Tech-invite   3GPPspecs   Glossaries   IETFRFCs   Groups   SIP   ABNFs   Ti+   Search in Tech-invite

in Index   Prev   Next
in Index   Prev   Next  Group: PKIX

RFC 5912

New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)

Pages: 117
Informational
Errata
Updated by:  6960
Part 5 of 6 – Pages 74 to 91
First   Prev   Next

Top   ToC   RFC5912 - Page 74   prevText
12.  ASN.1 Module for RFC 5272

  EnrollmentMessageSyntax-2009
      {iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53)}
  DEFINITIONS IMPLICIT TAGS ::=
  BEGIN
  EXPORTS ALL;
  IMPORTS

  AttributeSet{}, Extension{}, EXTENSION, ATTRIBUTE
  FROM PKIX-CommonTypes-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
  AlgorithmIdentifier{}, DIGEST-ALGORITHM, KEY-WRAP, KEY-DERIVATION,
      MAC-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY
  FROM AlgorithmInformation-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0)
      id-mod-algorithmInformation-02(58)}

  CertificateSerialNumber, GeneralName, CRLReason, ReasonFlags,
      CertExtensions
  FROM PKIX1Implicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

  Name, id-pkix, PublicKeyAlgorithms, SignatureAlgorithms
  FROM PKIX1Explicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

  ContentInfo, IssuerAndSerialNumber, CONTENT-TYPE
  FROM CryptographicMessageSyntax-2009
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-2004-02(41)}

  CertReqMsg, PKIPublicationInfo, CertTemplate
  FROM PKIXCRMF-2009
Top   ToC   RFC5912 - Page 75
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005-02(55)}

  mda-sha1
  FROM PKIXAlgs-2009
       { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-pkix1-algorithms2008-02(56)}

  kda-PBKDF2, maca-hMAC-SHA1
  FROM CryptographicMessageSyntaxAlgorithms-2009
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

  mda-sha256
  FROM PKIX1-PSS-OAEP-Algorithms-2009
       { iso(1) identified-organization(3) dod(6)
         internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-rsa-pkalgs-02(54) } ;

  --  CMS Content types defined in this document
  CMC-ContentTypes CONTENT-TYPE ::= { ct-PKIData | ct-PKIResponse, ... }

  --  Signature Algorithms defined in this document

  SignatureAlgs SIGNATURE-ALGORITHM ::= { sa-noSignature }

  --  CMS Unsigned Attributes

  CMC-UnsignedAtts ATTRIBUTE ::= { aa-cmc-unsignedData }

  --
  --

  id-cmc OBJECT IDENTIFIER ::= {id-pkix 7}   -- CMC controls
  id-cct OBJECT IDENTIFIER ::= {id-pkix 12}  -- CMC content types

  -- This is the content type for a request message in the protocol

  ct-PKIData CONTENT-TYPE ::=
      { PKIData IDENTIFIED BY id-cct-PKIData }
  id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }

  PKIData ::= SEQUENCE {
      controlSequence    SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
      reqSequence        SEQUENCE SIZE(0..MAX) OF TaggedRequest,
      cmsSequence        SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
      otherMsgSequence   SEQUENCE SIZE(0..MAX) OF OtherMsg
Top   ToC   RFC5912 - Page 76
  }

  BodyPartID ::= INTEGER(0..4294967295)

  TaggedAttribute ::= SEQUENCE {
      bodyPartID         BodyPartID,
      attrType           CMC-CONTROL.&id({Cmc-Control-Set}),
      attrValues         SET OF CMC-CONTROL.
                             &Type({Cmc-Control-Set}{@attrType})
  }

  Cmc-Control-Set CMC-CONTROL ::= {
      cmc-identityProof | cmc-dataReturn | cmc-regInfo |
      cmc-responseInfo | cmc-queryPending | cmc-popLinkRandom |
      cmc-popLinkWitness | cmc-identification | cmc-transactionId |
      cmc-senderNonce | cmc-recipientNonce | cmc-statusInfo |
      cmc-addExtensions | cmc-encryptedPOP | cmc-decryptedPOP |
      cmc-lraPOPWitness | cmc-getCert | cmc-getCRL |
      cmc-revokeRequest | cmc-confirmCertAcceptance |
      cmc-statusInfoV2 | cmc-trustedAnchors | cmc-authData |
      cmc-batchRequests | cmc-batchResponses | cmc-publishCert |
      cmc-modCertTemplate | cmc-controlProcessed |
      cmc-identityProofV2 | cmc-popLinkWitnessV2, ... }

