RFC 5912
New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)
14. ASN.1 Module for RFC 5280, Explicit and Implicit
Note that many of the changes in this module are similar or the same as the changes made in more recent versions of X.509 itself. PKIX1Explicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{} FROM PKIX-CommonTypes-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
CertExtensions, CrlExtensions, CrlEntryExtensions
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
SignatureAlgs, PublicKeys
FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56}
SignatureAlgs, PublicKeys
FROM PKIX1-PSS-OAEP-Algorithms-2009
{iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54)}
ORAddress
FROM PKIX-X400Address-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)};
id-pkix OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7)}
-- PKIX arcs
id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
-- arc for private certificate extensions
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
-- arc for policy qualifier types
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
-- arc for extended key purpose OIDs
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
-- arc for access descriptors
-- policyQualifierIds for Internet policy qualifiers
id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
-- OID for CPS qualifier
id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
-- OID for user notice qualifier
-- access descriptor definitions
id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }
-- attribute data types
AttributeType ::= ATTRIBUTE.&id
-- Replaced by SingleAttribute{}
--
-- AttributeTypeAndValue ::= SEQUENCE {
-- type ATTRIBUTE.&id({SupportedAttributes}),
-- value ATTRIBUTE.&Type({SupportedAttributes}{@type}) }
--
-- Suggested naming attributes: Definition of the following
-- information object set may be augmented to meet local
-- requirements. Note that deleting members of the set may
-- prevent interoperability with conforming implementations.
-- All attributes are presented in pairs: the AttributeType
-- followed by the type definition for the corresponding
-- AttributeValue.
-- Arc for standard naming attributes
id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
-- Naming attributes of type X520name
id-at-name AttributeType ::= { id-at 41 }
at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name }
id-at-surname AttributeType ::= { id-at 4 }
at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname }
id-at-givenName AttributeType ::= { id-at 42 }
at-givenName ATTRIBUTE ::=
{ TYPE X520name IDENTIFIED BY id-at-givenName }
id-at-initials AttributeType ::= { id-at 43 }
at-initials ATTRIBUTE ::=
{ TYPE X520name IDENTIFIED BY id-at-initials }
id-at-generationQualifier AttributeType ::= { id-at 44 }
at-generationQualifier ATTRIBUTE ::=
{ TYPE X520name IDENTIFIED BY id-at-generationQualifier }
-- Directory string type --
DirectoryString{INTEGER:maxSize} ::= CHOICE {
teletexString TeletexString(SIZE (1..maxSize)),
printableString PrintableString(SIZE (1..maxSize)),
bmpString BMPString(SIZE (1..maxSize)),
universalString UniversalString(SIZE (1..maxSize)),
uTF8String UTF8String(SIZE (1..maxSize))
}
X520name ::= DirectoryString {ub-name}
-- Naming attributes of type X520CommonName
id-at-commonName AttributeType ::= { id-at 3 }
at-x520CommonName ATTRIBUTE ::=
{TYPE X520CommonName IDENTIFIED BY id-at-commonName }
X520CommonName ::= DirectoryString {ub-common-name}
-- Naming attributes of type X520LocalityName
id-at-localityName AttributeType ::= { id-at 7 }
at-x520LocalityName ATTRIBUTE ::=
{ TYPE X520LocalityName IDENTIFIED BY id-at-localityName }
X520LocalityName ::= DirectoryString {ub-locality-name}
-- Naming attributes of type X520StateOrProvinceName
id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
at-x520StateOrProvinceName ATTRIBUTE ::=
{ TYPE DirectoryString {ub-state-name}
IDENTIFIED BY id-at-stateOrProvinceName }
X520StateOrProvinceName ::= DirectoryString {ub-state-name}
-- Naming attributes of type X520OrganizationName
