Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 3280

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

Pages: 129
Obsoletes:  2459
Obsoleted by:  5280
Updated by:  43254630
Part 5 of 5 – Pages 92 to 129
First   Prev   None

ToP   noToC   RFC3280 - Page 92   prevText

Appendix A. Pseudo-ASN.1 Structures and OIDs

This section describes data objects used by conforming PKI components in an "ASN.1-like" syntax. This syntax is a hybrid of the 1988 and 1993 ASN.1 syntaxes. The 1988 ASN.1 syntax is augmented with 1993 UNIVERSAL Types UniversalString, BMPString and UTF8String. The ASN.1 syntax does not permit the inclusion of type statements in the ASN.1 module, and the 1993 ASN.1 standard does not permit use of the new UNIVERSAL types in modules using the 1988 syntax. As a result, this module does not conform to either version of the ASN.1 standard. This appendix may be converted into 1988 ASN.1 by replacing the definitions for the UNIVERSAL Types with the 1988 catch-all "ANY".

A.1 Explicitly Tagged Module, 1988 Syntax

PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- -- IMPORTS NONE -- -- UNIVERSAL Types defined in 1993 and 1998 ASN.1 -- and required by this specification UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING -- UniversalString is defined in ASN.1:1993 BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING -- BMPString is the subtype of UniversalString and models -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING -- The content of this type conforms to RFC 2279. -- PKIX specific OIDs id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
ToP   noToC   RFC3280 - Page 93
-- PKIX arcs

id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
        -- arc for private certificate extensions
id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
        -- arc for policy qualifier types
id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
        -- arc for extended key purpose OIDS
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
        -- arc for access descriptors

-- policyQualifierIds for Internet policy qualifiers

id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
      -- OID for CPS qualifier
id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
      -- OID for user notice qualifier

-- access descriptor definitions

id-ad-ocsp         OBJECT IDENTIFIER ::= { id-ad 1 }
id-ad-caIssuers    OBJECT IDENTIFIER ::= { id-ad 2 }
id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 }
id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 }

-- attribute data types

Attribute       ::=     SEQUENCE {
      type              AttributeType,
      values    SET OF AttributeValue }
            -- at least one value is required

AttributeType           ::=  OBJECT IDENTIFIER

AttributeValue          ::=  ANY

AttributeTypeAndValue           ::=     SEQUENCE {
        type    AttributeType,
        value   AttributeValue }

-- suggested naming attributes: Definition of the following
--   information object set may be augmented to meet local
--   requirements.  Note that deleting members of the set may
--   prevent interoperability with conforming implementations.
-- presented in pairs: the AttributeType followed by the
--   type definition for the corresponding AttributeValue
--Arc for standard naming attributes
id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
ToP   noToC   RFC3280 - Page 94
-- Naming attributes of type X520name

id-at-name              AttributeType ::= { id-at 41 }
id-at-surname           AttributeType ::= { id-at 4 }
id-at-givenName         AttributeType ::= { id-at 42 }
id-at-initials          AttributeType ::= { id-at 43 }
id-at-generationQualifier AttributeType ::= { id-at 44 }

X520name ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-name)),
      printableString   PrintableString (SIZE (1..ub-name)),
      universalString   UniversalString (SIZE (1..ub-name)),
      utf8String        UTF8String      (SIZE (1..ub-name)),
      bmpString         BMPString       (SIZE (1..ub-name)) }

-- Naming attributes of type X520CommonName

id-at-commonName        AttributeType ::= { id-at 3 }

X520CommonName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-common-name)),
      printableString   PrintableString (SIZE (1..ub-common-name)),
      universalString   UniversalString (SIZE (1..ub-common-name)),
      utf8String        UTF8String      (SIZE (1..ub-common-name)),
      bmpString         BMPString       (SIZE (1..ub-common-name)) }

-- Naming attributes of type X520LocalityName

id-at-localityName      AttributeType ::= { id-at 7 }

X520LocalityName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-locality-name)),
      printableString   PrintableString (SIZE (1..ub-locality-name)),
      universalString   UniversalString (SIZE (1..ub-locality-name)),
      utf8String        UTF8String      (SIZE (1..ub-locality-name)),
      bmpString         BMPString       (SIZE (1..ub-locality-name)) }

-- Naming attributes of type X520StateOrProvinceName

id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE(1..ub-state-name)) }
ToP   noToC   RFC3280 - Page 95
-- Naming attributes of type X520OrganizationName

id-at-organizationName  AttributeType ::= { id-at 10 }

X520OrganizationName ::= CHOICE {
      teletexString     TeletexString
                          (SIZE (1..ub-organization-name)),
      printableString   PrintableString
                          (SIZE (1..ub-organization-name)),
      universalString   UniversalString
                          (SIZE (1..ub-organization-name)),
      utf8String        UTF8String
                          (SIZE (1..ub-organization-name)),
      bmpString         BMPString
                          (SIZE (1..ub-organization-name))  }

-- Naming attributes of type X520OrganizationalUnitName

id-at-organizationalUnitName AttributeType ::= { id-at 11 }

X520OrganizationalUnitName ::= CHOICE {
      teletexString     TeletexString
                          (SIZE (1..ub-organizational-unit-name)),
      printableString   PrintableString
                          (SIZE (1..ub-organizational-unit-name)),
      universalString   UniversalString
                          (SIZE (1..ub-organizational-unit-name)),
      utf8String        UTF8String
                          (SIZE (1..ub-organizational-unit-name)),
      bmpString         BMPString
                          (SIZE (1..ub-organizational-unit-name)) }

-- Naming attributes of type X520Title

id-at-title             AttributeType ::= { id-at 12 }

X520Title ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-title)),
      printableString   PrintableString (SIZE (1..ub-title)),
      universalString   UniversalString (SIZE (1..ub-title)),
      utf8String        UTF8String      (SIZE (1..ub-title)),
      bmpString         BMPString       (SIZE (1..ub-title)) }

-- Naming attributes of type X520dnQualifier

id-at-dnQualifier       AttributeType ::= { id-at 46 }

X520dnQualifier ::=     PrintableString
ToP   noToC   RFC3280 - Page 96
-- Naming attributes of type X520countryName (digraph from IS 3166)

id-at-countryName       AttributeType ::= { id-at 6 }

X520countryName ::=     PrintableString (SIZE (2))

-- Naming attributes of type X520SerialNumber

id-at-serialNumber      AttributeType ::= { id-at 5 }

X520SerialNumber ::=    PrintableString (SIZE (1..ub-serial-number))

-- Naming attributes of type X520Pseudonym

id-at-pseudonym         AttributeType ::= { id-at 65 }

X520Pseudonym ::= CHOICE {
   teletexString     TeletexString   (SIZE (1..ub-pseudonym)),
   printableString   PrintableString (SIZE (1..ub-pseudonym)),
   universalString   UniversalString (SIZE (1..ub-pseudonym)),
   utf8String        UTF8String      (SIZE (1..ub-pseudonym)),
   bmpString         BMPString       (SIZE (1..ub-pseudonym)) }

