tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 5912

 
 
 

New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

Part 6 of 6, p. 91 to 117
Prev RFC Part

 


prevText      Top      Up      ToC       Page 91 
14.  ASN.1 Module for RFC 5280, Explicit and Implicit

   Note that many of the changes in this module are similar or the same
   as the changes made in more recent versions of X.509 itself.

  PKIX1Explicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-explicit-02(51)}
  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN

  IMPORTS

  Extensions{}, EXTENSION, ATTRIBUTE, SingleAttribute{}
  FROM PKIX-CommonTypes-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

Top      Up      ToC       Page 92 
  AlgorithmIdentifier{}, PUBLIC-KEY, SIGNATURE-ALGORITHM
  FROM AlgorithmInformation-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0)
      id-mod-algorithmInformation-02(58)}

  CertExtensions, CrlExtensions, CrlEntryExtensions
  FROM PKIX1Implicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
  SignatureAlgs, PublicKeys
  FROM PKIXAlgs-2009
      {iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 56}

  SignatureAlgs, PublicKeys
  FROM PKIX1-PSS-OAEP-Algorithms-2009
      {iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-rsa-pkalgs-02(54)}

  ORAddress
  FROM PKIX-X400Address-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60)};

  id-pkix  OBJECT IDENTIFIER  ::=
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7)}

  -- PKIX arcs

  id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
      -- arc for private certificate extensions
  id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
      -- arc for policy qualifier types
  id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
      -- arc for extended key purpose OIDs
  id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
      -- arc for access descriptors

  -- policyQualifierIds for Internet policy qualifiers

  id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
      -- OID for CPS qualifier
  id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
      -- OID for user notice qualifier

Top      Up      ToC       Page 93 
  -- access descriptor definitions

  id-ad-ocsp         OBJECT IDENTIFIER ::= { id-ad 1 }
  id-ad-caIssuers    OBJECT IDENTIFIER ::= { id-ad 2 }
  id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
  id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }

  -- attribute data types
  AttributeType           ::=  ATTRIBUTE.&id

  --  Replaced by SingleAttribute{}
  --
  -- AttributeTypeAndValue   ::=  SEQUENCE {
  --    type    ATTRIBUTE.&id({SupportedAttributes}),
  --    value   ATTRIBUTE.&Type({SupportedAttributes}{@type}) }
  --

  -- Suggested naming attributes: Definition of the following
  --   information object set may be augmented to meet local
  --   requirements.  Note that deleting members of the set may
  --   prevent interoperability with conforming implementations.
  -- All attributes are presented in pairs: the AttributeType
  --   followed by the type definition for the corresponding
  --   AttributeValue.

  -- Arc for standard naming attributes

  id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }

  -- Naming attributes of type X520name

  id-at-name              AttributeType ::= { id-at 41 }
  at-name ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-name }

  id-at-surname           AttributeType ::= { id-at 4 }
  at-surname ATTRIBUTE ::= { TYPE X520name IDENTIFIED BY id-at-surname }

  id-at-givenName         AttributeType ::= { id-at 42 }
  at-givenName ATTRIBUTE ::=
      { TYPE X520name IDENTIFIED BY id-at-givenName }

  id-at-initials          AttributeType ::= { id-at 43 }
  at-initials ATTRIBUTE ::=
      { TYPE X520name IDENTIFIED BY id-at-initials }

  id-at-generationQualifier AttributeType ::= { id-at 44 }
  at-generationQualifier ATTRIBUTE ::=
      { TYPE X520name IDENTIFIED BY id-at-generationQualifier }

Top      Up      ToC       Page 94 
  -- Directory string type --

  DirectoryString{INTEGER:maxSize} ::= CHOICE {
      teletexString    TeletexString(SIZE (1..maxSize)),
      printableString  PrintableString(SIZE (1..maxSize)),
      bmpString        BMPString(SIZE (1..maxSize)),
      universalString  UniversalString(SIZE (1..maxSize)),
      uTF8String       UTF8String(SIZE (1..maxSize))
  }

  X520name ::= DirectoryString {ub-name}

  -- Naming attributes of type X520CommonName

  id-at-commonName        AttributeType ::= { id-at 3 }

  at-x520CommonName ATTRIBUTE ::=
      {TYPE X520CommonName IDENTIFIED BY id-at-commonName }

  X520CommonName ::= DirectoryString {ub-common-name}

  -- Naming attributes of type X520LocalityName

  id-at-localityName      AttributeType ::= { id-at 7 }

  at-x520LocalityName ATTRIBUTE ::=
      { TYPE X520LocalityName IDENTIFIED BY id-at-localityName }
  X520LocalityName ::= DirectoryString {ub-locality-name}

  -- Naming attributes of type X520StateOrProvinceName

  id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

  at-x520StateOrProvinceName ATTRIBUTE ::=
      { TYPE DirectoryString {ub-state-name}
          IDENTIFIED BY id-at-stateOrProvinceName }
  X520StateOrProvinceName ::= DirectoryString {ub-state-name}

  -- Naming attributes of type X520OrganizationName

  id-at-organizationName  AttributeType ::= { id-at 10 }

  at-x520OrganizationName ATTRIBUTE ::=
      { TYPE DirectoryString {ub-organization-name}
          IDENTIFIED BY id-at-organizationName }
  X520OrganizationName ::= DirectoryString {ub-organization-name}

  -- Naming attributes of type X520OrganizationalUnitName

Top      Up      ToC       Page 95 
  id-at-organizationalUnitName AttributeType ::= { id-at 11 }

  at-x520OrganizationalUnitName ATTRIBUTE ::=
      { TYPE DirectoryString  {ub-organizational-unit-name}
          IDENTIFIED BY id-at-organizationalUnitName }
  X520OrganizationalUnitName ::= DirectoryString
                                     {ub-organizational-unit-name}