  OTHER-REQUEST ::= TYPE-IDENTIFIER

  --  We do not define any other requests in this document;
  --     examples might be attribute certification requests

  OtherRequests OTHER-REQUEST ::= {...}

  TaggedRequest ::= CHOICE {
      tcr               [0] TaggedCertificationRequest,
      crm               [1] CertReqMsg,
      orm               [2] SEQUENCE {
          bodyPartID            BodyPartID,
          requestMessageType    OTHER-REQUEST.&id({OtherRequests}),
          requestMessageValue   OTHER-REQUEST.&Type({OtherRequests}
                                    {@.requestMessageType})
      }
  }

  TaggedCertificationRequest ::= SEQUENCE {
      bodyPartID            BodyPartID,
      certificationRequest  CertificationRequest
  }

  AttributeList ATTRIBUTE ::= {at-extension-req, ...}
Top   ToC   RFC5912 - Page 77
  CertificationRequest ::= SEQUENCE {
     certificationRequestInfo  SEQUENCE {
         version                   INTEGER,
         subject                   Name,
         subjectPublicKeyInfo      SEQUENCE {
             algorithm                 AlgorithmIdentifier{PUBLIC-KEY,
                                           {PublicKeyAlgorithms}},
             subjectPublicKey          BIT STRING
         },
         attributes                [0] IMPLICIT SET OF
                                       AttributeSet{{AttributeList}}
      },
      signatureAlgorithm        AlgorithmIdentifier
                                    {SIGNATURE-ALGORITHM,
                                        {SignatureAlgorithms}},
      signature                 BIT STRING
  }

  TaggedContentInfo ::= SEQUENCE {
      bodyPartID              BodyPartID,
      contentInfo             ContentInfo
  }

  OTHER-MSG ::= TYPE-IDENTIFIER

  --  No other messages currently defined

  OtherMsgSet OTHER-MSG ::= {...}

  OtherMsg ::= SEQUENCE {
      bodyPartID        BodyPartID,
      otherMsgType      OTHER-MSG.&id({OtherMsgSet}),
      otherMsgValue     OTHER-MSG.&Type({OtherMsgSet}{@otherMsgType}) }

  --  This defines the response message in the protocol

  ct-PKIResponse CONTENT-TYPE ::=
      { PKIResponse IDENTIFIED BY id-cct-PKIResponse }
  id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }

  ResponseBody ::= PKIResponse

  PKIResponse ::= SEQUENCE {
      controlSequence   SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
      cmsSequence       SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
      otherMsgSequence  SEQUENCE SIZE(0..MAX) OF OtherMsg
  }
Top   ToC   RFC5912 - Page 78
  CMC-CONTROL ::= TYPE-IDENTIFIER

  -- The following controls have the type OCTET STRING

  cmc-identityProof CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-identityProof }
  id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}

  cmc-dataReturn CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-dataReturn }
  id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}

  cmc-regInfo CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-regInfo }
  id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}

  cmc-responseInfo CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-responseInfo }
  id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}

  cmc-queryPending CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-queryPending }
  id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}

  cmc-popLinkRandom CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-popLinkRandom }
  id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}

  cmc-popLinkWitness CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-popLinkWitness }
  id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}

  -- The following controls have the type UTF8String

  cmc-identification CMC-CONTROL ::=
      { UTF8String IDENTIFIED BY id-cmc-identification }
  id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}

  -- The following controls have the type INTEGER

  cmc-transactionId CMC-CONTROL ::=
      { INTEGER IDENTIFIED BY id-cmc-transactionId }
  id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}

  -- The following controls have the type OCTET STRING

  cmc-senderNonce CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-senderNonce }
Top   ToC   RFC5912 - Page 79
  id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}

  cmc-recipientNonce CMC-CONTROL ::=
      { OCTET STRING IDENTIFIED BY id-cmc-recipientNonce }
  id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}

