyVersion      (32),
       insufficientMemory          (33),
       badFirmware                 (34),
       unsupportedParameters       (35),
       breaksDependency            (36),
       otherError                  (99) }

   VendorLoadErrorCode ::= INTEGER

   -- Other Name syntax for Hardware Module Name

   on-hardwareModuleName OTHER-NAME ::=
       { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }

   id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
       iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) on(8) 4 }

   HardwareModuleName ::= SEQUENCE {
       hwType       OBJECT IDENTIFIER,
       hwSerialNum  OCTET STRING }

   END

8.  ASN.1 Module for RFC 4998

   ERS {iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
       id-mod-ers-v1(1) }
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS

   AttributeSet{}, ATTRIBUTE
   FROM PKIX-CommonTypes
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }

   AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
   FROM AlgorithmInformation
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

   ContentInfo
   FROM CryptographicMessageSyntax2004
       { iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;

   ltans OBJECT IDENTIFIER ::=
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) ltans(11) }

   EvidenceRecord ::= SEQUENCE {
       version                   INTEGER { v1(1) } ,
       digestAlgorithms          SEQUENCE OF AlgorithmIdentifier
                                     {DIGEST-ALGORITHM, {...}},
       cryptoInfos               [0] CryptoInfos OPTIONAL,
       encryptionInfo            [1] EncryptionInfo OPTIONAL,
       archiveTimeStampSequence  ArchiveTimeStampSequence
   }

   CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}

   ArchiveTimeStamp ::= SEQUENCE {
       digestAlgorithm  [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
                            OPTIONAL,
       attributes       [1] Attributes OPTIONAL,
       reducedHashtree  [2] SEQUENCE OF PartialHashtree OPTIONAL,
       timeStamp        ContentInfo
   }

   PartialHashtree ::= SEQUENCE OF OCTET STRING

   Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}

   ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

   ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain

   EncryptionInfo ::= SEQUENCE {
       encryptionInfoType   ENCINFO-TYPE.
                                &id({SupportedEncryptionAlgorithms}),
       encryptionInfoValue  ENCINFO-TYPE.
          &Type({SupportedEncryptionAlgorithms}
          {@encryptionInfoType})
  }

  ENCINFO-TYPE ::= TYPE-IDENTIFIER

  SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}

  aa-er-Internal ATTRIBUTE ::=
      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }

  id-aa-er-internal OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
      smime(16) id-aa(2) 49 }

  aa-er-External ATTRIBUTE ::=
      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }

  id-aa-er-external OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
      smime(16) id-aa(2) 50 }

  END

9. ASN.1 Module for RFC 5035

  ExtendedSecurityServices-2006
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-ess-2006(30) }
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN

  IMPORTS

  AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
  FROM PKIX-CommonTypes
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }

  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
  FROM AlgorithmInformation
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

  ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
      CONTENT-TYPE
  FROM CryptographicMessageSyntax2004
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cms-2004(24) }

  CertificateSerialNumber
  FROM PKIX1Explicit88
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }

  PolicyInformation, GeneralNames
  FROM PKIX1Implicit88
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)}

  mda-sha256
  FROM PKIX1-PSS-OAEP-Algorithms
      { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-rsa-pkalgs(33) }
  ;

  EssSignedAttributes ATTRIBUTE ::= {
      aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
      aa-msgSigDigest | aa-contentReference | aa-securityLabel |
      aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
      aa-signingCertificateV2, ... }

  EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }

  -- Extended Security Services
  -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
  -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
  -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
  -- to have at least one entry. MAX indicates the upper bound is
  -- unspecified. Implementations are free to choose an upper bound
  -- that suits their environment.

  -- Section 2.7

  aa-receiptRequest ATTRIBUTE ::=
      { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}

  ReceiptRequest ::= SEQUENCE {
      signedContentIdentifier ContentIdentifier,
      receiptsFrom ReceiptsFrom,
      receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
  }

  ub-receiptsTo INTEGER ::= 16

  id-aa-receiptRequest OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 1}

  aa-contentIdentifier ATTRIBUTE ::=
      { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}

  ContentIdentifier ::= OCTET STRING

  id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

  ct-receipt CONTENT-TYPE ::=
      { Receipt IDENTIFIED BY id-ct-receipt }

  ReceiptsFrom ::= CHOICE {
      allOrFirstTier [0] AllOrFirstTier,
          -- formerly "allOrNone [0]AllOrNone"
      receiptList [1] SEQUENCE OF GeneralNames }

  AllOrFirstTier ::=
      INTEGER { -- Formerly AllOrNone
      allReceipts (0),
      firstTierRecipients (1) }

  -- Section 2.8

  Receipt ::= SEQUENCE {
      version ESSVersion,
      contentType ContentType,
      signedContentIdentifier ContentIdentifier,
      originatorSignatureValue OCTET STRING }

  id-ct-receipt OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-ct(1) 1}

  ESSVersion ::= INTEGER { v1(1) }

  -- Section 2.9

  aa-contentHint ATTRIBUTE ::=
      { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }

  ContentHints ::= SEQUENCE {
      contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
      contentType ContentType }

  id-aa-contentHint OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 4}

  -- Section 2.10

  aa-msgSigDigest ATTRIBUTE ::=
      { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }

  MsgSigDigest ::= OCTET STRING

  id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

  -- Section 2.11

  aa-contentReference ATTRIBUTE ::=
      { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }

  ContentReference ::= SEQUENCE {
      contentType ContentType,
      signedContentIdentifier ContentIdentifier,
      originatorSignatureValue OCTET STRING }

  id-aa-contentReference OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 10 }

  -- Section 3.2

  aa-securityLabel ATTRIBUTE ::=
      { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }

  ESSSecurityLabel ::= SET {
      security-policy-identifier SecurityPolicyIdentifier,
      security-classification SecurityClassification OPTIONAL,
      privacy-mark ESSPrivacyMark OPTIONAL,
      security-categories SecurityCategories OPTIONAL }

  id-aa-securityLabel OBJECT IDENTIFIER ::=
      { iso(1)
      member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 2}

  SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

  SecurityClassification ::= INTEGER {
      unmarked (0),
      unclassified (1),
      restricted (2),
      confidential (3),
      secret (4),
      top-secret (5)
  } (0..ub-integer-options)

  ub-integer-options INTEGER ::= 256

  ESSPrivacyMark ::= CHOICE {
      pString PrintableString (SIZE (1..ub-privacy-mark-length)),
      utf8String UTF8String (SIZE (1..MAX))
  }

  ub-privacy-mark-length INTEGER ::= 128

  SecurityCategories ::=
      SET SIZE (1..ub-security-categories) OF SecurityCategory
          {{SupportedSecurityCategories}}

  ub-security-categories INTEGER ::= 64

  SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

  -- Section 3.4

  aa-equivalentLabels ATTRIBUTE ::=
      { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }

  EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

  id-aa-equivalentLabels OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 9}

  -- Section 4.4

  aa-mlExpandHistory ATTRIBUTE ::=
      { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }

  MLExpansionHistory ::= SEQUENCE
      SIZE (1..ub-ml-expansion-history) OF MLData

  id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) id-aa(2) 3 }

  ub-ml-expansion-history INTEGER ::= 64

  MLData ::= SEQUENCE {
      mailListIdentifier EntityIdentifier,
      expansionTime GeneralizedTime,
      mlReceiptPolicy MLReceiptPolicy OPTIONAL }

  EntityIdentifier ::= CHOICE {
      issuerAndSerialNumber IssuerAndSerialNumber,
      subjectKeyIdentifier SubjectKeyIdentifier }

  MLReceiptPolicy ::= CHOICE {
      none [0] NULL,
      insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
      inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

  -- Section 5.4

  aa-signingCertificate ATTRIBUTE ::=
      { TYPE SigningCertificate IDENTIFIED BY
      id-aa-signingCertificate }

  SigningCertificate ::= SEQUENCE {
      certs SEQUENCE OF ESSCertID,
      policies SEQUENCE OF PolicyInformation OPTIONAL
  }

  id-aa-signingCertificate OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
      smime(16) id-aa(2) 12 }

  aa-signingCertificateV2 ATTRIBUTE ::=
      { TYPE SigningCertificateV2 IDENTIFIED BY
      id-aa-signingCertificateV2 }

  SigningCertificateV2 ::= SEQUENCE {
      certs SEQUENCE OF ESSCertIDv2,
      policies SEQUENCE OF PolicyInformation OPTIONAL
  }

  id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
      smime(16) id-aa(2) 47 }

  HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
      {mda-sha256, ...}}

  ESSCertIDv2 ::= SEQUENCE {
      hashAlgorithm HashAlgorithm
          DEFAULT { algorithm mda-sha256.&id },
      certHash Hash,
      issuerSerial IssuerSerial OPTIONAL
  }

  ESSCertID ::= SEQUENCE {
      certHash Hash,
      issuerSerial IssuerSerial OPTIONAL
  }

  Hash ::= OCTET STRING

  IssuerSerial ::= SEQUENCE {
      issuer GeneralNames,
      serialNumber CertificateSerialNumber
  }

  END

10. ASN.1 Module for RFC 5083

  CMS-AuthEnvelopedData-2007
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN

  IMPORTS

  AuthAttributes, CMSVersion, EncryptedContentInfo,
      MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
      UnauthAttributes, CONTENT-TYPE
  FROM CryptographicMessageSyntax2004
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cms-2004(24) } ;

  --

  ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ...
  }

  --

  ct-authEnvelopedData CONTENT-TYPE ::= {
      AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
  }

  id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) ct(1) 23 }

  AuthEnvelopedData ::= SEQUENCE {
      version CMSVersion,
      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
      recipientInfos RecipientInfos,
      authEncryptedContentInfo EncryptedContentInfo,
      authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
      mac MessageAuthenticationCode,
      unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }

  END

11. ASN.1 Module for RFC 5084

  CMS-AES-CCM-and-AES-GCM
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN

  EXPORTS ALL;

  IMPORTS

  CONTENT-ENCRYPTION, SMIME-CAPS
  FROM AlgorithmInformation
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)};

  -- Add this algorithm set to include all of the algorithms defined in
  -- this document

  ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
      cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
      cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }

  SMimeCaps SMIME-CAPS ::= {
      cea-aes128-CCM.&smimeCaps |
      cea-aes192-CCM.&smimeCaps |
      cea-aes256-CCM.&smimeCaps |
      cea-aes128-GCM.&smimeCaps |
      cea-aes192-GCM.&smimeCaps |
      cea-aes256-GCM.&smimeCaps,
      ...
  }

  -- Object Identifiers

  aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
      organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

  id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }

  id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }

  id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

  id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }

  id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }

  id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

  -- Parameters for AlgorithmIdentifier

  CCMParameters ::= SEQUENCE {
      aes-nonce OCTET STRING (SIZE(7..13)),
      aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }

  AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

  GCMParameters ::= SEQUENCE {
      aes-nonce OCTET STRING, -- recommended size is 12 octets
      aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }

  AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

  -- Defining objects

  cea-aes128-CCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes128-CCM
      PARAMS TYPE CCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes128-CCM }
  }

  cea-aes192-CCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes192-CCM
      PARAMS TYPE CCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes192-CCM }
  }

  cea-aes256-CCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes256-CCM
      PARAMS TYPE CCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes256-CCM }
  }

  cea-aes128-GCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes128-GCM
      PARAMS TYPE GCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes128-GCM }
  }

  cea-aes192-GCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes192-GCM
      PARAMS TYPE GCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes192-GCM }
  }

  cea-aes256-GCM CONTENT-ENCRYPTION ::= {
      IDENTIFIER id-aes256-GCM
      PARAMS TYPE GCMParameters ARE required
      SMIME CAPS { IDENTIFIED BY id-aes256-GCM }
  }

  END

12. ASN.1 Module for RFC 5275

  SMIMESymmetricKeyDistribution
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) symkeydist(12) }
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN

  EXPORTS ALL;

  IMPORTS

  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
      SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
  FROM AlgorithmInformation
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}

  GeneralName
  FROM PKIX1Implicit88
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }

  Certificate
  FROM PKIX1Explicit88
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }

  RecipientInfos, KEKIdentifier, CertificateSet
  FROM CryptographicMessageSyntax2004
      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cms-2004(24) }

  cap-3DESwrap
  FROM CryptographicMessageSyntaxAlgorithms
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cmsalg-2001(16) }

  AttributeCertificate
  FROM PKIXAttributeCertificate
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) }

  CMC-CONTROL, EXTENDED-FAILURE-INFO
  FROM EnrollmentMessageSyntax
      { iso(1) identified-organization(3) dod(4) internet(1) security(5)
      mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) }

  cea-aes128-cbc, cea-aes192-cbc, cea-aes256-cbc
  FROM CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
  ;

  -- This defines the GL symmetric key distribution object identifier
  -- arc.

  id-skd OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) skd(8) }

  SKD-ControlSet CMC-CONTROL ::= {
      skd-glUseKEK | skd-glDelete | skd-glAddMember |
      skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
      skd-glRemoveOwner | skd-glKeyCompromise |
      skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
      skd-glManageCert | skd-glKey, ... }

  -- This defines the GL Use KEK control attribute

  skd-glUseKEK CMC-CONTROL ::=
      { GLUseKEK IDENTIFIED BY id-skd-glUseKEK }

  id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}

  GLUseKEK ::= SEQUENCE {
      glInfo GLInfo,
      glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
      glAdministration GLAdministration DEFAULT managed,
      glKeyAttributes GLKeyAttributes OPTIONAL
  }

  GLInfo ::= SEQUENCE {
      glName GeneralName,
      glAddress GeneralName
  }

  GLOwnerInfo ::= SEQUENCE {
      glOwnerName GeneralName,
      glOwnerAddress GeneralName,
      certificates Certificates OPTIONAL
  }

  GLAdministration ::= INTEGER {
      unmanaged (0),
      managed (1),
      closed (2)
  }

  --
  -- The set of key wrap algorithms supported by this specification
  --

  SKD-Caps SMIME-CAPS ::= {
      cap-3DESwrap | cea-aes128-cbc.&smimeCaps |
      cea-aes192-cbc.&smimeCaps | cea-aes256-cbc.&smimeCaps, ...
  }

  KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}

  cap-aes128-cbc KeyWrapAlgorithm ::=
      { capabilityID cea-aes128-cbc.&smimeCaps.&id }

  GLKeyAttributes ::= SEQUENCE {
      rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
      recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
      duration [2] INTEGER DEFAULT 0,
      generationCounter [3] INTEGER DEFAULT 2,
      requestedAlgorithm [4] KeyWrapAlgorithm
          DEFAULT cap-aes128-cbc
  }

  -- This defines the Delete GL control attribute.
  -- It has the simple type GeneralName.

  skd-glDelete CMC-CONTROL ::=
      { DeleteGL IDENTIFIED BY id-skd-glDelete }

  id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}

  DeleteGL ::= GeneralName

  -- This defines the Add GL Member control attribute

  skd-glAddMember CMC-CONTROL ::=
      { GLAddMember IDENTIFIED BY id-skd-glAddMember }

  id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}

  GLAddMember ::= SEQUENCE {
      glName GeneralName,
      glMember GLMember
  }

  GLMember ::= SEQUENCE {
      glMemberName GeneralName,
      glMemberAddress GeneralName OPTIONAL,
      certificates Certificates OPTIONAL
  }

  Certificates ::= SEQUENCE {
      pKC [0] Certificate OPTIONAL,
          -- See [PROFILE]
      aC [1] SEQUENCE SIZE (1..MAX) OF
          AttributeCertificate OPTIONAL,
          -- See [ACPROF]
      certPath [2] CertificateSet OPTIONAL
          -- From [CMS]
  }

  -- This defines the Delete GL Member control attribute

  skd-glDeleteMember CMC-CONTROL ::=
      { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }

  id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}

  GLDeleteMember ::= SEQUENCE {
      glName GeneralName,
      glMemberToDelete GeneralName
  }

  -- This defines the GL Rekey control attribute

  skd-glRekey CMC-CONTROL ::=
      { GLRekey IDENTIFIED BY id-skd-glRekey }

  id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}

  GLRekey ::= SEQUENCE {
      glName GeneralName,
      glAdministration GLAdministration OPTIONAL,
      glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
      glRekeyAllGLKeys BOOLEAN OPTIONAL
  }

  GLNewKeyAttributes ::= SEQUENCE {
      rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
      recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
      duration [2] INTEGER OPTIONAL,
      generationCounter [3] INTEGER OPTIONAL,
      requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL
  }

  -- This defines the Add and Delete GL Owner control attributes

  skd-glAddOwner CMC-CONTROL ::=
      { GLOwnerAdministration
      IDENTIFIED BY id-skd-glAddOwner }

  id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}

  skd-glRemoveOwner CMC-CONTROL ::=
      { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }

  id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}

  GLOwnerAdministration ::= SEQUENCE {
      glName GeneralName,
      glOwnerInfo GLOwnerInfo
  }

  -- This defines the GL Key Compromise control attribute.
  -- It has the simple type GeneralName.

  skd-glKeyCompromise CMC-CONTROL ::=
      { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }

  id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}

  GLKCompromise ::= GeneralName

  -- This defines the GL Key Refresh control attribute.

  skd-glkRefresh CMC-CONTROL ::=
      { GLKRefresh IDENTIFIED BY id-skd-glkRefresh }

  id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}

  GLKRefresh ::= SEQUENCE {
      glName GeneralName,
      dates SEQUENCE SIZE (1..MAX) OF Date
  }

  Date ::= SEQUENCE {
      start GeneralizedTime,
      end GeneralizedTime OPTIONAL
  }

  -- This defines the GLA Query Request control attribute.

  skd-glaQueryRequest CMC-CONTROL ::=
      { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }

  id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}

  SKD-QUERY ::= TYPE-IDENTIFIER

  SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}

  GLAQueryRequest ::= SEQUENCE {
      glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
      glaRequestValue SKD-QUERY.
          &Type ({SkdQuerySet}{@glaRequestType})
  }

  -- This defines the GLA Query Response control attribute.

  skd-glaQueryResponse CMC-CONTROL ::=
      { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }

  id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}

  SKD-RESPONSE ::= TYPE-IDENTIFIER

  SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}

  GLAQueryResponse ::= SEQUENCE {
      glaResponseType SKD-RESPONSE.
          &id({SkdResponseSet}),
      glaResponseValue SKD-RESPONSE.
          &Type({SkdResponseSet}{@glaResponseType})}

  -- This defines the GLA Request/Response (glaRR) arc for
  -- glaRequestType/glaResponseType.

  id-cmc-glaRR OBJECT IDENTIFIER ::=
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) cmc(7) glaRR(99) }

  -- This defines the Algorithm Request

  skd-AlgRequest SKD-QUERY ::= {
      SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
  }

  id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }

  SKDAlgRequest ::= NULL

  -- This defines the Algorithm Response

  skd-AlgResponse SKD-RESPONSE ::= {
      SMIMECapability{{SKD-Caps}} IDENTIFIED BY
      id-cmc-gla-skdAlgResponse
  }

  id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }

  -- Note that the response for algorithmSupported request is the
  -- smimeCapabilities attribute as defined in MsgSpec [MSG].

  -- This defines the control attribute to request an updated
  -- certificate to the GLA.

  skd-glProvideCert CMC-CONTROL ::=
      { GLManageCert IDENTIFIED BY id-skd-glProvideCert }

  id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}

  GLManageCert ::= SEQUENCE {
      glName GeneralName,
      glMember GLMember
  }

  -- This defines the control attribute to return an updated
  -- certificate to the GLA. It has the type GLManageCert.

  skd-glManageCert CMC-CONTROL ::=
      { GLManageCert IDENTIFIED BY id-skd-glManageCert }

  id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}

  -- This defines the control attribute to distribute the GL shared
  -- KEK.

  skd-glKey CMC-CONTROL ::=
      { GLKey IDENTIFIED BY id-skd-glKey }

  id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}

  GLKey ::= SEQUENCE {
      glName GeneralName,
      glIdentifier KEKIdentifier, -- See [CMS]
      glkWrapped RecipientInfos, -- See [CMS]
      glkAlgorithm KeyWrapAlgorithm,
      glkNotBefore GeneralizedTime,
      glkNotAfter GeneralizedTime
  }

  -- This defines the CMC error types

  skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
      SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
  }

  id-cet-skdFailInfo OBJECT IDENTIFIER ::=
      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }

  SKDFailInfo ::= INTEGER {
      unspecified (0),
      closedGL (1),
      unsupportedDuration (2),
      noGLACertificate (3),
      invalidCert (4),
      unsupportedAlgorithm (5),
      noGLONameMatch (6),
      invalidGLName (7),
      nameAlreadyInUse (8),
      noSpam (9),
      deniedAccess (10),
      alreadyAMember (11),
      notAMember (12),
      alreadyAnOwner (13),
      notAnOwner (14) }

  END

13. Security Considerations

   Even though all the RFCs in this document are security-related, the
   document itself does not have any security considerations. The ASN.1
   modules keep the same bits-on-the-wire as the modules that they
   replace.

14. Normative References

   [ASN1-2002]
              ITU-T, "ITU-T Recommendation X.680 Information technology
              - Abstract Syntax Notation One (ASN.1): Specification
              of basic notation", ITU-T X.680, 2002.

   [NEW-PKIX]
              Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
              draft-ietf-pkix-new-asn1 (work in progress),
              December 2007.

   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
              Algorithms", RFC 3370, August 2002.

   [RFC3565]  Schaad, J., "Use of the Advanced Encryption Standard (AES)
              Encryption Algorithm in Cryptographic Message Syntax
              (CMS)", RFC 3565, July 2003.

   [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
              Extensions (S/MIME) Version 3.1 Message Specification",
              RFC 3851, July 2004.

   [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 3852, July 2004.

   [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
              Protect Firmware Packages", RFC 4108, August 2005.

   [RFC4998]  Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
              Record Syntax (ERS)", RFC 4998, August 2007.

   [RFC5035]  Schaad, J., "Enhanced Security Services (ESS) Update:
              Adding CertID Algorithm Agility", RFC 5035, August 2007.

   [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
              Authenticated-Enveloped-Data Content Type", RFC 5083,
              November 2007.

   [RFC5084]  Housley, R., "Using AES-CCM and AES-GCM Authenticated
              Encryption in the Cryptographic Message Syntax (CMS)",
              RFC 5084, November 2007.

   [RFC5275]  Turner, S., "CMS Symmetric Key Management and
              Distribution", RFC 5275, June 2008.

Appendix A. Change History

   [[ This entire section is to be removed upon publication. ]]

A.1. Changes between draft-hoffman-cms-new-asn1-00 and
     draft-ietf-smime-new-asn1-00

   Changed the draft name.

   Added RFC 3565.
   Added RFC 4998.

   Made RFCs-to-be 5083 and 5084 into RFCs.

   In RFC 3370, a line in the comment starting with "Another way to
   do..." was not commented out when it should have been.

   In RFC 3851, the name of the module from which we are importing was
   wrong, although the OID was right.

   In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
   which version of CMS added the various extensions.

A.2. Changes between draft-ietf-smime-new-asn1-00 and -01

   Added RFC 5275.

   Added module for algorithm classes, and modified RFC 3370 and RFC
   3852 to use the classes defined.

A.3. Changes between draft-ietf-smime-new-asn1-01 and -02

   Added design notes.

   Removed issue on "Algorithm Structure" and issue on "More Modules To
   Be Added".

   Updated all modules to use objects more deeply.

   In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
   module where the changes were made.

Authors' Addresses

   Paul Hoffman
   VPN Consortium
   127 Segre Place
   Santa Cruz, CA 95060
   US

   Phone: 1-831-426-9827
   Email: paul.hoffman@vpnc.org

   Jim Schaad
   Soaring Hawk Consulting

   Email: jimsch@exmsft.com
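
Added example (not part of the draft or of any RFC): the CCMParameters and GCMParameters types in the RFC 5084 module bound the nonce size and the ICV length, and a receiver should enforce those bounds before the values reach the cipher. The sketch below decodes DER-encoded parameters with a minimal hand-written TLV reader and applies the module's constraints; the function names, the sample encodings and the empty-GCM-nonce rule are assumptions of this example.

```python
AES_ARC = "2.16.840.1.101.3.4.1"      # the module's `aes` arc
ALGS = {7: ("CCM", 128), 27: ("CCM", 192), 47: ("CCM", 256),   # id-aes*-CCM
        6: ("GCM", 128), 26: ("GCM", 192), 46: ("GCM", 256)}   # id-aes*-GCM
ICV_LENGTHS = {"CCM": {4, 6, 8, 10, 12, 14, 16},               # AES-CCM-ICVlen
               "GCM": {12, 13, 14, 15, 16}}                    # AES-GCM-ICVlen
DEFAULT_ICV = 12                       # aes-ICVlen ... DEFAULT 12


class ParamError(ValueError):
    """Parameters violate the module's constraints or DER."""


def read_tlv(buf, pos):
    """Decode one definite-length element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ParamError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ParamError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ParamError("length not minimally encoded")
        pos += n
    if pos + length > len(buf):
        raise ParamError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def decode_integer(value):
    """Decode a DER INTEGER body, rejecting empty or padded encodings."""
    if not value:
        raise ParamError("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and value[1] < 0x80) or
                           (value[0] == 0xFF and value[1] >= 0x80)):
        raise ParamError("INTEGER not minimally encoded")
    return int.from_bytes(value, "big", signed=True)


def parse_aead_params(oid, der, strict_der=True):
    """Return (mode, key_bits, nonce, icv_len) or raise ParamError."""
    prefix, _, last = oid.rpartition(".")
    if prefix != AES_ARC or not last.isdigit() or int(last) not in ALGS:
        raise ParamError("not one of the six AES-CCM/AES-GCM OIDs")
    mode, key_bits = ALGS[int(last)]
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ParamError("parameters must be a single SEQUENCE")
    tag, nonce, pos = read_tlv(body, 0)
    if tag != 0x04:
        raise ParamError("aes-nonce must be an OCTET STRING")
    if mode == "CCM" and not 7 <= len(nonce) <= 13:
        raise ParamError("CCM nonce outside SIZE(7..13)")
    if mode == "GCM" and not nonce:
        # Example policy: the module leaves the GCM nonce size open.
        raise ParamError("empty GCM nonce")
    icv = DEFAULT_ICV                  # an absent aes-ICVlen means 12
    if pos < len(body):
        tag, raw, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ParamError("aes-ICVlen must be an INTEGER")
        icv = decode_integer(raw)
        if strict_der and icv == DEFAULT_ICV:
            raise ParamError("DER omits a component equal to its DEFAULT")
    if pos != len(body):
        raise ParamError("trailing data after aes-ICVlen")
    if icv not in ICV_LENGTHS[mode]:
        raise ParamError(f"ICV length {icv} not permitted for AES-{mode}")
    return mode, key_bits, bytes(nonce), icv


def is_acceptable(oid, der):
    """True when the parameters pass every check above."""
    try:
        parse_aead_params(oid, der)
    except ParamError:
        return False
    return True


NONCE = bytes(range(12))               # constructed sample nonce, not from the draft
SAMPLES = [                            # constructed encodings: (label, OID, DER parameters)
    ("GCM-256, default ICV", AES_ARC + ".46", b"\x30\x0e\x04\x0c" + NONCE),
    ("GCM-128, ICV 16", AES_ARC + ".6", b"\x30\x11\x04\x0c" + NONCE + b"\x02\x01\x10"),
    ("GCM-128, ICV 8", AES_ARC + ".6", b"\x30\x11\x04\x0c" + NONCE + b"\x02\x01\x08"),
    ("CCM-128, 6-octet nonce", AES_ARC + ".7", b"\x30\x08\x04\x06" + NONCE[:6]),
]

if __name__ == "__main__":
    for label, oid, der in SAMPLES:
        print(label, "->", "accepted" if is_acceptable(oid, der) else "rejected")
```

Pass strict_der=False when the sender may use BER, where an explicitly encoded aes-ICVlen of 12 is allowed; the range checks still apply.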