  -- Naming attributes of type X520Title

  id-at-title             AttributeType ::= { id-at 12 }

  at-x520Title ATTRIBUTE ::= { TYPE DirectoryString { ub-title }
      IDENTIFIED BY id-at-title }

  -- Naming attributes of type X520dnQualifier

  id-at-dnQualifier       AttributeType ::= { id-at 46 }

  at-x520dnQualifier ATTRIBUTE ::= { TYPE PrintableString
      IDENTIFIED BY id-at-dnQualifier }

  -- Naming attributes of type X520countryName (digraph from IS 3166)

  id-at-countryName       AttributeType ::= { id-at 6 }

  at-x520countryName ATTRIBUTE ::=  { TYPE PrintableString (SIZE (2))
      IDENTIFIED BY id-at-countryName }

  -- Naming attributes of type X520SerialNumber

  id-at-serialNumber      AttributeType ::= { id-at 5 }

  at-x520SerialNumber ATTRIBUTE ::=  {TYPE PrintableString
      (SIZE (1..ub-serial-number)) IDENTIFIED BY id-at-serialNumber }

  -- Naming attributes of type X520Pseudonym

  id-at-pseudonym         AttributeType ::= { id-at 65 }

  at-x520Pseudonym ATTRIBUTE ::= { TYPE DirectoryString {ub-pseudonym}
      IDENTIFIED BY id-at-pseudonym }

  -- Naming attributes of type DomainComponent (from RFC 2247)

  id-domainComponent      AttributeType ::=
       { itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100)
       pilotAttributeType(1) 25 }

Top      Up      ToC       Page 96 
  at-domainComponent ATTRIBUTE ::= {TYPE IA5String
      IDENTIFIED BY id-domainComponent }

  -- Legacy attributes

  pkcs-9 OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
  id-emailAddress          AttributeType ::= { pkcs-9 1 }

  at-emailAddress ATTRIBUTE ::= {TYPE IA5String
      (SIZE (1..ub-emailaddress-length)) IDENTIFIED BY
      id-emailAddress }

  -- naming data types --

  Name ::= CHOICE { -- only one possibility for now --
      rdnSequence  RDNSequence }

  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

  DistinguishedName ::=   RDNSequence

  RelativeDistinguishedName  ::=
      SET SIZE (1 .. MAX) OF SingleAttribute { {SupportedAttributes} }

  --  These are the known name elements for a DN

  SupportedAttributes ATTRIBUTE ::= {
      at-name | at-surname | at-givenName | at-initials |
      at-generationQualifier | at-x520CommonName |
      at-x520LocalityName | at-x520StateOrProvinceName |
      at-x520OrganizationName | at-x520OrganizationalUnitName |
      at-x520Title | at-x520dnQualifier | at-x520countryName |
      at-x520SerialNumber | at-x520Pseudonym | at-domainComponent |
      at-emailAddress, ... }

  --
  -- Certificate- and CRL-specific structures begin here
  --

  Certificate  ::=  SIGNED{TBSCertificate}

  TBSCertificate  ::=  SEQUENCE  {
      version         [0]  Version DEFAULT v1,
      serialNumber         CertificateSerialNumber,
      signature            AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                                {SignatureAlgorithms}},
      issuer               Name,

Top      Up      ToC       Page 97 
      validity             Validity,
      subject              Name,
      subjectPublicKeyInfo SubjectPublicKeyInfo,
      ... ,
      [[2:               -- If present, version MUST be v2
      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL
      ]],
      [[3:               -- If present, version MUST be v3 --
      extensions      [3]  Extensions{{CertExtensions}} OPTIONAL
      ]], ... }

  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

  CertificateSerialNumber  ::=  INTEGER

  Validity ::= SEQUENCE {
      notBefore      Time,
      notAfter       Time  }

  Time ::= CHOICE {
      utcTime        UTCTime,
      generalTime    GeneralizedTime }

  UniqueIdentifier  ::=  BIT STRING

  SubjectPublicKeyInfo  ::=  SEQUENCE  {
      algorithm            AlgorithmIdentifier{PUBLIC-KEY,
                               {PublicKeyAlgorithms}},
      subjectPublicKey     BIT STRING  }

  -- CRL structures

  CertificateList  ::=  SIGNED{TBSCertList}

  TBSCertList  ::=  SEQUENCE  {
      version              Version OPTIONAL,
                                 -- if present, MUST be v2
      signature            AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                               {SignatureAlgorithms}},
      issuer               Name,
      thisUpdate           Time,
      nextUpdate           Time OPTIONAL,
      revokedCertificates  SEQUENCE SIZE (1..MAX) OF SEQUENCE {
          userCertificate  CertificateSerialNumber,
          revocationDate   Time,
          ... ,
          [[2:                  -- if present, version MUST be v2

Top      Up      ToC       Page 98 
          crlEntryExtensions  Extensions{{CrlEntryExtensions}}
                                  OPTIONAL
          ]], ...
      } OPTIONAL,
      ... ,
      [[2:                       -- if present, version MUST be v2
      crlExtensions       [0] Extensions{{CrlExtensions}}
                                  OPTIONAL
      ]], ... }

  -- Version, Time, CertificateSerialNumber, and Extensions were
  -- defined earlier for use in the certificate structure