id-at-organizationName AttributeType ::= { id-at 10 }
at-x520OrganizationName ATTRIBUTE ::=
{ TYPE DirectoryString {ub-organization-name}
IDENTIFIED BY id-at-organizationName }
X520OrganizationName ::= DirectoryString {ub-organization-name}
-- Naming attributes of type X520OrganizationalUnitName
id-at-organizationalUnitName AttributeType ::= { id-at 11 }
at-x520OrganizationalUnitName ATTRIBUTE ::=
{ TYPE DirectoryString {ub-organizational-unit-name}
IDENTIFIED BY id-at-organizationalUnitName }
X520OrganizationalUnitName ::= DirectoryString
{ub-organizational-unit-name}
-- Naming attributes of type X520Title
id-at-title AttributeType ::= { id-at 12 }
at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title }
IDENTIFIED BY id-at-title }
-- Naming attributes of type X520dnQualifier
id-at-dnQualifier AttributeType ::= { id-at 46 }
at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString
IDENTIFIED BY id-at-dnQualifier }
-- Naming attributes of type X520countryName (digraph from IS 3166)
id-at-countryName AttributeType ::= { id-at 6 }
at-x520countryName ATTRIBUTE ::= { TYPE PrintableString (SIZE (2))
IDENTIFIED BY id-at-countryName }
-- Naming attributes of type X520SerialNumber
id-at-serialNumber AttributeType ::= { id-at 5 }
at-x520SerialNumber ATTRIBUTE ::= {TYPE PrintableString
(SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber }
-- Naming attributes of type X520Pseudonym
id-at-pseudonym AttributeType ::= { id-at 65 }
at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym}
IDENTIFIED BY id-at-pseudonym }
-- Naming attributes of type DomainComponent (from RFC 2247)
id-domainComponent AttributeType ::=
{ itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)
pilotAttributeType(1) 25 }
at-domainComponent ATTRIBUTE ::= {TYPE IA5String
IDENTIFIED BY id-domainComponent }
-- Legacy attributes
pkcs-9 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
id-emailAddress AttributeType ::= { pkcs-9 1 }
at-emailAddress ATTRIBUTE ::= {TYPE IA5String
(SIZE (1..ub-emailaddress-length)) IDENTIFIED BY
id-emailAddress }
-- naming data types --
Name ::= CHOICE { -- only one possibility for now --
rdnSequence RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
DistinguishedName ::= RDNSequence
RelativeDistinguishedName ::=
SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} }
-- These are the known name elements for a DN
SupportedAttributes ATTRIBUTE ::= {
at-name | at-surname | at-givenName | at-initials |
at-generationQualifier | at-x520CommonName |
at-x520LocalityName | at-x520StateOrProvinceName |
at-x520OrganizationName | at-x520OrganizationalUnitName |
at-x520Title | at-x520dnQualifier | at-x520countryName |
at-x520SerialNumber | at-x520Pseudonym | at-domainComponent |
at-emailAddress, ... }
--
-- Certificate- and CRL-specific structures begin here
--
Certificate ::= SIGNED{TBSCertificate}
TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
... ,
[[2: -- If present, version MUST be v2
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL
]],
[[3: -- If present, version MUST be v3 --
extensions [3] Extensions{{CertExtensions}} OPTIONAL
]], ... }
Version ::= INTEGER { v1(0), v2(1), v3(2) }
CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time }
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier{PUBLIC-KEY,
{PublicKeyAlgorithms}},
subjectPublicKey BIT STRING }
-- CRL structures
CertificateList ::= SIGNED{TBSCertList}
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, MUST be v2
signature AlgorithmIdentifier{SIGNATURE-ALGORITHM,
{SignatureAlgorithms}},
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE SIZE (1..MAX) OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
... ,
[[2: -- if present, version MUST be v2
crlEntryExtensions Extensions{{CrlEntryExtensions}}
OPTIONAL
]], ...
} OPTIONAL,
... ,
[[2: -- if present, version MUST be v2
crlExtensions [0] Extensions{{CrlExtensions}}
OPTIONAL
]], ... }
-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure
--
-- The two object sets below should be expanded to include
-- those algorithms which are supported by the system.