-- Naming attributes of type DomainComponent (from RFC 2247)

id-domainComponent      AttributeType ::=
                          { 0 9 2342 19200300 100 1 25 }

DomainComponent ::=     IA5String

-- Legacy attributes

pkcs-9 OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }

id-emailAddress          AttributeType ::= { pkcs-9 1 }

EmailAddress ::=         IA5String (SIZE (1..ub-emailaddress-length))

-- naming data types --

Name ::= CHOICE { -- only one possibility for now --
      rdnSequence  RDNSequence }

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

DistinguishedName ::=   RDNSequence
ToP   noToC   RFC3280 - Page 97
RelativeDistinguishedName  ::=
                    SET SIZE (1 .. MAX) OF AttributeTypeAndValue

-- Directory string type --

DirectoryString ::= CHOICE {
      teletexString             TeletexString   (SIZE (1..MAX)),
      printableString           PrintableString (SIZE (1..MAX)),
      universalString           UniversalString (SIZE (1..MAX)),
      utf8String              UTF8String      (SIZE (1..MAX)),
      bmpString               BMPString       (SIZE (1..MAX)) }

-- certificate and CRL specific structures begin here

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  Extensions OPTIONAL
                          -- If present, version MUST be v3 --  }

Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

CertificateSerialNumber  ::=  INTEGER

Validity ::= SEQUENCE {
     notBefore      Time,
     notAfter       Time  }

Time ::= CHOICE {
     utcTime        UTCTime,
     generalTime    GeneralizedTime }

UniqueIdentifier  ::=  BIT STRING
ToP   noToC   RFC3280 - Page 98
SubjectPublicKeyInfo  ::=  SEQUENCE  {
     algorithm            AlgorithmIdentifier,
     subjectPublicKey     BIT STRING  }

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING  }

-- CRL structures

CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                                  -- if present, MUST be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              Time,
     nextUpdate              Time OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
          userCertificate         CertificateSerialNumber,
          revocationDate          Time,
          crlEntryExtensions      Extensions OPTIONAL
                                         -- if present, MUST be v2
                               }  OPTIONAL,
     crlExtensions           [0] Extensions OPTIONAL }
                                         -- if present, MUST be v2

-- Version, Time, CertificateSerialNumber, and Extensions were
-- defined earlier for use in the certificate structure

AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                -- contains a value of the type
                                -- registered for use with the
                                -- algorithm object identifier value

-- X.400 address syntax starts here
ToP   noToC   RFC3280 - Page 99
ORAddress ::= SEQUENCE {
   built-in-standard-attributes BuiltInStandardAttributes,
   built-in-domain-defined-attributes
                   BuiltInDomainDefinedAttributes OPTIONAL,
   -- see also teletex-domain-defined-attributes
   extension-attributes ExtensionAttributes OPTIONAL }

-- Built-in Standard Attributes

BuiltInStandardAttributes ::= SEQUENCE {
   country-name                  CountryName OPTIONAL,
   administration-domain-name    AdministrationDomainName OPTIONAL,
   network-address           [0] IMPLICIT NetworkAddress OPTIONAL,
     -- see also extended-network-address
   terminal-identifier       [1] IMPLICIT TerminalIdentifier OPTIONAL,
   private-domain-name       [2] PrivateDomainName OPTIONAL,
   organization-name         [3] IMPLICIT OrganizationName OPTIONAL,
     -- see also teletex-organization-name
   numeric-user-identifier   [4] IMPLICIT NumericUserIdentifier
                                 OPTIONAL,
   personal-name             [5] IMPLICIT PersonalName OPTIONAL,
     -- see also teletex-personal-name
   organizational-unit-names [6] IMPLICIT OrganizationalUnitNames
                                 OPTIONAL }
     -- see also teletex-organizational-unit-names

CountryName ::= [APPLICATION 1] CHOICE {
   x121-dcc-code         NumericString
                           (SIZE (ub-country-name-numeric-length)),
   iso-3166-alpha2-code  PrintableString
                           (SIZE (ub-country-name-alpha-length)) }

AdministrationDomainName ::= [APPLICATION 2] CHOICE {
   numeric   NumericString   (SIZE (0..ub-domain-name-length)),
   printable PrintableString (SIZE (0..ub-domain-name-length)) }

NetworkAddress ::= X121Address  -- see also extended-network-address

X121Address ::= NumericString (SIZE (1..ub-x121-address-length))

TerminalIdentifier ::= PrintableString (SIZE
(1..ub-terminal-id-length))

PrivateDomainName ::= CHOICE {
   numeric   NumericString   (SIZE (1..ub-domain-name-length)),
   printable PrintableString (SIZE (1..ub-domain-name-length)) }
ToP   noToC   RFC3280 - Page 100
OrganizationName ::= PrintableString
                            (SIZE (1..ub-organization-name-length))
  -- see also teletex-organization-name

NumericUserIdentifier ::= NumericString
                            (SIZE (1..ub-numeric-user-id-length))

PersonalName ::= SET {
   surname     [0] IMPLICIT PrintableString
                    (SIZE (1..ub-surname-length)),
   given-name  [1] IMPLICIT PrintableString
                    (SIZE (1..ub-given-name-length)) OPTIONAL,
   initials    [2] IMPLICIT PrintableString
                    (SIZE (1..ub-initials-length)) OPTIONAL,
   generation-qualifier [3] IMPLICIT PrintableString
                    (SIZE (1..ub-generation-qualifier-length))
                    OPTIONAL }
  -- see also teletex-personal-name

OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
                             OF OrganizationalUnitName
  -- see also teletex-organizational-unit-names

OrganizationalUnitName ::= PrintableString (SIZE
                    (1..ub-organizational-unit-name-length))

-- Built-in Domain-defined Attributes

BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
                    (1..ub-domain-defined-attributes) OF
                    BuiltInDomainDefinedAttribute

BuiltInDomainDefinedAttribute ::= SEQUENCE {
   type PrintableString (SIZE
                   (1..ub-domain-defined-attribute-type-length)),
   value PrintableString (SIZE
                   (1..ub-domain-defined-attribute-value-length)) }

-- Extension Attributes

ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
               ExtensionAttribute

ExtensionAttribute ::=  SEQUENCE {
   extension-attribute-type [0] IMPLICIT INTEGER
                   (0..ub-extension-attributes),
   extension-attribute-value [1]
                   ANY DEFINED BY extension-attribute-type }
ToP   noToC   RFC3280 - Page 101
-- Extension types and attribute values

common-name INTEGER ::= 1

CommonName ::= PrintableString (SIZE (1..ub-common-name-length))

teletex-common-name INTEGER ::= 2

TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))

teletex-organization-name INTEGER ::= 3

TeletexOrganizationName ::=
                TeletexString (SIZE (1..ub-organization-name-length))

teletex-personal-name INTEGER ::= 4

TeletexPersonalName ::= SET {
   surname     [0] IMPLICIT TeletexString
                    (SIZE (1..ub-surname-length)),
   given-name  [1] IMPLICIT TeletexString
                    (SIZE (1..ub-given-name-length)) OPTIONAL,
   initials    [2] IMPLICIT TeletexString
                    (SIZE (1..ub-initials-length)) OPTIONAL,
   generation-qualifier [3] IMPLICIT TeletexString
                    (SIZE (1..ub-generation-qualifier-length))
                    OPTIONAL }

teletex-organizational-unit-names INTEGER ::= 5

TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
      (1..ub-organizational-units) OF TeletexOrganizationalUnitName