  --
  --  The two object sets below should be expanded to include
  --  those algorithms which are supported by the system.
  --
  --  For example:
  --  SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
  --    PKIXAlgs-2008.SignatureAlgs, ...,
  --        - - RFC 3279 provides the base set
  --    PKIX1-PSS-OAEP-ALGORITHMS.SignatureAlgs |
  --        - - RFC 4055 provides extension algs
  --    OtherModule.SignatureAlgs
  --        - - RFC XXXX provides additional extension algs
  --  }

  SignatureAlgorithms SIGNATURE-ALGORITHM ::= {
      PKIXAlgs-2009.SignatureAlgs, ...,
      PKIX1-PSS-OAEP-Algorithms-2009.SignatureAlgs }

  PublicKeyAlgorithms PUBLIC-KEY ::= {
      PKIXAlgs-2009.PublicKeys, ...,
      PKIX1-PSS-OAEP-Algorithms-2009.PublicKeys}

  -- Upper Bounds

  ub-state-name INTEGER ::= 128
  ub-organization-name INTEGER ::= 64
  ub-organizational-unit-name INTEGER ::= 64
  ub-title INTEGER ::= 64
  ub-serial-number INTEGER ::= 64
  ub-pseudonym INTEGER ::= 128
  ub-emailaddress-length INTEGER ::= 255
  ub-locality-name INTEGER ::= 128
  ub-common-name INTEGER ::= 64
  ub-name INTEGER ::= 32768

Top      Up      ToC       Page 99 
  -- Note - upper bounds on string types, such as TeletexString, are
  -- measured in characters.  Excepting PrintableString or IA5String, a
  -- significantly greater number of octets will be required to hold
  -- such a value.  As a minimum, 16 octets or twice the specified
  -- upper bound, whichever is the larger, should be allowed for
  -- TeletexString.  For UTF8String or UniversalString, at least four
  -- times the upper bound should be allowed.

  -- Information object classes used in the definition
  -- of certificates and CRLs

  -- Parameterized Type SIGNED
  --
  -- Three different versions of doing SIGNED:
  --  1.  Simple and close to the previous version
  --
  --  SIGNED{ToBeSigned} ::= SEQUENCE {
  --    toBeSigned  ToBeSigned,
  --    algorithm   AlgorithmIdentifier{SIGNATURE-ALGORITHM,
  --                    {SignatureAlgorithms}},
  --    signature   BIT STRING
  --  }

  --  2.  From Authenticated Framework
  --
  --  SIGNED{ToBeSigned} ::= SEQUENCE {
  --    toBeSigned        ToBeSigned,
  --    COMPONENTS OF SIGNATURE{ToBeSigned}
  --  }
  --  SIGNATURE{ToBeSigned} ::= SEQUENCE {
  --    algorithmIdentifier   AlgorithmIdentifier,
  --    encrypted             ENCRYPTED-HASH{ToBeSigned}
  --  }
  --  ENCRYPTED-HASH{ToBeSigned} ::=
  --    BIT STRING
  --      (CONSTRAINED BY {
  --        shall be the result of applying a hashing procedure to
  --        the DER-encoded (see 4.1) octets of a value of
  --        ToBeSigned and then applying an encipherment procedure
  --        to those octets
  --      })
  --
  --
  --  3.  A more complex version, but one that automatically ties
  --      together both the signature algorithm and the
  --      signature value for automatic decoding.
  --
  SIGNED{ToBeSigned} ::= SEQUENCE {

Top      Up      ToC       Page 100 
     toBeSigned           ToBeSigned,
     algorithmIdentifier  SEQUENCE {
         algorithm        SIGNATURE-ALGORITHM.
                            &id({SignatureAlgorithms}),
         parameters       SIGNATURE-ALGORITHM.
                            &Params({SignatureAlgorithms}
                              {@algorithmIdentifier.algorithm}) OPTIONAL
     },
     signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
                              {SignatureAlgorithms}
                              {@algorithmIdentifier.algorithm}))
  }

  END


   PKIX1Implicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
   IMPORTS

   AttributeSet{}, EXTENSION, ATTRIBUTE
   FROM PKIX-CommonTypes-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

   id-pe, id-kp, id-qt-unotice, id-qt-cps, ORAddress, Name,
       RelativeDistinguishedName, CertificateSerialNumber,
       DirectoryString{}, SupportedAttributes
   FROM PKIX1Explicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) };

   CertExtensions EXTENSION ::= {
           ext-AuthorityKeyIdentifier | ext-SubjectKeyIdentifier |
           ext-KeyUsage | ext-PrivateKeyUsagePeriod |
           ext-CertificatePolicies | ext-PolicyMappings |
           ext-SubjectAltName | ext-IssuerAltName |
           ext-SubjectDirectoryAttributes |
           ext-BasicConstraints | ext-NameConstraints |
           ext-PolicyConstraints | ext-ExtKeyUsage |
           ext-CRLDistributionPoints | ext-InhibitAnyPolicy |
           ext-FreshestCRL | ext-AuthorityInfoAccess |
           ext-SubjectInfoAccessSyntax, ... }

   CrlExtensions EXTENSION ::= {

Top      Up      ToC       Page 101 
           ext-AuthorityKeyIdentifier | ext-IssuerAltName |
           ext-CRLNumber | ext-DeltaCRLIndicator |
           ext-IssuingDistributionPoint |  ext-FreshestCRL, ... }

   CrlEntryExtensions EXTENSION ::= {
           ext-CRLReason | ext-CertificateIssuer |
           ext-HoldInstructionCode | ext-InvalidityDate, ... }
   -- Shared arc for standard certificate and CRL extensions

   id-ce OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2) ds(5) 29 }

   -- authority key identifier OID and syntax

   ext-AuthorityKeyIdentifier EXTENSION ::= { SYNTAX
       AuthorityKeyIdentifier IDENTIFIED BY
       id-ce-authorityKeyIdentifier }
   id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }

