tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 5912

 Errata 
Informational
Pages: 117
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: PKIX

New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

Part 1 of 6, p. 1 to 18
None       Next RFC Part

Updated by:    6960


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                        P. Hoffman
Request for Comments: 5912                                VPN Consortium
Category: Informational                                        J. Schaad
ISSN: 2070-1721                                  Soaring Hawk Consulting
                                                               June 2010


 New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

Abstract

   The Public Key Infrastructure using X.509 (PKIX) certificate format,
   and many associated formats, are expressed using ASN.1.  The current
   ASN.1 modules conform to the 1988 version of ASN.1.  This document
   updates those ASN.1 modules to conform to the 2002 version of ASN.1.
   There are no bits-on-the-wire changes to any of the formats; this is
   simply a change to the syntax.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5912.

Page 2 
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Design Notes  . . . . . . . . . . . . . . . . . . . . . .   4
   2.  ASN.1 Module PKIX-CommonTypes . . . . . . . . . . . . . . . .   5
   3.  ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . .   8
   4.  ASN.1 Module for RFC 2560 . . . . . . . . . . . . . . . . . .  18
   5.  ASN.1 Module for RFC 2986 . . . . . . . . . . . . . . . . . .  22
   6.  ASN.1 Module for RFC 3279 . . . . . . . . . . . . . . . . . .  23
   7.  ASN.1 Module for RFC 3852 (Attribute Certificate v1)  . . . .  34
   8.  ASN.1 Module for RFC 4055 . . . . . . . . . . . . . . . . . .  36
   9.  ASN.1 Module for RFC 4210 . . . . . . . . . . . . . . . . . .  42
   10. ASN.1 Module for RFC 4211 . . . . . . . . . . . . . . . . . .  53
   11. ASN.1 Module for RFC 5055 . . . . . . . . . . . . . . . . . .  61
   12. ASN.1 Module for RFC 5272 . . . . . . . . . . . . . . . . . .  74
   13. ASN.1 Module for RFC 5755 . . . . . . . . . . . . . . . . . .  85
   14. ASN.1 Module for RFC 5280, Explicit and Implicit  . . . . . .  91
   15. Security Considerations . . . . . . . . . . . . . . . . . . . 115
   16. Normative References  . . . . . . . . . . . . . . . . . . . . 116

Top      ToC       Page 3 
1.  Introduction

   Some developers would like the IETF to use the latest version of
   ASN.1 in its standards.  Most of the RFCs that relate to security
   protocols still use ASN.1 from the 1988 standard, which has been
   deprecated.  This is particularly true for the standards that relate
   to PKIX, Cryptographic Message Syntax (CMS), and S/MIME.

   This document updates the following RFCs to use ASN.1 modules that
   conform to the 2002 version of ASN.1 [ASN1-2002].  Note that not all
   the modules are updated; some are included to simply make the set
   complete.

   o  RFC 2560, PKIX Online Certificate Status Protocol (OCSP) [RFC2560]

   o  RFC 2986, PKCS #10 certificate request [RFC2986]

   o  RFC 3279, PKIX algorithms and identifier [RFC3279]

   o  RFC 3852, contains PKIX attribute certificates, version 1
      [RFC3852]

   o  RFC 4055, Additional Algorithms and Identifiers for RSA
      Cryptography [RFC4055]

   o  RFC 4210, PKIX CMP (Certificate Management Protocol) [RFC4210]

   o  RFC 4211, PKIX CRMF (Certificate Request Message Format) [RFC4211]

   o  RFC 5055, PKIX SCVP (Server-based Certificate Validation Protocol)
      [RFC5055]

   o  RFC 5272, Certificate Management over CMS (CMC) [RFC5272]

   o  RFC 5280, PKIX certificate and Certificate Revocation List (CRL)
      profile [RFC5280] (both the implicit and explicit modules)

   o  RFC 5755, PKIX attribute certificates, version 2 [RFC5755]

   Note that some of the modules in this document get some of their
   definitions from places different than the modules in the original
   RFCs.  The idea is that these modules, when combined with the modules
   in [RFC5911] can stand on their own and do not need to import
   definitions from anywhere else.  Also note that the ASN.1 modules in
   this document have references in their text comments that need to be
   looked up in original RFCs, and that some of those references may
   have already been superseded by later RFCs.