TeletexOrganizationalUnitName ::= TeletexString
                  (SIZE (1..ub-organizational-unit-name-length))

pds-name INTEGER ::= 7

PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))

physical-delivery-country-name INTEGER ::= 8

PhysicalDeliveryCountryName ::= CHOICE {
   x121-dcc-code NumericString (SIZE
(ub-country-name-numeric-length)),
   iso-3166-alpha2-code PrintableString
                  (SIZE (ub-country-name-alpha-length)) }
ToP   noToC   RFC3280 - Page 102
postal-code INTEGER ::= 9

PostalCode ::= CHOICE {
   numeric-code NumericString (SIZE (1..ub-postal-code-length)),
   printable-code PrintableString (SIZE (1..ub-postal-code-length)) }

physical-delivery-office-name INTEGER ::= 10

PhysicalDeliveryOfficeName ::= PDSParameter

physical-delivery-office-number INTEGER ::= 11

PhysicalDeliveryOfficeNumber ::= PDSParameter

extension-OR-address-components INTEGER ::= 12

ExtensionORAddressComponents ::= PDSParameter

physical-delivery-personal-name INTEGER ::= 13

PhysicalDeliveryPersonalName ::= PDSParameter

physical-delivery-organization-name INTEGER ::= 14

PhysicalDeliveryOrganizationName ::= PDSParameter

extension-physical-delivery-address-components INTEGER ::= 15

ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter

unformatted-postal-address INTEGER ::= 16

UnformattedPostalAddress ::= SET {
   printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines)
         OF PrintableString (SIZE (1..ub-pds-parameter-length))
         OPTIONAL,
   teletex-string TeletexString
         (SIZE (1..ub-unformatted-address-length)) OPTIONAL }

street-address INTEGER ::= 17

StreetAddress ::= PDSParameter

post-office-box-address INTEGER ::= 18

PostOfficeBoxAddress ::= PDSParameter

poste-restante-address INTEGER ::= 19
ToP   noToC   RFC3280 - Page 103
PosteRestanteAddress ::= PDSParameter

unique-postal-name INTEGER ::= 20

UniquePostalName ::= PDSParameter

local-postal-attributes INTEGER ::= 21

LocalPostalAttributes ::= PDSParameter

PDSParameter ::= SET {
   printable-string PrintableString
                (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
   teletex-string TeletexString
                (SIZE(1..ub-pds-parameter-length)) OPTIONAL }

extended-network-address INTEGER ::= 22

ExtendedNetworkAddress ::= CHOICE {
   e163-4-address SEQUENCE {
      number      [0] IMPLICIT NumericString
                       (SIZE (1..ub-e163-4-number-length)),
      sub-address [1] IMPLICIT NumericString
                       (SIZE (1..ub-e163-4-sub-address-length))
                       OPTIONAL },
   psap-address [0] IMPLICIT PresentationAddress }

PresentationAddress ::= SEQUENCE {
    pSelector     [0] EXPLICIT OCTET STRING OPTIONAL,
    sSelector     [1] EXPLICIT OCTET STRING OPTIONAL,
    tSelector     [2] EXPLICIT OCTET STRING OPTIONAL,
    nAddresses    [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }

terminal-type  INTEGER ::= 23

TerminalType ::= INTEGER {
   telex (3),
   teletex (4),
   g3-facsimile (5),
   g4-facsimile (6),
   ia5-terminal (7),
   videotex (8) } (0..ub-integer-options)

-- Extension Domain-defined Attributes

teletex-domain-defined-attributes INTEGER ::= 6
ToP   noToC   RFC3280 - Page 104
TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
   (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute

TeletexDomainDefinedAttribute ::= SEQUENCE {
        type TeletexString
               (SIZE (1..ub-domain-defined-attribute-type-length)),
        value TeletexString
               (SIZE (1..ub-domain-defined-attribute-value-length)) }

--  specifications of Upper Bounds MUST be regarded as mandatory
--  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--  Upper Bounds

-- Upper Bounds
ub-name INTEGER ::= 32768
ub-common-name INTEGER ::= 64
ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-title INTEGER ::= 64
ub-serial-number INTEGER ::= 64
ub-match INTEGER ::= 128
ub-emailaddress-length INTEGER ::= 128
ub-common-name-length INTEGER ::= 64
ub-country-name-alpha-length INTEGER ::= 2
ub-country-name-numeric-length INTEGER ::= 3
ub-domain-defined-attributes INTEGER ::= 4
ub-domain-defined-attribute-type-length INTEGER ::= 8
ub-domain-defined-attribute-value-length INTEGER ::= 128
ub-domain-name-length INTEGER ::= 16
ub-extension-attributes INTEGER ::= 256
ub-e163-4-number-length INTEGER ::= 15
ub-e163-4-sub-address-length INTEGER ::= 40
ub-generation-qualifier-length INTEGER ::= 3
ub-given-name-length INTEGER ::= 16
ub-initials-length INTEGER ::= 5
ub-integer-options INTEGER ::= 256
ub-numeric-user-id-length INTEGER ::= 32
ub-organization-name-length INTEGER ::= 64
ub-organizational-unit-name-length INTEGER ::= 32
ub-organizational-units INTEGER ::= 4
ub-pds-name-length INTEGER ::= 16
ub-pds-parameter-length INTEGER ::= 30
ub-pds-physical-address-lines INTEGER ::= 6
ub-postal-code-length INTEGER ::= 16
ub-pseudonym INTEGER ::= 128
ub-surname-length INTEGER ::= 40
ToP   noToC   RFC3280 - Page 105
ub-terminal-id-length INTEGER ::= 24
ub-unformatted-address-length INTEGER ::= 180
ub-x121-address-length INTEGER ::= 16

-- Note - upper bounds on string types, such as TeletexString, are
-- measured in characters.  Excepting PrintableString or IA5String, a
-- significantly greater number of octets will be required to hold
-- such a value.  As a minimum, 16 octets, or twice the specified
-- upper bound, whichever is the larger, should be allowed for
-- TeletexString.  For UTF8String or UniversalString at least four
-- times the upper bound should be allowed.