   AuthorityKeyIdentifier ::= SEQUENCE {
       keyIdentifier             [0] KeyIdentifier            OPTIONAL,
       authorityCertIssuer       [1] GeneralNames             OPTIONAL,
       authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
   (WITH COMPONENTS {
      ...,
      authorityCertIssuer        PRESENT,
      authorityCertSerialNumber  PRESENT
    } |
    WITH COMPONENTS {
      ...,
      authorityCertIssuer        ABSENT,
      authorityCertSerialNumber  ABSENT
    })

   KeyIdentifier ::= OCTET STRING

   -- subject key identifier OID and syntax

   ext-SubjectKeyIdentifier EXTENSION ::= { SYNTAX
       KeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier }
   id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

   -- key usage extension OID and syntax

   ext-KeyUsage EXTENSION ::= { SYNTAX
       KeyUsage IDENTIFIED BY id-ce-keyUsage }
   id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

   KeyUsage ::= BIT STRING {

Top      Up      ToC       Page 102 
        digitalSignature        (0),
        nonRepudiation          (1), --  recent editions of X.509 have
                                     --  renamed this bit to
                                     --  contentCommitment
        keyEncipherment         (2),
        dataEncipherment        (3),
        keyAgreement            (4),
        keyCertSign             (5),
        cRLSign                 (6),
        encipherOnly            (7),
        decipherOnly            (8)
    }

   -- private key usage period extension OID and syntax

   ext-PrivateKeyUsagePeriod EXTENSION ::= { SYNTAX
       PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod }
   id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

   PrivateKeyUsagePeriod ::= SEQUENCE {
        notBefore       [0]     GeneralizedTime OPTIONAL,
        notAfter        [1]     GeneralizedTime OPTIONAL }
   (WITH COMPONENTS {..., notBefore  PRESENT } |
    WITH COMPONENTS {..., notAfter  PRESENT })

   -- certificate policies extension OID and syntax

   ext-CertificatePolicies EXTENSION ::= { SYNTAX
       CertificatePolicies IDENTIFIED BY id-ce-certificatePolicies}
   id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

   CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   CERT-POLICY-QUALIFIER ::= TYPE-IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
          policyQualifierId  CERT-POLICY-QUALIFIER.
               &id({PolicyQualifierId}),
          qualifier          CERT-POLICY-QUALIFIER.
               &Type({PolicyQualifierId}{@policyQualifierId})}

Top      Up      ToC       Page 103 
   -- Implementations that recognize additional policy qualifiers MUST
   -- augment the following definition for PolicyQualifierId

   PolicyQualifierId CERT-POLICY-QUALIFIER ::=
       { pqid-cps | pqid-unotice, ... }

   pqid-cps CERT-POLICY-QUALIFIER ::= { CPSuri IDENTIFIED BY id-qt-cps }
   pqid-unotice CERT-POLICY-QUALIFIER ::= { UserNotice
       IDENTIFIED BY id-qt-unotice }

   -- CPS pointer qualifier

   CPSuri ::= IA5String

   -- user notice qualifier

   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   --
   --  This is not made explicit in the text
   --
   -- {WITH COMPONENTS {..., noticeRef PRESENT} |
   --  WITH COMPONENTS {..., DisplayText PRESENT }}

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   DisplayText ::= CHOICE {
        ia5String        IA5String      (SIZE (1..200)),
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }

   -- policy mapping extension OID and syntax

   ext-PolicyMappings EXTENSION ::= { SYNTAX
       PolicyMappings IDENTIFIED BY id-ce-policyMappings }
   id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

   PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
       issuerDomainPolicy      CertPolicyId,
       subjectDomainPolicy     CertPolicyId
   }

   -- subject alternative name extension OID and syntax

Top      Up      ToC       Page 104 
   ext-SubjectAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-subjectAltName }
   id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                   [0]  INSTANCE OF OTHER-NAME,
        rfc822Name                  [1]  IA5String,
        dNSName                     [2]  IA5String,
        x400Address                 [3]  ORAddress,
        directoryName               [4]  Name,
        ediPartyName                [5]  EDIPartyName,
        uniformResourceIdentifier   [6]  IA5String,
        iPAddress                   [7]  OCTET STRING,
        registeredID                [8]  OBJECT IDENTIFIER
   }

   -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
   -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

   OTHER-NAME ::= TYPE-IDENTIFIER

   EDIPartyName ::= SEQUENCE {
       nameAssigner    [0] DirectoryString {ubMax} OPTIONAL,
       partyName       [1] DirectoryString {ubMax}
   }

   -- issuer alternative name extension OID and syntax

   ext-IssuerAltName EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-issuerAltName }
   id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

   ext-SubjectDirectoryAttributes EXTENSION ::= { SYNTAX
       SubjectDirectoryAttributes IDENTIFIED BY
       id-ce-subjectDirectoryAttributes }
   id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

   SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF
       AttributeSet{{SupportedAttributes}}

   -- basic constraints extension OID and syntax

   ext-BasicConstraints EXTENSION ::= { SYNTAX
       BasicConstraints IDENTIFIED BY id-ce-basicConstraints }
   id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

Top      Up      ToC       Page 105 
   BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL
   }

   -- name constraints extension OID and syntax
   ext-NameConstraints EXTENSION ::= { SYNTAX
       NameConstraints IDENTIFIED BY id-ce-nameConstraints }
   id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