Top      ToC       Page 4 
   The document also includes a module of common definitions called
   "PKIX-CommonTypes".  These definitions are used here and in
   [RFC5911].

   The document also includes a module of common definitions called
   "AlgorithmInformation".  These definitions are used here and in
   [RFC5911].

1.1.  Design Notes

   The modules in this document use the object model available in the
   2002 ASN.1 documents to a great extent.  Objects for each of the
   different algorithm types are defined.  Also, all of the places where
   the 1988 ASN.1 syntax had ANY holes to allow for variable syntax now
   use objects.

   Much like the way that the PKIX and S/MIME working groups use the
   prefix of id- for object identifiers, this document has also adopted
   a set of two-, three-, and four-letter prefixes to allow for quick
   identification of the type of an object based on its name.  This
   allows, for example, the same back half of the name to be used for
   the different objects.  Thus, "id-sha1" is the object identifier,
   while "mda-sha1" is the message digest object for "sha1".

   One or more object sets for the different types of algorithms are
   defined.  A single consistent name for each different algorithm type
   is used.  For example, an object set named PublicKeys contains the
   public keys defined in that module.  If no public keys are defined,
   then the object set is not created.  When importing these object sets
   into an ASN.1 module, one needs to be able to distinguish between the
   different object sets with the same name.  This is done by using both
   the module name (as specified in the IMPORT statement) and the object
   set name.  For example, in the module for RFC 5280:

   PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
   PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7  33 }

   PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
       PKIX1-PSS-OAEP-Algorithms.PublicKeys }

Top      ToC       Page 5 
2.  ASN.1 Module PKIX-CommonTypes

   This section contains a module that is imported by many other modules
   in this document and in [RFC5911].  This module does not come from
   any existing RFC.

  PKIX-CommonTypes-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}

  DEFINITIONS EXPLICIT TAGS ::=
  BEGIN

  --  ATTRIBUTE
  --
  --  Describe the set of data associated with an attribute of some type
  --
  --  &id is an OID identifying the attribute
  --  &Type is the ASN.1 type structure for the attribute; not all
  --      attributes have a data structure, so this field is optional
  --  &minCount contains the minimum number of times the attribute can
  --      occur in an AttributeSet
  --  &maxCount contains the maximum number of times the attribute can
  --      appear in an AttributeSet
  --      Note: this cannot be automatically enforced as the field
  --      cannot be defaulted to MAX.
  --  &equality-match contains information about how matching should be
  --      done
  --
  --  Currently we are using two different prefixes for attributes.
  --
  --  at- for certificate attributes
  --  aa- for CMS attributes
  --

  ATTRIBUTE ::= CLASS {
      &id             OBJECT IDENTIFIER UNIQUE,
      &Type           OPTIONAL,
      &equality-match MATCHING-RULE OPTIONAL,
      &minCount       INTEGER DEFAULT 1,
      &maxCount       INTEGER OPTIONAL
  } WITH SYNTAX {
      [TYPE &Type]
      [EQUALITY MATCHING RULE &equality-match]
      [COUNTS [MIN &minCount] [MAX &maxCount]]
      IDENTIFIED BY &id
  }

Top      ToC       Page 6 
  -- Specification of MATCHING-RULE information object class
  --

  MATCHING-RULE ::= CLASS {
    &ParentMatchingRules   MATCHING-RULE OPTIONAL,
    &AssertionType         OPTIONAL,
    &uniqueMatchIndicator  ATTRIBUTE OPTIONAL,
    &id                    OBJECT IDENTIFIER UNIQUE
  }
  WITH SYNTAX {
    [PARENT &ParentMatchingRules]
    [SYNTAX &AssertionType]
    [UNIQUE-MATCH-INDICATOR &uniqueMatchIndicator]
    ID &id
  }