--
-- For example:
-- SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
-- PKIXAlgs-2008.SignatureAlgs, ...,
-- - - RFC 3279 provides the base set
-- PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs |
-- - - RFC 4055 provides extension algs
-- OtherModule.SignatureAlgs
-- - - RFC XXXX provides additional extension algs
-- }
SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
PKIXAlgs-2009.SignatureAlgs, ...,
PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }
PublicKeyAlgorithms PUBLIC-KEY ::= {
PKIXAlgs-2009.PublicKeys, ...,
PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys}
-- Upper Bounds
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-title INTEGER ::= 64
ub-serial-number INTEGER ::= 64
ub-pseudonym INTEGER ::= 128
ub-emailaddress-length INTEGER ::= 255
ub-locality-name INTEGER ::= 128
ub-common-name INTEGER ::= 64
ub-name INTEGER ::= 32768
-- Note - upper bounds on string types, such as TeletexString, are
-- measured in characters. Excepting PrintableString or IA5String, a
-- significantly greater number of octets will be required to hold
-- such a value. As a minimum, 16 octets or twice the specified
-- upper bound, whichever is the larger, should be allowed for
-- TeletexString. For UTF8String or UniversalString, at least four
-- times the upper bound should be allowed.
-- Information object classes used in the definition
-- of certificates and CRLs
-- Parameterized Type SIGNED
--
-- Three different versions of doing SIGNED:
-- 1. Simple and close to the previous version
--
-- SIGNED{ToBeSigned} ::= SEQUENCE {
-- toBeSigned ToBeSigned,
-- algorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM,
-- {SignatureAlgorithms}},
-- signature BIT STRING
-- }
-- 2. From Authenticated Framework
--
-- SIGNED{ToBeSigned} ::= SEQUENCE {
-- toBeSigned ToBeSigned,
-- COMPONENTS OF SIGNATURE{ToBeSigned}
-- }
-- SIGNATURE{ToBeSigned} ::= SEQUENCE {
-- algorithmIdentifier AlgorithmIdentifier,
-- encrypted ENCRYPTED-HASH{ToBeSigned}
-- }
-- ENCRYPTED-HASH{ToBeSigned} ::=
-- BIT STRING
-- (CONSTRAINED BY {
-- shall be the result of applying a hashing procedure to
-- the DER-encoded (see 4.1) octets of a value of
-- ToBeSigned and then applying an encipherment procedure
-- to those octets
-- })
--
--
-- 3. A more complex version, but one that automatically ties
-- together both the signature algorithm and the
-- signature value for automatic decoding.
--
SIGNED{ToBeSigned} ::= SEQUENCE {
toBeSigned ToBeSigned,
algorithmIdentifier SEQUENCE {
algorithm SIGNATURE-ALGORITHM.
&id({SignatureAlgorithms}),
parameters SIGNATURE-ALGORITHM.