   NameConstraints ::= SEQUENCE {
        permittedSubtrees       [0] GeneralSubtrees OPTIONAL,
        excludedSubtrees        [1] GeneralSubtrees OPTIONAL
   }
   --
   --  This is a constraint in the issued certificates by CAs, but is
   --  not a requirement on EEs.
   --
   -- (WITH COMPONENTS { ..., permittedSubtrees PRESENT} |
   --  WITH COMPONENTS { ..., excludedSubtrees PRESENT }}

   GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

   GeneralSubtree ::= SEQUENCE {
        base                GeneralName,
        minimum         [0] BaseDistance DEFAULT 0,
        maximum         [1] BaseDistance OPTIONAL
   }

   BaseDistance ::= INTEGER (0..MAX)

   -- policy constraints extension OID and syntax

   ext-PolicyConstraints EXTENSION ::= { SYNTAX
       PolicyConstraints IDENTIFIED BY id-ce-policyConstraints }
   id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

   PolicyConstraints ::= SEQUENCE {
        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
   --
   --  This is a constraint in the issued certificates by CAs,
   --  but is not a requirement for EEs
   --
   -- (WITH COMPONENTS { ..., requireExplicitPolicy PRESENT} |
   --  WITH COMPONENTS { ..., inhibitPolicyMapping PRESENT})

   SkipCerts ::= INTEGER (0..MAX)

Top      Up      ToC       Page 106 
   -- CRL distribution points extension OID and syntax

   ext-CRLDistributionPoints EXTENSION ::= { SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-cRLDistributionPoints}
   id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0] DistributionPointName OPTIONAL,
        reasons                 [1] ReasonFlags OPTIONAL,
        cRLIssuer               [2] GeneralNames OPTIONAL
   }
   --
   --  This is not a requirement in the text, but it seems as if it
   --      should be
   --
   --(WITH COMPONENTS {..., distributionPoint PRESENT} |
   -- WITH COMPONENTS {..., cRLIssuer PRESENT})

   DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName
   }

   ReasonFlags ::= BIT STRING {
        unused                  (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        privilegeWithdrawn      (7),
        aACompromise            (8)
    }

   -- extended key usage extension OID and syntax

   ext-ExtKeyUsage EXTENSION ::= { SYNTAX
       ExtKeyUsageSyntax IDENTIFIED BY id-ce-extKeyUsage }
   id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

   KeyPurposeId ::= OBJECT IDENTIFIER

   -- permit unspecified key uses

Top      Up      ToC       Page 107 
   anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

   -- extended key purpose OIDs

   id-kp-serverAuth       OBJECT IDENTIFIER ::= { id-kp 1 }
   id-kp-clientAuth       OBJECT IDENTIFIER ::= { id-kp 2 }
   id-kp-codeSigning      OBJECT IDENTIFIER ::= { id-kp 3 }
   id-kp-emailProtection  OBJECT IDENTIFIER ::= { id-kp 4 }
   id-kp-timeStamping     OBJECT IDENTIFIER ::= { id-kp 8 }
   id-kp-OCSPSigning      OBJECT IDENTIFIER ::= { id-kp 9 }

   -- inhibit any policy OID and syntax

   ext-InhibitAnyPolicy EXTENSION  ::= {SYNTAX
       SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy }
   id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }

   -- freshest (delta)CRL extension OID and syntax

   ext-FreshestCRL EXTENSION ::= {SYNTAX
       CRLDistributionPoints IDENTIFIED BY id-ce-freshestCRL }
   id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

   -- authority info access

   ext-AuthorityInfoAccess EXTENSION ::= { SYNTAX
       AuthorityInfoAccessSyntax IDENTIFIED BY
       id-pe-authorityInfoAccess }
   id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

   AuthorityInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   AccessDescription  ::=  SEQUENCE {
           accessMethod          OBJECT IDENTIFIER,
           accessLocation        GeneralName  }

   -- subject info access

   ext-SubjectInfoAccessSyntax EXTENSION ::= { SYNTAX
       SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
   id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }

   SubjectInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   -- CRL number extension OID and syntax

Top      Up      ToC       Page 108 
   ext-CRLNumber EXTENSION ::= {SYNTAX
       INTEGER (0..MAX) IDENTIFIED BY id-ce-cRLNumber }
   id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

   CRLNumber ::= INTEGER (0..MAX)
   -- issuing distribution point extension OID and syntax

   ext-IssuingDistributionPoint EXTENSION ::= { SYNTAX
       IssuingDistributionPoint IDENTIFIED BY
       id-ce-issuingDistributionPoint }
   id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

   IssuingDistributionPoint ::= SEQUENCE {
        distributionPoint          [0] DistributionPointName OPTIONAL,
        onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
        onlySomeReasons            [3] ReasonFlags OPTIONAL,
        indirectCRL                [4] BOOLEAN DEFAULT FALSE,
        onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE
   }
           -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
           -- or onlyContainsAttributeCerts may be set to TRUE.

   ext-DeltaCRLIndicator EXTENSION ::= { SYNTAX
       CRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator }
   id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

   -- CRL reasons extension OID and syntax

   ext-CRLReason EXTENSION ::= { SYNTAX
       CRLReason IDENTIFIED BY id-ce-cRLReasons }
   id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

   CRLReason ::= ENUMERATED {
        unspecified             (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        removeFromCRL           (8),
        privilegeWithdrawn      (9),
        aACompromise           (10)
   }

   -- certificate issuer CRL entry extension OID and syntax

Top      Up      ToC       Page 109 
   ext-CertificateIssuer EXTENSION ::= { SYNTAX
       GeneralNames IDENTIFIED BY id-ce-certificateIssuer }
   id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