  --  AttributeSet
  --
  --  Used when a set of attributes is to occur.
  --
  --  type contains the identifier of the attribute
  --  values contains a set of values where the structure of the ASN.1
  --      is defined by the attribute
  --
  --  The parameter contains the set of objects describing
  --      those attributes that can occur in this location.
  --

  AttributeSet{ATTRIBUTE:AttrSet} ::= SEQUENCE {
      type      ATTRIBUTE.&id({AttrSet}),
      values    SET SIZE (1..MAX) OF ATTRIBUTE.
                    &Type({AttrSet}{@type})
  }

  --  SingleAttribute
  --
  --  Used for a single valued attribute
  --
  --  The parameter contains the set of objects describing the
  --      attributes that can occur in this location
  --

  SingleAttribute{ATTRIBUTE:AttrSet} ::= SEQUENCE {
      type      ATTRIBUTE.&id({AttrSet}),
      value     ATTRIBUTE.&Type({AttrSet}{@type})
  }

  --  EXTENSION

Top      ToC       Page 7 
  --
  --  This class definition is used to describe the association of
  --      object identifier and ASN.1 type structure for extensions
  --
  --  All extensions are prefixed with ext-
  --
  --  &id contains the object identifier for the extension
  --  &ExtnType specifies the ASN.1 type structure for the extension
  --  &Critical contains the set of legal values for the critical field.
  --      This is normally {TRUE|FALSE} but in some instances may be
  --      restricted to just one of these values.
  --

  EXTENSION ::= CLASS {
      &id  OBJECT IDENTIFIER UNIQUE,
      &ExtnType,
      &Critical    BOOLEAN DEFAULT {TRUE | FALSE }
  } WITH SYNTAX {
      SYNTAX &ExtnType IDENTIFIED BY &id
      [CRITICALITY &Critical]
  }

  --  Extensions
  --
  --  Used for a sequence of extensions.
  --
  --  The parameter contains the set of legal extensions that can
  --  occur in this sequence.
  --

  Extensions{EXTENSION:ExtensionSet} ::=
      SEQUENCE SIZE (1..MAX) OF Extension{{ExtensionSet}}

  --  Extension
  --
  --  Used for a single extension
  --
  --  The parameter contains the set of legal extensions that can
  --      occur in this extension.
  --
  --  The restriction on the critical field has been commented out
  --  the authors are not completely sure it is correct.
  --  The restriction could be done using custom code rather than
  --  compiler-generated code, however.
  --

  Extension{EXTENSION:ExtensionSet} ::= SEQUENCE {
      extnID      EXTENSION.&id({ExtensionSet}),

Top      ToC       Page 8 
      critical    BOOLEAN
  --                     (EXTENSION.&Critical({ExtensionSet}{@extnID}))
                       DEFAULT FALSE,
      extnValue   OCTET STRING (CONTAINING
                  EXTENSION.&ExtnType({ExtensionSet}{@extnID}))
                  --  contains the DER encoding of the ASN.1 value
                  --  corresponding to the extension type identified
                  --  by extnID
  }

  --  Security Category
  --
  --  Security categories are used both for specifying clearances and
  --  for labeling objects.  We move this here from RFC 3281 so that
  --  they will use a common single object class to express this
  --  information.
  --

  SECURITY-CATEGORY ::= TYPE-IDENTIFIER

  SecurityCategory{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
      type      [0]  IMPLICIT SECURITY-CATEGORY.
              &id({Supported}),
      value     [1]  EXPLICIT SECURITY-CATEGORY.
              &Type({Supported}{@type})
  }

  END

3.  ASN.1 Module AlgorithmInformation

   This section contains a module that is imported by many other modules
   in this document.  Note that this module is also given in [RFC5911].
   This module does not come from any existing RFC.