END

A.2 Implicitly Tagged Module, 1988 Syntax

PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS id-pe, id-kp, id-qt-unotice, id-qt-cps, -- delete following line if "new" types are supported -- BMPString, UTF8String, -- end "new" types -- ORAddress, Name, RelativeDistinguishedName, CertificateSerialNumber, Attribute, DirectoryString FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }; -- ISO arc for standard certificate and CRL extensions id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} -- authority key identifier OID and syntax id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
ToP   noToC   RFC3280 - Page 106
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier            OPTIONAL,
    authorityCertIssuer       [1] GeneralNames             OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
    -- authorityCertIssuer and authorityCertSerialNumber MUST both
    -- be present or both be absent

KeyIdentifier ::= OCTET STRING

-- subject key identifier OID and syntax

id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }

SubjectKeyIdentifier ::= KeyIdentifier

-- key usage extension OID and syntax

id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1),
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

-- private key usage period extension OID and syntax

id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {
     notBefore       [0]     GeneralizedTime OPTIONAL,
     notAfter        [1]     GeneralizedTime OPTIONAL }
     -- either notBefore or notAfter MUST be present

-- certificate policies extension OID and syntax

id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }

CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
ToP   noToC   RFC3280 - Page 107
     policyIdentifier   CertPolicyId,
     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
             PolicyQualifierInfo OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {
       policyQualifierId  PolicyQualifierId,
       qualifier        ANY DEFINED BY policyQualifierId }

-- Implementations that recognize additional policy qualifiers MUST
-- augment the following definition for PolicyQualifierId

PolicyQualifierId ::=
    OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {
     noticeRef        NoticeReference OPTIONAL,
     explicitText     DisplayText OPTIONAL}

NoticeReference ::= SEQUENCE {
     organization     DisplayText,
     noticeNumbers    SEQUENCE OF INTEGER }

DisplayText ::= CHOICE {
     ia5String        IA5String      (SIZE (1..200)),
     visibleString    VisibleString  (SIZE (1..200)),
     bmpString        BMPString      (SIZE (1..200)),
     utf8String       UTF8String     (SIZE (1..200)) }

-- policy mapping extension OID and syntax

id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
     issuerDomainPolicy      CertPolicyId,
     subjectDomainPolicy     CertPolicyId }

-- subject alternative name extension OID and syntax

id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
ToP   noToC   RFC3280 - Page 108
SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     AnotherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
     nameAssigner            [0]     DirectoryString OPTIONAL,
     partyName               [1]     DirectoryString }

-- issuer alternative name extension OID and syntax

id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

IssuerAltName ::= GeneralNames

id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute

-- basic constraints extension OID and syntax

id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

-- name constraints extension OID and syntax

id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
ToP   noToC   RFC3280 - Page 109
NameConstraints ::= SEQUENCE {
     permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
     excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
     base                    GeneralName,
     minimum         [0]     BaseDistance DEFAULT 0,
     maximum         [1]     BaseDistance OPTIONAL }

BaseDistance ::= INTEGER (0..MAX)

-- policy constraints extension OID and syntax

id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

PolicyConstraints ::= SEQUENCE {
     requireExplicitPolicy           [0] SkipCerts OPTIONAL,
     inhibitPolicyMapping            [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER (0..MAX)

-- CRL distribution points extension OID and syntax

id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     privilegeWithdrawn      (7),
     aACompromise            (8) }
ToP   noToC   RFC3280 - Page 110
-- extended key usage extension OID and syntax

id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId


KeyPurposeId ::= OBJECT IDENTIFIER

-- permit unspecified key uses

anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

-- extended key purpose OIDs

id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }

-- inhibit any policy OID and syntax

id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 }

InhibitAnyPolicy ::= SkipCerts

-- freshest (delta)CRL extension OID and syntax

id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 }

FreshestCRL ::= CRLDistributionPoints

-- authority info access

id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

AuthorityInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription  ::=  SEQUENCE {
        accessMethod          OBJECT IDENTIFIER,
        accessLocation        GeneralName  }

-- subject info access

id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 }
ToP   noToC   RFC3280 - Page 111
SubjectInfoAccessSyntax  ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

-- CRL number extension OID and syntax

id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }

CRLNumber ::= INTEGER (0..MAX)

-- issuing distribution point extension OID and syntax

id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }

IssuingDistributionPoint ::= SEQUENCE {
     distributionPoint          [0] DistributionPointName OPTIONAL,
     onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
     onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
     onlySomeReasons            [3] ReasonFlags OPTIONAL,
     indirectCRL                [4] BOOLEAN DEFAULT FALSE,
     onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }

id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }

BaseCRLNumber ::= CRLNumber

-- CRL reasons extension OID and syntax

id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     removeFromCRL           (8),
     privilegeWithdrawn      (9),
     aACompromise           (10) }

-- certificate issuer CRL entry extension OID and syntax

id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

CertificateIssuer ::= GeneralNames

-- hold instruction extension OID and syntax
ToP   noToC   RFC3280 - Page 112
id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

HoldInstructionCode ::= OBJECT IDENTIFIER

-- ANSI x9 holdinstructions

-- ANSI x9 arc holdinstruction arc

holdInstruction OBJECT IDENTIFIER ::=
          {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2}

-- ANSI X9 holdinstructions referenced by this standard

id-holdinstruction-none OBJECT IDENTIFIER  ::=
                {holdInstruction 1} -- deprecated

id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
                {holdInstruction 2}

id-holdinstruction-reject OBJECT IDENTIFIER ::=
                {holdInstruction 3}

-- invalidity date CRL entry extension OID and syntax

id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }

InvalidityDate ::=  GeneralizedTime

END

Appendix B. ASN.1 Notes

CAs MUST force the serialNumber to be a non-negative integer, that is, the sign bit in the DER encoding of the INTEGER value MUST be zero - this can be done by adding a leading (leftmost) `00'H octet if necessary. This removes a potential ambiguity in mapping between a string of octets and an integer value. As noted in section 4.1.2.2, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets in length. Conformant CAs MUST NOT use serialNumber values longer than 20 octets. As noted in section 5.2.3, CRL numbers can be expected to contain long integers. CRL validators MUST be able to handle cRLNumber values up to 20 octets in length. Conformant CRL issuers MUST NOT use cRLNumber values longer than 20 octets.
ToP   noToC   RFC3280 - Page 113
   The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
   constructs.  A valid ASN.1 sequence will have zero or more entries.
   The SIZE (1..MAX) construct constrains the sequence to have at least
   one entry.  MAX indicates the upper bound is unspecified.
   Implementations are free to choose an upper bound that suits their
   environment.

   The construct "positiveInt ::= INTEGER (0..MAX)" defines positiveInt
   as a subtype of INTEGER containing integers greater than or equal to
   zero.  The upper bound is unspecified.  Implementations are free to
   select an upper bound that suits their environment.

   The character string type PrintableString supports a very basic Latin
   character set: the lower case letters 'a' through 'z', upper case
   letters 'A' through 'Z', the digits '0' through '9', eleven special
   characters ' = ( ) + , - . / : ? and space.

   Implementers should note that the at sign ('@') and underscore ('_')
   characters are not supported by the ASN.1 type PrintableString.
   These characters often appear in internet addresses.  Such addresses
   MUST be encoded using an ASN.1 type that supports them.  They are
   usually encoded as IA5String in either the emailAddress attribute
   within a distinguished name or the rfc822Name field of GeneralName.
   Conforming implementations MUST NOT encode strings which include
   either the at sign or underscore character as PrintableString.

   The character string type TeletexString is a superset of
   PrintableString.  TeletexString supports a fairly standard (ASCII-
   like) Latin character set, Latin characters with non-spacing accents
   and Japanese characters.