   -- hold instruction extension OID and syntax
   ext-HoldInstructionCode EXTENSION ::= { SYNTAX
       OBJECT IDENTIFIER IDENTIFIED BY id-ce-holdInstructionCode }
   id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

   -- ANSI x9 holdinstructions

   holdInstruction OBJECT IDENTIFIER ::=
             {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}
   id-holdinstruction-none OBJECT IDENTIFIER  ::=
                   {holdInstruction 1} -- deprecated
   id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                   {holdInstruction 2}
   id-holdinstruction-reject OBJECT IDENTIFIER ::=
                   {holdInstruction 3}

   -- invalidity date CRL entry extension OID and syntax

   ext-InvalidityDate EXTENSION  ::=  { SYNTAX
       GeneralizedTime IDENTIFIED BY id-ce-invalidityDate }
   id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
   -- Upper bounds
   ubMax INTEGER ::= 32768

   END


  --
  --  This module is used to isolate all the X.400 naming information.
  --  There is no reason to expect this to occur in a PKIX certificate.
  --

  PKIX-X400Address-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-x400address-02(60) }
  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN

  -- X.400 address syntax starts here

  ORAddress ::= SEQUENCE {
     built-in-standard-attributes BuiltInStandardAttributes,
     built-in-domain-defined-attributes
                     BuiltInDomainDefinedAttributes OPTIONAL,

Top      Up      ToC       Page 110 
     -- see also teletex-domain-defined-attributes
     extension-attributes ExtensionAttributes OPTIONAL }

  -- Built-in Standard Attributes

  BuiltInStandardAttributes ::= SEQUENCE {
     country-name                  CountryName OPTIONAL,
     administration-domain-name    AdministrationDomainName OPTIONAL,
     network-address           [0] IMPLICIT NetworkAddress OPTIONAL,
       -- see also extended-network-address
     terminal-identifier       [1] IMPLICIT TerminalIdentifier OPTIONAL,
     private-domain-name       [2] PrivateDomainName OPTIONAL,
     organization-name         [3] IMPLICIT OrganizationName OPTIONAL,
       -- see also teletex-organization-name
     numeric-user-identifier   [4] IMPLICIT NumericUserIdentifier
                                   OPTIONAL,
     personal-name             [5] IMPLICIT PersonalName OPTIONAL,
       -- see also teletex-personal-name
     organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
                                   OPTIONAL }
       -- see also teletex-organizational-unit-names

  CountryName ::= [APPLICATION 1] CHOICE {
     x121-dcc-code         NumericString
                             (SIZE (ub-country-name-numeric-length)),
     iso-3166-alpha2-code  PrintableString
                             (SIZE (ub-country-name-alpha-length)) }

  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
     numeric   NumericString   (SIZE (0..ub-domain-name-length)),
     printable PrintableString (SIZE (0..ub-domain-name-length)) }

  NetworkAddress ::= X121Address  -- see also extended-network-address

  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

  TerminalIdentifier ::= PrintableString (SIZE
  (1..ub-terminal-id-length))

  PrivateDomainName ::= CHOICE {
     numeric   NumericString   (SIZE (1..ub-domain-name-length)),
     printable PrintableString (SIZE (1..ub-domain-name-length)) }

  OrganizationName ::= PrintableString
                              (SIZE (1..ub-organization-name-length))
    -- see also teletex-organization-name

  NumericUserIdentifier ::= NumericString

Top      Up      ToC       Page 111 
                              (SIZE (1..ub-numeric-user-id-length))

  PersonalName ::= SET {
     surname     [0] IMPLICIT PrintableString
                      (SIZE (1..ub-surname-length)),
     given-name  [1] IMPLICIT PrintableString
                      (SIZE (1..ub-given-name-length)) OPTIONAL,
     initials    [2] IMPLICIT PrintableString
                      (SIZE (1..ub-initials-length)) OPTIONAL,
     generation-qualifier [3] IMPLICIT PrintableString
                      (SIZE (1..ub-generation-qualifier-length))
                      OPTIONAL }
    -- see also teletex-personal-name

  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
                               OF OrganizationalUnitName
    -- see also teletex-organizational-unit-names

  OrganizationalUnitName ::= PrintableString (SIZE
                      (1..ub-organizational-unit-name-length))

  -- Built-in Domain-defined Attributes

  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
                      (1..ub-domain-defined-attributes) OF
                      BuiltInDomainDefinedAttribute

  BuiltInDomainDefinedAttribute ::= SEQUENCE {
     type PrintableString (SIZE
                     (1..ub-domain-defined-attribute-type-length)),
     value PrintableString (SIZE
                     (1..ub-domain-defined-attribute-value-length)) }

  -- Extension Attributes

  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
                 ExtensionAttribute

  EXTENSION-ATTRIBUTE ::= CLASS {
      &id             INTEGER (0..ub-extension-attributes) UNIQUE,
      &Type
  } WITH SYNTAX { &Type IDENTIFIED BY &id }

  ExtensionAttribute ::=  SEQUENCE {
     extension-attribute-type [0] IMPLICIT EXTENSION-ATTRIBUTE.
          &id({SupportedExtensionAttributes}),
     extension-attribute-value [1] EXTENSION-ATTRIBUTE.
          &Type({SupportedExtensionAttributes}