  -- Used to return status in a response

  cmc-statusInfo CMC-CONTROL ::=
      { CMCStatusInfo IDENTIFIED BY id-cmc-statusInfo }
  id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}

  CMCStatusInfo ::= SEQUENCE {
      cMCStatus       CMCStatus,
      bodyList        SEQUENCE SIZE (1..MAX) OF BodyPartID,
      statusString    UTF8String OPTIONAL,
      otherInfo       CHOICE {
         failInfo         CMCFailInfo,
         pendInfo         PendInfo
      } OPTIONAL
  }

  PendInfo ::= SEQUENCE {
      pendToken        OCTET STRING,
      pendTime         GeneralizedTime
  }

  CMCStatus ::= INTEGER {
      success         (0),
      failed          (2),
      pending         (3),
      noSupport       (4),
      confirmRequired (5),
      popRequired     (6),
      partial         (7)
  }

  -- Note:
  -- The spelling of unsupportedExt is corrected in this version.
  -- In RFC 2797, it was unsuportedExt.

  CMCFailInfo ::= INTEGER {
      badAlg          (0),
      badMessageCheck (1),
      badRequest      (2),
      badTime         (3),
      badCertId       (4),
      unsuportedExt   (5),
Top   ToC   RFC5912 - Page 80
      mustArchiveKeys (6),
      badIdentity     (7),
      popRequired     (8),
      popFailed       (9),
      noKeyReuse      (10),
      internalCAError (11),
      tryLater        (12),
      authDataFail    (13)
  }

  -- Used for RAs to add extensions to certification requests

  cmc-addExtensions CMC-CONTROL ::=
      { AddExtensions IDENTIFIED BY id-cmc-addExtensions }
  id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}

  AddExtensions ::= SEQUENCE {
      pkiDataReference    BodyPartID,
      certReferences      SEQUENCE OF BodyPartID,
      extensions          SEQUENCE OF Extension{{CertExtensions}}
  }

  cmc-encryptedPOP CMC-CONTROL ::=
      { EncryptedPOP IDENTIFIED BY id-cmc-encryptedPOP }
  cmc-decryptedPOP CMC-CONTROL ::=
      { DecryptedPOP IDENTIFIED BY id-cmc-decryptedPOP }
  id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
  id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}

  EncryptedPOP ::= SEQUENCE {
      request       TaggedRequest,
      cms             ContentInfo,
      thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witnessAlgID    AlgorithmIdentifier{DIGEST-ALGORITHM,
                          {WitnessAlgs}},
      witness         OCTET STRING
  }

  POPAlgs MAC-ALGORITHM ::= {maca-hMAC-SHA1, ...}
  WitnessAlgs DIGEST-ALGORITHM ::= {mda-sha1, ...}

  DecryptedPOP ::= SEQUENCE {
      bodyPartID      BodyPartID,
      thePOPAlgID     AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      thePOP          OCTET STRING
  }

  cmc-lraPOPWitness CMC-CONTROL ::=
Top   ToC   RFC5912 - Page 81
      { LraPopWitness IDENTIFIED BY id-cmc-lraPOPWitness }

  id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}

  LraPopWitness ::= SEQUENCE {
      pkiDataBodyid   BodyPartID,
      bodyIds         SEQUENCE OF BodyPartID
  }

  --

  cmc-getCert CMC-CONTROL ::=
      { GetCert IDENTIFIED BY id-cmc-getCert }
  id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}

  GetCert ::= SEQUENCE {
      issuerName      GeneralName,
      serialNumber    INTEGER }

  cmc-getCRL CMC-CONTROL ::=
      { GetCRL IDENTIFIED BY id-cmc-getCRL }
  id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}
  GetCRL ::= SEQUENCE {
      issuerName    Name,
      cRLName       GeneralName OPTIONAL,
      time          GeneralizedTime OPTIONAL,
      reasons       ReasonFlags OPTIONAL }

  cmc-revokeRequest CMC-CONTROL ::=
      { RevokeRequest IDENTIFIED BY id-cmc-revokeRequest}
  id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}