   Named bit lists are BIT STRINGs where the values have been assigned
   names.  This specification makes use of named bit lists in the
   definitions for the key usage, CRL distribution points and freshest
   CRL certificate extensions, as well as the freshest CRL and issuing
   distribution point CRL extensions.  When DER encoding a named bit
   list, trailing zeroes MUST be omitted.  That is, the encoded value
   ends with the last named bit that is set to one.

   The character string type UniversalString supports any of the
   characters allowed by ISO 10646-1 [ISO 10646].  ISO 10646-1 is the
   Universal multiple-octet coded Character Set (UCS).  ISO 10646-1
   specifies the architecture and the "basic multilingual plane" -- a
   large standard character set which includes all major world character
   standards.
ToP   noToC   RFC3280 - Page 114
   The character string type UTF8String was introduced in the 1997
   version of ASN.1, and UTF8String was added to the list of choices for
   DirectoryString in the 2001 version of X.520 [X.520].  UTF8String is
   a universal type and has been assigned tag number 12.  The content of
   UTF8String was defined by RFC 2044 [RFC 2044] and updated in RFC 2279
   [RFC 2279].

   In anticipation of these changes, and in conformance with IETF Best
   Practices codified in RFC 2277 [RFC 2277], IETF Policy on Character
   Sets and Languages, this document includes UTF8String as a choice in
   DirectoryString and the CPS qualifier extensions.

   Implementers should note that the DER encoding of the SET OF values
   requires ordering of the encodings of the values.  In particular,
   this issue arises with respect to distinguished names.

   Implementers should note that the DER encoding of SET or SEQUENCE
   components whose value is the DEFAULT omit the component from the
   encoded certificate or CRL.  For example, a BasicConstraints
   extension whose cA value is FALSE would omit the cA boolean from the
   encoded certificate.

   Object Identifiers (OIDs) are used throughout this specification to
   identify certificate policies, public key and signature algorithms,
   certificate extensions, etc.  There is no maximum size for OIDs.
   This specification mandates support for OIDs which have arc elements
   with values that are less than 2^28, that is, they MUST be between 0
   and 268,435,455, inclusive.  This allows each arc element to be
   represented within a single 32 bit word.  Implementations MUST also
   support OIDs where the length of the dotted decimal (see [RFC 2252],
   section 4.1) string representation can be up to 100 bytes
   (inclusive).  Implementations MUST be able to handle OIDs with up to
   20 elements (inclusive).  CAs SHOULD NOT issue certificates which
   contain OIDs that exceed these requirements.  Likewise, CRL issuers
   SHOULD NOT issue CRLs which contain OIDs that exceed these
   requirements.

   Implementors are warned that the X.500 standards community has
   developed a series of extensibility rules.  These rules determine
   when an ASN.1 definition can be changed without assigning a new
   object identifier (OID).  For example, at least two extension
   definitions included in RFC 2459 [RFC 2459], the predecessor to this
   profile document, have different ASN.1 definitions in this
   specification, but the same OID is used.  If unknown elements appear
   within an extension, and the extension is not marked critical, those
   unknown elements ought to be ignored, as follows:

      (a)  ignore all unknown bit name assignments within a bit string;
ToP   noToC   RFC3280 - Page 115
      (b)  ignore all unknown named numbers in an ENUMERATED type or
      INTEGER type that is being used in the enumerated style, provided
      the number occurs as an optional element of a SET or SEQUENCE; and

      (c)  ignore all unknown elements in SETs, at the end of SEQUENCEs,
      or in CHOICEs where the CHOICE is itself an optional element of a
      SET or SEQUENCE.

   If an extension containing unexpected values is marked critical, the
   implementation MUST reject the certificate or CRL containing the
   unrecognized extension.

Appendix C. Examples

This section contains four examples: three certificates and a CRL. The first two certificates and the CRL comprise a minimal certification path. Section C.1 contains an annotated hex dump of a "self-signed" certificate issued by a CA whose distinguished name is cn=us,o=gov,ou=nist. The certificate contains a DSA public key with parameters, and is signed by the corresponding DSA private key. Section C.2 contains an annotated hex dump of an end entity certificate. The end entity certificate contains a DSA public key, and is signed by the private key corresponding to the "self-signed" certificate in section C.1. Section C.3 contains a dump of an end entity certificate which contains an RSA public key and is signed with RSA and MD5. This certificate is not part of the minimal certification path. Section C.4 contains an annotated hex dump of a CRL. The CRL is issued by the CA whose distinguished name is cn=us,o=gov,ou=nist and the list of revoked certificates includes the end entity certificate presented in C.2. The certificates were processed using Peter Gutman's dumpasn1 utility to generate the output. The source for the dumpasn1 utility is available at <http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c>. The binaries for the certificates and CRLs are available at <http://csrc.nist.gov/pki/pkixtools>.

C.1 DSA Self-Signed Certificate

This section contains an annotated hex dump of a 699 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 23 (17 hex);
ToP   noToC   RFC3280 - Page 116
   (b)  the certificate is signed with DSA and the SHA-1 hash algorithm;
   (c)  the issuer's distinguished name is OU=NIST; O=gov; C=US
   (d)  and the subject's distinguished name is OU=NIST; O=gov; C=US
   (e)  the certificate was issued on June 30, 1997 and will expire on
   December 31, 1997;
   (f)  the certificate contains a 1024 bit DSA public key with
   parameters;
   (g)  the certificate contains a subject key identifier extension
   generated using method (1) of section 4.2.1.2; and
   (h)  the certificate is a CA certificate (as indicated through the
   basic constraints extension.)