Top      Up      ToC       Page 112 
              {@extension-attribute-type})}

  SupportedExtensionAttributes EXTENSION-ATTRIBUTE ::= {
      ea-commonName | ea-teletexCommonName | ea-teletexOrganizationName
      | ea-teletexPersonalName | ea-teletexOrganizationalUnitNames |
      ea-pDSName | ea-physicalDeliveryCountryName | ea-postalCode |
      ea-physicalDeliveryOfficeName | ea-physicalDeliveryOfficeNumber |
      ea-extensionORAddressComponents | ea-physicalDeliveryPersonalName
      | ea-physicalDeliveryOrganizationName |
      ea-extensionPhysicalDeliveryAddressComponents |
      ea-unformattedPostalAddress | ea-streetAddress |
      ea-postOfficeBoxAddress | ea-posteRestanteAddress |
      ea-uniquePostalName | ea-localPostalAttributes |
      ea-extendedNetworkAddress | ea-terminalType |
      ea-teletexDomainDefinedAttributes, ... }

  -- Extension types and attribute values

  ea-commonName EXTENSION-ATTRIBUTE ::= { PrintableString
      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 1 }

  ea-teletexCommonName EXTENSION-ATTRIBUTE ::= {TeletexString
      (SIZE (1..ub-common-name-length)) IDENTIFIED BY 2 }

  ea-teletexOrganizationName EXTENSION-ATTRIBUTE::= { TeletexString
      (SIZE (1..ub-organization-name-length)) IDENTIFIED BY 3 }

  ea-teletexPersonalName EXTENSION-ATTRIBUTE ::= {SET {
     surname     [0] IMPLICIT TeletexString
                      (SIZE (1..ub-surname-length)),
     given-name  [1] IMPLICIT TeletexString
                      (SIZE (1..ub-given-name-length)) OPTIONAL,
     initials    [2] IMPLICIT TeletexString
                      (SIZE (1..ub-initials-length)) OPTIONAL,
     generation-qualifier [3] IMPLICIT TeletexString
                      (SIZE (1..ub-generation-qualifier-length))
                      OPTIONAL } IDENTIFIED BY 4 }

  ea-teletexOrganizationalUnitNames EXTENSION-ATTRIBUTE ::=
      { SEQUENCE SIZE (1..ub-organizational-units) OF
            TeletexOrganizationalUnitName IDENTIFIED BY 5 }

  TeletexOrganizationalUnitName ::= TeletexString
      (SIZE (1..ub-organizational-unit-name-length))

  ea-pDSName EXTENSION-ATTRIBUTE ::= {PrintableString
      (SIZE (1..ub-pds-name-length)) IDENTIFIED BY 7 }

Top      Up      ToC       Page 113 
  ea-physicalDeliveryCountryName EXTENSION-ATTRIBUTE ::= { CHOICE {
       x121-dcc-code NumericString (SIZE
          (ub-country-name-numeric-length)),
       iso-3166-alpha2-code PrintableString
          (SIZE (ub-country-name-alpha-length)) }
       IDENTIFIED BY 8 }

  ea-postalCode EXTENSION-ATTRIBUTE ::= { CHOICE {
     numeric-code NumericString (SIZE (1..ub-postal-code-length)),
     printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
     IDENTIFIED BY 9 }

  ea-physicalDeliveryOfficeName EXTENSION-ATTRIBUTE ::=
      { PDSParameter IDENTIFIED BY 10 }

  ea-physicalDeliveryOfficeNumber EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 11 }

  ea-extensionORAddressComponents EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 12 }

  ea-physicalDeliveryPersonalName EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 13}

  ea-physicalDeliveryOrganizationName EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 14 }

  ea-extensionPhysicalDeliveryAddressComponents EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 15 }

  ea-unformattedPostalAddress EXTENSION-ATTRIBUTE ::= { SET {
     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
           OF PrintableString (SIZE (1..ub-pds-parameter-length))
           OPTIONAL,
     teletex-string TeletexString
           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
     IDENTIFIED BY 16 }

  ea-streetAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 17 }

  ea-postOfficeBoxAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 18 }

  ea-posteRestanteAddress EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 19 }

  ea-uniquePostalName EXTENSION-ATTRIBUTE ::=

Top      Up      ToC       Page 114 
      { PDSParameter IDENTIFIED BY 20 }

  ea-localPostalAttributes EXTENSION-ATTRIBUTE ::=
      {PDSParameter IDENTIFIED BY 21 }
  PDSParameter ::= SET {
     printable-string PrintableString
                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
     teletex-string TeletexString
                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

  ea-extendedNetworkAddress EXTENSION-ATTRIBUTE ::= {
     CHOICE {
         e163-4-address SEQUENCE {
             number      [0] IMPLICIT NumericString
                   (SIZE (1..ub-e163-4-number-length)),
             sub-address [1] IMPLICIT NumericString
                   (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL
         },
         psap-address [0] IMPLICIT PresentationAddress
     } IDENTIFIED BY 22
  }

  PresentationAddress ::= SEQUENCE {
      pSelector     [0] EXPLICIT OCTET STRING OPTIONAL,
      sSelector     [1] EXPLICIT OCTET STRING OPTIONAL,
      tSelector     [2] EXPLICIT OCTET STRING OPTIONAL,
      nAddresses    [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

  ea-terminalType EXTENSION-ATTRIBUTE ::= {INTEGER {
     telex (3),
     teletex (4),
     g3-facsimile (5),
     g4-facsimile (6),
     ia5-terminal (7),
     videotex (8) } (0..ub-integer-options)
     IDENTIFIED BY 23 }

  -- Extension Domain-defined Attributes

  ea-teletexDomainDefinedAttributes EXTENSION-ATTRIBUTE ::=
      { SEQUENCE SIZE (1..ub-domain-defined-attributes) OF
           TeletexDomainDefinedAttribute IDENTIFIED BY 6 }