&Params({SignatureAlgorithms}
{@algorithmIdentifier.algorithm}) OPTIONAL
},
signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
{SignatureAlgorithms}
{@algorithmIdentifier.algorithm}))
}
END
PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
AttributeSet{}, EXTENSION, ATTRIBUTE
FROM PKIX-CommonTypes-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
RelativeDistinguishedName, CertificateSerialNumber,
DirectoryString{}, SupportedAttributes
FROM PKIX1Explicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };
CertExtensions EXTENSION ::= {
ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
ext-KeyUsage | ext-PrivateKeyUsagePeriod |
ext-CertificatePolicies | ext-PolicyMappings |
ext-SubjectAltName | ext-IssuerAltName |
ext-SubjectDirectoryAttributes |
ext-BasicConstraints | ext-NameConstraints |
ext-PolicyConstraints | ext-ExtKeyUsage |
ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
ext-FreshestCRL | ext-AuthorityInfoAccess |
ext-SubjectInfoAccessSyntax, ... }
CrlExtensions EXTENSION ::= {
ext-AuthorityKeyIdentifier | ext-IssuerAltName |
ext-CRLNumber | ext-DeltaCRLIndicator |
ext-IssuingDistributionPoint | ext-FreshestCRL, ... }
CrlEntryExtensions EXTENSION ::= {
ext-CRLReason | ext-CertificateIssuer |
ext-HoldInstructionCode | ext-InvalidityDate, ... }
-- Shared arc for standard certificate and CRL extensions
id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 }
-- authority key identifier OID and syntax
ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
AuthorityKeyIdentifier IDENTIFIED BY
id-ce-authorityKeyIdentifier }
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
(WITH COMPONENTS {
...,
authorityCertIssuer PRESENT,
authorityCertSerialNumber PRESENT
} |
WITH COMPONENTS {
...,
authorityCertIssuer ABSENT,
authorityCertSerialNumber ABSENT
})
KeyIdentifier ::= OCTET STRING
-- subject key identifier OID and syntax
ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 }
-- key usage extension OID and syntax
ext-KeyUsage EXTENSION ::= { SYNTAX
KeyUsage IDENTIFIED BY id-ce-keyUsage }
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to
-- contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8)
}
-- private key usage period extension OID and syntax
ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 }
PrivateKeyUsagePeriod ::= SEQUENCE {
notBefore [0] GeneralizedTime OPTIONAL,
notAfter [1] GeneralizedTime OPTIONAL }
(WITH COMPONENTS {..., notBefore PRESENT } |
WITH COMPONENTS {..., notAfter PRESENT })
-- certificate policies extension OID and syntax
ext-CertificatePolicies EXTENSION ::= { SYNTAX
CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation ::= SEQUENCE {
policyIdentifier CertPolicyId,
policyQualifiers SEQUENCE SIZE (1..MAX) OF
PolicyQualifierInfo OPTIONAL }
CertPolicyId ::= OBJECT IDENTIFIER
CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER
PolicyQualifierInfo ::= SEQUENCE {
policyQualifierId CERT-POLICY-QUALIFIER.
&id({PolicyQualifierId}),
qualifier CERT-POLICY-QUALIFIER.
&Type({PolicyQualifierId}{@policyQualifierId})}
-- Implementations that recognize additional policy qualifiers MUST
-- augment the following definition for PolicyQualifierId
PolicyQualifierId CERT-POLICY-QUALIFIER ::=
{ pqid-cps | pqid-unotice, ... }
pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
IDENTIFIED BY id-qt-unotice }
-- CPS pointer qualifier
CPSuri ::= IA5String
-- user notice qualifier
UserNotice ::= SEQUENCE {
noticeRef NoticeReference OPTIONAL,
explicitText DisplayText OPTIONAL}
--
-- This is not made explicit in the text
--
-- {WITH COMPONENTS {..., noticeRef PRESENT} |
-- WITH COMPONENTS {..., DisplayText PRESENT }}
NoticeReference ::= SEQUENCE {
organization DisplayText,
noticeNumbers SEQUENCE OF INTEGER }
DisplayText ::= CHOICE {
ia5String IA5String (SIZE (1..200)),
visibleString VisibleString (SIZE (1..200)),
bmpString BMPString (SIZE (1..200)),
utf8String UTF8String (SIZE (1..200)) }
-- policy mapping extension OID and syntax
ext-PolicyMappings EXTENSION ::= { SYNTAX
PolicyMappings IDENTIFIED BY id-ce-policyMappings }
id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 }
PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
issuerDomainPolicy CertPolicyId,
subjectDomainPolicy CertPolicyId
}
-- subject alternative name extension OID and syntax
ext-SubjectAltName EXTENSION ::= { SYNTAX
GeneralNames IDENTIFIED BY id-ce-subjectAltName }
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER
}
-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
OTHER-NAME ::= TYPE-IDENTIFIER
EDIPartyName ::= SEQUENCE {
nameAssigner [0] DirectoryString {ubMax} OPTIONAL,
partyName [1] DirectoryString {ubMax}
}
-- issuer alternative name extension OID and syntax
ext-IssuerAltName EXTENSION ::= { SYNTAX
GeneralNames IDENTIFIED BY id-ce-issuerAltName }
id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 }
ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
SubjectDirectoryAttributes IDENTIFIED BY
id-ce-subjectDirectoryAttributes }
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 }
SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
AttributeSet{{SupportedAttributes}}
-- basic constraints extension OID and syntax
ext-BasicConstraints EXTENSION ::= { SYNTAX
BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL
}
-- name constraints extension OID and syntax
ext-NameConstraints EXTENSION ::= { SYNTAX
NameConstraints IDENTIFIED BY id-ce-nameConstraints }
id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
NameConstraints ::= SEQUENCE {
permittedSubtrees [0] GeneralSubtrees OPTIONAL,
excludedSubtrees [1] GeneralSubtrees OPTIONAL
}
--
-- This is a constraint in the issued certificates by CAs, but is
-- not a requirement on EEs.