  0 30  699: SEQUENCE {
  4 30  635:   SEQUENCE {
  8 A0    3:     [0] {
 10 02    1:       INTEGER 2
          :       }
 13 02    1:     INTEGER 17
 16 30    9:     SEQUENCE {
 18 06    7:       OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
          :       }
 27 30   42:     SEQUENCE {
 29 31   11:       SET {
 31 30    9:         SEQUENCE {
 33 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 38 13    2:           PrintableString 'US'
          :           }
          :         }
 42 31   12:       SET {
 44 30   10:         SEQUENCE {
 46 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 51 13    3:           PrintableString 'gov'
          :           }
          :         }
 56 31   13:       SET {
 58 30   11:         SEQUENCE {
 60 06    3:           OBJECT IDENTIFIER
          :             organizationalUnitName (2 5 4 11)
 65 13    4:           PrintableString 'NIST'
           :           }
           :         }
           :       }
 71 30   30:     SEQUENCE {
 73 17   13:       UTCTime '970630000000Z'
 88 17   13:       UTCTime '971231000000Z'
           :       }
103 30   42:     SEQUENCE {
105 31   11:       SET {
ToP   noToC   RFC3280 - Page 117
107 30    9:         SEQUENCE {
109 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
114 13    2:           PrintableString 'US'
           :           }
           :         }
118 31   12:       SET {
120 30   10:         SEQUENCE {
122 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
127 13    3:           PrintableString 'gov'
           :           }
           :         }
132 31   13:       SET {
134 30   11:         SEQUENCE {
136 06    3:           OBJECT IDENTIFIER
           :             organizationalUnitName (2 5 4 11)
141 13    4:           PrintableString 'NIST'
           :           }
           :         }
           :       }
147 30  440:     SEQUENCE {
151 30  300:       SEQUENCE {
155 06    7:         OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
164 30  287:         SEQUENCE {
168 02  129:           INTEGER
           :             00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC
           :             FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC
           :             48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F
           :             22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64
           :             3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A
           :             C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD
           :             35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E
           :             5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A
           :             FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48
           :             63 FE 43
300 02   21:           INTEGER
           :             00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA
           :             55 F7 7D 57 74 81 E5
323 02  129:           INTEGER
           :             00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91
           :             C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92
           :             81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77
           :             A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC
           :             46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A
           :             5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C
           :             92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2
           :             62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF
           :             F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE
           :             1E 57 18
ToP   noToC   RFC3280 - Page 118
           :           }
           :         }
455 03  133:       BIT STRING 0 unused bits, encapsulates {
459 02  129:           INTEGER
           :             00 B5 9E 1F 49 04 47 D1 DB F5 3A DD CA 04
           :             75 E8 DD 75 F6 9B 8A B1 97 D6 59 69 82 D3
           :             03 4D FD 3B 36 5F 4A F2 D1 4E C1 07 F5 D1
           :             2A D3 78 77 63 56 EA 96 61 4D 42 0B 7A 1D
           :             FB AB 91 A4 CE DE EF 77 C8 E5 EF 20 AE A6
           :             28 48 AF BE 69 C3 6A A5 30 F2 C2 B9 D9 82
           :             2B 7D D9 C4 84 1F DE 0D E8 54 D7 1B 99 2E
           :             B3 D0 88 F6 D6 63 9B A7 E2 0E 82 D4 3B 8A
           :             68 1B 06 56 31 59 0B 49 EB 99 A5 D5 81 41
           :             7B C9 55
           :           }
           :       }
591 A3   50:     [3] {
593 30   48:       SEQUENCE {
595 30   29:         SEQUENCE {
597 06    3:           OBJECT IDENTIFIER
           :             subjectKeyIdentifier (2 5 29 14)
602 04   22:           OCTET STRING, encapsulates {
604 04   20:               OCTET STRING
           :                 86 CA A5 22 81 62 EF AD 0A 89 BC AD 72 41
           :                 2C 29 49 F4 86 56
           :               }
           :           }
626 30   15:         SEQUENCE {
628 06    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
633 01    1:           BOOLEAN TRUE
636 04    5:           OCTET STRING, encapsulates {
638 30    3:               SEQUENCE {
640 01    1:                 BOOLEAN TRUE
           :                 }
           :               }
           :           }
           :         }
           :       }
           :     }
643 30    9:   SEQUENCE {
645 06    7:     OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
           :     }
654 03   47:   BIT STRING 0 unused bits, encapsulates {
657 30   44:       SEQUENCE {
659 02   20:         INTEGER
           :           43 1B CF 29 25 45 C0 4E 52 E7 7D D6 FC B1
           :           66 4C 83 CF 2D 77
681 02   20:         INTEGER
ToP   noToC   RFC3280 - Page 119
           :           0B 5B 9A 24 11 98 E8 F3 86 90 04 F6 08 A9
           :           E1 8D A5 CC 3A D4
           :         }
           :       }
           :   }

C.2 End Entity Certificate Using DSA