AlgorithmInformation-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-algorithmInformation-02(58)}

DEFINITIONS EXPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS

KeyUsage
FROM PKIX1Implicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1)

Top      ToC       Page 9 
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-pkix1-implicit-02(59)} ;

--  Suggested prefixes for algorithm objects are:
--
--  mda-   Message Digest Algorithms
--  sa-    Signature Algorithms
--  kta-   Key Transport Algorithms (Asymmetric)
--  kaa-   Key Agreement Algorithms  (Asymmetric)
--  kwa-   Key Wrap Algorithms (Symmetric)
--  kda-   Key Derivation Algorithms
--  maca-  Message Authentication Code Algorithms
--  pk-    Public Key
--  cea-   Content (symmetric) Encryption Algorithms
--  cap-   S/MIME Capabilities

ParamOptions ::= ENUMERATED {
   required,         -- Parameters MUST be encoded in structure
   preferredPresent, -- Parameters SHOULD be encoded in structure
   preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
   absent,           -- Parameters MUST NOT be encoded in structure
   inheritable,      -- Parameters are inherited if not present
   optional,         -- Parameters MAY be encoded in the structure
   ...
}

--  DIGEST-ALGORITHM
--
--  Describes the basic information for ASN.1 and a digest
--      algorithm.
--
--  &id - contains the OID identifying the digest algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--
--  Additional information such as the length of the hash could have
--      been encoded.  Without a clear understanding of what information
--      is needed by applications, such extraneous information was not
--      considered to be of sufficent importance.
--
--  Example:
--  mda-sha1 DIGEST-ALGORITHM ::= {
--      IDENTIFIER id-sha1
--      PARAMS TYPE NULL ARE preferredAbsent
--  }

DIGEST-ALGORITHM ::= CLASS {

Top      ToC       Page 10 
    &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence ]
}

--  SIGNATURE-ALGORITHM
--
--  Describes the basic properties of a signature algorithm
--
--  &id - contains the OID identifying the signature algorithm
--  &Value - contains a type definition for the value structure of
--              the signature; if absent, implies that no ASN.1
--              encoding is performed on the value
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &HashSet - The set of hash algorithms used with this
--                  signature algorithm
--  &PublicKeySet - the set of public key algorithms for this
--                  signature algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
--     IDENTIFIER id-RSASSA-PSS
--     PARAMS TYPE RSASSA-PSS-params ARE required
--     HASHES { mda-sha1 | mda-md5, ... }
--     PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }

SIGNATURE-ALGORITHM ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &Value          OPTIONAL,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &HashSet        DIGEST-ALGORITHM OPTIONAL,
    &PublicKeySet   PUBLIC-KEY OPTIONAL,
    &smimeCaps      SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [VALUE &Value]
    [PARAMS [TYPE &Params] ARE &paramPresence ]
    [HASHES &HashSet]
    [PUBLIC-KEYS &PublicKeySet]

Top      ToC       Page 11 
    [SMIME-CAPS &smimeCaps]
}

--  PUBLIC-KEY
--
--  Describes the basic properties of a public key
--
--  &id - contains the OID identifying the public key
--  &KeyValue - contains the type for the key value
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &keyUsage - contains the set of bits that are legal for this
--              key type.  Note that is does not make any statement
--              about how bits may be paired.
--  &PrivateKey - contains a type structure for encoding the private
--              key information.
--
--  Example:
--  pk-rsa-pss PUBLIC-KEY ::= {
--      IDENTIFIER id-RSASSA-PSS
--      KEY RSAPublicKey
--      PARAMS TYPE RSASSA-PSS-params ARE optional
--      CERT-KEY-USAGE { .... }
--  }

PUBLIC-KEY ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &KeyValue       OPTIONAL,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &keyUsage       KeyUsage OPTIONAL,
    &PrivateKey     OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [KEY &KeyValue]
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [CERT-KEY-USAGE &keyUsage]
    [PRIVATE-KEY &PrivateKey]
}

--  KEY-TRANSPORT
--
--  Describes the basic properties of a key transport algorithm
--
--  &id - contains the OID identifying the key transport algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters

Top      ToC       Page 12 
--  &paramPresence - parameter presence requirement
--  &PublicKeySet - specifies which public keys are used with
--                       this algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kta-rsaTransport KEY-TRANSPORT ::= {
--      IDENTIFIER &id
--      PARAMS TYPE NULL ARE required
--      PUBLIC-KEYS  { pk-rsa | pk-rsa-pss }
--  }

KEY-TRANSPORT ::= CLASS {
    &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent,
    &PublicKeySet       PUBLIC-KEY OPTIONAL,
    &smimeCaps          SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [PUBLIC-KEYS &PublicKeySet]
    [SMIME-CAPS &smimeCaps]
}

--  KEY-AGREE
--
--  Describes the basic properties of a key agreement algorithm
--
--  &id - contains the OID identifying the key agreement algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &PublicKeySet - specifies which public keys are used with
--                        this algorithm
--  &Ukm - type of user keying material used
--  &ukmPresence - specifies the requirements to define the UKM field
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kaa-dh-static-ephemeral KEY-AGREE ::= {
--      IDENTIFIER id-alg-ESDH
--      PARAMS TYPE KeyWrapAlgorithm ARE required
--      PUBLIC-KEYS {
--         {IDENTIFIER dh-public-number KEY DHPublicKey
--            PARAMS TYPE DHDomainParameters ARE inheritable }

Top      ToC       Page 13 
--      }
--      - - UKM should be present but is not separately ASN.1-encoded
--      UKM ARE preferredPresent
--  }

KEY-AGREE ::= CLASS {
    &id             OBJECT IDENTIFIER UNIQUE,
    &Params         OPTIONAL,
    &paramPresence  ParamOptions DEFAULT absent,
    &PublicKeySet   PUBLIC-KEY OPTIONAL,
    &Ukm            OPTIONAL,
    &ukmPresence    ParamOptions DEFAULT absent,
    &smimeCaps      SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [PUBLIC-KEYS &PublicKeySet]
    [UKM [TYPE &Ukm] ARE &ukmPresence]
    [SMIME-CAPS &smimeCaps]
}

--  KEY-WRAP
--
--  Describes the basic properties of a key wrap algorithm
--
--  &id - contains the OID identifying the key wrap algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kwa-cms3DESwrap KEY-WRAP ::= {
--      IDENTIFIER id-alg-CMS3DESwrap
--      PARAMS TYPE NULL ARE required
--  }

KEY-WRAP ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

Top      ToC       Page 14 
--  KEY-DERIVATION
--
--  Describes the basic properties of a key derivation algorithm
--
--  &id - contains the OID identifying the key derivation algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  kda-pbkdf2 KEY-DERIVATION ::= {
--      IDENTIFIER id-PBKDF2
--      PARAMS TYPE PBKDF2-params ARE required
--  }

KEY-DERIVATION ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

-- MAC-ALGORITHM
--
--  Describes the basic properties of a message
--      authentication code (MAC) algorithm
--
--  &id - contains the OID identifying the MAC algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &keyed - MAC algorithm is a keyed MAC algorithm
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Some parameters that perhaps should have been added would be
--  fields with the minimum and maximum MAC lengths for
--  those MAC algorithms that allow truncations.
--
--  Example:
--  maca-hmac-sha1 MAC-ALGORITHM ::= {
--      IDENTIFIER hMAC-SHA1

Top      ToC       Page 15 
--      PARAMS TYPE NULL ARE preferredAbsent
--      IS KEYED MAC TRUE
--      SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
--  }

MAC-ALGORITHM ::= CLASS {
    &id                 OBJECT IDENTIFIER UNIQUE,
    &Params             OPTIONAL,
    &paramPresence      ParamOptions DEFAULT absent,
    &keyed              BOOLEAN,
    &smimeCaps          SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    IS-KEYED-MAC &keyed
    [SMIME-CAPS &smimeCaps]
}

--  CONTENT-ENCRYPTION
--
--  Describes the basic properties of a content encryption
--      algorithm
--
--  &id - contains the OID identifying the content
--        encryption algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  Example:
--  cea-3DES-cbc CONTENT-ENCRYPTION ::= {
--      IDENTIFIER des-ede3-cbc
--      PARAMS TYPE IV ARE required
--      SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
--  }