--
-- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
-- WITH COMPONENTS { ..., excludedSubtrees PRESENT }}
GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL
}
BaseDistance ::= INTEGER (0..MAX)
-- policy constraints extension OID and syntax
ext-PolicyConstraints EXTENSION ::= { SYNTAX
PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 }
PolicyConstraints ::= SEQUENCE {
requireExplicitPolicy [0] SkipCerts OPTIONAL,
inhibitPolicyMapping [1] SkipCerts OPTIONAL }
--
-- This is a constraint in the issued certificates by CAs,
-- but is not a requirement for EEs
--
-- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
-- WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})
SkipCerts ::= INTEGER (0..MAX)
-- CRL distribution points extension OID and syntax
ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
reasons [1] ReasonFlags OPTIONAL,
cRLIssuer [2] GeneralNames OPTIONAL
}
--
-- This is not a requirement in the text, but it seems as if it
-- should be
--
--(WITH COMPONENTS {..., distributionPoint PRESENT} |
-- WITH COMPONENTS {..., cRLIssuer PRESENT})
DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}
ReasonFlags ::= BIT STRING {
unused (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
privilegeWithdrawn (7),
aACompromise (8)
}
-- extended key usage extension OID and syntax
ext-ExtKeyUsage EXTENSION ::= { SYNTAX
ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER
-- permit unspecified key uses
anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
-- extended key purpose OIDs
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
-- inhibit any policy OID and syntax
ext-InhibitAnyPolicy EXTENSION ::= {SYNTAX
SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 }
-- freshest (delta)CRL extension OID and syntax
ext-FreshestCRL EXTENSION ::= {SYNTAX
CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 }
-- authority info access
ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
AuthorityInfoAccessSyntax IDENTIFIED BY
id-pe-authorityInfoAccess }
id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
AuthorityInfoAccessSyntax ::=
SEQUENCE SIZE (1..MAX) OF AccessDescription
AccessDescription ::= SEQUENCE {
accessMethod OBJECT IDENTIFIER,
accessLocation GeneralName }
-- subject info access
ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
SubjectInfoAccessSyntax ::=
SEQUENCE SIZE (1..MAX) OF AccessDescription
-- CRL number extension OID and syntax
ext-CRLNumber EXTENSION ::= {SYNTAX
INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
CRLNumber ::= INTEGER (0..MAX)
-- issuing distribution point extension OID and syntax
ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
IssuingDistributionPoint IDENTIFIED BY
id-ce-issuingDistributionPoint }
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
IssuingDistributionPoint ::= SEQUENCE {
distributionPoint [0] DistributionPointName OPTIONAL,
onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
onlySomeReasons [3] ReasonFlags OPTIONAL,
indirectCRL [4] BOOLEAN DEFAULT FALSE,
onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
}
-- at most one of onlyContainsUserCerts, onlyContainsCACerts,
-- or onlyContainsAttributeCerts may be set to TRUE.
ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
-- CRL reasons extension OID and syntax
ext-CRLReason EXTENSION ::= { SYNTAX
CRLReason IDENTIFIED BY id-ce-cRLReasons }
id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10)
}
-- certificate issuer CRL entry extension OID and syntax
ext-CertificateIssuer EXTENSION ::= { SYNTAX
GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
-- hold instruction extension OID and syntax
ext-HoldInstructionCode EXTENSION ::= { SYNTAX
OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
-- ANSI x9 holdinstructions
holdInstruction OBJECT IDENTIFIER ::=
{joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
id-holdinstruction-none OBJECT IDENTIFIER ::=
{holdInstruction 1} -- deprecated
id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
{holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::=
{holdInstruction 3}
-- invalidity date CRL entry extension OID and syntax
ext-InvalidityDate EXTENSION ::= { SYNTAX
GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
-- Upper bounds
ubMax INTEGER ::= 32768
END
--
-- This module is used to isolate all the X.400 naming information.
-- There is no reason to expect this to occur in a PKIX certificate.
--
PKIX-X400Address-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- X.400 address syntax starts here
ORAddress ::= SEQUENCE {
built-in-standard-attributes BuiltInStandardAttributes,
built-in-domain-defined-attributes
BuiltInDomainDefinedAttributes OPTIONAL,
-- see also teletex-domain-defined-attributes
extension-attributes ExtensionAttributes OPTIONAL }
-- Built-in Standard Attributes
BuiltInStandardAttributes ::= SEQUENCE {
country-name CountryName OPTIONAL,
administration-domain-name AdministrationDomainName OPTIONAL,
network-address [0] IMPLICIT NetworkAddress OPTIONAL,
-- see also extended-network-address
terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL,
private-domain-name [2] PrivateDomainName OPTIONAL,
organization-name [3] IMPLICIT OrganizationName OPTIONAL,
-- see also teletex-organization-name
numeric-user-identifier [4] IMPLICIT NumericUserIdentifier
OPTIONAL,
personal-name [5] IMPLICIT PersonalName OPTIONAL,
-- see also teletex-personal-name
organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
OPTIONAL }
-- see also teletex-organizational-unit-names
CountryName ::= [APPLICATION 1] CHOICE {
x121-dcc-code NumericString
(SIZE (ub-country-name-numeric-length)),
iso-3166-alpha2-code PrintableString
(SIZE (ub-country-name-alpha-length)) }
AdministrationDomainName ::= [APPLICATION 2] CHOICE {
numeric NumericString (SIZE (0..ub-domain-name-length)),
printable PrintableString (SIZE (0..ub-domain-name-length)) }
NetworkAddress ::= X121Address -- see also extended-network-address
X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
TerminalIdentifier ::= PrintableString (SIZE
(1..ub-terminal-id-length))
PrivateDomainName ::= CHOICE {
numeric NumericString (SIZE (1..ub-domain-name-length)),
printable PrintableString (SIZE (1..ub-domain-name-length)) }
OrganizationName ::= PrintableString
(SIZE (1..ub-organization-name-length))
-- see also teletex-organization-name
NumericUserIdentifier ::= NumericString
(SIZE (1..ub-numeric-user-id-length))
PersonalName ::= SET {
surname [0] IMPLICIT PrintableString
(SIZE (1..ub-surname-length)),
given-name [1] IMPLICIT PrintableString
(SIZE (1..ub-given-name-length)) OPTIONAL,
initials [2] IMPLICIT PrintableString
(SIZE (1..ub-initials-length)) OPTIONAL,
generation-qualifier [3] IMPLICIT PrintableString
(SIZE (1..ub-generation-qualifier-length))
OPTIONAL }
-- see also teletex-personal-name
OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
OF OrganizationalUnitName
-- see also teletex-organizational-unit-names
OrganizationalUnitName ::= PrintableString (SIZE
(1..ub-organizational-unit-name-length))
-- Built-in Domain-defined Attributes
BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
(1..ub-domain-defined-attributes) OF
BuiltInDomainDefinedAttribute
BuiltInDomainDefinedAttribute ::= SEQUENCE {
type PrintableString (SIZE
(1..ub-domain-defined-attribute-type-length)),
value PrintableString (SIZE
(1..ub-domain-defined-attribute-value-length)) }
-- Extension Attributes
ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
ExtensionAttribute
EXTENSION-ATTRIBUTE ::= CLASS {
&id INTEGER (0..ub-extension-attributes) UNIQUE,
&Type
} WITH SYNTAX { &Type IDENTIFIED BY &id }
ExtensionAttribute ::= SEQUENCE {
extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE.