This section contains an annotated hex dump of a 730 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 18 (12 hex); (b) the certificate is signed with DSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is OU=nist; O=gov; C=US (d) and the subject's distinguished name is CN=Tim Polk; OU=nist; O=gov; C=US (e) the certificate was valid from July 30, 1997 through December 1, 1997; (f) the certificate contains a 1024 bit DSA public key; (g) the certificate is an end entity certificate, as the basic constraints extension is not present; (h) the certificate contains an authority key identifier extension matching the subject key identifier of the certificate in Appendix C.1; and (i) the certificate includes one alternative name - an RFC 822 address of "wpolk@nist.gov". 0 30 730: SEQUENCE { 4 30 665: SEQUENCE { 8 A0 3: [0] { 10 02 1: INTEGER 2 : } 13 02 1: INTEGER 18 16 30 9: SEQUENCE { 18 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) : } 27 30 42: SEQUENCE { 29 31 11: SET { 31 30 9: SEQUENCE { 33 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) 38 13 2: PrintableString 'US' : } : } 42 31 12: SET { 44 30 10: SEQUENCE { 46 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 51 13 3: PrintableString 'gov' : } : }
ToP   noToC   RFC3280 - Page 120
    56 31   13:       SET {
    58 30   11:         SEQUENCE {
    60 06    3:           OBJECT IDENTIFIER
              :             organizationalUnitName (2 5 4 11)
    65 13    4:           PrintableString 'NIST'
              :           }
              :         }
              :       }
    71 30   30:     SEQUENCE {
    73 17   13:       UTCTime '970730000000Z'
    88 17   13:       UTCTime '971201000000Z'
              :       }
   103 30   61:     SEQUENCE {
   105 31   11:       SET {
   107 30    9:         SEQUENCE {
   109 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
   114 13    2:           PrintableString 'US'
              :           }
              :         }
   118 31   12:       SET {
   120 30   10:         SEQUENCE {
   122 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
   127 13    3:           PrintableString 'gov'
              :           }
              :         }
   132 31   13:       SET {
   134 30   11:         SEQUENCE {
   136 06    3:           OBJECT IDENTIFIER
              :             organizationalUnitName (2 5 4 11)
   141 13    4:           PrintableString 'NIST'
              :           }
              :         }
   147 31   17:       SET {
   149 30   15:         SEQUENCE {
   151 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
   156 13    8:           PrintableString 'Tim Polk'
              :           }
              :         }
              :       }
   166 30  439:     SEQUENCE {
   170 30  300:       SEQUENCE {
   174 06    7:         OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
   183 30  287:         SEQUENCE {
   187 02  129:           INTEGER
              :             00 B6 8B 0F 94 2B 9A CE A5 25 C6 F2 ED FC
              :             FB 95 32 AC 01 12 33 B9 E0 1C AD 90 9B BC
              :             48 54 9E F3 94 77 3C 2C 71 35 55 E6 FE 4F
              :             22 CB D5 D8 3E 89 93 33 4D FC BD 4F 41 64
ToP   noToC   RFC3280 - Page 121
              :             3E A2 98 70 EC 31 B4 50 DE EB F1 98 28 0A
              :             C9 3E 44 B3 FD 22 97 96 83 D0 18 A3 E3 BD
              :             35 5B FF EE A3 21 72 6A 7B 96 DA B9 3F 1E
              :             5A 90 AF 24 D6 20 F0 0D 21 A7 D4 02 B9 1A
              :             FC AC 21 FB 9E 94 9E 4B 42 45 9E 6A B2 48
              :             63 FE 43
   319 02   21:           INTEGER
              :             00 B2 0D B0 B1 01 DF 0C 66 24 FC 13 92 BA
              :             55 F7 7D 57 74 81 E5
   342 02  129:           INTEGER
              :             00 9A BF 46 B1 F5 3F 44 3D C9 A5 65 FB 91
              :             C0 8E 47 F1 0A C3 01 47 C2 44 42 36 A9 92
              :             81 DE 57 C5 E0 68 86 58 00 7B 1F F9 9B 77
              :             A1 C5 10 A5 80 91 78 51 51 3C F6 FC FC CC
              :             46 C6 81 78 92 84 3D F4 93 3D 0C 38 7E 1A
              :             5B 99 4E AB 14 64 F6 0C 21 22 4E 28 08 9C
              :             92 B9 66 9F 40 E8 95 F6 D5 31 2A EF 39 A2
              :             62 C7 B2 6D 9E 58 C4 3A A8 11 81 84 6D AF
              :             F8 B4 19 B4 C2 11 AE D0 22 3B AA 20 7F EE
              :             1E 57 18
              :           }
              :         }
   474 03  132:       BIT STRING 0 unused bits, encapsulates {
   478 02  128:           INTEGER
              :             30 B6 75 F7 7C 20 31 AE 38 BB 7E 0D 2B AB
              :             A0 9C 4B DF 20 D5 24 13 3C CD 98 E5 5F 6C
              :             B7 C1 BA 4A BA A9 95 80 53 F0 0D 72 DC 33
              :             37 F4 01 0B F5 04 1F 9D 2E 1F 62 D8 84 3A
              :             9B 25 09 5A 2D C8 46 8E 2B D4 F5 0D 3B C7
              :             2D C6 6C B9 98 C1 25 3A 44 4E 8E CA 95 61
              :             35 7C CE 15 31 5C 23 13 1E A2 05 D1 7A 24
              :             1C CB D3 72 09 90 FF 9B 9D 28 C0 A1 0A EC
              :             46 9F 0D B8 D0 DC D0 18 A6 2B 5E F9 8F B5
              :             95 BE
              :           }
              :       }
   609 A3   62:     [3] {
   611 30   60:       SEQUENCE {
   613 30   25:         SEQUENCE {
   615 06    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   620 04   18:           OCTET STRING, encapsulates {
   622 30   16:               SEQUENCE {
   624 81   14:                 [1] 'wpolk@nist.gov'
              :                 }
              :               }
              :           }
   640 30   31:         SEQUENCE {
   642 06    3:           OBJECT IDENTIFIER
ToP   noToC   RFC3280 - Page 122
              :             authorityKeyIdentifier (2 5 29 35)
   647 04   24:           OCTET STRING, encapsulates {
   649 30   22:               SEQUENCE {
   651 80   20:                 [0]
              :                   86 CA A5 22 81 62 EF AD 0A 89 BC AD 72
              :                   41 2C 29 49 F4 86 56
              :                 }
              :               }
              :           }
              :         }
              :       }
              :     }
   673 30    9:   SEQUENCE {
   675 06    7:     OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
              :     }
   684 03   48:   BIT STRING 0 unused bits, encapsulates {
   687 30   45:       SEQUENCE {
   689 02   20:         INTEGER
              :           36 97 CB E3 B4 2C E1 BB 61 A9 D3 CC 24 CC
              :           22 92 9F F4 F5 87
   711 02   21:         INTEGER
              :           00 AB C9 79 AF D2 16 1C A9 E3 68 A9 14 10
              :           B4 A0 2E FF 22 5A 73
              :         }
              :       }
              :   }