  RevokeRequest ::= SEQUENCE {
      issuerName            Name,
      serialNumber          INTEGER,
      reason                CRLReason,
      invalidityDate         GeneralizedTime OPTIONAL,
      passphrase            OCTET STRING OPTIONAL,
      comment               UTF8String OPTIONAL }

  cmc-confirmCertAcceptance CMC-CONTROL ::=
      { CMCCertId IDENTIFIED BY id-cmc-confirmCertAcceptance }
  id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24}

  CMCCertId ::= IssuerAndSerialNumber

  -- The following is used to request v3 extensions be added
  --     to a certificate
Top   ToC   RFC5912 - Page 82
  at-extension-req ATTRIBUTE ::=
      { TYPE ExtensionReq IDENTIFIED BY id-ExtensionReq }
  id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
      rsadsi(113549) pkcs(1) pkcs-9(9) 14}

  ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF
      Extension{{CertExtensions}}

  -- The following allows Diffie-Hellman Certification Request
  --     Messages to be well-formed

  sa-noSignature SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-alg-noSignature
      VALUE NoSignatureValue
      PARAMS TYPE NULL ARE required
      HASHES { mda-sha1 }
  }
  id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}

  NoSignatureValue ::= OCTET STRING
  --  Unauthenticated attribute to carry removable data.

  id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
      rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)}

  aa-cmc-unsignedData ATTRIBUTE ::=
      { TYPE CMCUnsignedData IDENTIFIED BY id-aa-cmc-unsignedData }
  id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34}

  CMCUnsignedData ::= SEQUENCE {
      bodyPartPath        BodyPartPath,
      identifier          TYPE-IDENTIFIER.&id,
      content             TYPE-IDENTIFIER.&Type
  }

  --  Replaces CMC Status Info
  --

  cmc-statusInfoV2 CMC-CONTROL ::=
      { CMCStatusInfoV2 IDENTIFIED BY id-cmc-statusInfoV2 }
  id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25}

  EXTENDED-FAILURE-INFO ::= TYPE-IDENTIFIER

  ExtendedFailures EXTENDED-FAILURE-INFO ::= {...}

  CMCStatusInfoV2 ::= SEQUENCE {
     cMCStatus             CMCStatus,
Top   ToC   RFC5912 - Page 83
     bodyList              SEQUENCE SIZE (1..MAX) OF
                                    BodyPartReference,
     statusString          UTF8String OPTIONAL,
     otherInfo             CHOICE {
         failInfo               CMCFailInfo,
         pendInfo               PendInfo,
         extendedFailInfo       [1] SEQUENCE {
            failInfoOID            TYPE-IDENTIFIER.&id
                                       ({ExtendedFailures}),
            failInfoValue          TYPE-IDENTIFIER.&Type
                                       ({ExtendedFailures}
                                           {@.failInfoOID})
         }
      } OPTIONAL
  }

  BodyPartReference ::= CHOICE {
     bodyPartID           BodyPartID,
     bodyPartPath         BodyPartPath
  }

  BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

  --  Allow for distribution of trust anchors
  --

  cmc-trustedAnchors CMC-CONTROL ::=
      { PublishTrustAnchors IDENTIFIED BY id-cmc-trustedAnchors }
  id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26}

  PublishTrustAnchors ::= SEQUENCE {
      seqNumber      INTEGER,
      hashAlgorithm  AlgorithmIdentifier{DIGEST-ALGORITHM,
                         {HashAlgorithms}},
      anchorHashes   SEQUENCE OF OCTET STRING
  }

  HashAlgorithms DIGEST-ALGORITHM ::= {
     mda-sha1 | mda-sha256, ...
  }

  cmc-authData CMC-CONTROL ::=
      { AuthPublish IDENTIFIED BY id-cmc-authData }
  id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27}

  AuthPublish ::= BodyPartID

  --   These two items use BodyPartList
Top   ToC   RFC5912 - Page 84
  cmc-batchRequests CMC-CONTROL ::=
      { BodyPartList IDENTIFIED BY id-cmc-batchRequests }
  id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28}

  cmc-batchResponses CMC-CONTROL ::=
      { BodyPartList IDENTIFIED BY id-cmc-batchResponses }
  id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29}

  BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID

  cmc-publishCert CMC-CONTROL ::=
      { CMCPublicationInfo IDENTIFIED BY id-cmc-publishCert }
  id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30}