&id({SupportedExtensionAttributes}),
extension-attribute-value [1] EXTENSION-ATTRIBUTE.
&Type({SupportedExtensionAttributes}
{@extension-attribute-type})}
SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= {
ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName
| ea-teletexPersonalName | ea-teletexOrganizationalUnitNames |
ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode |
ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber |
ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName
| ea-physicalDeliveryOrganizationName |
ea-extensionPhysicalDeliveryAddressComponents |
ea-unformattedPostalAddress | ea-streetAddress |
ea-postOfficeBoxAddress | ea-posteRestanteAddress |
ea-uniquePostalName | ea-localPostalAttributes |
ea-extendedNetworkAddress | ea-terminalType |
ea-teletexDomainDefinedAttributes, ... }
-- Extension types and attribute values
ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString
(SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 }
ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString
(SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 }
ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString
(SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 }
ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET {
surname [0] IMPLICIT TeletexString
(SIZE (1..ub-surname-length)),
given-name [1] IMPLICIT TeletexString
(SIZE (1..ub-given-name-length)) OPTIONAL,
initials [2] IMPLICIT TeletexString
(SIZE (1..ub-initials-length)) OPTIONAL,
generation-qualifier [3] IMPLICIT TeletexString
(SIZE (1..ub-generation-qualifier-length))
OPTIONAL } IDENTIFIED BY 4 }
ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::=
{ SEQUENCE SIZE (1..ub-organizational-units) OF
TeletexOrganizationalUnitName IDENTIFIED BY 5 }
TeletexOrganizationalUnitName ::= TeletexString
(SIZE (1..ub-organizational-unit-name-length))
ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString
(SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 }
ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE {
x121-dcc-code NumericString (SIZE
(ub-country-name-numeric-length)),
iso-3166-alpha2-code PrintableString
(SIZE (ub-country-name-alpha-length)) }
IDENTIFIED BY 8 }
ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE {
numeric-code NumericString (SIZE (1..ub-postal-code-length)),
printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
IDENTIFIED BY 9 }
ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::=
{ PDSParameter IDENTIFIED BY 10 }
ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 11 }
ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 12 }
ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 13}
ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 14 }
ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 15 }
ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET {
printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
OF PrintableString (SIZE (1..ub-pds-parameter-length))
OPTIONAL,
teletex-string TeletexString
(SIZE (1..ub-unformatted-address-length)) OPTIONAL }
IDENTIFIED BY 16 }
ea-streetAddress EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 17 }
ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 18 }
ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 19 }
ea-uniquePostalName EXTENSION-ATTRIBUTE ::=
{ PDSParameter IDENTIFIED BY 20 }
ea-localPostalAttributes EXTENSION-ATTRIBUTE ::=
{PDSParameter IDENTIFIED BY 21 }
PDSParameter ::= SET {
printable-string PrintableString
(SIZE(1..ub-pds-parameter-length)) OPTIONAL,
teletex-string TeletexString
(SIZE(1..ub-pds-parameter-length)) OPTIONAL }
ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {
CHOICE {
e163-4-address SEQUENCE {
number [0] IMPLICIT NumericString
(SIZE (1..ub-e163-4-number-length)),
sub-address [1] IMPLICIT NumericString
(SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL
},
psap-address [0] IMPLICIT PresentationAddress
} IDENTIFIED BY 22
}