C.3 End Entity Certificate Using RSA

This section contains an annotated hex dump of a 654 byte version 3 certificate. The certificate contains the following information: (a) the serial number is 256; (b) the certificate is signed with RSA and the SHA-1 hash algorithm; (c) the issuer's distinguished name is OU=NIST; O=gov; C=US (d) and the subject's distinguished name is CN=Tim Polk; OU=NIST; O=gov; C=US (e) the certificate was issued on May 21, 1996 at 09:58:26 and expired on May 21, 1997 at 09:58:26; (f) the certificate contains a 1024 bit RSA public key; (g) the certificate is an end entity certificate (not a CA certificate); (h) the certificate includes an alternative subject name of "<http://www.itl.nist.gov/div893/staff/polk/index.html>" and an alternative issuer name of "<http://www.nist.gov/>" - both are URLs; (i) the certificate include an authority key identifier extension and a certificate policies extension specifying the policy OID 2.16.840.1.101.3.2.1.48.9; and
ToP   noToC   RFC3280 - Page 123
   (j)  the certificate includes a critical key usage extension
   specifying that the public key is intended for verification of
   digital signatures.

  0 30  654: SEQUENCE {
  4 30  503:   SEQUENCE {
  8 A0    3:     [0] {
 10 02    1:       INTEGER 2
           :       }
 13 02    2:     INTEGER 256
 17 30   13:     SEQUENCE {
 19 06    9:       OBJECT IDENTIFIER
           :         sha1withRSAEncryption (1 2 840 113549 1 1 5)
 30 05    0:       NULL
           :       }
 32 30   42:     SEQUENCE {
 34 31   11:       SET {
 36 30    9:         SEQUENCE {
 38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 43 13    2:           PrintableString 'US'
           :           }
           :         }
 47 31   12:       SET {
 49 30   10:         SEQUENCE {
 51 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 56 13    3:           PrintableString 'gov'
           :           }
           :         }
 61 31   13:       SET {
 63 30   11:         SEQUENCE {
 65 06    3:           OBJECT IDENTIFIER
           :             organizationalUnitName (2 5 4 11)
 70 13    4:           PrintableString 'NIST'
           :           }
           :         }
           :       }
 76 30   30:     SEQUENCE {
 78 17   13:       UTCTime '960521095826Z'
 93 17   13:       UTCTime '970521095826Z'
           :       }
108 30   61:     SEQUENCE {
110 31   11:       SET {
112 30    9:         SEQUENCE {
114 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
119 13    2:           PrintableString 'US'
           :           }
           :         }
123 31   12:       SET {
ToP   noToC   RFC3280 - Page 124
125 30   10:         SEQUENCE {
127 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
132 13    3:           PrintableString 'gov'
           :           }
           :         }
137 31   13:       SET {
139 30   11:         SEQUENCE {
141 06    3:           OBJECT IDENTIFIER
           :             organizationalUnitName (2 5 4 11)
146 13    4:           PrintableString 'NIST'
           :           }
           :         }
152 31   17:       SET {
154 30   15:         SEQUENCE {
156 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
161 13    8:           PrintableString 'Tim Polk'
           :           }
           :         }
           :       }
171 30  159:     SEQUENCE {
174 30   13:       SEQUENCE {
176 06    9:         OBJECT IDENTIFIER
           :           rsaEncryption (1 2 840 113549 1 1 1)
187 05    0:         NULL
           :         }
189 03  141:       BIT STRING 0 unused bits, encapsulates {
193 30  137:           SEQUENCE {
196 02  129:             INTEGER
           :               00 E1 6A E4 03 30 97 02 3C F4 10 F3 B5 1E
           :               4D 7F 14 7B F6 F5 D0 78 E9 A4 8A F0 A3 75
           :               EC ED B6 56 96 7F 88 99 85 9A F2 3E 68 77
           :               87 EB 9E D1 9F C0 B4 17 DC AB 89 23 A4 1D
           :               7E 16 23 4C 4F A8 4D F5 31 B8 7C AA E3 1A
           :               49 09 F4 4B 26 DB 27 67 30 82 12 01 4A E9
           :               1A B6 C1 0C 53 8B 6C FC 2F 7A 43 EC 33 36
           :               7E 32 B2 7B D5 AA CF 01 14 C6 12 EC 13 F2
           :               2D 14 7A 8B 21 58 14 13 4C 46 A3 9A F2 16
           :               95 FF 23
328 02    3:             INTEGER 65537
           :             }
           :           }
           :       }
333 A3  175:     [3] {
336 30  172:       SEQUENCE {
339 30   63:         SEQUENCE {
341 06    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
346 04   56:           OCTET STRING, encapsulates {
348 30   54:               SEQUENCE {
ToP   noToC   RFC3280 - Page 125
350 86   52:                 [6]
           :                   'http://www.itl.nist.gov/div893/staff/'
           :                   'polk/index.html'
           :                 }
           :               }
           :           }
404 30   31:         SEQUENCE {
406 06    3:           OBJECT IDENTIFIER issuerAltName (2 5 29 18)
411 04   24:           OCTET STRING, encapsulates {
413 30   22:               SEQUENCE {
415 86   20:                 [6] 'http://www.nist.gov/'
           :                 }
           :               }
           :           }
437 30   31:         SEQUENCE {
439 06    3:           OBJECT IDENTIFIER
           :             authorityKeyIdentifier (2 5 29 35)
444 04   24:           OCTET STRING, encapsulates {
446 30   22:               SEQUENCE {
448 80   20:                 [0]
           :                   08 68 AF 85 33 C8 39 4A 7A F8 82 93 8E
           :                   70 6A 4A 20 84 2C 32
           :                 }
           :               }
           :           }
470 30   23:         SEQUENCE {
472 06    3:           OBJECT IDENTIFIER
           :             certificatePolicies (2 5 29 32)
477 04   16:           OCTET STRING, encapsulates {
479 30   14:               SEQUENCE {
481 30   12:                 SEQUENCE {
483 06   10:                   OBJECT IDENTIFIER
           :                            '2 16 840 1 101 3 2 1 48 9'
           :                   }
           :                 }
           :               }
           :           }
495 30   14:         SEQUENCE {
497 06    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
502 01    1:           BOOLEAN TRUE
505 04    4:           OCTET STRING, encapsulates {
507 03    2:               BIT STRING 7 unused bits
           :                 '1'B (bit 0)
           :               }
           :           }
           :         }
           :       }
           :     }
ToP   noToC   RFC3280 - Page 126
511 30   13:   SEQUENCE {
513 06    9:     OBJECT IDENTIFIER
           :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
524 05    0:     NULL
           :     }
526 03  129:   BIT STRING 0 unused bits
           :     1E 07 77 6E 66 B5 B6 B8 57 F0 03 DC 6F 77
           :     6D AF 55 1D 74 E5 CE 36 81 FC 4B C5 F4 47
           :     82 C4 0A 25 AA 8D D6 7D 3A 89 AB 44 34 39
           :     F6 BD 61 1A 78 85 7A B8 1E 92 A2 22 2F CE
           :     07 1A 08 8E F1 46 03 59 36 4A CB 60 E6 03
           :     40 01 5B 2A 44 D6 E4 7F EB 43 5E 74 0A E6
           :     E4 F9 3E E1 44 BE 1F E7 5F 5B 2C 41 8D 08
           :     BD 26 FE 6A A6 C3 2F B2 3B 41 12 6B C1 06
           :     8A B8 4C 91 59 EB 2F 38 20 2A 67 74 20 0B
           :     77 F3
           :   }

C.4 Certificate Revocation List

This section contains an annotated hex dump of a version 2 CRL with one extension (cRLNumber). The CRL was issued by OU=NIST; O=gov; C=US on August 7, 1997; the next scheduled issuance was September 7, 1997. The CRL includes one revoked certificates: serial number 18 (12 hex), which was revoked on July 31, 1997 due to keyCompromise. The CRL itself is number 18, and it was signed with DSA and SHA-1. 0 30 203: SEQUENCE { 3 30 140: SEQUENCE { 6 02 1: INTEGER 1 9 30 9: SEQUENCE { 11 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) : } 20 30 42: SEQUENCE { 22 31 11: SET { 24 30 9: SEQUENCE { 26 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) 31 13 2: PrintableString 'US' : } : } 35 31 12: SET { 37 30 10: SEQUENCE { 39 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 44 13 3: PrintableString 'gov' : } : } 49 31 13: SET { 51 30 11: SEQUENCE {
ToP   noToC   RFC3280 - Page 127
 53 06    3:           OBJECT IDENTIFIER
           :             organizationalUnitName (2 5 4 11)
 58 13    4:           PrintableString 'NIST'
           :           }
           :         }
           :       }
 64 17   13:     UTCTime '970807000000Z'
 79 17   13:     UTCTime '970907000000Z'
 94 30   34:     SEQUENCE {
 96 30   32:       SEQUENCE {
 98 02    1:         INTEGER 18
101 17   13:         UTCTime '970731000000Z'
116 30   12:         SEQUENCE {
118 30   10:           SEQUENCE {
120 06    3:             OBJECT IDENTIFIER cRLReason (2 5 29 21)
125 04    3:             OCTET STRING, encapsulates {
127 0A    1:                 ENUMERATED 1
           :                 }
           :             }
           :           }
           :         }
           :       }
130 A0   14:     [0] {
132 30   12:       SEQUENCE {
134 30   10:         SEQUENCE {
136 06    3:           OBJECT IDENTIFIER cRLNumber (2 5 29 20)
141 04    3:           OCTET STRING, encapsulates {
143 02    1:               INTEGER 12
           :               }
           :           }
           :         }
           :       }
           :     }
146 30    9:   SEQUENCE {
148 06    7:     OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
           :     }
157 03   47:   BIT STRING 0 unused bits, encapsulates {
160 30   44:       SEQUENCE {
162 02   20:         INTEGER
           :           22 4E 9F 43 BA 95 06 34 F2 BB 5E 65 DB A6
           :           80 05 C0 3A 29 47
184 02   20:         INTEGER
           :           59 1A 57 C9 82 D7 02 21 14 C3 D4 0B 32 1B
           :           96 16 B1 1F 46 5A
           :         }
           :       }
           :   }
ToP   noToC   RFC3280 - Page 128

Author Addresses

Russell Housley RSA Laboratories 918 Spring Knoll Drive Herndon, VA 20170 USA EMail: rhousley@rsasecurity.com Warwick Ford VeriSign, Inc. 401 Edgewater Place Wakefield, MA 01880 USA EMail: wford@verisign.com Tim Polk NIST Building 820, Room 426 Gaithersburg, MD 20899 USA EMail: wpolk@nist.gov David Solo Citigroup 909 Third Ave, 16th Floor New York, NY 10043 USA EMail: dsolo@alum.mit.edu
ToP   noToC   RFC3280 - Page 129
Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.