  CMCPublicationInfo ::= SEQUENCE {
      hashAlg        AlgorithmIdentifier{DIGEST-ALGORITHM,
                           {HashAlgorithms}},
      certHashes     SEQUENCE OF OCTET STRING,
      pubInfo        PKIPublicationInfo
  }

  cmc-modCertTemplate CMC-CONTROL ::=
      { ModCertTemplate IDENTIFIED BY id-cmc-modCertTemplate }
  id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31}

  ModCertTemplate ::= SEQUENCE {
      pkiDataReference             BodyPartPath,
      certReferences               BodyPartList,
      replace                      BOOLEAN DEFAULT TRUE,
      certTemplate                 CertTemplate
  }

  -- Inform follow-on servers that one or more controls have
  --     already been processed

  cmc-controlProcessed CMC-CONTROL ::=
      { ControlsProcessed IDENTIFIED BY id-cmc-controlProcessed }
  id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32}

  ControlsProcessed ::= SEQUENCE {
      bodyList              SEQUENCE SIZE(1..MAX) OF BodyPartReference
  }

  --  Identity Proof control w/ algorithm agility

  cmc-identityProofV2 CMC-CONTROL ::=
      { IdentityProofV2 IDENTIFIED BY id-cmc-identityProofV2 }
  id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 33 }
Top   ToC   RFC5912 - Page 85
  IdentityProofV2 ::= SEQUENCE {
      proofAlgID       AlgorithmIdentifier{DIGEST-ALGORITHM,
                           {WitnessAlgs}},
      macAlgId         AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witness          OCTET STRING
  }

  cmc-popLinkWitnessV2 CMC-CONTROL ::=
      { PopLinkWitnessV2 IDENTIFIED BY id-cmc-popLinkWitnessV2 }
  id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 34 }

  PopLinkWitnessV2 ::= SEQUENCE {
      keyGenAlgorithm   AlgorithmIdentifier{KEY-DERIVATION,
                            {KeyDevAlgs}},
      macAlgorithm      AlgorithmIdentifier{MAC-ALGORITHM, {POPAlgs}},
      witness           OCTET STRING
  }

  KeyDevAlgs KEY-DERIVATION ::= {kda-PBKDF2, ...}

  END

13.  ASN.1 Module for RFC 5755

   PKIXAttributeCertificate-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN
   IMPORTS

   AttributeSet{}, Extensions{}, SecurityCategory{},
           EXTENSION, ATTRIBUTE, SECURITY-CATEGORY
   FROM PKIX-CommonTypes-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

   AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
   FROM AlgorithmInformation-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0)
       id-mod-algorithmInformation-02(58)}

      -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
      -- PKIX Certificate Extensions

   CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
       id-ad, id-at, SIGNED{}, SignatureAlgorithms
Top   ToC   RFC5912 - Page 86
   FROM PKIX1Explicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

   GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
       ext-AuthorityInfoAccess, ext-CRLDistributionPoints
   FROM PKIX1Implicit-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

   ContentInfo
     FROM CryptographicMessageSyntax-2009
       { iso(1) member-body(2) us(840) rsadsi(113549)
       pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) };
   --  Define the set of extensions that can appear.
   --  Some of these are imported from PKIX Cert

   AttributeCertExtensions EXTENSION ::= {
       ext-auditIdentity | ext-targetInformation |
       ext-AuthorityKeyIdentifier | ext-AuthorityInfoAccess |
       ext-CRLDistributionPoints | ext-noRevAvail | ext-ac-proxying |
       ext-aaControls, ... }

   ext-auditIdentity EXTENSION ::= { SYNTAX
       OCTET STRING IDENTIFIED BY id-pe-ac-auditIdentity}

   ext-targetInformation EXTENSION ::= { SYNTAX
       Targets IDENTIFIED BY id-ce-targetInformation }

   ext-noRevAvail EXTENSION ::= { SYNTAX
       NULL IDENTIFIED BY id-ce-noRevAvail}

   ext-ac-proxying EXTENSION ::= { SYNTAX
       ProxyInfo IDENTIFIED BY id-pe-ac-proxying}

   ext-aaControls EXTENSION ::= { SYNTAX
       AAControls IDENTIFIED BY id-pe-aaControls}