  TeletexDomainDefinedAttribute ::= SEQUENCE {
      type TeletexString
          (SIZE (1..ub-domain-defined-attribute-type-length)),
      value TeletexString
          (SIZE (1..ub-domain-defined-attribute-value-length)) }

Top      Up      ToC       Page 115 
  --  specifications of Upper Bounds MUST be regarded as mandatory
  --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
  --  Upper Bounds
  -- Upper Bounds
  ub-match INTEGER ::= 128
  ub-common-name-length INTEGER ::= 64
  ub-country-name-alpha-length INTEGER ::= 2
  ub-country-name-numeric-length INTEGER ::= 3
  ub-domain-defined-attributes INTEGER ::= 4
  ub-domain-defined-attribute-type-length INTEGER ::= 8
  ub-domain-defined-attribute-value-length INTEGER ::= 128
  ub-domain-name-length INTEGER ::= 16
  ub-extension-attributes INTEGER ::= 256
  ub-e163-4-number-length INTEGER ::= 15
  ub-e163-4-sub-address-length INTEGER ::= 40
  ub-generation-qualifier-length INTEGER ::= 3
  ub-given-name-length INTEGER ::= 16
  ub-initials-length INTEGER ::= 5
  ub-integer-options INTEGER ::= 256
  ub-numeric-user-id-length INTEGER ::= 32
  ub-organization-name-length INTEGER ::= 64
  ub-organizational-unit-name-length INTEGER ::= 32
  ub-organizational-units INTEGER ::= 4
  ub-pds-name-length INTEGER ::= 16
  ub-pds-parameter-length INTEGER ::= 30
  ub-pds-physical-address-lines INTEGER ::= 6
  ub-postal-code-length INTEGER ::= 16
  ub-surname-length INTEGER ::= 40
  ub-terminal-id-length INTEGER ::= 24
  ub-unformatted-address-length INTEGER ::= 180
  ub-x121-address-length INTEGER ::= 16

  -- Note - upper bounds on string types, such as TeletexString, are
  -- measured in characters.  Excepting PrintableString or IA5String, a
  -- significantly greater number of octets will be required to hold
  -- such a value.  As a minimum, 16 octets or twice the specified
  -- upper bound, whichever is the larger, should be allowed for
  -- TeletexString.  For UTF8String or UniversalString, at least four
  -- times the upper bound should be allowed.

  END

15.  Security Considerations

   Even though all the RFCs in this document are security-related, the
   document itself does not have any security considerations.  The ASN.1
   modules keep the same bits-on-the-wire as the modules that they
   replace.

Top      Up      ToC       Page 116 
16.  Normative References

   [ASN1-2002]  ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
                X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.

   [RFC2560]    Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
                Adams, "X.509 Internet Public Key Infrastructure Online
                Certificate Status Protocol - OCSP", RFC 2560,
                June 1999.

   [RFC2986]    Nystrom, M. and B. Kaliski, "PKCS #10: Certification
                Request Syntax Specification Version 1.7", RFC 2986,
                November 2000.

   [RFC3279]    Bassham, L., Polk, W., and R. Housley, "Algorithms and
                Identifiers for the Internet X.509 Public Key
                Infrastructure Certificate and Certificate Revocation
                List (CRL) Profile", RFC 3279, April 2002.

   [RFC3852]    Housley, R., "Cryptographic Message Syntax (CMS)",
                RFC 3852, July 2004.

   [RFC4055]    Schaad, J., Kaliski, B., and R. Housley, "Additional
                Algorithms and Identifiers for RSA Cryptography for use
                in the Internet X.509 Public Key Infrastructure
                Certificate and Certificate Revocation List (CRL)
                Profile", RFC 4055, June 2005.

   [RFC4210]    Adams, C., Farrell, S., Kause, T., and T. Mononen,
                "Internet X.509 Public Key Infrastructure Certificate
                Management Protocol (CMP)", RFC 4210, September 2005.

   [RFC4211]    Schaad, J., "Internet X.509 Public Key Infrastructure
                Certificate Request Message Format (CRMF)", RFC 4211,
                September 2005.

   [RFC5055]    Freeman, T., Housley, R., Malpani, A., Cooper, D., and
                W. Polk, "Server-Based Certificate Validation Protocol
                (SCVP)", RFC 5055, December 2007.

   [RFC5272]    Schaad, J. and M. Myers, "Certificate Management over
                CMS (CMC)", RFC 5272, June 2008.

   [RFC5280]    Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
                Housley, R., and W. Polk, "Internet X.509 Public Key
                Infrastructure Certificate and Certificate Revocation
                List (CRL) Profile", RFC 5280, May 2008.

Top      Up      ToC       Page 117 
   [RFC5480]    Turner, S., Brown, D., Yiu, K., Housley, R., and T.
                Polk, "Elliptic Curve Cryptography Subject Public Key
                Information", RFC 5480, March 2009.

   [RFC5755]    Farrell, S., Housley, R., and S. Turner, "An Internet
                Attribute Certificate Profile for Authorization",
                RFC 5755, January 2010.

   [RFC5911]    Hoffman, P. and J. Schaad, "New ASN.1 Modules for
                Cryptographic Message Syntax (CMS) and S/MIME",
                RFC 5911, June 2010.

Authors' Addresses

   Paul Hoffman
   VPN Consortium
   127 Segre Place
   Santa Cruz, CA  95060
   US

   Phone: 1-831-426-9827
   EMail: paul.hoffman@vpnc.org


   Jim Schaad
   Soaring Hawk Consulting

   EMail: jimsch@exmsft.com