idnits 2.17.1

draft-ietf-smime-new-asn1-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices. See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 205: '... -- Parameters MUST be encoded in st...'
     RFC 2119 keyword, line 206: '...t, -- Parameters SHOULD be encoded in ...'
     RFC 2119 keyword, line 207: '..., -- Parameters SHOULD NOT be encoded...'
     RFC 2119 keyword, line 208: '... -- Parameters MUST NOT be encoded i...'
     RFC 2119 keyword, line 210: '... -- Parameters MAY be encoded in the...'
     (96 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 602 has weird spacing: '...e could be ge...'
  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008. The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust. If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 6, 2009) is 5499 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 2515

  -- Looks like a reference, but probably isn't: '1' on line 2516

  -- Looks like a reference, but probably isn't: '2' on line 2517

  == Missing Reference: 'CMSALG' is mentioned on line 1077, but not defined

  == Missing Reference: 'CMS' is mentioned on line 1088, but not defined

  -- Looks like a reference, but probably isn't: '3' on line 2518

  -- Looks like a reference, but probably isn't: '4' on line 2519

  ** Obsolete normative reference: RFC 3851 (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652)

     Summary: 5 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     Network Working Group                                         P. Hoffman
3     Internet-Draft                                            VPN Consortium
4     Intended status: Informational                                 J. Schaad
5     Expires: October 8, 2009                         Soaring Hawk Consulting
6                                                                April 6, 2009

8                     New ASN.1 Modules for CMS and S/MIME
9                       draft-ietf-smime-new-asn1-05.txt

11    Status of this Memo

13       This Internet-Draft is submitted to IETF in full conformance with the
14       provisions of BCP 78 and BCP 79. This document may contain material
15       from IETF Documents or IETF Contributions published or made publicly
16       available before November 10, 2008. The person(s) controlling the
17       copyright in some of this material may not have granted the IETF
18       Trust the right to allow modifications of such material outside the
19       IETF Standards Process. Without obtaining an adequate license from
20       the person(s) controlling the copyright in such materials, this
21       document may not be modified outside the IETF Standards Process, and
22       derivative works of it may not be created outside the IETF Standards
23       Process, except to format it for publication as an RFC or to
24       translate it into languages other than English.

26       Internet-Drafts are working documents of the Internet Engineering
27       Task Force (IETF), its areas, and its working groups. Note that
28       other groups may also distribute working documents as Internet-
29       Drafts.

31       Internet-Drafts are draft documents valid for a maximum of six months
32       and may be updated, replaced, or obsoleted by other documents at any
33       time. It is inappropriate to use Internet-Drafts as reference
34       material or to cite them other than as "work in progress."

36       The list of current Internet-Drafts can be accessed at
37       http://www.ietf.org/ietf/1id-abstracts.txt.

39       The list of Internet-Draft Shadow Directories can be accessed at
40       http://www.ietf.org/shadow.html.

42       This Internet-Draft will expire on October 8, 2009.

44    Copyright Notice

46       Copyright (c) 2009 IETF Trust and the persons identified as the
47       document authors. All rights reserved.
49       This document is subject to BCP 78 and the IETF Trust's Legal
50       Provisions Relating to IETF Documents in effect on the date of
51       publication of this document (http://trustee.ietf.org/license-info).
52       Please review these documents carefully, as they describe your rights
53       and restrictions with respect to this document.

55    Abstract

57       The Cryptographic Message Syntax (CMS) format, and many associated
58       formats, are expressed using ASN.1. The current ASN.1 modules
59       conform to the 1988 version of ASN.1. This document updates those
60       ASN.1 modules to conform to the 2002 version of ASN.1. There are no
61       bits-on-the-wire changes to any of the formats; this is simply a
62       change to the syntax.

64    Table of Contents

66       1.  Introduction
67         1.1.  Design Notes
68       2.  ASN.1 Module AlgorithmInformation
69       3.  ASN.1 Module for RFC 3370
70       4.  ASN.1 Module for RFC 3565
71       5.  ASN.1 Module for RFC 3851
72       6.  ASN.1 Module for RFC 3852
73       7.  ASN.1 Module for RFC 4108
74       8.  ASN.1 Module for RFC 4998
75       9.  ASN.1 Module for RFC 5035
76       10. ASN.1 Module for RFC 5083
77       11. ASN.1 Module for RFC 5084
78       12. ASN.1 Module for RFC 5275
79       13. Security Considerations
80       14. Normative References
81       Appendix A.  Change History
82         A.1.  Changes between draft-hoffman-cms-new-asn1-00 and
83               draft-ietf-smime-new-asn1-00
84         A.2.  Changes between draft-ietf-smime-new-asn1-00 and -01
85         A.3.  Changes between draft-ietf-smime-new-asn1-01 and -02
86         A.4.  Changes between draft-ietf-smime-new-asn1-02 and -03
87         A.5.  Changes between draft-ietf-smime-new-asn1-03 and -04
88         A.6.  Changes between draft-ietf-smime-new-asn1-04 and -05
89       Authors' Addresses

91    1. Introduction

93       Some developers would like the IETF to use the latest version of
94       ASN.1 in its standards. Most of the RFCs that relate to security
95       protocols still use ASN.1 from the 1988 standard, which has been
96       deprecated. This is particularly true for the standards that relate
97       to PKIX, CMS, and S/MIME.

99       This document updates the following RFCs to use ASN.1 modules that
100      conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
101      the modules are updated; some are included to simply make the set
102      complete.

104      o  RFC 3370, CMS Algorithms [RFC3370]

106      o  RFC 3565, Use of AES in CMS [RFC3565]

108      o  RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]

110      o  RFC 3852, CMS main [RFC3852]

112      o  RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]

114      o  RFC 4998, Evidence Record Syntax (ERS) [RFC4998]

116      o  RFC 5035, Enhanced Security Services (ESS) [RFC5035]

118      o  RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]

120      o  RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
121         CMS [RFC5084]

123      o  RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]

125      Note that some of the modules in this document get some of their
126      definitions from places different than the modules in the original
127      RFCs. The idea is that these modules, when combined with the modules
128      in [NEW-PKIX] can stand on their own and do not need to import
129      definitions from anywhere else.

131      The document also includes a module of common definitions called
132      "AlgorithmInformation". These definitions are used here and in
133      [NEW-PKIX].

135      Note that some of the modules here import definitions from the common
136      definitions module, "PKIX-CommonTypes", in [NEW-PKIX].

138   1.1. Design Notes

140      The modules in this document use the object model available in the
141      2002 ASN.1 documents to a great extent. Objects for each of the
142      different algorithm types are defined. Also, all of the places where
143      the 1988 ASN.1 syntax had ANY holes to allow for variable syntax
144      now have objects.

146      Much like the way that the PKIX and S/MIME working groups use the
147      prefix of id- for object identifiers, this document has also adopted
148      a set of two, three, and four letter prefixes to allow for quick
149      identification of the type of an object based on its name. This
150      allows, for example, the same back half of the name to be used for
151      the different objects. Thus, "id-sha1" is the object identifier,
152      while "mda-sha1" is the message digest object for "sha1".

154      One or more object sets for the different types of algorithms are
155      defined. A single consistent name for each of the different
156      algorithm types is used. For example, an object set named PublicKeys
157      might contain the public keys defined in that module. If no public
158      keys are defined, then the object set is not created. When
159      referencing these object sets when imported, one needs to be able to
160      disambiguate between the different modules. This is done by using
161      both the module name (as specified in the IMPORT statement) and the
162      object set name. For example, in the module for RFC 5280:

164      PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
165      PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }

167      PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
168          PKIX1-PSS-OAEP-Algorithms.PublicKeys }

170   2. ASN.1 Module AlgorithmInformation

172      This section contains a module that is imported by many other modules
173      in this document. Note that this module is also given in [NEW-PKIX].
174      This module does not come from any existing RFC.

176      AlgorithmInformation-2009
177          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
178          mechanisms(5) pkix(7) id-mod(0)
179          id-mod-algorithmInformation-02(58)}

181      DEFINITIONS EXPLICIT TAGS ::=
182      BEGIN
183      EXPORTS ALL;
184      IMPORTS
185      KeyUsage
186      FROM PKIX1Implicit-2009
187          {iso(1) identified-organization(3) dod(6) internet(1)
188          security(5) mechanisms(5) pkix(7) id-mod(0)
189          id-mod-pkix1-implicit-02(59)} ;

191      -- Suggested prefixes for algorithm objects are:
192      --
193      -- mda-   Message Digest Algorithms
194      -- sa-    Signature Algorithms
195      -- kta-   Key Transport Algorithms (Asymmetric)
196      -- kaa-   Key Agreement Algorithms (Asymmetric)
197      -- kwa-   Key Wrap Algorithms (Symmetric)
198      -- kda-   Key Derivation Algorithms
199      -- maca-  Message Authentication Code Algorithms
200      -- pk-    Public Key
201      -- cea-   Content (symmetric) Encryption Algorithm
202      -- cap-   S/MIME Capabilities

204      ParamOptions ::= ENUMERATED {
205          required,         -- Parameters MUST be encoded in structure
206          preferredPresent, -- Parameters SHOULD be encoded in structure
207          preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
208          absent,           -- Parameters MUST NOT be encoded in structure
209          inheritable,      -- Parameters are inherited if not present
210          optional,         -- Parameters MAY be encoded in the structure
211          ...
212      }

214      -- DIGEST-ALGORITHM
215      --
216      -- Describes the basic information for ASN.1 and a digest
217      -- algorithm.
218      --
219      -- &id - contains the OID identifying the digest algorithm
220      -- &Params - contains the type for the algorithm parameters,
221      --     if present; absent implies no parameters
222      -- &paramPresence - parameter presence requirement
223      --
224      -- Additional information such as the length of the hash could also
225      -- be encoded.
226      --
227      -- Example:
228      -- sha1 DIGEST-ALGORITHM ::= {
229      --     IDENTIFIER id-sha1
230      --     PARAMS TYPE NULL ARE preferredAbsent
231      -- }
232      DIGEST-ALGORITHM ::= CLASS {
233          &id              OBJECT IDENTIFIER UNIQUE,
234          &Params          OPTIONAL,
235          &paramPresence   ParamOptions DEFAULT absent
236      } WITH SYNTAX {
237          IDENTIFIER &id
238          [PARAMS [TYPE &Params] [ARE &paramPresence] ]
239      }

241      -- SIGNATURE-ALGORITHM
242      --
243      -- Describes the basic properties of a signature algorithm
244      --
245      -- &id - contains the OID identifying the signature algorithm
246      -- &Value - contains a type definition for the value structure of
247      --     the signature
248      -- &Params - contains the type for the algorithm parameters,
249      --     if present; absent implies no parameters
250      -- &paramPresence - parameter presence requirement
251      -- &HashSet - The set of hash algorithms used with this
252      --     signature algorithm
253      -- &PublicKeySet - the set of public key algorithms for this
254      --     signature algorithm
255      -- &smimeCaps - contains the object describing how the S/MIME
256      --     capabilities are presented.
257      --
258      -- Example:
259      -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
260      --     IDENTIFIER id-RSASSA-PSS
261      --     PARAMS TYPE RSASSA-PSS-params ARE required
262      --     HASHES {sha1 | md5, ... }
263      --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
264      -- }

266      SIGNATURE-ALGORITHM ::= CLASS {
267          &id              OBJECT IDENTIFIER UNIQUE,
268          &Value           OPTIONAL,
269          &Params          OPTIONAL,
270          &paramPresence   ParamOptions DEFAULT absent,
271          &HashSet         DIGEST-ALGORITHM OPTIONAL,
272          &PublicKeySet    PUBLIC-KEY OPTIONAL,
273          &smimeCaps       SMIME-CAPS OPTIONAL
274      } WITH SYNTAX {
275          IDENTIFIER &id
276          [VALUE &Value]
277          [PARAMS [TYPE &Params] ARE &paramPresence ]
278          [HASHES &HashSet]
279          [PUBLIC-KEYS &PublicKeySet]

281          [SMIME-CAPS &smimeCaps]
282      }

284      -- PUBLIC-KEY
285      --
286      -- Describes the basic properties of a public key
287      --
288      -- &id - contains the OID identifying the public key
289      -- &KeyValue - contains the type for the key value
290      -- &Params - contains the type for the algorithm parameters,
291      --     if present; absent implies no parameters
292      -- &paramPresence - parameter presence requirement
293      -- &keyUsage - contains the set of bits that are legal for this
294      --     key type. Note that it does not make any statement
295      --     about how bits may be paired.
296      -- &PrivateKey - contains a type structure for encoding the private
297      --     key information.
298      --
299      -- Example:
300      -- pk-rsa-pss PUBLIC-KEY ::= {
301      --     IDENTIFIER id-RSASSA-PSS
302      --     KEY RSAPublicKey
303      --     PARAMS TYPE RSASSA-PSS-params ARE optional
304      --     CERT-KEY-USAGE { .... }
305      -- }

307      PUBLIC-KEY ::= CLASS {
308          &id              OBJECT IDENTIFIER UNIQUE,
309          &KeyValue        OPTIONAL,
310          &Params          OPTIONAL,
311          &paramPresence   ParamOptions DEFAULT absent,
312          &keyUsage        KeyUsage OPTIONAL,
313          &PrivateKey      OPTIONAL
314      } WITH SYNTAX {
315          IDENTIFIER &id
316          [KEY &KeyValue]
317          [PARAMS [TYPE &Params] ARE &paramPresence]
318          [CERT-KEY-USAGE &keyUsage]
319          [PRIVATE-KEY &PrivateKey]
320      }

322      -- KEY-TRANSPORT
323      --
324      -- Describes the basic properties of a key transport algorithm
325      --
326      -- &id - contains the OID identifying the key transport algorithm
327      -- &Params - contains the type for the algorithm parameters,
328      --     if present; absent implies no parameters
329      -- &paramPresence - parameter presence requirement
330      -- &PublicKeySet - specify which public keys are used with
331      --     this algorithm
332      -- &smimeCaps - contains the object describing how the S/MIME
333      --     capabilities are presented.
334      --
335      -- Example:
336      -- rsaTransport KEY-TRANSPORT ::= {
337      --     IDENTIFIER &id
338      --     PARAMS TYPE NULL ARE required
339      --     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
340      -- }

342      KEY-TRANSPORT ::= CLASS {
343          &id              OBJECT IDENTIFIER UNIQUE,
344          &Params          OPTIONAL,
345          &paramPresence   ParamOptions DEFAULT absent,
346          &PublicKeySet    PUBLIC-KEY OPTIONAL,
347          &smimeCaps       SMIME-CAPS OPTIONAL
348      } WITH SYNTAX {
349          IDENTIFIER &id
350          [PARAMS [TYPE &Params] ARE &paramPresence]
351          [PUBLIC-KEYS &PublicKeySet]
352          [SMIME-CAPS &smimeCaps]
353      }

355      -- KEY-AGREE
356      --
357      -- Describes the basic properties of a key agreement algorithm
358      --
359      -- &id - contains the OID identifying the key agreement algorithm
360      -- &Params - contains the type for the algorithm parameters,
361      --     if present; absent implies no parameters
362      -- &paramPresence - parameter presence requirement
363      -- &PublicKeySet - specify which public keys are used with
364      --     this algorithm
365      -- &Ukm - type of user keying material used
366      -- &ukmPresence - specifies the requirements to define the UKM field
367      -- &smimeCaps - contains the object describing how the S/MIME
368      --     capabilities are presented.
369      --
370      -- Example:
371      -- dh-static-ephemerial KEY-AGREE ::= {
372      --     IDENTIFIER id-alg-ESDH
373      --     PARAMS TYPE KeyWrapAlgorithm ARE required
374      --     - - user key material is not ASN.1-encoded.
375      --     PUBLIC-KEYS {
376      --         {IDENTIFIER dh-public-number KEY DHPublicKey
377      --         PARAMS TYPE DHDomainParameters ARE inheritable }
378      --     }
379      --     - - UKM should be present but is not separately ASN.1-encoded
380      --     UKM ARE preferredPresent
381      -- }

383      KEY-AGREE ::= CLASS {
384          &id              OBJECT IDENTIFIER UNIQUE,
385          &Params          OPTIONAL,
386          &paramPresence   ParamOptions DEFAULT absent,
387          &PublicKeySet    PUBLIC-KEY OPTIONAL,
388          &Ukm             OPTIONAL,
389          &ukmPresence     ParamOptions DEFAULT absent,
390          &smimeCaps       SMIME-CAPS OPTIONAL
391      } WITH SYNTAX {
392          IDENTIFIER &id
393          [PARAMS [TYPE &Params] ARE &paramPresence]
394          [PUBLIC-KEYS &PublicKeySet]
395          [UKM [TYPE &Ukm] ARE &ukmPresence]
396          [SMIME-CAPS &smimeCaps]
397      }

399      -- KEY-WRAP
400      --
401      -- Describes the basic properties of a key wrap algorithm
402      --
403      -- &id - contains the OID identifying the key wrap algorithm
404      -- &Params - contains the type for the algorithm parameters,
405      --     if present; absent implies no parameters
406      -- &paramPresence - parameter presence requirement
407      -- &smimeCaps - contains the object describing how the S/MIME
408      --     capabilities are presented.
409      --
410      -- Example:
411      -- cms3DESwrap KEY-WRAP ::= {
412      --     IDENTIFIER id-alg-CMS3DESwrap
413      --     PARAMS TYPE NULL ARE required
414      -- }

416      KEY-WRAP ::= CLASS {
417          &id              OBJECT IDENTIFIER UNIQUE,
418          &Params          OPTIONAL,
419          &paramPresence   ParamOptions DEFAULT absent,
420          &smimeCaps       SMIME-CAPS OPTIONAL
421      } WITH SYNTAX {
422          IDENTIFIER &id
423          [PARAMS [TYPE &Params] ARE &paramPresence]
424          [SMIME-CAPS &smimeCaps]

426      }

428      -- KEY-DERIVATION
429      --
430      -- Describes the basic properties of a key derivation algorithm
431      --
432      -- &id - contains the OID identifying the key derivation algorithm
433      -- &Params - contains the type for the algorithm parameters,
434      --     if present; absent implies no parameters
435      -- &paramPresence - parameter presence requirement
436      -- &smimeCaps - contains the object describing how the S/MIME
437      --     capabilities are presented.
438      --
439      -- Could add information about defaults for the derivation algorithm
440      -- such as PRFs
441      --
442      -- Example:
443      -- pbkdf2 KEY-DERIVATION ::= {
444      --     IDENTIFIER id-PBKDF2
445      --     PARAMS TYPE PBKDF2-params ARE required
446      -- }

448      KEY-DERIVATION ::= CLASS {
449          &id              OBJECT IDENTIFIER UNIQUE,
450          &Params          OPTIONAL,
451          &paramPresence   ParamOptions DEFAULT absent,
452          &smimeCaps       SMIME-CAPS OPTIONAL
453      } WITH SYNTAX {
454          IDENTIFIER &id
455          [PARAMS [TYPE &Params] ARE &paramPresence]
456          [SMIME-CAPS &smimeCaps]
457      }

459      -- MAC-ALGORITHM
460      --
461      -- Describes the basic properties of a MAC algorithm
462      --
463      -- &id - contains the OID identifying the MAC algorithm
464      -- &Params - contains the type for the algorithm parameters,
465      --     if present; absent implies no parameters
466      -- &paramPresence - parameter presence requirement
467      -- &keyed - MAC algorithm is a keyed MAC algorithm
468      -- &smimeCaps - contains the object describing how the S/MIME
469      --     capabilities are presented.
470      --
471      -- It would make sense to also add minimum and maximum MAC lengths
472      --
473      -- Example:

475      -- maca-hmac-sha1 MAC-ALGORITHM ::= {
476      --     IDENTIFIER hMAC-SHA1
477      --     PARAMS TYPE NULL ARE preferredAbsent
478      --     IS KEYED MAC TRUE
479      --     SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
480      -- }

482      MAC-ALGORITHM ::= CLASS {
483          &id              OBJECT IDENTIFIER UNIQUE,
484          &Params          OPTIONAL,
485          &paramPresence   ParamOptions DEFAULT absent,
486          &keyed           BOOLEAN,
487          &smimeCaps       SMIME-CAPS OPTIONAL
488      } WITH SYNTAX {
489          IDENTIFIER &id
490          [PARAMS [TYPE &Params] [ARE &paramPresence]]
491          IS-KEYED-MAC &keyed
492          [SMIME-CAPS &smimeCaps]
493      }

495      -- CONTENT-ENCRYPTION
496      --
497      -- Describes the basic properties of a content encryption
498      -- algorithm
499      --
500      -- &id - contains the OID identifying the content
501      --     encryption algorithm
502      -- &Params - contains the type for the algorithm parameters,
503      --     if present; absent implies no parameters
504      -- &paramPresence - parameter presence requirement
505      -- &smimeCaps - contains the object describing how the S/MIME
506      --     capabilities are presented.
507      --
508      -- Example:
509      -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
510      --     IDENTIFIER des-ede3-cbc
511      --     PARAMS TYPE IV ARE required
512      --     SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
513      -- }

515      CONTENT-ENCRYPTION ::= CLASS {
516          &id              OBJECT IDENTIFIER UNIQUE,
517          &Params          OPTIONAL,
518          &paramPresence   ParamOptions DEFAULT absent,
519          &smimeCaps       SMIME-CAPS OPTIONAL
520      } WITH SYNTAX {
521          IDENTIFIER &id
522          [PARAMS [TYPE &Params] ARE &paramPresence]

524          [SMIME-CAPS &smimeCaps]
525      }

527      -- ALGORITHM
528      --
529      -- Describes a generic algorithm identifier
530      --
531      -- &id - contains the OID identifying the algorithm
532      -- &Params - contains the type for the algorithm parameters,
533      --     if present; absent implies no parameters
534      -- &paramPresence - parameter presence requirement
535      -- &smimeCaps - contains the object describing how the S/MIME
536      --     capabilities are presented.
537      --
538      -- This would be used for cases where an unknown algorithm is
539      -- used. One should consider using TYPE-IDENTIFIER in these cases.

541      ALGORITHM ::= CLASS {
542          &id              OBJECT IDENTIFIER UNIQUE,
543          &Params          OPTIONAL,
544          &paramPresence   ParamOptions DEFAULT absent,
545          &smimeCaps       SMIME-CAPS OPTIONAL
546      } WITH SYNTAX {
547          IDENTIFIER &id
548          [PARAMS [TYPE &Params] ARE &paramPresence]
549          [SMIME-CAPS &smimeCaps]
550      }

552      -- AlgorithmIdentifier
553      --
554      -- Provides the generic structure that is used to encode algorithm
555      -- identification and the parameters associated with the
556      -- algorithm.
557      --
558      -- The first parameter represents the type of the algorithm being
559      --     used.
560      -- The second parameter represents an object set containing the
561      --     algorithms that may occur in this situation.
562      --     The initial list of required algorithms should occur to the
563      --     left of an extension marker, all other algorithms should
564      --     occur to the right of an extension marker.
565      --
566      -- The object class ALGORITHM can be used for generic unspecified
567      --     items.
568      -- If new ALGORITHM objects are defined, the fields &id and &Params
569      --     need to be present as fields in the object.
570      --
571      AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
572          SEQUENCE {
573              algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
574              parameters  ALGORITHM-TYPE.
575                     &Params({AlgorithmSet}{@algorithm}) OPTIONAL
576          }

578      -- S/MIME Capabilities
579      --
580      -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
581      -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
582      -- Caps in certificate extension
583      --
584      --
585      -- This class is used to represent an S/MIME capability. S/MIME
586      -- capabilities are used to represent what algorithm capabilities
587      -- an individual has. The classic example was the content encryption
588      -- algorithm RC2 where the algorithm id and the RC2 key lengths
589      -- supported needed to be advertised, but the IV used is not fixed.
590      -- Thus for RC2 we used
591      --
592      -- cap-RC2CBC SMIME-CAPS ::= {
593      --     TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
594      --
595      -- where 40 and 128 represent the RC2 key length in number of bits.
596      --
597      -- Another example where information needs to be shown is for
598      -- RSA-OAEP where only specific hash functions or mask generation
599      -- functions are supported, but the saltLength is specified by the
600      -- sender and not the recipient. In this case one can either
601      -- generate a number of capability items,
602      -- or a new S/MIME capability type could be generated where
603      -- multiple hash functions could be specified.
604      --
605      --
606      -- SMIME-CAP
607      --
608      -- This class is used to associate the type describing capabilities
609      -- with the object identifier.
610      --

612      SMIME-CAPS ::= CLASS {
613          &id     OBJECT IDENTIFIER UNIQUE,
614          &Type   OPTIONAL
615      }
616      WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
617      --
618      -- Generic type - this is used for defining values.
619      --

621      -- Define a single S/MIME capability encoding

623      SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
624          capabilityID   SMIME-CAPS.&id({CapabilitySet}),
625          parameters     SMIME-CAPS.&Type({CapabilitySet}
626                             {@capabilityID}) OPTIONAL
627      }

629      -- Define a sequence of S/MIME capability value

631      SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
632          SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

634      END

636   3. ASN.1 Module for RFC 3370

638      CryptographicMessageSyntaxAlgorithms-2009
639          { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
640          smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
641      DEFINITIONS IMPLICIT TAGS ::=
642      BEGIN
643      IMPORTS

645      ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
646          PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
647          KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
648          AlgorithmIdentifier{}, SMIME-CAPS
649      FROM AlgorithmInformation-2009
650          {iso(1) identified-organization(3) dod(6) internet(1) security(5)
651          mechanisms(5) pkix(7) id-mod(0)
652          id-mod-algorithmInformation-02(58)}

654      pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
655      FROM PKIXAlgs-2009
656          {iso(1) identified-organization(3) dod(6)
657          internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
658          id-mod-pkix1-algorithms2008-02(56)}

660      cap-RC2CBC
661      FROM SecureMimeMessageV3dot1-2009
662          {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
663          smime(16) modules(0) id-mod-msg-v3dot1-02(39)};

665      -- 2. Hash algorithms in this document

667      MessageDigestAlgs DIGEST-ALGORITHM ::= {
668          -- mda-md5 | mda-sha1,
669          ... }

671      -- 3. Signature algorithms in this document

673      SignatureAlgs SIGNATURE-ALGORITHM ::= {
674          -- See RFC 3279
675          -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
676          ... }

678      -- 4. Key Management Algorithms
679      -- 4.1 Key Agreement Algorithms

681      KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
682      KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}

684      -- 4.2 Key Transport Algorithms

686      KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }

688      -- 4.3 Symmetric Key-Encryption Key Algorithms

690      KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }

692      -- 4.4 Key Derivation Algorithms

694      KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }

696      -- 5. Content Encryption Algorithms

698      ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
699          { cea-3DES-cbc | cea-RC2-cbc, ... }

701      -- 6. Message Authentication Code Algorithms

703      MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }

705      -- SMIME Capabilities for these items

707      SMimeCaps SMIME-CAPS ::= {
708          kaa-esdh.&smimeCaps |
709          kaa-ssdh.&smimeCaps |
710          kt-rsa.&smimeCaps |
711          kwa-3DESWrap.&smimeCaps |
712          kwa-RC2Wrap.&smimeCaps |
713          cea-3DES-cbc.&smimeCaps |
714          cea-RC2-cbc.&smimeCaps |
715          maca-hMAC-SHA1.&smimeCaps,
716          ...}

718      --
719      --
720      --

722      -- Algorithm Identifiers

724      -- rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
725      --     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

727      id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
728          rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 }

730      id-alg-SSDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
731          rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 10 }

733      id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
734          us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 }

736      id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
737          us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }

739      des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2)
740          us(840) rsadsi(113549) encryptionAlgorithm(3) 7 }

742      rc2-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
743          rsadsi(113549) encryptionAlgorithm(3) 2 }

745      hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
746          dod(6) internet(1) security(5) mechanisms(5) 8 1 2 }

748      id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
749          rsadsi(113549) pkcs(1) pkcs-5(5) 12 }

751      -- Algorithm Identifier Parameter Types

753      KeyWrapAlgorithm ::=
754          AlgorithmIdentifier {KEY-WRAP, {KeyWrapAlgs }}

756      RC2wrapParameter ::= RC2ParameterVersion
757      RC2ParameterVersion ::= INTEGER

759      CBCParameter ::= IV

761      IV ::= OCTET STRING -- exactly 8 octets

763      RC2CBCParameter ::= SEQUENCE {
764          rc2ParameterVersion INTEGER (1..256),
765          iv OCTET STRING } -- exactly 8 octets

767      maca-hMAC-SHA1 MAC-ALGORITHM ::= {
768          IDENTIFIER hMAC-SHA1
769          PARAMS TYPE NULL ARE preferredAbsent
770          IS-KEYED-MAC TRUE
771          SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
772      }

774      PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
775          {PBKDF2-PRFs} }

777      alg-hMAC-SHA1 ALGORITHM ::=
778          { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }

780      PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }

782      PBKDF2-SaltSources ALGORITHM ::= { ... }

784      PBKDF2-SaltSourcesAlgorithmIdentifier ::=
785          AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}

787      defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
788          { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }

790      PBKDF2-params ::= SEQUENCE {
791          salt CHOICE {
792              specified OCTET STRING,
793              otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
794          iterationCount INTEGER (1..MAX),
795          keyLength INTEGER (1..MAX) OPTIONAL,
796          prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
797              defaultPBKDF2
798      }

800      --
801      -- This object is included for completeness. It should not be used
802      -- for encoding of signatures, but was sometimes used in older
803      -- versions of CMS for encoding of RSA signatures.
804      --
805      --
806      -- sa-rsa SIGNATURE-ALGORITHM ::= {
807      --     IDENTIFIER rsaEncryption
808      --     - - value is not ASN.1 encoded
809      --     PARAMS TYPE NULL ARE required
810      --     HASHES {mda-sha1 | mda-md5, ...}
811      --     PUBLIC-KEYS { pk-rsa}
812      -- }
813      --
814      -- No ASN.1 encoding is applied to the signature value
815      -- for these items

817      kaa-esdh KEY-AGREE ::= {
818          IDENTIFIER id-alg-ESDH
819          PARAMS TYPE KeyWrapAlgorithm ARE required
820          PUBLIC-KEYS { pk-dh }
821          -- UKM is not ASN.1 encoded
822          UKM ARE optional
823          SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
824      }

826      kaa-ssdh KEY-AGREE ::= {
827          IDENTIFIER id-alg-SSDH
828          PARAMS TYPE KeyWrapAlgorithm ARE required
829          PUBLIC-KEYS {pk-dh}
830          -- UKM is not ASN.1 encoded
831          UKM ARE optional
832          SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
833      }

835      dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber

837      pk-originator-dh PUBLIC-KEY ::= {
838          IDENTIFIER dh-public-number
839          KEY DHPublicKey
840          PARAMS ARE absent
841          CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
842      }

844      kwa-3DESWrap KEY-WRAP ::= {
845          IDENTIFIER id-alg-CMS3DESwrap
846          PARAMS TYPE NULL ARE required
847          SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
848      }

850      kwa-RC2Wrap KEY-WRAP ::= {
851          IDENTIFIER id-alg-CMSRC2wrap
852          PARAMS TYPE RC2wrapParameter ARE required
853          SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
854      }

856      kda-PBKDF2 KEY-DERIVATION ::= {
857          IDENTIFIER id-PBKDF2
858          PARAMS TYPE PBKDF2-params ARE required
859          -- No s/mime caps defined
860      }

862      cea-3DES-cbc CONTENT-ENCRYPTION ::= {
863          IDENTIFIER des-ede3-cbc
864          PARAMS TYPE IV ARE required
865          SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
866      }

868      cea-RC2-cbc CONTENT-ENCRYPTION ::= {
869          IDENTIFIER rc2-cbc
870          PARAMS TYPE RC2CBCParameter ARE required
871          SMIME-CAPS cap-RC2CBC
872      }

874      kt-rsa KEY-TRANSPORT ::= {
875          IDENTIFIER rsaEncryption
876          PARAMS TYPE NULL ARE required
877          PUBLIC-KEYS { pk-rsa }
878          SMIME-CAPS {IDENTIFIED BY rsaEncryption}
879      }

881   -- S/MIME Capabilities - most have no label.

883   cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }

885   END

887   4.  ASN.1 Module for RFC 3565

889   CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
890       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
891   DEFINITIONS IMPLICIT TAGS ::=
892   BEGIN
893   IMPORTS

895   CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
896   FROM AlgorithmInformation-2009
897       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
898       mechanisms(5) pkix(7) id-mod(0)
899       id-mod-algorithmInformation-02(58)};

901   AES-ContentEncryption CONTENT-ENCRYPTION ::= {
902       cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
903   }

905   AES-KeyWrap KEY-WRAP ::= {
906       kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
907   }

909   SMimeCaps SMIME-CAPS ::= {
910       cea-aes128-cbc.&smimeCaps |
911       cea-aes192-cbc.&smimeCaps |
912       cea-aes256-cbc.&smimeCaps |
913       kwa-aes128-wrap.&smimeCaps |
914       kwa-aes192-wrap.&smimeCaps |
915       kwa-aes256-wrap.&smimeCaps, ...
916   }

918   -- AES information object identifiers --

920   aes OBJECT IDENTIFIER ::=
921       { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
922       csor(3) nistAlgorithms(4) 1 }

924   -- AES using CBC mode for key sizes of 128, 192, 256

926   cea-aes128-cbc CONTENT-ENCRYPTION ::= {
927       IDENTIFIER id-aes128-CBC
928       PARAMS TYPE AES-IV ARE required
929       SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
930   }
931   id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }

933   cea-aes192-cbc CONTENT-ENCRYPTION ::= {
934       IDENTIFIER id-aes192-CBC
935       PARAMS TYPE AES-IV ARE required
936       SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
937   }
938   id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }

940   cea-aes256-cbc CONTENT-ENCRYPTION ::= {
941       IDENTIFIER id-aes256-CBC
942       PARAMS TYPE AES-IV ARE required
943       SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }

945   }
946   id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }

948   -- AES-IV is the parameter for all the above object identifiers.

950   AES-IV ::= OCTET STRING (SIZE(16))

952   -- AES Key Wrap Algorithm Identifiers - Parameter is absent

954   kwa-aes128-wrap KEY-WRAP ::= {
955       IDENTIFIER id-aes128-wrap
956       PARAMS ARE absent
957       SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
958   }
959   id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }

961   kwa-aes192-wrap KEY-WRAP ::= {
962       IDENTIFIER id-aes192-wrap
963       PARAMS ARE absent
964       SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
965   }
966   id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }

968   kwa-aes256-wrap KEY-WRAP ::= {
969       IDENTIFIER id-aes256-wrap
970       PARAMS ARE absent
971       SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
972   }
973   id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }

975   END

977   5.  ASN.1 Module for RFC 3851

979   SecureMimeMessageV3dot1-2009
980       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
981       smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
982   DEFINITIONS IMPLICIT TAGS ::=
983   BEGIN
984   IMPORTS

986   SMIME-CAPS, SMIMECapabilities{}
987   FROM AlgorithmInformation-2009
988       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
989       mechanisms(5) pkix(7) id-mod(0)
990       id-mod-algorithmInformation-02(58)}

992   ATTRIBUTE
993   FROM PKIX-CommonTypes-2009
994       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
995       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

997   SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
998   FROM CryptographicMessageSyntax-2009
999       {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1000      smime(16) modules(0) id-mod-cms-2004-02(41)}

1002  rc2-cbc, SMimeCaps
1003  FROM CryptographicMessageSyntaxAlgorithms-2009
1004      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1005      smime(16) modules(0) id-mod-cmsalg-2001-02(37)}

1007  SMimeCaps
1008  FROM PKIXAlgs-2009
1009      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1010      mechanisms(5) pkix(7) id-mod(0)
1011      id-mod-pkix1-algorithms2008-02(56)}

1013  SMimeCaps
1014  FROM PKIX1-PSS-OAEP-Algorithms-2009
1015      {iso(1) identified-organization(3) dod(6) internet(1)
1016      security(5) mechanisms(5) pkix(7) id-mod(0)
1017      id-mod-pkix1-rsa-pkalgs-02(54)};

1019  SMimeAttributeSet ATTRIBUTE ::=
1020      { aa-smimeCapabilities | aa-encrypKeyPref, ... }

1022  -- id-aa is the arc with all new authenticated and unauthenticated
1023  -- attributes produced by the S/MIME Working Group

1025  id-aa OBJECT IDENTIFIER ::=
1026      { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1027      smime(16) attributes(2)}

1029  -- S/MIME Capabilities provides a method of broadcasting the symmetric
1030  -- capabilities understood. Algorithms SHOULD be ordered by
1031  -- preference and grouped by type

1033  aa-smimeCapabilities ATTRIBUTE ::=
1034      { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
1035      smimeCapabilities }

1037  smimeCapabilities OBJECT IDENTIFIER ::=
1038      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1039      15 }

1041  SMimeCapsSet SMIME-CAPS ::=
1042      { cap-preferBinaryInside | cap-RC2CBC |
1043      PKIXAlgs-2009.SMimeCaps |
1044      CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
1045      PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }

1047  -- Encryption Key Preference provides a method of broadcasting the
1048  -- preferred encryption certificate.

1050  aa-encrypKeyPref ATTRIBUTE ::=
1051      { TYPE SMIMEEncryptionKeyPreference
1052      IDENTIFIED BY id-aa-encrypKeyPref }

1054  id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}

1056  SMIMEEncryptionKeyPreference ::= CHOICE {
1057      issuerAndSerialNumber [0] IssuerAndSerialNumber,
1058      receipentKeyId [1] RecipientKeyIdentifier,
1059      subjectAltKeyIdentifier [2] SubjectKeyIdentifier
1060  }

1062  id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1063      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }

1065  id-cap OBJECT IDENTIFIER ::= { id-smime 11 }

1067  -- The preferBinaryInside indicates an ability to receive messages
1068  -- with binary encoding inside the CMS wrapper

1070  cap-preferBinaryInside SMIME-CAPS ::=
1071      { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }

1073  id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }

1075  -- The following list OIDs to be used with S/MIME V3

1077  -- Signature Algorithms Not Found in [CMSALG]
1078  --
1079  -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
1080  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
1081  --     2}
1082  --
1083  -- Other Signed Attributes
1084  --
1085  -- signingTime OBJECT IDENTIFIER ::=
1086  --     {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1087  --     5}
1088  -- See [CMS] for a description of how to encode the attribute
1089  -- value.

1091  cap-RC2CBC SMIME-CAPS ::=
1092      { TYPE SMIMECapabilitiesParametersForRC2CBC
1093      IDENTIFIED BY rc2-cbc}

1095  SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
1096  -- (RC2 Key Length (number of bits))

1098  END

1100  6.  ASN.1 Module for RFC 3852

1102     This module has an ASN.1 idiom for noting in which version of CMS
1103     changes were made from the original PKCS #7; that idiom is "[[v:",
1104     where "v" is an integer.  For example:

1106  RevocationInfoChoice ::= CHOICE {
1107      crl CertificateList,
1108      ...,
1109      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1111     Similarly, this module adds the ASN.1 idiom for extensibility (the
1112     "...,") in all places that have been extended in the past.  See the
1113     example above.

1115  CryptographicMessageSyntax-2009
1116      { iso(1) member-body(2) us(840) rsadsi(113549)
1117      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
1118  DEFINITIONS IMPLICIT TAGS ::=
1119  BEGIN
1120  IMPORTS

1122  ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
1123      PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
1124      KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
1125      AlgorithmIdentifier
1126  FROM AlgorithmInformation-2009
1127      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1128      mechanisms(5) pkix(7) id-mod(0)
1129      id-mod-algorithmInformation-02(58)}

1131  SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
1132      MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
1133      KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
1134  FROM CryptographicMessageSyntaxAlgorithms-2009
1135      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1136      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

1138  Certificate, CertificateList, CertificateSerialNumber,
1139      Name, ATTRIBUTE
1140  FROM PKIX1Explicit-2009
1141      { iso(1) identified-organization(3) dod(6) internet(1)
1142      security(5) mechanisms(5) pkix(7) id-mod(0)
1143      id-mod-pkix1-explicit-02(51) }

1145  AttributeCertificate
1146  FROM PKIXAttributeCertificate-2009
1147      { iso(1) identified-organization(3) dod(6) internet(1)
1148      security(5) mechanisms(5) pkix(7) id-mod(0)
1149      id-mod-attribute-cert-02(47) }

1151  AttributeCertificateV1
1152  FROM AttributeCertificateVersion1-2009
1153      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1154      smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;

1156  -- Cryptographic Message Syntax

1158  -- The following are used for version numbers using the ASN.1
1159  -- idiom "[[n:"
1160  -- Version 1 = PKCS #7
1161  -- Version 2 = S/MIME V2
1162  -- Version 3 = RFC 2630
1163  -- Version 4 = RFC 3369
1164  -- Version 5 = RFC 3852

1166  CONTENT-TYPE ::= TYPE-IDENTIFIER
1167  ContentType ::= CONTENT-TYPE.&id

1169  ContentInfo ::= SEQUENCE {
1170      contentType CONTENT-TYPE.
1171          &id({ContentSet}),
1172      content [0] EXPLICIT CONTENT-TYPE.
1173          &Type({ContentSet}{@contentType})}

1175  ContentSet CONTENT-TYPE ::= {
1176      -- Define the set of content types to be recognized.
1177      ct-Data | ct-SignedData | ct-EncryptedData | ct-EnvelopedData |
1178      ct-AuthenticatedData | ct-DigestedData, ... }

1180  SignedData ::= SEQUENCE {
1181      version CMSVersion,
1182      digestAlgorithms SET OF DigestAlgorithmIdentifier,
1183      encapContentInfo EncapsulatedContentInfo,
1184      certificates [0] IMPLICIT CertificateSet OPTIONAL,
1185      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
1186      signerInfos SignerInfos }

1188  SignerInfos ::= SET OF SignerInfo

1190  EncapsulatedContentInfo ::= SEQUENCE {
1191      eContentType CONTENT-TYPE.&id({ContentSet}),
1192      eContent [0] EXPLICIT OCTET STRING
1193          ( CONTAINING CONTENT-TYPE.
1194          &Type({ContentSet}{@eContentType})) OPTIONAL }

1196  SignerInfo ::= SEQUENCE {
1197      version CMSVersion,
1198      sid SignerIdentifier,
1199      digestAlgorithm DigestAlgorithmIdentifier,
1200      signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
1201      signatureAlgorithm SignatureAlgorithmIdentifier,
1202      signature SignatureValue,
1203      unsignedAttrs [1] IMPLICIT Attributes
1204          {{UnsignedAttributes}} OPTIONAL }

1206  SignedAttributes ::= Attributes {{ SignedAttributesSet }}

1208  SignerIdentifier ::= CHOICE {
1209      issuerAndSerialNumber IssuerAndSerialNumber,
1210      ...,
1211      [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1213  SignedAttributesSet ATTRIBUTE ::=
1214      { aa-signingTime | aa-messageDigest | aa-contentType, ... }

1216  UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }

1218  SignatureValue ::= OCTET STRING

1220  EnvelopedData ::= SEQUENCE {
1221      version CMSVersion,
1222      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1223      recipientInfos RecipientInfos,
1224      encryptedContentInfo EncryptedContentInfo,
1225      ...,

1227      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1228          {{ UnprotectedAttributes }} OPTIONAL ]] }

1230  OriginatorInfo ::= SEQUENCE {
1231      certs [0] IMPLICIT CertificateSet OPTIONAL,
1232      crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

1234  RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

1236  EncryptedContentInfo ::= SEQUENCE {
1237      contentType CONTENT-TYPE.&id({ContentSet}),
1238      contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1239      encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }

1241  -- If you want to do constraints, you might use:
1242  -- EncryptedContentInfo ::= SEQUENCE {
1243  --     contentType CONTENT-TYPE.&id({ContentSet}),
1244  --     contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
1245  --     encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
1246  --         &Type({ContentSet}{@contentType}) OPTIONAL }
1247  -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
1248  --     { ToBeEncrypted } )

1250  UnprotectedAttributes ATTRIBUTE ::= { ... }

1252  RecipientInfo ::= CHOICE {
1253      ktri KeyTransRecipientInfo,
1254      ...,
1255      [[3: kari [1] KeyAgreeRecipientInfo ]],
1256      [[4: kekri [2] KEKRecipientInfo]],
1257      [[5: pwri [3] PasswordRecipientInfo,
1258          ori [4] OtherRecipientInfo ]] }

1260  EncryptedKey ::= OCTET STRING

1262  KeyTransRecipientInfo ::= SEQUENCE {
1263      version CMSVersion, -- always set to 0 or 2
1264      rid RecipientIdentifier,
1265      keyEncryptionAlgorithm AlgorithmIdentifier
1266          {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
1267      encryptedKey EncryptedKey }

1269  KeyTransportAlgorithmSet KEY-TRANSPORT ::= { KeyTransportAlgs, ... }

1271  RecipientIdentifier ::= CHOICE {
1272      issuerAndSerialNumber IssuerAndSerialNumber,
1273      ...,
1274      [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }

1276  KeyAgreeRecipientInfo ::= SEQUENCE {
1277      version CMSVersion, -- always set to 3
1278      originator [0] EXPLICIT OriginatorIdentifierOrKey,
1279      ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
1280      keyEncryptionAlgorithm AlgorithmIdentifier
1281          {KEY-AGREE, {KeyAgreementAlgorithmSet}},
1282      recipientEncryptedKeys RecipientEncryptedKeys }

1284  KeyAgreementAlgorithmSet KEY-AGREE ::= { KeyAgreementAlgs, ... }

1286  OriginatorIdentifierOrKey ::= CHOICE {
1287      issuerAndSerialNumber IssuerAndSerialNumber,
1288      subjectKeyIdentifier [0] SubjectKeyIdentifier,
1289      originatorKey [1] OriginatorPublicKey }

1291  OriginatorPublicKey ::= SEQUENCE {
1292      algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
1293      publicKey BIT STRING }

1295  OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }

1297  RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

1299  RecipientEncryptedKey ::= SEQUENCE {
1300      rid KeyAgreeRecipientIdentifier,
1301      encryptedKey EncryptedKey }

1303  KeyAgreeRecipientIdentifier ::= CHOICE {
1304      issuerAndSerialNumber IssuerAndSerialNumber,
1305      rKeyId [0] IMPLICIT RecipientKeyIdentifier }

1307  RecipientKeyIdentifier ::= SEQUENCE {
1308      subjectKeyIdentifier SubjectKeyIdentifier,
1309      date GeneralizedTime OPTIONAL,
1310      other OtherKeyAttribute OPTIONAL }

1312  SubjectKeyIdentifier ::= OCTET STRING

1314  KEKRecipientInfo ::= SEQUENCE {
1315      version CMSVersion, -- always set to 4
1316      kekid KEKIdentifier,
1317      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1318      encryptedKey EncryptedKey }

1320  KEKIdentifier ::= SEQUENCE {
1321      keyIdentifier OCTET STRING,
1322      date GeneralizedTime OPTIONAL,
1323      other OtherKeyAttribute OPTIONAL }

1325  PasswordRecipientInfo ::= SEQUENCE {
1326      version CMSVersion, -- always set to 0
1327      keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier
1328          OPTIONAL,
1329      keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
1330      encryptedKey EncryptedKey }

1332  OTHER-RECIPIENT ::= TYPE-IDENTIFIER

1334  OtherRecipientInfo ::= SEQUENCE {
1335      oriType OTHER-RECIPIENT.
1336          &id({SupportedOtherRecipInfo}),
1337      oriValue OTHER-RECIPIENT.
1338          &Type({SupportedOtherRecipInfo}{@oriType})}

1340  SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }

1342  DigestedData ::= SEQUENCE {
1343      version CMSVersion,
1344      digestAlgorithm DigestAlgorithmIdentifier,
1345      encapContentInfo EncapsulatedContentInfo,
1346      digest Digest, ... }

1348  Digest ::= OCTET STRING

1350  EncryptedData ::= SEQUENCE {
1351      version CMSVersion,
1352      encryptedContentInfo EncryptedContentInfo,
1353      ...,
1354      [[2: unprotectedAttrs [1] IMPLICIT Attributes
1355          {{UnprotectedAttributes}} OPTIONAL ]] }

1357  AuthenticatedData ::= SEQUENCE {
1358      version CMSVersion,
1359      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
1360      recipientInfos RecipientInfos,
1361      macAlgorithm MessageAuthenticationCodeAlgorithm,
1362      digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
1363      encapContentInfo EncapsulatedContentInfo,
1364      authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
1365      mac MessageAuthenticationCode,
1366      unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }

1368  AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
1369      {{AuthAttributeSet}}

1371  AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
1372      | aa-signingTime, ...}

1374  MessageAuthenticationCode ::= OCTET STRING

1376  UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
1377      {{UnauthAttributeSet}}

1379  UnauthAttributeSet ATTRIBUTE ::= {...}

1381  --
1382  -- General algorithm definitions
1383  --

1385  DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1386      {DIGEST-ALGORITHM, {DigestAlgorithmSet}}

1388  DigestAlgorithmSet DIGEST-ALGORITHM ::= {
1389      CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }

1391  SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
1392      {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}

1394  SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
1395      { SignatureAlgs, ... }

1397  KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1398      {KEY-WRAP, {KeyEncryptionAlgorithmSet}}

1400  KeyEncryptionAlgorithmSet KEY-WRAP ::= { KeyWrapAlgs, ... }

1402  ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
1403      {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}

1405  ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
1406      { ContentEncryptionAlgs, ... }

1408  MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
1409      {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}

1411  MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
1412      { MessageAuthAlgs, ... }

1414  KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
1415      {KEY-DERIVATION, {KeyDerivationAlgs, ...}}

1417  RevocationInfoChoices ::= SET OF RevocationInfoChoice

1419  RevocationInfoChoice ::= CHOICE {
1420      crl CertificateList,
1421      ...,

1423      [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }

1425  OTHER-REVOK-INFO ::= TYPE-IDENTIFIER

1427  OtherRevocationInfoFormat ::= SEQUENCE {
1428      otherRevInfoFormat OTHER-REVOK-INFO.
1429          &id({SupportedOtherRevokInfo}),
1430      otherRevInfo OTHER-REVOK-INFO.
1431          &Type({SupportedOtherRevokInfo}{@otherRevInfoFormat})}

1433  SupportedOtherRevokInfo OTHER-REVOK-INFO ::= { ... }

1435  CertificateChoices ::= CHOICE {
1436      certificate Certificate,
1437      extendedCertificate [0] IMPLICIT ExtendedCertificate,
1438          -- Obsolete
1439      ...,
1440      [[3: v1AttrCert [1] IMPLICIT AttributeCertificateV1]],
1441          -- Obsolete
1442      [[4: v2AttrCert [2] IMPLICIT AttributeCertificateV2]],
1443      [[5: other [3] IMPLICIT OtherCertificateFormat]] }

1445  AttributeCertificateV2 ::= AttributeCertificate

1447  OTHER-CERT-FMT ::= TYPE-IDENTIFIER

1449  OtherCertificateFormat ::= SEQUENCE {
1450      otherCertFormat OTHER-CERT-FMT.
1451          &id({SupportedCertFormats}),
1452      otherCert OTHER-CERT-FMT.
1453          &Type({SupportedCertFormats}{@otherCertFormat})}

1455  SupportedCertFormats OTHER-CERT-FMT ::= { ... }

1457  CertificateSet ::= SET OF CertificateChoices

1459  IssuerAndSerialNumber ::= SEQUENCE {
1460      issuer Name,
1461      serialNumber CertificateSerialNumber }

1463  CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

1465  UserKeyingMaterial ::= OCTET STRING

1467  KEY-ATTRIBUTE ::= TYPE-IDENTIFIER

1469  OtherKeyAttribute ::= SEQUENCE {
1470      keyAttrId KEY-ATTRIBUTE.

1472          &id({SupportedKeyAttributes}),
1473      keyAttr KEY-ATTRIBUTE.
1474          &Type({SupportedKeyAttributes}{@keyAttrId})}

1476  SupportedKeyAttributes KEY-ATTRIBUTE ::= { ... }

1478  -- Content Type Object Identifiers

1480  id-ct-contentInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1481      us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 6 }

1483  ct-Data CONTENT-TYPE ::= {OCTET STRING IDENTIFIED BY id-data}

1485  id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1486      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 1 }

1488  ct-SignedData CONTENT-TYPE ::=
1489      { SignedData IDENTIFIED BY id-signedData}

1491  id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1492      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }

1494  ct-EnvelopedData CONTENT-TYPE ::=
1495      { EnvelopedData IDENTIFIED BY id-envelopedData}

1497  id-envelopedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1498      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

1500  ct-DigestedData CONTENT-TYPE ::=
1501      { DigestedData IDENTIFIED BY id-digestedData}

1503  id-digestedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1504      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 5 }

1506  ct-EncryptedData CONTENT-TYPE ::=
1507      { EncryptedData IDENTIFIED BY id-encryptedData}

1509  id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1510      us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

1512  ct-AuthenticatedData CONTENT-TYPE ::=
1513      { AuthenticatedData IDENTIFIED BY id-ct-authData}

1515  id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1516      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }

1518  --
1519  -- The CMS Attributes
1520  --

1522  MessageDigest ::= OCTET STRING

1524  SigningTime ::= Time

1526  Time ::= CHOICE {
1527      utcTime UTCTime,
1528      generalTime GeneralizedTime }

1530  Countersignature ::= SignerInfo

1532  -- Attribute Object Identifiers

1534  aa-contentType ATTRIBUTE ::=
1535      { TYPE ContentType IDENTIFIED BY id-contentType }
1536  id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1537      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }

1539  aa-messageDigest ATTRIBUTE ::=
1540      { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
1541  id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1542      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }

1544  aa-signingTime ATTRIBUTE ::=
1545      { TYPE SigningTime IDENTIFIED BY id-signingTime }
1546  id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1547      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }

1549  aa-countersignature ATTRIBUTE ::=
1550      { TYPE Countersignature IDENTIFIED BY id-countersignature }
1551  id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
1552      us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }

1554  --
1555  -- Obsolete Extended Certificate syntax from PKCS#6
1556  --

1558  ExtendedCertificateOrCertificate ::= CHOICE {
1559      certificate Certificate,
1560      extendedCertificate [0] IMPLICIT ExtendedCertificate }

1562  ExtendedCertificate ::= SEQUENCE {
1563      extendedCertificateInfo ExtendedCertificateInfo,
1564      signatureAlgorithm SignatureAlgorithmIdentifier,
1565      signature Signature }

1567  ExtendedCertificateInfo ::= SEQUENCE {
1568      version CMSVersion,
1569      certificate Certificate,
1570      attributes UnauthAttributes }

1572  Signature ::= BIT STRING

1574  Attribute{ ATTRIBUTE:AttrList } ::= SEQUENCE {
1575      attrType ATTRIBUTE.
1576          &id({AttrList}),
1577      attrValues SET OF ATTRIBUTE.
1578          &Type({AttrList}{@attrType}) }

1580  Attributes { ATTRIBUTE:AttrList } ::=
1581      SET SIZE (1..MAX) OF Attribute {{ AttrList }}

1583  END

1585  7.  ASN.1 Module for RFC 4108

1587  CMSFirmwareWrapper-2009
1588      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1589      smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
1590  DEFINITIONS IMPLICIT TAGS ::=
1591  BEGIN
1592  IMPORTS

1594  OTHER-NAME
1595  FROM PKIX1Implicit-2009
1596      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1597      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

1599  EnvelopedData, CONTENT-TYPE, ATTRIBUTE
1600  FROM CryptographicMessageSyntax-2009
1601      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1602      smime(16) modules(0) id-mod-cms-2004-02(41) };

1604  FirmwareContentTypes CONTENT-TYPE ::= {
1605      ct-firmwarePackage | ct-firmwareLoadReceipt |
1606      ct-firmwareLoadError,... }

1608  FirmwareSignedAttrs ATTRIBUTE ::= {
1609      aa-firmwarePackageID | aa-targetHardwareIDs |
1610      aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
1611      aa-communityIdentifiers | aa-firmwarePackageInfo,... }

1613  FirmwareUnsignedAttrs ATTRIBUTE ::= {
1614      aa-wrappedFirmwareKey, ... }

1616  FirmwareOtherNames OTHER-NAME ::= {
1617      on-hardwareModuleName, ... }

1619  -- Firmware Package Content Type and Object Identifier

1621  ct-firmwarePackage CONTENT-TYPE ::=
1622      { FirmwarePkgData IDENTIFIED BY id-ct-firmwarePackage }

1624  id-ct-firmwarePackage OBJECT IDENTIFIER ::= {
1625      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1626      smime(16) ct(1) 16 }

1628  FirmwarePkgData ::= OCTET STRING

1630  -- Firmware Package Signed Attributes and Object Identifiers

1632  aa-firmwarePackageID ATTRIBUTE ::=
1633      { TYPE FirmwarePackageIdentifier IDENTIFIED BY
1634      id-aa-firmwarePackageID }

1636  id-aa-firmwarePackageID OBJECT IDENTIFIER ::= {
1637      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1638      smime(16) aa(2) 35 }

1640  FirmwarePackageIdentifier ::= SEQUENCE {
1641      name PreferredOrLegacyPackageIdentifier,
1642      stale PreferredOrLegacyStalePackageIdentifier OPTIONAL }

1644  PreferredOrLegacyPackageIdentifier ::= CHOICE {
1645      preferred PreferredPackageIdentifier,
1646      legacy OCTET STRING }

1648  PreferredPackageIdentifier ::= SEQUENCE {
1649      fwPkgID OBJECT IDENTIFIER,
1650      verNum INTEGER (0..MAX) }

1652  PreferredOrLegacyStalePackageIdentifier ::= CHOICE {
1653      preferredStaleVerNum INTEGER (0..MAX),
1654      legacyStaleVersion OCTET STRING }

1656  aa-targetHardwareIDs ATTRIBUTE ::=
1657      { TYPE TargetHardwareIdentifiers IDENTIFIED BY
1658      id-aa-targetHardwareIDs }

1660  id-aa-targetHardwareIDs OBJECT IDENTIFIER ::= {
1661      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1662      smime(16) aa(2) 36 }

1664  TargetHardwareIdentifiers ::= SEQUENCE OF OBJECT IDENTIFIER

1666  aa-decryptKeyID ATTRIBUTE ::=
1667      { TYPE DecryptKeyIdentifier IDENTIFIED BY id-aa-decryptKeyID}

1669  id-aa-decryptKeyID OBJECT IDENTIFIER ::= {
1670      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1671      smime(16) aa(2) 37 }

1673  DecryptKeyIdentifier ::= OCTET STRING

1675  aa-implCryptoAlgs ATTRIBUTE ::=
1676      { TYPE ImplementedCryptoAlgorithms IDENTIFIED BY
1677      id-aa-implCryptoAlgs }

1679  id-aa-implCryptoAlgs OBJECT IDENTIFIER ::= {
1680      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1681      smime(16) aa(2) 38 }

1683  ImplementedCryptoAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1685  aa-implCompressAlgs ATTRIBUTE ::=
1686      { TYPE ImplementedCompressAlgorithms IDENTIFIED BY
1687      id-aa-implCompressAlgs }

1689  id-aa-implCompressAlgs OBJECT IDENTIFIER ::= {
1690      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1691      smime(16) aa(2) 43 }

1693  ImplementedCompressAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER

1695  aa-communityIdentifiers ATTRIBUTE ::=
1696      { TYPE CommunityIdentifiers IDENTIFIED BY
1697      id-aa-communityIdentifiers }

1699  id-aa-communityIdentifiers OBJECT IDENTIFIER ::= {
1700      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1701      smime(16) aa(2) 40 }

1703  CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier

1705  CommunityIdentifier ::= CHOICE {
1706      communityOID OBJECT IDENTIFIER,
1707      hwModuleList HardwareModules }

1709  HardwareModules ::= SEQUENCE {
1710      hwType OBJECT IDENTIFIER,
1711      hwSerialEntries SEQUENCE OF HardwareSerialEntry }

1713  HardwareSerialEntry ::= CHOICE {
1714      all NULL,
1715      single OCTET STRING,
1716      block SEQUENCE {
1717          low OCTET STRING,
1718          high OCTET STRING
1719      }
1720  }

1722  aa-firmwarePackageInfo ATTRIBUTE ::=
1723      { TYPE FirmwarePackageInfo IDENTIFIED BY
1724      id-aa-firmwarePackageInfo }
1725  id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
1726      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1727      smime(16) aa(2) 42 }

1729  FirmwarePackageInfo ::= SEQUENCE {
1730      fwPkgType INTEGER OPTIONAL,
1731      dependencies SEQUENCE OF
1732          PreferredOrLegacyPackageIdentifier OPTIONAL }

1734  -- Firmware Package Unsigned Attributes and Object Identifiers

1736  aa-wrappedFirmwareKey ATTRIBUTE ::=
1737      { TYPE WrappedFirmwareKey IDENTIFIED BY
1738      id-aa-wrappedFirmwareKey }
1739  id-aa-wrappedFirmwareKey OBJECT IDENTIFIER ::= {
1740      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1741      smime(16) aa(2) 39 }

1743  WrappedFirmwareKey ::= EnvelopedData

1745  -- Firmware Package Load Receipt Content Type and Object Identifier

1747  ct-firmwareLoadReceipt CONTENT-TYPE ::=
1748      { FirmwarePackageLoadReceipt IDENTIFIED BY
1749      id-ct-firmwareLoadReceipt }
1750  id-ct-firmwareLoadReceipt OBJECT IDENTIFIER ::= {
1751      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1752      smime(16) ct(1) 17 }

1754  FirmwarePackageLoadReceipt ::= SEQUENCE {
1755      version FWReceiptVersion DEFAULT v1,
1756      hwType OBJECT IDENTIFIER,
1757      hwSerialNum OCTET STRING,
1758      fwPkgName PreferredOrLegacyPackageIdentifier,
1759      trustAnchorKeyID OCTET STRING OPTIONAL,
1760      decryptKeyID [1] OCTET STRING OPTIONAL }

1762  FWReceiptVersion ::= INTEGER { v1(1) }

1764  -- Firmware Package Load Error Report Content Type
1765  -- and Object Identifier

1767  ct-firmwareLoadError CONTENT-TYPE ::=
1768      { FirmwarePackageLoadError
1769      IDENTIFIED BY id-ct-firmwareLoadError }
1770  id-ct-firmwareLoadError OBJECT IDENTIFIER ::= {
1771      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1772      smime(16) ct(1) 18 }

1774  FirmwarePackageLoadError ::= SEQUENCE {
1775      version FWErrorVersion DEFAULT v1,
1776      hwType OBJECT IDENTIFIER,
1777      hwSerialNum OCTET STRING,
1778      errorCode FirmwarePackageLoadErrorCode,
1779      vendorErrorCode VendorLoadErrorCode OPTIONAL,
1780      fwPkgName PreferredOrLegacyPackageIdentifier OPTIONAL,
1781      config [1] SEQUENCE OF CurrentFWConfig OPTIONAL }

1783  FWErrorVersion ::= INTEGER { v1(1) }

1785  CurrentFWConfig ::= SEQUENCE {
1786      fwPkgType INTEGER OPTIONAL,
1787      fwPkgName PreferredOrLegacyPackageIdentifier }

1789  FirmwarePackageLoadErrorCode ::= ENUMERATED {
1790      decodeFailure (1),
1791      badContentInfo (2),
1792      badSignedData (3),
1793      badEncapContent (4),
1794      badCertificate (5),
1795      badSignerInfo (6),
1796      badSignedAttrs (7),
1797      badUnsignedAttrs (8),
1798      missingContent (9),
1799      noTrustAnchor (10),
1800      notAuthorized (11),
1801      badDigestAlgorithm (12),
1802      badSignatureAlgorithm (13),
1803      unsupportedKeySize (14),
1804      signatureFailure (15),
1805      contentTypeMismatch (16),
1806      badEncryptedData (17),
1807      unprotectedAttrsPresent (18),
1808      badEncryptContent (19),
1809      badEncryptAlgorithm (20),
1810      missingCiphertext (21),
1811      noDecryptKey (22),
1812      decryptFailure (23),
1813      badCompressAlgorithm (24),
1814      missingCompressedContent (25),
1815      decompressFailure (26),
1816      wrongHardware (27),
1817      stalePackage (28),
1818      notInCommunity (29),
1819      unsupportedPackageType (30),
1820      missingDependency (31),
1821      wrongDependencyVersion (32),
1822      insufficientMemory (33),
1823      badFirmware (34),
1824      unsupportedParameters (35),
1825      breaksDependency (36),
1826      otherError (99) }

1828  VendorLoadErrorCode ::= INTEGER

1830  -- Other Name syntax for Hardware Module Name

1832  on-hardwareModuleName OTHER-NAME ::=
1833      { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
1834  id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
1835      iso(1) identified-organization(3) dod(6) internet(1) security(5)
1836      mechanisms(5) pkix(7) on(8) 4 }

1838  HardwareModuleName ::= SEQUENCE {
1839      hwType OBJECT IDENTIFIER,
1840      hwSerialNum OCTET STRING }

1842  END

1844  8.  ASN.1 Module for RFC 4998

1846  ERS {iso(1) identified-organization(3) dod(6) internet(1)
1847      security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
1848      id-mod-ers-v1(1) }
1849  DEFINITIONS IMPLICIT TAGS ::=
1850  BEGIN
1851  IMPORTS

1853  AttributeSet{}, ATTRIBUTE
1854  FROM PKIX-CommonTypes
1855      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1856      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1858  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1859  FROM AlgorithmInformation-2009
1860      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1861      mechanisms(5) pkix(7) id-mod(0)
1862      id-mod-algorithmInformation-02(58)}

1864  ContentInfo
1865  FROM CryptographicMessageSyntax2004
1866      { iso(1) member-body(2) us(840) rsadsi(113549)
1867      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;

1869  aa-er-Internal ATTRIBUTE ::=
1870      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
1871  id-aa-er-internal OBJECT IDENTIFIER ::=
1872      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1873      smime(16) id-aa(2) 49 }

1875  aa-er-External ATTRIBUTE ::=
1876      { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
1877  id-aa-er-external OBJECT IDENTIFIER ::=
1878      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
1879      smime(16) id-aa(2) 50 }

1881  ltans OBJECT IDENTIFIER ::=
1882      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1883      mechanisms(5) ltans(11) }

1885  EvidenceRecord ::= SEQUENCE {
1886      version INTEGER { v1(1) } ,
1887      digestAlgorithms SEQUENCE OF AlgorithmIdentifier
1888          {DIGEST-ALGORITHM, {...}},
1889      cryptoInfos [0] CryptoInfos OPTIONAL,
1890      encryptionInfo [1] EncryptionInfo OPTIONAL,
1891      archiveTimeStampSequence ArchiveTimeStampSequence
1892  }

1894  CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}

1896  ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
1897  ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

1899  ArchiveTimeStamp ::= SEQUENCE {
1900      digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
1901          OPTIONAL,
1902      attributes [1] Attributes OPTIONAL,
1903      reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
1904      timeStamp ContentInfo
1905  }

1907  PartialHashtree ::= SEQUENCE OF OCTET STRING

1909  Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}

1911  EncryptionInfo ::= SEQUENCE {
1912      encryptionInfoType ENCINFO-TYPE.
1913          &id({SupportedEncryptionAlgorithms}),
1914      encryptionInfoValue ENCINFO-TYPE.
1915          &Type({SupportedEncryptionAlgorithms}
1916          {@encryptionInfoType})
1917  }

1919  ENCINFO-TYPE ::= TYPE-IDENTIFIER

1921  SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}

1923  END

1925  9.  ASN.1 Module for RFC 5035

1927  ExtendedSecurityServices-2009
1928      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1929      smime(16) modules(0) id-mod-ess-2006-02(42) }
1930  DEFINITIONS IMPLICIT TAGS ::=
1931  BEGIN
1932  IMPORTS

1934  AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
1935  FROM PKIX-CommonTypes-2009
1936      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1937      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

1939  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
1940  FROM AlgorithmInformation-2009
1941      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
1942      mechanisms(5) pkix(7) id-mod(0)
1943      id-mod-algorithmInformation-02(58)}

1945  ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
1946      CONTENT-TYPE
1947  FROM CryptographicMessageSyntax-2009
1948      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
1949      smime(16) modules(0) id-mod-cms-2004-02(41) }

1951  CertificateSerialNumber
1952  FROM PKIX1Explicit-2009
1953      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1954      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

1956  PolicyInformation, GeneralNames
1957  FROM PKIX1Implicit-2009
1958      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
1959      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

1961  mda-sha256
1962  FROM PKIX1-PSS-OAEP-Algorithms-2009
1963      { iso(1) identified-organization(3) dod(6)
1964      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
1965      id-mod-pkix1-rsa-pkalgs-02(54) } ;

1967  EssSignedAttributes ATTRIBUTE ::= {
1968      aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
1969      aa-msgSigDigest | aa-contentReference | aa-securityLabel |
1970      aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
1971      aa-signingCertificateV2, ... }

1973  EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }

1975  -- Extended Security Services
1976  -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
1977  -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
1978  -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
1979  -- to have at least one entry. MAX indicates the upper bound is
1980  -- unspecified. Implementations are free to choose an upper bound
1981  -- that suits their environment.

1983  -- Section 2.7

1985  aa-receiptRequest ATTRIBUTE ::=
1986      { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}

1988  ReceiptRequest ::= SEQUENCE {
1989      signedContentIdentifier ContentIdentifier,
1990      receiptsFrom ReceiptsFrom,
1991      receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
1992  }

1994  ub-receiptsTo INTEGER ::= 16

1996  aa-contentIdentifier ATTRIBUTE ::=
1997      { TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
1998  id-aa-receiptRequest OBJECT IDENTIFIER ::=
1999      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2000      smime(16) id-aa(2) 1}

2002  ContentIdentifier ::= OCTET STRING

2004  id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2005      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}

2007  ct-receipt CONTENT-TYPE ::=
2008      { Receipt IDENTIFIED BY id-ct-receipt }
2009  id-ct-receipt OBJECT IDENTIFIER ::=
2010      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2011      smime(16) id-ct(1) 1}

2013  ReceiptsFrom ::= CHOICE {
2014      allOrFirstTier [0] AllOrFirstTier,
2015          -- formerly "allOrNone [0]AllOrNone"
2016      receiptList [1] SEQUENCE OF GeneralNames }

2018  AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
2019      allReceipts (0),
2020      firstTierRecipients (1) }

2022  -- Section 2.8

2024  Receipt ::= SEQUENCE {
2025      version ESSVersion,
2026      contentType ContentType,
2027      signedContentIdentifier ContentIdentifier,
2028      originatorSignatureValue OCTET STRING
2029  }

2031  ESSVersion ::= INTEGER { v1(1) }

2033  -- Section 2.9

2035  aa-contentHint ATTRIBUTE ::=
2036      { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
2037  id-aa-contentHint OBJECT IDENTIFIER ::=
2038      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2039      smime(16) id-aa(2) 4}

2041  ContentHints ::= SEQUENCE {
2042      contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
2043      contentType ContentType }

2045  -- Section 2.10

2047  aa-msgSigDigest ATTRIBUTE ::=
2048      { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
2049  id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
2050      us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}

2052  MsgSigDigest ::= OCTET STRING

2054  -- Section 2.11

2056  aa-contentReference ATTRIBUTE ::=
2057      { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
2058  id-aa-contentReference OBJECT IDENTIFIER ::=
2059      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2060      smime(16) id-aa(2) 10 }

2062  ContentReference ::= SEQUENCE {
2063      contentType ContentType,
2064      signedContentIdentifier ContentIdentifier,
2065      originatorSignatureValue OCTET STRING }

2067  -- Section 3.2

2069  aa-securityLabel ATTRIBUTE ::=
2070      { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
2071  id-aa-securityLabel OBJECT IDENTIFIER ::=
2072      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2073      smime(16) id-aa(2) 2}

2075  ESSSecurityLabel ::= SET {
2076      security-policy-identifier SecurityPolicyIdentifier,
2077      security-classification SecurityClassification OPTIONAL,
2078      privacy-mark ESSPrivacyMark OPTIONAL,
2079      security-categories SecurityCategories OPTIONAL }

2081  SecurityPolicyIdentifier ::= OBJECT IDENTIFIER

2083  SecurityClassification ::= INTEGER {
2084      unmarked (0),
2085      unclassified (1),
2086      restricted (2),
2087      confidential (3),
2088      secret (4),
2089      top-secret (5)
2090  } (0..ub-integer-options)

2092  ub-integer-options INTEGER ::= 256

2094  ESSPrivacyMark ::= CHOICE {
2095      pString PrintableString (SIZE (1..ub-privacy-mark-length)),
2096      utf8String UTF8String (SIZE (1..MAX))
2097  }

2099  ub-privacy-mark-length INTEGER ::= 128

2101  SecurityCategories ::=
2102      SET SIZE (1..ub-security-categories) OF SecurityCategory
2103          {{SupportedSecurityCategories}}

2105  ub-security-categories INTEGER ::= 64

2107  SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

2109  -- Section 3.4

2111  aa-equivalentLabels ATTRIBUTE ::=
2112      { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
2113  id-aa-equivalentLabels OBJECT IDENTIFIER ::=
2114      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2115      smime(16) id-aa(2) 9}

2117  EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel

2119  -- Section 4.4

2121  aa-mlExpandHistory ATTRIBUTE ::=
2122      { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
2123  id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
2124      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2125      smime(16) id-aa(2) 3 }

2127  MLExpansionHistory ::= SEQUENCE
2128      SIZE (1..ub-ml-expansion-history) OF MLData

2130  ub-ml-expansion-history INTEGER ::= 64

2132  MLData ::= SEQUENCE {
2133      mailListIdentifier EntityIdentifier,
2134      expansionTime GeneralizedTime,
2135      mlReceiptPolicy MLReceiptPolicy OPTIONAL }

2137  EntityIdentifier ::= CHOICE {
2138      issuerAndSerialNumber IssuerAndSerialNumber,
2139      subjectKeyIdentifier SubjectKeyIdentifier }

2141  MLReceiptPolicy ::= CHOICE {
2142      none [0] NULL,
2143      insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
2144      inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }

2146  -- Section 5.4

2148  aa-signingCertificate ATTRIBUTE ::=
2149      { TYPE SigningCertificate IDENTIFIED BY
2150      id-aa-signingCertificate }
2151  id-aa-signingCertificate OBJECT IDENTIFIER ::=
2152      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2153      smime(16) id-aa(2) 12 }

2155  SigningCertificate ::= SEQUENCE {
2156      certs SEQUENCE OF ESSCertID,
2157      policies SEQUENCE OF PolicyInformation OPTIONAL
2158  }

2160  aa-signingCertificateV2 ATTRIBUTE ::=
2161      { TYPE SigningCertificateV2 IDENTIFIED BY
2162      id-aa-signingCertificateV2 }
2163  id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
2164      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
2165      smime(16) id-aa(2) 47 }

2167  SigningCertificateV2 ::= SEQUENCE {
2168      certs SEQUENCE OF ESSCertIDv2,
2169      policies SEQUENCE OF PolicyInformation OPTIONAL
2170  }

2172  HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
2173      {mda-sha256, ...}}

2175  ESSCertIDv2 ::= SEQUENCE {
2176      hashAlgorithm HashAlgorithm
2177          DEFAULT { algorithm mda-sha256.&id },
2178      certHash Hash,
2179      issuerSerial IssuerSerial OPTIONAL
2180  }
2181  ESSCertID ::= SEQUENCE {
2182      certHash Hash,
2183      issuerSerial IssuerSerial OPTIONAL
2184  }

2186  Hash ::= OCTET STRING

2188  IssuerSerial ::= SEQUENCE {
2189      issuer GeneralNames,
2190      serialNumber CertificateSerialNumber
2191  }

2193  END

2195  10. ASN.1 Module for RFC 5083

2197  CMS-AuthEnvelopedData-2009
2198      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2199      smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
2200  DEFINITIONS IMPLICIT TAGS ::=
2201  BEGIN
2202  IMPORTS

2204  AuthAttributes, CMSVersion, EncryptedContentInfo,
2205      MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
2206      UnauthAttributes, CONTENT-TYPE
2207  FROM CryptographicMessageSyntax-2009
2208      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2209      smime(16) modules(0) id-mod-cms-2004-02(41)} ;

2211  ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }

2213  ct-authEnvelopedData CONTENT-TYPE ::= {
2214      AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
2215  }

2217  id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
2218      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2219      smime(16) ct(1) 23}

2221  AuthEnvelopedData ::= SEQUENCE {
2222      version CMSVersion,
2223      originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
2224      recipientInfos RecipientInfos,
2225      authEncryptedContentInfo EncryptedContentInfo,
2226      authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
2227      mac MessageAuthenticationCode,
2228      unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
2229  }

2231  END

2233  11. ASN.1 Module for RFC 5084

2235  CMS-AES-CCM-and-AES-GCM-2009
2236      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
2237      pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
2238  DEFINITIONS IMPLICIT TAGS ::=
2239  BEGIN
2240  EXPORTS ALL;
2241  IMPORTS

2243  CONTENT-ENCRYPTION, SMIME-CAPS
2244  FROM AlgorithmInformation-2009
2245      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2246      mechanisms(5) pkix(7) id-mod(0)
2247      id-mod-algorithmInformation-02(58)};

2249  -- Add this algorithm set to include all of the algorithms defined in
2250  -- this document

2252  ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
2253      cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
2254      cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }

2256  SMimeCaps SMIME-CAPS ::= {
2257      cea-aes128-CCM.&smimeCaps |
2258      cea-aes192-CCM.&smimeCaps |
2259      cea-aes256-CCM.&smimeCaps |
2260      cea-aes128-GCM.&smimeCaps |
2261      cea-aes192-GCM.&smimeCaps |
2262      cea-aes256-GCM.&smimeCaps,
2263      ...
2264  }

2266  -- Defining objects

2268  aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
2269      organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

2271  cea-aes128-CCM CONTENT-ENCRYPTION ::= {
2272      IDENTIFIER id-aes128-CCM
2273      PARAMS TYPE CCMParameters ARE required
2274      SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
2275  }
2276  id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }

2278  cea-aes192-CCM CONTENT-ENCRYPTION ::= {
2279      IDENTIFIER id-aes192-CCM
2280      PARAMS TYPE CCMParameters ARE required
2281      SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
2282  }
2283  id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }

2285  cea-aes256-CCM CONTENT-ENCRYPTION ::= {
2286      IDENTIFIER id-aes256-CCM
2287      PARAMS TYPE CCMParameters ARE required
2288      SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }
2290  }
2291  id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

2293  cea-aes128-GCM CONTENT-ENCRYPTION ::= {
2294      IDENTIFIER id-aes128-GCM
2295      PARAMS TYPE GCMParameters ARE required
2296      SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
2297  }
2298  id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }

2300  cea-aes192-GCM CONTENT-ENCRYPTION ::= {
2301      IDENTIFIER id-aes192-GCM
2302      PARAMS TYPE GCMParameters ARE required
2303      SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
2304  }
2305  id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }

2307  cea-aes256-GCM CONTENT-ENCRYPTION ::= {
2308      IDENTIFIER id-aes256-GCM
2309      PARAMS TYPE GCMParameters ARE required
2310      SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
2311  }
2312  id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

2314  -- Parameters for AlgorithmIdentifier

2316  CCMParameters ::= SEQUENCE {
2317      aes-nonce OCTET STRING (SIZE(7..13)),
2318      aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }

2320  AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

2322  GCMParameters ::= SEQUENCE {
2323      aes-nonce OCTET STRING, -- recommended size is 12 octets
2324      aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }

2326  AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

2328  END

2330  12. ASN.1 Module for RFC 5275

2332  SMIMESymmetricKeyDistribution-2009
2333      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2334      smime(16) modules(0) id-mod-symkeydist-02(36)}
2335  DEFINITIONS IMPLICIT TAGS ::=
2336  BEGIN
2337  EXPORTS ALL;
2338  IMPORTS

2340  AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
2341      SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
2342  FROM AlgorithmInformation-2009
2343      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
2344      mechanisms(5) pkix(7) id-mod(0)
2345      id-mod-algorithmInformation-02(58)}

2347  GeneralName
2348  FROM PKIX1Implicit-2009
2349      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2350      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }

2352  Certificate
2353  FROM PKIX1Explicit-2009
2354      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2355      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }

2357  RecipientInfos, KEKIdentifier, CertificateSet
2358  FROM CryptographicMessageSyntax-2009
2359      {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2360      smime(16) modules(0) id-mod-cms-2004-02(41) }

2362  cap-3DESwrap
2363  FROM CryptographicMessageSyntaxAlgorithms
2364      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2365      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

2367  AttributeCertificate
2368  FROM PKIXAttributeCertificate-2009
2369      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2370      mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }

2372  CMC-CONTROL, EXTENDED-FAILURE-INFO
2373  FROM EnrollmentMessageSyntax
2374      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2375      mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }

2377  kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
2378  FROM CMSAesRsaesOaep-2009
2379      { iso(1) member-body(2) us(840) rsadsi(113549)
2380      pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;

2382  -- This defines the group list (GL) symmetric key distribution OID arc
2383  id-skd OBJECT IDENTIFIER ::=
2384      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
2385      smime(16) skd(8) }

2387  SKD-ControlSet CMC-CONTROL ::= {
2388      skd-glUseKEK | skd-glDelete | skd-glAddMember |
2389      skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
2390      skd-glRemoveOwner | skd-glKeyCompromise |
2391      skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
2392      skd-glManageCert | skd-glKey, ... }

2394  -- This defines the GL Use KEK control attribute

2396  skd-glUseKEK CMC-CONTROL ::=
2397      { GLUseKEK IDENTIFIED BY id-skd-glUseKEK }

2399  id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}

2401  GLUseKEK ::= SEQUENCE {
2402      glInfo GLInfo,
2403      glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
2404      glAdministration GLAdministration DEFAULT managed,
2405      glKeyAttributes GLKeyAttributes OPTIONAL
2406  }

2408  GLInfo ::= SEQUENCE {
2409      glName GeneralName,
2410      glAddress GeneralName
2411  }

2413  GLOwnerInfo ::= SEQUENCE {
2414      glOwnerName GeneralName,
2415      glOwnerAddress GeneralName,
2416      certificates Certificates OPTIONAL
2417  }

2419  GLAdministration ::= INTEGER {
2420      unmanaged (0),
2421      managed (1),
2422      closed (2)
2423  }

2425  --
2426  -- The advertised set of algorithm capabilities for the document
2427  --

2429  SKD-Caps SMIME-CAPS ::= {
2430      cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
2431      kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
2432  }

2434  cap-aes128-cbc KeyWrapAlgorithm ::=
2435      { capabilityID kwa-aes128-wrap.&smimeCaps.&id }

2437  --
2438  -- The set of key wrap algorithms supported by this specification
2439  --

2441  KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}

2443  GLKeyAttributes ::= SEQUENCE {
2444      rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
2445      recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
2446      duration [2] INTEGER DEFAULT 0,
2447      generationCounter [3] INTEGER DEFAULT 2,
2448      requestedAlgorithm [4] KeyWrapAlgorithm
2449          DEFAULT cap-aes128-cbc
2450  }

2452  -- This defines the Delete GL control attribute.
2453  -- It has the simple type GeneralName.

2455  skd-glDelete CMC-CONTROL ::=
2456      { DeleteGL IDENTIFIED BY id-skd-glDelete }

2458  id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
2459  DeleteGL ::= GeneralName

2461  -- This defines the Add GL Member control attribute

2463  skd-glAddMember CMC-CONTROL ::=
2464      { GLAddMember IDENTIFIED BY id-skd-glAddMember }

2466  id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
2467  GLAddMember ::= SEQUENCE {
2468      glName GeneralName,
2469      glMember GLMember
2470  }

2472  GLMember ::= SEQUENCE {
2473      glMemberName GeneralName,
2474      glMemberAddress GeneralName OPTIONAL,
2475      certificates Certificates OPTIONAL
2476  }

2478  Certificates ::= SEQUENCE {
2479      pKC [0] Certificate OPTIONAL,
2480          -- See RFC 5280
2481      aC [1] SEQUENCE SIZE (1..MAX) OF
2482          AttributeCertificate OPTIONAL,
2483          -- See RFC 3281
2484      certPath [2] CertificateSet OPTIONAL
2485          -- From RFC 3852
2486  }

2488  -- This defines the Delete GL Member control attribute

2490  skd-glDeleteMember CMC-CONTROL ::=
2491      { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }

2493  id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}

2495  GLDeleteMember ::= SEQUENCE {
2496      glName GeneralName,
2497      glMemberToDelete GeneralName
2498  }

2500  -- This defines the GL Rekey control attribute

2502  skd-glRekey CMC-CONTROL ::=
2503      { GLRekey IDENTIFIED BY id-skd-glRekey }

2505  id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}

2507  GLRekey ::= SEQUENCE {
2508      glName GeneralName,
2509      glAdministration GLAdministration OPTIONAL,
2510      glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
2511      glRekeyAllGLKeys BOOLEAN OPTIONAL
2512  }

2514  GLNewKeyAttributes ::= SEQUENCE {
2515      rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
2516      recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
2517      duration [2] INTEGER OPTIONAL,
2518      generationCounter [3] INTEGER OPTIONAL,
2519      requestedAlgorithm [4] KeyWrapAlgorithm OPTIONAL
2520  }

2522  -- This defines the Add and Delete GL Owner control attributes

2524  skd-glAddOwner CMC-CONTROL ::=
2525      { GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }

2527  id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}

2529  skd-glRemoveOwner CMC-CONTROL ::=
2530      { GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }

2532  id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}

2534  GLOwnerAdministration ::= SEQUENCE {
2535      glName GeneralName,
2536      glOwnerInfo GLOwnerInfo
2537  }

2539  -- This defines the GL Key Compromise control attribute.
2540  -- It has the simple type GeneralName.

2542  skd-glKeyCompromise CMC-CONTROL ::=
2543      { GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }

2545  id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
2546  GLKCompromise ::= GeneralName

2548  -- This defines the GL Key Refresh control attribute.

2550  skd-glkRefresh CMC-CONTROL ::=
2551      { GLKRefresh IDENTIFIED BY id-skd-glkRefresh }

2553  id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}

2555  GLKRefresh ::= SEQUENCE {
2556      glName GeneralName,
2557      dates SEQUENCE SIZE (1..MAX) OF Date
2558  }

2560  Date ::= SEQUENCE {
2561      start GeneralizedTime,
2562      end GeneralizedTime OPTIONAL
2563  }

2565  -- This defines the GLA Query Request control attribute.

2567  skd-glaQueryRequest CMC-CONTROL ::=
2568      { GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }

2570  id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}

2572  SKD-QUERY ::= TYPE-IDENTIFIER

2574  SkdQuerySet SKD-QUERY ::= {skd-AlgRequest, ...}
2575  GLAQueryRequest ::= SEQUENCE {
2576      glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
2577      glaRequestValue SKD-QUERY.
2578          &Type ({SkdQuerySet}{@glaRequestType})
2579  }

2581  -- This defines the GLA Query Response control attribute.

2583  skd-glaQueryResponse CMC-CONTROL ::=
2584      { GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }

2586  id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}

2588  SKD-RESPONSE ::= TYPE-IDENTIFIER

2590  SkdResponseSet SKD-RESPONSE ::= {skd-AlgResponse, ...}

2592  GLAQueryResponse ::= SEQUENCE {
2593      glaResponseType SKD-RESPONSE.
2594          &id({SkdResponseSet}),
2595      glaResponseValue SKD-RESPONSE.
2596          &Type({SkdResponseSet}{@glaResponseType})}

2598  -- This defines the GLA Request/Response (glaRR) arc for
2599  -- glaRequestType/glaResponseType.

2601  id-cmc-glaRR OBJECT IDENTIFIER ::=
2602      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2603      mechanisms(5) pkix(7) cmc(7) glaRR(99) }

2605  -- This defines the Algorithm Request

2607  skd-AlgRequest SKD-QUERY ::= {
2608      SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
2609  }

2611  id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
2612  SKDAlgRequest ::= NULL

2614  -- This defines the Algorithm Response

2616  skd-AlgResponse SKD-RESPONSE ::= {
2617      SMIMECapability{{SKD-Caps}} IDENTIFIED BY
2618      id-cmc-gla-skdAlgResponse
2619  }

2621  id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
2622  -- Note that the response for algorithmSupported request is the
2623  -- smimeCapabilities attribute as defined in RFC 3851.

2625  -- This defines the control attribute to request an updated
2626  -- certificate to the GLA.

2628  skd-glProvideCert CMC-CONTROL ::=
2629      { GLManageCert IDENTIFIED BY id-skd-glProvideCert }

2631  id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}

2633  GLManageCert ::= SEQUENCE {
2634      glName GeneralName,
2635      glMember GLMember
2636  }

2638  -- This defines the control attribute to return an updated
2639  -- certificate to the GLA. It has the type GLManageCert.

2641  skd-glManageCert CMC-CONTROL ::=
2642      { GLManageCert IDENTIFIED BY id-skd-glManageCert }

2644  id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}

2646  -- This defines the control attribute to distribute the GL shared
2647  -- KEK.

2649  skd-glKey CMC-CONTROL ::=
2650      { GLKey IDENTIFIED BY id-skd-glKey }

2652  id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}

2654  GLKey ::= SEQUENCE {
2655      glName GeneralName,
2656      glIdentifier KEKIdentifier, -- See RFC 3852
2657      glkWrapped RecipientInfos, -- See RFC 3852
2658      glkAlgorithm KeyWrapAlgorithm,
2659      glkNotBefore GeneralizedTime,
2660      glkNotAfter GeneralizedTime
2661  }

2663  -- This defines the CMC error types

2665  skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
2666      SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
2667  }

2669  id-cet-skdFailInfo OBJECT IDENTIFIER ::=
2670      { iso(1) identified-organization(3) dod(6) internet(1) security(5)
2671      mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }

2673  SKDFailInfo ::= INTEGER {
2674      unspecified (0),
2675      closedGL (1),
2676      unsupportedDuration (2),
2677      noGLACertificate (3),
2678      invalidCert (4),
2679      unsupportedAlgorithm (5),
2680      noGLONameMatch (6),
2681      invalidGLName (7),
2682      nameAlreadyInUse (8),
2683      noSpam (9),
2684      deniedAccess (10),
2685      alreadyAMember (11),
2686      notAMember (12),
2687      alreadyAnOwner (13),
2688      notAnOwner (14) }

2690  END

2692  13. Security Considerations

2694     Even though all the RFCs in this document are security-related, the
2695     document itself does not have any security considerations. The ASN.1
2696     modules keep the same bits-on-the-wire as the modules that they
2697     replace.

2699  14. Normative References

2701     [ASN1-2002]
2702                ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
2703                X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.

2705     [NEW-PKIX]
2706                Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
2707                draft-ietf-pkix-new-asn1 (work in progress),
2708                December 2007.

2710     [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
2711                Algorithms", RFC 3370, August 2002.

2713     [RFC3565]  Schaad, J., "Use of the Advanced Encryption Standard (AES)
2714                Encryption Algorithm in Cryptographic Message Syntax
2715                (CMS)", RFC 3565, July 2003.

2717     [RFC3851]  Ramsdell, B., "Secure/Multipurpose Internet Mail
2718                Extensions (S/MIME) Version 3.1 Message Specification",
2719                RFC 3851, July 2004.

2721     [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
2722                RFC 3852, July 2004.

2724     [RFC4108]  Housley, R., "Using Cryptographic Message Syntax (CMS) to
2725                Protect Firmware Packages", RFC 4108, August 2005.

2727     [RFC4998]  Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
2728                Record Syntax (ERS)", RFC 4998, August 2007.

2730     [RFC5035]  Schaad, J., "Enhanced Security Services (ESS) Update:
2731                Adding CertID Algorithm Agility", RFC 5035, August 2007.

2733     [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
2734                Authenticated-Enveloped-Data Content Type", RFC 5083,
2735                November 2007.

2737     [RFC5084]  Housley, R., "Using AES-CCM and AES-GCM Authenticated
2738                Encryption in the Cryptographic Message Syntax (CMS)",
2739                RFC 5084, November 2007.

2741     [RFC5275]  Turner, S., "CMS Symmetric Key Management and
2742                Distribution", RFC 5275, June 2008.

2744  Appendix A. Change History

2746     [[ This entire section is to be removed upon publication. ]]

2748  A.1. Changes between draft-hoffman-cms-new-asn1-00 and
2749       draft-ietf-smime-new-asn1-00

2751     Changed the draft name.

2753     Added RFC 3565.

2755     Added RFC 4998.

2757     Made RFCs-to-be 5083 and 5084 into RFCs.

2759     In RFC 3370, a line in the comment starting with "Another way to
2760     do..." was not commented out when it should have been.

2762     In RFC 3851, the name of the module from which we are importing was
2763     wrong, although the OID was right.

2765     In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
2766     which version of CMS added the various extensions.

2768  A.2. Changes between draft-ietf-smime-new-asn1-00 and -01

2770     Added RFC 5275.

2772     Added module for algorithm classes, and modified RFC 3370 and RFC
2773     3852 to use the classes defined.

2775  A.3. Changes between draft-ietf-smime-new-asn1-01 and -02

2777     Added design notes.

2779     Removed issue on "Algorithm Structure" and issue on "More Modules To
2780     Be Added".

2782     Updated all modules to use objects more deeply.

2784     In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
2785     module where the changes were made.

2787  A.4. Changes between draft-ietf-smime-new-asn1-02 and -03

2789     Many cosmetic-only changes to the modules.

2791     Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
2792     to "SMIME-CAPS").

2794     Updated the reference of X.680 to X.680, X.681, X.682, and X.683.

2796  A.5. Changes between draft-ietf-smime-new-asn1-03 and -04

2798     Changed the status of the document.

2800  A.6. Changes between draft-ietf-smime-new-asn1-04 and -05

2802     Removed the "Issues" section from section 1, which should have been
2803     done in the last draft.

2805  Authors' Addresses

2807     Paul Hoffman
2808     VPN Consortium
2809     127 Segre Place
2810     Santa Cruz, CA 95060
2811     US

2813     Phone: 1-831-426-9827
2814     Email: paul.hoffman@vpnc.org

2816     Jim Schaad
2817     Soaring Hawk Consulting

2819     Email: jimsch@exmsft.com
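
The CCMParameters and GCMParameters types in the module for RFC 5084 (section 11) constrain the nonce size and the ICV length, and a receiver has to enforce those constraints itself before handing the values to an AEAD implementation. The decoder below is an added example, not part of the draft or of any project's code; its function names and sample encodings are constructed, and it assumes the parameters arrive DER-encoded, which the modules on this page do not state.

```python
# Added example (not from the draft): strict decoder for CCMParameters and
# GCMParameters. Assumption: input is DER, so lengths are minimal and a
# component equal to its DEFAULT is absent.
CCM_NONCE_SIZES = range(7, 14)               # OCTET STRING (SIZE(7..13))
CCM_ICV_LENGTHS = {4, 6, 8, 10, 12, 14, 16}  # AES-CCM-ICVlen
GCM_ICV_LENGTHS = {12, 13, 14, 15, 16}       # AES-GCM-ICVlen
DEFAULT_ICV_LEN = 12                         # aes-ICVlen ... DEFAULT 12
GCM_RECOMMENDED_NONCE = 12                   # "recommended size is 12 octets"


class ParameterError(ValueError):
    """The encoding is malformed or violates a constraint from the module."""


def read_tlv(buf, pos, tag):
    """Read one definite-length TLV with the given tag; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ParameterError("truncated header")
    if buf[pos] != tag:
        raise ParameterError(f"expected tag 0x{tag:02x}, found 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ParameterError("indefinite length is not DER")
    if length > 0x80:
        count = length & 0x7F
        if count > 2 or pos + count > len(buf):
            raise ParameterError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80 or (count == 2 and length < 0x100):
            raise ParameterError("non-minimal length")
        pos += count
    if pos + length > len(buf):
        raise ParameterError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_integer(value):
    """Decode a DER INTEGER body, rejecting empty and padded encodings."""
    if not value:
        raise ParameterError("empty INTEGER")
    padded_pos = value[0] == 0x00 and len(value) > 1 and value[1] < 0x80
    padded_neg = value[0] == 0xFF and len(value) > 1 and value[1] >= 0x80
    if padded_pos or padded_neg:
        raise ParameterError("non-minimal INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_aead_parameters(der, mode):
    """Decode and validate the parameters for mode 'CCM' or 'GCM'."""
    if mode not in ("CCM", "GCM"):
        raise ValueError("mode must be 'CCM' or 'GCM'")
    body, end = read_tlv(der, 0, 0x30)        # SEQUENCE
    if end != len(der):
        raise ParameterError("trailing data after SEQUENCE")
    nonce, pos = read_tlv(body, 0, 0x04)      # aes-nonce OCTET STRING
    icv_len = DEFAULT_ICV_LEN
    if pos != len(body):
        raw, pos = read_tlv(body, pos, 0x02)  # aes-ICVlen INTEGER
        if pos != len(body):
            raise ParameterError("unexpected extra component")
        icv_len = decode_integer(raw)
        if icv_len == DEFAULT_ICV_LEN:
            raise ParameterError("DEFAULT value 12 must be omitted in DER")
    warnings = []
    if mode == "CCM" and len(nonce) not in CCM_NONCE_SIZES:
        raise ParameterError(f"CCM nonce of {len(nonce)} octets is outside 7..13")
    if mode == "GCM" and len(nonce) != GCM_RECOMMENDED_NONCE:
        warnings.append(f"GCM nonce is {len(nonce)} octets, not the recommended 12")
    allowed = CCM_ICV_LENGTHS if mode == "CCM" else GCM_ICV_LENGTHS
    if icv_len not in allowed:
        raise ParameterError(f"{mode} ICV length {icv_len} is not permitted")
    return {"nonce": bytes(nonce), "icv_len": icv_len, "warnings": warnings}


def check(der, mode):
    """Return 'ok' or the rejection reason, e.g. for logging."""
    try:
        decode_aead_parameters(der, mode)
        return "ok"
    except ParameterError as exc:
        return str(exc)


# Constructed sample encodings (not taken from the page).
NONCE12 = bytes(range(12))
SAMPLES = {
    "gcm_default_icv": bytes([0x30, 0x0E, 0x04, 0x0C]) + NONCE12,
    "ccm_icv16": bytes([0x30, 0x12, 0x04, 0x0D]) + bytes(13) + bytes([2, 1, 16]),
    "ccm_short_nonce": bytes([0x30, 0x08, 0x04, 0x06]) + bytes(6),
    "gcm_icv8": bytes([0x30, 0x11, 0x04, 0x0C]) + NONCE12 + bytes([2, 1, 8]),
    "gcm_explicit_default": bytes([0x30, 0x11, 0x04, 0x0C]) + NONCE12 + bytes([2, 1, 12]),
}
```

The same bytes can be acceptable under one type and not the other: the `gcm_icv8` sample is rejected as GCMParameters but satisfies every CCMParameters constraint, so the decoder must be told which algorithm OID selected the parameters.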