   -- Define the set of attributes used here

   AttributesDefined ATTRIBUTE ::= {  at-authenticationInfo |
        at-accesIdentity | at-chargingIdentity | at-group |
        at-role | at-clearance | at-encAttrs, ...}

   at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
       IDENTIFIED BY id-aca-authenticationInfo}

   at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
Top   ToC   RFC5912 - Page 87
       IDENTIFIED BY id-aca-accessIdentity}

   at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
       IDENTIFIED BY id-aca-chargingIdentity}

   at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax
       IDENTIFIED BY id-aca-group}

   at-role ATTRIBUTE ::= { TYPE RoleSyntax
       IDENTIFIED BY id-at-role}

   at-clearance ATTRIBUTE ::= { TYPE Clearance
       IDENTIFIED BY id-at-clearance}
   at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
       IDENTIFIED BY id-at-clearance-rfc3281 }

   at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo
       IDENTIFIED BY id-aca-encAttrs}

   --
   --  OIDs used by Attribute Certificate Extensions
   --

   id-pe-ac-auditIdentity       OBJECT IDENTIFIER ::= { id-pe 4 }
   id-pe-aaControls             OBJECT IDENTIFIER ::= { id-pe 6 }
   id-pe-ac-proxying            OBJECT IDENTIFIER ::= { id-pe 10 }
   id-ce-targetInformation      OBJECT IDENTIFIER ::= { id-ce 55 }
   id-ce-noRevAvail             OBJECT IDENTIFIER ::= { id-ce 56 }

   --
   --  OIDs used by Attribute Certificate Attributes
   --

   id-aca                       OBJECT IDENTIFIER ::= { id-pkix 10 }

   id-aca-authenticationInfo    OBJECT IDENTIFIER ::= { id-aca 1 }
   id-aca-accessIdentity        OBJECT IDENTIFIER ::= { id-aca 2 }
   id-aca-chargingIdentity      OBJECT IDENTIFIER ::= { id-aca 3 }
   id-aca-group                 OBJECT IDENTIFIER ::= { id-aca 4 }
   -- { id-aca 5 } is reserved
   id-aca-encAttrs              OBJECT IDENTIFIER ::= { id-aca 6 }

   id-at-role                   OBJECT IDENTIFIER ::= { id-at 72}
   id-at-clearance              OBJECT IDENTIFIER ::= {
        joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }

   -- Uncomment the following declaration and comment the above line if
   -- using the id-at-clearance attribute as defined in [RFC3281]
Top   ToC   RFC5912 - Page 88
   -- id-at-clearance ::= id-at-clearance-3281

   id-at-clearance-rfc3281              OBJECT IDENTIFIER ::= {
       joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
       clearance (55) }

   --
   --  The syntax of an Attribute Certificate
   --

   AttributeCertificate ::= SIGNED{AttributeCertificateInfo}

   AttributeCertificateInfo ::= SEQUENCE {
       version        AttCertVersion,  -- version is v2
       holder         Holder,
       issuer         AttCertIssuer,
       signature      AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                          {SignatureAlgorithms}},
       serialNumber   CertificateSerialNumber,
       attrCertValidityPeriod   AttCertValidityPeriod,
       attributes     SEQUENCE OF
                          AttributeSet{{AttributesDefined}},
       issuerUniqueID UniqueIdentifier OPTIONAL,
       extensions     Extensions{{AttributeCertExtensions}} OPTIONAL
   }

   AttCertVersion ::= INTEGER { v2(1) }

   Holder ::= SEQUENCE {
       baseCertificateID   [0] IssuerSerial OPTIONAL,
                 -- the issuer and serial number of
                 -- the holder's Public Key Certificate
       entityName          [1] GeneralNames OPTIONAL,
                 -- the name of the claimant or role
       objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
                 -- used to directly authenticate the
                 -- holder, for example, an executable
   }

   ObjectDigestInfo    ::= SEQUENCE {
       digestedObjectType  ENUMERATED {
            publicKey            (0),
            publicKeyCert        (1),
            otherObjectTypes     (2) },
               -- otherObjectTypes MUST NOT
               -- be used in this profile
       otherObjectTypeID   OBJECT IDENTIFIER  OPTIONAL,
       digestAlgorithm     AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
Top   ToC   RFC5912 - Page 89
       objectDigest        BIT STRING
   }