CONTENT-ENCRYPTION ::= CLASS {
    &id                OBJECT IDENTIFIER UNIQUE,
    &Params            OPTIONAL,
    &paramPresence     ParamOptions DEFAULT absent,
    &smimeCaps         SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

Top      ToC       Page 16 
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
--  &id - contains the OID identifying the algorithm
--  &Params - if present, contains the type for the algorithm
--               parameters; if absent, implies no parameters
--  &paramPresence - parameter presence requirement
--  &smimeCaps - contains the object describing how the S/MIME
--              capabilities are presented.
--
--  This would be used for cases where an algorithm of an unknown
--  type is used.  In general however, one should either define
--  a more complete algorithm structure (such as the one above)
--  or use the TYPE-IDENTIFIER class.

ALGORITHM ::= CLASS {
    &id OBJECT   IDENTIFIER UNIQUE,
    &Params      OPTIONAL,
    &paramPresence ParamOptions DEFAULT absent,
    &smimeCaps   SMIME-CAPS OPTIONAL
} WITH SYNTAX {
    IDENTIFIER &id
    [PARAMS [TYPE &Params] ARE &paramPresence]
    [SMIME-CAPS &smimeCaps]
}

-- AlgorithmIdentifier
--
-- Provides the generic structure that is used to encode algorithm
--    identification and the parameters associated with the
--    algorithm.
--
-- The first parameter represents the type of the algorithm being
--    used.
-- The second parameter represents an object set containing the
--    algorithms that may occur in this situation.
--    The initial list of required algorithms should occur to the
--      left of an extension marker; all other algorithms should
--      occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
--     items.
-- If new ALGORITHM classes are defined, the fields &id and &Params
--     need to be present as fields in the object in order to use
--     this parameterized type.
--
-- Example:

Top      ToC       Page 17 
--    SignatureAlgorithmIdentifier ::=
--       AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}

AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
        SEQUENCE {
            algorithm   ALGORITHM-TYPE.&id({AlgorithmSet}),
            parameters  ALGORITHM-TYPE.
                   &Params({AlgorithmSet}{@algorithm}) OPTIONAL
        }

--  S/MIME Capabilities
--
--  We have moved the SMIME-CAPS from the module for RFC 3851 to here
--  because it is used in RFC 4262 (X.509 Certificate Extension for
--  S/MIME Capabilities)
--
--
--  This class is used to represent an S/MIME capability.  S/MIME
--  capabilities are used to represent what algorithm capabilities
--  an individual has.  The classic example was the content encryption
--  algorithm RC2 where the algorithm id and the RC2 key lengths
--  supported needed to be advertised, but the IV used is not fixed.
--  Thus, for RC2 we used
--
--  cap-RC2CBC SMIME-CAPS ::= {
--      TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
--
--  where 40 and 128 represent the RC2 key length in number of bits.
--
--  Another example where information needs to be shown is for
--  RSA-OAEP where only specific hash functions or mask generation
--  functions are supported, but the saltLength is specified by the
--  sender and not the recipient.  In this case, one can either
--  generate a number of capability items,
--  or a new S/MIME capability type could be generated where
--  multiple hash functions could be specified.
--
--
--  SMIME-CAP
--
--  This class is used to associate the type that describes the
--  capabilities with the object identifier.
--

SMIME-CAPS ::= CLASS {
    &id         OBJECT IDENTIFIER UNIQUE,
    &Type       OPTIONAL
}

Top      ToC       Page 18 
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }

--
--  Generic type - this is used for defining values.
--

--  Define a single S/MIME capability encoding

SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
    capabilityID        SMIME-CAPS.&id({CapabilitySet}),
    parameters          SMIME-CAPS.&Type({CapabilitySet}
                            {@capabilityID}) OPTIONAL
}

--  Define a sequence of S/MIME capability values

SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
        SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }

END



(page 18 continued on part 2)

Next RFC Part