PresentationAddress ::= SEQUENCE {
pSelector [0] EXPLICIT OCTET STRING OPTIONAL,
sSelector [1] EXPLICIT OCTET STRING OPTIONAL,
tSelector [2] EXPLICIT OCTET STRING OPTIONAL,
nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER {
telex (3),
teletex (4),
g3-facsimile (5),
g4-facsimile (6),
ia5-terminal (7),
videotex (8) } (0..ub-integer-options)
IDENTIFIED BY 23 }
-- Extension Domain-defined Attributes
ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::=
{ SEQUENCE SIZE (1..ub-domain-defined-attributes) OF
TeletexDomainDefinedAttribute IDENTIFIED BY 6 }
TeletexDomainDefinedAttribute ::= SEQUENCE {
type TeletexString
(SIZE (1..ub-domain-defined-attribute-type-length)),
value TeletexString
(SIZE (1..ub-domain-defined-attribute-value-length)) }
-- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds -- Upper Bounds ub-match INTEGER ::= 128 ub-common-name-length INTEGER ::= 64 ub-country-name-alpha-length INTEGER ::= 2 ub-country-name-numeric-length INTEGER ::= 3 ub-domain-defined-attributes INTEGER ::= 4 ub-domain-defined-attribute-type-length INTEGER ::= 8 ub-domain-defined-attribute-value-length INTEGER ::= 128 ub-domain-name-length INTEGER ::= 16 ub-extension-attributes INTEGER ::= 256 ub-e163-4-number-length INTEGER ::= 15 ub-e163-4-sub-address-length INTEGER ::= 40 ub-generation-qualifier-length INTEGER ::= 3 ub-given-name-length INTEGER ::= 16 ub-initials-length INTEGER ::= 5 ub-integer-options INTEGER ::= 256 ub-numeric-user-id-length INTEGER ::= 32 ub-organization-name-length INTEGER ::= 64 ub-organizational-unit-name-length INTEGER ::= 32 ub-organizational-units INTEGER ::= 4 ub-pds-name-length INTEGER ::= 16 ub-pds-parameter-length INTEGER ::= 30 ub-pds-physical-address-lines INTEGER ::= 6 ub-postal-code-length INTEGER ::= 16 ub-surname-length INTEGER ::= 40 ub-terminal-id-length INTEGER ::= 24 ub-unformatted-address-length INTEGER ::= 180 ub-x121-address-length INTEGER ::= 16 -- Note - upper bounds on string types, such as TeletexString, are -- measured in characters. Excepting PrintableString or IA5String, a -- significantly greater number of octets will be required to hold -- such a value. As a minimum, 16 octets or twice the specified -- upper bound, whichever is the larger, should be allowed for -- TeletexString. For UTF8String or UniversalString, at least four -- times the upper bound should be allowed. END15. Security Considerations
Even though all the RFCs in this document are security-related, the document itself does not have any security considerations. The ASN.1 modules keep the same bits-on-the-wire as the modules that they replace.
16. Normative References
[ASN1-2002] ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and X.683", ITU-T X.680, X.681, X.682, and X.683, 2002. [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999. [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request Syntax Specification Version 1.7", RFC 2986, November 2000. [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002. [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004. [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005. [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, September 2005. [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 4211, September 2005. [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. Polk, "Server-Based Certificate Validation Protocol (SCVP)", RFC 5055, December 2007. [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS (CMC)", RFC 5272, June 2008. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, March 2009. [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet Attribute Certificate Profile for Authorization", RFC 5755, January 2010. [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, June 2010.Authors' Addresses
Paul Hoffman VPN Consortium 127 Segre Place Santa Cruz, CA 95060 US Phone: 1-831-426-9827 EMail: paul.hoffman@vpnc.org Jim Schaad Soaring Hawk Consulting EMail: jimsch@exmsft.com