   AttCertIssuer ::= CHOICE {
       v1Form   GeneralNames,  -- MUST NOT be used in this
                               -- profile
       v2Form   [0] V2Form     -- v2 only
   }

   V2Form ::= SEQUENCE {
       issuerName            GeneralNames  OPTIONAL,
       baseCertificateID     [0] IssuerSerial  OPTIONAL,
       objectDigestInfo      [1] ObjectDigestInfo  OPTIONAL
          -- issuerName MUST be present in this profile
          -- baseCertificateID and objectDigestInfo MUST
          -- NOT be present in this profile
   }

   IssuerSerial  ::=  SEQUENCE {
       issuer         GeneralNames,
       serial         CertificateSerialNumber,
       issuerUID      UniqueIdentifier OPTIONAL
   }

   AttCertValidityPeriod  ::= SEQUENCE {
       notBeforeTime  GeneralizedTime,
       notAfterTime   GeneralizedTime
   }

   --
   -- Syntax used by Attribute Certificate Extensions
   --

   Targets ::= SEQUENCE OF Target

   Target  ::= CHOICE {
       targetName     [0] GeneralName,
       targetGroup    [1] GeneralName,
       targetCert     [2] TargetCert
   }

   TargetCert  ::= SEQUENCE {
       targetCertificate  IssuerSerial,
       targetName         GeneralName OPTIONAL,
       certDigestInfo     ObjectDigestInfo OPTIONAL
   }

   AAControls ::= SEQUENCE {
Top   ToC   RFC5912 - Page 90
       pathLenConstraint INTEGER (0..MAX) OPTIONAL,
       permittedAttrs    [0] AttrSpec OPTIONAL,
       excludedAttrs     [1] AttrSpec OPTIONAL,
       permitUnSpecified BOOLEAN DEFAULT TRUE
   }

   AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER

   ProxyInfo ::= SEQUENCE OF Targets

   --
   --  Syntax used by Attribute Certificate Attributes
   --
   IetfAttrSyntax ::= SEQUENCE {
      policyAuthority[0] GeneralNames    OPTIONAL,
      values         SEQUENCE OF CHOICE {
                     octets    OCTET STRING,
                     oid       OBJECT IDENTIFIER,
                     string    UTF8String
     }
   }

   SvceAuthInfo ::=    SEQUENCE {
       service       GeneralName,
       ident         GeneralName,
       authInfo      OCTET STRING OPTIONAL
   }

   RoleSyntax ::= SEQUENCE {
       roleAuthority  [0] GeneralNames OPTIONAL,
       roleName       [1] GeneralName
   }

   Clearance ::= SEQUENCE {
       policyId            OBJECT IDENTIFIER,
       classList           ClassList DEFAULT {unclassified},
       securityCategories  SET OF SecurityCategory
                                {{SupportedSecurityCategories}} OPTIONAL
   }

   -- Uncomment the following lines to support deprecated clearance
   -- syntax and comment out previous Clearance.

   -- Clearance ::= Clearance-rfc3281

   Clearance-rfc3281  ::=  SEQUENCE {
       policyId       [0] OBJECT IDENTIFIER,
       classList      [1] ClassList DEFAULT {unclassified},
Top   ToC   RFC5912 - Page 91
       securityCategories [2] SET OF SecurityCategory-rfc3281
                              {{SupportedSecurityCategories}} OPTIONAL
   }

   ClassList  ::=  BIT STRING {
       unmarked       (0),
       unclassified   (1),
       restricted     (2),
       confidential   (3),
       secret         (4),
       topSecret      (5)
   }
   SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

   SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
       type      [0]  IMPLICIT SECURITY-CATEGORY.
               &id({Supported}),
       value     [1]  EXPLICIT SECURITY-CATEGORY.
               &Type({Supported}{@type})
   }

   ACClearAttrs ::= SEQUENCE {
       acIssuer          GeneralName,
       acSerial          INTEGER,
       attrs             SEQUENCE OF AttributeSet{{AttributesDefined}}
   }

   END



(page 91 continued on part 6)

Next Section